Every UK firm that falls inside the regulated sector under the Money Laundering Regulations 2017 must appoint a nominated officer - usually styled as the Money Laundering Reporting Officer (MLRO) - and that officer is expected to produce an annual report for senior management. Although the supervisory bodies (HMRC, ICAEW, ACCA, CIOT, IPA, AAT, CILEx Regulation) have repeatedly flagged the MLRO report as a high-risk area at supervision visits, a striking number of practices either skip it or produce a two-paragraph memo that simply restates the regulations.
This guide walks through what an MLRO report should actually contain in 2026, organised in the same order most accountancy supervisors expect to see it. Treat it as the skeleton you adapt; do not copy and paste it verbatim into your firm.
Why the report exists in the first place
Regulation 21 of MLR 2017 obliges relevant firms to establish and maintain policies, controls and procedures to mitigate the risks of money laundering and terrorist financing. The MLRO annual report is the document that proves to senior management - and to your supervisor when they ask - that those controls have been tested, that weaknesses have been surfaced, and that you have a remediation plan with named owners and deadlines.
Crucially, the report is addressed to the firm's senior management. It is not addressed to HMRC or to the National Crime Agency. The board or partners must read it, formally accept or reject the recommendations, and minute that decision. A report sitting unread in a SharePoint folder fails its own purpose.
Section 1 - Period covered, scope and methodology
Open with the reporting period (typically a 12-month window aligned to your firm's year end), the legal entities covered, and the methodology you used to gather evidence. State clearly how many client files were sampled, how the sample was selected (random, risk-weighted, or both), and which procedures were tested.
A common weakness flagged at HMRC visits is reports that describe an "ongoing review" without quantifying it. "We sampled 40 client files across the three highest-risk service lines, weighted 60% toward EDD clients and 40% toward standard CDD" is the level of specificity required.
Section 2 - The firm-wide risk assessment refresh
Confirm whether the firm-wide risk assessment (Regulation 18) has been reviewed in the period, what changed, and what triggered the review. Triggers should include changes to the client base, new service lines, new jurisdictions, regulatory developments such as a revised National Risk Assessment or an updated sectoral risk assessment from your supervisor, and any internal incidents.
If nothing changed, say so - and justify why. A firm-wide risk assessment that has not been touched in three years is a red flag even if the underlying client base is stable.
Section 3 - CDD, EDD and ongoing monitoring outcomes
Quantify the work. How many new clients were onboarded? How many required EDD? How many existing clients had a periodic refresh? How many failed initial CDD and were either declined or escalated?
A useful structure here is a small table: total clients, % classified low/standard/high risk, number of EDD files opened, number of source-of-funds enquiries raised, number of client relationships terminated for AML reasons. Operationally, this data is much easier to compile if your practice management system records risk ratings and document expiry dates against each client profile - Accupe's Compliance Radar, for example, holds this data in one place rather than across spreadsheets and email folders.
Section 4 - Internal SARs and external SARs to the NCA
Report the number of internal disclosures made to the MLRO during the period, the number that were escalated to the NCA as external SARs, and the number of DAML (Defence Against Money Laundering) requests made. Where internal reports were not escalated, briefly summarise the reasoning (without identifying the client or breaching tipping-off rules in your own internal records).
Comment on the quality of internal reporting. If only one internal report was raised in a 12-month period across a 40-person firm, that itself is a finding - it usually means staff are not confident in spotting suspicion, not that nothing suspicious occurred.
Section 5 - Training delivered and training gaps
List training delivered in the period: who attended, what was covered, who delivered it (in-house, supervisor webinar, external provider), and how attendance was evidenced. Identify staff who did not complete training and the remediation plan. Note any topic gaps - for example, if the firm took on its first trust client mid-year but the trust-specific AML training has not yet been rolled out.
Section 6 - Sanctions and PEP screening
Describe how the firm screens new and existing clients against the UK sanctions list maintained by OFSI, against UN and EU consolidated lists where relevant, and against politically exposed person (PEP) databases. State the screening frequency for the existing book - daily, monthly, or event-driven - and justify the cadence against the firm's risk profile.
Many firms underestimate how often sanctions lists change. OFSI updates can land mid-week with immediate effect, and the obligation is absolute. Firms running screening through Accupe's OpenSanctions integration get automated re-screens against the current consolidated lists; firms running on PDF checklists rarely do.
Section 7 - Findings, recommendations and management response
This is the section senior management actually needs to read. List each finding, its severity, the recommended action, the owner, and the target date. Leave a column for the management response so the board can sign off finding-by-finding rather than approving the document as a whole.
Common findings worth pre-empting include: inconsistent risk ratings applied by different team members, gaps in periodic refresh for long-standing clients, ID documents accepted past their stated expiry, and missing source-of-funds documentation on EDD files.
Section 8 - Forward plan
Close with a forward plan for the next 12 months: training topics, sampling targets, system changes, and any new regulatory developments the firm needs to absorb (for example, ongoing changes flowing from the Economic Crime and Corporate Transparency Act). The forward plan is your insurance policy at the next supervision visit - it shows the firm is thinking about AML as a live programme, not an annual chore.
Closing
A good MLRO annual report is around 8-15 pages, written in plain English, evidenced with quantified sampling, and signed off by the partners with documented actions. If yours is shorter than three pages or has never produced a single follow-up action, treat the next reporting cycle as a chance to rebuild it properly. The cost of producing it well is trivial compared with the cost of an adverse supervision visit finding.