Whether you attended the Law Society’s Risk & Compliance Conference on 11th March in person or remotely, or were unable to do so, we’ve got you covered. We were at the event and attended as many sessions as the schedule would allow and have produced a summary below of the main topics discussed throughout the day.
Artificial Intelligence
This subject was covered in the Keynote speech by Andrew Hogan of Hailsham Chambers, the practical panel discussion session on ‘Governing AI and striking the balance’ as well as cropping up in the session aimed at SME law firms (I cannot comment on the session for larger firms as I was unable to attend that).
Charging practices
Hogan focused on the growing impact of AI on law firms, with AI becoming the “default infrastructure” in his view, without people being consciously aware of it, and on how lawyers charge clients for their services. He argued that hourly-rate billing cannot survive in an AI-enabled profession, with value-based billing (aka fixed fees) inevitably taking its place. With AI tools significantly reducing the time required for many tasks, charging by the hour will drive firms out of business (or lead to charges of fraud if they continue to charge for the time it used to take, as highlighted in a later session!). He predicted an inevitable shift towards fixed fee pricing, with clients paying for the analysis and judgement of the lawyer, rather than the time taken to reach an answer. How this evolves, and how firms will deal with clients seeking a “quick (read cheap) consultation” to confirm the advice they have obtained from ChatGPT, remains to be seen, but Hogan’s message was clear: a shake-up of billing is the future, and the future is here.
Safely adopting AI
The ‘Governing AI and striking the balance’ session focussed on how firms can adopt AI safely and effectively. The key takeaways were:
- Start small – engage those with an interest, focus on practical improvements to daily work, and avoid being overwhelmed by the sheer volume of options. Decide what you want AI to achieve – better admin efficiency, enhanced client experience, or both.
- Don’t think that banning AI, or having an overly restrictive policy on its use, kicks the can down the road. Staff will use it no matter what, so set clear, practical guardrails to protect the firm and clients.
- Train staff on how to use AI properly. AI isn’t the same as a search engine – it needs context and well-crafted prompts.
- Don’t be afraid to bring in expert consultants to help you.
- Engage with your PI insurers – what controls and policies do they want to see?
- Treat AI as an assistant, not a decision-maker. Human oversight and supervision remain vital.
- Think about your marketing strategy – ensure clients understand the added value of qualified, experienced lawyers – value that AI tools can’t replace on their own.
Responsible AI use
And finally, the session aimed at SME law firms touched on responsible AI use, focusing on firms putting an AI policy in place so staff understand what tools can be used and how, and stressing that mandating that your firm “doesn’t use AI” is unrealistic (staff will use it anyway!), risks poor controls, and will alarm PI insurers.
What next
According to the Law Society Gazette, the SRA is expected to publish new guidance on safe and compliant use of AI in the coming weeks, so watch this space. In the meantime, if you haven’t got an AI policy in place yet, we have a template policy to get you started – get in touch if you want to know more.
FCA takeover of AML regulation
Never far from lawyers’ lips were the questions about the impending FCA takeover of AML regulation from the SRA. The issue was addressed in both the SRA Investigations and the Economic Crime Horizon scanning sessions in the afternoon, with the latter firmly disabusing anyone who thinks “it might just not happen” of this hope!
‘Best guesses’
No one really has the answers as yet, but the collective ‘best guesses’ included:
- A transition framework is likely to be in place by next summer, ahead of the Financial Action Task Force (FATF) review.
- The FCA are possibly likely to fine fewer firms, but in larger amounts, than we currently see with the SRA.
- FCA-mandated ‘Skilled Persons Reports’ as a step before enforcement action (with an average cost of £500,000) could be a nasty shock for law firms.
- Double jeopardy is inevitable: FCA for AML breaches plus SRA for conduct breaches (arising from the AML breach), particularly in light of the Dentons decision (which concluded in the High Court that an AML breach would amount to a conduct issue, albeit this decision is due to be reviewed by the Court of Appeal imminently).
- Triple jeopardy is possible: Sanctions breaches are often closely linked to AML investigations. If they remain the domain of the SRA (as per the new Regulatory Objective set out in ECCTA), firms could face concurrent (or even consecutive) investigations by the FCA, SRA and Office for Financial Sanctions Implementation (OFSI)! This is surely an area the government will need to address before the handover.
Key messages for firms
- Don’t lose focus on current AML/ SRA obligations whilst worrying about the FCA. The regulator will change, but the Money Laundering Regulations are staying the same. As the Horizon-scanning panel put it, the FCA takeover is “not the closest crocodile to my canoe”!
- Continue to ensure AML compliance, particularly in relation to client & matter risk assessments and Source of Funds/ wealth enquiries.
- Expect an SRA visit if you haven’t yet had one.
- Use the next 18 months (or so) before the takeover to focus on non-AML issues so you have capacity to deal with the FCA AML requirements when they come. For example, potential changes to how banks might treat pooled client accounts, and the data they may request, may be one of the ‘closer crocodiles’ to focus on.
- The only real immediate FCA/ AML-related recommendation was to assess whether your current technology will be able to handle increased FCA data demands. In particular, will you be able to distinguish between in-scope and out-of-scope work for reporting purposes? (They will only be regulating in-scope work.) Capture this information at matter inception to avoid time-consuming retrospective analysis.
Change in tone from the SRA?
Sarah Rapson’s (the new CEO of the SRA) conversation with Ian Jeffery (the CEO of the Law Society) felt like a bit of a breath of fresh air after perhaps less candid, and (dare I say) more defensive, “conversations” we have seen with the former SRA CEO in the past. Her focus on the need to “change the tone” and rebuild the profession’s trust in the SRA, by working collaboratively to protect consumers and preserve trust and confidence in the legal profession, was certainly encouraging.
She signalled a desire for the SRA to become more proactive, commenting that earlier action might have helped reduce (or even prevent) the damage caused by the collapse of Axiom Ince and the SSB Group. Whilst she highlighted the progress made since then, including in response to the Legal Services Board (LSB)’s action plans, and the appointment of a dedicated executive director to oversee them, the recent collapse of PM Law is clearly an uncomfortable reality underscoring how much improvement is still needed. However, the commitment to transparency and desire to learn from the latest collapse was refreshing to hear (and a noticeable departure from the “nothing to see here” responses we have seen in the past!). What a more proactive stance will mean for firms on a day-to-day basis is perhaps less clear.
Perhaps the most encouraging takeaway from Rapson’s “conversation” was the acknowledgement that the SRA is arguably overly enforcement-led, too quickly resorting to formal investigations and sanctions for technical breaches, rather than using other tools available to work with firms to improve their compliance. If it is truly embraced, and isn’t just ‘talk’, no doubt it will be very much welcomed by the profession. And with the news that the SRA received an unprecedented 3,000 reports in December 2025 alone, it seems that such a change in direction can’t come soon enough for the SRA in terms of sustainability! That said, she was clear that serious misconduct by those “letting the profession down” will continue to be dealt with robustly.
How firms should deal with mistakes
The “Ethical banana skins and culture” session explored why mistakes happen, why people don’t report mistakes (whether their own or others’), and how firms can build healthier, safer cultures around error reporting.
Why we make mistakes
- We are human – mistakes are inevitable!
- Time pressure, leading to incomplete analysis, and overconfidence play a part. (Reference was made to research which concluded that, when asked how competent/ ethical lawyers thought they were, the majority believed they were more ethical than their peers.)
- With the increasing prevalence of AI, there is a risk that reduced critical thinking and AI biases inherited from their training data could amplify errors.
How to reduce errors
- Treat mistakes as learning opportunities. Firms should encourage open discussion about mistakes and ‘near misses’, focus on solutions and prevention, rather than blame, and create genuine psychological safety.
- A true “just culture” focuses on what went wrong, rather than who is at fault, so people feel safe raising concerns, and know that they won’t get screamed at in front of the whole office.
- In my experience, being reminded by senior leadership that “we have professional indemnity insurance for a reason” can really help junior lawyers come forward early (and generally avoid the use of PI insurance at all because the issue can be resolved), rather than digging themselves a hole of fear and making matters far worse.
Why people don’t report mistakes
- Fear is the biggest barrier – fear of humiliation, job loss, or regulatory scrutiny (of you or one of your colleagues), and the associated potential mental health and career impacts of long, stressful SRA investigations. (Apparently, the legal profession is culturally less open about mistakes than sectors like tech.)
- Despite being more likely to suffer as a result of mistakes, junior lawyers are the least likely to speak up. Given that junior lawyers are crucial to shaping future firm culture, helping them to seek help when necessary is vital.
- Another hesitation is uncertainty about when something truly ‘crosses the line’, but the message was clear: even if it’s close to the line, it should be reported, at least internally.
Tips for improving firm culture
- Whilst there is no silver bullet, creating a culture of honesty and learning is a good place to start. Accountability will always be needed and some issues will still have to be reported to the SRA, but focussing on understanding, fixing root causes and sharing lessons from ‘near misses’ and actual errors encourages earlier, simpler interventions, generally with fewer, and less draconian, consequences.
- Regular 360-degree feedback, with bonuses linked to compliance, and regular meaningful connections between staff (especially for remote workers) were some of the suggestions from the panellists for shifting cultural issues and improving risk management.
Key risk and compliance issues facing SME law firms
The SME risk and compliance session covered a lot of issues in a short space of time. These were my key takeaways:
Cybersecurity risks
Cyber threats are becoming more sophisticated and increasingly impacting smaller firms. Practical steps include:
- Enable multi-factor authentication (MFA)
- Use strong passwords (consider the ‘3 random words’ approach – easy to remember but hard to crack)
- Understand your IT providers’ security controls (are they keeping your (and your clients’) data safe?)
- Carry out penetration testing to assess vulnerability to hacking
AML/ KYC controls
Invest in reliable digital ongoing monitoring for ID checks and PEPs & Sanctions screening, rather than relying on manual re-checks.
Responsible AI use
Put an AI policy in place so staff understand what tools can be used and how. Mandating that your firm “doesn’t use AI” is unrealistic (staff will use it anyway!), risks poor controls, and will alarm PI insurers.
Practical steps
- Focus on core regulatory risks: AML, data protection & confidentiality, ethics and safeguarding client money.
- Stress-test your policies and procedures – Do they work? Are they being followed by staff?
- Investigate errors properly… rarely is “human error” the full explanation.
- Limit access to client data to those that need to see it to reduce the risk of data breaches.
- Reward good compliance behaviour and don’t overlook non-compliance by your “rainmakers” – if you do, your compliance culture is doomed!
- Actively supervise junior staff… they are your firm’s future.
- Review your engagement letters and terms of business regularly – can you remember when you last did this?
- Regular file reviews can identify a multitude of issues.
SRA investigations
The SRA Investigations session was, unsurprisingly, very popular! The message couldn’t be clearer: if you haven’t had an SRA inspection yet, it is a matter of when, not if, so now is the time to get your ducks in a row.
What firms are being investigated for
Whilst the majority of inspections relate to Anti-money laundering (AML), the SRA’s remit is much wider, including investigations into claims firms (the scrutiny of which is likely to increase post-Mazur, no matter what the Court of Appeal decides), general misconduct investigations, and the really serious ones – visits from the SRA’s Forensic Investigations team.
Key concerns raised
- Lengthy investigations and poor communication – many firms and individuals face long delays and minimal updates, with investigations dragging on for months (or years) – stalling careers and impacting mental health. (There was some optimism that under the new CEO, we may be seeing improved triaging and communication in 2026.)
- Complaints to the SRA are being weaponised, adding to backlogs.
- Inconsistency of outcomes – Whilst document-gathering in advance of investigations by the SRA appears to be more uniform, the way investigators assess information varies significantly, making outcomes unpredictable and difficult to prepare for. The panel called for internal training at the SRA to improve consistency… let’s hope Sarah Rapson was listening.
Accounts Rules and Qualified Accountants’ Reports
The message was that banking facility breaches will always be investigated but that residual balances are unlikely to be, as long as firms have a clear plan in place to resolve them before the accountant’s report is filed.
A point flagged was that firms must ensure they complete their PI Insurance forms carefully, especially around qualified reports. Mis-answering can later trigger dishonesty allegations. Remember that all questionnaires and forms firms are required to complete, whether for the SRA, their insurers or their accountants, can come back to bite you, so read the questions carefully!