Over the past year I’ve spent many hours speaking with MLROs in my consulting work, business development discussions and at various industry events. This has been an incredible way to develop a picture of what is occupying leaders’ thoughts, what they see as priorities and where concern is building - and I’d like to share that with you.
The themes won’t surprise you. Regulatory expectations feel ever more nebulous, the push for technology to deliver cost improvement is accelerating, and teams are always under strain. If this doesn’t resonate, try raising the idea of parallel-running your existing operations team while you embed new technology with your CFO, and watch out for the stapler being thrown in your general direction!
As we move towards the new year, my aim in writing this piece is to encourage you to carve out some time and space to look ahead, take stock of your fundamentals and make proper inroads into one or two larger strategic priorities before BAU activity takes over again.
The observations that follow reflect the topics I hear most often and which, in my view, merit careful thought as you plan the months ahead.
-2.png)
Effectiveness of KYC, governance, customer risk assessment and BWRA remain the first areas supervisors examine. These areas are where all the easy ‘gotchas’ can be found, and where firms tend to slip up.
A strong start to the year will depend on frameworks that reflect how your business operates today, with clear roles, accurate thresholds and language that avoids historic assumptions. For example, a BWRA should guide decisions by showing where risk sits, not generate broad commentary that could fit almost any firm.
It is worth revisiting your core documents with a fresh eye. Small refinements to definitions or ownership can improve clarity as much as wholesale rewrites. Checking whether your BWRA output genuinely informs prioritisation is particularly important.
A short external review can help here. It offers neutral challenge, highlights gaps internal teams may have stopped seeing and provides useful benchmarking ahead of your next regulatory interaction.
Technology change continues to arrive at pace, often driven by group functions or cost-reduction programmes. Many MLROs are being asked to consider automation and AI before guardrails, governance and data readiness are fully formed. Don’t be fooled into thinking everyone is ahead of you – on the whole, they are not, but there are many firms experimenting with certain use cases. These experiments require time, energy and investment to get right, so you need to be strategic about where you’ll get the biggest bang for your buck. That could be pKYC, functional or repeatable tasks in transaction monitoring or screening, or something more progressive. Whatever it is, begin the journey now. That said, invest in your operating model, processes and data first before investing in platforms and apps. Getting the foundations right will save you considerable expense in implementation and embedment time.
Before committing to any new tool, it is vital to understand how it makes decisions, which data it depends on, and how reliably you can monitor its performance. Regulators will expect you to explain the logic – and that requires confidence in both the control design and the surrounding processes.
Start by mapping where controls will sit once the technology lands. Check that the required data exists and is of sufficient quality. Clarify roles and hand-offs early so the business understands its responsibilities. Many implementation issues are rooted not in weak technology, but in insufficient preparation.
If capacity is limited, or if past implementations have been painful, drawing on people with experience of similar transitions can help avoid predictable pitfalls and reduce disruption.
Many operating models have evolved through repeated tweaks to structure, ownership or process. Over time this creates blurred responsibilities, slow decisions and friction between teams. MLROs frequently describe a sense that the model no longer reflects the risks they manage or the volume of work they face.
An honest look at how work flows through your function is valuable. Where do decisions stall? Where is ownership unclear? Which activities absorb disproportionate effort? A coherent model makes expectations clear, reduces the need for heavy oversight and eases pressure on already stretched teams.
For some leaders, external perspective helps bring neutrality to these conversations and introduces practical comparisons with approaches used elsewhere.
Assurance expectations continue to rise. Regulators want credible evidence that controls operate effectively, especially where technology plays a role. Most teams are already at capacity, so assurance must therefore be tightly focused on the risks that matter most and on the controls that genuinely mitigate them.
Control mapping isn’t a regulatory requirement, but without it a BWRA tends to describe control strength without being able to show it.
Skilled Persons, Independent Experts and Monitors invariably ask the same question: how do you know every material risk is covered? Without an explicit link between risks and controls, firms struggle to answer convincingly.
A single control may mitigate several risks, and particular risks may require multiple controls. Making these links visible removes ambiguity, exposes overlaps and gaps, and enables assurance to test what matters rather than interpret spreadsheets. Although mapping takes effort, its absence often makes BWRAs slow, subjective and open to criticism.
The same applies to RCSAs. When financial crime elements are weak or excluded, the organisation loses the discipline of a consistent control framework. Building a reliable control library may be politically and operationally challenging, but once established it gives leaders a dependable view of control effectiveness.
Where specialist review is needed - during a major change or to validate reorganised controls - targeted external support can deepen assurance without adding permanent workload.
The shift in recent years of more ownership to the first line makes sense, but doesn’t always work smoothly. The second line can appear to be making demands; the first line can feel under pressure and under-resourced. If left unaddressed, this tension slows progress and undermines control effectiveness.
A shared understanding of expectations is essential. Senior leaders on both sides of the fence need to interpret policies and standards in the same way and send consistent messages to their teams.
It is often helpful to convene leaders from both lines for a facilitated, structured discussion about how they intend to work next year. This can allow long-standing frustrations to surface and be resolved in a constructive way, clearing the path for smoother execution.
This time of year gives many MLROs a brief respite to reconsider their strategic aims and whether the function is on track. The most forward-looking leaders I speak with are concentrating on stronger fundamentals, readiness for technology change and operating models that allow both lines to perform without friction. Alongside this sits focused assurance and control mapping that demonstrates credible oversight without exhausting the team.
Some of this work can be done in-house; some may benefit from specialist external support to accelerate progress or bring clarity to difficult issues. Whatever the mix, the direction needs to be set by you. The aim is a programme that runs securely day to day, withstands scrutiny and improves steadily over time - giving you and your organisation confidence in the road ahead.
-1.png)