MLRO Responsibilities at an EMI: The Role, Requirements and Practical Obligations

17 March 2026

The Money Laundering Reporting Officer (MLRO) is simultaneously one of the most important and most exposed roles in a regulated financial institution. The MLRO is the individual designated under the Proceeds of Crime Act 2002 (POCA 2002) and the MLR 2017 as the person responsible for receiving internal suspicion reports, deciding whether to make Suspicious Activity Reports (SARs) to the National Crime Agency (NCA), and overseeing the firm's overall AML and counter-terrorist financing (CTF) compliance programme. At an FCA-authorised EMI, the MLRO also holds Senior Management Function 17 (SMF17) under the SM&CR, making them personally accountable to the FCA for the adequacy of the firm's financial crime controls. This combination of criminal law exposure (personal liability under POCA 2002) and regulatory accountability makes the MLRO role one of the most consequential in financial services compliance. This article sets out the practical scope of MLRO responsibilities at an EMI.

The Legal Foundations of the MLRO Role

The MLRO role at a UK-regulated EMI is grounded in three overlapping legal frameworks. First, POCA 2002: Section 330 of POCA 2002 creates the offence of "failure to disclose" by a person in the regulated sector who knows or suspects, or has reasonable grounds to suspect, that another person is engaged in money laundering and fails to disclose to the NCA as soon as practicable. The MLRO's designation is the mechanism through which the firm complies: employees report suspicions to the MLRO (internal SAR), the MLRO evaluates the report and decides whether to submit an external SAR to the NCA. If the MLRO fails to submit an external SAR where one was required, the MLRO commits the Section 330 offence — a potentially custodial criminal offence.

Second, MLR 2017: Regulation 21 requires relevant persons to appoint a nominated officer — the MLRO — and to establish and maintain policies and procedures covering risk assessment, customer due diligence, ongoing monitoring, record-keeping, and employee training. The MLRO's oversight of these policies and procedures is an ongoing compliance function, not a one-time setup exercise. The MLR 2017 requires these policies to be updated as the business evolves and the risk environment changes.

Third, FCA SM&CR: Under the Senior Managers and Certification Regime, the MLRO performs SMF17 (Money Laundering Reporting Officer function). SMF17 requires the individual to take reasonable steps to ensure the firm complies with its AML and CTF obligations. FCA enforcement action against MLROs has included public censure, financial penalties, and prohibition orders. The FCA's expectations of MLROs are set out in its guidance on SM&CR and in supervisory publications including Dear CEO letters directed at specific sectors.

Day-to-Day MLRO Responsibilities

The practical scope of an MLRO's responsibilities at an EMI handling high-risk business sectors includes:

Internal SAR review and external SAR decisions: The MLRO receives internal reports from staff who have identified potential suspicion. Each report must be evaluated: does it meet the threshold for external SAR submission to the NCA? The standard is whether the MLRO knows or suspects, or has reasonable grounds to suspect, that the reported activity involves the proceeds of crime or terrorist financing. The MLRO must document their decision (to report or not report) with a contemporaneous record of their reasoning. The volume of internal SARs at an EMI serving high-risk sectors can be significant; a well-designed transaction monitoring programme that calibrates alerts appropriately is essential to avoid the MLRO being overwhelmed by false positives.

Transaction monitoring programme oversight: The MLRO is responsible for ensuring the firm's transaction monitoring rules are appropriate for its business and risk profile. This includes: reviewing and approving the rule set at least annually, reviewing alert volumes and false positive rates to ensure the programme is calibrated correctly, and ensuring that escalation from automated alerts to human review is functioning effectively. For EMIs serving iGaming and crypto clients, transaction monitoring rules must be calibrated to the specific risk patterns relevant to those sectors — the rules appropriate for retail banking are not appropriate for crypto on/off-ramp operations.

KYC and EDD oversight: The MLRO oversees the adequacy of the firm's customer due diligence processes, reviews EDD files for higher-risk customers, and has the authority to approve or reject customer onboarding decisions where compliance concerns are identified. At CCYFX, GP has direct sign-off on EDD decisions for the highest-risk client categories, including offshore structures and crypto businesses.

AML training programme: MLR 2017 Regulation 24 requires regulated persons to take measures to make relevant employees aware of the law relating to money laundering and terrorist financing and to regularly train those employees on how to recognise and deal with transactions that may be related to money laundering or terrorist financing. The MLRO is typically responsible for the design and maintenance of the AML training programme, ensuring it is tailored to the roles of different staff and updated to reflect regulatory and typological developments.

Annual MLRO report: Best practice at regulated firms — and FCA expectation in practice — is for the MLRO to produce an annual report to the Board summarising: SAR volumes and outcomes, transaction monitoring performance, key risk themes identified during the year, KYC/EDD programme performance, training completion, and any recommendations for compliance programme improvement. This report creates a documented record of the MLRO's oversight and provides the Board with the information it needs to satisfy itself that the firm's AML controls are adequate.

SAR Regime: Practical Operation

Submitting a SAR to the NCA via the UK Financial Intelligence Unit (UKFIU) is a legal obligation when the MLRO's threshold is met, but the mechanics must be properly understood. SARs submitted to the NCA create a "moratorium period" — once a SAR is submitted, the firm cannot carry out a prohibited act (continuing to manage or assist with the suspected proceeds of crime) until either the NCA consents (grants a "consent SAR" or "defence against money laundering" — DAML) or the seven-day moratorium expires. In practice, for high-value transactions where the SAR relates to a pending activity, this DAML process must be managed carefully to avoid both tipping off the customer and inadvertently committing a money laundering offence by proceeding without consent.

The UK National Crime Agency reported over 901,000 SARs submitted in 2022/23, of which approximately 25,000 were DAML SARs seeking consent before proceeding. The quality of SAR submissions — specificity of suspicion, completeness of supporting information — is a factor in NCA's ability to act on intelligence; the FCA has highlighted concerns about low-quality SARs that provide insufficient information for law enforcement use.

GP at CCYFX has direct responsibility for SAR submission decisions and maintains the firm's SAR register, including documentation of all internal reports received, decisions made, and reasoning. Our approach to SAR management prioritises quality over volume — each report is evaluated carefully rather than submitted reflexively on the basis of automated alerts alone.

CCYFX's MLRO function is led by Gabriel Pincus (GP), a Director of CCYFX with extensive experience in financial crime compliance for high-risk business sectors. CCYFX is an FCA-authorised EMI (FRN 987654).