SMF17 Explained: The MLRO Function in FCA-Regulated Firms
SMF17 Recruitment: Find a Money Laundering Reporting Officer Who Has Done This Before
SMF17 is the Senior Management Function under the FCA’s Senior Managers and Certification Regime (SM&CR) that designates the Money Laundering Reporting Officer — the senior individual responsible for the firm’s compliance with the Money Laundering Regulations 2017 and related financial crime obligations. The holder is named on the FCA Register, has personal regulatory liability under both SMCR and the MLR 2017, and serves as the firm’s regulated point of contact with the National Crime Agency for Suspicious Activity Reports.
This guide covers what SMF17 actually means in practice — the scope of the MLRO responsibility, the personal liability position under both SM&CR and the MLR 2017, how the role differs across firm types, and what FD Capital looks for when placing SMF17-approved candidates. It also covers compensation benchmarks, the specific reasons MLRO recruitment is one of the tightest specialist markets in regulated firm recruitment, and what hiring firms get wrong when treating SMF17 as a generic compliance hire.
What’s missing from most online explanations of SMF17 is the practical recruitment perspective and the dual liability framework — MLROs face personal liability under both the SMCR regime AND the MLR 2017 (which carries criminal sanctions), and this materially affects the candidate market. That’s the gap this guide fills.
What SMF17 Means and Where It Sits
SMF17 is the MLRO function under SM&CR. The role combines two distinct regulatory obligations:
- Under MLR 2017 (Regulation 21): The MLRO is the firm’s nominated officer for receiving internal SARs from staff, deciding whether to file external SARs with the NCA, and serving as the firm’s nominated point of contact for the NCA. This obligation derives from the underlying anti-money laundering legislation and applies to firms within scope of MLR 2017 regardless of FCA regulation.
- Under SM&CR: SMF17 is a Senior Management Function carrying SMCR responsibilities — pre-approval by the FCA, Statement of Responsibilities, Duty of Responsibility under section 66B FSMA, and Conduct Rules accountability.
The two frameworks operate together. Most firms within scope of MLR 2017 are also FCA-regulated and require both MLRO designation under MLR 2017 and SMF17 approval under SM&CR. The two designations are typically held by the same individual, but they are technically distinct.
SMF17 is required for all FCA-regulated firms in scope of MLR 2017 above the Limited Scope tier. This includes essentially all investment firms, fund managers, payments firms, e-money institutions, banks, certain consumer credit firms, and others. The full list of firms in scope of MLR 2017 is set out in Regulation 8 of the MLR 2017.
The MLR 2017 Liability Framework — Distinct from SMCR
The most important feature of SMF17 — and the one that genuinely differentiates it from other SMF roles — is the dual liability framework. SMF17 holders carry SMCR liability for the function under section 66B of FSMA, but they ALSO carry personal liability under the Money Laundering Regulations 2017, which includes potential criminal sanctions.
The MLR 2017 personal liability framework includes:
- Regulation 86 — failure to comply with the Regulations: An offence punishable by up to 2 years imprisonment and an unlimited fine, applying to individuals (including MLROs) who breach specific MLR 2017 obligations.
- Section 330 of the Proceeds of Crime Act 2002: Failure to disclose suspected money laundering — applicable to MLROs who fail to file SARs when they should have done. Up to 5 years imprisonment.
- Section 333A of the Proceeds of Crime Act 2002: Tipping-off offences — applicable to MLROs who improperly disclose SAR-related information to the subject. Up to 2 years imprisonment.
This dual liability framework (civil regulatory under SMCR plus criminal under POCA/MLR 2017) is what makes SMF17 candidates particularly cautious about the firms they join, and in particular about the firm’s AML risk appetite, the quality of its AML programme, and the board’s willingness to support difficult decisions.
The practical recruitment implication is that the SMF17 candidate market is one of the most due diligence-heavy in UK financial services. Experienced MLROs investigate the firms they consider — talking to their networks, reviewing the firm’s history, examining publicly available enforcement information. Firms with weaker AML histories, ongoing FCA dialogue on financial crime issues, or recent SAR-related concerns find it materially harder to recruit experienced SMF17s than firms with cleaner histories.
SMF17 Combined with SMF16 — The Smaller Firm Pattern
In firms below approximately £20m revenue, it is common for a single individual to hold both SMF17 (MLRO) and SMF16 (Compliance Oversight). This is permitted under SM&CR provided the firm has assessed that the combination is appropriate for the firm’s size, complexity and risk profile.
The combined role is typically titled “Head of Compliance and MLRO” or “Chief Compliance Officer and MLRO”. The candidate profile combines compliance leadership with AML expertise — a common combination in mid-market regulated firms.
In larger firms (typically £30m+ revenue), the SMF16 and SMF17 roles are usually separated:
- SMF16 leads the broader compliance function — regulatory change, monitoring, advisory, FCA relationship management, Consumer Duty
- SMF17 leads the AML programme — financial crime risk assessment, transaction monitoring, customer due diligence framework, sanctions screening, SARs investigation and filing, financial crime training, NCA relationship
Where the roles are separated, SMF17 typically reports operationally to SMF16 within a unified compliance and financial crime function. The reporting line is operational; the regulatory accountability remains personal to SMF17.
Day-to-Day Responsibilities of an SMF17
The SMF17’s day-to-day responsibilities are extensive and operationally demanding:
- Firm-wide AML risk assessment: Maintaining the firm’s risk-based assessment of money laundering and terrorist financing risk under MLR 2017 Regulation 18. Updated at least annually and triggered by material changes.
- Customer due diligence framework: Owning the firm’s CDD methodology, including approach to higher-risk customers, PEP identification, source of funds and source of wealth verification, and ongoing monitoring. See our CDD Guide for detail.
- Enhanced due diligence: Ensuring EDD is applied appropriately to higher-risk customers and relationships.
- Transaction monitoring: Overseeing the firm’s transaction monitoring framework, alert triage, investigation processes, and the underlying technology.
- Sanctions screening: Owning the firm’s sanctions screening framework and ensuring effectiveness against UK, EU, US and UN sanctions regimes.
- Internal SAR receipt and external SAR filing: Receiving internal disclosures from staff, investigating, deciding whether to file with the NCA, and managing the consent (DAML) regime where applicable. See our SARs Guide.
- NCA relationship management: Acting as the firm’s nominated point of contact for the NCA, managing requests for information, coordinating responses to production orders.
- FCA relationship for AML matters: Engaging with FCA supervisory dialogue on financial crime, responding to FCA financial crime thematic reviews, leading the firm’s preparation for FCA financial crime examinations.
- Annual MLRO Report: Preparing the annual MLRO report to the board on the effectiveness of the firm’s AML systems and controls — a standard governance output expected by the FCA.
- Financial crime training: Designing and delivering AML training across the firm, including specific role-based training for higher-risk roles.
- Financial crime function leadership: Recruiting, managing and developing the financial crime team, including any Certification Regime employees in financial crime roles.
The proportion of time spent on each area varies materially by firm size and AML risk profile. In a smaller firm with combined SMF16/17 responsibility, AML work is one component of a broader compliance role. In a larger firm with high AML risk exposure (e.g., a payments firm processing diverse international flows), SMF17 is a fully dedicated specialist role often supported by a substantial financial crime team.
Sector-Specific SMF17 Variations
SMF17 candidates are not interchangeable across sectors. The dominant AML risks, the regulatory environment, and the operational demands vary substantially.
SMF17 in payments and e-money firms
Payments firms typically face the highest AML risk profile in the regulated population — high volumes of cross-border transactions, diverse customer bases, fast onboarding, and increasingly aggressive FCA scrutiny. Payments SMF17s typically have heavy transaction monitoring backgrounds and extensive SAR investigation experience. The candidate market here is the tightest of any SMF17 specialism.
SMF17 in wealth management firms
Wealth management AML focuses on source of funds and source of wealth verification, PEP identification, and the specific risks of high-net-worth and ultra-high-net-worth client relationships. Wealth management SMF17s typically have deep CDD expertise rather than transaction monitoring focus.
SMF17 in asset management firms
Asset management AML risk is generally lower than in wealth management or payments: most fund-level investor onboarding is delegated to the fund’s transfer agent, and the firm’s direct AML exposure is more limited. SMF17 in pure asset management is often one component of a broader compliance role.
SMF17 in cryptoasset firms
Cryptoasset firms registered under MLR 2017 (whether fully FCA-authorised or solely registered for AML purposes) face specific challenges around source of funds verification, blockchain analytics, and the FCA’s particular focus on the sector. SMF17 candidates with crypto experience are genuinely scarce.
SMF17 in firms under FCA financial crime supervisory pressure
Firms with active FCA financial crime dialogue, recent thematic review participation, or active or threatened enforcement action need experienced SMF17 candidates who can operate under regulatory scrutiny. The premium for experience operating under pressure is substantial.
SMF17 Compensation Benchmarks (UK 2026)
| Role profile | Base salary range | Total package range |
|---|---|---|
| Combined SMF16/17 in smaller firm | £90k-£140k | £105k-£170k |
| Standalone SMF17 (mid-size firm) | £110k-£170k | £130k-£220k |
| Standalone SMF17 (larger Core / smaller Enhanced) | £150k-£230k | £180k-£320k |
| SMF17 in Enhanced payments firm | £200k-£300k+ | £260k-£500k+ |
| SMF17 in PE-backed Enhanced firm | £200k-£280k | £350k-£800k+ (with sweet equity) |
Payments-sector SMF17 compensation has risen materially since 2023 reflecting tight candidate supply and intensified FCA scrutiny. The premium for crypto-experienced SMF17s is similar.
Fractional and interim SMF17 placements have grown rapidly, particularly for smaller payments and e-money firms post-authorisation that need a specialist MLRO but cannot justify a full-time appointment. Day rates for established SMF17 candidates run £900-£1,400 with payments-sector specialists at the upper end. See our MLRO Recruitment page for more on the fractional model. Some firms now use the term “fractional MLRO” or “outsourced MLRO” — these are typically the same engagement model with different commercial framing.
Hiring an SMF17 — What FD Capital Looks For
Prior SMF17 (or pre-2019 CF11) approval
Candidates with prior SMF17 approval — or pre-SMCR CF11 approval — have the fastest FCA approval path. First-time SMF candidates can be approved with strong substantiation of capability.
Sector match
A wealth management SMF17 is rarely the right candidate for a payments firm. The transaction monitoring tooling, customer profiles and AML risk profile are too different. Sector-specific match matters significantly.
Operational AML experience
The strongest SMF17 candidates have hands-on operational AML backgrounds — they have personally investigated SARs, made the call on filing decisions, designed transaction monitoring scenarios, and led specific remediation programmes. Candidates whose AML experience is purely strategic or governance-level often struggle in roles requiring detailed operational oversight.
NCA and law enforcement engagement
Strong candidates have managed live NCA engagement — DAML requests, production orders, ad-hoc information requests. Candidates whose NCA contact has been limited to standard SAR filings rarely have the experience needed for complex matters.
Financial crime culture and challenge
Experienced SMF17s are characterised by a willingness to escalate concerns and challenge commercial decisions where AML risk is being inappropriately managed. The firm’s culture matters — boards that view AML as a constraint to be managed around rather than a genuine risk to be controlled struggle to retain experienced SMF17s.
Reference depth
SMF17 reference checking is the most thorough of any SMF placement. Mandatory Regulatory References under SM&CR are augmented by detailed commercial reference work — prior board members, prior auditors, prior NCA contacts where appropriate, and senior peers from the candidate’s previous firms.
The payments and e-money SMF17 candidate market is the tightest specialist market FD Capital recruits in. The combination of high transaction volumes, diverse customer bases, intensified FCA scrutiny, and growing enforcement activity has created strong demand for a small experienced candidate population. Firms in this segment should plan for 20-30 week recruitment cycles, benchmark at the upper end of compensation ranges, and consider fractional or interim arrangements as bridges to permanent appointments.
SMF17 and the Wider SMF Framework
- SMF16 (Compliance Oversight): Frequently combined with SMF17 in smaller firms; SMF17 reports to SMF16 in most larger firm structures.
- SMF2 (Chief Finance Function): SMF17 owns AML risk; SMF2 owns financial crime in transaction processing only where it intersects with payments and finance functions. The roles intersect on SAR-related cost recovery, sanctions-related transaction blocks and similar.
- SMF4 (Chief Risk Function): Where the firm has SMF4, financial crime risk fits within the broader enterprise risk framework owned by SMF4. SMF17 retains operational AML accountability.
- SMF18 (Other Overall Responsibility): In some firm structures, fraud or specific financial crime areas (e.g., authorised push payment fraud) are allocated to an SMF18 holder rather than SMF17.
- SMF24 (Chief Operations Function): Where SMF24 exists, transaction monitoring technology and SAR investigation operational delivery may sit within their accountability.
For the broader regulatory framework, see our complete SMCR guide. For AML topics specifically, see our MLRO Guide, CDD Guide, SARs Guide and Third-Party Risk Management Guide.
Common SMF17 Recruitment Pitfalls
Underestimating timeline. SMF17 mandates take 18-30 weeks end-to-end including notice and FCA approval. Payments-sector mandates often run longer.
Sector mismatch. Trying to recruit cross-sector typically fails — wealth management to payments, asset management to crypto, etc.
Pricing at non-payments market rates for payments roles. The payments-sector SMF17 premium is substantial and not flexible.
Combined role unclear. Smaller firms that haven’t decided whether to combine SMF16 and SMF17 confuse candidates.
Insufficient AML budget visible to candidates. Experienced SMF17 candidates ask probing questions about transaction monitoring tooling, financial crime team headcount, training budgets and external advisory access. Firms with under-resourced AML programmes find experienced candidates walking away.
Regulatory history not addressed honestly. Open thematic reviews, ongoing remediation programmes and prior enforcement findings all need to be disclosed early in the process.
A Note from Our Founder — Adrian Lawrence FCA
SMF17 is the role where the personal liability dimension matters more than for any other senior management function. The combination of SMCR civil regulatory exposure plus the criminal liability framework under POCA and MLR 2017 means that experienced MLROs are particularly thoughtful about the firms they join — and rightly so. The conversation I have with candidates accepting SMF17 mandates almost always involves a detailed discussion of the firm’s AML history, current programme, board engagement and willingness to support difficult decisions.
The conversation I have with hiring boards is often about the difference between “compliance officer who will also do AML” and “specialist MLRO”. The qualified candidate populations are genuinely different. Firms that need a specialist MLRO — particularly in payments, wealth management with high-net-worth clients, or any sector with elevated AML risk — should plan to recruit at the SMF17 level with appropriate compensation and timeline. Firms that try to recruit MLROs as part of a broader compliance role at non-specialist salary levels typically end up either with under-qualified candidates or with the search dragging out for months.
Payments and e-money firms are now the most active part of our SMF17 market. The combination of FCA enforcement activity in the sector, growing customer volumes, and increased focus on authorised push payment fraud and sanctions screening means demand exceeds supply for experienced candidates. Hiring boards in this segment should take the timeline and compensation reality seriously from day one — and consider fractional or interim SMF17 arrangements as bridges where appropriate.
At FD Capital we work on SMF17 mandates regularly, with particular concentration in payments, wealth management and FCA-authorisation candidates. If you are recruiting an SMF17 — permanent, interim or fractional — I’m happy to have a direct conversation about your specific situation.
Adrian Lawrence FCA | Founder, FD Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383
Hire an SMF17 MLRO
SMF17 placements require sector-specific AML expertise, FCA approval process knowledge and an understanding of the dual liability framework that combines SMCR with MLR 2017 personal exposure. FD Capital places SMF17 candidates on permanent, interim and fractional engagements with specific concentration in payments, wealth management and FCA-authorisation segments.
Further Reading and Authoritative Sources
For the FCA’s authoritative guidance on Senior Management Functions, see FCA Handbook SUP 10C. For the Money Laundering Regulations 2017 themselves, see the legislation on legislation.gov.uk. The FCA’s Financial Crime pages provide practical regulatory guidance.
For SAR filing and the NCA framework, the NCA’s SAR pages are the authoritative reference. The JMLSG Guidance (Joint Money Laundering Steering Group) provides the industry-recognised practical AML compliance framework.