What is the role of the MLCO?

Every business regulated under the UK’s Money Laundering Regulations must have robust systems to prevent financial crime. That includes appointing a senior person responsible for making sure those systems are designed, maintained and working effectively: the Money Laundering Compliance Officer (MLCO).
The MLCO oversees your firm’s anti-money laundering (AML) framework, ensuring your policies, controls and procedures (PCPs) meet regulatory standards and that compliance is properly embedded across your business. Here’s what that role involves and how it fits alongside the MLRO.
What the law says
Under Regulation 21 of the Money Laundering Regulations 2017, every regulated business must, where appropriate to its size and nature, appoint two key individuals:
- An officer responsible for compliance with the Regulations, commonly known as the Money Laundering Compliance Officer (MLCO)
- A nominated officer responsible for assessing internal reports of suspicious activity, the Money Laundering Reporting Officer (MLRO)
The MLCO’s duties are laid out in Regulations 19–21, which require firms to establish and maintain effective policies, controls and procedures (PCPs) to mitigate money laundering and terrorist financing risks. Essentially, it’s their role to keep the entire AML framework sound, current and consistently applied. In smaller businesses, the same person may perform both roles.
The purpose of the MLCO
The MLCO acts as the strategic lead for AML compliance, ensuring your firm’s defences are designed to meet legal obligations and withstand regulatory scrutiny. Their responsibilities include:
- developing, implementing and reviewing AML policies, controls and procedures.
- overseeing firm-wide and client risk assessments.
- monitoring compliance and addressing weaknesses.
- ensuring AML training is delivered, logged and understood.
- reporting to other senior management on compliance performance.
The MLCO’s authority should be sufficient to influence policy, allocate resources and take corrective action where compliance gaps are identified.
Keeping your AML framework effective
The MLCO is responsible for ensuring your firm’s AML systems and documentation stay accurate and practical. This includes confirming that written policies, controls and procedures are:
- reviewed at least annually or whenever risks or regulations change.
- tailored to the firm’s size, services and client base.
- directly reflective of the risks identified in the business-wide risk assessment.
- supported by clear audit trails and version control.
The MLCO must also ensure that compliance isn’t treated as a static task. Outdated or generic documentation is one of the most common reasons firms fail AML inspections.
Overseeing risk management
The business-wide risk assessment (BWRA) forms the foundation of your AML framework. The MLCO ensures that:
- the business-wide risk assessment is complete, reviewed, documented and kept up to date.
- client-level and business risk assessments reflect real, not theoretical, risks.
- higher-risk clients receive appropriate enhanced due diligence.
- findings from reviews are incorporated into policies and procedures.
They should also verify that the firm’s controls address the risks identified, not just the minimum required by regulation.
Training and staff awareness
Regulation 24 requires firms to train their staff, but it’s the MLCO’s role to ensure this training is effective and continuous. They should:
- track completion of training across all staff, including contractors.
- provide role-specific modules for high-risk areas.
- ensure updates are issued when regulations or threats change.
- reinforce awareness through reminders and internal communications.
A strong AML training programme is key evidence of a “culture of compliance”, something regulators increasingly look for during reviews.
Working with the MLRO
The MLCO and MLRO roles complement each other. The MLCO oversees the framework, while the MLRO manages suspicious activity reporting. Together they ensure both proactive and reactive elements of AML are covered.
In smaller firms, these roles may be combined, but the individual must still demonstrate that both sets of responsibilities are being met and recorded distinctly.
Staying alert to new risks
The MLCO must ensure the firm stays informed and responsive to evolving threats such as:
- AI-generated IDs and deepfake fraud
- Sanctions evasion linked to geopolitical conflict
- Cryptocurrency-related transactions
- Weaknesses in digital onboarding and verification
They should review the National Risk Assessment (NRA), guidance from supervisory bodies and internal feedback to keep the business’ risk assessment current.
Liaising with regulators and management
The MLCO is accountable to the senior management team and often acts as the point of contact during AML audits or supervisory visits. They should be ready to provide:
- the business’ latest AML policies, controls and procedures
- business-wide and client risk assessments
- training logs and staff acknowledgements
- internal monitoring and testing results
Good record-keeping demonstrates that compliance is not just policy; it’s practice.
Who can be the MLCO?
The Regulations do not require specific qualifications, but the MLCO must have senior authority, competence and independence. In most firms this means a partner, director or senior manager with:
- in-depth knowledge of AML regulations.
- enough time and resources to manage the role effectively.
- the confidence to challenge and influence decisions.
Why the MLCO role matters
The MLCO isn’t simply a compliance figurehead. They set the tone for how seriously your business takes AML, guiding staff behaviour and ensuring the firm stays on the right side of both regulation and reputation.
For regulated professionals, the MLCO’s oversight provides the assurance that your systems are working, your team is protected, and your business can demonstrate compliance when it matters most.








