The Money Laundering Reporting Officer is the single most consequential hire on a CASP authorisation file — and the most common reason authorisation programmes stall. Bank of Lithuania, Central Bank of Ireland, BaFin, CySEC and MFSA all require the MLRO to be regulator-approved before they can take office, and all of them apply a fit-and-proper bar that has tightened materially through 2025–2026. A weak MLRO file delays authorisation by 6–9 months. A strong MLRO file accelerates everything that follows.
The role is also among the hardest to recruit for. Crypto AML is a thin labour market — fewer than 800 individuals in the EEA combine MiCA-relevant CASP / VASP MLRO experience with the local-residency the NCA requires, and competition for that pool has driven mid-career MLRO compensation up 30–50% over the last three years. Compensation now sits at €100,000–€200,000 base plus 20–50% bonus depending on jurisdiction, scale of the CASP, and whether the candidate has prior NCA-approved status.
This guide explains what an MLRO actually does, the fit-and-proper expectations the NCA applies, the skills and experience that pass first review, salary benchmarks by jurisdiction, where to find candidates, the interview structure that filters real expertise from polished CVs, the local-residency requirements, and when an outsourced MLRO is operationally acceptable as a bridge. Read this before you brief the recruiter — a misaligned hire here is hard to remediate without re-applying.
What the MLRO Actually Does
The MLRO is the natural person legally responsible for the AML/CTF programme inside the CASP. The role is fixed by MiCA Article 68 in combination with the EBA Guidelines on ML/TF risk and member-state AML laws transposing the Sixth Anti-Money Laundering Directive. The duties are non-delegable in legal effect even if operationally distributed.²[1]³[2]⁵[3]
Own the AML programme. Maintain the written ML/TF risk assessment, CDD/EDD policy, transaction monitoring rules, sanctions screening procedure, and Travel Rule policy.
File Suspicious Activity Reports. The MLRO is the legal filer to the national FIU; the decision to file or not file rests with the MLRO personally.
Brief the board. Quarterly board reporting on ML/TF risk, alert volume, SAR count, supervisory engagement, programme performance.
Liaise with the NCA. Single point of contact for AML supervision, on-site inspection coordination, regulatory dialogue on typologies.
Train staff. Annual training of all employees on AML obligations, role-specific training for customer-facing teams.
Approve high-risk relationships. Senior management approval of EDD relationships, PEPs, high-risk-third-country exposure.
The Fit-and-Proper Bar in 2026
Joint EBA/ESMA Guidelines on suitability shape NCA expectations across the EEA. Each NCA layers its own application but the consensus expectations are now reasonably consistent: NCAs assess reputation, knowledge, experience, independence of mind, and time commitment. The MLRO file submitted for pre-approval typically runs 30–60 pages and includes the items below.⁴[4]
MLRO fit-and-proper file — what NCAs expect to see for pre-approval (2026).
| Element | What it must contain | Common rejection reason |
|---|---|---|
| Detailed CV | Full employment history, AML-relevant roles, regulatory engagements, gaps explained | Gaps unexplained; AML experience overstated |
| Criminal record check | Recent (≤6 months) clean record from country of residence + countries of meaningful prior residence | Older than 6 months; missing residency countries |
| Educational and professional certifications | ACAMS / ICA / CAMS certification + degree-level qualification | No formal AML certification; degree only |
| AML-specific experience | ≥5 years in MLRO or deputy AML role; ≥2 years crypto-specific | Generic financial-services AML; no crypto exposure |
| Personal financial position | Bankruptcy declaration, conflicts of interest, source of wealth | Undisclosed insolvency; conflicts not surfaced |
| References | ≥2 senior referees from prior regulated employers | Same-firm references only; insufficient seniority |
| Time commitment | Evidence of ≥80% allocation to the CASP; cap on parallel directorships | Multiple parallel MLRO roles undisclosed |
| Local residency proof | Tax residency, lease, utility bills, proof of physical presence | Nominal residency only; no physical presence |
| Knowledge assessment | Some NCAs (BaFin, Central Bank of Ireland) administer a written AML knowledge interview | Failure of substantive interview |
The Skills Matrix — What to Actually Look For
An effective CASP MLRO combines four skill axes. Mid-career hires usually excel on two or three; the strongest senior candidates excel on all four. Score every shortlisted candidate on each.
MLRO skills matrix — what to assess in shortlisted candidates.
| Skill axis | What to assess | How to test in interview |
|---|---|---|
| 1. Regulatory craft | Reading regulation, filing SARs, NCA dialogue, pre-approval history | Walk through a recent SAR they filed; ask about a recent NCA exchange they handled |
| 2. Crypto fluency | Wallet attribution, blockchain analytics, mixers, peel chains, Travel Rule typologies | Ask them to talk through a Tornado Cash exposure they investigated |
| 3. Operational discipline | Building rules engines, false-positive tuning, three-lines-of-defence ownership | Ask about a transaction monitoring rule they tuned and why |
| 4. Strategic communication | Board reporting, supervisory letter response, customer impact framing | Ask them to draft a board memo on a hypothetical incident in 30 minutes |
Salary Benchmarks by Jurisdiction
Compensation has shifted materially since 2023. Pre-MiCA, MLRO salaries clustered at €80,000–€140,000 across most EEA jurisdictions. Post-MiCA application and through 2026, the mid-career range is €100,000–€200,000 with the senior tier (>10 years' experience, prior NCA-approved status, multi-jurisdiction track record) reaching €220,000+ in Ireland and Germany.
MLRO compensation benchmarks for a mid-career candidate (5–8 years' AML experience, ≥2 years crypto-specific, regulator-approved at least once) — base salary plus typical bonus.
| Jurisdiction | Base salary range | Typical bonus | Total comp |
|---|---|---|---|
| Lithuania | €90,000–€150,000 | 20–30% | €110,000–€195,000 |
| Cyprus | €80,000–€140,000 | 20–30% | €95,000–€180,000 |
| Malta | €90,000–€150,000 | 25–35% | €110,000–€200,000 |
| Ireland | €140,000–€220,000 | 30–50% | €180,000–€330,000 |
| Germany | €140,000–€220,000 | 20–40% | €170,000–€310,000 |
| Estonia | €80,000–€130,000 | 15–25% | €90,000–€165,000 |
| Senior MLRO (>10 yrs, multi-jurisdiction) | +€40,000–€80,000 over band | 30–50% | Add 30–50% to band totals |
Most candidates ask for retention guarantees and clear escalation pathways before accepting an MLRO role. The combination of personal criminal liability under 6AMLD and the personal-reputation impact of a failed authorisation makes MLROs commercially careful in negotiations. Plan a 4–6 week negotiation window and a strong D&O insurance package alongside the salary offer.
Where to Find MLRO Candidates
Specialist recruiters. Selby Jennings, Robert Walters Compliance, Brunel — strong on Tier-1 candidates but premium retainers (€20,000–€40,000 per placement).
Compliance professional networks. ACAMS European chapters, ICA membership lists, ESMA Crypto-Assets Standing Committee adjacent professionals.
Outbound from competitor CASPs. Most mid-career CASP MLROs are reachable via LinkedIn; a discreet outbound from a sponsor partner is often more effective than recruiter sourcing.
Legacy fintech / EMI alumni. EMI MLROs from Lithuanian and Maltese fintechs frequently retrain into CASP roles with a 6–9 month learning curve on crypto-specific typologies.
Banking AML alumni. Tier-1 bank AML / financial-crime-investigations alumni have the regulatory craft but need crypto-specific upskilling — usually a 12-month bridge.
Interview Structure That Filters Real Expertise
A 4-stage process surfaces the gap between real expertise and polished interview answers. Most weak hires pass stage 1 and fail stage 3 unrecoverably.
Stage 1 (45 min): screening with HR + Head of Compliance. CV walkthrough, motivation, residency confirmation, salary expectations.
Stage 2 (90 min): technical with the existing compliance team. SAR walk-through, Travel Rule typology test, blockchain analytics tool fluency.
Stage 3 (60 min): board-level with CEO + non-exec director. Board reporting, escalation discipline, regulator communication. Ask for a written 1-page board memo on a hypothetical incident.
Stage 4 (case study): take-home — review a fictitious 50-page AML programme and write a 2-page critique with prioritised remediation. Pay €1,500–€3,000 for the work; only candidates serious about the role complete this.
Reference calls: 2–3 senior referees from regulated employers. Conducted by Head of Compliance personally, not delegated.
When Outsourced MLRO Is Acceptable (and When It Isn't)
Outsourced or fractional MLRO services are widely advertised in Cyprus, Malta and Lithuania. The truthful position is narrow: outsourced MLRO is a credible bridge for the application phase or for very small Class 1 CASPs; it is a liability for any CASP at meaningful scale.
Acceptable: pre-application phase up to authorisation grant — a regulator-approved external MLRO holds the file while you recruit the permanent hire.
Acceptable: Class 1 CASP (advisory only) with very low transaction volume.
Borderline: Class 2 CASP under €50M annual volume — accepted by Lithuania and Cyprus, less favoured by Ireland and Germany.
Not acceptable: Class 3 CASP with custody; Significant CASP candidates; any CASP under ESMA direct supervision. NCAs will require an in-house MLRO with full-time commitment.
Common MLRO Hiring Pitfalls
Hiring before the regulator pre-approves. Issuing an offer letter before NCA approval risks a wasted hire if pre-approval is refused. Always offer subject to regulatory pre-approval.
Confusing AML certification with crypto fluency. ACAMS / ICA certification is necessary but not sufficient — a generalist AML certified candidate without crypto-specific exposure will fail Stage 2 of a serious interview.
Underpaying for the role. The MLRO labour market is thin and tightening. Below-band offers extend the search by 4–8 weeks and signal to senior candidates that the firm undervalues compliance.
No succession plan. NCAs ask 'who acts in the MLRO's absence?' — a designated Deputy MLRO with documented training is mandatory.
Reporting line through Operations or Finance. The MLRO must report to the board on AML matters, not through a non-compliance executive who can suppress reporting. CEO-direct or board-direct only.
Sole-residency on paper. Several NCAs (Bank of Lithuania, Central Bank of Ireland) test physical presence — flying-in MLROs do not satisfy ordinary residency requirements.
Frequently Asked Questions
Can the MLRO also be the CEO or COO?
No. MiCA Article 68 and the EBA Guidelines on suitability require the MLRO function to be independent from operational management — the role conflicts with revenue-generating responsibilities. Several jurisdictions (Ireland, Germany) explicitly prohibit dual-hatting CEO + MLRO; others (Lithuania, Cyprus) permit it only for the smallest Class 1 entities. Plan for a separate hire.
How long does NCA pre-approval take?
Lithuania: 4–8 weeks if file is complete. Cyprus: 6–10 weeks. Ireland: 8–14 weeks (Central Bank of Ireland runs structured interviews). Germany: 10–16 weeks (BaFin's PQ process is the most demanding). Malta: 6–10 weeks. Submit the pre-approval file as soon as the offer is verbally agreed; do not wait for written acceptance.
What if the candidate isn't currently NCA-approved?
First-time approval is not unusual but extends the timeline by 4–8 weeks and increases the file's substance burden. Expect the NCA to dig deeper into prior employment, request additional references, and (in some cases) administer a knowledge test. A senior banking AML hire moving into their first crypto MLRO role should plan for a 12–20 week pre-approval window from offer to start date.
Does the MLRO need to be locally resident?
In most EEA jurisdictions yes, with degrees of flexibility. Bank of Lithuania, Central Bank of Ireland, BaFin and CySEC all expect physical presence with EEA tax residency in the licence jurisdiction; Malta is slightly more flexible. Remote-working MLROs based outside the licence jurisdiction are routinely rejected. Plan for relocation as part of the offer package.
Yes, generally. Group structures with multiple regulated entities often share a Deputy MLRO across two or three subsidiaries, with documented allocation of time and clear escalation. The substantive MLRO must be dedicated; the deputy can be cross-allocated provided independence and capacity tests are met.
AMLR codifies harmonised MLRO standards including minimum experience, training, and independence requirements across the EU. The substantive bar is unlikely to drop; pre-approval frameworks will likely converge upward. Significant CASPs subject to AMLA direct supervision from 2028 will face additional MLRO-level scrutiny — including possible AMLA pre-approval rights for the MLRO of any directly-supervised entity.
Hiring an MLRO for your CASP authorisation programme? Finconduit makes vetted introductions to crypto-experienced MLRO candidates across Lithuania, Cyprus, Ireland, Germany and Malta and supports the fit-and-proper file submission. Get a free MLRO recruitment scope.
Book AssessmentMiCA Compliance Guide for CASPs: Authorisation walkthrough — capital, governance, supplier stack
AML Compliance for Crypto Firms: What the 6AMLD requires from CASPs and VASPs
Chainalysis vs Elliptic vs TRM Labs: Choosing blockchain analytics in 2026
MiCA Travel Rule Providers Compared: Notabene vs Sumsub vs Sygna vs Veriscope
The MLRO is the highest-leverage hire in a CASP authorisation programme — the wrong hire delays the licence, the right hire compresses the timeline and lowers ongoing supervisory friction. Pay at the top of band for senior crypto-experienced candidates, document the residency rigorously, build the fit-and-proper file with the substance the NCA actually examines, and avoid outsourced models beyond the application phase. The compensation is materially higher than three years ago. The cost of getting the role wrong is materially higher again.
Footnotes & Citations