How POCA 2015 defines your MLRO's training responsibilities

The Proceeds of Crime Act 2015 (POCA 2015) is Gibraltar's primary anti-money laundering statute. It applies to all firms that fall within the definition of a regulated sector under Schedule 2, which includes DLT providers, remote gambling operators, financial services firms, and several other categories.

Most compliance professionals in Gibraltar are familiar with POCA's substantive offences: the three principal money laundering offences under sections 7, 8, and 9, and the failure to disclose offence under section 35. Fewer are equally familiar with the training obligations POCA places on firms, and specifically on the nominated officer.

The nominated officer obligation

Section 28 of POCA 2015 requires regulated firms to appoint a nominated officer (the MLRO) with specific functions including receiving internal SARs, determining whether to make a disclosure to the Gibraltar Financial Intelligence Unit (GFIU), and maintaining the firm's AML policies, controls, and procedures.

What is less frequently cited is the obligation under section 28(4): the nominated officer must ensure that relevant employees receive appropriate training on the identification of money laundering and the firm's reporting procedures. This is not a delegable function. The MLRO is personally responsible for the adequacy of training across the firm.

What constitutes adequate training

The GFSC's AML/CFT Guidance Notes (currently in their seventh edition) provide the most detailed elaboration of what POCA requires in practice. Chapter 6 of the Guidance Notes specifies that adequate training must:

• Cover the nature of money laundering and terrorist financing
• Address the specific risk factors relevant to the firm's business model and customer base
• Explain the firm's internal SAR reporting process, including the tipping-off restrictions under section 37
• Be refreshed at appropriate intervals, which the GFSC interprets as no longer than 12 months for staff in customer-facing or high-risk roles
• Be recorded in a way that allows the firm to demonstrate completion and comprehension

The distinction between completion and comprehension is important. The GFSC has noted in supervisory feedback that attendance logs alone do not satisfy the adequacy standard. Training that involves assessment, where staff are required to demonstrate understanding, is significantly stronger from an evidential perspective.

Common failures

The most frequent AML training failures identified in GFSC supervisory reviews and GFIU feedback are:

Training that is not role-specific. A customer support agent at a crypto exchange and the firm's MLRO face entirely different money laundering risks. Training that treats both identically fails to meet the risk-based standard POCA requires.

Training that does not reference Gibraltar law. Generic AML e-learning built for the UK or EU market will reference POCA 2002 and the Money Laundering Regulations 2017, neither of which applies in Gibraltar. Staff trained on UK law are not trained on Gibraltar law.

No record of the tipping-off restrictions. Section 37 of POCA 2015 is one of the most practically significant provisions for front-line staff. Many training programmes omit it entirely.

Insufficient MLRO-specific content. The MLRO must understand how to evaluate an internal SAR, when to make a GFIU disclosure, and how to handle a request for a defence against money laundering (DAML). Generic staff training does not cover this adequately.

The MLRO's personal position

It is worth being direct: if a firm suffers a money laundering failure and the GFSC or GFIU investigates, one of the first documents they will request is the training record. An MLRO who cannot demonstrate that staff received adequate, regular, Gibraltar-specific training faces personal regulatory exposure, not only reputational risk for the firm.

The training obligation under POCA 2015 is not a box to tick. It is a substantive control, and the GFSC treats it as one.