MLRO Responsibilities Under UK Law: A Complete Guide

The Money Laundering Reporting Officer (MLRO) is the single most legally exposed individual in any regulated financial services firm's compliance structure. The role carries personal criminal liability under the Proceeds of Crime Act 2002 and the Terrorism Act 2000, regulatory accountability under the FCA's Senior Managers and Certification Regime, and professional obligations that span strategic programme design, day-to-day operational management, and direct engagement with law enforcement. Understanding the full scope of MLRO responsibilities — and the legal consequences of failing to discharge them — is essential for anyone appointed to the role or considering doing so.

The Legal Foundation: POCA 2002 and TACT 2000

The role rests on statute. Regulation 21(3) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) requires a regulated firm to appoint a nominated officer who receives internal suspicious activity reports from employees and decides whether to make external SARs to the NCA. Strictly, "nominated officer" is the statutory term used in POCA and TACT, while "MLRO" is the FCA's term (SYSC 6.3.9R) for the senior individual responsible for the firm's AML systems and controls; in practice the same person holds both roles, and this guide uses MLRO for both. The regulation implements Article 8 of 4AMLD, but the obligations bite through domestic criminal law in two primary statutes:

Proceeds of Crime Act 2002: Section 331 creates the offence of "failure to disclose: nominated officers in the regulated sector." The MLRO commits this offence if, having received an internal report, they know, suspect, or have reasonable grounds to suspect that a person is engaged in money laundering and fail to disclose this to the NCA as soon as practicable. The maximum sentence is five years' imprisonment. Section 333A creates the tipping off offence that constrains the MLRO's ability to discuss SAR decisions with customers or other parties.

Terrorism Act 2000: Section 21A (failure to disclose: regulated sector) creates the equivalent disclosure obligation for terrorist financing, and section 21D the corresponding tipping off offence. An MLRO who receives an internal report of suspected terrorist financing and fails to pass it to the NCA as soon as practicable commits a serious criminal offence, again carrying a maximum of five years' imprisonment on indictment.

Critically, these are personal criminal obligations — not corporate ones. The MLRO cannot hide behind the firm's decisions, and the firm cannot indemnify the MLRO against criminal liability. This makes the independence and authority of the MLRO function essential: an MLRO who lacks the authority to file SARs without commercial approval, or who faces pressure from management not to report, is in a structurally untenable position.

SM&CR and Individual Accountability

For firms within the Senior Managers and Certification Regime (FSMA-authorised firms), the MLRO holds the Senior Management Function SMF17. This means the MLRO must be individually approved by the FCA before taking on the role, and bears personal accountability for the prescribed responsibilities set out in their Statement of Responsibilities. The FCA can take enforcement action against an MLRO personally where there has been a material failure of the AML programme within their area of responsibility. Payment institutions and electronic money institutions authorised under the Payment Services Regulations 2017 and Electronic Money Regulations 2011 currently sit outside SM&CR, so their MLRO is not an approved SMF; the FCA nevertheless expects such firms to designate an MLRO, assesses the individuals responsible for the firm's management at authorisation and on an ongoing basis, and the POCA and TACT exposure described above applies regardless of the supervisory regime.

The combination of SM&CR accountability and POCA criminal exposure means that the MLRO must actively satisfy themselves — on an ongoing basis — that the firm's AML programme is adequate, that internal SAR processes are functioning, that training is being conducted, and that suspicious activity is being reported. Passive reliance on management assurances is not sufficient; the MLRO must maintain independent visibility over programme performance.

Internal SAR Process

A core operational responsibility of the MLRO is managing the internal SAR process — the mechanism by which employees of the firm make disclosures to the MLRO rather than directly to the NCA. The internal process must be documented in the firm's AML policies and procedures, communicated to all employees, and actively managed.

The MLRO's obligations in the internal SAR process include:

  • Receiving and acknowledging all internal reports promptly — typically within one business day
  • Investigating each report with sufficient diligence to form a view on whether a POCA or TACT disclosure obligation arises
  • Filing an external SAR with the NCA where there are grounds for suspicion, or documenting the reasons for declining to file
  • Where the firm needs a defence against money laundering (a DAML, or consent SAR) before carrying out a prohibited act, submitting the DAML request and managing the statutory timelines under POCA section 335: a seven working day notice period, and, if consent is refused, a 31-day moratorium period, during which the transaction must not proceed
  • Maintaining records of all internal reports and the MLRO's decisions, for a minimum of five years
  • Providing feedback to employees who submitted reports, where this can be done without creating tipping off risk

The MLRO must never allow commercial considerations to influence SAR decisions. The decision to file or not file must be based solely on whether there are grounds for suspicion — not on the value of the customer relationship, the seniority of the person suspected, or the commercial convenience of the outcome.

Training Obligations

Regulation 24 of MLR 2017 requires regulated firms to take appropriate measures to ensure employees are aware of the law relating to money laundering and terrorist financing, and to provide training on how to recognise and deal with transactions and situations that may relate to money laundering or terrorist financing. The MLRO is responsible for ensuring this training is designed, delivered, and documented.

AML training must be: role-specific (a front-line customer-facing employee needs different training from a back-office operations analyst); regularly refreshed (typically annual re-training as a minimum, with more frequent updates when typologies or regulations change); practically applicable (focused on the specific red flags relevant to the firm's business); and completion-tracked with records retained. Generic annual e-learning that is identical for all employees is not adequate for a growing payment institution with a high-risk customer base.

The MLRO should review training content at least annually and update it whenever there are material changes to: the regulatory framework; the firm's product set or customer base; identified financial crime typologies; or lessons from SAR filing patterns, transaction monitoring outcomes, or regulatory examination findings.

Record-Keeping Requirements

Regulation 40 of MLR 2017 requires firms to retain CDD records for five years from the end of the business relationship (or, for occasional transactions, five years from the transaction date). Transaction records must also be retained for five years. Regulation 40 also requires personal data held for AML purposes to be deleted at the end of that period unless another enactment or legal proceedings require retention or the data subject has consented, so retention schedules need an end date as well as a minimum. The MLRO is responsible for ensuring these record-keeping obligations are implemented operationally and that records are available to the FCA, HMRC, or NCA on request without undue delay.

FCA and HMRC Supervision

FCA-regulated payment institutions are supervised for AML compliance by the FCA, which has powers to examine the firm's AML programme and take enforcement action against both the firm and the MLRO individually. HMRC supervises non-FCA-supervised MSBs (including many currency exchange firms) and has its own AML examination regime. The MLRO should maintain awareness of which supervisory body has AML oversight of their firm, understand that body's inspection priorities, and prepare for supervisory engagement proactively rather than reactively.

Annual reporting obligations — including the MLRO's annual report to the Board on the state of the AML programme, SAR statistics, training completion rates, and any material compliance issues — should be treated as a governance document in their own right, not a formality. In a supervisory examination, the quality of the MLRO's annual reports is one of the first indicators assessed of programme maturity.

Need specialist payment infrastructure?

CCYFX provides compliant IBANs, FX, and payment solutions. Speak to our team today.

Apply Now
