
What Is a COLP? Role, Duties and the 2025 SRA Warning

A COLP is the person your firm has told the SRA is personally responsible for its compliance. The SRA's December 2025 review found only one COLP in thirty-six could describe the whole job. Here's the actual role, the duties, and where the exposure sits.

By Daman Kaur

Somebody in your firm has been named COLP. Maybe it's you. Maybe it was you three years ago and the letter of engagement with the SRA has been sitting in a drawer since. Either way, when a regulator, an insurer, or a court asks "who is responsible for compliance here?", the answer already has a name on it — and that name signed up for more than most people realise when they accepted the title.

Here is the uncomfortable part. In December 2025 the SRA ran a thematic review of compliance officers and found that, out of thirty-six interviewed, only one could describe all the material requirements of the role. Not "struggled with the edge cases." Could not outline the job they had personally taken on.

So this is the plain-English version: what a COLP actually is, what the role obliges you to do, and where the accountability bites — before the SRA, an AI tool, or a disgruntled client finds the gap for you.

A COLP is a named person, not a policy

COLP stands for Compliance Officer for Legal Practice. Every firm the SRA authorises has to have one, and a COFA (the finance-side equivalent) alongside — it's not optional and it's not a formality. Under the SRA's Authorisation of Firms Rules, a firm must at all times have an individual designated as its COLP whose designation the SRA has approved.

That last clause matters. The SRA approves the individual. You can't quietly reassign the role over email or let it lapse when the person leaves — a change of COLP is a regulatory event, and a firm that operates without an approved one is in breach from day one.

The common misreading is to treat "compliance" as a document. Firms point to a compliance manual and consider the box ticked. But the SRA didn't authorise a manual. It authorised a person, by name, to take reasonable steps to make the manual true.

Field note: If your firm's answer to "who is your COLP?" is a job title rather than a person who knows they hold it, you don't have a COLP problem yet — you have a COLP problem waiting for an inspection.

What the role actually obliges you to do

The COLP's duties live in the SRA Code of Conduct for Firms, paragraph 9.1. Stripped of the drafting, the job is three obligations that never switch off:

  • Ensure compliance with the terms of your firm's authorisation. Everything the SRA granted the firm permission to do, done within the conditions attached.
  • Ensure compliance with the SRA's regulatory arrangements — the Codes, the Accounts Rules, the Principles — across the whole firm, not just your own matters.
  • Ensure serious breaches are reported to the SRA promptly. This is the one that catches people out, and it's covered in its own section below.

Sitting underneath those are the firm's structural obligations in paragraph 2.1 of the same Code: "effective governance structures, arrangements, systems and controls." The COLP is the person who has to make sure those systems exist and actually work. Not that they're written down. That they operate.

The verb throughout is "ensure," softened in practice to "take all reasonable steps to ensure." You are not a guarantor that no one in the firm ever errs. You are the person accountable for whether the firm had a functioning system to catch it.

The reporting duty is where firms quietly fail

Here is the statistic that should stop any COLP mid-scroll. In the same 2025 review, the thirty-six compliance officers had received 1,377 internal reports over three years — and referred just nine of them to the SRA. That's roughly 86% of officers making no external report at all across the period.

Two readings are possible. Either those firms had almost nothing serious to report, or serious matters were being caught internally and never escalated. The SRA's framing leaves little doubt which it suspects.

The reporting duty asks for judgement, and judgement is exactly what's hard to evidence after the fact. "Serious" isn't defined by a bright line. What the SRA can see is the pattern: a firm with a live complaints log, a couple of near-misses, and zero reports over three years is a firm whose COLP is either exercising very confident judgement or not exercising it at all.

The blunt question I'd ask any COLP: if the SRA pulled your internal incident log tomorrow and asked why each item was or wasn't reported, could you answer for every one — with a contemporaneous record, not a reconstruction?

Who can be a COLP, and what it costs them

A COLP has to be a manager or employee of the firm, has to consent to the role, and can't be disqualified from it. Beyond eligibility, the practical demands are what people underestimate.

What people assume | What the role actually needs
A title the managing partner holds | Time, authority, and visibility across every department
A once-a-year policy review | A live system that surfaces breaches as they happen
Personal liability only for your own files | Accountability for the firm's compliance systems as a whole
A job you can do around a full caseload | A job that competes directly with billable work for attention

That last row is the real tension. The SRA's review found compliance officers "stretched," juggling the role against fee-earning. The title is senior; the resourcing often isn't. A COLP with responsibility but without the authority to change how the firm actually works is carrying the exposure without the tools to reduce it.

The role just got harder, because the firm started using AI

Everything above predates the current pressure. Now add that most firms are deploying AI into live legal work — 61% of UK lawyers now use generative AI day-to-day, up from 46% in January 2025, according to LexisNexis's The AI Culture Clash survey — and the COLP's remit expands with it.

The SRA has been explicit. In its compliance guidance on AI and new technology, it states that it expects, as a minimum, the COLP to be responsible for regulatory compliance when new technology is introduced, with proper governance, systems and controls around its use. AI doesn't get its own rulebook. It falls to the person already named.

This is not abstract. Where AI tools have produced fabricated case citations that reached a court, the individuals responsible have been referred to the SRA — the Ayinde and Al-Haroun cases in 2025, and a fresh referral in 2026 among them. The COLP is the person who has to be able to show the firm had a system to prevent that, not just a policy asking people to be careful. We map the full set of AI questions the SRA can put to a firm in what the SRA can actually ask about AI.

Practical rule: The COLP's job isn't to have a policy for every risk. It's to be able to prove, on any given matter, that the firm's controls actually operated. A policy is a promise; a record is a defence.

What a working COLP setup looks like

If you're a COLP wondering whether you're exposed, the diagnostic is less about documents and more about evidence. For any regulated activity — including AI-assisted work — can you produce a record of what was done, who checked it, and when?

  • If you're a sole practitioner or small-firm COLP wearing every hat: prioritise a single, reliable breach log over an elaborate manual. The SRA cares far more that reporting judgement is recorded than that your policy suite is comprehensive.
  • If you're a COLP in a mid-size firm delegating to department heads: your risk is visibility. You're accountable for compliance you can't personally see, so you need systems that surface issues upward rather than relying on people to volunteer them.
  • If you're a COLP whose firm has adopted AI tools: you need an audit trail per matter — what the tool processed, what it checked, what a human reviewed — because "we trusted the vendor" is not a compliance system. Our COLP AI governance checklist sets out exactly what to capture.

The through-line is the same for all three: the SRA is moving from asking whether you have policies to asking whether you can evidence that your systems worked. The firms that will struggle are the ones that confused the two.

FAQ

What does COLP stand for? Compliance Officer for Legal Practice. It's the individual an SRA-authorised firm designates, with SRA approval, as responsible for the firm's compliance with its authorisation and the SRA's regulatory arrangements.

Is a COLP mandatory? Yes. Every body authorised by the SRA must at all times have an approved COLP and a COFA. Operating without an approved COLP is itself a breach.

Is the COLP personally liable? The COLP is personally accountable to the SRA for taking reasonable steps to ensure the firm's compliance systems function and that serious breaches are reported. It's accountability for the system, not strict liability for every individual error in the firm.

Can one person be both COLP and COFA? Yes, in many smaller firms one person holds both roles. It's permitted, but it concentrates a lot of accountability in one individual — we compare the two roles in COLP vs COFA.

Does the COLP have to report every breach to the SRA? No — only serious breaches must be reported promptly, and materiality is a judgement call. The safer practice is to record the reasoning for every breach you decide not to report, so the judgement is evidenced if the SRA later asks.


If you're a COLP trying to prove your firm's AI use is governed — not just policied — LegalAI Space produces a signed, matter-level audit trail the SRA can inspect. Book a 30-minute call with Daman and bring one real workflow.
