The MLRO Role in an Accountancy Firm: Duties and Responsibilities

The MLRO Role in an Accountancy Firm: Duties and Responsibilities

The Money Laundering Reporting Officer (MLRO) is the person in an accountancy firm legally responsible for receiving internal suspicious activity reports, deciding whether to report them to the authorities, and acting as the firm's main point of contact on money laundering matters. In the UK, the Money Laundering Regulations 2017 (MLR 2017) call this person the nominated officer; in Ireland, the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 imposes equivalent reporting structures on designated persons. In practice, most firms use the title MLRO, and the role carries personal legal exposure that partners should not take lightly.

Is an MLRO a legal requirement for accountancy firms?

Yes, in almost all cases. Under regulation 21 of MLR 2017, a UK firm must appoint a nominated officer to receive internal reports of suspected money laundering and decide whether a Suspicious Activity Report (SAR) should be made to the National Crime Agency (NCA). Where the firm has a board or senior management body, it must also appoint a member of that body as the officer responsible for compliance with the regulations — often called the Money Laundering Compliance Principal (MLCP) or compliance officer. In smaller firms one person frequently holds both roles, and a sole practitioner is typically their own MLRO by default.

In Ireland, designated persons — which include external accountants, auditors and tax advisers — must have procedures for staff to report suspicions internally and for the firm to report onwards to the authorities. While the Irish legislation does not use the term MLRO, supervisory bodies such as Chartered Accountants Ireland expect firms to nominate a specific senior individual to own this process, and inspections will ask who that person is.

Who can be an MLRO?

The MLRO should be a senior individual with sufficient authority, independence and access to information to do the job properly. Supervisors look for:

• Seniority: typically a partner, director or member of senior management who can challenge client-facing colleagues and refuse to act where necessary.
• Access: unrestricted access to client files, due diligence records and engagement information across the firm.
• Capacity: enough time to handle internal reports promptly. A common supervisory finding is that the MLRO role is bolted onto an already overloaded partner with no protected time.
• Approval: in the UK, beneficial owners, officers and managers (BOOMs) of supervised firms must be approved by their supervisor under regulation 26, which includes criminal record checks. The MLRO will almost always be a BOOM.
• Training: deeper and more current AML knowledge than the rest of the firm, refreshed regularly through structured CPD.

Outsourcing judgement is not permitted: a firm can buy in compliance support, but the nominated officer must be part of the firm and personally makes the reporting decision.

What are the core duties of the MLRO?

The role breaks down into five operational workstreams:

1. Receiving and evaluating internal reports

Every member of staff must know how to escalate a suspicion to the MLRO, and the MLRO must assess each internal report on its own merits. The decision is whether the firm has knowledge or suspicion (or reasonable grounds for suspicion) of money laundering or terrorist financing. The MLRO should document the reasoning behind every decision — including decisions not to report externally, which are the ones supervisors scrutinise hardest.

2. Making external reports

In the UK, the MLRO submits SARs to the NCA through the SAR Online portal, using the NCA's glossary codes so the UK Financial Intelligence Unit can triage the report. Where the firm would otherwise commit a money laundering offence by continuing to act — for example, handling funds it suspects are criminal property — the MLRO requests a Defence Against Money Laundering (DAML). The NCA has seven working days to respond; if it refuses, a 31-day moratorium period applies before the firm can proceed. In Ireland, suspicious transaction reports are made on a dual basis: to the Financial Intelligence Unit (FIU Ireland) via the GoAML system and to the Revenue Commissioners.

3. Guarding against tipping off

The MLRO controls who within the firm knows that a report has been made. Telling a client, or anyone else, in a way that could prejudice an investigation is the criminal offence of tipping off. Practical control points include restricting access to the SAR log and scripting how client-facing staff respond to questions while a DAML is pending.

4. Oversight of the firm's AML framework

Even where a separate compliance officer exists, the MLRO is usually central to maintaining the firm-wide risk assessment, AML policies and procedures, client due diligence standards, staff screening and the training programme. The MLRO should report to the board or partners at least annually on the state of AML compliance, SAR volumes and emerging risks.

5. Liaising with the supervisor

The MLRO typically handles supervisory questionnaires, inspection visits and follow-up actions from the firm's professional body supervisor — and, in the UK, should be tracking the planned transfer of AML supervision to the Financial Conduct Authority, announced by the government in 2025 and expected to take several years to implement.

What records must the MLRO keep?

A defensible MLRO file is the single best protection in an inspection or investigation. It should contain:

• A register of all internal reports received, with dates, the staff member reporting, and the outcome.
• Documented rationale for every decision to report or not report externally.
• Copies of SARs/STRs submitted, NCA or FIU acknowledgements, and DAML decisions.
• The annual MLRO report to partners or the board.
• Evidence of the MLRO's own training and supervisor approval.

Records supporting due diligence and transactions must generally be retained for five years. Common supervisor findings include internal reports handled informally by email with no register, no documented reasoning for "no report" decisions, and MLROs who cannot evidence their own AML training.

How should an MLRO structure their year?

The MLROs who sail through inspections tend to run the role to a calendar rather than reactively. A workable annual cycle for a small or mid-sized practice looks like this:

• Quarterly: review the internal report register and SAR log; check that any DAML moratorium dates and NCA responses are recorded; sample a handful of new client files for due diligence quality; review sanctions and high-risk country list changes affecting existing clients.
• Twice yearly: run or refresh staff training, including tailored sessions for higher-risk teams such as insolvency, payroll or company secretarial; test that staff actually know how to make an internal report by asking them.
• Annually: lead the review of the firm-wide risk assessment and the AML policies and procedures; deliver the MLRO report to the board or partners covering report volumes, training completion, file review findings and regulatory developments; refresh your own training and record it.
• Event-driven: update procedures when the regulations change, when the firm adds a service line or office, and when the supervisor publishes new sectoral guidance or thematic review findings.

Putting this cycle in writing — and minuting that it happened — converts the MLRO role from an abstract appointment into demonstrable activity, which is precisely what supervisors test for. ICAEW's thematic review of the MLRO role, for instance, focused not on whether firms had appointed someone but on whether that person could evidence what they actually did.

How does the MLRO role differ between the UK and Ireland?

The substance is similar but the reporting plumbing differs, which matters for firms operating in both jurisdictions. UK reports go to a single destination — the NCA's UKFIU — and the DAML consent mechanism, with its seven-working-day notice period and 31-day moratorium, has no direct Irish equivalent in the same form. Irish suspicious transaction reports are made to two bodies, FIU Ireland (via GoAML) and the Revenue Commissioners, and the Irish offence framework sits in the Criminal Justice Act 2010 rather than the Proceeds of Crime Act 2002. A firm with offices in Belfast and Dublin therefore needs its MLRO arrangements to handle two reporting regimes, two supervisors and two sets of guidance — a point worth addressing explicitly in the firm's procedures rather than leaving to improvisation when a cross-border suspicion arises.

Can the MLRO be personally liable?

Yes. A nominated officer who receives an internal report and fails to pass it on to the NCA where the statutory test is met commits an offence under the Proceeds of Crime Act 2002, punishable by imprisonment. Tipping off and prejudicing an investigation are separate offences. In Ireland, failure to report under the Criminal Justice Act 2010 is likewise a criminal offence. This is why the role demands genuine seniority, protected time and continuing education — not just a name in the firm's procedures manual.

Study with Learnsignal

If you are stepping into the MLRO role or refreshing your firm's AML framework, Learnsignal offers CPD-accredited AML and compliance training designed for busy accountancy professionals. Courses are fully online and flexible, so you can build the knowledge your supervisor expects to see evidenced — on your own schedule. Explore the full library at Learnsignal CPD.