AML Compliance Retainer for CASPs: What's In Scope, What It Costs (2026)

Most CASPs run AML compliance as a hire-and-fire FTE problem. A senior MLRO is hired at authorisation. Twelve months later the supervisor's expectations have moved, the regulatory framework has tightened, and the MLRO either upskills (rare) or is replaced. The replacement spends six months learning the firm. The cycle repeats. The cost is not just salary — it is the compounding institutional memory loss of treating AML as a single-point-of-failure role.

The mature pattern is a compliance retainer — a fixed monthly fee paid to a specialist firm covering MLRO support, scheduled programme reviews, supervisory-engagement assistance, training, regulatory horizon scanning, and emergency response. The retainer wraps around an internal MLRO (which the regulator requires) but provides the depth, breadth, and continuity that a single full-time hire cannot. The internal MLRO remains accountable; the retainer provides the institutional bench.

This guide covers what a retainer actually covers, what it does not, how the engagements are structured, indicative monthly pricing for 2026, and how to evaluate providers.

A single MLRO inside a CASP carries an unrealistic load: programme design, ongoing transaction monitoring oversight, SAR/STR filings, supervisory engagement, training, board reporting, regulatory horizon scanning, vendor management, internal audit liaison. The job has the breadth of a compliance department but the headcount of one person. The CASPs that survive supervisory inspection are the ones that have institutional bench depth around the MLRO — either by hiring a compliance team (expensive) or by retaining external bench (cost-effective).

The pressure on the role is increasing. AMLR (Regulation 2024/1624)¹^[1] applies from 10 July 2027 with prescriptive controls and direct AMLA supervision of selected CASPs. The MLRO who navigated the AMLD-era programme is not necessarily the right MLRO to navigate the AMLR-era programme. Without bench, the firm is forced into a hire-and-fire cycle at exactly the moment regulatory continuity matters most.

Senior compliance professionals on call to support the internal MLRO with judgement calls, novel cases, escalations, and second-opinion reviews. Particularly valuable for on-chain investigations — mixer exposure, cross-chain forensics, sanctions-list address screening — where the internal MLRO may not have specialist depth.

Scheduled review of policies, customer risk model, EDD triggers, transaction monitoring rules, sanctions screening, training records. Aligned to the EBA AML Guidelines²^[2] and the AMLR rulebook. Typically quarterly thematic reviews plus an annual full-programme review. Output: documented findings and remediation plan, board-ready.

Drafting and review of supervisory correspondence, preparation for on-site visits, response to information requests, follow-up on supervisory findings. The retainer firm has comparative visibility across multiple supervised entities, which materially improves the calibration of responses. The internal MLRO sees one supervisor; the retainer firm sees the supervisor's pattern of behaviour across a portfolio.

Major incident support: a sanctions hit, a Tornado Cash deposit, a SAR-trigger event, a supervisory notice, a press inquiry, a banking partner de-risking. Same-day mobilisation of a senior team. The cost of NOT having this on retainer is the four-week procurement cycle to bring in external help during the actual incident.

Annual full-staff AML training; quarterly refresher for higher-risk roles (onboarding, ops, customer service); board-level briefings on emerging regulatory expectations. Training records are an inspection focus and a templated provider rarely meets supervisory expectations on substance and tailoring.

Continuous monitoring of EBA, ESMA, AMLA (from 2027), national NCA publications, FATF, and peer-supervisor enforcement actions. Translated into firm-specific implications and prioritised remediation. The internal MLRO does not have time to read every consultation paper; the retainer firm reads them all and surfaces what matters.

Equally important. A retainer is not a replacement for an internal MLRO. The MLRO function is a regulator-mandated role inside the licensed entity, with personal accountability that cannot be outsourced. The retainer provides depth around the MLRO; the MLRO remains the named accountable person.

• Customer onboarding decisions in BAU — the internal team does these.

• Transaction monitoring operation — the alerts are reviewed by the firm's internal compliance team.

• SAR / STR filings — submitted by the internal MLRO, who is the named contact at the FIU.

• Personal accountability for AML failings — that sits with the firm and the named MLRO, not the retained adviser.

Fixed monthly fee tied to a tier (small / mid / large CASP). Predictable budgeting. Fits firms with stable activity profile. Trade-off: less responsive to spike events without supplementary fees.

Hourly rates against a committed minimum. Fits firms with variable activity (M&A, new product launches, supervisory cycles). Trade-off: less predictable; budgeting requires accurate forecasting.

Fixed monthly retainer for scheduled scope (reviews, training, horizon scanning) plus an on-call bench at preferential rates for emergency or project work. The most common structure for mid-stage CASPs in 2026.

The retainer is the right answer when the firm needs depth and breadth that a single FTE cannot provide, and the volume of compliance work does not yet justify a five-person internal compliance team. Most CASPs sit in this band for the first 3–5 years of operation. Beyond that, the cost-benefit of building internal bench typically wins.

Indicative breakeven: when annual fully-loaded compliance team cost (3+ FTEs at senior level, ~€350,000+ all-in) exceeds the retainer cost by a meaningful margin AND the volume of work justifies the headcount. Below that, retainer-supported single MLRO is the more efficient model.

Generic financial-services AML retainers do not have the on-chain analytical bench, the Travel Rule expertise, or the mixer-policy depth a CASP needs. Probe specifically for Chainalysis / Elliptic / TRM Labs operational fluency and demonstrated CASP supervisory engagement.

Ask for the named individuals you will work with and their CVs. Junior-only bench is a structural disadvantage — you are paying for senior judgement and supervisor-credibility, not for documentation drafting.

CASPs operating in multiple EEA states (and post-Brexit, the UK) need a retainer with bench in each NCA jurisdiction it serves. Single-jurisdiction retainers struggle on cross-border supervisory questions.

Ask the provider for their AMLR readiness roadmap. Providers that cannot articulate how the rulebook changes the firm's programme between now and 10 July 2027 are not the right partners for the next 24 months.

The retainer firm should already have a working view on the Authority for Anti-Money Laundering (AMLA)⁴^[3] selected-entity threshold, the indirect-supervision pathway for non-selected CASPs, and the practical implications for inspection cadence from 2027 onward.

AML advisory firms with audit, recruitment, or vendor-resale arms create conflicts that compromise the advisory relationship. Prefer independent advisers with no resale or recruitment incentive — particularly important on KYC vendor selection or analytics-platform decisions.

No. The MLRO must be a named individual within the licensed entity, accountable to the regulator. A retainer supports the MLRO with depth, bench, and external judgement; it does not assume the MLRO function. Anyone telling you otherwise is mis-selling.

12 months minimum is standard, with quarterly review checkpoints. Multi-year contracts (24–36 months) are available at preferential pricing. Avoid 'rolling monthly' arrangements where the provider has no incentive to invest in deep institutional knowledge.

No — AMLR does not mandate retainers. It does mandate a senior MLRO, an independent control function, and demonstrable programme effectiveness. A retainer is a means to that end, particularly for firms below the headcount threshold for full internal compliance teams. The FATF³^[4] standards underpinning AMLR support this structure but do not prescribe it.

Continuity. A retainer firm builds institutional knowledge of your programme, your supervisor's preferences, your customer base. Ad-hoc consulting starts from scratch every engagement and never gets to the depth that supervisory engagement requires. The cost difference is meaningful but the quality difference is larger.

The retainer team typically attends preparation sessions, reviews documentation packs, runs mock-inspection drills, and is on call during the visit itself. They do not appear in front of the supervisor as the firm's compliance function — the internal MLRO and senior management do that. The retainer's value is in the work that has happened in the 12 months before the inspection, not on the day.

• AML Compliance for Crypto Firms — the underlying programme that the retainer supports.

• MiCA Compliance Guide for CASPs — authorisation framework underpinning the AML obligations.

• Bank Diligence File for a Regulated Crypto Firm — the AML evidence banks demand during diligence.

• Compliance Advisory — the finconduit retainer service: scope, pricing, mobilisation.

AML compliance is increasingly a team sport played by single players inside most CASPs. The retainer model fixes the structural mismatch between the breadth of the role and the depth of one person's bench — without the cost of hiring a five-person internal compliance team that smaller CASPs cannot yet justify. The right retainer is invisible during good times and decisive when something goes wrong.