What is an MLRO?

Quick answer

An MLRO (Money Laundering Reporting Officer) is the senior officer at a regulated firm who receives internal suspicious activity reports, decides which to file with the financial intelligence unit, and owns the AML programme. UK regulated firms must appoint one under the Money Laundering Regulations 2017.

The full answer

An MLRO (Money Laundering Reporting Officer) is the designated compliance officer at a regulated firm with statutory responsibility for the anti-money laundering function. The UK legal term is "nominated officer," defined in Regulation 21 of the Money Laundering Regulations 2017. Every firm within scope of those regulations must appoint one at management level. In practice, every regulated UK financial institution uses the title MLRO.

The role has a specific legal function: receive internal suspicious activity reports from staff, review them, and decide whether grounds for suspicion exist. If yes, file a SAR with the National Crime Agency (NCA). If no, document the reasoning. That decision gateway is the MLRO's core job. Everything else, the risk assessment, board reporting, staff training, and CDD framework, follows from it.

Under section 331 of the Proceeds of Crime Act 2002, a nominated officer who knows or suspects money laundering and fails to disclose it commits a criminal offence carrying up to five years' imprisonment. This is personal criminal liability for the individual, not the firm. The MLRO who decides not to file a SAR owns that decision entirely.

The FCA designates the MLRO as Senior Management Function 17 (SMF 17) under the Senior Managers and Certification Regime (SMCR). The person must be individually FCA-approved before taking up the role. That approval can be revoked. Conduct failures can result in prohibition from working in financial services. The framework is designed to tie AML accountability to a named, approved individual.

SAR volumes and the consent window

The NCA's SARs Annual Report recorded approximately 901,000 SARs filed in the UK in the year to September 2023. Most came from the banking sector. A mid-size bank with active transaction monitoring programmes might generate several thousand internal reports a year, with false positive rates running at 90-95% on automated alerts. The MLRO can't personally review each one. They must build and supervise a triage process that holds up to scrutiny.

Where a transaction hasn't yet occurred, the MLRO can file a Defence Against Money Laundering (DAML) consent request with the NCA. The NCA then has 7 working days to grant or refuse consent. Getting this wrong, whether by filing too late or proceeding without consent, carries serious legal consequences.

MLRO vs. BSA Officer

The US equivalent is the BSA Compliance Officer, required under 31 CFR Part 1020 for banks. The BSA officer files SARs with FinCEN within 30 days of detecting suspicious activity (60 days when no suspect is identified). The title differs. The accountability doesn't.

CDD and programme ownership

Beyond SAR decisions, the MLRO owns the firm's customer due diligence and enhanced due diligence standards. That includes defining when EDD applies, setting how often customer risk ratings get refreshed, and deciding whether the firm moves to a perpetual KYC model for continuous monitoring rather than periodic review cycles.

Why this matters

The MLRO sits at the intersection of individual criminal liability and institutional AML risk. When that function fails, the consequences are severe and public.

HSBC's 2012 Deferred Prosecution Agreement with the US Department of Justice, totalling $1.92 billion, included a mandatory monitorship because the BSA officer function had been structurally inadequate for years. Standard Chartered's 2019 settlements with US and UK authorities reached $1.1 billion, partly because correspondent banking controls that an effective AML function should have flagged had been ignored. These cases aren't anomalies; they're the reference points regulators cite when examining other institutions.

The practical pressure is scale. When a bank fails an AML exam, the outcome typically involves consent orders, mandatory remediation, and sometimes a monitorship. Before the exam, the MLRO is the primary contact during supervisory review. After a finding, the MLRO owns the remediation plan, whether or not they keep their job.

There's also a calibration problem. FinCEN's definition of suspicious activity includes a broad category of "unusual" transactions that don't fit a standard typology. The MLRO must develop judgment about where the threshold sits. Too high and the firm misses genuine laundering. Too low and the NCA receives a flood of low-quality SARs, which creates its own regulatory exposure.
