While our focus is on UK Money Laundering Reporting Officers (MLROs), the role of an AML compliance officer is similar in other jurisdictions, especially across the EU, where the risk-based approach stands at the core of a financial crime risk mitigation programme.
MLRO role, responsibilities and reporting
- What is a Money Laundering Reporting Officer?
- What are the key responsibilities of an MLRO?
- Can you train to become a 'qualified' MLRO?
- Tips for your MLRO report
What is a Money Laundering Reporting Officer?
A Money Laundering Reporting Officer (MLRO) is a senior position within a company that is responsible for overseeing all activities related to anti-money laundering (AML). They are tasked with ensuring that the company complies with all relevant AML regulations and procedures.
Therefore, the MLRO needs sufficient authority and seniority to challenge any frontline or senior management decisions that may conflict with the firm's risk appetite and subsequent controls.
If the MLRO decides that something needs reporting, they must not be overruled; unfortunately, this can still happen. Management can update the risk assessment, risk appetite and subsequent controls to support a different view, but these changes must be reasoned and documented.
What are the key responsibilities of an MLRO?
We've created a checklist of the 20 key responsibilities that may fall under the MLRO's remit. Every firm has a different organisational structure. You can use the list for a self-assessment to help you create the role from scratch or benchmark your existing setup.
- Act as an Approved Person undertaking Controlled Function SMF17 to prevent money laundering.
- Develop and maintain the firm's anti-money laundering and counter-terrorist financing policy in line with evolving statutory and regulatory obligations.
- Support and coordinate management focus on the money laundering risk in individual business areas.
- Assist management in developing and maintaining an effective anti-money laundering and counter-terrorist financing compliance culture.
- Ensure that the firm's risk management policies, risk assessment profile, and application are adequately documented.
- In consultation with management, create and maintain the money laundering risk-based approach and the risk assessment of the firm's customers, products and services.
- Establish and maintain appropriate risk-based monitoring processes proportionate to the scale, nature, and complexity of the firm's operations.
- Develop internal procedures in line with the requirements of the legislation and the relevant industry guidance.
- Document the firm's risk-based strategies and the basis for risk assessment and monitoring.
- Ensure the immediate investigation of all internal suspicious activity reports received.
- Ensure the submission of a SAR to the relevant law enforcement agency regarding all suspicions that have substance.
- Ensure that all staff are aware of their personal obligations and the firm's policies and procedures and that the basis for the firm's risk-based approach is understood and applied.
- Ensure that staff comply with the stated policy and monitor operations and development of the policy to this end.
- Ensure that all relevant staff are adequately trained in money laundering and terrorist finance prevention, that the standards and scope of the training are appropriate, and that appropriate training records are kept.
- Regularly review the effectiveness of money laundering compliance policies and procedures to prevent money laundering and counter the financing of terrorism.
- Provide management information as necessary, including an Annual Report each year for the Bank's Board and senior management on the firm's compliance with its obligations.
- Make recommendations for action to remedy any deficiencies in policies, procedures, systems or controls and follow up on those recommendations.
- Represent the firm to all external agencies, e.g. regulators or law enforcement agencies, and in any other third-party enquiries related to money laundering prevention, investigation or compliance.
- Remain aware of any relevant sanctions, prohibitions or advisory notices. Also, if necessary, advise management and relevant staff of the names of any detected individuals and institutions on the sanctions list.
- Promptly respond to any reasonable request for information from the regulator and/or law enforcement agencies.
Can you train to become a 'qualified' MLRO?
Not really. Even though some claim to be 'qualified' MLROs, there is no such qualification. Seniority and authority come with experience, and a firm's senior management fully backs the MLRO even when the MLRO's stance is not commercially attractive.
Effective training and communication are not enough. The Board must promote a culture where compliance is not just a good thing but an essential part of the firm's cultural fabric. Too often, firms run AML courses for everyone without ensuring that the training focuses on understanding the risks the firm is exposed to and how to deal with unusual and suspicious activity.
Senior management needs continuous and focused training to understand their individual accountability in the context of financial crime. Finally, a firm needs to have a clear and comprehensive training strategy that ensures that its financial crime teams (including the MLRO) are equipped to stay informed of regulations and evolve with the ever-changing regulatory and criminal landscape.
Tips for your MLRO report
A Money Laundering Reporting Officer's (MLRO) report is far more than a box-ticking exercise. In fact, it's one of the most effective tools a regulated entity's senior management and board have at their disposal. It helps them demonstrate compliance and understand the firm's financial crime prevention capabilities.
An MLRO Report is a regulatory requirement, written and presented to senior management and the board once a year. Regulators and crime prevention agencies can also view the document if they deem it necessary.
For MLROs, the report is an opportunity to highlight how the company's systems and controls protect the business and steer its financial crime framework. With that in mind, we've collated top tips for making the most of your MLRO Report.
What is the purpose of an MLRO report?
Often, an MLRO Report complements financial crime-related updates made to senior management throughout the year. With that in mind, an MLRO Report shouldn't contain any surprises. Its purpose is to:
- Record the duties of the MLRO and their team
- Review the firm's AML and CTF controls
- Reassure senior management and the board
- Be transparent, honest and accurate
- Acknowledge any breaches and highlight lessons learned
- Identify system limitations and remedial action
- Recommend actions to address risks
- Secure buy-in for proposals
MLRO reporting essentials
1. Company details
This section sets the scene in terms of basic information: the date of incorporation, number of employees and geographical locations. These facts enable readers of the report to understand the remit of the report and the extent of the organisation's potential risk exposure. It's also a good place to state the firm's AML and CTF risk appetite.
2. Regulatory framework
Here, MLROs need to indicate the date the company became regulated by the FCA, whether it is an authorised payment institution, and which guidance it adheres to – for example, the Joint Money Laundering Steering Group (JMLSG). Additional things to communicate include:
- Whether you've operated within applicable regulations, legislation and guidance, and if not, what breaches have occurred
- Information on the current regulatory landscape and what's upcoming
3. MLRO's details, resources & access
The MLRO should give their name and the date they were approved by the board. It's also an opportunity to summarise their responsibilities as the MLRO. For example, the MLRO is often the Nominated Officer – the person in charge of MLRO reporting to the National Crime Agency (NCA).
Additionally, the MLRO should indicate whether they're well-supported and have appropriate access to resources. If the answer is no, they should have the confidence to be honest in the report.
4. Governance structure
This involves stipulating that the MLRO is the second line of defence in a 'three lines of defence model'. It's also important to summarise any factors that have hindered the MLRO's effectiveness within that approach. This is a relatively brief section before you move on to company policies and procedures.
5. AML & CTF systems & controls
Here, it's about outlining AML and CTF policies and procedures. Have they been updated, and if so, why, when and how? Also include the following:
- Risk assessment of the entire firm – consider numerically scoring risks according to their severity and suggest controls to reduce risks to an acceptable level.
- Compliance monitoring – overview of how controls are designed, applied and tested.
- Audits – state how many external and internal inspections have occurred, what was evaluated, and summarise the results and action taken (if applicable).
- Thematic reviews – keep track of AML and CTF news and address related risks
- Conclusion – how effective are your systems and controls?
6. Customer due diligence
This section involves outlining the risk profile of your client base. Has it changed over the last year, by how much, and why? It's also useful to give the following details:
- Screening and customer relationship management systems – how old and effective are they?
- Overdue periodic reviews – for example, if there are outstanding Know Your Customer (KYC) audits, how delayed are they?
7. Reporting & training
Specify core AML and CTF management information, including:
- How many new clients and high-risk relationships are there compared to last year?
- How many breaches and near misses occurred, and what corrective action was implemented?
- How many internal Suspicious Activity Reports (SARs) were received relative to the year before?
- How many SARs were submitted to the NCA as part of MLRO reporting?
- How many Defence Against Money Laundering (DAML) requests were made?
This section also outlines training policies and modules, such as who receives guidance, when, and how frequently. Include pass/fail statistics and highlight employees who have gained professional qualifications throughout the year.
8. Summary & recommendations
Pull the threads together from earlier sections by reiterating key risks and indicating whether the firm is in a better position than the previous year. Point out potential risks for the next 12 months and formally record recommendations for senior management and the board to approve.
Prioritise proposals and clarify whether they're 'must do' versus 'nice to do'. Finally, note the submission date of the MLRO Report and when the recommendations were approved.