The MLRO — More Than a Job Title
The Money Laundering Reporting Officer is one of the most consequential roles in any UK-regulated firm. It is not ceremonial, and it is emphatically not a title bestowed on a convenient senior employee who already has a full workload. The MLRO sits at the intersection of criminal law, regulatory obligation, and institutional risk management — carrying personal liability that few other roles in financial services can match.
Understanding what the role actually entails is essential, whether you are appointing an MLRO for the first time, currently serving in the function, or seeking authorisation from the FCA. Plain language clarifies where dense regulation often obscures.
What Does MLRO Stand For and What Is the Legal Basis for the Role?
MLRO stands for Money Laundering Reporting Officer. The legal foundation for the appointment is dual-layered. First, the Proceeds of Crime Act 2002 (POCA) requires firms to designate a “nominated officer” to receive internal disclosures of suspected money laundering and, where appropriate, report them externally to the National Crime Agency (NCA). Second, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) require firms to appoint a senior manager with overall responsibility for AML compliance.[^8]
In practice, these two obligations are almost universally discharged by a single individual: the MLRO. The role therefore has both a legal reporting dimension and a broader compliance stewardship dimension — each with distinct obligations and, critically, distinct consequences for failure.[^8]
Which Firms Must Appoint an MLRO?
The obligation to appoint an MLRO applies to all firms falling within the scope of the MLR 2017, broadly described as the “regulated sector.” This encompasses:
- FCA-authorised firms conducting financial services activity
- Credit institutions and banks
- Consumer credit providers
- Insurance intermediaries
- Accountancy and audit firms
- Legal practices conducting relevant financial or property transactions
- Estate agency businesses
- Cryptoasset businesses registered with the FCA
- Payment institutions and electronic money institutions
Firms operating outside the regulated sector may not face a statutory obligation to appoint an MLRO, but many do so voluntarily as a matter of sound governance. The broader the firm’s exposure to financial flows from third parties, the stronger the case for a dedicated function.
The Dual Nature of the Role: Nominated Officer vs. Compliance Function
The MLRO inhabits two distinct legal personas simultaneously. As the Nominated Officer under POCA, their primary obligation is to receive internal suspicion reports from employees and determine whether an external Suspicious Activity Report (SAR) must be filed with the NCA. This is a reactive, quasi-judicial function: every report received must be assessed on its individual merits.[^9][^8]
As the individual discharging the MLR 2017 senior management responsibility, the MLRO has a proactive compliance function: building, maintaining, and continuously improving the firm’s AML framework. These two dimensions are complementary but operationally distinct. The nominated officer function is largely reactive; the compliance stewardship function is preventative and strategic. Conflating the two — or concentrating exclusively on one — is a structural weakness the FCA readily identifies during supervisory assessments.
SM&CR and SMF17: The MLRO as an Approved Person
Under the Senior Managers and Certification Regime (SM&CR), the MLRO function is a designated Senior Management Function: SMF17. This means the individual performing the role must be formally approved by the FCA before they can discharge the function.
Approval requires submission of a Form A to the FCA via the Connect portal, accompanied by evidence of the individual’s fitness and propriety. The FCA will assess their professional experience, qualifications, regulatory history, financial soundness, and any criminal record. Approval as SMF17 is not a mere formality. The FCA expects to see a credible candidate with genuine expertise, appropriate seniority, and sufficient autonomy to act independently of commercial pressures. Appointing a nominal SMF17 — in name only, without real authority — is a pattern the FCA’s supervisory teams are well practised at identifying and challenging.
Who Can Be an MLRO? Fit and Proper Requirements
The MLRO must be a senior employee based in the UK, possessing sufficient seniority to direct the activities of all staff — including, where necessary, members of the executive team. This authority is not optional. An MLRO who cannot direct a managing director to halt a transaction pending SAR assessment is structurally compromised.
Key attributes the FCA and MLR 2017 expect include:
- Seniority — sufficient standing within the organisation to command respect and enforce decisions
- Knowledge — a sound understanding of the firm’s business, services, client base, and specific financial crime risks
- Capacity — adequate time and resource to fulfil the role meaningfully, not as an adjunct to an already-full schedule
- Independence — freedom from conflicts of interest and commercial pressures that could distort SAR decision-making
- Authority — unequivocal organisational mandate to implement and enforce AML controls
No specific professional qualification is mandated, but the individual must demonstrate competence proportionate to the firm’s complexity and risk profile. Continuing professional development in AML is not merely recommended — it is a practical necessity given the pace of legislative and guidance change.
The Firm-Wide AML Risk Assessment
One of the most substantive obligations falling on the MLRO is the completion and periodic review of a firm-wide AML risk assessment. This document is the foundation upon which all other AML controls are built. Without it, the firm’s compliance framework lacks an evidential basis for the risk-based approach demanded by the MLR 2017.
The risk assessment must identify and evaluate the specific money laundering and terrorist financing risks to which the firm is exposed, taking into account:
- The nature, scale, and complexity of the business
- Products and services offered, and the inherent risk each carries
- The customer base, including geographic origins and business type
- Delivery channels and distribution methods
- Jurisdictional exposure, including any connections to high-risk third countries designated by the FATF
The assessment must be documented, kept up to date, and made available to supervisory authorities on request. It is a live document, not a one-time exercise. Regulators are unforgiving of firms whose risk assessments were last updated in a materially different business context.
Customer Due Diligence (CDD) and Know Your Customer (KYC) Oversight
The MLRO has overarching responsibility for ensuring that Customer Due Diligence (CDD) and Know Your Customer (KYC) procedures are applied meticulously and consistently across the firm. These processes are the primary mechanism through which a firm establishes and verifies the identity of its clients and assesses the risk they represent.
Standard CDD requires:
- Identification and verification of the customer’s identity using reliable, independent source documents
- Identification of any beneficial owner holding or controlling more than 25% of a legal entity
- Understanding the nature and purpose of the business relationship
- Conducting ongoing monitoring of the relationship throughout its duration
CDD must be applied before establishing a business relationship, before carrying out occasional transactions above the relevant thresholds, and whenever there is a suspicion of money laundering — regardless of thresholds. The MLRO must ensure that staff understand these triggers and apply them consistently, without exception or commercial accommodation.
Enhanced Due Diligence (EDD): When and Why It Applies
Where a customer or transaction presents a higher risk of money laundering or terrorist financing, Enhanced Due Diligence (EDD) must be applied. Standard CDD measures are insufficient in these circumstances; more granular scrutiny is required.
Scenarios mandating EDD include:
- Customers or transactions connected to high-risk third countries identified by the FATF or the UK government
- Politically Exposed Persons (PEPs) and their close associates and family members
- Correspondent banking relationships
- Complex or unusually large transactions with no apparent economic rationale
- Customers presenting unusual ownership or control structures
The MLRO must ensure EDD procedures are clearly documented, consistently applied, and subject to senior approval where the firm’s policies require it. EDD is not a discretionary enhancement — it is a legal obligation in the prescribed circumstances.
Suspicious Activity Reports (SARs): The MLRO’s Central Obligation
The SAR process is, in many respects, the core of the MLRO’s legal function. Under POCA 2002, employees who know or suspect — or have reasonable grounds to know or suspect — that a person is engaged in money laundering must report this to the MLRO. The MLRO then assumes the determinative role: assessing the disclosure and deciding whether an external SAR must be submitted to the NCA.
The MLRO’s responsibilities in this process include:
- Receiving all internal disclosures from employees in a structured, confidential manner
- Evaluating each disclosure against all available information, including client history and transaction data
- Determining whether knowledge or suspicion of money laundering or terrorist financing exists, or whether there are reasonable grounds for such suspicion
- Submitting an external SAR to the NCA where the threshold is met
- Recording the rationale for all decisions, including where a SAR is not submitted
The decision not to file a SAR is as consequential as the decision to file one. Both must be documented with a clear, evidenced rationale. Undocumented decisions are indefensible in any subsequent regulatory or criminal investigation.
Reporting to the National Crime Agency (NCA)
External SARs are submitted to the National Crime Agency (NCA) through its online portal. The NCA is the UK’s Financial Intelligence Unit (FIU) and the designated body for receiving disclosures under POCA and the Terrorism Act 2000.
Once a SAR is submitted, the MLRO becomes the firm’s primary liaison point with the NCA. This may include responding to requests for further information, receiving feedback on submitted reports, and, in complex cases, managing the firm’s obligations across multiple associated disclosures. The MLRO must ensure the SAR is accurate, complete, and submitted without undue delay. Delay in filing, where the obligation has crystallised, is itself a potential criminal offence under POCA.
The “Consent” Regime: Seeking a Defence Before Proceeding
One of the more operationally complex aspects of the MLRO’s role is navigating the “consent” or “defence” regime under POCA. Where a firm knows or suspects it is involved in a transaction connected to criminal property, proceeding with that transaction without consent from the NCA constitutes the criminal offence of “arrangement.”
The MLRO may submit a SAR and simultaneously seek a “defence against money laundering” (DAML) from the NCA, requesting permission to proceed with the transaction. The NCA has seven working days from receipt of the DAML request to refuse consent; if no refusal is issued within that period, a moratorium period of 31 calendar days begins. Navigating this regime — including managing client relationships and commercial timelines without “tipping off” the client that a disclosure has been made — requires significant judgement and experience. Tipping off is itself a criminal offence under POCA, punishable by up to five years’ imprisonment.
Transaction Monitoring Systems and Controls
The MLRO has oversight responsibility for the firm’s transaction monitoring infrastructure — the systems and processes through which unusual or suspicious patterns of financial activity are identified, escalated, and investigated.
Effective transaction monitoring requires:
- Systems calibrated to the firm’s specific risk profile and transaction typologies
- Alert thresholds set at levels that generate actionable intelligence without overwhelming investigators with noise
- Documented escalation procedures from front-line staff to the MLRO
- Regular review and recalibration of monitoring parameters as the business evolves
- Clear audit trails for all alerts, investigations, and outcomes
A transaction monitoring system that generates hundreds of false positives per day is as operationally inadequate as one that generates none. The MLRO must ensure the system is proportionate, effective, and subject to periodic independent review.
Developing and Maintaining AML Policies and Procedures
The MLRO bears primary responsibility for drafting, implementing, and keeping current the firm’s AML and Counter-Terrorist Financing (CTF) policies and procedures. These are not static documents. The legislative and regulatory landscape — spanning POCA, the MLR 2017, FATF guidance, FCA rules, and NCA typologies — evolves continuously, and the firm’s policies must reflect that evolution in real time.
A comprehensive AML policy suite typically encompasses:
- The firm-wide AML/CTF Policy
- Customer Risk Assessment methodology
- CDD and EDD procedures
- SAR internal reporting procedures
- Tipping-off and confidentiality protocols
- Record-keeping requirements
- Staff training framework and competency standards
- PEP and Sanctions screening procedures
Each policy must be reviewed at least annually and updated whenever there is a material change in legislation, regulatory guidance, or the firm’s own business model. The MLRO should maintain a policy review log as evidence of ongoing diligence.
Staff Training: Building a Firm-Wide Financial Crime Culture
The MLRO is responsible not merely for their own knowledge of AML obligations, but for ensuring that every relevant member of staff understands their personal obligations under POCA, the MLR 2017, and the firm’s internal procedures.
An effective training programme should:
- Be delivered to all relevant employees at induction and refreshed at regular intervals
- Cover the legal basis of AML obligations, the firm’s specific risk profile, and the internal SAR reporting process
- Be tailored by role — front-line client-facing staff require different training content from back-office operations personnel
- Include regular updates on new typologies, emerging threats, and regulatory developments
- Be documented, with completion records maintained as evidence of compliance
An employee who does not know how to identify suspicious activity, or who does not know to report it to the MLRO, represents a systemic vulnerability. Enforcement actions frequently reveal that training failures were a proximate cause of the firm’s financial crime exposure.
The Annual MLRO Report to Senior Management
The MLRO is required to submit a formal Annual Report to the firm’s board or senior management, setting out a comprehensive assessment of the firm’s AML performance over the preceding year. This is both a statutory and a regulatory expectation.
A well-constructed MLRO Annual Report should include:
- An executive summary highlighting significant compliance deficiencies and remedial actions taken
- Statistics on internal SARs received and external SARs submitted to the NCA
- An assessment of the adequacy of the firm’s AML policies, procedures, and controls
- Details of training activity and staff competency assessments
- An evaluation of the effectiveness of transaction monitoring systems
- The outcome of any independent AML audit or external assessment
- Recommendations for improvements and a clear owner and timeline for each
The report is not a formality. It is a governance document that places AML performance squarely before the board. Senior management cannot claim ignorance of financial crime risks if the MLRO has faithfully reported them. Where they fail to act on the MLRO’s recommendations, that inaction is itself a governance failure.
PEPs and Sanctions Screening
Politically Exposed Persons (PEPs) and individuals or entities subject to financial sanctions represent distinct and heightened risk categories that demand specific MLRO attention. The FCA’s guidance on PEPs, updated in 2024 to reflect ongoing industry criticism of disproportionate de-risking, nonetheless preserves the requirement for EDD on all PEP relationships.
The MLRO must ensure:
- Robust screening of all customers against PEP databases at onboarding and on an ongoing basis
- Screening against HM Treasury’s consolidated sanctions list and relevant international designations (OFSI, OFAC where applicable)
- Senior management sign-off for all PEP relationships
- Enhanced ongoing monitoring of PEP and sanctioned-adjacent relationships
- Immediate escalation and, where required, the cessation of dealings where a sanctions match is confirmed
A sanctions breach — even an inadvertent one — can attract criminal liability and substantial regulatory penalties. The MLRO’s screening framework must be sufficiently robust to prevent such breaches, not merely to detect them after the fact.
Personal Liability: What the MLRO Risks if Things Go Wrong
The personal liability attached to the MLRO role is real, material, and should not be underestimated by anyone accepting the appointment. Under POCA, failure to disclose known or suspected money laundering where the obligation has crystallised is a criminal offence carrying a maximum sentence of five years’ imprisonment and an unlimited fine.
Under the MLR 2017, the MLRO (as the designated senior manager) can be held personally accountable for systemic compliance failures. Under SM&CR, the FCA can pursue enforcement action against the SMF17 holder directly, including prohibition, financial penalties, and public censure. The personal liability exposure means that accepting the MLRO role without genuine authority, adequate resources, and senior management backing is not merely professionally inadvisable — it may expose the individual to consequences that cannot be mitigated after the fact.
The MLRO’s Relationship With the FCA and Other Supervisors
The MLRO is the firm’s primary point of accountability for AML matters during FCA supervisory visits, thematic reviews, and enforcement investigations. The FCA’s AML supervisory framework includes both desk-based reviews and on-site visits, during which the MLRO’s documented decision-making, risk assessments, and SAR records will be examined.
Firms supervised for AML purposes by bodies other than the FCA — such as HMRC, the Gambling Commission, or a legal professional body — will have their MLRO accountable to that supervisor instead, though the underlying obligations under POCA and the MLR 2017 are the same. The MLRO must maintain a supervisory-ready state at all times: documentation must be current, decisions must be evidenced, and training records must be accessible.
Common MLRO Failures and How to Avoid Them
Regulatory enforcement records and supervisory feedback consistently reveal a recurring set of MLRO failures across UK-regulated firms. Understanding them is the first step to avoiding them:
- Insufficient seniority or authority — the MLRO lacks the standing to challenge commercial decisions or halt transactions
- Inadequate capacity — the role is treated as a secondary obligation alongside a full primary function
- Outdated risk assessment — the firm-wide risk assessment has not been reviewed following material changes to the business
- Poor SAR documentation — decisions to file or not to file SARs are undocumented or inadequately reasoned
- Generic or stale policies — AML policies are boilerplate documents, not tailored to the firm’s actual risk profile
- Training deficits — staff training is infrequent, undocumented, or irrelevant to the firm’s specific risk context
- Nominal MLRO arrangements — the individual holds the title but exercises no genuine function
- Failure to escalate — suspicious indicators are identified by front-line staff but never reach the MLRO due to inadequate internal reporting culture
Each of these failures has been cited in FCA enforcement notices. None is inevitable with adequate preparation, appropriate resourcing, and a genuinely empowered MLRO.
Outsourcing the MLRO Function: Pros, Cons, and Regulatory Expectations
Some firms — particularly smaller, newly authorised, or resource-constrained organisations — elect to outsource the MLRO function to an external compliance specialist rather than maintain the role in-house. The FCA permits this arrangement, but with important caveats.
The advantages of an outsourced MLRO include:
- Access to specialist expertise and current regulatory knowledge without the cost of a full-time senior hire
- Continuity of function during periods of staff transition
- Independent perspective, free from internal commercial pressures
However, outsourcing does not transfer legal responsibility. The external MLRO must still:
- Hold SMF17 approval from the FCA
- Have genuine authority and unfettered access to the firm’s data, systems, and management
- Be able to discharge all SAR and compliance obligations in real time, without operational impediment
Firms that outsource the MLRO function and then fail to provide the external appointee with the access and authority they need have outsourced the title but not the function. That structural failure will not insulate the firm — or the individual — from regulatory accountability.
Frequently Asked Questions
Does a small firm really need a dedicated MLRO?
Yes, if the firm operates in the regulated sector under the MLR 2017. Size does not exempt a firm from the obligation to appoint a nominated officer and a senior manager responsible for AML compliance. In smaller firms, a single individual frequently fulfils both functions alongside other responsibilities — but must have demonstrable capacity to do so effectively.
Can the CEO be the MLRO?
Yes, provided the individual is genuinely fit and proper, has sufficient knowledge and capacity, and is approved by the FCA as SMF17. However, a CEO whose commercial incentives might conflict with the MLRO’s duty to file SARs — even where doing so is commercially disruptive — represents an independence risk the FCA will scrutinise carefully.
What happens if the MLRO fails to file a SAR when they should have?
Under POCA, failure to disclose where there is knowledge or suspicion of money laundering is a criminal offence. It carries a maximum custodial sentence of five years and an unlimited fine. The FCA may also take regulatory action under SM&CR.
How often should the MLRO Annual Report be produced?
At least annually. However, the MLRO should provide management information to senior leadership on a more frequent basis — quarterly is considered best practice — so that material issues are not deferred to an annual report cycle.
What is the difference between a SAR and a DAML?
A SAR (Suspicious Activity Report) is a disclosure to the NCA of known or suspected money laundering. A DAML (Defence Against Money Laundering) is a specific type of SAR where the firm simultaneously seeks the NCA’s consent to proceed with a transaction connected to the suspicion. The NCA has seven working days to refuse consent; absent a refusal, a 31-day moratorium period begins.
Can the MLRO role be shared between two people?
No. The MLRO is a single designated individual holding a specific SMF function. A deputy MLRO may be appointed to assist, and to act as cover during absences, but only one individual can hold the SMF17 function at any given time.
Compliance Consultant has supported firms with MLRO appointments, outsourced MLRO services, and AML framework reviews for over 25 years. To discuss your firm’s requirements, visit complianceconsultant.org, call 0800 689 0190, or book a complimentary assessment at bit.ly/CCDiscovr.