MLRO Handover Checklist

What is the MLRO Handover Checklist?

When an MLRO leaves, the compliance program doesn't pause. Regulators don't either.

Under the FCA's Senior Managers and Certification Regime, the incoming MLRO takes personal accountability for the AML program from the moment of appointment. They inherit whatever state the program is in, whether they know what that state is or not. The MLRO Handover Checklist is the document that bridges that gap.

This template is a structured Word document covering open SAR/STR filings, live investigations, transaction monitoring alert volumes and rule configurations, customer due diligence review schedules, staff training records, active regulatory correspondence, and program gaps from the most recent internal or external audit.

The duty to maintain program continuity is grounded in FATF Recommendation 1's risk-based approach: a firm's AML posture is a documented, verifiable state, not institutional memory held by one person. FATF's 40 Recommendations, and the domestic regulations that implement them, place board-level responsibility for program continuity irrespective of who holds the MLRO title on a given day.

Regulators expect evidence that AML controls function without interruption. A firm that can't demonstrate the compliance state at the moment of an MLRO change has an unnecessary gap in its audit trail. This checklist closes that gap before it opens.

The checklist is formatted for completion in sequence, with space for status notes, owner attribution, and review dates in each section. It's designed to be completed during the notice period and signed off by both the outgoing officer and the CCO before the last day.

Who needs the MLRO Handover Checklist?

The outgoing MLRO fills this in. The incoming MLRO (or interim designee) uses it to get to working competence fast.

Beyond that core pair, a wider set of roles depends on the document. The Chief Compliance Officer typically reviews and co-signs before the handover is formally complete. Internal audit uses it as a baseline when assessing program continuity in the 60 to 90 days after a transition. Board Risk Committees and Audit Committees may request it as governance evidence, particularly at institutions with formal succession requirements under SM&CR or equivalent. Legal and HR sometimes need it when the departure is contentious or involves regulatory notification.

By institution type, the checklist applies to retail banks, investment banks, building societies, payment institutions, e-money institutions, credit unions, life insurers with AML obligations, and DNFBPs (Designated Non-Financial Businesses or Professions) carrying a formal MLRO appointment.

The trigger moments are often predictable. Planned departures are the obvious case. But the checklist is equally important in less planned situations: sudden resignations, regulatory-mandated removals, and internal promotions where a deputy steps up without a formal transition record. In M&A situations, the acquiring firm should request a completed handover document as part of compliance due diligence, even if the target's MLRO is staying on during the integration period.

Firms preparing for a scheduled examination should also have a current version on file, even without an active transition. Regulators occasionally assess MLRO succession planning as a lens on governance maturity.

What's inside the MLRO Handover Checklist?

The document is structured in eight sections. Each includes fields for current status, responsible owner, and date last reviewed.

Section 1: Program overview

• MLRO appointment date and formal regulatory approval status
• Deputy MLRO: name, authority level, and readiness to assume the role
• Last board-approved AML policy version and review date
• Pending policy updates: owner and target completion date
• AML risk appetite statement: current version, whether it reflects actual exposure

Section 2: SAR/STR filing status

• Total SARs filed year-to-date and the same period in the prior year
• Open/pending SARs: reference numbers, stage, assigned analyst, consent deadline where applicable
• Consent SARs awaiting NCA or FinCEN response: outstanding items and the legal position while waiting
• Average time-to-submission against the internal service level target
• SARs that required legal escalation or board notification in the past 12 months

Section 3: Regulatory correspondence

• Regulator, case reference, subject, and last communication date
• Outstanding information requests and response deadlines
• Most recent examination: findings, agreed remediation plan, and current status of each action
• Voluntary self-disclosures made in the past 12 months

Section 4: Transaction monitoring configuration

• Alert volumes over the past 30, 60, and 90 days
• Current false-positive rate and open tuning tickets
• Rules under review, pending approval, or recently changed
• Suppression lists: reason, approval date, and expiry review date

Section 5: High-risk customers and EDD

• Total count of customers rated high-risk or very high-risk
• Enhanced due diligence reviews overdue: count and oldest case date
• PEP screening and sanctions screening system status: last batch-run date and known coverage gaps
• EDD cases in progress: customer identifier, reason, assigned analyst, next review date

Section 6: Staff and training

• Team org chart with names and seniority levels
• AML training completion rates by role (from the LMS export, not from memory)
• Vacancies, agency contractors on-site, and anyone on extended leave

Section 7: Vendor and system inventory

• Core AML platform(s): contract expiry date, account manager contact, escalation path for priority incidents
• Open support tickets affecting monitoring or screening functions
• Upcoming system changes or upgrades and their expected operational impact

Section 8: Governance and reporting

• Board and committee reporting calendar with next due dates
• Internal audit schedule and any open findings
• Outstanding management action plans: owner, due date, and current completion status

How to use the MLRO Handover Checklist

1. Start no later than 10 working days before departure. Two to three weeks is safer. The outgoing MLRO needs live system access to pull current data, and sections covering HR, IT, and audit require input from other teams. Starting on the last day means completing the document from memory, with gaps.

2. Work through sections in order. The sequence is deliberate. Section 1 establishes the baseline. Section 2 reveals where live SAR exposure sits right now. Section 3 shows whether time-sensitive regulatory obligations transfer immediately. Don't leave the regulatory correspondence section until last. Examiners have escalated matters where the incoming MLRO simply didn't know an information request was outstanding at the time of handover.

3. Assign a co-reviewer. The CCO or deputy MLRO should review each section for completeness before sign-off. "Not reviewed" fields are governance gaps. A co-reviewer catches them before an examiner does.

4. Hold a structured handover meeting. The document doesn't replace a face-to-face session. Use it as the meeting agenda. Spend the most time on Sections 2 and 3. For consent SARs with outstanding NCA or FinCEN responses, walk the incoming MLRO through the current legal position. These don't wait for the new officer to settle in.

5. File it formally. Store the completed document in the compliance governance file with signatures from both MLROs and the CCO. Date it. Under SM&CR, the incoming MLRO's accountability is live from day one. The signed handover document is their evidence of due diligence at the point of assumption.

6. Schedule a 30-day review. After 30 days in role, the incoming MLRO should revisit the checklist and note what was accurate, what was incomplete, and what changed immediately. This is particularly useful before an examination. For a broader view of AML exam preparation, see staying continuously exam-ready.

For teams dealing with a SAR backlog inherited at transition, including how to prioritize and work down the queue, the resource on clearing the SAR filing backlog covers the practical workflow adjustments.

Common mistakes to avoid

Starting too late. The most common failure: the outgoing MLRO begins filling this in on their last day. System access is often restricted by then, and sections requiring data from HR, IT, and audit take longer than expected. Two weeks is the hard minimum. Three is safer.

Treating open SARs as "in progress, someone will handle it." Open SARs have legal timelines, and consent SARs with outstanding NCA or FinCEN responses carry obligations that don't pause during a role change. The incoming MLRO needs reference numbers, deadlines, and the current legal position on day one, not week three.

Completing training rates from memory. This section must come from the LMS export. Regulators have found significant discrepancies between what outgoing officers remembered and what the records actually showed. Pull the report.

Omitting the vendor inventory. AML systems break. Contracts expire. If the incoming MLRO doesn't know who to call when the transaction monitoring platform raises a critical alert out of hours, that's a day-one operational gap. Include account manager names and escalation paths.

No CCO co-signature. A document signed only by the outgoing MLRO has limited governance weight. The CCO's signature confirms the organization has reviewed and endorsed the handover state. Without it, the document is personal rather than institutional.

Ignoring PEP-specific obligations at transition. FATF Recommendation 12 requires enhanced monitoring of politically exposed persons on a continuous basis. That monitoring doesn't pause during a personnel change. The incoming MLRO must know which PEP relationships have outstanding EDD reviews and what the current approval status is for each. Not knowing isn't a defense.

How FluxForce automates this

The manual work this checklist captures, including tracking open SAR pipelines, managing alert volumes, maintaining PEP screening and sanctions screening schedules, and keeping EDD reviews current, is what FluxForce's AI agents handle continuously. When an MLRO transition happens, the data needed for the handover document already exists, is current, and is audit-ready. No last-minute exports. No gaps filled from memory. The incoming MLRO sees an accurate program state from day one. Book a demo to see how FluxForce supports AML program continuity through leadership transitions.