SMF16 vs SMF17: Who's Liable When AML Breaks Down?

When a firm's AML framework breaks down, the FCA does not cast its net wide. It looks immediately to two named individuals: the SMF16 and the SMF17. What surprises many first-time appointees is how distinct these two roles actually are in practice — and how often they are conflated at smaller firms, sometimes to devastating effect.

What the FCA Actually Expects

SMF16 — Compliance Oversight is a strategic function. The person holding this role is responsible for the framework — ensuring that policies, systems, controls, and governance structures are fit for purpose and appropriately embedded across the firm. The SMF16 answers the question: does this firm have a functioning compliance architecture?

SMF17 — Money Laundering Reporting Officer is an operational function. The MLRO is responsible for receiving, assessing, and actioning disclosures. They are the statutory gateway for Suspicious Activity Reports (SARs). They answer the question: is this firm detecting, escalating, and reporting financial crime correctly, right now?

The distinction matters most when something goes wrong. The FCA's enforcement history is clear: if a firm has structurally inadequate AML policies, the SMF16 faces scrutiny. If individual SARs were mishandled, suppressed, or filed late, the MLRO is in the frame.

The Danger of Doubling Up

At smaller payment firms and emerging fund managers, it is common — and technically permissible under the Senior Managers & Certification Regime — for one individual to hold both SMF16 and SMF17 simultaneously. This is not inherently problematic, but it creates a risk that is worth naming plainly: conflation of oversight and execution.

The SMF16 is supposed to challenge the compliance function. The SMF17 is the compliance function, in one of its most operationally intensive forms. When both hats sit on one head, the challenge function tends to atrophy. The FCA, in its supervision work, has observed this repeatedly — and the 2023 Financial Crime Guide updates reflected it.

Fit and Proper: The Hidden Gate

Both functions require FCA approval. Both are subject to the fit and proper assessment under FIT in the FCA Handbook. In practice, what the FCA is looking for differs:

• For SMF16, the regulator expects governance experience, an understanding of compliance frameworks, and evidence of challenge — not just technical knowledge of rules.
• For SMF17, operational MLRO experience is weighted heavily. Have you filed SARs? Have you managed a MLRO function through a regulatory visit or enforcement investigation?

References and interview outcomes carry significant weight. Firms that present nominees with strong CVs but thin operational histories often encounter friction at the approval stage.

Practical Guidance for Firms

If you are appointing to either role — whether internally or via a nominee service — the following should be your baseline:

1. Define the scope clearly in the Statement of Responsibilities (SoR). Ambiguity in the SoR is the single most common source of enforcement exposure. The FCA will hold the named individual to exactly what the SoR describes.

2. Do not assume one training programme covers both roles. SMF16 and SMF17 require different technical literacy. Compliance oversight demands governance and audit methodology. MLRO demands SAR mechanics, typologies, and escalation protocol under POCA 2002.

3. Build in the challenge dynamic, even if one person holds both. Create a formal mechanism — typically a compliance committee or audit function — through which the SMF16 role can genuinely challenge the operational outputs of the MLRO function.

4. Document everything that flows through the MLRO. The MLRO's decision log — particularly decisions not to file a SAR — is frequently the first document requested in an enforcement investigation.

Both SMF16 and SMF17 are available on a nominee basis for firms requiring experienced, FCA-ready incumbents. For initial discussions around structuring these appointments correctly, direct correspondence is welcomed.