Money laundering reporting officer role downgraded, fincrime professionals feel exposed

The money laundering reporting officer (MLRO) role has been downgraded in seniority, leaving financial crime professionals feeling exposed to retaliation, regulatory sanctions, and professional exclusion. Experienced UK MLROs and financial crime subject matter experts (SMEs) are increasingly quitting financial institutions to work as independent contractors and consultants to protect themselves.

“Senior bank executives don’t appreciate the complexity of the MLRO role, and that’s one of the reasons why people are not willing to become MLROs: they don’t feel supported,” said John Flynn, head of advisory services at Gracechurch, a financial crime prevention consultancy in London. MLROs felt vulnerable to prosecution or investigation by the Financial Conduct Authority (FCA), he added.

This reduction in the MLRO’s status, together with a lack of knowledge and experience among financial services senior executives, has contributed to systems and controls failings that leave the UK banking system open to criminal use. FCA data shows it has fined firms almost £717 million for financial crime and anti-money laundering (AML) failures from 2020 to 2024 year-to-date.

“The MLRO role increasingly has no standing with the board, and is increasingly being demoted in governance structures. Many complain that once you start to push back at the board level, you can be seen as someone who is disrupting business when it is a tough time commercially,” said Simran Bharaj, an independent financial crime SME and troubleshooter. “I don’t think regulators releasing the cap on bankers’ bonuses is going to help MLROs’ situation but only encourage commercial interests over proper risk management.”

More than ever, MLROs and other financial crime experts view their positions as high-risk, and fear that making disclosures internally or to the FCA will attract retaliation. Bharaj says in feedback from MLROs, one had reported a situation “where the regulator had named them in correspondence with the firm they were making the disclosures about” which caused them “significant distress and harm”. 

Long way to go

The threat of money laundering to the UK is about £100 billion annually, according to the National Crime Agency (NCA).

The FCA continues to focus on financial crime, AML and sanctions, having written to firms at least three times since 2021 about weaknesses observed in their systems and controls. It has commissioned 77 financial crime skilled persons reviews since 2019/20, with 23 of these in 2023/24, according to its annual report. But experts say there is much more work to do.

“Last year, the UK recovered only £273 million from [suspicious activity reports (SARs)]. Are we really tackling this? No, we’re not. Have we got the whole system right? Not at all,” said Gracechurch’s Flynn, who held MLRO roles at large European banks and insurers before becoming a consultant.

He said 9/11 was the point when banks took notice and had to introduce systems to identify clients under the sanctions, and this has continued to evolve over the past 20 years. “But there’s still a long way to go,” Flynn added.

Limited tenure

Another issue is that MLROs and financial crime staff working inside firms tend not to stay long. Peter Dougherty, a former MLRO at numerous tier one banks, reckons MLROs generally last between 18 months to five years in the senior management function (SMF) 17 role.

“After 18 months or two years of doing the role, your voice has been heard far too often. And while you are saying and doing all the right things, the businesses are jaded or looking for new ideas or a different approach, hoping for an alternate outcome,” said Dougherty, who also chairs the Institute for Money Laundering Prevention Officers, a community for financial crime professionals in the UK. Boards could even bring in a new MLRO “who says the same thing but with a different voice” but then the pattern gets repeated, he adds.

In 2021, the FCA wrote to 635 regulated firms asking for a board-level assessment of the underlying causes of high turnover in the MLRO position, according to a Freedom of Information Act request. The regulator followed that information request with new guidance setting out the “necessary skills and knowledge, from training and experience” for MLROs and heads of compliance to be effective.

It can take 18 months or more for a new MLRO to identify problems with AML systems and controls and then devise a plan to fix them. However, it takes more time to get sign off and budget allocated — by which time the proposed plans are pared back to the point of ineffectiveness, Dougherty said.

“An MLRO really needs to be in the role for four to seven years to do the job, but they don’t always get the continuity of senior management buy-in. As a businessperson, if you’re thinking fincrime and business, you should 99% of the time bring in safe business, and the MLRO should be there to help and to ensure the business doesn’t see financial crime as restrictive but as an added value,” he said.

Access and seniority

There is a disconnect between the serious responsibilities an MLRO carries and their reduction in status. In the UK, the MLRO is a SMF17, which requires regulatory approval and is required to sign up to a statement of responsibility to ensure accountability if things go wrong. The FCA handbook states a MLRO must have “a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility”.

Gracechurch’s Flynn said many people didn’t appreciate that the MLRO is a multi-skilled role. “[It] touches all the aspects of the business. You have to understand the law and regulation, you must understand the risk, communicate well, have commercial awareness, and you’ve also got to act with integrity.” Despite this responsibility — which can be even bigger for a MLRO at a group with multiple entities — the SMF17 does not enjoy the seniority, salary or access of their fellow SMFs.

“MLROs have to be sufficiently senior and independent according to the FCA rules, but then in the guidance it says they must have access to the board. So not actually on the board. It’s sort of self-defeating, because the FCA guidance actually pushes them down a level,” Flynn said.

“Most MLROs sit at least one or two levels away from the executive. Most of them report to the chief compliance officer or the chief risk officer, or sometimes through legal. I think one of the issues is that those messages are not getting to the executives; if executives are aware of an issue and it’s documented, they must take action,” Flynn said.

Gravitas

Outside of the top-tier banks, which tend to attract more experienced MLROs, firms are also hiring younger, less experienced financial crime practitioners to the SMF17 position Both because they are cheaper, and the role is not considered to be as important.

Dougherty said while those who “go in as a 25-year-old or even 30-year-old MLRO” may be just as intelligent as a seasoned MLRO, they don’t have the necessary “business life experience” or the “gravitas” to be taken seriously by people at a senior level.

Younger MLROs are also paid a lot less. Fintechs, in particular, are seeking to pay them between £80,000-£100,000, which is too low, according to experts. “At most of the established banks, the MLRO salary ranges anything between £160,000 and £250,000 depending on whether you’ve got an overseas remit of any multi-jurisdictional scope and the level you are,” Dougherty said.

“The fintechs and challenger banks appeared initially want to do it on the cheap but are learning through enforcement and peer assessment that this is not a prudent approach,” he added.

Fear of retaliation, low confidence in FCA

A call for evidence supported by The Institute earlier this year found 87% of financial crime staff considered the MLRO/SMF17 position to be a high-risk role exposed to internal and external retaliation. Respondents feared putting their career in jeopardy through negative referencing if they did report concerns to the regulator.

“That’s an incredibly high statistic,” Bharaj said. What that indicated is many people felt that they were unsafe in their role, given the responsibilities they have under the Senior Managers Regime. She added that, when asked if they thought it would be helpful to have a specialist regulator dealing with whistleblowing, and part of that would be to consider things that the MLRO disclosures stemming from SMR obligations, 97% agreed.

“It indicated there was a general lack of confidence around the way the FCA is handling whistleblowing from MLROs and financial crime specialists more generally, which needs to be recognised and addressed by the industry and regulators alike,” Bharaj said.

At the Institute’s conference in April, a financial crime professional raised their concern that a protected disclosure they made to the FCA was sent back to their employer in a way they believed they could be identified. Some financial crime professionals said they had similar experiences, or had left firms when they realised their concerns about customers or transactions were ignored.

“Nobody wants to stick their neck out, because they feel exposed. What kind of message is that going to send if they’re working somewhere else and they come across something suspicious? They’re just going to think: ‘last time I did this, it wasn’t worth it. I stuck my neck out and nearly got shot’,” said Dev Odedra, a consultant at Minerva Stratagem Consulting.

Odedra, who has worked in tier-one UK banks financial crime teams, said he has chosen not to become an MLRO.

“The number one reason is I’m not going to be able to do things the way I want to do them. I’ve been further down the ladder, and I’ve not had my way when I’ve been trying to manage risk. My sole remit is to manage the financial crime risk, and then everything else is second — profit, all the other stuff. If you’re not going to let me do the thing that I exist in this organisation for, what is the point of me?” Odedra said.