Beyond the lone guardian: Protecting the firm when you can't

Remember that scene from "Succession" where Logan Roy's health crisis throws his empire into chaos? While the drama series might be fictional, the sudden absence of a key figure, especially in compliance, can create equally dramatic consequences in the real world of financial crime prevention. Just ask the numerous firms who received those rather uncomfortable 'Dear CEO' letters from the FCA in late 2021.

While we're not dealing with billion-pound media empires, we are facing an equally critical challenge in the compliance world: who steps in when the MLRO steps out? With the FCA taking aim at firms with high MLRO turnover (three or more in three years), this question isn't just keeping board members awake at night - it's attracting serious regulatory scrutiny.

In this paper, we'll investigate the hidden risks of poor MLRO succession (and holiday) planning and run a thought experiment: what if you, the MLRO, unexpectedly ended up in hospital? We'll wrap it up with practical strategies to ensure your exec team understands the risks and your organisation never faces a compliance leadership vacuum - or worse, a hefty fine like so many firms are currently receiving.

The lonely guardian.

From suspicious activity reporting to regulatory liaison, MLROs stand as the guardians of financial integrity. But unlike Superman or Wonder Woman, you can't be everywhere at once (or as the FCA might put it, "have adequate resources and autonomy to do the role effectively"). And you definitely need holidays. Companies push for lean compliance teams because it's cost-effective, but as Nikhil Rathi's data-driven FCA has made clear, this creates dangerous points of failure.

The regulatory imperative.

In recent years, the FCA has significantly ramped up its focus on operational resilience. They're not just asking "Do you have an MLRO?" but "Why can't you keep one?" The message is clear: high turnover in this critical function compromises effective oversight and has a "detrimental impact on the firm's wider anti-money laundering framework." And how do you keep an MLRO? Minimise the chance of burnout.

So what are the risks?

The knowledge vault

As Bruce Schneier might say about cybersecurity, the biggest risk in MLRO succession isn't what we talk about - it's what we don't. Sure, you can document processes and create handover notes, but what about the years of accumulated knowledge, relationship nuances, and pattern recognition that sits in an MLRO's head?

The experience gap

And as compliance becomes more complex (just ask HSBC about their £63.9m fine for "serious weaknesses" in AML processes), the gap between an MLRO and their potential successor grows wider. Those subtle judgement calls, the ability to spot the unusual in the ordinary, the confidence to make tough decisions under pressure - these aren't skills you can transfer in a handover document.

A thought experiment.

The Monday morning crisis

Let's run a scenario. It's Monday morning, and while crossing the street an errant driver hits you, sending you to hospital in a serious but recoverable condition. You obviously don’t show up to work. At the office you have:

• Three SARs needing review
• A board meeting in two hours
• An ongoing regulatory investigation
• A very wealthy, but potential high-risk client waiting for onboarding approval

In one corner, we have your deputy MLRO:

Technically competent but never had to make the big calls. They know the processes but have been largely shielded by you on making the tough calls. They can see the suspicious activity reports, but do they have the confidence to defend their decisions to both the board and the regulator?

In the other corner, we have reality:

The regulator doesn't care that you’re in the hospital. They’re concerned about compliance no matter the situation or size of the firm. Just look at the £24,123 fine handed to Oldham firm Wrigley Claydon Solicitors, after failing to have a documented risk assessment, or the £1.5m penalty for Gatehouse Bank's compliance oversights. The board needs answers. The SARs have deadlines. The high-value, high-risk client is threatening to take their business elsewhere. What will they do?

The fight for control

Under the Senior Managers and Certification Regime (SM&CR), this isn't just about having a backup for when the unthinkable happens - it's about having a succession pipeline that ensures your organisation never skips a beat in its compliance obligations. Remember, in today's regulatory environment, personal liability means these decisions can't wait for your return from the hospital.

The path forward.

Knowledge transfer 

What could this look like in practice? Perhaps weekly case review sessions where potential successors present their decisions to you. Or maybe rotating deputy MLROs through different aspects of the role - from regulator interactions to board presentations. After all, having policies is one thing - having people who can implement them effectively is another entirely.

Beyond box-ticking

Gone are the days when the regulators would accept a tick-box approach to anything AML-related. As Nikhil Rathi's data-driven regime has shown, they're looking for substance over form. This means:

• Real succession planning, not just naming a deputy
• Genuine knowledge transfer, not just process documentation
• Active development of future MLROs, not just compliance training
• True delegation of authority, not just temporary cover

Humans for the win.

As with our previous discussion about AML, AI and biometrics, the biggest defence against compliance failures is people. When organisations invest in developing their compliance talent pipeline, give them real experience, and create space for growth, they build resilience. 

The future of MLRO succession isn't about documentation - it's about development. It's about creating an environment where compliance leadership can flourish, ensuring that when (not if) you as the MLRO needs to step away, your organisation's integrity remains uncompromised.

Because in the end, as recent enforcement actions have shown, size doesn't matter to the regulators - compliance culture does.