Can a football club outsource its AML and compliance function? Yes, and here is how

EU Regulation 2024/1624 requires professional football clubs to have a functioning AML compliance framework from July 2029. It does not require them to build or staff it internally. Outsourcing the compliance function is expressly permissible, and for most clubs, the more practical option. But outsourcing does not transfer legal responsibility. The club remains the obliged entity. The club remains accountable to its regulator. What outsourcing transfers is the operational delivery of the compliance function, not the obligation itself.

What the regulation requires and what it does not

Under Article 3 of EU Regulation 2024/1624, professional football clubs become obliged entities from 10 July 2029. The regulation requires clubs to conduct customer due diligence, verify beneficial ownership, screen for sanctions and PEPs, analyse source of funds, file suspicious activity reports where warranted, and operate a board-approved governance framework. It requires, under Article 9, the designation of a compliance officer at management level and a Money Laundering Reporting Officer responsible for AML matters.

What the regulation does not require is that these functions be performed by employees of the club. Neither EU Regulation 2024/1624 nor the UK Money Laundering Regulations require in-house delivery as a condition of compliance. Outsourcing the compliance function and the MLRO role to a qualified external provider is permissible and is a model used by regulated entities across financial services, legal and payment sectors for years.

However, and this matters, outsourcing the function does not outsource the obligation. The club is the obliged entity. The club's board is accountable for the adequacy of the AML framework. If the outsourced provider makes an error, misses a concern or fails to file a SAR that should have been filed, the regulatory exposure sits with the club, not the provider. This is not a reason to avoid outsourcing. It is the reason to choose the right provider, engage them properly, and maintain appropriate board-level oversight of the outsourced function throughout its operation.

Why most clubs should consider outsourcing rather than hiring

The economics of building an in-house AML compliance function deserve to be examined honestly. A senior compliance professional with the regulatory knowledge required to design, implement and operate an EU AML-compliant framework for a professional football club -- with experience of beneficial ownership verification, sanctions screening, source-of-wealth analysis and transfer-window oversight -- does not come cheaply. Total employment cost for a senior compliance hire at that level, including salary, National Insurance, benefits and recruitment fees, is likely to exceed one hundred thousand pounds per year before any technology, training or supervision costs are added.

That is the cost for a single hire. It produces one individual, covering one area of expertise, available during business hours, potentially unfamiliar with football's specific risk profile and transaction patterns. An outsourced compliance function delivers a team. Multiple practitioners, different specialisms, cover arrangements for absence, institutional knowledge of football's regulatory environment, and a service level agreement that does not depend on any single person's availability. For Championship and lower-tier clubs for whom a six-figure compliance hire is commercially unjustifiable, and for Premier League clubs that want specialist football AML expertise rather than a generalist compliance hire, outsourcing addresses both problems simultaneously.

Outsourced Compliance Capability Callout

An outsourced compliance function is not a cheaper version of an in-house team. It is a more capable version, with broader expertise, better coverage and institutional knowledge that a single hire cannot replicate. But the legal obligation remains with the club.

What outsourcing does and does not transfer: the legal position

This point is important enough to address directly in its own section, because it is the most common source of misunderstanding about outsourced compliance arrangements.

When a football club engages an outsourced AML provider, it is engaging a third-party service supplier, not transferring its regulated status. The club is the obliged entity under Article 3 of EU Regulation 2024/1624. It is the club's licence, the club's regulatory relationship and the club's legal exposure. Outsourcing the operational delivery of the compliance function to a specialist provider does not change any of those facts.

What this means in practice: the board of the club must still approve the AML policy. The club must still maintain records in its own name. The MLRO designation under Article 9, while it can be fulfilled through an outsourced arrangement, is a designation that the club makes of a responsible person -- that person's accountability runs to the club and through the club to the regulator. If the outsourced provider's MLRO fails to file a SAR that should have been filed, the supervisory action comes to the club, not to the provider's office.

The practical consequence is that outsourcing the compliance function requires more governance, not less. The board needs to understand what the outsourced function covers, receive regular reporting from it, maintain genuine oversight of its performance, and retain the ability to challenge and direct it. A club that outsources its compliance function and then treats it as invisible has not reduced its regulatory risk. It has simply moved the operational delivery off-site while retaining full legal exposure to any failures that occur.

A well-structured outsourcing arrangement addresses this through clear contractual scope, regular board reporting, annual independent review of the outsourced function's performance, and defined escalation paths for significant concerns. The best outsourced providers build these governance mechanisms into the service by default, because they understand that the club's accountability and the provider's reputation are both served by a relationship with genuine oversight rather than nominal delegation.

Board Outsourced Compliance Obligations

What the board of a club with an outsourced compliance function needs to do

Approve the AML policy and risk appetite statement.
These remain board-level decisions regardless of who drafts them.
Receive and review regular compliance reporting.
At minimum quarterly, covering counterparty screening status, SARs filed or considered, any material concerns identified and the state of the control framework.
Understand the scope of what the outsourced function covers and what it does not.
Ensure any gaps are identified and filled. The board cannot exercise meaningful oversight of a function whose boundaries it does not understand.
Maintain the ability to challenge and direct the outsourced provider.
The relationship should be actively supervised, not passively accepted.
Ensure the outsourcing arrangement is documented in a written agreement.
Clearly defining responsibilities, reporting obligations, escalation procedures and the process for reviewing the provider's performance.

What an outsourced AML function for a football club includes

With the legal position clearly understood, the operational case for outsourcing is straightforward. A full-service model for a professional football club covers four interconnected areas.

The first is ongoing advisory and MLRO support. AML advice available in real time to the club's finance, legal and transfer teams; fulfilment of the MLRO function including suspicious activity report assessment, triage and filing with the National Crime Agency or relevant financial intelligence unit; policy updates as the regulatory environment evolves; and escalation support for complex situations including sanctions events, ownership changes and banking relationship queries. The MLRO role in particular is one that every obliged entity must designate, and that the right outsourced provider can fulfil without requiring the club to recruit a permanent senior compliance officer. The club remains accountable for the quality of those decisions; the outsourced provider is responsible for the operational delivery.

The second is counterparty due diligence. Ongoing KYB, UBO verification, sanctions and PEP screening, and adverse media monitoring for the club's sponsors, agents, investors and ownership structure. Outsourced providers typically combine automated screening technology with expert human review, the technology-plus-judgement model that screening-alone approaches cannot provide.

The third is transfer-window oversight. Pre-commitment review of transfer structures and payment flows; agent commission validation; intermediary assessment; red-flag analysis; source-of-funds review for high-value transactions; documented decision trails through every window. This is time-intensive, specialist work that most clubs' finance and legal teams cannot absorb on top of their existing responsibilities during the most pressured weeks of the commercial calendar.

The fourth is governance and board reporting. Annual AML independent review; quarterly board reporting on the compliance position; banking support for AML questionnaires and correspondent bank reviews; regulatory support if a supervisory review is initiated. This is the governance layer that keeps the board informed, informed enough to maintain meaningful oversight and to discharge their own accountability for the club's compliance position.

The outsourced MLRO: what it is and why it matters

The Money Laundering Reporting Officer is the individual designation that EU Regulation 2024/1624 and equivalent national legislation require every obliged entity to make. The MLRO is responsible for receiving internal suspicious activity reports, assessing whether they warrant external reporting to the relevant financial intelligence unit, maintaining the SAR log, and acting as the first regulatory point of contact on AML matters.

An outsourced MLRO arrangement provides specialist expertise, ongoing regulatory awareness and structural independence from the club's commercial operations. But the designation itself remains with the club. The club designates a person, typically the outsourced provider's lead practitioner on the engagement, to fulfil the MLRO function. That person's legal accountability flows through the club's regulatory relationship. The outsourced provider supplies the expertise and operational capability; the club supplies the governance framework within which that capability is exercised.

Outsourced AML Provider Checklist

What to look for in an outsourced AML provider for football

Football-native expertise, not generic compliance.
A provider that has adapted bank compliance frameworks for football is not the same as one that has built football compliance frameworks from the ground up.
Genuine governance integration.
The provider should produce regular board-level reporting, participate in annual reviews and maintain a relationship with the club's senior management -- not simply deliver outputs into a void. A provider that does not actively support board oversight of the outsourced function is not a suitable outsourced partner.
Technology-enabled, not technology-only.
Screening tools are essential but insufficient. The provider needs to interpret results, conduct beneficial ownership analysis through multi-layer structures, and make risk-based decisions that technology cannot make on its own.
Genuine MLRO capability, not a nominal designation.
The MLRO function requires practitioner expertise. Assess what the provider's MLRO support actually covers: SAR assessment and filing, escalation decision-making, regulatory liaison and post-event review.
Transfer-window capacity.
A provider that cannot scale its response during a window is not a suitable outsourced compliance partner for a club with active transfer market activity.

Your AML function. Run by the specialists who built it. Accountable to your board.

Lagom Sports Compliance's outsourced AML and compliance service is built specifically for professional football. The service covers ongoing MLRO support and SAR management, counterparty due diligence, transfer-window oversight, annual independent review and quarterly board reporting -- with governance integration as a standard feature of the engagement, not an optional add-on. The club retains full visibility and board-level oversight throughout. Lagom handles the operational delivery.

The obligation is clear. The legal responsibility stays with the club. The question is not whether you need a compliance function -- it is whether you are better served building one, hiring one, or outsourcing one.

Frequently asked questions: outsourcing AML compliance for football clubs 

Previous
Previous

EU AML 2024/1624 and football agents: the definitive guide to what applies to you from July 2029

Next
Next

How banks are changing the rules for football clubs: enhanced due diligence, de-risking and what it means for your banking relationships