Who files a SAR - the MLRO or the compliance officer?
Quick answer
The MLRO files SARs externally in the UK. Staff report internally to the MLRO first, who decides whether to disclose to the National Crime Agency. In the US, the BSA Compliance Officer holds the equivalent external filing obligation under FinCEN's Bank Secrecy Act rules.
The full answer
The MLRO and the compliance officer aren't the same role, though in smaller firms one person holds both. The MLRO is a statutory designation in UK law. Under Section 331 of the Proceeds of Crime Act 2002, the MLRO is the institution's nominated officer: the person who receives internal suspicious activity reports from staff and decides whether to file an external SAR with the National Crime Agency's UK Financial Intelligence Unit.
Staff don't file externally. An analyst who flags suspicious behaviour submits an internal report to the MLRO. The MLRO reviews it and decides whether reasonable grounds exist for disclosure. That review is the MLRO's judgment call. It's not a rubber stamp.
The compliance officer role is broader: policy, training, regulatory relationships, governance. Compliance officers don't carry the direct filing obligation the MLRO holds. In a large bank, the functions are separate. In a 20-person fintech, the same person typically handles both.
Under the FCA's SYSC 6.3, the MLRO is a controlled function. The FCA also requires a named deputy MLRO to cover absences. If neither is reachable when a disclosure is time-sensitive, the institution is still on the hook.
In the US, the Bank Secrecy Act uses the term BSA Compliance Officer. That person is responsible for SAR submissions to FinCEN under 31 CFR § 1020.320. Filing window: 30 days from initial detection, 60 days if no suspect is identified at the time. The institution files, but a named officer signs off.
In EU member states under 6AMLD, the same pattern applies. A nominated officer receives internal disclosures and files STRs with the national Financial Intelligence Unit. FATF Recommendations 20 and 29 underpin these requirements globally.
Why this matters
Getting the filing chain wrong creates personal criminal exposure, not just institutional fines.
Under POCA 2002, Section 330, any person in the regulated sector who knows or suspects money laundering and fails to disclose commits a criminal offence. Maximum sentence: five years. The MLRO carries that obligation directly. A compliance officer who isn't the designated MLRO has a narrower personal duty, but the institution faces enforcement action regardless.
The tipping-off prohibition under POCA 2002, Section 333A binds everyone who knows a SAR has been filed. That includes compliance analysts who built the underlying case. They can't tell the customer or a third party a report exists.
False positive rates in traditional rule-based AML systems exceed 90% at most large banks. That means the MLRO's review queue fills with low-quality alerts. Banks that have deployed AI for transaction monitoring route fewer false positives to the MLRO's desk, focusing manual review on cases that actually warrant disclosure decisions.
Missing a filing deadline has consequences. Penalties for missed CTR filings give a sense of the enforcement framework. SAR failures follow the same regulatory logic. When a regulatory exam surfaces a pattern of late or absent SARs, examiners look at the whole chain: internal reporting procedures, MLRO review quality, and filing discipline.
The connection to due diligence matters too. When CDD or EDD processes flag a customer, that finding typically flows to the MLRO before any SAR is considered. The MLRO is the decision point, not the compliance team running the due diligence checks.
Related concepts and regulations
- SAR (Suspicious Activity Report)
- STR (Suspicious Transaction Report)
- CTR (Currency Transaction Report)
- Customer Due Diligence (CDD)
- Enhanced Due Diligence (EDD)