Who should be your AMLCO?
Who is the best option for a compliance officer for your AML program?
One of the most important decisions in AML implementation is often treated as an administrative one: who should be appointed as the AML Compliance Officer?
Was the question I was asked while taking part in panel on AML Tranche 2 Reforms recently. The correct answer is: It is not an administrative decision. It is a governance decision.
Not the answer I gave, which was....
"They need to be the right mix of knowledgeable, engaging, charismatic, and a little bit annoying!"
I stand by that both statements can and are equally correct. The wrong appointment can leave a business with nominal compliance ownership but no real control. The right appointment can materially improve implementation discipline, issue escalation, decision quality, and executive visibility over risk.
Many businesses begin by asking who has capacity, who already sits in legal or compliance, or who can be named on the structure chart quickly. Those questions are understandable, but they are incomplete. The better question is this: who in the organisation is best placed to exercise informed oversight of the AML program and drive accountability across the parts of the business where risk actually sits?
The role requires more than technical familiarity with AML concepts. A credible AMLCO usually needs enough authority, access, judgement, and organisational standing to ensure the program does not remain theoretical. Policies do not implement themselves. Controls do not embed themselves. Exceptions do not escalate themselves. Someone needs to be able to push issues into decision-making channels and hold the line when commercial pressure collides with compliance discipline.
That is why the best AMLCO is not always the person with the most technical knowledge on paper. In some businesses, it may be a senior compliance professional. In others, it may be a risk leader, legal counsel, head of operations, or another executive-level figure with the authority to drive implementation and oversight. The answer depends on the size, structure, complexity, and maturity of the business.
There are several characteristics that matter.
The first is authority. The AMLCO should be able to obtain information, require action, escalate concerns, and be taken seriously by business leaders. If the person is junior, isolated, or dependent on others for every decision, the role can quickly become symbolic rather than effective.
The second is access. The AMLCO needs visibility across onboarding, customer activity, operational practices, high-risk matters, incidents, and internal reporting. If the role sits too far from how the business actually functions, the officer may only see issues after they have already become problems.
The third is judgement. AML implementation is not only about reading rules. It involves assessing risk, deciding when enhanced review is necessary, weighing incomplete information, determining when a matter should be escalated, and identifying where weak controls could create exposure. Businesses should be cautious about appointing someone who is technically diligent but unable to make balanced risk decisions under pressure.
The fourth is independence of thought. The AMLCO does not need to be detached from the business, but the person does need enough standing to challenge practices that are convenient commercially but weak from a control perspective. Where the role is given to someone whose primary performance incentives are tied to sales, volume, or client acquisition, there is an obvious risk that hard compliance decisions will be softened or delayed.
The fifth is implementation discipline. An AMLCO must often do more than maintain a policy. The role typically includes coordinating uplift work, driving remediation, overseeing training, monitoring control performance, documenting decisions, and reporting to leadership. This requires follow-through, not just subject matter knowledge.
Businesses also need to be realistic about what the role is not. Appointing an AMLCO does not remove leadership responsibility. The board, owners, directors, or executive team still carry accountability for ensuring the business has an appropriate framework, adequate resourcing, and active oversight. A common failure point is expecting the AMLCO to “own” the problem while the rest of the business continues to operate as though AML is a back-office technical matter. It is not.
There is also no universal rule that the AMLCO must be fully internal in every practical sense. Some businesses will rely on external advisory support, particularly during implementation or early-stage uplift. That can be sensible where the business needs technical depth or temporary capability. But even then, someone internally still needs to hold the line operationally. External advisers can support design, review, training, and remediation. They cannot replace internal accountability.
For small and medium-sized businesses, the practical answer may be a hybrid model: a senior internal decision-maker supported by external AML expertise. That can work well where the internal appointee understands the business and has authority, while the external support helps build the framework, guide risk settings, and challenge weak assumptions. The critical point is clarity. Everyone should understand who is accountable, who is advising, who is escalating, and who is making final decisions.
When choosing your AMLCO, it helps to test the appointment against a few hard questions.
Can this person challenge a high-risk client decision and be heard?
Can this person obtain cooperation across operations, finance, legal, and frontline staff?
Can this person recognise when an issue is not routine and requires escalation?
Can this person explain the program to leadership in a way that supports decisions and accountability?
Can this person sustain the role once the initial implementation effort settles into ongoing monitoring and oversight?
If the answer to those questions is uncertain, the appointment may need to be reconsidered.
The role should not go to the person who is merely available. It should go to the person most capable of maintaining program integrity in the real conditions of the business.
That is the standard worth applying.
