CoverProof
Compliance | 12 June 2026 | 8 min read

The MLRO, COLP, and COFA Under Section 250 — Are Compliance Officers In Their Own Scope?

MLROs, COLPs, and COFAs sit in an unusual position under Section 250. They are the compliance officers who may be running firm-wide gap analyses — but whether they themselves fall within the s.250(3) "senior manager" test depends on whether their role involves organisational authority over a substantial part of activities, or oversight and advisory functions that sit outside that boundary.


The question compliance officers are asking

Since the Crime and Policing Act 2026 received Royal Assent on 29 April 2026, one of the most-asked questions in UK compliance communities has been: am I in scope myself?

For an MLRO (Money Laundering Reporting Officer), a COLP (Compliance Officer for Legal Practice, under the SRA Handbook), or a COFA (Compliance Officer for Finance and Administration, also SRA), the question is not abstract. These are the individuals often leading their firm's Section 250 gap analysis. They are, in a real sense, deciding who is in scope — but they also need to apply the same functional test to their own role.

This guide applies the s.250(3) test to compliance-officer roles honestly. The answer is: it depends on what the role actually involves, and the answer is different for different firms and different individuals holding nominally the same title.

The s.250(3) test: what it actually asks

Section 250(3) of the Crime and Policing Act 2026 (c.20) defines a senior manager as an individual who plays a significant role in (a) the making of decisions about how the whole or a substantial part of the activities of the body corporate or partnership are to be managed or organised, or (b) the managing or organising of the whole or a substantial part of those activities.

Two things matter here for compliance officers. First, the test is about organisational authority over activities — not advice on, or oversight of, those activities. Second, "substantial part" refers to the organisation's activities broadly, not just the compliance function or the regulated parts of the business.

A compliance officer who designs and owns policy across the whole firm — who decides what the firm can and cannot do across all its activities — is in a different position from a compliance officer who advises on policy, flags breaches, and escalates to the executive team, but does not make decisions about how the business runs.

The s.250(3) test is functional, not title-based. Two people called "MLRO" at different firms may get different answers.

MLROs: advisory oversight or decision-making authority?

Under the Money Laundering Regulations 2017, the MLRO must be an officer (or member of senior management) of the regulated entity. They receive internal suspicious activity reports, decide whether to make SARs to the National Crime Agency, and own the firm's AML/CTF programme. Their statutory function is oversight and reporting — they are a control function, not a business manager.

For most FCA-regulated firms, the MLRO's role in managing the firm's activities is advisory and supervisory: they set and enforce policy, they report to the board, they do not direct how the business lines run. If that describes the MLRO in your firm — a dedicated compliance or legal function with oversight authority but no executive line management of business activities — they likely do not meet the s.250(3) test.

However, the MLRO may meet the test where: (i) they hold a dual role that combines AML compliance with executive authority over a substantial part of the business; (ii) at a smaller firm, the MLRO is effectively the head of operations or risk, making decisions that shape how a substantial part of the business runs; or (iii) the AML/CTF programme they own is so central to the firm's authorised activities that owning the programme is equivalent to managing those activities.

The size and structure of the firm matters. An MLRO at a firm of five people, who effectively manages compliance, operations, and risk, is in a different position from an MLRO at a 2,000-person firm who leads a dedicated AML team that reports to the General Counsel.

COLPs and COFAs: the SRA framework

COLPs and COFAs are roles required under the SRA Handbook for SRA-regulated entities (law firms and similar). The COLP (Compliance Officer for Legal Practice) must take all reasonable steps to ensure compliance with the SRA's regulatory requirements. The COFA (Compliance Officer for Finance and Administration) must take all reasonable steps to ensure compliance with the SRA Accounts Rules and similar financial obligations.

For s.250 purposes, the analysis is similar to the MLRO analysis. The statutory function of a COLP is compliance oversight — ensuring the firm meets regulatory obligations, flagging breaches, reporting to the SRA. It is a control function. Whether it crosses into "significant role in deciding how a substantial part of the firm's activities are managed" is a facts-and-circumstances question.

A COLP who holds the role alongside a management position — for example, a partner who is also the managing partner — is likely in scope for s.250(3), on the managing-partner role. A COLP who is a dedicated compliance function with no executive management authority over the firm's activities is less likely to meet the test on the basis of the COLP function alone.

For COFAs, the same logic applies. A finance officer who manages the firm's finances in the sense of executing financial procedures and reporting holds an oversight role. A COFA who effectively decides how the firm allocates resources and structures its financial activities — making decisions that shape how a substantial part of the firm runs — is closer to the test.

What compliance officers should do

Compliance officers running a Section 250 gap analysis for their firm should apply the functional test to their own role, using the same methodology they use for everyone else.

The first question: do you make decisions about how a substantial part of the firm's activities are to be managed or organised? If the honest answer is yes — you have executive authority over business activities, not just compliance oversight — you meet the test and should be included in the gap analysis.

The second question: is there a risk that a court would regard your role as meeting the test even if you believe it does not? Where there is genuine ambiguity — because the role is broad, the firm is small, or the documentation is unclear — the safer course is to include the individual in the gap analysis and obtain a declaration.

For firms: a compliance officer who believes they do not meet the s.250(3) test should record that reasoning in the gap analysis, with reference to their actual role description. That reasoning is part of the methodology documentation. If the question arises later, the gap analysis will show that the question was considered and a reasoned decision made, not overlooked.

For any individual with genuine uncertainty about their own scope, independent legal advice is appropriate — particularly for MLROs and COLPs at smaller firms where roles often span compliance, operations, and executive decision-making.


Sources

  • Crime and Policing Act 2026, s.250 (c.20): www.legislation.gov.uk/ukpga/2026/20/section/250
  • Money Laundering Regulations 2017, reg.21 (MLRO appointment): www.legislation.gov.uk/uksi/2017/692/regulation/21
  • SRA Handbook — COLP and COFA requirements: www.sra.org.uk/solicitors/guidance/colp-cofa/
  • FCA — Senior Managers and Certification Regime: www.fca.org.uk/firms/senior-managers-certification-regime