✓ Updated for 2026 Irish AML Regulations ✓ CPD Eligible ✓ Trusted by 400+ Irish firms

Being appointed MLRO is a big step up. The Criminal Justice Act makes the MLRO the firm's single point of accountability for AML/CFT. In a Central Bank inspection, you are the person they talk to first. The 100 days after your appointment are your window to reach the point where you can walk into an inspection room confident you can show what "good" looks like.

Here's the checklist.

1. Get your appointment letter on file

The board or senior management must formally appoint you, in writing, with defined scope and authority. Central Bank inspectors will ask for this letter. If it doesn't exist, fix it in week one.

2. Read the firm's AML Risk Assessment

Read the Business-Wide Risk Assessment (BWRA) critically. Is it current? Is it rating the risks you can see from the client book? If it's more than 12 months old, or it reads like a template, plan a refresh immediately.

3. Read the firm's AML Policies and Procedures

Your firm's P&Ps must reflect the CJA, current Central Bank guidance, and your BWRA. Look for obvious gaps: beneficial ownership, sanctions, EDD triggers, STR escalation, tipping-off safeguards, training cadence, record retention.

4. Meet the team

Sit down with each team lead. Ask how they apply CDD, when they'd escalate, what they've been trained on, how they'd know a PEP. The gap between policy and practice is where most AML failures live.

5. Review the STR log

How many internal reports were escalated in the last 12 months? How many STRs were filed? Is the ratio plausible given client numbers and risk? A low or zero ratio is a red flag. A high ratio with no consequence is also a red flag.

6. Check sanctions screening

Confirm that sanctions screening is happening at onboarding and ongoing. Confirm list coverage (EU, UN, OFAC, HMT where relevant). Ask for evidence of screening on a random sample of clients.

7. Audit the training file

Pull the last 12 months of training records. Are they complete? Is there an exam with a pass mark? Does the content reference the CJA? If the answer is "we did a PowerPoint" — this is your biggest early win.

8. Test sample CDD files

Pull five recent client files across risk categories. Walk through the file as if you were an inspector. Is every element present? Could you defend the risk rating? Does the ongoing monitoring log show real activity?

9. Review the Management Information (MI) flowing to the board

Boards must receive AML MI. Look at the last four board packs. Does AML feature? Does it include training completion, STR volumes, risk assessment refreshes, inspection findings? If not, design a new pack and get it signed off.

10. Test the breach-response process

Run a tabletop exercise — a fake suspicious transaction coming in at 4:45 on a Friday. Does the right thing happen? If the answer is no, build the process and retest within 30 days.

11. Check the record-retention setup

AML records must be retained for six years after relationship end. Check the storage solution, the retention rules, and the disposal process. Many firms discover they have contradictory GDPR and AML retention policies.

12. Plan your own training and development

The Central Bank expects MLROs to be competent, current, and evidenced. Book into ongoing AML training, subscribe to the Central Bank AML bulletins, and diarise quarterly time to review typology updates.

Bonus: the first MLRO report

After 100 days, write a short report to the board: what you've found, what you've fixed, what remains open, and when. Present it, get it minuted. It's the single strongest piece of evidence that you've taken the role seriously.

Where Harrington fits

Items 7 and 12 are where we help most directly. Our AML course gives your whole firm up-to-date, audit-ready training, and our MLRO tools produce the reporting you need for the board and the Central Bank.

Book a 15-minute demo and we'll show you the MLRO dashboard.
