Ensuring Compliance in Law and Accountancy: The Risks of AI-Generated Email Content
- westbridgepartners
- Jun 4
AI writing tools are reshaping how professionals communicate. In law firms and accountancy practices, that shift is happening fast. Solicitors, partners, and accountants are turning to tools like ChatGPT to draft client emails, summarise documents, and speed up routine correspondence. It saves time. It sounds professional. And it can quietly create serious compliance problems.
The issue is not that AI is inherently dangerous. The issue is that many firms are using it without governance policies, without client disclosure, and without understanding how existing professional standards apply to content their staff did not actually write.
The Regulatory Position Is Already Clear
Neither the Solicitors Regulation Authority (SRA) nor the Institute of Chartered Accountants in England and Wales (ICAEW) has introduced AI-specific rulebooks. They do not need to. Existing standards already cover it.
The SRA makes its position explicit: solicitors remain personally responsible for all work produced, regardless of whether it was created by AI. If a ChatGPT-drafted email contains inaccurate legal advice, overpromises an outcome, or misrepresents the firm's position, the solicitor who sent it is accountable. Unverified AI output passed to a client is a potential breach of Principle 5 (competence) and Principle 2 (integrity) under the SRA Code of Conduct.
For accountants, the ICAEW Code of Ethics applies equally. The five fundamental principles — integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour — all carry direct implications for AI-generated correspondence. The ICAEW has specifically warned against "automation bias": the tendency to trust AI output without adequate scrutiny. In tax correspondence especially, the Professional Conduct in Relation to Taxation (PCRT) guidance requires that AI-drafted letters are reviewed for accuracy, appropriate tone, and compliance with current legislation before being sent.
What Makes an AI-Generated Email Non-Compliant
Most compliance failures do not come from malicious intent. They come from workflow habits that have not kept pace with the tools being used. Here are the most common risk points.
Unverified content reaching clients. ChatGPT can and does produce plausible-sounding but factually wrong information. In legal and financial correspondence, a single inaccurate statement — about a deadline, a liability threshold, or a regulatory requirement — can expose the firm and harm the client. Human review is not optional. Under SRA Code 3.5, supervision of all client-facing work is mandatory.
Confidential data entered into public AI tools. When a fee earner copies a client brief, contract extract, or financial summary into a standard ChatGPT account, that data leaves the firm's controlled environment. The SRA's Principle 7 requires firms to protect client confidentiality at all times. The ICAEW echoes this with a clear prohibition on uploading identifiable client data into public or uncontrolled generative AI tools. A data leak via an AI platform is treated no differently to any other confidentiality breach.
No disclosure to the client. Both the SRA and ICAEW expect transparency. If AI is being used to produce advice or correspondence that a client believes was personally written and considered by their professional adviser, that is a material misrepresentation of the service being provided. Clients have a right to know. The SRA's December 2024 Risk Outlook specifically highlighted AI transparency as an emerging priority area for firms.
No firm-level policy in place. Using AI without a written governance policy means staff are making individual decisions about a firm-wide risk. The ICAEW now expects firms to have formal AI policies covering data handling, staff training, human oversight checkpoints, and vendor due diligence. The SRA expects the firm's Compliance Officer for Legal Practice (COLP) to take personal accountability for any regulatory failure caused by AI use, including hallucinations and data breaches.
The Specific Risk of AI-Drafted Client Emails
Emails are the most common use case — and arguably the highest-risk one. Unlike an internal memo, a client email is a professional communication that carries regulatory weight. In many cases it forms part of the engagement record.
ChatGPT does not know your client. It does not know the nuances of their matter, their risk tolerance, or the advice they were given three months ago. It generates text based on statistical patterns, not on the file. That means an AI-drafted email can:
- Include inaccurate statements about timelines, legislation, or obligations
- Use a tone that contradicts the firm's professional standards
- Omit caveats that a qualified professional would routinely include
- Reproduce generic legal or financial content that does not apply to the specific client's circumstances
Any of these outcomes, sent without review, places the firm in breach of its professional duties. The fact that an AI produced the words is not a defence — it is an aggravating factor, because it suggests the firm failed to maintain adequate supervision.
How to Use AI Without Becoming Non-Compliant
This is not an argument against AI. Firms that use it well can communicate faster, reduce administrative burden, and maintain quality. The key is governance, not prohibition.
Use enterprise-grade tools with data protection agreements. OpenAI's enterprise tier, Microsoft Copilot integrated with your existing systems, and sector-specific legal AI platforms offer zero-data-retention options and GDPR-compliant processing. These are materially different from a free consumer ChatGPT account. If your staff are using the latter for client work, that needs to stop.
Build human review into every client-facing output. AI can draft. A qualified professional must review, edit, and approve before anything goes to a client. This is not a courtesy step. It is a regulatory requirement.
Disclose AI use to clients where relevant. The simplest way to do this is through your engagement letter or a standing policy notice. If clients are receiving AI-assisted correspondence, they should know. This is both an ethical obligation and a practical way to manage expectations.
Write and enforce an AI policy. Your policy should cover which tools are approved, how client data must be handled, what supervision is required, and how the policy will be enforced. Your COLP or compliance lead should own it. All staff should be trained on it.
Document your use. If a regulatory query arises about a client email, you need to be able to show that it was reviewed, that appropriate oversight was applied, and that the firm's standards were met. AI use without records creates a compliance gap that is difficult to close after the fact.
The Firms Getting This Right
Forward-looking firms are treating AI governance the same way they treat anti-money laundering compliance: a non-negotiable framework that everyone operates within. That means approved tool lists, mandatory training, audit trails, and clear accountability. It also means being honest with clients about how technology is being used in their matter.
Firms that take this approach gain a real competitive advantage. Clients increasingly want to know that their adviser is using technology competently and responsibly. A clear AI policy, disclosed proactively, signals exactly that.
Firms that skip the governance step and let individual staff decide how and when to use ChatGPT are carrying a risk that may not surface for months — but when it does, it will be a regulatory matter, not just an internal one.
The Bottom Line
AI-generated emails are not inherently non-compliant. They become non-compliant when they are sent without review, produced using tools that compromise client data, or used in a way that the client does not know about and the firm has not sanctioned.
The SRA and ICAEW are watching this space closely. The standards they apply are not new, but the scenarios they cover now include tools that did not exist five years ago. Law firms and accountancy practices that treat AI as just another productivity shortcut, rather than a regulated activity, are taking a risk they may not fully see until they are already exposed.
Start with a policy. Train your people. Review what you send. Disclose what you use. That is not a barrier to adopting AI — it is the foundation for doing it properly.


