<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:media="http://search.yahoo.com/mrss/" >

<channel>
	<title>FD Capital Recruitment</title>
	<atom:link href="https://www.fdcapital.co.uk/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.fdcapital.co.uk</link>
	<description></description>
	<lastBuildDate>Mon, 18 May 2026 18:32:49 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
	<item>
		<title>Quality vs quantity in SAR filing: what NCA reviewers look for</title>
		<link>https://www.fdcapital.co.uk/sar-filing-quality-what-nca-reviewers-look-for/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Mon, 18 May 2026 18:31:35 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[SAR]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=34109</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[<h2 style="text-align: center;">Quality vs quantity in SAR filing: what NCA reviewers look for</h2>
<p>The UK Financial Intelligence Unit received approximately 901,000 Suspicious Activity Reports in the 2022–23 reporting year. The volume of SARs filed by regulated firms has increased substantially over the past decade. The quality of SARs has not kept pace with the quantity.</p>
<p>The NCA is explicit about this in its annual SARs regime reports. A large proportion of the SARs received each year contain insufficient intelligence to support any law enforcement action. They satisfy the reporter&#8217;s legal obligation — the filing of a SAR provides a statutory defence against money laundering charges — but they provide no actionable intelligence to the UKFIU. They are, in the language the compliance profession uses internally, defensive SARs.</p>
<p>An MLRO whose team files large volumes of low-quality SARs has not built an effective financial crime reporting framework. They have built a volume-processing operation that generates compliance cover but limited intelligence value. This matters for two reasons. First, it means the firm&#8217;s financial crime controls are not actually contributing to the detection and disruption of money laundering and terrorist financing. Second, it creates risk — poor quality SARs are less likely to be acted on quickly, which matters considerably if the firm later needs to file a DAML and expects a timely consent decision.</p>
<h2>What the UKFIU actually does with a SAR</h2>
<p>The UKFIU&#8217;s primary function is to receive, analyse and disseminate financial intelligence. A SAR that contains actionable intelligence — specific individuals, account details, amounts, dates, and a clear articulation of why the reporter suspects criminal activity — can be disseminated to law enforcement agencies, police forces, HMRC, the NCA&#8217;s own operational units, and international partners. This dissemination is what makes SARs useful to the law enforcement system.</p>
<p>A SAR that says a customer &#8220;made unusual transactions inconsistent with their profile&#8221; without specifying the amounts, the transactions, the suspicion or the predicate offence cannot be disseminated. It goes into the UKFIU&#8217;s database as a data point. It may be useful if it can be matched with intelligence from other sources, but it generates no proactive action.</p>
<p>NCA reviewers are looking for intelligence that helps them join dots — connecting a subject to known criminal networks, corroborating intelligence they already hold, or identifying new threats. The SAR that achieves this is qualitatively different from the SAR that merely records that the reporter noticed something and felt they should report it.</p>
<h2>The four elements of an intelligence-grade SAR</h2>
<h3>Who</h3>
<p>The SAR should identify the subject as precisely as possible. Full name, date of birth, address, account numbers, national insurance number if held, company names and registration numbers for corporate customers, and any known aliases or associated individuals. The more precisely the UKFIU can identify who the SAR relates to, the more effectively it can be matched with existing intelligence and disseminated to the right recipient.</p>
<p>A SAR about a customer named &#8220;John Smith&#8221; with no further identifying information has limited intelligence value. A SAR about John Smith of a specific address, with a specific account number, who uses a business account for a company with a specific Companies House number, is a SAR that can be acted on.</p>
<h3>What</h3>
<p>The specific transaction or activity that gave rise to the suspicion should be described precisely. Amounts, currencies, transaction references, dates, and the counterparties involved — both the parties identifiable through the firm&#8217;s own records and any third-party information available. Where the SAR relates to a pattern of transactions rather than a single event, the pattern should be described with sufficient specificity to be reproducible — dates, amounts, counterparty account details where available.</p>
<p>Vague characterisations — &#8220;large cash deposits&#8221;, &#8220;frequent transfers to high-risk jurisdictions&#8221;, &#8220;transactions inconsistent with stated business activity&#8221; — are not sufficient on their own. They describe the type of activity but not the specific activity. The NCA needs the specific details to investigate.</p>
<h3>When</h3>
<p>Precise dates matter. The period over which the suspicious activity occurred, the date of the most recent transaction, and the date on which the MLRO formed the suspicion should all be included. The UKFIU uses date information to correlate SARs from different reporters and to establish timelines of criminal activity. A SAR that describes activity &#8220;over the past year&#8221; without specific dates is significantly less useful than one that identifies the activity with transaction-level dates.</p>
<h3>Why</h3>
<p>The articulation of why the reporter suspects criminal activity is the element most commonly done poorly. The &#8220;why&#8221; should identify: the specific observations that gave rise to suspicion, the predicate offence that the reporter believes may underlie the activity, any information about the customer&#8217;s stated business or circumstances that makes the activity inconsistent with expectations, and any additional intelligence the reporter holds that supports the suspicion.</p>
<p>The predicate offence — what crime the reporter suspects the funds derive from or will be used for — is particularly important. Fraud, tax evasion, drug trafficking, bribery and corruption, sanctions evasion, and cybercrime each attract different law enforcement responses and different dissemination routes. A SAR that identifies a specific predicate offence can be routed to the relevant specialist team. A SAR that says the activity is &#8220;suspicious&#8221; without any indication of the underlying offence leaves the UKFIU to guess.</p>
<h2>Common quality failures</h2>
<p>The most prevalent quality failure is the defensive SAR — filed to satisfy the reporting obligation without genuine intent to provide intelligence. These SARs typically have vague language (&#8220;unusual activity inconsistent with customer profile&#8221;), minimal transaction detail, and no identification of a predicate offence. They are recognisable to experienced UKFIU reviewers and they generate no action.</p>
<p>The second common failure is filing on the basis of a customer complaint or dispute rather than genuine suspicion of money laundering or terrorist financing. A customer who disputes a charge, refuses to cooperate with a process, or behaves erratically is not necessarily involved in criminal activity. Filing a SAR in these circumstances without genuine suspicion is not only unhelpful to the UKFIU — it also misuses the SAR regime in a way the NCA has specifically criticised.</p>
<p>Third is the failure to identify and include linked accounts and associated parties. Where the MLRO suspects money laundering, the activity typically involves multiple accounts, multiple parties or multiple transactions. A SAR that relates only to the primary account without referencing the related accounts or the ultimate beneficiary of the funds is a SAR that captures part of the picture. The UKFIU may already hold intelligence on the related parties — but it needs the connection to be made in the SAR to recognise it.</p>
<p>Fourth is inadequate description of the timeline. SARs that describe suspicious activity in general terms without dates are difficult to act on. The NCA processes SARs against live investigations and time-sensitive intelligence requirements. A SAR about activity that occurred in a specific three-week window in a specific month is far more useful than one that describes &#8220;activity over recent months.&#8221;</p>
<h2>The relationship between SAR quality and the DAML regime</h2>
<p>The quality of a firm&#8217;s SAR filing has a direct relationship with the responsiveness of the NCA&#8217;s DAML consent decisions. A firm that is known to the UKFIU as a high-quality reporter — whose SARs contain reliable, precise intelligence — is a firm whose DAML requests are treated with the seriousness they deserve. A firm whose SARs are consistently vague and uninformative is a firm whose DAML requests are processed in a queue with no particular urgency.</p>
<p>The practical implication is that an MLRO who prioritises SAR quality over SAR quantity is not just contributing to better law enforcement outcomes — they are also building the intelligence relationship with the UKFIU that makes the consent regime work effectively for the firm when it needs it.</p>
<h2>The MLRO&#8217;s role in quality assurance</h2>
<p>SAR quality starts with training the first line of defence — the relationship managers, onboarding teams and operations staff who generate the initial internal reports. Staff who do not understand what makes a useful report will not provide the information the MLRO needs to construct a quality SAR. But SAR quality is ultimately the MLRO&#8217;s responsibility. Before filing, the MLRO should satisfy themselves that the SAR contains sufficient who, what, when and why to be actionable — and should return incomplete internal reports to the first line for additional information rather than filing with what is available.</p>
<p>FD Capital places MLROs with the experience to build financial crime reporting frameworks that produce intelligence-grade SARs, not merely volume. Whether the firm is an advisory business like Interpath, a regulated investment manager, or a payments institution dealing with high volumes of potentially suspicious transactions, the quality of the MLRO&#8217;s SAR programme is one of the key metrics by which the FCA and the NCA assess the adequacy of the firm&#8217;s AML controls.</p>
<div style="background: #f8f9fa; border-left: 4px solid #1F3864; padding: 24px 28px; margin: 40px 0;">
<p style="margin: 0 0 8px; font-size: 13px; text-transform: uppercase; letter-spacing: .08em; color: #666;">Written by</p>
<p style="margin: 0 0 4px; font-size: 17px; font-weight: bold; color: #1f3864;">Adrian Lawrence FCA</p>
<p style="margin: 0 0 12px; font-size: 14px; color: #444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />
ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383</p>
<p style="margin: 0; font-size: 13px; color: #555;">FD Capital is an <a style="color: #1f3864;" href="https://find.icaew.com/firms/137918" target="_blank" rel="noopener">ICAEW-Registered Practice</a> specialising in senior finance and compliance recruitment for FCA-regulated firms.</p>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>DAML requests in practice: how the consent regime actually works</title>
		<link>https://www.fdcapital.co.uk/daml-requests-in-practice-how-the-consent-regime-works/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Mon, 18 May 2026 18:29:31 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[DAML]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=34106</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[<h2 style="text-align: center;">DAML requests in practice: how the consent regime actually works</h2>
<p>The Defence Against Money Laundering request — universally referred to as a DAML — is one of the most misunderstood mechanisms in the UK&#8217;s financial crime framework. It is distinct from a standard Suspicious Activity Report. It has a specific legal structure, precise timelines, and a consequence — deemed consent — that operates automatically in the reporter&#8217;s favour if the National Crime Agency does not respond within the statutory period. Yet MLROs who have never had to use the DAML mechanism are routinely unfamiliar with how it actually works, and those who have used it often discover that the operational reality differs from the theoretical framework in ways that matter.</p>
<p>This article sets out the consent regime as it operates in practice — the legal framework, the timelines, the procedural requirements, and the points where firms most commonly make avoidable mistakes.</p>
<h2>When a DAML is required — and when a standard SAR suffices</h2>
<p>The distinction between a SAR and a DAML is the distinction between reporting suspicion about a past or completed transaction and seeking authorisation to proceed with a transaction that would otherwise expose the firm to criminal liability.</p>
<p>A standard SAR is filed where the firm knows or suspects that criminal property has passed through its systems, or that a customer has been involved in money laundering or terrorist financing. Filing the SAR satisfies the reporting obligation under the Proceeds of Crime Act 2002. The firm is not seeking permission to do anything — it is disclosing information about what has happened or what it suspects.</p>
<p>A DAML is required where the firm is about to carry out a transaction — or is currently holding funds pending a decision — that it knows or suspects involves criminal property. Processing the transaction without authorisation would constitute a money laundering offence under sections 327, 328 or 329 of POCA 2002. The DAML is the mechanism through which the firm seeks the NCA&#8217;s consent to proceed, thereby obtaining a statutory defence to what would otherwise be criminal conduct.</p>
<p>The practical trigger is a proposed transaction combined with suspicion that the proceeds are criminal. A customer instructing a transfer that the MLRO suspects represents the proceeds of fraud, a redemption request where the MLRO suspects the invested funds were criminal in origin, or a payment instruction that the MLRO believes would constitute money laundering if executed — each of these requires a DAML, not merely a SAR.</p>
<h2>The seven-day moratorium</h2>
<p>Once a DAML is submitted through SARs Online and received by the NCA&#8217;s UK Financial Intelligence Unit, a seven-working-day moratorium begins. During this period the firm must not process the transaction. The NCA has seven working days to either grant consent or refuse it.</p>
<p>If the NCA grants consent, the firm can proceed. If the NCA refuses consent, a further moratorium of 31 calendar days begins, during which the NCA investigates and may apply to a court for a restraint order or other enforcement action. If the NCA does not respond within the initial seven working days, consent is deemed to have been granted — the firm can proceed as if it had received explicit authorisation.</p>
<p>The deemed consent mechanism is significant in practice. The NCA receives several hundred thousand SARs per year and a much smaller number of DAMLs. Not all DAMLs receive an explicit response within seven working days. Where deemed consent operates, the firm has a complete statutory defence to any money laundering charge arising from the transaction — provided the DAML was properly submitted and the seven working days elapsed without a refusal.</p>
<h2>What the NCA actually needs to process a DAML</h2>
<p>A DAML that does not contain sufficient information to allow the NCA to assess it promptly is a DAML that risks being processed slowly or generating a request for further information that extends beyond the seven-day window. The NCA needs enough intelligence to make a decision — and the intelligence in the DAML is what it has to work with.</p>
<p>An effective DAML contains: the specific transaction the firm is seeking consent to process, including the amount, currency, counterparties and account details; the basis for the suspicion — not just that there is suspicion, but why; the predicate offence suspected, to the extent the MLRO can identify it; any intelligence about the parties involved that the firm holds, including account history and any previous SAR activity; and a clear statement that this is a consent request rather than a standard disclosure. DAMLs submitted through SARs Online should be clearly flagged as consent requests at the outset.</p>
<p>The quality of the DAML matters for the speed of the NCA&#8217;s response. A well-constructed DAML that clearly articulates the transaction, the suspicion and the predicate offence gives the UKFIU reviewer enough to make a rapid decision. A vague or incomplete DAML requires the reviewer to seek additional information, which consumes time that the firm may not have if there is a customer relationship, a payment deadline or a legal obligation to execute the instruction.</p>
<h2>The 31-day moratorium and what happens during it</h2>
<p>Where the NCA refuses consent within the initial seven working days, the 31-day moratorium begins. During this period the firm continues to hold the funds or decline to process the transaction. The NCA uses the 31 days to investigate and, where it has grounds, to apply to the Crown Court for a restraint order under the Proceeds of Crime Act. A restraint order, if granted, freezes the relevant assets and gives law enforcement time to pursue confiscation proceedings.</p>
<p>If the 31-day moratorium expires without a court order being obtained, the firm can proceed with the transaction on the basis that it has a deemed consent to do so. In practice, a refusal followed by a 31-day moratorium typically indicates that the NCA has identified the funds as linked to known criminal activity and is actively seeking to restrain them. The realistic expectation is that a court order will follow.</p>
<p>The firm&#8217;s obligations during the 31-day moratorium include maintaining the hold on the funds and not tipping off the customer about the DAML or the moratorium. The tipping-off offence under POCA 2002 applies with full force — the firm cannot tell the customer that it has filed a DAML or that their transaction is being held pending law enforcement review.</p>
<h2>Common MLRO mistakes with the DAML regime</h2>
<p>The most frequent error is failing to recognise when a situation requires a DAML rather than a standard SAR. An MLRO who files a SAR and then processes the transaction — because they believe filing the SAR satisfies their obligations — has not sought consent and therefore has no statutory defence if the processed transaction constitutes a money laundering offence. The SAR discloses the suspicion. The DAML is what authorises the firm to proceed despite that suspicion.</p>
<p>The second common error is submitting a DAML too late. The seven-day moratorium begins from the date the NCA receives the DAML — not from the date the MLRO identified the suspicion. If the customer&#8217;s instruction has a payment deadline and the MLRO delays submitting the DAML for two or three days while investigating further, the effective moratorium is shortened and the firm may find itself in a position where deemed consent has not yet operated but the customer is demanding their funds.</p>
<p>The third error is inadequate documentation of the moratorium period. The firm should record precisely when the DAML was submitted, when the seven working days expire, whether a response was received and when, and on what basis the decision to proceed or continue holding was made. This documentation is what the firm relies on if the transaction is later scrutinised by law enforcement, the FCA or a court.</p>
<p>FD Capital places MLROs and deputy MLROs in FCA-regulated firms across all sectors. Understanding the DAML regime — and designing the internal processes that make it work effectively under operational pressure — is a core competency for any MLRO at a firm where the risk of dealing in criminal property is material.</p>
<div style="background: #f8f9fa; border-left: 4px solid #1F3864; padding: 24px 28px; margin: 40px 0;">
<p style="margin: 0 0 8px; font-size: 13px; text-transform: uppercase; letter-spacing: .08em; color: #666;">Written by</p>
<p style="margin: 0 0 4px; font-size: 17px; font-weight: bold; color: #1f3864;">Adrian Lawrence FCA</p>
<p style="margin: 0 0 12px; font-size: 14px; color: #444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />
ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383</p>
<p style="margin: 0; font-size: 13px; color: #555;">FD Capital is an <a style="color: #1f3864;" href="https://find.icaew.com/firms/137918" target="_blank" rel="noopener">ICAEW-Registered Practice</a> specialising in senior finance and compliance recruitment for FCA-regulated firms.</p>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Customer due diligence for crypto firms: what differs from traditional CDD</title>
		<link>https://www.fdcapital.co.uk/customer-due-diligence-crypto-firms-what-differs-traditional-cdd/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Mon, 18 May 2026 18:21:43 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[Crypto]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=34103</guid>

					<description><![CDATA[Customer due diligence for crypto firms: what differs from traditional CDD The Money Laundering Regulations 2017 apply to cryptoasset businesses registered with the FCA in the same way they apply to banks, payment firms and investment businesses. The obligation to conduct customer due diligence, enhanced due diligence for higher-risk relationships, and ongoing monitoring of transactions is the same in law. In practice, however, the implementation of CDD at a cryptoasset firm looks substantially different from CDD at a traditional financial institution — and the differences create specific operational and compliance challenges that MLROs at crypto firms navigate in ways their counterparts in conventional finance do not. This article sets out where the practical differences lie and what they mean for the design of a crypto firm&#8217;s CDD framework. Wallet verification instead of account verification Traditional CDD establishes that the person opening an account is who they say they are, and that the account belongs to them. In the crypto context, the equivalent process involves verifying both the identity of the customer and their ownership or control of the wallet addresses they are transacting from or to. These are not the same thing. A customer can pass identity verification while transacting through wallet addresses they do not beneficially own — using wallets controlled by third parties, custodial wallets with split control arrangements, or multi-signature wallets where the customer is one of several signatories. Equally, a verified customer can transact to external wallets whose ownership the firm has no direct visibility over. Standard account-based CDD frameworks do not encounter this problem in the same way — when a bank transfers funds to another account at the customer&#8217;s instruction, the account has an identifiable owner at the receiving institution. 
CDD frameworks at crypto firms need to address wallet ownership verification as a distinct step — not just identity verification of the customer, but verification of the relationship between the customer and the wallets involved in their transactions. The Travel Rule The UK implemented the Travel Rule for cryptoasset transfers in January 2023. The rule requires that Virtual Asset Service Providers transmit originator and beneficiary information alongside transfers above a de minimis threshold — the equivalent of the information that accompanies a SWIFT payment under correspondent banking arrangements. This is a significant departure from how crypto transfers have historically worked, and the implementation challenges are considerably more complex than in traditional finance. In traditional wire transfers, the sending and receiving institutions are both regulated financial entities with established Know Your Institution frameworks and standardised messaging protocols. In crypto, the counterparty VASP may be in a jurisdiction with minimal regulatory oversight, may not have implemented the Travel Rule in a compatible format, or — in the case of transfers to unhosted wallets — may not be a VASP at all. The MLRO at a UK-registered crypto firm needs to have a clear policy for how Travel Rule information is collected, transmitted and received, and what the firm does when it cannot obtain complete Travel Rule information for a transfer. Blockchain analytics as a CDD tool The most significant operational difference between crypto CDD and traditional CDD is the role of blockchain analytics. Transactions on public blockchains are visible to anyone with access to the chain data — every transaction, every wallet address, every amount moved, and in many cases a probabilistic assessment of the counterparties involved, is accessible through analytics tools such as Chainalysis, Elliptic and TRM Labs. 
This creates an obligation and an opportunity that has no equivalent in traditional CDD. The obligation: a crypto firm that does not use blockchain analytics to screen wallet addresses and transaction histories has an obviously incomplete CDD framework. The fact that on-chain data is publicly available means the firm cannot credibly claim it was unable to identify the risk signals that the data would have disclosed. The FCA&#8217;s expectation — consistent with its registered firm requirements and its broader financial crime guidance — is that crypto firms use analytics tools proportionate to their risk profile. The opportunity: blockchain analytics can surface risk signals that traditional CDD simply cannot generate. A transaction to or from a wallet cluster associated with a sanctioned entity, a mixing service, a darknet marketplace or a known ransomware address is identifiable through analytics before the transaction is processed or immediately after. This gives the MLRO a qualitatively different set of suspicious transaction indicators to work with compared to traditional finance, where transaction monitoring depends on pattern analysis rather than direct linkage. Unhosted wallets and the enhanced due diligence question The FCA and FATF have been explicit that transactions involving unhosted wallets — wallets not held at a regulated VASP, typically self-custodied by the wallet holder — carry higher inherent risk and require enhanced due diligence in higher-risk cases. The practical challenge is that the unhosted wallet is by definition outside the regulated perimeter. The firm cannot verify the owner through the Travel Rule, cannot rely on a counterparty VASP&#8217;s CDD, and must depend on its own analysis of on-chain data and the customer&#8217;s representations about the wallet&#8217;s purpose. 
MLRO policy on unhosted wallets needs to address: what information the firm requires from customers transacting to or from unhosted wallets, what blockchain analytics screening applies to those wallet addresses, what the threshold is for enhanced due diligence, and what the firm does when the customer cannot or will not provide satisfactory information about the destination of their funds. This is an area where the regulatory expectation has been clear but the operational implementation varies significantly across registered firms. Source of funds and source of wealth for crypto customers Source of funds verification for a customer whose assets are denominated in cryptoassets presents specific challenges. A customer stating that their Bitcoin derives from mining activity in 2013, or from an early investment in a now-defunct exchange, or from proceeds of DeFi liquidity provision, is describing a source of funds that is difficult to verify through the documentary routes that work for conventional source of [&#8230;]]]></description>
										<content:encoded><![CDATA[<h2 style="text-align: center;">Customer due diligence for crypto firms: what differs from traditional CDD</h2>
<p>The Money Laundering Regulations 2017 apply to cryptoasset businesses registered with the FCA in the same way they apply to banks, payment firms and investment businesses. The obligation to conduct customer due diligence, enhanced due diligence for higher-risk relationships, and ongoing monitoring of transactions is the same in law. In practice, however, the implementation of CDD at a cryptoasset firm looks substantially different from CDD at a traditional financial institution — and the differences create specific operational and compliance challenges that MLROs at crypto firms navigate in ways their counterparts in conventional finance do not.</p>
<p>This article sets out where the practical differences lie and what they mean for the design of a crypto firm&#8217;s CDD framework.</p>
<h2>Wallet verification instead of account verification</h2>
<p>Traditional CDD establishes that the person opening an account is who they say they are, and that the account belongs to them. In the crypto context, the equivalent process involves verifying both the identity of the customer and their ownership or control of the wallet addresses they are transacting from or to. These are not the same thing.</p>
<p>A customer can pass identity verification while transacting through wallet addresses they do not beneficially own — using wallets controlled by third parties, custodial wallets with split control arrangements, or multi-signature wallets where the customer is one of several signatories. Equally, a verified customer can transact to external wallets whose ownership the firm has no direct visibility over. Standard account-based CDD frameworks do not encounter this problem in the same way — when a bank transfers funds to another account at the customer&#8217;s instruction, the account has an identifiable owner at the receiving institution.</p>
<p>CDD frameworks at crypto firms need to address wallet ownership verification as a distinct step — not just identity verification of the customer, but verification of the relationship between the customer and the wallets involved in their transactions.</p>
<h2>The Travel Rule</h2>
<p>The UK implemented the Travel Rule for cryptoasset transfers in January 2023. The rule requires that Virtual Asset Service Providers transmit originator and beneficiary information alongside transfers above a de minimis threshold — the equivalent of the information that accompanies a SWIFT payment under correspondent banking arrangements. This is a significant departure from how crypto transfers have historically worked, and the implementation challenges are considerably more complex than in traditional finance.</p>
<p>In traditional wire transfers, the sending and receiving institutions are both regulated financial entities with established Know Your Institution frameworks and standardised messaging protocols. In crypto, the counterparty VASP may be in a jurisdiction with minimal regulatory oversight, may not have implemented the Travel Rule in a compatible format, or — in the case of transfers to unhosted wallets — may not be a VASP at all. The MLRO at a UK-registered crypto firm needs to have a clear policy for how Travel Rule information is collected, transmitted and received, and what the firm does when it cannot obtain complete Travel Rule information for a transfer.</p>
<h2>Blockchain analytics as a CDD tool</h2>
<p>The most significant operational difference between crypto CDD and traditional CDD is the role of blockchain analytics. Transactions on public blockchains are visible to anyone with access to the chain data — every transaction, every wallet address, every amount moved, and in many cases a probabilistic assessment of the counterparties involved, is accessible through analytics tools such as Chainalysis, Elliptic and TRM Labs. This creates an obligation and an opportunity that has no equivalent in traditional CDD.</p>
<p>The obligation: a crypto firm that does not use blockchain analytics to screen wallet addresses and transaction histories has an obviously incomplete CDD framework. The fact that on-chain data is publicly available means the firm cannot credibly claim it was unable to identify the risk signals that the data would have disclosed. The FCA&#8217;s expectation — consistent with its registered firm requirements and its broader financial crime guidance — is that crypto firms use analytics tools proportionate to their risk profile.</p>
<p>The opportunity: blockchain analytics can surface risk signals that traditional CDD simply cannot generate. A transaction to or from a wallet cluster associated with a sanctioned entity, a mixing service, a darknet marketplace or a known ransomware address is identifiable through analytics before the transaction is processed or immediately after. This gives the MLRO a qualitatively different set of suspicious transaction indicators to work with compared to traditional finance, where transaction monitoring depends on pattern analysis rather than direct linkage.</p>
<h2>Unhosted wallets and the enhanced due diligence question</h2>
<p>The FCA and FATF have been explicit that transactions involving unhosted wallets — wallets not held at a regulated VASP, typically self-custodied by the wallet holder — carry higher inherent risk and require enhanced due diligence in higher-risk cases. The practical challenge is that the unhosted wallet is by definition outside the regulated perimeter. The firm cannot verify the owner through the Travel Rule, cannot rely on a counterparty VASP&#8217;s CDD, and must depend on its own analysis of on-chain data and the customer&#8217;s representations about the wallet&#8217;s purpose.</p>
<p>MLRO policy on unhosted wallets needs to address: what information the firm requires from customers transacting to or from unhosted wallets, what blockchain analytics screening applies to those wallet addresses, what the threshold is for enhanced due diligence, and what the firm does when the customer cannot or will not provide satisfactory information about the destination of their funds. This is an area where the regulatory expectation has been clear but the operational implementation varies significantly across registered firms.</p>
<h2>Source of funds and source of wealth for crypto customers</h2>
<p>Source of funds verification for a customer whose assets are denominated in cryptoassets presents specific challenges. A customer stating that their Bitcoin derives from mining activity in 2013, or from an early investment in a now-defunct exchange, or from proceeds of DeFi liquidity provision, is describing a source of funds that is difficult to verify through the documentary routes that work for conventional source of funds enquiries. Payslips, bank statements and solicitor completion letters do not help here.</p>
<p>On-chain data can partially substitute — the transaction history of a wallet may be consistent or inconsistent with the claimed source of funds, and analytics tools can identify whether the wallet has received funds from mining pools, exchanges, or higher-risk sources. But the MLRO&#8217;s framework needs to be clear about what constitutes adequate source of funds verification for crypto-origin assets, and what level of on-chain evidence is required before the firm accepts the customer&#8217;s account of the origin of their wealth.</p>
<h2>Ongoing monitoring and on-chain versus off-chain transactions</h2>
<p>Ongoing monitoring of customer activity in traditional finance relies primarily on transaction monitoring systems that flag unusual patterns in account activity. In crypto, the equivalent obligation covers both the on-chain transactions processed through the firm&#8217;s platform and — where relevant — the off-chain activity that the customer&#8217;s wallet history discloses. A customer whose on-chain history shows recent interaction with a high-risk wallet cluster, even in a transaction not processed through the firm, is a customer whose risk profile has changed.</p>
<p>This does not mean that firms are obliged to perform continuous blockchain surveillance of all their customers&#8217; non-firm wallets. It does mean that the ongoing monitoring framework should incorporate periodic rescreening of known customer wallet addresses through analytics tools, not just monitoring of transactions processed through the firm&#8217;s own systems.</p>
<p>FD Capital places MLROs and compliance professionals in FCA-registered cryptoasset businesses and in regulated firms with cryptoasset exposure. The specific technical knowledge required to design and oversee a CDD framework in this context is distinct from conventional compliance expertise, and we understand the difference.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Source of funds vs source of wealth: getting the distinction right</title>
		<link>https://www.fdcapital.co.uk/source-of-funds-vs-source-of-wealth-distinction/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Sat, 16 May 2026 07:48:07 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[Wealth]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33953</guid>

					<description><![CDATA[Source of funds vs source of wealth: getting the distinction right Source of funds and source of wealth are two distinct customer due diligence concepts that are regularly conflated in practice. The confusion is understandable — both concern the origins of a customer&#8217;s money, and in some cases the information required to satisfy one overlaps with the information required for the other. But they are not the same thing, and treating them as interchangeable creates compliance risk. A firm that believes it has conducted adequate source of wealth due diligence because it has verified source of funds, or that substitutes a source of funds declaration for the deeper enquiry that source of wealth requires, is likely to fail FCA scrutiny when that scrutiny arrives. This article sets out the distinction between the two concepts, when each is required, what adequate verification looks like, and where regulated firms most commonly go wrong. The definitions Source of funds refers to the origin of the specific funds involved in a particular transaction or business relationship. Where did the money for this transaction come from? The answer to this question is transactional and specific: the funds came from the customer&#8217;s salary, from the proceeds of a property sale, from a business dividend, from an inheritance received last year. Source of funds information relates to the particular flow of money that the firm is facilitating or handling. Source of wealth refers to the origin of the customer&#8217;s overall wealth — the economic activities that have generated the totality of their assets and financial position. How did this person accumulate what they have? Source of wealth is biographical and holistic: the customer built a business and sold it, or had a career as a senior professional, or inherited family wealth, or generated wealth through investment activity over many years. 
Source of wealth information relates to the customer&#8217;s overall economic history rather than any specific transaction. The relationship between the two is that source of funds should be consistent with source of wealth. If a customer&#8217;s source of wealth is a career as a salaried professional and their source of funds for a particular transaction is described as the proceeds of a business sale, that inconsistency requires explanation. Source of funds information that cannot be reconciled with what the firm knows about source of wealth is a risk signal that warrants further enquiry. When each is required The Money Laundering Regulations 2017 do not specify precisely when source of funds verification is required and leave significant discretion to firms. The general expectation — reinforced by JMLSG guidance — is that source of funds should be verified where the transaction or business relationship warrants it given the customer&#8217;s risk profile and the nature of the transaction. For high-value transactions, for transactions that appear inconsistent with the customer&#8217;s known profile, or for customers in higher-risk categories, source of funds verification is a core component of the CDD process. Source of wealth is specifically required in several contexts. It is a mandatory component of enhanced due diligence for PEPs — the MLRs require firms to establish the source of wealth and source of funds of PEPs and their family members and close associates. It is also expected as part of EDD for high-risk third country relationships and for any customer relationship where the risk assessment indicates that standard CDD is insufficient to adequately understand and manage the money laundering risk. 
In practice, most wealth management firms and private banks apply source of wealth requirements to all high-net-worth or ultra-high-net-worth clients, not just those who are PEPs, because the AML risk profile of managing substantial assets from complex or opaque origins warrants this level of enquiry regardless of whether the customer holds a prominent public function. What adequate verification looks like Source of funds verification Source of funds cannot be satisfied by declaration alone. A customer stating that the funds came from a property sale requires the firm to verify that a property sale occurred, that the proceeds were consistent with the amount described, and that the funds received can plausibly be traced to that event. Verification does not require forensic certainty — it requires that the firm takes reasonable steps to satisfy itself that the customer&#8217;s explanation is plausible and consistent with available evidence. Verification methods will vary with the transaction and the customer. For a large incoming transfer described as property sale proceeds, a solicitor&#8217;s completion statement or conveyancing correspondence may be appropriate. For funds described as salary or bonus, recent payslips or an employer confirmation letter. For business sale proceeds, the sale agreement or board minute. The appropriate evidence depends on what is proportionate given the transaction value and the customer&#8217;s overall risk profile. The key compliance failure in source of funds verification is accepting declarations without supporting documentation, or accepting supporting documentation without considering whether it adequately evidences what it purports to. A bank statement showing a credit described as &#8220;property sale&#8221; does not verify that a property was sold — it shows that a credit was received with that description. The firm needs to consider whether the available evidence actually answers the question it needs to answer. 
Source of wealth verification Source of wealth verification is more substantive than source of funds and typically requires a biographical understanding of the customer. For a PEP or a high-net-worth client, the firm needs to understand not just the headline claim — &#8220;I built a business&#8221; or &#8220;I had a career in finance&#8221; — but enough of the underlying detail to assess whether the stated source of wealth is plausible given what the firm can independently verify or observe. Verification approaches include: company registry searches to verify business ownership and activity; LinkedIn and other open-source checks to verify employment history and seniority; press coverage or publicly available information for customers who are genuinely prominent; property registry searches for customers whose wealth is primarily in real estate; and for customers from jurisdictions where the stated source of wealth is [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1>Source of funds vs source of wealth: getting the distinction right</h1>
<p>Source of funds and source of wealth are two distinct customer due diligence concepts that are regularly conflated in practice. The confusion is understandable — both concern the origins of a customer&#8217;s money, and in some cases the information required to satisfy one overlaps with the information required for the other. But they are not the same thing, and treating them as interchangeable creates compliance risk. A firm that believes it has conducted adequate source of wealth due diligence because it has verified source of funds, or that substitutes a source of funds declaration for the deeper enquiry that source of wealth requires, is likely to fail FCA scrutiny when that scrutiny arrives.</p>
<p>This article sets out the distinction between the two concepts, when each is required, what adequate verification looks like, and where regulated firms most commonly go wrong.</p>
<h2>The definitions</h2>
<p><strong>Source of funds</strong> refers to the origin of the specific funds involved in a particular transaction or business relationship. Where did the money for this transaction come from? The answer to this question is transactional and specific: the funds came from the customer&#8217;s salary, from the proceeds of a property sale, from a business dividend, from an inheritance received last year. Source of funds information relates to the particular flow of money that the firm is facilitating or handling.</p>
<p><strong>Source of wealth</strong> refers to the origin of the customer&#8217;s overall wealth — the economic activities that have generated the totality of their assets and financial position. How did this person accumulate what they have? Source of wealth is biographical and holistic: the customer built a business and sold it, or had a career as a senior professional, or inherited family wealth, or generated wealth through investment activity over many years. Source of wealth information relates to the customer&#8217;s overall economic history rather than any specific transaction.</p>
<p>The relationship between the two is that source of funds should be consistent with source of wealth. If a customer&#8217;s source of wealth is a career as a salaried professional and their source of funds for a particular transaction is described as the proceeds of a business sale, that inconsistency requires explanation. Source of funds information that cannot be reconciled with what the firm knows about source of wealth is a risk signal that warrants further enquiry.</p>
<h2>When each is required</h2>
<p>The Money Laundering Regulations 2017 do not specify precisely when source of funds verification is required and leave significant discretion to firms. The general expectation — reinforced by JMLSG guidance — is that source of funds should be verified where the transaction or business relationship warrants it given the customer&#8217;s risk profile and the nature of the transaction. For high-value transactions, for transactions that appear inconsistent with the customer&#8217;s known profile, or for customers in higher-risk categories, source of funds verification is a core component of the CDD process.</p>
<p>Source of wealth is specifically required in several contexts. It is a mandatory component of enhanced due diligence for PEPs — the MLRs require firms to establish the source of wealth and source of funds of PEPs and their family members and close associates. It is also expected as part of EDD for high-risk third country relationships and for any customer relationship where the risk assessment indicates that standard CDD is insufficient to adequately understand and manage the money laundering risk.</p>
<p>In practice, most wealth management firms and private banks apply source of wealth requirements to all high-net-worth or ultra-high-net-worth clients, not just those who are PEPs, because the AML risk profile of managing substantial assets from complex or opaque origins warrants this level of enquiry regardless of whether the customer holds a prominent public function.</p>
<h2>What adequate verification looks like</h2>
<h3>Source of funds verification</h3>
<p>Source of funds cannot be satisfied by declaration alone. A customer stating that the funds came from a property sale requires the firm to verify that a property sale occurred, that the proceeds were consistent with the amount described, and that the funds received can plausibly be traced to that event. Verification does not require forensic certainty — it requires that the firm takes reasonable steps to satisfy itself that the customer&#8217;s explanation is plausible and consistent with available evidence.</p>
<p>Verification methods will vary with the transaction and the customer. For a large incoming transfer described as property sale proceeds, a solicitor&#8217;s completion statement or conveyancing correspondence may be appropriate. For funds described as salary or bonus, recent payslips or an employer confirmation letter. For business sale proceeds, the sale agreement or board minute. The appropriate evidence depends on what is proportionate given the transaction value and the customer&#8217;s overall risk profile.</p>
<p>The key compliance failure in source of funds verification is accepting declarations without supporting documentation, or accepting supporting documentation without considering whether it adequately evidences what it purports to. A bank statement showing a credit described as &#8220;property sale&#8221; does not verify that a property was sold — it shows that a credit was received with that description. The firm needs to consider whether the available evidence actually answers the question it needs to answer.</p>
<h3>Source of wealth verification</h3>
<p>Source of wealth verification is more substantive than source of funds and typically requires a biographical understanding of the customer. For a PEP or a high-net-worth client, the firm needs to understand not just the headline claim — &#8220;I built a business&#8221; or &#8220;I had a career in finance&#8221; — but enough of the underlying detail to assess whether the stated source of wealth is plausible given what the firm can independently verify or observe.</p>
<p>Verification approaches include: company registry searches to verify business ownership and activity; LinkedIn and other open-source checks to verify employment history and seniority; press coverage or publicly available information for customers who are genuinely prominent; property registry searches for customers whose wealth is primarily in real estate; and for customers from jurisdictions where the stated source of wealth is inherently higher risk, more intensive enquiry that may include specialist due diligence providers.</p>
<p>The FCA&#8217;s expectation for PEP source of wealth verification is explicit: firms should not rely solely on the customer&#8217;s self-declaration. The information provided by the customer should be tested against what the firm can independently verify, and any material inconsistencies should be escalated and documented. A PEP who claims a source of wealth that is inconsistent with their known public role and salary — where the wealth significantly exceeds what their stated career would plausibly generate — is a material risk signal that requires a clear documented response.</p>
<h2>Common failures in practice</h2>
<h3>Confusing the two concepts</h3>
<p>The most common failure is treating source of funds verification as equivalent to source of wealth enquiry. A firm that collects bank statements showing where the money came from for a specific transaction, files them as &#8220;source of wealth documentation,&#8221; and proceeds has not conducted source of wealth due diligence. It has conducted source of funds verification — and incomplete source of funds verification at that, since the bank statement shows origin but may not explain how the funds arrived in that account.</p>
<h3>Accepting unverified declarations</h3>
<p>The second most common failure is accepting customer declarations without verification. &#8220;Mr X states that his wealth derives from a successful IT business&#8221; is not source of wealth verification. It is a record of what Mr X has told the firm. Verification requires that the firm has taken steps to satisfy itself that Mr X did indeed build an IT business, that the business generated the level of wealth being described, and that this history is consistent with other information the firm holds. The difference between a declaration and a verified fact is exactly where the FCA finds firms falling short in thematic reviews and enforcement cases.</p>
<h3>Failing to identify the inconsistency between source of funds and source of wealth</h3>
<p>Where source of funds information is inconsistent with source of wealth — where the transaction involves amounts or origins that cannot be reconciled with the customer&#8217;s economic history — the firm needs to treat this as a risk signal requiring escalation and further enquiry. Firms that collect both pieces of information but do not compare them, or that compare them and record the inconsistency without escalating it, are failing at exactly the point where the controls matter most.</p>
<h2>The MLRO&#8217;s role in setting standards</h2>
<p>The quality of source of funds and source of wealth verification across a firm is determined primarily by the policies, training, and oversight that the MLRO establishes. An MLRO who has defined clear standards for what constitutes adequate verification, trained the first and second line on those standards, and established a review process that identifies inadequate verifications before they create regulatory exposure is providing the oversight the function requires. An MLRO who has delegated this to written policies without checking whether those policies are being applied in practice is not.</p>
<p>FD Capital places MLROs, financial crime specialists and compliance leaders in FCA-regulated firms across all sectors, including wealth management, private banking and investment management where source of wealth due diligence is a central component of the AML framework. We understand the technical requirements of the role and the standard that regulated firms need from their MLRO appointment.</p>
<div style="background:#f8f9fa;border-left:4px solid #1F3864;padding:24px 28px;margin:40px 0;">
<p style="margin:0 0 8px;font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:#666;">Written by</p>
<p style="margin:0 0 4px;font-size:17px;font-weight:700;color:#1F3864;">Adrian Lawrence FCA</p>
<p style="margin:0 0 12px;font-size:14px;color:#444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383</p>
<p style="margin:0;font-size:13px;color:#555;">FD Capital is an <a href="https://find.icaew.com/firms/137918" style="color:#1F3864;" target="_blank" rel="noopener">ICAEW-Registered Practice</a> specialising in senior finance and compliance recruitment for FCA-regulated firms.</p>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>PEP screening in practice: dealing with false positives at scale</title>
		<link>https://www.fdcapital.co.uk/pep-screening-in-practice-dealing-with-false-positives-at-scale/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Sat, 16 May 2026 07:45:15 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[PEP]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33949</guid>

					<description><![CDATA[PEP screening in practice: dealing with false positives at scale PEP screening generates more false positives than almost any other component of a regulated firm&#8217;s customer due diligence process. A common name, a partial name match, an incorrectly configured screening threshold — each of these can flood the alert queue with matches that have no connection to political exposure whatsoever. The operational consequence is significant: compliance teams spend substantial time reviewing and clearing alerts that do not represent genuine risk, and the volume of false positives creates two related problems. The first is operational — the cost and time of clearing alerts. The second is regulatory — a firm that is drowning in false positives may clear genuine ones too quickly, under time pressure and alert fatigue. Managing PEP screening effectively at scale is therefore not primarily a technical question about which screening vendor to use. It is a risk management question about how to configure the screening process to identify genuine PEPs accurately while minimising the operational burden of false positives — and how to document that approach in a way that satisfies FCA scrutiny. What the regulations require The Money Laundering Regulations 2017 require regulated firms to identify customers who are PEPs, family members of PEPs, and known close associates of PEPs. The definition of a PEP under the regulations applies to individuals who are or have been entrusted with a prominent public function — heads of state, members of parliament, senior government officials, senior executives of state-owned enterprises, senior figures in international organisations, and similar. The definition extends to family members and known close associates of such individuals, though the close associate category presents its own identification challenges. 
For domestic PEPs — those holding public functions in the UK — the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 introduced a risk-based approach that distinguished between UK PEPs and foreign PEPs. The regulations made clear that the risk associated with UK domestic PEPs should be assessed as lower than that associated with foreign PEPs, unless specific factors indicate higher risk. This was reinforced by FCA guidance in 2023 and the subsequent Dear CEO letter to retail banks about the treatment of domestic PEPs — a communication prompted in part by high-profile cases in which UK political figures had complained about being denied banking services based on their PEP status. The practical effect of this guidance is that regulated firms should not apply the same level of enhanced due diligence to a UK MP as they would to a senior official of a higher-risk foreign government. Both require identification and assessment. The proportionate response to that identification is different. Why false positives occur at scale False positives in PEP screening have three main causes. The first is name matching methodology. Screening systems that match on partial names or phonetic equivalents will generate matches for common surnames and given names. A firm that screens all customers against PEP databases using fuzzy matching at a 70% threshold will generate substantial volumes of matches for any customer whose name has even a loose resemblance to a listed PEP. The challenge is that reducing the matching threshold increases the risk of missing genuine PEPs. The appropriate configuration depends on the firm&#8217;s customer base, business model, and risk appetite — and it requires ongoing calibration rather than a one-time setting. The second cause is database scope. Most commercial PEP databases include not just current PEPs but former PEPs, family members, and close associates. 
The further these individuals are from the original PEP, the lower the regulatory risk they represent in most cases — but the screening system will generate matches regardless. A firm whose screening vendor includes distant relatives of former government officials in its PEP database will generate alerts for individuals who represent no meaningful enhanced risk, and managing those alerts consumes compliance resources. The third cause is inadequate risk stratification in the post-alert review process. Even where the initial match is genuine — where the alert correctly identifies a customer who is or is related to a PEP — the question of what to do with that identification depends on the risk assessment. A UK local councillor is a PEP. A former head of state of a country with high corruption risk is a PEP. The same alert process should not be applied to both. A risk-based approach to reducing false positives Calibrate the matching threshold by customer segment The appropriate matching threshold is not the same for every customer. For higher-risk customer segments — where the consequences of missing a genuine PEP are most significant — a lower threshold (generating more alerts, including more false positives) is appropriate. For lower-risk customer segments — domestic retail customers with straightforward profiles — a higher threshold reduces alert volume without materially increasing the risk of missing genuine PEPs. This segmented approach needs to be documented. The firm&#8217;s AML risk assessment should explain why different thresholds apply to different segments, and the calibration decision should be reviewed periodically — particularly when the customer base composition changes or when typology trends suggest that PEP-related risk in particular segments is changing. Establish tiered alert disposition processes Not all PEP alerts warrant the same investigation depth. 
A tiered disposition process — where alerts are stratified by risk profile immediately after they are generated, and the level of investigation is proportionate to that stratification — reduces the time spent on low-risk false positives and focuses enhanced scrutiny where it is most needed. A typical tiering approach might distinguish between alerts that are clearly false positives (name match only, no other matching data, domestic low-risk profile), alerts that require basic review (some matching characteristics but low-risk jurisdiction and position), and alerts that require full enhanced due diligence (genuine PEP match, higher-risk jurisdiction, complex source of wealth). The parameters of this tiering need to be documented and reviewed by the MLRO. Use negative screening data systematically Many false positives can be cleared efficiently if the firm maintains and [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1>PEP screening in practice: dealing with false positives at scale</h1>
<p>PEP screening generates more false positives than almost any other component of a regulated firm&#8217;s customer due diligence process. A common name, a partial name match, an incorrectly configured screening threshold — each of these can flood the alert queue with matches that have no connection to political exposure whatsoever. The operational consequence is significant: compliance teams spend substantial time reviewing and clearing alerts that do not represent genuine risk, and the volume of false positives creates two related problems. The first is operational — the cost and time of clearing alerts. The second is regulatory — a firm that is drowning in false positives may clear genuine ones too quickly, under time pressure and alert fatigue.</p>
<p>Managing PEP screening effectively at scale is therefore not primarily a technical question about which screening vendor to use. It is a risk management question about how to configure the screening process to identify genuine PEPs accurately while minimising the operational burden of false positives — and how to document that approach in a way that satisfies FCA scrutiny.</p>
<h2>What the regulations require</h2>
<p>The Money Laundering Regulations 2017 require regulated firms to identify customers who are PEPs, family members of PEPs, and known close associates of PEPs. The definition of a PEP under the regulations applies to individuals who are or have been entrusted with a prominent public function — heads of state, members of parliament, senior government officials, senior executives of state-owned enterprises, senior figures in international organisations, and similar. The definition extends to family members and known close associates of such individuals, though the close associate category presents its own identification challenges.</p>
<p>For domestic PEPs — those holding public functions in the UK — the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 introduced a risk-based approach that distinguished between UK PEPs and foreign PEPs. The regulations made clear that the risk associated with UK domestic PEPs should be assessed as lower than that associated with foreign PEPs, unless specific factors indicate higher risk. This was reinforced by FCA guidance in 2023 and the subsequent Dear CEO letter to retail banks about the treatment of domestic PEPs — a communication prompted in part by high-profile cases in which UK political figures had complained about being denied banking services based on their PEP status.</p>
<p>The practical effect of this guidance is that regulated firms should not apply the same level of enhanced due diligence to a UK MP as they would to a senior official of a higher-risk foreign government. Both require identification and assessment. The proportionate response to that identification is different.</p>
<h2>Why false positives occur at scale</h2>
<p>False positives in PEP screening have three main causes. The first is name matching methodology. Screening systems that match on partial names or phonetic equivalents will generate matches for common surnames and given names. A firm that screens all customers against PEP databases using fuzzy matching at a 70% threshold will generate substantial volumes of matches for any customer whose name has even a loose resemblance to a listed PEP. The challenge is that reducing the matching threshold increases the risk of missing genuine PEPs. The appropriate configuration depends on the firm&#8217;s customer base, business model, and risk appetite — and it requires ongoing calibration rather than a one-time setting.</p>
<p>The second cause is database scope. Most commercial PEP databases include not just current PEPs but former PEPs, family members, and close associates. The further these individuals are from the original PEP, the lower the regulatory risk they represent in most cases — but the screening system will generate matches regardless. A firm whose screening vendor includes distant relatives of former government officials in its PEP database will generate alerts for individuals who represent no meaningful enhanced risk, and managing those alerts consumes compliance resources.</p>
<p>The third cause is inadequate risk stratification in the post-alert review process. Even where the initial match is genuine — where the alert correctly identifies a customer who is or is related to a PEP — the question of what to do with that identification depends on the risk assessment. A UK local councillor is a PEP. A former head of state of a country with high corruption risk is a PEP. The same alert process should not be applied to both.</p>
<h2>A risk-based approach to reducing false positives</h2>
<h3>Calibrate the matching threshold by customer segment</h3>
<p>The appropriate matching threshold is not the same for every customer. For higher-risk customer segments — where the consequences of missing a genuine PEP are most significant — a lower threshold (generating more alerts, including more false positives) is appropriate. For lower-risk customer segments — domestic retail customers with straightforward profiles — a higher threshold reduces alert volume without materially increasing the risk of missing genuine PEPs.</p>
<p>This segmented approach needs to be documented. The firm&#8217;s AML risk assessment should explain why different thresholds apply to different segments, and the calibration decision should be reviewed periodically — particularly when the customer base composition changes or when typology trends suggest that PEP-related risk in particular segments is changing.</p>
<h3>Establish tiered alert disposition processes</h3>
<p>Not all PEP alerts warrant the same investigation depth. A tiered disposition process — where alerts are stratified by risk profile immediately after they are generated, and the level of investigation is proportionate to that stratification — reduces the time spent on low-risk false positives and focuses enhanced scrutiny where it is most needed.</p>
<p>A typical tiering approach might distinguish between alerts that are clearly false positives (name match only, no other matching data, domestic low-risk profile), alerts that require basic review (some matching characteristics but low-risk jurisdiction and position), and alerts that require full enhanced due diligence (genuine PEP match, higher-risk jurisdiction, complex source of wealth). The parameters of this tiering need to be documented and reviewed by the MLRO.</p>
<h3>Use negative screening data systematically</h3>
<p>Many false positives can be cleared efficiently if the firm maintains and uses a negative screening list — a documented record of individuals who have been reviewed, determined not to be genuine PEPs, and cleared. Re-screening the same individual repeatedly without reference to previous review decisions generates unnecessary alert volume and review burden.</p>
<p>The negative screening record should be maintained with the date of the review, the reason for the clearance, and the reviewer&#8217;s name. It should be subject to periodic refresh — an individual who was correctly cleared three years ago may have since taken on a prominent public function — but for most individuals the refresh cycle can be extended beyond the standard screening frequency without material risk.</p>
<h3>Review database scope with your vendor</h3>
<p>Commercial PEP database providers offer different configurations of who is included in their datasets. Some include former PEPs indefinitely; others apply a time decay — reducing the risk score of individuals who left prominent public functions some years ago. Some include close associates defined broadly; others take a narrower approach. Working with your screening vendor to configure the database scope appropriate to your firm&#8217;s business model and customer base — rather than accepting a default configuration — can materially reduce alert volume without compromising the effectiveness of the screening programme.</p>
<h2>MLRO accountability for PEP screening quality</h2>
<p>Under SMCR, the MLRO (SMF17) holds personal accountability for the adequacy of the firm&#8217;s AML framework, including the PEP screening process. This means the MLRO cannot treat false positive management as a purely operational matter delegated to the compliance team. The MLRO needs to satisfy themselves that the screening configuration is appropriate, that the threshold and tiering decisions are documented and defensible, that the alert disposition process is consistently applied, and that the volume and nature of PEP alerts are reported to them with sufficient frequency to identify emerging issues.</p>
<p>In an FCA supervisory review, the MLRO will be expected to explain the firm&#8217;s PEP screening methodology, including the threshold calibration decisions and the rationale for them. A firm that has not documented these decisions — where the threshold is whatever the vendor defaulted to and no one can explain why — is in a materially weaker position than one where the MLRO can demonstrate that the screening configuration is a deliberate risk management decision.</p>
<p>FD Capital places MLROs and financial crime specialists in FCA-regulated firms across all sectors. Where the MLRO role requires specific expertise in transaction monitoring, PEP screening, or the design of AML frameworks, we understand the technical requirements and can identify candidates with the relevant experience.</p>
<div style="background:#f8f9fa;border-left:4px solid #1F3864;padding:24px 28px;margin:40px 0;">
<p style="margin:0 0 8px;font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:#666;">Written by</p>
<p style="margin:0 0 4px;font-size:17px;font-weight:700;color:#1F3864;">Adrian Lawrence FCA</p>
<p style="margin:0 0 12px;font-size:14px;color:#444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383</p>
<p style="margin:0;font-size:13px;color:#555;">FD Capital is an <a href="https://find.icaew.com/firms/137918" style="color:#1F3864;" target="_blank" rel="noopener">ICAEW-Registered Practice</a> specialising in senior finance and compliance recruitment for FCA-regulated firms.</p>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>UK MLRO salary 2026: what an MLRO earns by firm type and size</title>
		<link>https://www.fdcapital.co.uk/uk-mlro-salary-2026-what-an-mlro-earns-by-firm-type-and-size/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Sat, 16 May 2026 07:41:35 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[MLRO]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33945</guid>

										<content:encoded><![CDATA[
<h1>UK MLRO salary 2026: what an MLRO earns by firm type and size</h1>
<p>The Money Laundering Reporting Officer role has changed significantly over the past five years. Increased FCA enforcement activity, the expansion of the sanctions compliance function into most MLRO remits, the growing sophistication of financial crime typologies, and the personal accountability that SMCR imposes on SMF17 holders have all combined to raise both the demand for experienced MLROs and the market rate for attracting them. What an MLRO earns in 2026 depends substantially on the firm type, the regulatory complexity of the role, and whether the individual is holding the function on a full-time or shared basis.</p>
<p>The figures below draw on FD Capital&#8217;s placement data across FCA-regulated sectors and reflect current market conditions. They represent base salary only unless otherwise stated and do not include bonuses, which in most regulated firms are constrained by the remuneration code applicable to the firm&#8217;s regulatory category.</p>
<h2>Small FCA-only regulated firms (under £50m revenue, limited AML risk)</h2>
<p>At the smaller end of the market — consumer credit firms, small investment advisers, recently authorised payment institutions — the MLRO role is typically a combined appointment. The individual holds SMF17 alongside a broader compliance remit, and the MLRO function constitutes perhaps 40–60% of their overall role. In this context the relevant salary benchmark is the total compensation for the combined role rather than for the MLRO function alone.</p>
<p>For a Head of Compliance and MLRO at a firm of this size, market rates in 2026 sit in the range of <strong>£55,000–£75,000</strong>. Firms at the lower end of this range are typically those with simpler regulatory profiles — a single FCA permission, a UK-only customer base, modest transaction volumes. Firms at the upper end have more complex permissions, higher-risk customer segments, or are in sectors where AML typologies are more sophisticated.</p>
<p>Where the MLRO function is genuinely shared — an individual holding SMF17 for multiple firms on a fractional basis — the day rate for experienced practitioners typically runs at <strong>£400–£600 per day</strong>, with the allocation across firms reflecting the total time commitment to each.</p>
<h2>Payment institutions and e-money institutions</h2>
<p>Payment firms and e-money institutions present a specific AML risk profile. The high transaction volumes, the speed of payment processing, and the prevalence of authorised push payment fraud and mule account activity make the MLRO role at these firms demanding in ways that are qualitatively different from most other regulated firm types. The MLRO at a mid-size payment institution is typically managing a substantial transaction monitoring operation and dealing with AML typologies that evolve rapidly.</p>
<p>Dedicated MLRO salaries at payment institutions typically range from <strong>£70,000–£100,000</strong> for smaller to mid-size firms, rising to <strong>£100,000–£130,000</strong> at larger firms with significant transaction volumes or complex product sets including crypto asset services where the AML risk is elevated and specialist knowledge commands a premium.</p>
<h2>Investment management and wealth management firms</h2>
<p>The MLRO at an investment management or wealth management firm deals primarily with source of wealth verification, PEP management, and the risk of managing assets that may derive from corruption, tax evasion, or unexplained wealth. The complexity of these assessments — particularly for ultra-high-net-worth clients and clients from higher-risk jurisdictions — makes this a technically demanding variant of the MLRO role.</p>
<p>At smaller wealth management firms (AUM under £1bn), MLRO salaries typically range from <strong>£70,000–£95,000</strong>. At mid-market firms (AUM £1bn–£10bn), the range is <strong>£90,000–£130,000</strong>. At large asset managers and major wealth management businesses (AUM above £10bn), senior MLRO appointments command <strong>£130,000–£180,000</strong>, reflecting both the complexity of the role and the supply constraints in finding individuals with the specific combination of technical AML knowledge and wealth management sector experience.</p>
<h2>Retail and commercial banking</h2>
<p>MLROs at UK retail and commercial banks operate within the most heavily regulated segment of the AML market. The combination of PRA oversight, the expectation of a dedicated and adequately resourced financial crime function, and the regulatory history that follows most UK banks from previous AML enforcement actions means that MLRO appointments at this level command a significant premium.</p>
<p>At smaller challenger banks and specialist lenders, MLRO salaries sit in the range of <strong>£100,000–£140,000</strong>. At mid-size banks with significant retail deposit bases, the range is <strong>£130,000–£180,000</strong>. At the major clearing banks and international banking subsidiaries, senior MLRO and Deputy MLRO appointments can reach <strong>£180,000–£250,000</strong>, though appointments at this level often involve candidates with either previous regulatory approval at major institutions or direct experience of FCA or NCA engagement.</p>
<h2>Insurance firms</h2>
<p>Insurance presents a specific set of AML challenges — premium finance arrangements, the use of insurance products for layering purposes, and the cross-border complexity of reinsurance and specialty lines. The MLRO at an insurance firm needs sector-specific AML knowledge that is not directly transferable from banking or investment management.</p>
<p>At smaller insurers, MLRO salaries typically range from <strong>£65,000–£90,000</strong>. At mid-size and Lloyd&#8217;s market firms, the range is <strong>£90,000–£130,000</strong>, rising to <strong>£130,000–£160,000+</strong> for complex roles at major insurance groups with international operations and significant specialty or life insurance exposure.</p>
<h2>Consumer credit firms</h2>
<p>Consumer credit MLROs typically operate at the lower end of the market rate range, reflecting both the relatively contained AML risk profile of most consumer lending businesses and the fact that the MLRO role is frequently combined with a broader compliance function. Salaries at consumer credit firms typically range from <strong>£55,000–£80,000</strong> for combined compliance and MLRO appointments, rising toward <strong>£80,000–£100,000</strong> at the largest consumer finance businesses where the transaction volumes and fraud typologies warrant a more senior and dedicated appointment.</p>
<h2>Deputy MLRO (AMLRO) salary benchmarks</h2>
<p>The Deputy MLRO or Anti-Money Laundering Reporting Officer (AMLRO) receives internal SARs from staff and manages the first stage of the triage process, escalating to the MLRO where appropriate. The AMLRO role is a substantial one at larger firms — managing a team of financial crime analysts, overseeing the transaction monitoring alert queue, and making initial filing assessments on a volume that the MLRO cannot manage alone.</p>
<p>AMLRO salaries generally benchmark at <strong>70–80% of the firm&#8217;s MLRO salary</strong>, reflecting the seniority differential and the fact that the AMLRO does not hold personal SMF approval. Across firm types, this translates approximately to:</p>
<ul>
<li>Payment institutions: £55,000–£85,000</li>
<li>Investment and wealth management: £65,000–£110,000</li>
<li>Banking: £85,000–£150,000</li>
<li>Insurance: £55,000–£100,000</li>
</ul>
<h2>What drives salary above or below the mid-point</h2>
<p>Within each of these ranges, specific factors move an individual&#8217;s compensation toward the upper or lower end. Existing SMF17 approval commands a premium — candidates who are already FCA-approved as an MLRO remove the approval timeline risk for the recruiting firm and are typically more experienced as a result. Sector-specific experience, particularly in higher-risk sectors, commands a premium over general AML expertise. Direct experience of FCA supervisory engagement — thematic reviews, skilled person reviews under Section 166, or enforcement proceedings — is particularly valued given the personal accountability that SMF17 carries.</p>
<p>Candidates who have built and led financial crime functions from a relatively early stage — who have hired teams, designed frameworks, and managed regulatory relationships rather than inherited established programmes — also command a premium, particularly at firms that are building rather than maintaining their AML capability.</p>
<p>FD Capital places MLROs and AMLROs across all FCA-regulated sectors. If you are benchmarking an MLRO appointment or seeking guidance on current market rates, we are happy to provide a detailed discussion based on your specific firm type and requirements.</p>
<div style="background:#f8f9fa;border-left:4px solid #1F3864;padding:24px 28px;margin:40px 0;">
<p style="margin:0 0 8px;font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:#666;">Written by</p>
<p style="margin:0 0 4px;font-size:17px;font-weight:700;color:#1F3864;">Adrian Lawrence FCA</p>
<p style="margin:0 0 12px;font-size:14px;color:#444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383</p>
<p style="margin:0;font-size:13px;color:#555;">FD Capital is an <a href="https://find.icaew.com/firms/137918" style="color:#1F3864;" target="_blank" rel="noopener">ICAEW-Registered Practice</a> specialising in senior finance and compliance recruitment for FCA-regulated firms.</p>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Outsourcing the MLRO function: when it works and when it doesn&#8217;t</title>
		<link>https://www.fdcapital.co.uk/outsourcing-the-mlro-function-when-it-works-and-when-it-doesnt/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Sat, 16 May 2026 07:40:21 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[FCA]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33943</guid>

										<content:encoded><![CDATA[
<h1>Outsourcing the MLRO function: when it works and when it doesn&#8217;t</h1>
<p>The question of whether an FCA-regulated firm can outsource its MLRO function — and if so, how — is one that generates significant confusion. The answer depends on the firm&#8217;s regulatory category, its size, and the specific structure of the outsourced arrangement. Some regulated firms can legitimately appoint an external MLRO on a shared or hosted basis. Others cannot. And even where outsourcing is permissible in principle, it carries risks and operational constraints that many firms do not fully consider before proceeding.</p>
<p>This article sets out the regulatory framework for MLRO outsourcing under FCA rules, the conditions under which it works effectively, and the circumstances in which it creates more problems than it solves.</p>
<h2>The regulatory framework — what the rules actually permit</h2>
<p>The Money Laundering Regulations 2017 require that firms appoint an individual as MLRO. The regulations do not expressly prohibit outsourcing this function to an individual employed by a third party — a consultancy, a compliance services firm, or a professional individual working as an independent contractor. The FCA&#8217;s SYSC sourcebook similarly does not categorically prohibit MLRO outsourcing for all firm types.</p>
<p>However, SMCR significantly constrains the outsourcing option for most regulated firms. Under SMCR, the MLRO function is SMF17 — a Senior Manager Function that requires the individual to be personally approved by the FCA as a Senior Manager of that specific firm. The key implication is that the FCA must approve the individual in their MLRO capacity for your firm specifically. An individual who holds SMF17 approval for Firm A does not automatically have approval to act as MLRO for Firm B. Each approval is firm-specific.</p>
<p>For dual-regulated firms — banks, building societies, certain investment firms regulated by both the FCA and PRA — the PRA has been explicit that the MLRO must be an employee of the firm and cannot be outsourced. This reflects the PRA&#8217;s view that the personal accountability and independence requirements of the MLRO function cannot be adequately maintained through an outsourced arrangement in a systemically important or deposit-taking institution.</p>
<p>For FCA-only regulated firms — consumer credit firms, most payment institutions, smaller investment firms, and others — the position is less categorical but still constrained. The FCA expects the MLRO to have genuine independence, adequate time to fulfil the function, and meaningful access to the firm&#8217;s systems and information. An external MLRO who divides their time across multiple client firms can meet these requirements for smaller firms with lower AML risk profiles. It becomes increasingly difficult to demonstrate as the firm&#8217;s size and regulatory complexity increase.</p>
<h2>When outsourcing works</h2>
<h3>Very small regulated firms with limited AML risk</h3>
<p>The clearest case for a shared or outsourced MLRO is a small FCA-only regulated firm — a consumer credit firm, a small investment adviser, or a recently authorised payment firm — where the volume and complexity of AML activity do not justify a full-time MLRO appointment. A firm with twenty employees that processes a modest number of transactions per month, has a predominantly UK retail client base, and operates a simple business model does not need a full-time MLRO. The regulatory obligation requires the appointment and the function to be performed adequately; it does not require the individual to be dedicated solely to that firm.</p>
<p>In these circumstances, a shared MLRO arrangement — where a specialist compliance professional holds SMF17 approval for multiple small firms simultaneously — can be both regulatory-compliant and commercially sensible. The shared MLRO must be approved by the FCA for each firm separately. They must have adequate time allocated to each firm. They must have genuine access to each firm&#8217;s transaction data, customer information, and internal reporting systems. And the arrangement must be documented in a way that the FCA could review and find adequate.</p>
<h3>During the FCA authorisation phase</h3>
<p>A firm applying for FCA authorisation needs to demonstrate to the FCA that it has identified and appointed its key SMF holders as part of the application. An external MLRO — someone who can hold SMF17 on an interim or shared basis during the authorisation process — allows the applying firm to fulfil this requirement without making a permanent appointment before the business is generating the revenue to support one.</p>
<p>This is a legitimate and common use of the outsourced MLRO model. The expectation, on the FCA&#8217;s part and commercially, is that as the firm grows it will transition to a dedicated internal MLRO at an appropriate point. The trigger for that transition is typically the point at which the firm&#8217;s AML risk profile — the volume of transactions, the complexity of the customer base, the geographical reach of the business — makes the shared model inadequate.</p>
<h3>As a stopgap during MLRO succession</h3>
<p>When a firm&#8217;s MLRO departs and the replacement has not yet completed the SMF17 approval process, the firm faces a period of MLRO vacancy. An interim external MLRO — individually approved by the FCA for that firm on a temporary basis — can hold the function during this period. This is a practically important use of the outsourced model and is considerably better than leaving the firm without a formally approved MLRO during what can be a 10–16 week approval window.</p>
<h2>When outsourcing doesn&#8217;t work</h2>
<h3>Dual-regulated firms</h3>
<p>As noted above, the PRA&#8217;s position effectively precludes MLRO outsourcing for PRA-regulated firms. Banks, building societies, and major investment firms need an employed, dedicated MLRO. This is not a case where a firm can structure its way around the requirement with a carefully worded contract. The PRA&#8217;s concern is about personal accountability and independence, and it is not satisfied by an outsourced arrangement regardless of how it is structured.</p>
<h3>Firms with material AML risk</h3>
<p>As a firm&#8217;s AML risk profile increases — higher transaction volumes, more complex customer relationships, higher-risk geographies or business lines — the outsourced MLRO model becomes progressively less adequate. The MLRO at such a firm needs to be deeply embedded in the firm&#8217;s operations. They need to understand the specific customer relationships, the transaction patterns, the business lines that carry higher risk, and the individuals internally who are the first line of defence against financial crime. An external MLRO dividing their time across multiple clients cannot develop or maintain this depth of understanding.</p>
<p>The FCA will assess not whether the outsourced arrangement is permissible in the abstract but whether it is adequate for the specific firm. A firm with a material and growing AML risk profile that continues to use a shared MLRO is making a regulatory bet that will eventually not pay off. When a SAR goes unfiled, when a high-risk customer slips through the EDD process, when the annual MLRO report reveals that the function has been inadequately resourced — the outsourced model is typically part of the explanation.</p>
<h3>Where cultural and operational integration is critical</h3>
<p>The MLRO&#8217;s effectiveness depends substantially on their relationship with the first line of defence — the relationship managers, the onboarding teams, the operational staff who encounter potential financial crime risk daily. An MLRO who is not present in the firm, who does not attend the relevant internal meetings, who is not part of the firm&#8217;s culture, cannot adequately discharge the training, culture, and oversight functions that go alongside the formal MLRO obligations.</p>
<p>The MLRO who visits the firm once a month to review SAR decisions and sign off on the annual report is not performing the MLRO function adequately. They are performing a subset of it. For firms where the internal financial crime culture — the awareness of the first line, the quality of internal escalation, the tone around compliance — is a material component of the AML framework, the embedded internal MLRO is not just preferable. It is necessary.</p>
<h2>Structuring an outsourced MLRO arrangement correctly</h2>
<p>Where outsourcing is genuinely appropriate, the arrangement needs to be documented and structured in a way that withstands FCA scrutiny. The key elements are: a written agreement with the outsourced MLRO that clearly defines the scope, time allocation, and responsibilities of the arrangement; confirmation of the FCA&#8217;s approval of the individual as SMF17 for the firm; documented evidence that the MLRO has adequate access to the firm&#8217;s systems, data, and personnel; and a clear process for escalation, SAR decision-making, and board reporting.</p>
<p>The firm&#8217;s board should understand and formally approve the outsourcing arrangement. It should appear in the firm&#8217;s outsourcing register where applicable. And the firm should have a contingency arrangement documented — what happens if the outsourced MLRO is unavailable, resigns, or becomes unsuitable to hold the function.</p>
<p>FD Capital places MLROs in FCA-regulated firms at all stages — including interim and shared arrangements during authorisation or succession periods, and permanent internal MLROs where firms have grown beyond the outsourced model. If you are reviewing your MLRO arrangement or transitioning from an outsourced to an internal model, we would welcome a conversation.</p>
<div style="background:#f8f9fa;border-left:4px solid #1F3864;padding:24px 28px;margin:40px 0;">
<p style="margin:0 0 8px;font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:#666;">Written by</p>
<p style="margin:0 0 4px;font-size:17px;font-weight:700;color:#1F3864;">Adrian Lawrence FCA</p>
<p style="margin:0 0 12px;font-size:14px;color:#444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383</p>
<p style="margin:0;font-size:13px;color:#555;">FD Capital is an <a href="https://find.icaew.com/firms/137918" style="color:#1F3864;" target="_blank" rel="noopener">ICAEW-Registered Practice</a> specialising in senior finance and compliance recruitment for FCA-regulated firms.</p>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Hiring an MLRO in 2026: a recruitment guide for FCA-regulated firms</title>
		<link>https://www.fdcapital.co.uk/mlro-recruitment-2026-guide-regulated-firms/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Sat, 16 May 2026 07:38:12 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[Recruitment]]></category>
		<category><![CDATA[MLRO]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33940</guid>

										<content:encoded><![CDATA[<h1>Hiring an MLRO in 2026: a recruitment guide for FCA-regulated firms</h1>
<p>The Money Laundering Reporting Officer is one of the most consequential senior hires an FCA-regulated firm makes. It is a personal accountability role — the individual who holds SMF17 under SMCR is personally responsible to the FCA for the firm&#8217;s AML and CTF framework. When that framework fails, when a Suspicious Activity Report is not filed that should have been, when a PEP is onboarded without adequate enhanced due diligence, the accountability does not rest with the firm in the abstract. It rests with the MLRO as a named individual.</p>
<p>Recruiting for this role requires a different approach to most senior finance or risk appointments. Technical knowledge of the Money Laundering Regulations 2017 and the JMLSG guidance is necessary but not sufficient. The MLRO must also navigate the FCA&#8217;s approval process as an SMF17 holder, operate with genuine independence from the commercial function, and carry the weight of personal regulatory accountability in a way that most professionals have not experienced before.</p>
<p>This guide sets out what regulated firms need to understand before they start the search, what to look for in candidates, how the SMF17 approval process works, and where hiring most commonly goes wrong.</p>
<h2>Who needs an MLRO under FCA rules</h2>
<p>The requirement to appoint an MLRO applies to any firm within scope of the Money Laundering Regulations 2017. For FCA-regulated firms, this includes banks, building societies, credit unions, payment institutions, electronic money institutions, investment firms, wealth managers, consumer credit firms, and others. The specific form of the appointment — whether the MLRO must be an employee of the firm or can be an external appointment — depends on the firm&#8217;s regulatory category and size, and is discussed further in the context of outsourcing below.</p>
<p>For firms within SMCR enhanced or core scope, the MLRO function corresponds to SMF17. The individual holding this function must be individually approved by the FCA and PRA (for dual-regulated firms) as a Senior Manager. This approval requirement has material implications for the recruitment process and timeline.</p>
<h2>The SMF17 approval process — recruitment timeline implications</h2>
<p>The single most important planning consideration for MLRO recruitment is the SMF17 approval timeline. Once a candidate is selected, the firm must submit an individual SMF application to the FCA before the candidate can formally hold the function. The FCA&#8217;s statutory timeline for determining complete applications is three months, though the actual timeline depends significantly on the completeness of the application and whether further information is requested.</p>
<p>In practice, firms should plan for a minimum of 10–14 weeks from selection to approval for a straightforward application — a candidate with a clear employment history, no disclosable events, and existing SMF approval from a previous role. For candidates without previous SMF approval, or where the application generates requests for further information, the timeline can extend to 16–20 weeks.</p>
<p>The practical consequence is that the search process needs to begin significantly earlier than for most senior appointments. A firm that identifies the need to recruit an MLRO in January and wants the new hire in post by April should have begun the search no later than October. Firms that approach the search as they would an executive hire — beginning when the departure is confirmed, expecting to have someone in the role within three months — consistently find themselves with a gap in MLRO coverage that creates regulatory risk.</p>
<p>During the approval period, the outgoing MLRO should continue to hold the function where possible. Where the outgoing MLRO has already left, the firm needs to make interim arrangements — either a temporary MLRO appointment approved by the FCA or, in some cases, an internal appointment of a suitable individual on an interim basis while the permanent candidate&#8217;s approval is processed.</p>
<h2>What to look for — the four essential qualities</h2>
<h3>Technical AML/CTF knowledge</h3>
<p>The MLRO must have a substantive understanding of the UK&#8217;s AML/CTF framework — the Money Laundering Regulations 2017, the Terrorism Act 2000, the Proceeds of Crime Act 2002, and the relevant JMLSG guidance for the firm&#8217;s sector. This is not a role where general compliance knowledge is a substitute for specific AML expertise. The MLRO will be making personal decisions about whether to submit Suspicious Activity Reports to the National Crime Agency, setting policy on customer due diligence and enhanced due diligence, and maintaining the firm&#8217;s AML risk assessment. Each of these requires genuine technical knowledge, not familiarity with the general compliance framework.</p>
<p>In 2026, the technical knowledge requirement has expanded. The FCA&#8217;s increasing focus on sanctions compliance — particularly following the Russia sanctions regime from 2022 onwards — means MLROs at most regulated firms now carry meaningful responsibility for the firm&#8217;s sanctions screening programme alongside the traditional AML and CTF functions. Knowledge of OFSI and the financial sanctions regimes is increasingly a core expectation rather than a bonus.</p>
<h3>Judgment and the willingness to file</h3>
<p>The most technically capable MLRO is inadequate if they lack the judgment to make sound decisions under uncertainty and the willingness to file SARs even when doing so is commercially inconvenient. The purpose of the MLRO function is to identify and report suspicion, not to confirm it to a forensic standard before acting. The test for filing under POCA 2002 is suspicion — a lower threshold than most commercial contexts would apply to a major decision.</p>
<p>An MLRO who allows commercial pressure to delay or prevent filing — who treats SAR submission as a last resort rather than a professional obligation — is an MLRO who creates regulatory and legal risk for the firm. Identifying candidates with the right filing culture requires probing during the interview process: how do they approach uncertainty, what is their experience of internal pushback on AML decisions, how have they handled situations where the commercial team has disagreed with their assessment?</p>
<h3>Board standing and communicative authority</h3>
<p>The MLRO must present the annual MLRO report to the board and must be able to communicate AML risk in terms that non-specialist directors understand and take seriously. This requires a different set of skills to the analytical and investigative aspects of the role. An MLRO who is technically excellent but unable to engage a board in a substantive conversation about the firm&#8217;s financial crime risk profile cannot fulfil the governance function that the role requires.</p>
<p>This consideration is particularly important for smaller regulated firms where the MLRO may not have the organisational support of a wider financial crime team. The MLRO at a 50-person firm is doing everything — writing policy, training staff, managing the CDD process, reviewing alerts, making filing decisions, and presenting to the board — and needs to be effective across all of those dimensions.</p>
<h3>Genuine independence from the commercial function</h3>
<p>JMLSG guidance and FCA expectations are clear that the MLRO should have genuine independence from the business development and relationship management functions of the firm. This independence needs to be structural — the MLRO should not report to a business line head whose commercial performance depends on the clients the MLRO might restrict or exit — and cultural. A firm that treats its MLRO as a risk to be managed rather than an oversight function to be supported will not retain good MLROs for long, and will eventually face the regulatory consequences of a culture in which financial crime controls are treated as an obstacle to business.</p>
<h2>Sector-specific considerations in 2026</h2>
<p>The MLRO role varies materially by sector. At a payment institution or e-money institution, the typologies that matter most are payment fraud, authorised push payment fraud, and the layering of criminal proceeds through payment rails. The MLRO at a wealth manager or private bank is dealing primarily with source of wealth verification, PEP management, and the risk of managing assets derived from corruption or tax evasion. The MLRO at a consumer credit firm faces a different profile again — smaller individual transaction values but high volumes, with fraud typologies prevalent.</p>
<p>Sector-specific experience is therefore not merely preferable — in most cases it materially affects the quality of the MLRO&#8217;s judgment and the adequacy of the firm&#8217;s AML framework. An MLRO recruited from retail banking into a wealth management firm may have strong technical foundations but will need time to develop the sector-specific knowledge that effective oversight of the wealth management financial crime risk requires. The better the sector fit at the point of hire, the lower the time-to-effectiveness and the lower the transitional risk to the firm.</p>
<h2>Where MLRO recruitment most commonly goes wrong</h2>
<p>The most common failure in MLRO recruitment is beginning the process too late. The approval timeline makes this appointment uniquely unforgiving of a slow start. A firm that loses its MLRO unexpectedly — through resignation, dismissal, or personal circumstances — and begins searching the following week is already behind.</p>
<p>The second most common failure is treating the role as primarily a compliance appointment rather than a personal accountability appointment. Candidates who have operated within compliance teams but have never held personal SMF accountability are making a material step change when they take the MLRO role. The responsibility is qualitatively different. Not all strong compliance professionals are ready for that transition, and the interview process should explicitly test for it.</p>
<p>The third failure is under-weighting cultural fit with the board and senior leadership. An MLRO whose relationship with the CEO or CFO breaks down — whose escalations are ignored, whose judgments are routinely challenged commercially, who feels unable to file SARs without internal conflict — will either compromise their standards or leave. Either outcome represents a failure of governance with regulatory consequences.</p>
<p>FD Capital places MLROs and Deputy MLROs exclusively in FCA-regulated firms. We understand the SMF17 approval process, the sector-specific knowledge requirements, and the cultural conditions that make MLRO appointments successful. If you are recruiting for this role or planning succession, we would welcome a conversation.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Building a whistleblowing culture: lessons from FCA enforcement cases</title>
		<link>https://www.fdcapital.co.uk/building-a-whistleblowing-culture-lessons-from-fca-enforcement-cases/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Wed, 13 May 2026 18:24:31 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[FCA]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33904</guid>

					<description><![CDATA[The FCA&#8217;s interest in whistleblowing culture extends well beyond the formal requirements of SYSC 18. Enforcement cases, thematic reviews, and the FCA&#8217;s continuing focus on non-financial misconduct have repeatedly revealed that the quality of an organisation&#8217;s whistleblowing culture is one of the most reliable early indicators of broader governance and culture failings. Firms that suppress, discourage or inadequately respond to internal disclosures are firms where other regulatory risks — financial crime, market abuse, mis-selling — are more likely to go unidentified and unaddressed for longer. This article examines what FCA enforcement cases and supervisory communications reveal about how whistleblowing culture fails in regulated firms, why the accountability consequences under SMCR are becoming more acute, and what senior leadership genuinely committed to building a whistleblowing culture needs to do differently. What enforcement cases actually reveal The Barclays case: the board&#8217;s response to whistleblowing matters as much as the disclosure itself The Barclays whistleblowing case remains the most instructive UK enforcement example. When an anonymous letter raising concerns about a senior hire was received by the board in 2016, the then-CEO Jes Staley made repeated attempts to identify the author, engaging the bank&#8217;s security function in that effort. The FCA and PRA jointly fined Staley £642,430 and found that he had failed to act with due skill, care and diligence. The significance of the case extends beyond the individual sanction. The FCA&#8217;s findings made clear that the regulatory standard for how senior managers respond to whistleblowing concerns is not merely that they refrain from active retaliation — it is that they actively protect the process. 
A CEO who instructs a security function to identify a whistleblower, even if their motivation is to understand the concern rather than to punish the person raising it, has undermined the entire premise on which internal disclosures operate. The case also illustrated the board&#8217;s responsibility. The board was aware of Staley&#8217;s attempts to identify the whistleblower. Its response to that situation — and specifically whether board members with relevant oversight responsibilities fulfilled them — was part of the regulatory assessment. This is what SMCR personal accountability looks like in the context of whistleblowing: not just accountability for the person who caused the harm but scrutiny of those who were aware of it and did not act. Financial crime cases: whistleblowing failure as a systemic indicator A significant proportion of the major financial crime cases that have resulted in FCA enforcement action — and particularly those involving money laundering, sanctions breaches, and market abuse — have shared a common feature: internal concerns were raised by staff before the regulatory investigation identified the problem, and those concerns were not adequately acted on. This pattern is not coincidental. Staff who are close to the business — traders, operations teams, relationship managers — often identify suspicious patterns before the compliance function does. Where the firm&#8217;s culture does not support raising those concerns, or where concerns raised are managed rather than investigated, the regulatory exposure accumulates. The FCA&#8217;s assessment of firms in enforcement processes routinely considers whether internal disclosures were made and how they were handled, because the answer informs the question of whether the firm was genuinely trying to manage compliance risks or was operating with wilful blindness. 
Non-financial misconduct: the emerging enforcement priority The FCA&#8217;s focus on non-financial misconduct — harassment, discrimination, bullying — as a regulatory matter has sharpened significantly. The FCA has been clear that it views non-financial misconduct as directly relevant to an individual&#8217;s fitness and propriety under SMCR and to a firm&#8217;s overall governance and culture standards. Whistleblowing is the primary mechanism through which non-financial misconduct is brought to the attention of senior leadership. Firms where the whistleblowing culture does not support reporting non-financial misconduct — because the culture is one where such behaviour is normalised, where senior individuals are protected, or where those who raise concerns find their career progression affected — are firms where the FCA increasingly expects to find other governance failings. The Dear CEO letter on diversity, equity and inclusion published in 2023, and the subsequent focus on non-financial misconduct in enforcement, have made this connection explicit. The common patterns of whistleblowing culture failure Tone from the top that contradicts the policy Many regulated firms have whistleblowing policies that are formally adequate but culturally inert. The policy describes channels, guarantees confidentiality, and prohibits retaliation. Senior leaders speak about the importance of speaking up. And yet staff do not raise concerns internally, or raise them and find the experience discouraging enough that they do not do so again. The gap between policy and culture is almost always explained by what senior leaders actually do rather than what they say. 
A CEO who responds defensively to concerns about their own behaviour, a business line head whose team knows that raising concerns will affect their relationship with that leader, or an HR function that is seen as protecting the firm from employment claims rather than protecting staff from misconduct — each of these creates a cultural reality that no policy document can overcome. Investigation processes that are not genuinely independent The independence of the whistleblowing investigation process is fundamental to whether the process works. Where disclosures are investigated by people who report to, or have significant professional relationships with, the individual about whom the disclosure has been made, the investigation is structurally compromised before it begins. This is not always a deliberate choice — it is often the result of investigation processes designed for efficiency rather than independence. Firms need to think carefully about who investigates what. A concern about a senior business line head should not be investigated by someone who requires that individual&#8217;s approval for their own career progression. A concern about conduct in a regional office should not be investigated by the regional manager. These arrangements are common and they reliably produce investigation outcomes that do not reflect what actually happened. Confidentiality failures — accidental and otherwise Confidentiality is the threshold requirement for an effective whistleblowing process. If the person making [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>The FCA&#8217;s interest in whistleblowing culture extends well beyond the formal requirements of SYSC 18. Enforcement cases, thematic reviews, and the FCA&#8217;s continuing focus on non-financial misconduct have repeatedly revealed that the quality of an organisation&#8217;s whistleblowing culture is one of the most reliable early indicators of broader governance and culture failings. Firms that suppress, discourage or inadequately respond to internal disclosures are firms where other regulatory risks — financial crime, market abuse, mis-selling — are more likely to go unidentified and unaddressed for longer.</p>
<p>This article examines what FCA enforcement cases and supervisory communications reveal about how whistleblowing culture fails in regulated firms, why the accountability consequences under SMCR are becoming more acute, and what senior leadership genuinely committed to building a whistleblowing culture needs to do differently.</p>
<h2>What enforcement cases actually reveal</h2>
<h3>The Barclays case: the board&#8217;s response to whistleblowing matters as much as the disclosure itself</h3>
<p>The Barclays whistleblowing case remains the most instructive UK enforcement example. When an anonymous letter raising concerns about a senior hire was received by the board in 2016, the then-CEO Jes Staley made repeated attempts to identify the author, engaging the bank&#8217;s security function in that effort. The FCA and PRA jointly fined Staley £642,430 and found that he had failed to act with due skill, care and diligence.</p>
<p>The significance of the case extends beyond the individual sanction. The FCA&#8217;s findings made clear that the regulatory standard for how senior managers respond to whistleblowing concerns is not merely that they refrain from active retaliation — it is that they actively protect the process. A CEO who instructs a security function to identify a whistleblower, even if their motivation is to understand the concern rather than to punish the person raising it, has undermined the entire premise on which internal disclosures operate.</p>
<p>The case also illustrated the board&#8217;s responsibility. The board was aware of Staley&#8217;s attempts to identify the whistleblower. Its response to that situation — and specifically whether board members with relevant oversight responsibilities fulfilled them — was part of the regulatory assessment. This is what SMCR personal accountability looks like in the context of whistleblowing: not just accountability for the person who caused the harm but scrutiny of those who were aware of it and did not act.</p>
<h3>Financial crime cases: whistleblowing failure as a systemic indicator</h3>
<p>A significant proportion of the major financial crime cases that have resulted in FCA enforcement action — and particularly those involving money laundering, sanctions breaches, and market abuse — have shared a common feature: internal concerns were raised by staff before the regulatory investigation identified the problem, and those concerns were not adequately acted on. This pattern is not coincidental.</p>
<p>Staff who are close to the business — traders, operations teams, relationship managers — often identify suspicious patterns before the compliance function does. Where the firm&#8217;s culture does not support raising those concerns, or where concerns raised are managed rather than investigated, the regulatory exposure accumulates. The FCA&#8217;s assessment of firms in enforcement processes routinely considers whether internal disclosures were made and how they were handled, because the answer informs the question of whether the firm was genuinely trying to manage compliance risks or was operating with wilful blindness.</p>
<h3>Non-financial misconduct: the emerging enforcement priority</h3>
<p>The FCA&#8217;s focus on non-financial misconduct — harassment, discrimination, bullying — as a regulatory matter has sharpened significantly. The FCA has been clear that it views non-financial misconduct as directly relevant to an individual&#8217;s fitness and propriety under SMCR and to a firm&#8217;s overall governance and culture standards. Whistleblowing is the primary mechanism through which non-financial misconduct is brought to the attention of senior leadership.</p>
<p>Firms where the whistleblowing culture does not support reporting non-financial misconduct — because the culture is one where such behaviour is normalised, where senior individuals are protected, or where those who raise concerns find their career progression affected — are firms where the FCA increasingly expects to find other governance failings. The Dear CEO letter on diversity, equity and inclusion published in 2023, and the subsequent focus on non-financial misconduct in enforcement, have made this connection explicit.</p>
<h2>The common patterns of whistleblowing culture failure</h2>
<h3>Tone from the top that contradicts the policy</h3>
<p>Many regulated firms have whistleblowing policies that are formally adequate but culturally inert. The policy describes channels, guarantees confidentiality, and prohibits retaliation. Senior leaders speak about the importance of speaking up. And yet staff do not raise concerns internally, or raise them and find the experience discouraging enough that they do not do so again.</p>
<p>The gap between policy and culture is almost always explained by what senior leaders actually do rather than what they say. A CEO who responds defensively to concerns about their own behaviour, a business line head whose team knows that raising concerns will affect their relationship with that leader, or an HR function that is seen as protecting the firm from employment claims rather than protecting staff from misconduct — each of these creates a cultural reality that no policy document can overcome.</p>
<h3>Investigation processes that are not genuinely independent</h3>
<p>The independence of the whistleblowing investigation process is fundamental to whether the process works. Where disclosures are investigated by people who report to, or have significant professional relationships with, the individual about whom the disclosure has been made, the investigation is structurally compromised before it begins. This is not always a deliberate choice — it is often the result of investigation processes designed for efficiency rather than independence.</p>
<p>Firms need to think carefully about who investigates what. A concern about a senior business line head should not be investigated by someone who requires that individual&#8217;s approval for their own career progression. A concern about conduct in a regional office should not be investigated by the regional manager. These arrangements are common and they reliably produce investigation outcomes that do not reflect what actually happened.</p>
<h3>Confidentiality failures — accidental and otherwise</h3>
<p>Confidentiality is the threshold requirement for an effective whistleblowing process. If the person making a disclosure believes — correctly or not — that their identity will become known to those they have disclosed about, they will not make the disclosure. Firms underestimate how permeable their internal processes are. A disclosure received by a small compliance team in a business where relationships are close, where the nature of the concern makes the identity of the discloser obvious, or where the investigation process itself reveals the identity of the complainant, is not confidential in any meaningful sense.</p>
<p>The FCA&#8217;s requirements extend beyond confidentiality — firms must take reasonable steps to ensure that employees who make disclosures are not victimised as a result. Victimisation does not require direct retaliation. Exclusion from projects, being passed over for promotion, being subjected to additional performance management scrutiny — these are forms of victimisation that are harder to identify and address than dismissal but are equally damaging to whistleblowing culture.</p>
<h3>No feedback loop for those who disclose</h3>
<p>One of the most consistent findings in research on effective whistleblowing cultures is that individuals who raise concerns and receive no feedback about the outcome — who never know whether their concern was investigated, whether it was found to have merit, or what was done about it — are significantly less likely to raise concerns in future and significantly more likely to report externally to the FCA or other authorities. Firms that treat the disclosure as the end of their obligation to the discloser rather than the beginning of a process that should include appropriate communication back have not understood why their arrangements are failing.</p>
<h2>What genuine cultural change requires from senior leadership</h2>
<p>The FCA has been explicit that senior leaders cannot delegate culture. The tone, the practical reality of what happens when staff raise concerns, and the signal sent by how the firm responds to specific cases are functions of what senior leaders do rather than what they say. Genuine change in whistleblowing culture requires senior leaders who are willing to be held personally accountable for how the firm responds to disclosures — including disclosures about their own behaviour or the behaviour of their peers.</p>
<p>This creates a specific challenge for SMCR firms. The SMF function holders who are personally accountable for governance and culture — the CEO (SMF1), the Head of Internal Audit (SMF5 equivalent in many firms), the Chief Compliance Officer (SMF16 in its compliance oversight incarnation) — need to be people whose response to a disclosure about a senior colleague is to ensure it is properly investigated rather than to protect the relationship. This is a character and values question as much as a competency question, and it is one that boards need to take seriously when making SMF appointments.</p>
<p>The Whistleblowing Champion NED exists specifically to provide board-level oversight that is independent of management. Where that individual is genuinely performing the function — reviewing patterns, forming independent views, holding management to account for the adequacy of the firm&#8217;s arrangements — they provide a structural counterweight to the cultural pressures that otherwise tend to suppress internal disclosure. Where the appointment is nominal, that counterweight does not exist.</p>
<h2>Practical steps that signal genuine commitment</h2>
<p>Firms that are genuinely committed to building a whistleblowing culture share certain practical characteristics. They use multiple disclosure channels — not just a single internal reporting line — including channels that allow disclosures to be received without passing through line management. They conduct regular culture surveys that specifically ask about willingness to raise concerns and perception of what happens when concerns are raised, and they track responses over time. They review the pattern of disclosures against the size of the firm and the complexity of its business, asking whether the volume is plausible — very low disclosure rates in a large, complex firm are often a sign of suppression rather than good behaviour. They train managers specifically on how to respond when a concern is raised — not just on what to do procedurally but on the behaviours that either support or undermine the culture of speaking up. And they review outcomes of disclosures regularly at board level, with the Whistleblowing Champion leading that review.</p>
<p>FD Capital places senior compliance professionals, risk leaders, and Non-Executive Directors in FCA-regulated firms. Where the requirement is an MLRO, CCO, or Whistleblowing Champion NED who has the combination of regulatory expertise and personal qualities that genuine whistleblowing oversight requires, we work exclusively in the regulated financial services space and understand the practical reality of these leadership roles in an SMCR context.</p>
<div style="background:#f8f9fa;border-left:4px solid #1F3864;padding:24px 28px;margin:40px 0;">
<p style="margin:0 0 8px;font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:#666;">Written by</p>
<p style="margin:0 0 4px;font-size:17px;font-weight:700;color:#1F3864;">Adrian Lawrence FCA</p>
<p style="margin:0 0 12px;font-size:14px;color:#444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />ICAEW Fellow | Holds an ICAEW practising certificate in his own name<br />Company No. 13329383</p>
<p style="margin:0;font-size:13px;color:#555;">Adrian Lawrence is a Fellow of the Institute of Chartered Accountants in England and Wales and the founder of FD Capital, the UK&#8217;s leading specialist recruiter for part-time, fractional and interim Finance Directors and CFOs. FD Capital is an <a href="https://find.icaew.com/firms/137918" style="color:#1F3864;" target="_blank" rel="noopener">ICAEW-Registered Practice</a>.</p>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Whistleblowing Champion (NED): who should fill the role and what they actually do</title>
		<link>https://www.fdcapital.co.uk/twhistleblowing-champion-ned-smcr-role/</link>
		
		<dc:creator><![CDATA[Adrian Lawrence]]></dc:creator>
		<pubDate>Wed, 13 May 2026 18:23:23 +0000</pubDate>
				<category><![CDATA[FCA Regulated]]></category>
		<category><![CDATA[FCA]]></category>
		<guid isPermaLink="false">https://www.fdcapital.co.uk/?p=33901</guid>

					<description><![CDATA[The Whistleblowing Champion is one of the most misunderstood appointments in the SMCR framework. Firms that are required to have one frequently confuse it with the executive whistleblowing function, underestimate what the role demands of the individual who holds it, and make appointments based on board availability rather than genuine suitability. The consequences of getting this wrong range from regulatory deficiency to — in extreme cases — the kind of board-level failure that characterised some of the highest-profile enforcement cases in recent years. This article sets out who needs to appoint a Whistleblowing Champion, what the role formally requires, what it demands in practice, and what distinguishes an effective appointment from a nominal one. Which firms must appoint a Whistleblowing Champion The requirement to appoint a Whistleblowing Champion applies to UK banks, building societies, credit unions, PRA-designated investment firms, UK branches of overseas banks, and insurers within the scope of Solvency II. For FCA-only regulated firms, the requirement does not apply universally — the FCA&#8217;s whistleblowing rules in SYSC 18 apply to firms within the FCA&#8217;s enhanced scope for SMCR purposes. For enhanced scope SMCR firms — which includes most banks, major investment firms, and large insurers — the appointment of a Whistleblowing Champion as a specific board-level NED role is mandatory. For core scope SMCR firms, the requirements are less prescriptive but firms are still expected to have adequate internal whistleblowing arrangements including clear accountability for overseeing them. The specific requirement is set out in SYSC 18.4, which requires in-scope firms to appoint a Senior Manager to champion the interests of whistleblowers. For dual-regulated firms, this means appointing an SMF function holder — specifically a Non-Executive Director — to hold this responsibility at board level. 
What the role formally requires The Whistleblowing Champion&#8217;s formal responsibilities under SYSC 18.4 include: overseeing the integrity, independence and effectiveness of the firm&#8217;s internal whistleblowing arrangements and policies; ensuring that those who make disclosures are not victimised as a result; and reporting annually to the board on the operation of the firm&#8217;s whistleblowing arrangements. These formal requirements are deceptively brief. The practical content of the role is substantially more demanding than a reading of SYSC 18.4 alone might suggest. The FCA&#8217;s expectation — reinforced by its enforcement approach and its Dear CEO letters on culture — is that the Whistleblowing Champion is a genuine oversight function, not a reporting mechanism. What the role actually demands in practice Understanding the whistleblowing framework in detail An effective Whistleblowing Champion must understand the firm&#8217;s whistleblowing policy in substantive terms — not merely know that one exists. This means understanding the channels available to staff, the process by which disclosures are received and investigated, who investigates disclosures and under what independence arrangements, how the firm protects the confidentiality of those who make disclosures, and how the firm identifies and responds to potential victimisation. A Whistleblowing Champion who cannot describe how a disclosure made by a junior member of staff in a regional office would be handled — who would receive it, who would investigate it, whether the investigator reports to the individual against whom the disclosure is made, and how the outcome would be communicated — has not yet understood the role. Genuine independence from management The Whistleblowing Champion must be genuinely independent of executive management in a way that allows them to receive concerns about management behaviour without those concerns being suppressed or managed by the people they concern. 
This is the structural purpose of requiring the role to be held by a Non-Executive Director rather than an executive. A NED who is not genuinely independent — because of professional relationships, financial interests, or social proximity to executive leadership — cannot provide the oversight that the role requires. The Barclays case, in which the then-CEO Jes Staley attempted to identify a whistleblower who had raised concerns directly with the board, illustrated with exceptional clarity why this independence matters. The FCA and PRA imposed a joint fine of £642,430 on Staley for breaching the requirement to act with due skill, care and diligence. The case also highlighted the board&#8217;s role in responding to that behaviour — and the specific responsibility of the Whistleblowing Champion to ensure that internal processes protect, rather than expose, those who raise concerns. Oversight of patterns — not just individual cases The Whistleblowing Champion should not be receiving individual disclosures directly as a first port of call — that is an executive function. What the Champion should be receiving is aggregated, anonymised information about the pattern of disclosures made to the firm: the volume, the categories of concern raised, the outcomes of investigations, and any patterns that suggest systemic issues rather than individual incidents. This requires the firm to have MI systems that provide the Champion with genuinely useful information, and it requires the Champion to have the analytical capability and independence to draw conclusions from that information and escalate them to the full board. A Whistleblowing Champion who receives an annual summary prepared by the compliance function, reads it at a board meeting, and notes no concerns is not exercising oversight — they are receiving a report. 
The annual board report SYSC 18.4 requires the Whistleblowing Champion to report to the board at least annually on the operation of the firm&#8217;s whistleblowing arrangements. This report should cover: the number and nature of disclosures received; how they were investigated and by whom; the outcomes; cases where victimisation was identified or alleged and how they were handled; the Champion&#8217;s assessment of whether the firm&#8217;s culture is one in which staff genuinely feel able to raise concerns; and any recommendations for improvement. A board report that consists primarily of quantitative data without qualitative assessment of whether the whistleblowing function is working does not meet the standard. The Champion is being asked to form a view about culture, not merely to transmit statistics. What makes a good appointment The Whistleblowing Champion role requires a NED with a specific combination of characteristics that is rarer than it [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>The Whistleblowing Champion is one of the most misunderstood appointments in the SMCR framework. Firms that are required to have one frequently confuse it with the executive whistleblowing function, underestimate what the role demands of the individual who holds it, and make appointments based on board availability rather than genuine suitability. The consequences of getting this wrong range from regulatory deficiency to — in extreme cases — the kind of board-level failure that characterised some of the highest-profile enforcement cases in recent years.</p>
<p>This article sets out who needs to appoint a Whistleblowing Champion, what the role formally requires, what it demands in practice, and what distinguishes an effective appointment from a nominal one.</p>
<h2>Which firms must appoint a Whistleblowing Champion</h2>
<p>The requirement to appoint a Whistleblowing Champion applies to UK banks, building societies, credit unions, PRA-designated investment firms, UK branches of overseas banks, and insurers within the scope of Solvency II. For FCA-only regulated firms, the requirement does not apply universally — the FCA&#8217;s whistleblowing rules in SYSC 18 apply to firms within the FCA&#8217;s enhanced scope for SMCR purposes.</p>
<p>For enhanced scope SMCR firms — which include most banks, major investment firms, and large insurers — the appointment of a Whistleblowing Champion as a specific board-level NED role is mandatory. For core scope SMCR firms, the requirements are less prescriptive, but firms are still expected to have adequate internal whistleblowing arrangements, including clear accountability for overseeing them.</p>
<p>The specific requirement is set out in SYSC 18.4, which requires in-scope firms to appoint a Senior Manager to champion the interests of whistleblowers. For dual-regulated firms, this means appointing an SMF function holder — specifically a Non-Executive Director — to hold this responsibility at board level.</p>
<h2>What the role formally requires</h2>
<p>The Whistleblowing Champion&#8217;s formal responsibilities under SYSC 18.4 include: overseeing the integrity, independence and effectiveness of the firm&#8217;s internal whistleblowing arrangements and policies; ensuring that those who make disclosures are not victimised as a result; and reporting annually to the board on the operation of the firm&#8217;s whistleblowing arrangements.</p>
<p>These formal requirements are deceptively brief. The practical content of the role is substantially more demanding than a reading of SYSC 18.4 alone might suggest. The FCA&#8217;s expectation — reinforced by its enforcement approach and its Dear CEO letters on culture — is that the Whistleblowing Champion is a genuine oversight function, not a reporting mechanism.</p>
<h2>What the role actually demands in practice</h2>
<h3>Understanding the whistleblowing framework in detail</h3>
<p>An effective Whistleblowing Champion must understand the firm&#8217;s whistleblowing policy in substantive terms — not merely know that one exists. This means understanding the channels available to staff, the process by which disclosures are received and investigated, who investigates disclosures and under what independence arrangements, how the firm protects the confidentiality of those who make disclosures, and how the firm identifies and responds to potential victimisation.</p>
<p>A Whistleblowing Champion who cannot describe how a disclosure made by a junior member of staff in a regional office would be handled — who would receive it, who would investigate it, whether the investigator reports to the individual against whom the disclosure is made, and how the outcome would be communicated — has not yet understood the role.</p>
<h3>Genuine independence from management</h3>
<p>The Whistleblowing Champion must be genuinely independent of executive management in a way that allows them to receive concerns about management behaviour without those concerns being suppressed or managed by the people they concern. This is the structural purpose of requiring the role to be held by a Non-Executive Director rather than an executive. A NED who is not genuinely independent — because of professional relationships, financial interests, or social proximity to executive leadership — cannot provide the oversight that the role requires.</p>
<p>The Barclays case, in which the then-CEO Jes Staley attempted to identify a whistleblower who had raised concerns directly with the board, illustrated with exceptional clarity why this independence matters. The FCA and PRA imposed a joint fine of £642,430 on Staley for breaching the requirement to act with due skill, care and diligence. The case also highlighted the board&#8217;s role in responding to that behaviour — and the specific responsibility of the Whistleblowing Champion to ensure that internal processes protect, rather than expose, those who raise concerns.</p>
<h3>Oversight of patterns — not just individual cases</h3>
<p>The Whistleblowing Champion should not be receiving individual disclosures directly as a first port of call — that is an executive function. What the Champion should be receiving is aggregated, anonymised information about the pattern of disclosures made to the firm: the volume, the categories of concern raised, the outcomes of investigations, and any patterns that suggest systemic issues rather than individual incidents.</p>
<p>This requires the firm to have MI systems that provide the Champion with genuinely useful information, and it requires the Champion to have the analytical capability and independence to draw conclusions from that information and escalate them to the full board. A Whistleblowing Champion who receives an annual summary prepared by the compliance function, reads it at a board meeting, and notes no concerns is not exercising oversight — they are receiving a report.</p>
<h3>The annual board report</h3>
<p>SYSC 18.4 requires the Whistleblowing Champion to report to the board at least annually on the operation of the firm&#8217;s whistleblowing arrangements. This report should cover: the number and nature of disclosures received; how they were investigated and by whom; the outcomes; cases where victimisation was identified or alleged and how they were handled; the Champion&#8217;s assessment of whether the firm&#8217;s culture is one in which staff genuinely feel able to raise concerns; and any recommendations for improvement.</p>
<p>A board report that consists primarily of quantitative data without qualitative assessment of whether the whistleblowing function is working does not meet the standard. The Champion is being asked to form a view about culture, not merely to transmit statistics.</p>
<h2>What makes a good appointment</h2>
<p>The Whistleblowing Champion role requires a NED with a specific combination of characteristics that is rarer than it might appear.</p>
<p>First, genuine independence. This is not merely the formal independence test for NED status — it is independence from the management of the firm in a way that would allow the Champion to pursue a concern about a senior executive without the relationship making this effectively impossible.</p>
<p>Second, the confidence to act on concerns. The value of the Whistleblowing Champion is not tested in normal conditions — it is tested when a disclosure has been made about someone with significant power within the firm, when management&#8217;s instinct is to manage the situation rather than investigate it transparently, and when the Champion must decide whether the board needs to know something that management would prefer it did not. This requires a NED with the seniority, credibility and personal confidence to hold that line.</p>
<p>Third, relevant regulatory understanding. A Whistleblowing Champion who does not understand the Protected Disclosures Act, the FCA&#8217;s whistleblowing rules, and the SMCR accountability framework cannot effectively oversee whether the firm&#8217;s arrangements are adequate. This does not mean the Champion needs to be a lawyer or a compliance specialist, but they need sufficient familiarity with the regulatory context to ask the right questions.</p>
<p>Fourth, the time to do the role properly. A NED who is serving on multiple boards and has taken on the Whistleblowing Champion function principally because they had capacity in their schedule is not the right appointment. This is a role that requires active engagement between board meetings — reviewing MI, engaging with the compliance function, and occasionally engaging directly with a specific concern.</p>
<h2>Common appointment failures</h2>
<p>Firms most commonly fail in the Whistleblowing Champion appointment in three ways. First, they appoint whoever is available on the board rather than whoever is best suited to the role. Second, they treat the role as a formal compliance requirement rather than a substantive governance function, with the consequence that the Champion never meaningfully engages with the whistleblowing framework between annual board reports. Third, they appoint a NED who is too close to the executive team to provide genuine independence — often a former executive of the firm, a long-standing professional associate of the CEO, or someone whose other board positions create conflicts of interest.</p>
<p>The FCA&#8217;s culture agenda makes this more than a box-ticking concern. A firm whose Whistleblowing Champion is nominal is a firm that does not in practice have adequate oversight of its internal disclosures process — and where a significant disclosure is made and mishandled, the inadequacy of the oversight function will be a significant factor in the regulatory response.</p>
<p>FD Capital places Non-Executive Directors in FCA-regulated firms, including those with specific SMCR function requirements. Where the requirement is a Whistleblowing Champion NED with the genuine independence, seniority and regulatory understanding that the role demands, we work exclusively in the regulated financial services space and understand both the formal requirements and the practical qualities that distinguish an effective appointment.</p>
<div style="background:#f8f9fa;border-left:4px solid #1F3864;padding:24px 28px;margin:40px 0;">
<p style="margin:0 0 8px;font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:#666;">Written by</p>
<p style="margin:0 0 4px;font-size:17px;font-weight:700;color:#1F3864;">Adrian Lawrence FCA</p>
<p style="margin:0 0 12px;font-size:14px;color:#444;">Founder &amp; Managing Director, FD Capital Recruitment Ltd<br />ICAEW Fellow | Holds an ICAEW practising certificate in his own name<br />Company No. 13329383</p>
<p style="margin:0;font-size:13px;color:#555;">Adrian Lawrence is a Fellow of the Institute of Chartered Accountants in England and Wales and the founder of FD Capital, the UK&#8217;s leading specialist recruiter for part-time, fractional and interim Finance Directors and CFOs. FD Capital is an <a href="https://find.icaew.com/firms/137918" style="color:#1F3864;" target="_blank" rel="noopener">ICAEW-Registered Practice</a>.</p>
</div>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
