
Who needs an MLRO?

Quick answer

Any UK firm in the regulated sector under the Money Laundering Regulations 2017 must appoint an MLRO. This covers banks, payment institutions, crypto exchanges, solicitors, accountants, and estate agents. FCA-authorized firms must also register the MLRO as Senior Manager function SMF17.

The full answer

Any UK firm in the regulated sector under the Money Laundering Regulations 2017 (MLRs 2017) must appoint a nominated officer, commonly called an MLRO. The obligation isn't limited to banks. It runs across a wide range of commercial activities, from crypto exchanges to solicitors advising on property transactions.

The MLRs 2017, amended in 2019 to add cryptoasset businesses, apply to "relevant persons" in these categories:

  • Credit institutions: banks, building societies, credit unions
  • Financial institutions: payment institutions, e-money institutions, investment firms, money service businesses, life insurance intermediaries
  • Cryptoasset exchange providers and custodian wallet providers
  • Auditors, insolvency practitioners, external accountants, and tax advisers
  • Independent legal professionals: solicitors, notaries, and others advising on financial or real property transactions
  • Trust or company service providers (TCSPs)
  • Estate agents and letting agents handling monthly rents of €10,000 or more
  • High value dealers: businesses accepting cash payments of €10,000 or more for goods
  • Casinos
  • Art market participants in transactions of €10,000 or more

The MLRO's central function is receiving internal suspicious activity reports from staff, deciding whether to file an external SAR with the National Crime Agency (NCA), and owning the firm's AML programme, training, and policies. For a closer look at exactly who makes the filing decision, see "Who files a SAR: the MLRO or the compliance officer?"

FCA-authorized firms

If the firm is FCA-authorized, the MLRO holds Senior Manager function SMF17 under the Senior Managers and Certification Regime. The FCA must individually approve the appointment. That approval carries personal accountability: enforcement action for AML failures can be directed at the MLRO, not just the firm. Fines and industry prohibition are both on the table.

Sole traders and small firms

There's no minimum headcount exemption. A sole practitioner accountant, a two-person TCSP, a single-branch estate agent: all need a nominated officer. The owner or principal can serve in the role, but the obligation applies regardless of size.

Non-appointment is a criminal offence

Operating in the regulated sector without an MLRO is an offence under both the MLRs 2017 and the Proceeds of Crime Act 2002. The FCA can impose unlimited fines and revoke authorization. HMRC supervises non-FCA entities such as estate agents and high-value dealers and can pursue civil penalties and criminal prosecution under the same framework.

Equivalent roles in other jurisdictions

MLRO is primarily a UK and Irish title. EU member states implementing the Fourth Anti-Money Laundering Directive (4AMLD) and its successors require a designated AML compliance officer at management level. In the United States, the Bank Secrecy Act requires a BSA/AML Compliance Officer with comparable duties. Ireland uses the MLRO title directly in the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010.

Why this matters

The MLRO appointment is a compliance obligation, but it's also a single point of accountability. When the FCA or HMRC examines a firm after a suspicious transaction, they ask who the MLRO was, what they knew, and what they decided. An under-resourced or inappropriately junior MLRO creates legal exposure for both the individual and the firm.

We've seen smaller firms appoint a junior compliance analyst to tick this box, only to find the person unsupported and unable to push back on business lines. That arrangement fails the regulatory intent. The MLRO needs genuine authority, direct board access, and enough resourcing to review referrals properly.

Workload is a real constraint. A mid-sized payment firm processing high transaction volumes can generate hundreds of internal SAR referrals monthly. Manual review isn't sustainable without tooling. AI-assisted AML transaction monitoring can reduce that load considerably. Alert quality matters as much as volume: "What percentage of AML alerts are false positives?" explains the scale of the problem most MLROs are actually managing.

The MLRO's decisions interact directly with regulatory exam risk. Patterns of late SARs, unexplained swings in referral rates, or consistently high no-action ratios draw examiner attention. "What triggers a regulatory exam?" covers the full picture. And if an exam goes badly, "What happens when a bank fails an AML exam?" explains the range of consequences the MLRO and the firm face.

Because the MLRO is personally accountable under SMCR, every filing decision needs a clear audit trail: what information was available, what was concluded, and when. "How long do banks have to file a SAR?" covers the timing constraints the MLRO operates under once a decision to file is made.

Customer due diligence is where most internal SAR referrals originate. Understanding what distinguishes CDD from EDD and how often customer risk ratings need to be refreshed is part of the MLRO's operational picture.
