Playbook · Compliance

Compliance as an operating system.

The SRA, ICO and your professional indemnity insurer have all said what compliance is. There's no shortage of guidance. What's usually missing at a small firm is the operating model around it — named owners, a monthly cadence, an evidence trail, a calendar. Two hours a month for the COLP/COFA, not a quarterly fire drill.

9 min read · Updated April 2026

Most small firms know the headline obligations: AML/KYC, conflicts, supervision, file review, data retention, complaints handling, transparency rules. The SRA puts out clear guidance; the ICO does the same on data protection; your insurer's renewal questions cover the rest. Reading them is straightforward.

The gap isn't knowing what to do. The gap is in the operating model — which person, what cadence, what evidence, and how it gets caught when it slips. This piece is that operating model. Not a compliance manual; the rhythm and accountability that turns the manual into something the firm actually does.

Caveat: this is operating guidance, not legal/regulatory advice. Your specific obligations depend on jurisdiction, firm structure, practice areas, and current regulator guidance. Treat what follows as a sensible starting scaffold.

The five things every small firm has to do

  1. AML / source-of-funds checks on every relevant matter — and an annual practice-wide risk assessment.
  2. Conflicts checks at intake, and a documented conflicts register.
  3. Supervision and file review — every fee-earner has a named supervisor; a defined sample of files gets reviewed each month.
  4. Complaints handling — a written procedure, a register, and timely responses.
  5. Retention and destruction — files are kept for the right period and destroyed deliberately, not forever.

Plus the annual ones: SRA renewal, accounts rules audit (where applicable), insurance renewal, the firm's own risk assessment, the AML policy and training refresh.

AML / KYC — the workflow that holds up

The audit-trail standard isn't just “you did the check” — it's “you can show, in a reproducible way, what you did, when, and why.” Three pieces:

The matter-level workflow

  • Trigger: matter opening. Nothing else gets done — no engagement letter, no work — until the relevant checks are clear.
  • Risk classification: low / standard / high. Driven by client type, jurisdiction, source of funds, transaction size. Documented on the file.
  • Evidence captured: ID + address proof (with sensible expiry), corporate documents where applicable, source-of-funds evidence proportionate to risk band.
  • Sign-off: by named MLRO/deputy for high-risk matters; by the matter handler with a recorded attestation for standard matters.

The annual firm-level work

  • Practice-wide risk assessment — refreshed every year, or sooner if the matter mix changes materially.
  • AML policy document — current version, reviewed annually.
  • Training refresh for everyone touching matters, with completion logged.

The tool question

For firms doing more than 100 client matters a year, a dedicated AML tool (SmartSearch, Veriphy, Thirdfort, Amiqus — there are several) almost always pays back. Not because manual checks aren't possible, but because the audit trail is the actual product, and these tools generate it consistently. The caveat: the tool's report only counts as evidence if it is saved against the matter, not left in the vendor portal, and kept for as long as the regulations require (CDD records must be retained for five years after the business relationship ends). Check the tool's export and retention settings before you rely on it.

For very small firms — under 50 matters/year — manual checks documented on the matter file, with a master log spreadsheet, can work. The risk is consistency: it's the third missed check that becomes the SRA finding.

Conflicts — at intake, in the register

Two layers, both essential:

  • The intake check. Name search across the conflicts register before opening a matter. Most practice management systems do this if asked; if you're working off a spreadsheet, the search is manual but still required. Search the variants too: trading names, former names, alternative spellings, and the other parties named on the matter, not just the prospective client.
  • The standing register. Every adverse party, related party, and prior client logged. The register is only as good as its completeness — which is where the matter-opening discipline pays off.

Where conflicts get missed: the “quick favour” matter that didn't go through proper intake; the “same group of companies” relationship that wasn't mapped. Both are intake-discipline problems more than register problems. See client intake form for the lightweight version.

Supervision and file review

The standard expectation: every fee-earner has a named supervising partner, and a defined sample of files is reviewed each month. The numbers below are typical; check your specific regulatory guidance:

  • Junior fee-earners (≤3 PQE): typically 4–6 files per month, sampled across matter types.
  • Mid-level fee-earners (4–7 PQE): typically 2–3 files per month.
  • Senior fee-earners and partners: peer review, often quarterly, focused on a subset of files (high-value or higher-risk matter types).

What “reviewed” means: a defined checklist run against the file, recorded findings, agreed actions, follow-up on whether actions were taken. Not just “I had a look and it seemed fine.” Use the matter tracking sheet as the source for which files to sample (filter by handler, filter by stage, sample randomly).
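The sampling step above is the one people do inconsistently by hand. The script below is an added example, not part of the original playbook: it draws the monthly file-review sample from a constructed stand-in for the matter tracking sheet, sizing the sample by PQE band and seeding the random draw from the review period and handler so that the same selection can be regenerated later as evidence. Column names, the PQE bands and the per-band sample sizes are assumptions chosen to match the numbers in the text; substitute your own.

```python
"""Reproducible monthly file-review sample from a matter tracking sheet.

Added example, not the playbook's own code. Column names, PQE bands and
sample sizes are assumptions; adjust them to your firm's supervision policy.
"""
import hashlib
import random
from collections import defaultdict

# Constructed rows standing in for the matter tracking sheet.
MATTERS = [
    {"ref": "M-1001", "handler": "AK", "pqe": 1, "stage": "open"},
    {"ref": "M-1002", "handler": "AK", "pqe": 1, "stage": "open"},
    {"ref": "M-1003", "handler": "AK", "pqe": 1, "stage": "open"},
    {"ref": "M-1004", "handler": "AK", "pqe": 1, "stage": "closed"},
    {"ref": "M-1005", "handler": "AK", "pqe": 1, "stage": "open"},
    {"ref": "M-1006", "handler": "AK", "pqe": 1, "stage": "open"},
    {"ref": "M-1007", "handler": "BL", "pqe": 5, "stage": "open"},
    {"ref": "M-1008", "handler": "BL", "pqe": 5, "stage": "open"},
    {"ref": "M-1009", "handler": "BL", "pqe": 5, "stage": "open"},
    {"ref": "M-1010", "handler": "BL", "pqe": 5, "stage": "open"},
    {"ref": "M-1011", "handler": "CM", "pqe": 12, "stage": "open"},
]


def monthly_sample_size(pqe: int) -> int:
    """Files per month by PQE band (lower end of the ranges in the text).

    Seniors and partners are peer-reviewed quarterly, so they contribute
    nothing to the monthly sample.
    """
    if pqe <= 3:
        return 4
    if pqe <= 7:
        return 2
    return 0


def sample_seed(period: str, handler: str) -> int:
    """Derive the RNG seed from review period and handler.

    The seed is recorded with the review, so the selection can be
    regenerated later and shown to have been random, not hand-picked.
    """
    digest = hashlib.sha256(f"{period}:{handler}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def select_review_sample(matters, period: str, stage: str = "open") -> dict:
    """Return {handler: {"seed": int, "files": [refs]}} for one review period."""
    by_handler = defaultdict(list)
    pqe_of = {}
    for m in matters:
        if m["stage"] != stage:          # filter by stage
            continue
        by_handler[m["handler"]].append(m["ref"])   # filter by handler
        pqe_of[m["handler"]] = m["pqe"]

    sample = {}
    for handler in sorted(by_handler):
        n = min(monthly_sample_size(pqe_of[handler]), len(by_handler[handler]))
        seed = sample_seed(period, handler)
        rng = random.Random(seed)
        # Sort the population first so the draw depends only on the seed,
        # not on the row order of the sheet.
        files = sorted(rng.sample(sorted(by_handler[handler]), n))
        sample[handler] = {"seed": seed, "files": files}
    return sample


if __name__ == "__main__":
    for handler, rec in select_review_sample(MATTERS, "2026-04").items():
        print(f"{handler}: seed={rec['seed']} files={rec['files']}")
```

Record the period, the seed and the chosen references on the review log; a later reviewer, or a regulator, can rerun the selection and confirm nothing was swapped out after the fact. Change the period string each month and the sample changes with it.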

Complaints handling

Three pieces, all required:

  1. Written procedure — given to clients at engagement, and easy to find on the website.
  2. Register — every complaint logged, with subject matter, handler, response, outcome, and root cause.
  3. Timely response: typically eight weeks from receipt, after which the client can take the complaint to the Legal Ombudsman whether or not you have finished with it. The clock is hard, not aspirational.

The undervalued piece: monthly review of the complaints register for patterns. Three complaints about the same matter type or the same handler is a process problem, not three unconnected events.

Retention and destruction

Files don't live forever. The retention period varies by matter type (longer for wills, conveyancing, anything with a long-tail liability profile; shorter for routine commercial advice). The discipline is:

  • A retention schedule that names a period for each matter type.
  • A closure step that records the retention date.
  • A scheduled review (annually) of files past their retention date — destroyed deliberately, with a record of destruction.

Why this matters: keeping files indefinitely creates data protection exposure. Once the retention period expires you no longer have a justification for holding the personal data in them (the storage limitation principle), every extra year of files widens the scope of any later subject access request, and old files that leak in a breach are still your breach to report.

The annual compliance calendar

Don't treat compliance as a project; build a calendar the COLP/COFA owns. Realistic example:

  • Monthly (2 hours): file review sample completed, complaints register reviewed, conflicts check on new matters spot-checked, AML completion log reviewed.
  • Quarterly (half day): complaints pattern analysis, file-review trend report to partners, AML register audit, retention-due files cleared.
  • Annually (a week of focused work): firm-wide risk assessment refreshed, AML policy reviewed, training delivered, supervisor allocations updated, SRA renewal, accounts rules report, insurance renewal, complaints annual summary.

Total: two hours/month of administrative time + half a day each quarter + a week each year. Real, but bounded — and far cheaper than a regulatory finding.

The PI insurance renewal — your real annual audit

Worth treating separately from the SRA-facing work: most firms' professional indemnity renewal questionnaire has, in recent years, become the de facto annual compliance audit — sometimes asking sharper questions than the regulator does. Cyber controls (MFA, EDR, backup testing — see cyber: what to ask your IT vendor), AML risk-band evidence, supervision arrangements, file review samples, conflicts processes, complaints patterns — they all get probed.

The practical move: treat the PI renewal as a calendared, weeks-long event each year, not a last-minute scramble. Two benefits: (a) honest answers to the questionnaire (insurers increasingly cross-check, and misstating your controls or claims history on the proposal form can give the insurer grounds to avoid the policy at claim time), (b) the questionnaire itself becomes a checklist for the rest of your compliance year — anything the insurer cares about, the SRA probably will too.

For the firms that want this run end-to-end with the evidence trail integrated into matter management, that's what we built Clearmatter for — compliance, audit, and KPI capture all sit in one place rather than living in three different spreadsheets. For firms keeping their existing setup but needing help operationalising the calendar, Techsperience does the implementation work.

The trap: treating compliance as a project

The pattern that catches small firms: a quiet 18 months, followed by an upcoming SRA visit, followed by six weeks of panicked file remediation. The remediation gets done, the visit goes fine, the calendar lapses again, and the next cycle starts. The cost is felt in lost partner time during the panic phase — which would otherwise be billable.

The fix is the calendar. Once it's running, the SRA visit isn't a panic — it's a review of the evidence already on the shelf.

What good looks like at year one

A named COLP and COFA who know what they're responsible for and have time set aside to do it. A compliance calendar on the wall (literally — A3, with monthly tasks marked). AML, conflicts, complaints, supervision and retention all have clean evidence trails for the past 12 months. Annual regulator returns and the AML policy refresh happen on time without drama. The firm could host an unannounced regulator visit on a Tuesday afternoon and not need the rest of the week to prepare.

That's the operational definition of compliance working.
