Every UK cryptoasset business must appoint a Money Laundering Reporting Officer before it can register with the FCA — and the FCA expects that individual to lead the application, remain in place through it, and withstand a fitness and propriety assessment designed specifically around cryptoasset risk. This guide covers the crypto MLRO role in full: the legal foundation, the FCA’s stated expectations, the day-to-day responsibilities, the candidate profile, and how firms should approach the hire.
Of all the appointments a cryptoasset firm makes on its way into the UK regulatory perimeter, none carries more application risk than the MLRO. The FCA has refused cryptoasset registrations on the strength of the MLRO assessment alone. It has said, in terms, that it will refuse applications where the MLRO lacks fitness and propriety, and that changing the MLRO during an application may cause significant delays to the overall outcome. As the sector moves toward full FSMA authorisation — with the application gateway opening on 30 September 2026 — the MLRO becomes an approved person under SMF17, adding personal regulatory accountability to a role that already carries personal criminal law exposure under the Proceeds of Crime Act.
Firms that treat the MLRO as a checkbox appointment discover the cost at interview stage. Firms that treat it as the strategic hire it is — made early, made well, and given genuine authority — consistently move through the FCA gateway faster. FD Capital has placed MLROs into cryptoasset registration processes, digital asset lenders, payments firms and fintechs at authorisation stage since 2018, and this guide distils what we have learned about the role and the market for it.
The legal foundation: Regulation 21 of the MLRs
The requirement originates in Regulation 21 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Regulation 21(3) requires relevant firms to appoint an individual as a nominated officer — the person to whom internal suspicious activity reports are made, and who decides whether to make external disclosures to the National Crime Agency. In FCA-supervised firms this individual is the MLRO. The regulation requires the appointee to be of sufficient seniority to discharge the function: a member of the board or senior management with the authority to act independently, access all relevant information, and commit the firm’s resources to financial crime prevention.
For cryptoasset businesses, the FCA’s application guidance goes further than the bare regulation. The FCA states that an applicant must appoint an MLRO/Nominated Officer under Regulation 21(3) and that it expects this individual to have appropriate knowledge of UK regulation, experience — explicitly including knowledge of cryptoassets — and training, together with the authority and independence to monitor and manage compliance with the firm’s policies, procedures and controls. The FCA’s page on how to apply for cryptoasset registration lists appointing an MLRO among the preparatory steps a firm should complete before it even opens the application forms.
Layered on top of the MLRs sits the Proceeds of Crime Act 2002, which creates the criminal law framework the MLRO operates within. The MLRO is the designated recipient of internal SARs from staff who know or suspect that a transaction involves criminal property, applies the legal test, and decides whether to disclose to the NCA — with personal criminal liability for failures in the nominated officer role. Few functions in UK financial services combine regulatory and criminal law exposure so directly, which is precisely why the candidate pool is thin and the FCA’s assessment is searching.
What the FCA assesses — and why crypto MLROs face a higher bar
The FCA assesses the fitness and propriety of every cryptoasset MLRO as part of the registration application, and its published expectations are unusually specific. Four points deserve particular attention from any firm preparing an application.
Probity and track record
The FCA assesses whether the individual has acted, and may be expected to act, with probity. Regulatory history, previous refusals or withdrawals, adverse findings and credit and criminal checks all feature. Candidates with a clean history across previous approved or registered roles carry a visible advantage.
Skills and experience specific to cryptoassets
The FCA assesses whether the MLRO has adequate skills and experience to act in the role, especially for cryptoassets, and to identify and manage the money laundering, terrorist financing and proliferation financing risks inherent in the specific business model. This is the point on which strong traditional-finance candidates most often fall short at interview. An MLRO who has run a SAR function at a retail bank but cannot speak fluently about blockchain analytics tooling, wallet clustering, mixer and privacy-coin exposure, cross-chain transaction tracing, or the typologies specific to exchange and custody businesses will struggle. The assessment is business-model specific: the risk profile of a custodian differs from that of a trading platform, a lender, or a stablecoin issuer.
UK presence
The FCA has said it will look carefully at MLROs and Nominated Officers who are not based in the UK, and that fitness and propriety interviews are normally arranged at an FCA office with candidates generally expected to attend in person. For international groups establishing a UK entity, parachuting in a group MLRO based overseas is a known application weakness. The FCA wants a UK-based individual embedded in the UK entity’s day-to-day operations.
Involvement in the application itself
The FCA expects the MLRO to be heavily involved in preparing the application for registration, and to remain in place throughout the application process and beyond if the firm is registered. It warns that changing the MLRO may result in significant delays. The message to firms is unambiguous: hire the MLRO first, then write the application with them — not the other way around. An MLRO who authored the business-wide risk assessment and policy suite defends them credibly at interview; one who inherited a consultant’s documents does not.
The role in practice: what a crypto MLRO actually does
Beyond the application, the MLRO owns the firm’s entire AML/CTF/CPF framework on an ongoing basis. In a cryptoasset business the workload has distinctive features worth understanding before defining the role.
The business-wide risk assessment
The foundation document of the framework, mapping the firm’s products, customers, geographies, delivery channels and transaction types against money laundering and terrorist financing risk. In crypto this must engage with on-chain risk: exposure to sanctioned addresses, darknet markets, mixers, high-risk exchanges and cross-chain bridges. The FCA expects the assessment to be genuinely tailored — generic templates are a recognised refusal trigger.
Customer due diligence and transaction monitoring
The MLRO designs and oversees the CDD framework — identity verification, source of funds and wealth, enhanced due diligence for PEPs and high-risk customers — and the monitoring arrangements. Crypto monitoring is a hybrid discipline: traditional fiat transaction monitoring plus blockchain analytics platforms (Chainalysis, Elliptic, TRM Labs are the common stack) for on-chain screening. The MLRO needs enough technical fluency to calibrate these tools, set risk thresholds, and explain the calibration to the FCA.
SAR management
The MLRO receives internal reports, applies the POCA test, submits external SARs to the National Crime Agency, manages the consent (defence against money laundering) regime, and maintains a defensible audit trail — all while managing tipping-off risk. Exchange businesses with retail volume generate high internal report flows, so the MLRO must be able to run a SAR function at scale rather than handle reports ad hoc.
Sanctions
OFSI financial sanctions compliance has become a front-line crypto risk, with designated wallet addresses now a standard feature of the UK sanctions list. The MLRO typically owns sanctions screening across both fiat and on-chain activity, and the reporting obligations that follow a match.
Training, reporting and the annual MLRO report
The MLRO delivers financial crime training across the firm, reports to the board on the effectiveness of the framework, and produces the annual MLRO report that supervisors expect to see. Under FSMA authorisation, board reporting formalises further within SMCR governance.
From nominated officer to SMF17: what FSMA authorisation changes
Under the incoming FSMA regime — applications open 30 September 2026, regime start expected 25 October 2027 — authorised cryptoasset firms come within the Senior Managers and Certification Regime, and the MLRO function becomes SMF17, requiring individual FCA approval before the person takes up the role. The practical changes are covered fully in our guides to the cryptoasset FSMA authorisation regime and to SMF16 and SMF17 in cryptoasset firms, but three points matter for MLRO planning specifically.
First, the approval process adds a Statement of Responsibilities, regulatory references from previous employers covering six years, and conduct rules that apply personally. Second, an MLRO who has already been assessed for a cryptoasset registration carries a helpful history into SMF17 approval — continuity of the individual across the transition is an advantage worth planning for. Third, the duty of responsibility under SMCR means an approved SMF17 can be held personally accountable where a firm breaches financial crime requirements in their area and they failed to take reasonable steps — raising the stakes, and the compensation expectations, of the role.
The candidate market: who does this job, and what they cost
The pool of MLROs who combine FCA approval history, hands-on crypto experience and the willingness to hold personal accountability at an early-stage firm is small. In our placement work the strong candidates come from three backgrounds: MLROs at existing FCA-registered cryptoasset firms (the scarcest and most contested group); MLROs from payments, e-money and fintech businesses who have added crypto capability, often through a registration project; and senior financial crime professionals from banking or blockchain analytics providers stepping into their first named role. Qualifications that carry weight include the ICA International Diploma in Anti Money Laundering, the ACAMS CAMS designation, and — increasingly — certifications from the main blockchain analytics vendors. Familiarity with the JMLSG guidance and the FCA’s Financial Crime Guide is assumed at this level.
Compensation reflects scarcity and personal risk. Permanent crypto MLRO packages in London typically run from around £90,000 at smaller registered firms to £180,000 and beyond at scaled exchanges and issuers, with equity participation common at venture-backed businesses. Interim day rates for registration and authorisation projects sit meaningfully above the equivalent payments-sector rates. Notice periods for approved individuals tend to be long, so hiring timelines of three to six months from brief to start date are normal — a planning fact that collides directly with the FSMA gateway timetable for firms that have not yet begun.
Full-time, fractional or interim: choosing the engagement model
There is no regulatory requirement for the MLRO to be full-time, provided the function is genuinely performed: the individual must be contactable, actively reviewing SARs, and able to demonstrate real oversight. For smaller cryptoasset firms — and for firms in the pre-revenue application phase — a fractional MLRO, engaged for a defined number of days per week, is a legitimate and increasingly common model, and one the FCA accepts where capacity is credible. The fractional model suits stablecoin issuers and infrastructure businesses in their sandbox or build phase particularly well: full regulatory competence without a full-time cost base ahead of launch. FD Capital’s fractional MLRO service covers this route in detail.
Interim MLROs suit two situations: covering an unplanned departure (where the FCA’s warnings about MLRO changes make speed critical), and leading a registration or authorisation application as a defined project, with a permanent hire following the grant. Both are established patterns in our placement history — including a digital asset business that needed an interim MLRO within ten days of its previous holder resigning without notice.
How firms should run the hire
Four practical recommendations from our mandate experience. First, hire before you draft: the application should be written by the MLRO who will defend it. Second, test crypto fluency directly at interview — walk candidates through your actual business model and ask them to identify its highest-risk flows; generic AML answers reveal themselves quickly. Third, verify claimed approvals against the FCA Register and take regulatory references seriously; CV-stated approvals do not always survive checking. Fourth, be honest about authority: the FCA probes whether the MLRO can genuinely escalate, challenge the commercial side, and commit resources — an MLRO positioned as a junior function is an application weakness regardless of the individual’s quality.
Preparing the MLRO for the FCA interview
Where the FCA decides to interview a cryptoasset MLRO — normal practice for registration applications and standard for SMF17 approvals it has questions about — the interview is the single highest-stakes hour of the application. Firms that prepare their candidate deliberately fare visibly better than those that assume experience will carry the day. From our placement debriefs, the interview reliably covers five territories.
The business model, in the candidate’s own words. Interviewers open by asking the MLRO to describe the firm’s activities, customer base and money flows. Hesitation here is fatal — it signals the MLRO was bolted onto the application rather than embedded in the business. Candidates should be able to walk the full customer journey, fiat and on-chain, without notes.
The risk assessment, defended line by line. The FCA probes why particular risks were rated as they were, what mitigations map to each, and — the classic follow-up — what the MLRO considers the firm’s single highest residual risk and why. Candidates who wrote the assessment answer naturally; candidates who inherited it get found out.
Scenario testing. Interviewers pose live judgment cases: a customer whose deposits trace to a mixer, a spike in flows from a high-risk jurisdiction, a wallet screening hit against a sanctioned address mid-withdrawal. They are testing the POCA reasoning, the escalation instinct and the willingness to stop business — including whether the MLRO would hold the line against commercial pressure from founders.
Authority and resources. Expect direct questions about reporting lines, budget, headcount, veto rights over high-risk customers and products, and what the MLRO would do if overruled. The FCA is assessing independence as much as knowledge.
Capacity. For fractional and combined SMF16/17 candidates, a precise account of how the days divide and what triggers additional resource. Vague answers about “scaling as needed” land poorly; a defined resourcing trigger framework lands well.
Sensible preparation is straightforward: a structured mock interview with someone who has sat on the regulator’s side or been through the process, a full re-read of the submitted application (candidates are questioned on the document as filed, not as they remember it), and a briefing on any FCA supervisory correspondence in the firm’s history. We connect placed candidates with interview preparation support as standard on application mandates.
The MLRO’s first ninety days
For firms hiring ahead of an application, what the new MLRO does in the first quarter determines the submission date. A well-run first ninety days typically sequences as follows. Weeks one to four: a gap assessment of the existing framework against the FCA’s published expectations — the business-wide risk assessment, policy suite, CDD arrangements, screening stack and governance — producing the remediation plan the application timetable hangs off. Weeks five to eight: rebuild of the risk assessment in the MLRO’s own analysis and voice, selection or recalibration of the blockchain analytics and screening tooling, and design of the SAR handling process with its audit trail. Weeks nine to twelve: the financial crime sections of the application drafted, board reporting established (the FCA expects evidence the board hears from the MLRO), training rolled out, and the MLRO’s own interview preparation begun. Firms should protect this runway in the project plan: compressing the MLRO’s ninety days to thirty, to hit an arbitrary filing date, produces the thin applications that spend a year in requisitions.
Frequently asked questions
Can our MLRO be based outside the UK?
The FCA has said it will look carefully at MLROs who are not UK-based, and expects fitness and propriety interviews to be attended in person at its offices. For a UK cryptoasset registration or authorisation, a UK-based MLRO embedded in the UK entity is strongly advisable; overseas group MLROs are a recognised application weakness.
Can the MLRO also hold the compliance oversight function?
Yes. Combining SMF16 and SMF17 in one individual is common at smaller firms and accepted by the FCA where the person has the capacity and skills for both. The combined role raises the bar for the hire — see our guide to SMF16 and SMF17 for cryptoasset firms.
Can we outsource the MLRO function?
The nominated officer must be an individual within the firm’s management — the function itself cannot be outsourced to a provider, although firms may use outsourced support for elements such as screening and monitoring, with the FCA requiring oversight arrangements and the firm remaining ultimately responsible. A fractional MLRO — a named individual engaged part-time and appointed to the role — is different from outsourcing and is an accepted model.
What happens if our MLRO resigns mid-application?
Notify the FCA promptly, appoint a credible replacement quickly, and expect delay: the FCA has said MLRO changes may significantly affect application timelines and outcomes. This is a scenario worth planning for contractually — notice periods and handover obligations in the MLRO’s terms matter more than for most senior hires.
Does the MLRO need to be a director?
Not necessarily, but Regulation 21 requires management-level seniority, and the FCA expects genuine authority and independence. In smaller firms the MLRO is often a board member; in larger firms a senior manager reporting to the board with a direct escalation line.
Related guides and services
- Cryptoasset Compliance Recruitment
- Cryptoasset FSMA Authorisation: The Complete Guide
- MLR Registration vs FSMA Authorisation for Crypto Firms
- MLRO Recruitment (SMF17)
- Fractional MLRO
- AMLRO Recruitment
- Financial Crime Recruitment
External resources
- FCA — What we expect to see in your cryptoasset registration application
- FCA — Cryptoassets: how to apply for registration
- Money Laundering Regulations 2017
- Proceeds of Crime Act 2002
- National Crime Agency — Suspicious Activity Reports
- Joint Money Laundering Steering Group
- International Compliance Association
- ACAMS
About the Author
Adrian Lawrence FCA is the founder of FD Capital Recruitment and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW member record). Adrian holds a BSc from Queen Mary College, University of London and an ICAEW practising certificate in his own name.
FD Capital places permanent, interim and fractional MLROs into FCA-regulated and MLR-registered firms across the UK — including cryptoasset businesses at registration and authorisation stage, digital asset lenders, payments firms and fintechs. Adrian personally screens candidates for MLRO appointments given the personal accountability the role carries. FD Capital Recruitment Ltd (Companies House no. 13329383) is associated with Adrian’s ICAEW registered practice.
Hiring a crypto MLRO? Call FD Capital on 020 3287 9501 or email recruitment@fdcapital.co.uk. MLRO shortlists typically within 5–10 working days, including fractional and interim options for firms at application stage.




