MLRO meaning — the UK guide to the Money Laundering Reporting Officer role
What MLRO stands for, the legal basis, what the role actually does day-to-day, who can hold it, and how it differs from MLCO and Nominated Officer.
By Mehmood Rajoka · Last updated 2026-06-08
TL;DR — Quick Summary
- •MLRO means Money Laundering Reporting Officer — the legally appointed individual who receives internal disclosures of suspicion and decides whether to submit a SAR to the National Crime Agency.
- •The MLRO role exists under POCA 2002 (the SAR reporting duty) and is reinforced by MLR 2017 Regulation 21. In SRA-regulated law firms it sits alongside the MLCO, who owns the firm-wide AML programme.
- •Any business within the scope of MLR 2017 — accountants, solicitors, estate agents, TCSPs — must appoint an MLRO in writing. The role cannot be left vacant.
- •The MLRO must be sufficiently senior to act on suspicion without being overruled, and competent enough to apply legal judgement to grey-area cases.
- •Failure to appoint, or to act on, suspicious-activity reporting is itself a criminal offence under POCA s.330 — carrying up to 5 years' imprisonment for the individual responsible.
Answer-first summary
What does MLRO mean?
MLRO stands for Money Laundering Reporting Officer. The role is required under POCA 2002 — which creates the SAR reporting duty for regulated businesses — and reinforced by MLR 2017 Regulation 21, which requires firm-wide AML oversight. The MLRO is the named individual who receives internal disclosures of suspicion from staff, decides whether to file a Suspicious Activity Report with the National Crime Agency, and oversees the firm's overall response to money laundering risk. In SRA-regulated law firms, the MLRO sits alongside (or doubles as) the Money Laundering Compliance Officer (MLCO).
- Required for every business within the scope of MLR 2017
- Statutory function: receive disclosures (POCA s.330), file SARs (POCA s.338)
- Personally liable — up to 5 years' imprisonment for failure to report
- Must be sufficiently senior to act without being overruled
What an MLRO actually does
Six core responsibilities, drawn from POCA 2002, MLR 2017, and the LSAG / supervisory-body AML guidance:
Receive internal disclosures
Every staff member who knows or suspects money laundering must report it to the MLRO. The MLRO logs each internal disclosure, reviews the evidence, and decides whether to escalate.
File SARs with the NCA
Where suspicion is well-founded, the MLRO files a Suspicious Activity Report through the NCA's SAR Online portal. Where consent is needed to continue with a transaction, the MLRO files a Defence Against Money Laundering request (DAML).
Train and brief the team
The MLRO ensures every relevant employee receives AML training appropriate to their role, with refresher training at least annually. Training records must be retained for inspection.
Liaise with the supervisor
The MLRO is the firm's named contact for HMRC, the SRA, ICAEW, ACCA, or whichever body supervises the practice under MLR 2017. Inspection follow-ups, thematic reviews, and policy changes flow through the MLRO.
Manage tipping-off risk
Once a SAR has been considered or filed, the MLRO controls who in the firm knows about it. Disclosing a SAR to a client — or anyone who could prejudice an investigation — is a criminal offence under POCA s.333A.
Maintain the SAR register
The MLRO keeps a confidential record of every internal disclosure received, every decision made, and every SAR or DAML submitted. This register is the audit trail HMRC or the SRA will ask for first at inspection.
Who can hold the MLRO role
There is no licensing requirement — but six practical eligibility tests:
- Sufficiently senior — typically a partner, director, or owner — so they can act on suspicion without being overruled by a more senior colleague
- Knowledgeable about the firm's client base, services, and risk profile
- Competent on UK AML law: MLR 2017, POCA 2002, Terrorism Act 2000, and the relevant supervisory body's AML guidance
- Available — the MLRO must be reachable when staff need to escalate; long absences require a deputy
- Independent enough to file a SAR against a major client without commercial pressure overriding the decision
- Not the same person whose conduct is under suspicion (conflicts must trigger escalation to a deputy or supervisor)
MLRO vs MLCO vs Nominated Officer
The terms are often used interchangeably. They are not the same.
MLRO
POCA 2002 ss.330, 338Focus: SAR reporting — receives internal disclosures, files SARs and DAMLs
Typical in: All MLR-regulated firms (accountants, solicitors, estate agents, TCSPs)
MLCO
MLR 2017 Regulation 21Focus: Compliance programme — owns the firm-wide AML system, training, policies, supervisory liaison
Typical in: Larger firms — particularly SRA-regulated law firms — where the MLCO and MLRO are different people
Nominated Officer
POCA 2002 s.330(3) and s.338Focus: Same as MLRO — the POCA term for the person who receives disclosures and reports SARs
Typical in: Used interchangeably with MLRO in most practices
Five common MLRO mistakes
From supervisory enforcement actions, LSAG thematic reviews, and HMRC inspection findings:
Treating the role as a tick-box appointment
Naming the most junior partner without giving them the time, training, or authority to act creates personal criminal exposure for that individual and a foreseeable supervisory finding for the firm.
Skipping the 'I'd rather not file' default
POCA s.330 makes failure to report a criminal offence. The default position for the MLRO must be: if knowledge or suspicion exists, report. Anything else needs a documented reason.
Mixing SAR records with general client files
SAR records, DAML requests, and the MLRO's reasoning must be kept in a confidential register accessible only to the MLRO chain — not on the client matter file where staff outside the chain could see them.
Allowing the client relationship to leak the SAR
Tipping off under POCA s.333A is one of the most common AML failures. Coded language to clients ('we need to pause your matter for a regulatory reason') can still amount to tipping off if the client could infer a SAR has been filed.
No deputy MLRO
An MLRO on annual leave still has staff reporting suspicion. A deputy, formally appointed in writing, prevents the SAR pipeline from stalling.
FAQ
Answer-first summary
What does MLRO stand for?
MLRO stands for Money Laundering Reporting Officer — the individual within a regulated business who is legally responsible for receiving internal disclosures of suspicion about money laundering, deciding whether to submit a SAR to the National Crime Agency, and overseeing the firm's AML compliance programme. The role is required under both POCA 2002 (for SAR reporting) and MLR 2017 Regulation 21 (for firm-wide oversight).
Answer-first summary
Who can be an MLRO in a UK accountancy or law firm?
Any sufficiently senior, competent individual within the firm — typically a partner, director, or sole practitioner. The MLRO must be able to act on suspicion without being overruled, be reachable to receive disclosures, and have working knowledge of MLR 2017, POCA 2002, and the relevant supervisor's AML guidance. There is no licensing requirement, but most firms expect the MLRO to complete formal AML training annually.
Answer-first summary
Is the MLRO personally liable for AML failures?
Yes. POCA s.330 creates individual criminal liability for failing to report suspicion. An MLRO who knows or suspects money laundering and does not file a SAR — or fails to put a system in place that enables staff to report to them — can face up to 5 years' imprisonment. This is one of the reasons the appointment must be backed by training, authority, and time.
Answer-first summary
What's the difference between an MLRO and a Nominated Officer?
Practically, none. 'Nominated Officer' is the POCA 2002 term (s.330(3) and s.338) for the person who receives disclosures and submits SARs. 'MLRO' is the more commonly used title that covers the same statutory function plus the wider firm-wide oversight required under MLR 2017 Reg 21. Most UK firms use 'MLRO' on letterheads and in policies; either title satisfies the legal requirement.
Answer-first summary
What's the difference between an MLRO and an MLCO?
The MLRO owns SAR reporting (a POCA duty). The MLCO — Money Laundering Compliance Officer — owns the firm's overall AML system (an MLR 2017 Reg 21 duty): firm-wide risk assessment, policies, training, supervisor liaison. In small firms the same person typically holds both roles. In SRA-regulated law firms above a certain size, the SRA expects them to be separate people.
Answer-first summary
How often does the MLRO need to be trained?
Annual refresher training is the practical minimum. The MLRO should also be the first person trained on any material MLR 2017 update — the 2022 update on proliferation financing, for example — because they then cascade the change through firm policies and staff training. Training records must be retained for at least five years for inspection.
Answer-first summary
Can the MLRO refuse to file a SAR if they disagree with the reporting member of staff?
Yes — the MLRO's role is to apply judgement. They can decline to escalate an internal disclosure if the suspicion is not well-founded, provided they document the reasoning. The risk is that if the MLRO's threshold is consistently too high, the firm's SAR rate will be implausibly low for its risk profile, and a supervisor will notice.