Outsourcing the MLRO function: when it works and when it doesn’t
The question of whether an FCA-regulated firm can outsource its MLRO function — and if so, how — is one that generates significant confusion. The answer depends on the firm’s regulatory category, its size, and the specific structure of the outsourced arrangement. Some regulated firms can legitimately appoint an external MLRO on a shared or hosted basis. Others cannot. And even where outsourcing is permissible in principle, it carries risks and operational constraints that many firms do not fully consider before proceeding.
This article sets out the regulatory framework for MLRO outsourcing under FCA rules, the conditions under which it works effectively, and the circumstances in which it creates more problems than it solves.
The regulatory framework — what the rules actually permit
The Money Laundering Regulations 2017 require that firms appoint an individual as MLRO. The regulations do not expressly prohibit outsourcing this function to an individual employed by a third party — a consultancy, a compliance services firm, or a professional individual working as an independent contractor. The FCA’s SYSC sourcebook similarly does not categorically prohibit MLRO outsourcing for all firm types.
However, SMCR significantly constrains the outsourcing option for most regulated firms. Under SMCR, the MLRO function is SMF17 — a Senior Manager Function that requires the individual to be personally approved by the FCA as a Senior Manager of that specific firm. The key implication is that the FCA must approve the individual in their MLRO capacity for your firm specifically. An individual who holds SMF17 approval for Firm A does not automatically have approval to act as MLRO for Firm B. Each approval is firm-specific.
For dual-regulated firms — banks, building societies, certain investment firms regulated by both the FCA and PRA — the PRA has been explicit that the MLRO must be an employee of the firm and cannot be outsourced. This reflects the PRA’s view that the personal accountability and independence requirements of the MLRO function cannot be adequately maintained through an outsourced arrangement in a systemically important or deposit-taking institution.
For FCA-only regulated firms — consumer credit firms, most payment institutions, smaller investment firms, and others — the position is less categorical but still constrained. The FCA expects the MLRO to have genuine independence, adequate time to fulfil the function, and meaningful access to the firm’s systems and information. An external MLRO who divides their time across multiple client firms can meet these requirements for smaller firms with lower AML risk profiles. It becomes increasingly difficult to demonstrate as the firm’s size and regulatory complexity increase.
When outsourcing works
Very small regulated firms with limited AML risk
The clearest case for a shared or outsourced MLRO is a small FCA-only regulated firm — a consumer credit firm, a small investment adviser, or a recently authorised payment firm — where the volume and complexity of AML activity do not justify a full-time MLRO appointment. A firm with twenty employees that processes a modest number of transactions per month, has a predominantly UK retail client base, and operates a simple business model does not need a full-time MLRO. The regulatory obligation requires the appointment and the function to be performed adequately; it does not require the individual to be dedicated solely to that firm.
In these circumstances, a shared MLRO arrangement — where a specialist compliance professional holds SMF17 approval for multiple small firms simultaneously — can be both regulatory-compliant and commercially sensible. The shared MLRO must be approved by the FCA for each firm separately. They must have adequate time allocated to each firm. They must have genuine access to each firm’s transaction data, customer information, and internal reporting systems. And the arrangement must be documented in a way that the FCA could review and find adequate.
During the FCA authorisation phase
A firm applying for FCA authorisation needs to demonstrate to the FCA that it has identified and appointed its key SMF holders as part of the application. An external MLRO — someone who can hold SMF17 on an interim or shared basis during the authorisation process — allows the applying firm to fulfil this requirement without making a permanent appointment before the business is generating the revenue to support one.
This is a legitimate and common use of the outsourced MLRO model. The expectation, on the FCA’s part and commercially, is that as the firm grows it will transition to a dedicated internal MLRO at an appropriate point. The trigger for that transition is typically the point at which the firm’s AML risk profile — the volume of transactions, the complexity of the customer base, the geographical reach of the business — makes the shared model inadequate.
As a stopgap during MLRO succession
When a firm’s MLRO departs and the replacement has not yet completed the SMF17 approval process, the firm faces a period of MLRO vacancy. An interim external MLRO — individually approved by the FCA for that firm on a temporary basis — can hold the function during this period. This is a practically important use of the outsourced model and is considerably better than leaving the firm without a formally approved MLRO during what can be a 10–16 week approval window.
When outsourcing doesn’t work
Dual-regulated firms
As noted above, the PRA’s position effectively precludes MLRO outsourcing for PRA-regulated firms. Banks, building societies, and major investment firms need an employed, dedicated MLRO. This is not a case where a firm can structure its way around the requirement with a carefully worded contract. The PRA’s concern is about personal accountability and independence, and it is not satisfied by an outsourced arrangement regardless of how it is structured.
Firms with material AML risk
As a firm’s AML risk profile increases — higher transaction volumes, more complex customer relationships, higher-risk geographies or business lines — the outsourced MLRO model becomes progressively less adequate. The MLRO at such a firm needs to be deeply embedded in the firm’s operations. They need to understand the specific customer relationships, the transaction patterns, the business lines that carry higher risk, and the individuals internally who are the first line of defence against financial crime. An external MLRO dividing their time across multiple clients cannot develop or maintain this depth of understanding.
The FCA will assess not whether the outsourced arrangement is permissible in the abstract but whether it is adequate for the specific firm. A firm with a material and growing AML risk profile that continues to use a shared MLRO is making a regulatory bet that will eventually not pay off. When a SAR goes unfiled, when a high-risk customer slips through the EDD process, when the annual MLRO report reveals that the function has been inadequately resourced — the outsourced model is typically part of the explanation.
Where cultural and operational integration is critical
The MLRO’s effectiveness depends substantially on their relationship with the first line of defence — the relationship managers, the onboarding teams, the operational staff who encounter potential financial crime risk daily. An MLRO who is not present in the firm, who does not attend the relevant internal meetings, who is not part of the firm’s culture, cannot adequately discharge the training, culture, and oversight functions that go alongside the formal MLRO obligations.
The MLRO who visits the firm once a month to review SAR decisions and sign off on the annual report is not performing the MLRO function adequately. They are performing a subset of it. For firms where the internal financial crime culture — the awareness of the first line, the quality of internal escalation, the tone around compliance — is a material component of the AML framework, the embedded internal MLRO is not just preferable. It is necessary.
Structuring an outsourced MLRO arrangement correctly
Where outsourcing is genuinely appropriate, the arrangement needs to be documented and structured in a way that withstands FCA scrutiny. The key elements are: a written agreement with the outsourced MLRO that clearly defines the scope, time allocation, and responsibilities of the arrangement; confirmation of the FCA’s approval of the individual as SMF17 for the firm; documented evidence that the MLRO has adequate access to the firm’s systems, data, and personnel; and a clear process for escalation, SAR decision-making, and board reporting.
The firm’s board should understand and formally approve the outsourcing arrangement. It should appear in the firm’s outsourcing register where applicable. And the firm should have a contingency arrangement documented — what happens if the outsourced MLRO is unavailable, resigns, or becomes unsuitable to hold the function.
FD Capital places MLROs in FCA-regulated firms at all stages — including interim and shared arrangements during authorisation or succession periods, and permanent internal MLROs where firms have grown beyond the outsourced model. If you are reviewing your MLRO arrangement or transitioning from an outsourced to an internal model, we would welcome a conversation.
Written by
Adrian Lawrence FCA
Founder & Managing Director, FD Capital Recruitment Ltd
ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383
FD Capital is an ICAEW-Registered Practice specialising in senior finance and compliance recruitment for FCA-regulated firms.
Adrian Lawrence FCA is the founder of FD Capital and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW). He holds a BSc from Queen Mary College, University of London, and has over 25 years of experience as a Chartered Accountant and finance leader working with private, PE-backed and owner-managed businesses across the UK. He founded FD Capital to connect growing businesses with the Finance Directors and CFOs they need to scale — and personally interviews candidates for senior finance appointments.