Governance, Risk & Compliance

The MLRO Annual Report: What to Include

What to put in your MLRO annual report under SYSC 6.3.9R, the FCA Financial Crime Guide and JMLSG guidance: systems and controls, SARs, training and more.

9 min read Published 17 Jul 2026
The MLRO Annual Report: What to Include

The MLRO annual report is the document through which a firm's money laundering reporting officer tells the board and senior management how well the firm's anti-money laundering systems and controls are actually working. It is not an administrative formality. It is a governance instrument that gives senior managers the information they need to own the firm's financial crime risk, and it is one of the clearest pieces of evidence a supervisor will look for when it wants to see whether AML is being taken seriously at the top of the firm.

The requirement sits in the FCA Handbook. Firms subject to SYSC 6.3 must appoint an MLRO under SYSC 6.3.9R, and they must ensure appropriate provision of information to the governing body and senior management, including a report at least annually by the MLRO on the operation and effectiveness of the firm's systems and controls against money laundering. The Money Laundering Regulations 2017 and the FCA's Financial Crime Guide sit alongside this rule, and the Joint Money Laundering Steering Group has published a suggested framework to help MLROs decide what to cover.

This article sets out what the annual report should include, why each section matters, and how to produce a report that informs decisions rather than just filing statistics. Every requirement below is drawn from the primary sources cited at the end, and nothing is invented. Where the sources describe a suggested contents list rather than a fixed rule, that is made clear.

Where the requirement comes from

The starting point is the FCA Handbook. SYSC 6.3 requires firms within its scope to take reasonable care to establish and maintain effective systems and controls to counter the risk that the firm might be used to further financial crime. As part of that, the firm must ensure appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer on the operation and effectiveness of those systems and controls. SYSC 6.3.9R then requires the firm, unless it is a sole trader with no employees, to appoint an individual as MLRO with responsibility for oversight of its compliance with the FCA's rules on systems and controls against money laundering.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 reinforce the governance around this. Regulation 21 requires a relevant person, where appropriate to the size and nature of its business, to appoint one individual who is a member of the board or of senior management as the officer responsible for compliance with the Regulations, and to appoint a nominated officer under Regulation 21(3). Regulation 21 also requires an independent audit function to examine and evaluate the adequacy and effectiveness of the firm's policies, controls and procedures. The FCA's Financial Crime Guide confirms that where SYSC 6.3.9R requires a firm to have an MLRO, that individual can be the same person appointed under Regulation 21, so the two regimes join up in practice.

The annual report is where these threads meet. It is the MLRO's structured account of whether the arrangements required by the Regulations are working, delivered to the people the FCA holds responsible for AML. The Financial Crime Guide is explicit that senior management should take responsibility for the firm's anti-money laundering measures, which includes knowing about the money laundering risks to which the firm is exposed and ensuring that steps are taken to mitigate those risks effectively.

The report's governance role

The value of the report lies in what senior management do with it. The FCA's Financial Crime Guide sets out a set of self-assessment questions for firms on governance, and one of them asks directly how regularly senior management commission reports from the MLRO, noting that this should be at least annually, what they do with the reports they receive, and what follow-up there is on any recommendations the MLRO makes. A report that is written, tabled and then ignored fails that test.

The Guide draws the point out further in its examples of good and poor practice. Among the examples of poor practice, it lists the situation where the board never considers MLRO reports. Among the good practice examples for governance, it points to documentation provided to senior management that gives an accurate picture of the risk to which the firm would be exposed. The message is consistent: the report exists to support informed decisions and challenge at board level, not to sit in a folder.

This is why the report should conclude, not just describe. The MLRO is expected to reach a view on the effectiveness of the firm's systems and controls and to make recommendations where improvement is needed, so that senior management have something to act on. A strong report ends with a clear position and a short, prioritised set of actions with owners and timelines, so that the follow-up the FCA expects can actually be tracked.

What the report must cover

SYSC frames the report around the operation and effectiveness of the firm's systems and controls, so that assessment is the spine of the document. The FCA's Financial Crime Guide then describes the kinds of management information that senior management should receive, and this maps closely onto the content an annual report should draw together. That information includes an overview of the financial crime risks to which the firm is exposed, information about emerging risks and any changes to the firm's risk assessment, legal and regulatory developments and their impact on the firm's approach, and an overview of the effectiveness of the firm's financial crime systems and controls.

The Guide's management information examples also cover relevant information about individual business relationships. These include the number and nature of new business relationships, in particular those that are high risk, the number and nature of relationships terminated due to financial crime concerns, the number of transaction monitoring alerts, details of any true sanction hits, and information about suspicious activity reports considered or submitted where relevant. The Guide notes that this information may come from more than one source, including the compliance department, internal audit, the MLRO or the nominated officer, which is exactly why the annual report is useful as a single consolidated view.

The Joint Money Laundering Steering Group has published a suggested aide memoire for the MLRO annual report. It is presented as a helpful framework rather than formal guidance, and it stresses that the report should focus on outcomes rather than simply listing a lot of statistics, and should conclude on the effectiveness of the firm's AML systems and controls while making recommendations for improvement, including on resources. The table below brings together the areas the sources point to.

Section of the reportWhat it should cover
Assessment of systems and controlsA conclusion on the operation and effectiveness of the firm's AML systems and controls, which is the requirement SYSC 6.3 places at the centre of the report.
Risk assessment updateChanges to the firm's business, customers, products, geographies and delivery channels over the year, and how these affected the money laundering risk the firm is exposed to.
Regulatory and legal developmentsLegal and regulatory developments and the impact these have on the firm's approach, as flagged in the FCA's management information examples.
SARs and internal reportsInformation about suspicious activity reports considered or submitted, and how internal disclosures to the nominated officer were handled.
Transaction monitoring and sanctionsThe number of transaction monitoring alerts and details of any true sanction hits, plus the firm's arrangements for sanctions screening.
Customer relationshipsThe number and nature of new, high risk and terminated relationships, giving senior management a picture of the changing customer book.
TrainingThe firm's training policy, delivery and coverage, and whether staff are equipped to recognise and deal with money laundering risk.
Control failures and breachesAny material control failures identified, including issues that may amount to rule breaches, and the remedial action taken.
Resourcing and recommendationsWhether the MLRO function is adequately resourced, and prioritised recommendations for improvement for senior management to act on.
Areas the MLRO annual report should draw together, based on SYSC 6.3, the FCA Financial Crime Guide and the JMLSG suggested framework.

Assessing systems, controls and the risk assessment

The core of the report is the MLRO's honest assessment of whether the firm's AML systems and controls are working. This is where the report earns its place, because SYSC 6.3 asks specifically for a view on the operation and effectiveness of those controls rather than a description of what they are. The MLRO should look across the whole control environment, from customer due diligence and ongoing monitoring to escalation and reporting, and say plainly which parts are effective, which are under strain and which need investment.

The report should also revisit the firm's risk assessment. The FCA's management information examples include an overview of the financial crime risks to which the firm is exposed, information about emerging risks, and any changes to the firm's risk assessment. The annual report is a natural moment to check whether the business-wide risk assessment still reflects reality, given any new products, new markets, new customer types or new delivery channels the firm has taken on during the year.

Where the assessment identifies weaknesses, the report should be specific about them. The JMLSG framework suggests summarising details of any material control failures identified, including issues that may amount to rule breaches, together with any remedial action taken. Being candid here protects the firm as well as the MLRO, because it demonstrates that problems are surfaced to senior management and dealt with, which is precisely the follow-up the FCA expects. A single place to log and track those actions, such as the control workspace, makes it far easier to show that recommendations were owned and closed.

SARs, monitoring, training and resourcing

Suspicious activity reporting is central to the firm's AML obligations, so the annual report should give senior management a clear view of it. The FCA's management information examples reference information about suspicious activity reports considered or submitted. In practice a good report will cover the volume of internal disclosures made to the nominated officer, how many progressed to external reports to the National Crime Agency, and any themes in what was reported, so that senior management can see whether the firm's detection and escalation routes are working.

Alongside SARs, the report should address ongoing monitoring and sanctions. The Financial Crime Guide's management information examples include the number of transaction monitoring alerts and details of any true sanction hits. The JMLSG framework suggests describing the firm's arrangements for sanctions compliance, such as the lists used, the frequency of checks and who is screened. Training is another expected theme, and the JMLSG framework suggests summarising the firm's training policy along with the timing of any rolling programme, so that senior management can judge whether staff are properly equipped.

Finally, the report should address resourcing. The JMLSG aide memoire is explicit that the report should consider whether resources to assist the MLRO function are sufficient, and the Financial Crime Guide's self-assessment questions ask whether the MLRO has sufficient resources, experience, access and seniority to carry out the role effectively. Raising a resourcing gap in the annual report, in front of the board, is one of the most effective ways an MLRO can secure the support the role needs.

Financial crime management information the FCA cites

Examples of financial crime management information that senior management should receive, drawn from the FCA Financial Crime Guide, that the annual report can consolidate.

Risk overview and emerging risks1%
Legal and regulatory developments1%
Effectiveness of systems and controls1%
New and high risk relationships1%
Transaction monitoring alerts1%
True sanction hits1%

How to produce the annual report

A useful report is built over the year, not assembled the night before the board meeting. Because the FCA's management information examples span risk, controls, relationships, monitoring, sanctions and SARs, the MLRO needs data feeds from several functions, so it helps to agree in advance what information will be gathered and from where. The JMLSG framework is a helpful starting scaffold, but each firm should tailor it to its own business, since SYSC and the Regulations both require arrangements that are proportionate to the size and nature of the business.

The steps below set out a practical way to produce the report. The aim throughout is the outcome the FCA's governance self-assessment describes: a report that senior management genuinely consider, act on and follow up. Structuring the firm's wider financial crime controls and governance records in one place makes the annual data-gathering exercise far less painful.

One final point on tone. The report should conclude, as the JMLSG framework suggests, on the effectiveness of the firm's AML systems and controls, and should carry forward clear, prioritised recommendations. A report that reaches a view and drives a small number of well owned actions will do more for the firm, and for the MLRO personally, than a long document that lists activity without judgement.

1
Agree scope early
Set the report's scope and data feeds at the start of the year, tailored to the firm's size and risk.
2
Gather the data
Collect MI on risk, controls, relationships, monitoring, sanctions, SARs and training from each function.
3
Assess effectiveness
Reach a clear view on whether the AML systems and controls are operating effectively.
4
Record failures
Summarise material control failures and possible breaches, with the remedial action taken.
5
Make recommendations
Set out prioritised improvements, including resourcing, with owners and timelines.
6
Present and follow up
Table the report to senior management and track follow-up on every recommendation.

Conclusion

The MLRO annual report is a governance document with a clear regulatory home. SYSC 6.3 requires firms to provide their governing body and senior management with a report at least annually from the MLRO on the operation and effectiveness of the firm's systems and controls against money laundering, and the Money Laundering Regulations 2017 and the FCA's Financial Crime Guide set the wider expectations around the roles and the information senior management should receive. Built around an honest assessment of effectiveness, and covering risk, SARs, monitoring, sanctions, training, control failures and resourcing, the report gives the board what it needs to own the firm's financial crime risk.

The test the FCA applies is not whether the report exists but whether senior management commission it, consider it and act on its recommendations. The JMLSG framework is a helpful guide to content, but the judgement, the conclusion on effectiveness and the prioritised recommendations are what make a report worth reading. If you want a single place to gather the evidence, track the recommendations and demonstrate that follow-up happened, you can request a demo to see how a structured platform can support the annual report end to end.

Frequently asked questions

Is the MLRO annual report a legal requirement?

For firms within scope of SYSC 6.3, yes. SYSC 6.3 requires the firm to ensure appropriate provision of information to its governing body and senior management, including a report at least annually by the firm's MLRO on the operation and effectiveness of the firm's systems and controls against money laundering. SYSC 6.3.9R separately requires the firm to appoint an MLRO.

How often must the MLRO report to senior management?

SYSC 6.3 sets a minimum of at least annually. The FCA's Financial Crime Guide reinforces this, noting in its governance self-assessment questions that senior management should commission reports from the MLRO at least annually. Firms with higher risk profiles often report more frequently, but annual is the regulatory floor.

What should the MLRO annual report include?

At its core, an assessment of the operation and effectiveness of the firm's AML systems and controls. Drawing on the FCA's management information examples and the JMLSG suggested framework, it should also cover risk assessment updates, regulatory developments, suspicious activity reports, transaction monitoring, sanctions, customer relationships, training, any material control failures, and resourcing with recommendations.

What does the FCA expect senior management to do with the report?

The Financial Crime Guide asks what senior management do with the reports they receive and what follow-up there is on any recommendations the MLRO makes. It cites a board that never considers MLRO reports as poor practice. Senior management are expected to consider the report, act on it and track follow-up on the MLRO's recommendations.

How does the JMLSG guidance relate to the MLRO annual report?

The Joint Money Laundering Steering Group has published a suggested aide memoire to help MLROs decide what to include in the annual report. It is presented as a helpful framework rather than formal guidance. It suggests the report should focus on outcomes rather than statistics and should conclude on the effectiveness of the firm's AML systems and controls with recommendations for improvement.

Who is responsible for producing the annual report?

The MLRO. Under SYSC 6.3.9R the firm must appoint an individual as MLRO with responsibility for oversight of its compliance with the FCA's rules on systems and controls against money laundering, and the Financial Crime Guide describes the MLRO as the focal point for the firm's AML activity. The MLRO owns the report, drawing MI from compliance, internal audit and other functions.

Ready to move money with confidence?

Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.

Talk to an expert
Secure by designBank-grade security and encryption
Built for UK firmsMade for FCA-regulated businesses
Data protectedYour data stays private and controlled
Global reachCross-border payments worldwide