In November 2023, a Freedom of information request revealed that the FCA had written to no less than 643 firms earlier in the year, expressing concern about their high turnover of MLROs.

These firms had had three or more MLROs registered with the FCA, across a period of three years.

So, what prompted this sort of turnover, and what can businesses do to keep their MLROs in post – and avoid scrutiny from the FCA?

It's important firstly to note exactly what the role of an MLRO is, and what legal function it holds.

The role of the MLRO

An MLRO – Money Laundering Reporting Officer – is responsible for ensuring that the business is not facilitating any form of money laundering by carrying out its activities. In very small or start-up firms, the MLRO might be the only person carrying out this type of work, whereas in larger organisations, they may have a team reporting to them.

For businesses carrying out regulated activities, there are designated senior manager functions that must be fulfilled. The MLRO usually takes the SMF17 function. In this capacity, they must be approved by the FCA before starting the role, and their name will be added to the FCA register.

"Every SMF holder will have a Duty of Responsibility under the Financial Services and Markets Act 2000 (FSMA). This means that if a firm breaches one of our requirements, the SMF responsible for that area could be held accountable if they did not take reasonable steps to prevent or stop the breach." [FCA – Senior Manager's Regime]

Why the high turnover?

Of course, a high turnover of MLROs does not apply to all or even the majority of financial services businesses. However, there are clear themes coming out of conversations with MLROs that have left or are looking to leave a role after a short period of time.

Culture

If the culture of the business does not facilitate the MLRO to carry out their role within the boundaries outlined by the FCA, as well as to their own standards – then they may feel they have no option but to leave. This could include risk appetites being stretched to accommodate commercial goals, despite the MLRO's recommendations or warnings. It can also be frustrating for an MLRO not to be included in conversations or decisions at leadership and board level, especially considering their personal liability. I've found a key metric for measuring culture is the relationship between sales and compliance, and how the board favours decision making for edge cases that stand to make a lot of money, but are on the very edge of the firms' risk appetite.

Value

MLROs know their own value and worth, but sometimes businesses do not align their remuneration packages with the market value of the MLRO – or the responsibilities and duties they are expected to take on. Some MLROs have reported burn-out and overwork due to non-investment in compliance and financial crime resources by the business.

Risk

As an SMF17, an MLRO could be held accountable for any breaches of FCA requirements. Some MLROs have reported feeling anxious or fearful that the decision-makers in the organisation they are working for, may be authorising activities which leave the firm – and the MLRO – at risk of investigation, fines and reputational damage. At the most serious level, should an MLRO be found to have allowed these activities, this could result in them being removed from the register and their career tarnished.

These three areas can all converge to result in an MLRO feeling unable to stay in their position. At best they may feel undervalued, and at worst that their personal integrity and hard-won career is being compromised.

What can businesses do?

When someone takes a permanent role as an MLRO, in the vast majority of cases they will be expecting to stay in the position for at least a year. To retain them for this amount of time, and longer, businesses can consider the following:

Value the advice

MLROs in most cases are experienced professionals with strong knowledge and experience in their field; use them to accelerate your business. The MLRO can help you stay within the boundaries of regulation while helping you achieve your commercial goals, and should be involved in decision-making throughout.

Value the function

Regulated businesses need to assign an appropriate amount of budget/time/attention to the Compliance and AML function in their business. It's not just a tick box; if funded appropriately, this function can enable your business to excel, grow and succeed, while helping you avoid the huge costs of fines or reputational damage.

Value the person

It's not just about money; in a small or start-up business, MLROs understand that salary may be lower. But look at the whole remuneration package you're offering, and try to make it competitive or you will risk losing your MLRO. It's also important to offer other benefits such as flexible working and pension. You can also make up for what you can't offer in monetary terms, by offering opportunity instead. An MLRO will be likely to stay with a business who gets them involved in all the elements of the journey, and makes it an exciting and inclusive place to be.

Conclusion

As SMF17, the MLRO in a regulated business is of great value. It's important that businesses recruit the right person for their business – but ensure that the environment works both ways in order to retain them. A great working partnership between the MLRO and the business leaders can result in a thriving organisation, which can satisfy regulators and customers alike, while enjoying all the benefits of commercial success.

The best places I've ever worked in are those that realise that compliance is an enabler to do 'good' business, and empowered me to make informed decisions. The worst places I've worked in want the MLRO to be seen and not heard; needless to say, it didn't last long.

*************************************************

 This blog was written in collaboration with Tony Brown, Chief Compliance Officer at Finteva (ProfPGDip(FCC); Dip(FinCrime); Cert(AML); FICA; CAMS).

Passionate about risk management and driving compliance initiatives, Tony leads with a dynamic, forward-thinking approach. As Chief Compliance Officer at Finteva, he shapes a collective vision, which is centred around making profits with purpose and providing first class service to clients. Tony believes in simple solutions to complex problems and has spent over 20 years in industry helping businesses to understand the difference between 'doing things right and doing the right thing'.

Organisations are currently facing increased scrutiny over their conduct risk culture.

In this blog we explore the nature of conduct risk, how businesses can achieve good outcomes, and the relationship between incentive structures, performance metrics, and their impact on shaping the conduct culture in financial institutions.

What is conduct risk?

Conduct risk refers to the potential harm that can arise from the behaviour of individuals within an organisation. It is crucial for companies, especially financial institutions, to measure and assess their conduct risk culture to ensure alignment with their values.

There are many methodologies and frameworks used to measure and evaluate conduct risk culture. The best culture change initiatives will not be one-off exercises, but long term programmes, because it takes time to change embedded assumption, norms and beliefs.

All culture 'journeys' require a consistent and focussed effort from the top of the organisation down - and should look at how to move beyond simply meeting regulations. It is essential that firms do not become complacent; they must regularly re-assess their culture, understand progress to date, take action on gaps and instil an effective and resilient culture.

Culture is lived by the people in the organisation, and things are always fluid; new employees come in bringing new ideas, or the business may have to make changes due to external factors. The most effective firms constantly keep in mind that the culture is evolving all the time – and they shift their strategy to cope with this.

What do the regulators say?

Recently there has been increased regulatory focus on the topic of culture. In 2022, the FCA's Emily Shepperd gave a speech entitled "From Zeroes to Heroes: How culture in financial services can change for everyone's benefit." The FCA has also boosted a cultural shift in financial services with the 2023 Consumer Duty regulations, and their recent consultation paper about Diversity and Inclusion.

The Australian Prudential Regulation Authority (APRA) published their 'Risk culture 10 Dimensions' framework, outlining these 10 key aspects which contribute to risk culture:

APRA's Risk Culture 10 Dimensions:

Risk Behaviours
1. Leadership
2. Decision-making and challenge
3. Communication and escalation
4. Risk capabilities
5. Alignment with purpose and values

Risk Architecture
6. Risk governance and controls
7. Risk appetite and strategy
8. Risk culture assessment and board oversight
9. Responsibility and accountability
10. Performance management and incentives

Measuring and assessing conduct risk culture

To effectively measure and assess conduct risk culture, organisations employ various methodologies and frameworks. The most commonly used framework is the "Three Lines of Defence" model. This model delineates the roles and responsibilities of different stakeholders within an organisation to ensure effective risk management.

The first line consists of the employees who directly interact with customers and clients.
The second line involves risk management and compliance functions.
The third line includes internal audit and independent review functions.

This model facilitates a comprehensive assessment of conduct risk culture by incorporating multiple perspectives.

Another methodology used to measure conduct risk culture is conducting cultural surveys and assessments. These surveys aim to gauge employees' perceptions and behaviours regarding conduct risk. By gathering data through anonymous surveys, businesses can identify potential gaps and areas for improvement. Assessments can also include interviews with key personnel to gain a deeper understanding of the organisation's culture and its impact on conduct risk.

Using appropriate conduct and culture management information will embed and strengthen the methodology used.

Incentives and culture: aligning behaviour with values

The relationship between incentive structures, performance metrics, and conduct culture is important in shaping the behaviour of employees within financial institutions. Incentives play a significant role in motivating individuals to achieve desired outcomes - but they can also inadvertently encourage risky behaviour if not aligned with an organisation's values.

To align behaviour with values, leadership teams should design their incentive structures carefully. This involves setting performance metrics that promote conduct risk awareness and adherence to ethical standards. Examples of these metrics could be:

• Customer satisfaction ratings
• Compliance with regulatory requirements
• Internal reviews from fellow employees
• Adherence to ethical codes of conduct

Linking incentives to these metrics should encourage employees to prioritise responsible behaviour and align their actions with the values of the business.

It's also important to communicate effectively with employees and implement training programmes to help create a strong conduct risk culture. Employees need to understand the importance of conduct risk and how it aligns with the organisation's overall mission and values. Regular training sessions using real life examples or external cases studies can help reinforce the desired behaviour and promote a culture of accountability.

What's the outcome of a strong conduct risk culture?

Measuring and assessing conduct risk culture is a priority for organisations, particularly financial institutions, if they want to mitigate potential harm and align employee's behaviour with their values. The gold standard is for employees to understand the expected behaviours, and to live the values through their work at all times, thereby safeguarding the business and its customers – as well as fostering trust and confidence among stakeholders.

Firms should use methodologies such as the "Three Lines of Defence" model and conducting cultural surveys to gain insights in to their conduct risk culture, as well as make changes in order to strengthen it. And it's also important to align incentives and performance evaluations with values so that the right behaviour is encouraged and rewarded in ways that promote responsible conduct.

Ultimately, a robust conduct risk culture contributes to the long-term success and sustainability of an organisation, the experience of its employees - and more importantly, the safety and satisfaction of its customers.

************************************************

This blog was written in collaboration with Martyn Carvey, Head of Ops Risk and Compliance SMF16 at National Australia Bank. 

Martyn has 20+ years of experience in risk management, regulation, policy-making and leading complex projects across sectors including Corporate Institutional Banking, Asset Financing, Private Banking and Asset Management. Key specialisms include embedding risk management, risk culture, risk reporting, regulatory strategy, ICAAP, stress testing, recovery planning, wind-down analysis and Brexit planning and has a strong background in delivering effective Governance, Risk, Compliance and AML/Financial Crime programmes within the Financial Services industry. Martyn currently is the Head of Operational risk and Compliance holding the SM16 function, as well as Head of Financial crime at National Australia Bank. He is a pragmatic and practical problem solver and leader who enjoys a complex challenge. Martyn has previously Chaired the Risk Network , which consists of 100+ CRO's across all finance sectors and has presented on risk assessment methodology and embedding risk frameworks into organisations. Martyn is a member of various trade associations and industry bodies.