A Money Laundering Reporting Officer's (MLRO) report is far more than a box-ticking exercise. In fact, it's one of the most effective tools a regulated entity's senior management and board have at their disposal. It helps them demonstrate compliance and understand the firm's financial crime prevention capabilities.
For MLROs, the report is an opportunity to highlight how the company's systems and controls protect the business and steer its financial crime framework. With that in mind, we've collated top tips for making the most of your MLRO Report.
What is an MLRO report?
As per the FCA's Financial Crime handbook, an enterprise should ensure its systems and controls provide "appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's MLRO on the operation and effectiveness of those systems and controls".
With that in mind, an MLRO Report reviews the organisation's anti-money laundering (AML) and counter-terrorist financing (CTF) control framework, which is in place to protect it against risk. It also gives assurance that the MLRO is aware of all relevant AML and CTF risks and manages them according to best practices.
An MLRO Report is a regulatory requirement, written and presented to senior management and the board once a year. On top of that, regulators and crime prevention agencies can view the document if they deem it necessary.
What is the purpose of an MLRO report?
Often, an MLRO Report complements financial crime-related updates made to senior management throughout the year. With that in mind, an MLRO Report shouldn't contain any surprises. Its purpose is to:
- Record the duties of the MLRO and their team
- Review the firm's AML and CTF controls
- Reassure senior management and the board
- Be transparent, honest and accurate
- Acknowledge any breaches and highlight lessons learned
- Identify system limitations and remedial action
- Recommend actions to address risks
- Secure buy-in for proposals
Non-compliance with money laundering prevention obligations can lead to heavy penalties. The FCA fined Canara Bank £896,100 and imposed a trading restriction for failing "to maintain adequate AML systems and take sufficient steps to remedy identified weaknesses."
As part of the investigation, "the lack of management information provided" was noted, meaning board members didn't fully understand the bank's risk exposure. This example emphasises the importance of creating a fair and balanced MLRO Report.
How can MLROs make the most of an MLRO report?
Every organisation is different, so there's no one-size-fits-all approach when it comes to an MLRO Report – aspects like product suite, turnover, and compliance culture come into play. However, there are pointers to keep in mind, helping ensure salient information is covered and the document fulfils its purpose.
1. Company details
This section sets the scene in terms of basic information: the date of incorporation, number of employees and geographical locations. These facts enable readers of the report to understand the remit of the report and the extent of the organisation's potential risk exposure.
It's also a good place to state the firm's AML and CTF risk appetite. How can the MLRO assure board members the firm is protected if that crucial factor isn't made clear at the outset?
2. Regulatory framework
Here, MLROs need to indicate the date your company became regulated by the FCA, whether you're an authorised payment institution, and which guidance you adhere to – for example, the Joint Money Laundering Steering Group (JMLSG). Additional things to communicate include:
- Whether you've operated within applicable regulations, legislation and guidance, and if not, what breaches have occurred
- Information on the current regulatory landscape and what's upcoming
3. MLRO's details, resources & access
The MLRO should give their name and the date they were approved by the board. It's also an opportunity to summarise their responsibilities as the MLRO. For example, the MLRO is often the Nominated Officer – the person in charge of MLRO reporting to the National Crime Agency (NCA). However, that's not always the case. And so, if someone else conducts MLRO reporting, state their name too.
Additionally, the MLRO should indicate whether they're well-supported and have appropriate access to resources. If the answer is no, they should have the confidence to be honest in the report.
4. Governance structure
This involves stipulating that the MLRO is the second line of defence in a 'three lines of defence model'. It's also important to summarise any factors that have hindered the MLRO's effectiveness within that approach. This is a relatively brief section, before you move on to company policies and procedures.
5. AML & CTF systems & controls
Here, it's about outlining AML and CTF policies and procedures. Have they been updated, and if so why, when and how? Include the following, too:
- Risk assessment of the entire firm – a crucial element. Consider numerically scoring risks according to their severity and suggest controls to reduce risks to an acceptable level, in line with risk appetite.
- Compliance monitoring plan – this is an overview of how controls are designed, applied and tested.
- Audits – state how many external and internal inspections have occurred, what was evaluated, and summarise the results and action taken (if applicable).
- Thematic reviews – keep track of AML and CTF news and address related risks regarding your clients and within your control framework.
- Conclusion – how effective are your systems and controls and do they need enhancing?
6. Customer due diligence
This section involves outlining the risk profile of your client base. Has it changed over the last year, by how much, and why? It's also useful to give the following details:
- Screening and customer relationship management systems – how old and effective are they?
- Overdue periodic reviews – for example, if there are outstanding Know Your Customer (KYC) audits, how delayed are they? There's a big difference between one week and three months, so be precise.
7. Reporting & training
Specify core AML and CTF management information, including:
- How many new clients and high-risk relationships are there compared to last year?
- How many breaches and near misses occurred, and what corrective action was implemented?
- How many internal Suspicious Activity Reports (SARs) were received relative to the year before?
- How many SARs were submitted to the NCA as part of MLRO reporting?
- How many Defence Against Money Laundering (DAML) requests were made?
This section also outlines training policies and modules, such as who receives guidance, when and how frequently. Include pass/fail statistics and highlight employees who have gained professional qualifications throughout the year.
8. Summary & recommendations
Pull the threads together from earlier sections by reiterating key risks and indicating whether the firm is in a better position than the previous year. Point out potential risks for the next 12 months and formally record recommendations for senior management and the board to approve.
Prioritise proposals and clarify whether they're 'must do' versus 'nice to do'. Finally, note the submission date of the MLRO Report and when the recommendations were approved.
It's worth noting that these tips are by no means mandatory or exhaustive. For instance, if you rely on outsourcing, include details on its effectiveness and whether service-level agreements have been respected.
On top of that, consider starting the report with an executive summary and ending it with an annexe containing supporting evidence for your conclusions and recommendations.
Why is an MLRO Report important?
An MLRO Report carries internal and external weight, so it should be comprehensive, well-structured and fair. It offers:
- Relevant information to show compliance with financial crime prevention obligations
- A view of the effectiveness of the chosen risk approach, plus recommended actions if gaps or problems are uncovered
For an MLRO, it's a chance to communicate vital information to the most senior people in the company, such as:
- Key financial crime messages and trends
- Risks and opportunities
- Action plans (where necessary)
On the flip side, the report shows senior management how the business deals with risk. Armed with that information, they can take action if necessary. As such, MLROs and executives can get a lot out of an MLRO Report.
How can you protect your firm with an MLRO report?
When well-created, an MLRO Report offers senior management and the board an accurate, unbiased, well-balanced and honest assessment of AML and CTF systems and controls and their effectiveness. It also provides compliance, risk exposure and management insights, plus action points for the forthcoming year.
Senior management and the board should feel confident the MLRO Report is robust and fulfils its primary role: protecting the business.