We know that writing an annual MLRO report can be daunting. Aside from the fact that it is a regulatory requirement, it can be a powerful tool for securing board support, resources and budget. Getting it right is important!
Our MLRO report framework provides guidelines to assess the effectiveness and compliance of your AML/ CTF control framework. The recommended areas incorporate the Financial Conduct Authority Senior Management Arrangements, Systems and Controls Sourcebook and JMLSG guidance.
We outline key areas for inclusion and guidance on what your report should contain. As there is no ‘one-size-fits-all’ approach, the MLRO report should be unique to your business and risks. This framework will help to give you focus on the critical elements to include and the purpose of each section.
Best Practices for Writing an Annual MLRO Report
Let us set out our stall - we’re here to make the case that writing a good annual MLRO report is one of the most useful things a money laundering reporting officer (MLRO) will do during the course of the year.
Yes, sometimes they can feel like an obligation - a box-ticking exercise to meet a regulatory requirement.
Yes, they can involve a lot of effort and take a lot of time.
Yes, sometimes they are merely skimmed through and not given the attention they deserve by readers.
But if done properly and conducted in the right spirit, MLRO reports are a unique opportunity to get valuable board attention, make other people aware of the things keeping you up at night, secure budget and resources, and ensure company-wide support for the compliance function. So getting it right is important, and we’re here to help you do that!
-
Let’s start with the basics. Regulated financial institutions in the UK are required to have a designated MLRO who is responsible for the firm’s anti-financial crime programme. One of the MLRO’s obligations is to produce an annual report to be presented to senior management and the board to keep them abreast of financial crime-related issues. Regulators and partner banks may also ask to see the report.
As well as meeting a regulatory requirement, a good MLRO report enables the compliance department to attract senior management attention and set out clearly what is needed to enable them to achieve their mandate over the next 12 months. It is a chance to make a compelling argument for additional resources, technological tools, budget, support from other departments etc. As well as winning over internal stakeholders, the report can also be a great resource for the MLRO themself to work from over the next year - allowing them to document key AML performance and risk indicators, identify their main priorities, plan their future activities, and track their progress.
-
To answer this question, let’s reflect on what an MLRO report is designed to do. Broadly speaking, it is intended to review the firm’s anti-money laundering and counter-terrorist financing (AML/CTF) controls; identify any new or emerging risks; acknowledge any failures and weaknesses; and recommend actions to address any residual weaknesses, gaps or shortcomings, and highlight the resources needed.
The Joint Money Laundering Steering Group (JMLSG) offers some great advice on what makes a good MLRO report. It says that reports should focus on outcomes rather than statistics - it is important that the MLRO themself has access to a full set of management information (MI) but weighing down the report with too much granular detail may mean key messages are lost. You only get so much senior management time and attention to talk about compliance, so focus on the results you need from the exercise.
As with most components of a compliance regime, a one-size-fits-all approach is not appropriate. Make sure your MLRO report is designed to serve your firm and reflects your risk profile and operations; the amount of time you spend focusing on each area should reflect the degree of risk you face. Your readership will be different too - is your senior management fairly knowledgeable about financial crime matters or should you include more explanatory information to make sure your analysis and requests make sense? Is there any organisational context that should be reflected - e.g. does the report address recent or upcoming changes to the business model which will affect the risk profile, or any organisational changes that affect the compliance department
Remember that the MLRO report is not the only communication between compliance and senior management. Rather, it is a round-up of all the communication throughout the year. It should thus contain no real surprises - any weaknesses, breaches or new risks should already have been raised to the board and senior management.
-
Having said that each report will be different, there are some key themes which every report should address:
Record the duties of the MLRO and their team, and the structure within which they operate. This sets out the framework within which the report is being issued and makes it clear who owns the recommended actions.
Identify any new or emerging risks, or significant changes to the company’s risk profile. The assessment contained in the report must be based on a strong understanding of the risks.
Review the firm’s AML/CTF control framework, highlighting both where it works well and any areas of weakness.
Be critical and transparent about any significant residual risks, areas of weakness, system limitations and any failures or breaches over the review period.
Make practical recommendations for actions to address and mitigate the risks and areas of weakness identified. Articulate what support you need from senior management and/or other departments. Be specific about the time, resources and budget needed to achieve your goals.
-
To make all this advice as implementable as possible, FINTRAIL has created a detailed template to help make the task of drafting your next MLRO report that bit easier. Given the caveat that there is no one-size-fits-all approach, the framework is intended to serve as a guide rather than an exhaustive or prescriptive list. Having said that, by outlining key areas to include and providing guidance on the purpose of each section, this template can give MLROs reassurance and make the report drafting process much more straightforward.
If you would like additional support in drafting your MLRO report, or in related activities like conducting a risk assessment or assessing your control framework, please do get in touch.