All posts
COFA6 min read

The COFA Role Explained: Client Money, Duties and Risk

The COFA is the individual your firm has told the SRA is accountable for client money. It's the compliance role with the sharpest edges — because Accounts Rules breaches are concrete, provable, and land on a named person. Here's the job in full.

By Daman Kaur

Month-end. The client account reconciliation is a few hundred pounds out, nobody can immediately say why, and the transfer that was supposed to clear on Friday didn't. In most businesses that's an accounting annoyance. In a law firm it's a potential Accounts Rules breach, and there is a named individual the SRA holds accountable for it: the COFA.

The COFA role gets less attention than the COLP because "finance and administration" sounds like back-office plumbing. That framing is exactly backwards. Client money is the area where breaches are least ambiguous, easiest for the SRA to evidence, and most likely to end a career. A conduct issue can be argued. A client-account shortfall is a number.

So here's the full role: what a COFA is, what the Accounts Rules actually demand, and where the exposure concentrates.

What COFA stands for, and why the role exists

COFA is the Compliance Officer for Finance and Administration. Every firm the SRA authorises must have one — an approved individual, designated at all times, per the SRA's Authorisation of Firms Rules.

The role exists because of one uncomfortable feature of legal practice: firms routinely hold large sums of money that belong to their clients. Completion monies, settlement funds, disbursement floats. The SRA Accounts Rules exist to keep that money ringfenced, traceable, and untouched by the firm's own finances — and the COFA is the person accountable for making that true.

The COLP owns compliance broadly; the COFA owns this one high-consequence slice. It's carved out precisely because getting it wrong is catastrophic in a way that most compliance slips are not.

The core duty: compliance with the Accounts Rules

The COFA's obligations sit in the SRA Code of Conduct for Firms, paragraph 9.2. The essence:

  • Ensure the firm complies with the SRA Accounts Rules. Not personally process every transaction — ensure the systems that govern client money work.
  • Keep records that demonstrate that compliance.
  • Ensure serious breaches of the Accounts Rules are reported to the SRA promptly.

Underneath that headline duty, the Accounts Rules themselves set the day-to-day standard. The ones that generate the most breaches in practice:

  • Client money is kept separate from the firm's money, in a client account.
  • Client money is returned promptly once there's no longer a proper reason to hold it — the "prompt" is doing a lot of work, and idle balances are a classic finding.
  • Reconciliations are performed at proper intervals, and discrepancies investigated, not carried forward.
  • Withdrawals from client account are only for proper purposes and properly authorised.

Field note: The Accounts Rules breach that most often escalates isn't theft or fraud. It's residual balances left sitting in client account long after the matter closed, because "return promptly" got deprioritised behind billable work. It's mundane, it's common, and it's exactly what a routine inspection surfaces.

Why the COFA role carries sharper risk than the COLP

Both roles are serious. But the COFA's exposure has a particular quality: it's quantifiable.

Conduct breach (COLP territory)Accounts Rules breach (COFA territory)
EvidenceOften contested and judgement-basedConcrete — a ledger, a reconciliation, a number
Ambiguity"Was this a serious breach?" is arguableA client-account shortfall is a shortfall
DetectionMay surface via a complaintSurfaces on inspection, audit, or reconciliation
DefensibilityThe reasoning can be explainedThe figures either reconcile or they don't

That's why a COFA needs systems more than arguments. When the number is wrong, no amount of well-reasoned policy helps. What helps is a contemporaneous record showing the discrepancy was caught, investigated, and resolved — or reported.

The reporting duty, and the number that should worry every COFA

The SRA's December 2025 thematic review of compliance officers is as relevant to COFAs as to COLPs. Across thirty-six officers, 1,377 internal reports over three years produced just nine referrals to the SRA. And only one officer in the group could describe all the material requirements of their role.

For a COFA, the reporting judgement is arguably harder to fudge than a COLP's, because financial breaches leave a paper trail. If a shortfall existed, the ledger shows it existed. The question the SRA will ask is not "did it happen" but "when you found it, what did you do, and did you report it if it was serious?"

The blunt question I'd put to any COFA: if the SRA reconstructed your last twelve months of client-account discrepancies from the ledgers, would your breach log match — or would there be findings that never made it into a record?

Running the COFA role well, by firm size

The right setup depends heavily on how much client money flows through the firm and how it's structured.

  • If you're a sole practitioner or small firm holding modest client balances: the priority is a disciplined reconciliation rhythm and a single log of every discrepancy and its resolution. You don't need sophisticated systems; you need a consistent one you actually keep.
  • If you're a growing firm with rising client-money volume: this is where a dedicated COFA earns their place. Conveyancing, probate, and litigation settlements push client-account activity up fast, and a COFA distracted by also being COLP is where residual balances and late transfers pile up unnoticed.
  • If your firm is automating billing, reconciliation, or client-account correspondence with AI: the COFA's remit now includes the accuracy and governance of those tools. An AI that touches client money needs the same evidential trail as a human who does — what it processed, what it reconciled, who checked it. "The software handles it" is not an Accounts Rules defence.

That last point connects the finance role to the wider AI-governance question. Whoever governs the firm's AI use — whether it's the COFA, the COLP, or one person holding both — needs to be able to prove the controls operated. We set out what that looks like in the COLP AI governance checklist, and the finance angle folds straight into it.

Practical rule: For client money, a policy is worthless and a record is everything. The COFA's real deliverable isn't a manual — it's the ability to show, transaction by transaction, that the money was where it should have been and moved when it should have.

FAQ

What does COFA stand for? Compliance Officer for Finance and Administration. It's the SRA-approved individual accountable for a firm's compliance with the SRA Accounts Rules governing client money.

Is a COFA mandatory? Yes. Every SRA-authorised firm must have an approved COFA at all times, alongside its COLP. Holding client money without an approved COFA is a breach.

What's the main difference between a COFA and a COLP? The COFA is accountable specifically for the SRA Accounts Rules and client money; the COLP is accountable for the firm's compliance with the SRA's regulatory arrangements as a whole. We break the split down in COLP vs COFA.

Can one person be both COLP and COFA? Yes, and in smaller firms it's common. It concentrates accountability for both conduct and client money in one individual, which raises the case for good record-keeping over reliance on memory.

What are the most common Accounts Rules breaches? Residual client balances not returned promptly, reconciliation discrepancies carried forward rather than investigated, and improper or unauthorised withdrawals from client account. Most are administrative drift, not dishonesty — but they're breaches all the same.


If your firm is using AI anywhere near client money or billing, LegalAI Space gives your COFA a signed, matter-level record of what each tool did and who verified it. Book a 30-minute call with Daman to see how the audit trail works.

Related reading