As compliance teams look back on the turbulence of 2025 and turn their attention to the year ahead, one question rises to the top: what will define an effective MLRO in 2026?
In our recent fscom webinar, Associate Director Fred McDowell was joined by Anna Sweeney and Matt Law to unpack the FCA’s most important signals and their practical implications for MLROs navigating another year of heightened regulatory scrutiny.
This blog sets out the most important themes and actionable takeaways to help MLROs shape their 2026 work plans, strengthen control frameworks and elevate the impact of their annual MLRO reports.
The annual MLRO report: from tick-box to strategic tool
The session opened with a poll asking MLROs how valuable they feel their annual MLRO report is. Unsurprisingly, responses were mixed.
As Anna noted, the report can feel “like a waste of time” when it lands in a drawer, barely skimmed. But it does not have to be this way.
Done well, the MLRO report becomes one of the most powerful levers an MLRO has to influence strategic decision making.
How? By framing the report around the following three pillars.
- Effectiveness. This sets out what is working and whether you can evidence outcomes rather than activities.
- Residual risk. This explains where the organisation is still exposed after controls operate.
- Future priorities. This identifies the support, headcount, technology or investment that is required.
Matt emphasised the report’s liability-shifting power. When an MLRO documents a risk such as an under-resourced transaction monitoring function, the burden moves to the board to accept or remediate it. Silence, by contrast, leaves liability with the MLRO.
This makes the annual MLRO report as much a strategic protection mechanism as a compliance obligation.
Key priorities for MLROs in 2026
1. Data-led supervision is now the expectation
Supervisors increasingly expect firms to provide high-quality, granular data at speed. A request for all cryptoasset-linked transactions in the past 24 hours, for example, is no longer hypothetical; firms should be ready to extract, validate and present this information.
2. Crypto risk is becoming a mainstream regulatory obligation
With the evolving UK cryptoasset regime and the implications of Consultation Paper 25/40, even firms that do not classify themselves as crypto businesses must have documented crypto risk appetites, updated enterprise-wide risk assessments (EWRA) and business-wide risk assessments (BWRA), and governance that understands cryptoasset exposure through third party relationships.
3. Fraud and financial crime risk are converging
Under the authorised push payment (APP) reimbursement framework and the Consumer Duty, fraud can no longer be treated as an operational issue. It must be integrated into financial crime frameworks, featured in board reporting and overseen through a governance structure that recognises fraud as a core financial crime risk.
4. Suspicious activity reporting is shifting from volume to value
Firms should focus on narrative quality, evidence-based suspicion, Defence Against Money Laundering refusal trends, tipping off risk in payment freezes and internal suspicious report to SAR conversion. Rising terrorism related reports and smurfing behaviours underline the need for stronger effectiveness metrics.
Using EWRAs and BWRAs to strengthen your risk framework
Your EWRA and BWRA should become your strategic compass.
Anna emphasised the following three steps for strengthening your risk assessments.
- Start with inherent risk using real data across customers, geographies, products, transactions and delivery channels.
- Assess control effectiveness, not just existence.
- Use residual risk to drive action.
Residual risks should map directly to investment decisions, monitoring enhancements or appetite exceptions.
When used correctly, your risk assessments help you:
- justify resources;
- sharpen governance; and
- anticipate emerging threats such as sanctions evasion, proliferation financing and cryptoasset typologies.
Making sanctions reporting meaningful (without scaring the board)
Sanctions remain the highest stakes area of compliance. Boards often perceive them as binary, which is unhelpful.
Matt suggested a powerful approach: report “near misses”.
Instead of:
“We had zero sanctions breaches.”
Try:
“Our screening system stopped three potential true matches this month, preventing likely breaches.”
This reframes sanctions reporting from fear based to value based, demonstrating:
- the system works;
- the team is effective; and
- investment is justified.
KRIs such as sanctions list update speed also help boards to understand process maturity, not just outcomes.
Common FCA control gaps and how to address them
1. Sanctions screening calibration failures
These issues can arise during data migrations or when data quality changes, where degradation becomes a control failure rather than a technology issue.
Fix:
- evidence system logic testing;
- validate new data fields; and
- strengthen governance around algorithm performance.
2. Regulatory perimeter drift
Firms may expand quietly into new activities, such as on-ramping or virtual IBANs, without informing the FCA.
Fix:
Conduct a regulatory perimeter audit comparing website promises against regulatory permissions.
3. High growth, low control scaling
Firms scale customer numbers without scaling compliance resourcing.
Fix:
Adopt trigger-based resourcing with thresholds that automatically require additional hires or tools.
Governance, MI and board engagement: making the MLRO report matter
Boards tend to engage most effectively when the report is focused on outcomes, when the risks are presented in commercial terms, and when the insights clearly influence their strategy.
Anna recommends the following steps to strengthen that engagement.
- Speak their language. Focus on risk, customer trust and commercial impact so the message is clear.
- Make it visual. Use dashboards, heat maps and trend lines to highlight changing risks.
- Make it actionable. Set out the top five board decisions required with clear options.
- Connect controls to growth. Show how strong Anti-Money Laundering (AML) controls support faster onboarding, smoother banking relationships and constructive regulator engagement.
Matt noted that if a report receives only “report noted” in board minutes, this is a sign of ineffectiveness. A strong report should provoke challenge and require decisions.
Final reflections: the themes shaping 2026
Across the session, several themes consistently emerged:
- data quality is the new battleground;
- effectiveness matters more than activity;
- residual risk is what the FCA will judge you on;
- fraud and AML must converge; and
- good governance is evidenced, not claimed.
Most importantly, MLROs must use 2026 to turn routine obligations such as the MLRO report, the EWRA and BWRA, and sanctions MI into strategic tools that drive resourcing, influence senior management and protect both the firm and the MLRO.
How fscom can help
At fscom, we support MLROs by strengthening the effectiveness of their control environments, not through box ticking, but through targeted, evidence led interventions. Our specialists provide:
- regulatory insight and practical guidance to help you embed robust, risk-based controls across AML, sanctions, fraud and governance, in addition to independent audits to assess and strengthen your existing controls in AML and financial crime;
- independent, outcomes focused assurance, designed to test the adequacy and effectiveness of your frameworks and highlight where uplift is needed; and
- hands on support throughout implementation, helping MLROs translate regulatory expectations into operational reality and demonstrate control effectiveness to boards and supervisors.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.