Guidance for new Money Laundering Compliance Officers (MLCOs) and Money Laundering Reporting Officers (MLROs)

MLCO and MLRO are the two anti-money laundering roles set out in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the regulations).

The requirements in the regulations to appoint a MLRO and MLCO are very brief and are set out at regulation 21:

  • MLCO: Regulation 21 (1) states: "Where appropriate with regard to the size and nature of its business, a relevant person must—
    • appoint one individual who is a member of the board of directors (or if there is no board, of its equivalent management body) or of its senior management as the officer responsible for the relevant person's compliance with these Regulations."
  • MLRO: Regulation 21 (3) states: "An individual in the relevant person's firm must be appointed as a nominated officer."

Under regulation 3: "nominated officer" means a person who is nominated to receive disclosures under Part 3 (terrorist property) of the Terrorism Act 2000 or Part 7 (money laundering) of the Proceeds of Crime Act 2002.

The provisions give rise to a host of duties and obligations. The main ones are:

  • MLRO: must report suspicion of money laundering or terrorist financing to the National Crime Agency (NCA) under legal obligations. Failure to report is a criminal offence under the Proceeds of Crime Act 2002 and Terrorism Act 2000.
  • MLCO: will bear ultimate responsibility for any breaches of the regulations. They can delegate some of their tasks, but we expect them to have a detailed knowledge of their firm’s AML regime and to be our point of contact for AML-related queries.

These are substantial roles with considerable responsibilities and should not be undertaken lightly.

Distinct Roles

Below, we have set out a brief guide for new MLCOs and MLROs. These are roles with distinct duties, so we have presented them side-by-side. Most firms, around 90% in fact, choose to have one person hold both roles.

The guidance is intended to apply to those taking up the role, whether in a new firm or taking over from an established MLCO and/or MLRO. In the latter case, the importance of a proper handover cannot be overstated. If possible, it may be helpful to shadow the previous role holder to get an idea of the work involved.

All firms in scope need to have an MLRO in post. Although the need to appoint an MLCO is expressed in regulation as arising ‘where appropriate to the size and nature of the business’, it is likely to be appropriate in the vast majority of cases.

Practices not needing an MLCO are likely to be:

  • Sole practices, who do not need to appoint an MLCO or MLRO if they do not employ, and are not in association with, anyone other than the principal
  • Practices which only carry out work that falls within scope of the regulations on a very occasional basis.

Firms need to seek our approval of anyone taking up either AML officer role, which can be done using the firm’s mySRA account. This includes providing a Disclosure and Barring Service check, not more than three months old. 

Am I suitable to hold this role?

The regulations require the MLCO to be "a member of the board of directors (or if there is no board, of its equivalent management body) or of its senior management".

We would consider:

  • being a partner, director or LLP member to be equivalent to a board member
  • senior management means having sufficient authority to take decisions and exercise control over the management of the business.

Among other things, you should hold sufficient authority to:

  • insist that partners, directors and members do what is requested of them.
  • make decisions on how firm-wide training should be provided.
  • decide what areas of work or clients are within the firm’s risk appetite.

Has the SRA been informed?

You, or somebody in your firm, must inform the SRA when the holder of the MLCO role changes. If this has not been done, it is your responsibility. This must be done within 14 days of your appointment.

You can do this via your firm’s mySRA account.

Who are your key colleagues?

  • Heads of relevant departments – the main ones are likely to be:
    • conveyancing – both residential and commercial
    • corporate
    • commercial
    • wills & probate
    • tax.
  • Finance director and senior finance staff
  • Compliance staff.
  • Managing director.

Is your firm in scope?

Look at regulations 11 and 12. Does your firm carry out any of these functions?

If not, you are not likely to be in scope.

Some firms have declared themselves to us as being in scope when they do not need to be. You can change your firm’s status in your mySRA account.

Am I suitable to hold this role?

Although there are no explicit requirements of seniority in the regulations, much of your role will involve accountable decision making and giving advice, some of which may be unwelcome.

You should be sufficiently senior in the firm to have a voice of authority and the final say on whether a report should be made to the NCA.

Has the SRA been informed?

You, or somebody in your firm, must inform the SRA when the holder of the MLRO role changes. This must be done within 14 days of your appointment.

You can do this via your firm's mySRA account.

Has your appointment been announced?

Sadly, criminals will not wait for you to settle into your new role.

Your colleagues need to know to whom they should make internal reports – this gives them a defence under ss.326 & 327 PoCA.

Make sure an announcement is made to everyone at your firm along with the relevant contact details.

Where are your SARs kept?

If you are the firm’s first MLRO, you will need to come up with a system for recording and storing SARs.

These should not be kept on client files, nor should any reference to them be on the file.

They should be centrally and securely stored.

If you are taking over as MLRO, you should make sure that you know where the SARs are stored and that you have access to them.

Register with the NCA to submit SARs

Time may be short when you need to make a SAR, so make sure that you are registered in advance. Register at the NCA website.

Who is going to be your deputy?

Having a deputy is not compulsory but is good practice.

A deputy can provide you with cover during absences, holidays and busy periods.

They can be a useful sounding-board when you need assistance.

Read and consider your firm's AML policies, controls and procedures (PCPs).

Every firm in scope of the regulations must have these in place, irrespective of its size or if only doing small amounts of work in scope.

The PCPs may be spread across several documents, for example:

  • separate documents for due diligence
  • file-opening forms
  • forms given to clients to complete.

If the PCPs are in several places, they must not contradict one another.

If the firm does not have PCPs in place, you must make a report to us under Regulation 3.9 of the SRA Code of Conduct for firms. We will of course take into account the fact that you have self-reported.

Check whether your firm has a firm-wide risk assessment (FWRA) in place

Every firm in scope of the regulations must have one in place, no matter how small it is.

If your firm does not have a FWRA in place, and you are not a new firm, you must:

  • immediately take steps to produce one.
  • make a report to us under Regulation 3.9 of the SRA Code of Conduct for firms. We will take into account the fact that you have self-reported.

If you have a FWRA in place, read it and consider:

  • where do my firm’s vulnerabilities lie?
  • does it reflect accurately the business my firm carries out?
  • are there any inconsistencies with the firm’s other AML documentation?

Set aside time to read the Legal Sector Affinity Group guidance, the SRA's sectoral risk assessment, and any relevant guidance and warning notices we have issued.

What are my training needs?

As MLCO, you should have a deeper knowledge of AML risk and prevention than your colleagues.

Consider your own knowledge of AML and assess any gaps.

Make arrangements to undergo training, whether this is internal or external.

Set aside time to read the Legal Sector Affinity Group guidance, the SRA's sectoral risk assessment, and any relevant guidance and warning notices we have issued.

Who is going to be your deputy?

Having a deputy is not compulsory but is good practice.

A deputy can provide you with cover during absences, holidays and busy periods.

They can be a useful sounding-board when you need assistance.

Establish how fee earners and others can make internal reports of suspicious activity to you.

This should be set out in the firm's policies, controls and procedures (PCPs), which you should read in full.

Even if you work at an established firm, what worked for your predecessor may not work for you.      

Requiring fee earners to fill out a form is helpful and standardises responses but may prevent them from reporting, particularly where time is short.

Make sure that you are available for colleagues to answer queries or provide advice to determine whether there is cause for suspicion.

Do you know how to make a SAR?

Making a SAR is not always straightforward.

You must understand the difference between:

  • A Defence Against Money Laundering (DAML) SAR: this is a notification to the NCA that you intend to conduct a transaction but have identified suspicions of money laundering. You therefore request a defence from any potential money laundering offences before you proceed with a transaction. For example, when you have received a sum of money for completion of a conveyance which comes from an unexpected and suspicious source. Consent might be sought to either return the funds or to proceed with the transaction.
  • Information SARs: these are generally submitted when a transaction or event has already taken place. For example, where you are suspicious about a potential client you decided not to take on, or about a transaction which has already happened.

You should read the NCA’s guidance on how to make an effective SAR and keep up to date with the latest NCA guidance on SAR reporting.

If any SARs were made before you took over the role, take time to read them.

What are my training needs?

As MLRO, you should have a deeper knowledge of AML risk and prevention than your colleagues, as well as an understanding of what money laundering and terrorist financing risks are affecting the legal sector. 

Consider your own knowledge of AML and terrorist financing and assess any gaps.

Arrange to undergo training, whether this is internal or external, and keep your knowledge current.

Set aside time to read:

  • the Legal Sector Affinity Group guidance
  • the NCA’s National Risk Assessment
  • the SRA’s sectoral risk assessment

Check the firm’s PCPs are compliant

Check whether they are up to date with the latest amendments to the regulations.

If these are not up to date, then as a matter of urgency:

  • make sure that they are made compliant.
  • disseminate to the rest of the firm, highlighting the changes.
  • record and evidence that you have done so.

Consider your other roles within the firm

What other roles do you hold?

  • COLP
  • COFA
  • Managing partner or equivalent
  • Head of Department
  • Staff partner
  • CEO
  • Complaints partner
  • Any other management role.

How will you divide your time between these?

Is it realistic to hold all these roles?

Should somebody else take any of them on, or can some functions be delegated?  Could your deputy assist?

Are you a fee earner?

Does your fee earning target take account of your AML role?

  • if so, is it adequate?
  • if not, is there scope to reduce it?

Make your presence known

You will be more effective as an MLRO, and fee earners will feel more comfortable coming to you, if you are someone they recognise and speak to.

You may want to consider measures like:

  • regular floorwalks
  • attendance at team and department meetings.
  • booking out time for AML clinics.

Consider your other roles within the firm

What other roles do you hold?

  • COLP
  • COFA
  • Managing partner or equivalent
  • Head of Department
  • Staff partner
  • CEO
  • Complaints partner
  • Any other management role.

How will you divide your time between these?

Is it realistic to hold all these roles?

Should somebody else take any of them on, or can some functions be delegated? Could your deputy assist?

Are you a fee earner?

Does your fee earning target take account of your AML role?

  • if so, is it adequate?
  • if not, is there scope to reduce it?

Bear in mind that a SAR can take many hours to prepare and submit, and there may be further action needed.

Do the firm’s staff know when they should report to you?

Are the PCPs sufficiently clear on what they need to do?

  • many PCPs we have seen spend pages on the law behind SAR reporting. This is immaterial to most fee earners.
  • the PCPs should make clear when they need to report to you.

Check what training has been put in place, and whether the PCPs are clear on the firm’s training framework.

Consider what reminders or refreshers existing staff may have.

Consider whether you and your role should be part of staff induction.

Assess your firm’s training needs and arrange to address them.

Who must be trained?

  • the regulations say that training must be provided to anyone who is, or could be, capable of assisting with identification, mitigation, prevention, or detection of the risk of money laundering.
  • this includes any partners, consultants, locums etc who fall within the above.

Consider whether training should be provided internally or externally.

There is no set regularity for training, so you should consider how often it needs to be provided. Consider factors such as:

  • regulatory changes
  • new areas of work
  • mergers with other firms
  • findings from the last audit
  • SARs submitted.

Continue to monitor this to see whether the training you are providing is up to date and sufficient.

Make arrangements for an audit

First consider whether your firm needs an audit. This is likely to be the case for all but the smallest firms where the MLCO has direct oversight over all work in scope.

An audit, under regulation 21, must be independent but does not need to be provided by someone outside the firm.

  • they should not be the MLRO or MLCO.
  • related staff such as compliance or AML specialists may also not be suitable, depending on their involvement with preparation of the firm’s PCPs.

Audits must do two things:

  • assess the adequacy of the firm’s AML policies, controls and procedures. This means that these documents should be both up to date and suitable for the firm.
  • assess the effectiveness of the firm’s AML policies, controls and procedures. This means reviewing whether or not the policies are being followed, and whether they are working as expected.

Has one been conducted?

  • if so, have the recommendations been actioned?

Determine how often the firm needs an audit – for example, biennial, annual, or more regularly? Consider factors such as:

  • regulatory changes
  • new areas of work
  • mergers with other firms
  • findings from the last audit
  • SARs submitted.

Review the reports you have received and consider any trends.

Do they expose any vulnerabilities in the firm’s AML regime?

Is there anything to be fed into the firm-wide risk assessment?

If you are receiving a small number of queries and reports, or none at all, consider why.

Does this reveal any training needs?

Are there any barriers to reporting suspicions to you?

Finally, remember that help and advice are available:

SRA Professional Ethics helpline: Suitable for most queries regarding ethical and conduct issues.

The Law Society Practice Advice Service: Speak to other solicitors about practical and business issues.

The Legal Sector Affinity Group guidance, pages 26-30, sets out guidance on internal governance including the roles of MLCO and MLRO.