---
title: "MLRO Hiring Guide for CASPs: What to Look For, What to Pay (2026)"
slug: casp-mlro-hiring-guide
publishedAt: 2026-05-04T09:00:00Z
author: Finconduit Editorial Team
tags: MiCA, 6AMLD, AMLR
canonicalUrl: https://finconduit.com/resources/casp-mlro-hiring-guide
---
# MLRO Hiring Guide for CASPs: What to Look For, What to Pay (2026)

MLRO hiring playbook for CASPs — fit-and-proper file, skills matrix, salary benchmarks by jurisdiction (Lithuania, Cyprus, Ireland, Germany, Malta), interview structure, and when outsourced MLRO is acceptable.

The **Money Laundering Reporting Officer** is the single most consequential hire on a **CASP authorisation** file — and the most common reason authorisation programmes stall. **Bank of Lithuania**, **Central Bank of Ireland**, **BaFin**, **CySEC** and **MFSA** all require the **MLRO** to be **regulator\-approved** before they can take office, and all of them apply a **fit\-and\-proper** bar that has tightened materially through 2025–2026. A weak **MLRO** file delays authorisation by 6–9 months. A strong **MLRO** file accelerates everything that follows.

The role is also among the hardest to recruit for. Crypto **AML** is a thin labour market — fewer than 800 individuals in the EEA combine **MiCA**\-relevant **CASP** / **VASP** **MLRO** experience with the local\-residency the NCA requires, and competition for that pool has driven mid\-career **MLRO** compensation up 30–50% over the last three years. Compensation now sits at **€100,000**–**€200,000** base plus 20–50% bonus depending on jurisdiction, scale of the **CASP**, and whether the candidate has prior NCA\-approved status.

This guide explains what an **MLRO** actually does, the **fit\-and\-proper** expectations the NCA applies, the skills and experience that pass first review, salary benchmarks by jurisdiction, where to find candidates, the interview structure that filters real expertise from polished CVs, the local\-residency requirements, and when an **outsourced MLRO** is operationally acceptable as a bridge. Read this before you brief the recruiter — a misaligned hire here is hard to remediate without re\-applying.

## What the **MLRO** Actually Does

The **MLRO** is the natural person legally responsible for the **AML/CTF programme** inside the **CASP**. The role is fixed by [MiCA Article 68](https://eur-lex.europa.eu/eli/reg/2023/1114/oj) in combination with the [EBA Guidelines](https://www.eba.europa.eu/) on ML/TF risk and member\-state **AML** laws transposing the [Sixth Anti\-Money Laundering Directive](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018L1673). The duties are non\-delegable in legal effect even if operationally distributed.[^1][^2][^3]

- Own the **AML programme**. Maintain the written **ML/TF risk assessment**, **CDD**/**EDD** policy, **transaction monitoring** rules, sanctions screening procedure, and **Travel Rule** policy.

- File **Suspicious Activity Report**s. The **MLRO** is the legal filer to the national **FIU**; the decision to file or not file rests with the **MLRO** personally.

- Brief the board. Quarterly board reporting on ML/TF risk, alert volume, **SAR** count, supervisory engagement, programme performance.

- Liaise with the NCA. Single point of contact for **AML** supervision, on\-site inspection coordination, regulatory dialogue on typologies.

- Train staff. Annual training of all employees on **AML** obligations, role\-specific training for customer\-facing teams.

- Approve high\-risk relationships. Senior management approval of **EDD** relationships, **PEP**s, high\-risk\-third\-country exposure.

> **Warning:** MLRO is a personal liability role under 6AMLD. The individual can face criminal liability, regulator\-imposed fines, and disqualification for failures in the role. This is why the regulator pre\-approves the appointment and why senior candidates demand both regulator\-grade D&O insurance and clearly\-documented escalation pathways before accepting an offer.

## The Fit\-and\-Proper Bar in 2026

[Joint EBA/ESMA Guidelines on suitability](https://www.eba.europa.eu/) shape NCA expectations across the EEA. Each NCA layers its own application but the consensus expectations are now reasonably consistent: NCAs assess reputation, knowledge, experience, independence of mind, and time commitment. The **MLRO** file submitted for **pre\-approval** typically runs 30–60 pages and includes the items below.[^4]


*Table: MLRO fit\-and\-proper file — what NCAs expect to see for pre\-approval \(2026\).*

| Element | What it must contain | Common rejection reason |
| --- | --- | --- |
| Detailed CV | Full employment history, AML\-relevant roles, regulatory engagements, gaps explained | Gaps unexplained; AML experience overstated |
| Criminal record check | Recent \(≤6 months\) clean record from country of residence \+ countries of meaningful prior residence | Older than 6 months; missing residency countries |
| Educational and professional certifications | ACAMS / ICA / CAMS certification \+ degree\-level qualification | No formal AML certification; degree only |
| AML\-specific experience | ≥5 years in MLRO or deputy AML role; ≥2 years crypto\-specific | Generic financial\-services AML; no crypto exposure |
| Personal financial position | Bankruptcy declaration, conflicts of interest, source of wealth | Undisclosed insolvency; conflicts not surfaced |
| References | ≥2 senior referees from prior regulated employers | Same\-firm references only; insufficient seniority |
| Time commitment | Evidence of ≥80% allocation to the CASP; cap on parallel directorships | Multiple parallel MLRO roles undisclosed |
| Local residency proof | Tax residency, lease, utility bills, proof of physical presence | Nominal residency only; no physical presence |
| Knowledge assessment | Some NCAs \(BaFin, Central Bank of Ireland\) administer a written AML knowledge interview | Failure of substantive interview |

## The Skills Matrix — What to Actually Look For

An effective **CASP** **MLRO** combines four skill axes. Mid\-career hires usually excel on two or three; the strongest senior candidates excel on all four. Score every shortlisted candidate on each.


*Table: MLRO skills matrix — what to assess in shortlisted candidates.*

| Skill axis | What to assess | How to test in interview |
| --- | --- | --- |
| 1. Regulatory craft | Reading regulation, filing SARs, NCA dialogue, pre\-approval history | Walk through a recent SAR they filed; ask about a recent NCA exchange they handled |
| 2. Crypto fluency | Wallet attribution, blockchain analytics, mixers, peel chains, Travel Rule typologies | Ask them to talk through a Tornado Cash exposure they investigated |
| 3. Operational discipline | Building rules engines, false\-positive tuning, three\-lines\-of\-defence ownership | Ask about a transaction monitoring rule they tuned and why |
| 4. Strategic communication | Board reporting, supervisory letter response, customer impact framing | Ask them to draft a board memo on a hypothetical incident in 30 minutes |

## Salary Benchmarks by Jurisdiction

Compensation has shifted materially since 2023. Pre\-**MiCA**, **MLRO** salaries clustered at **€80,000–€140,000** across most EEA jurisdictions. Post\-**MiCA** application and through 2026, the mid\-career range is **€100,000**–**€200,000** with the senior tier \(\>10 years' experience, prior NCA\-approved status, multi\-jurisdiction track record\) reaching €220,000\+ in **Ireland** and **Germany**.


*Table: MLRO compensation benchmarks for a mid\-career candidate \(5–8 years' AML experience, ≥2 years crypto\-specific, regulator\-approved at least once\) — base salary plus typical bonus.*

| Jurisdiction | Base salary range | Typical bonus | Total comp |
| --- | --- | --- | --- |
| Lithuania | €90,000–€150,000 | 20–30% | €110,000–€195,000 |
| Cyprus | €80,000–€140,000 | 20–30% | €95,000–€180,000 |
| Malta | €90,000–€150,000 | 25–35% | €110,000–€200,000 |
| Ireland | €140,000–€220,000 | 30–50% | €180,000–€330,000 |
| Germany | €140,000–€220,000 | 20–40% | €170,000–€310,000 |
| Estonia | €80,000–€130,000 | 15–25% | €90,000–€165,000 |
| Senior MLRO \(\>10 yrs, multi\-jurisdiction\) | \+€40,000–€80,000 over band | 30–50% | Add 30–50% to band totals |

> **Note:** Most candidates ask for retention guarantees and clear escalation pathways before accepting an MLRO role. The combination of personal criminal liability under 6AMLD and the personal\-reputation impact of a failed authorisation makes MLROs commercially careful in negotiations. Plan a 4–6 week negotiation window and a strong D&O insurance package alongside the salary offer.

## Where to Find **MLRO** Candidates

- Specialist recruiters. Selby Jennings, Robert Walters Compliance, Brunel — strong on Tier\-1 candidates but premium retainers \(€20,000–€40,000 per placement\).

- Compliance professional networks. **ACAMS** European chapters, **ICA** membership lists, **ESMA** Crypto\-Assets Standing Committee adjacent professionals.

- Outbound from competitor **CASP**s. Most mid\-career **CASP** **MLRO**s are reachable via LinkedIn; a discreet outbound from a sponsor partner is often more effective than recruiter sourcing.

- Legacy fintech / **EMI** alumni. **EMI** **MLRO**s from Lithuanian and Maltese fintechs frequently retrain into **CASP** roles with a 6–9 month learning curve on crypto\-specific typologies.

- Banking **AML** alumni. Tier\-1 bank **AML** / financial\-crime\-investigations alumni have the regulatory craft but need crypto\-specific upskilling — usually a 12\-month bridge.

## Interview Structure That Filters Real Expertise

A 4\-stage process surfaces the gap between real expertise and polished interview answers. Most weak hires pass stage 1 and fail stage 3 unrecoverably.

- Stage 1 \(45 min\): screening with HR \+ **Head of Compliance**. CV walkthrough, motivation, residency confirmation, salary expectations.

- Stage 2 \(90 min\): technical with the existing **compliance** team. **SAR** walk\-through, **Travel Rule** typology test, **blockchain analytics** tool fluency.

- Stage 3 \(60 min\): board\-level with CEO \+ non\-exec director. Board reporting, escalation discipline, regulator communication. Ask for a written 1\-page board memo on a hypothetical incident.

- Stage 4 \(case study\): take\-home — review a fictitious 50\-page **AML programme** and write a 2\-page critique with prioritised remediation. Pay €1,500–€3,000 for the work; only candidates serious about the role complete this.

- Reference calls: 2–3 senior referees from regulated employers. Conducted by **Head of Compliance** personally, not delegated.

## When Outsourced **MLRO** Is Acceptable \(and When It Isn't\)

Outsourced or fractional **MLRO** services are widely advertised in **Cyprus**, **Malta** and **Lithuania**. The truthful position is narrow: **outsourced MLRO** is a credible bridge for the application phase or for very small Class 1 **CASP**s; it is a liability for any **CASP** at meaningful scale.

- Acceptable: pre\-application phase up to authorisation grant — a **regulator\-approved** external **MLRO** holds the file while you recruit the permanent hire.

- Acceptable: Class 1 **CASP** \(advisory only\) with very low transaction volume.

- Borderline: Class 2 **CASP** under €50M annual volume — accepted by **Lithuania** and **Cyprus**, less favoured by **Ireland** and **Germany**.

- Not acceptable: Class 3 **CASP** with custody; Significant **CASP** candidates; any **CASP** under **ESMA** direct supervision. NCAs will require an in\-house **MLRO** with full\-time commitment.

> **Tip:** Treat an outsourced MLRO as a temporary measure with a written succession plan. NCAs often grant authorisation conditional on hiring a full\-time MLRO within 6–12 months of operational launch. Build the recruitment search in parallel with the authorisation file rather than after — the longer the outsourced model runs, the more supervisory pressure builds.

## Common **MLRO** Hiring Pitfalls

- Hiring before the regulator pre\-approves. Issuing an offer letter before NCA approval risks a wasted hire if **pre\-approval** is refused. Always offer subject to regulatory **pre\-approval**.

- Confusing **AML** certification with crypto fluency. **ACAMS** / **ICA** certification is necessary but not sufficient — a generalist **AML** certified candidate without crypto\-specific exposure will fail Stage 2 of a serious interview.

- Underpaying for the role. The **MLRO** labour market is thin and tightening. Below\-band offers extend the search by 4–8 weeks and signal to senior candidates that the firm undervalues **compliance**.

- No succession plan. NCAs ask 'who acts in the **MLRO**'s absence?' — a designated **Deputy MLRO** with documented training is mandatory.

- Reporting line through Operations or Finance. The **MLRO** must report to the board on **AML** matters, not through a non\-**compliance** executive who can suppress reporting. CEO\-direct or board\-direct only.

- Sole\-residency on paper. Several NCAs \(**Bank of Lithuania**, **Central Bank of Ireland**\) test physical presence — flying\-in **MLRO**s do not satisfy ordinary residency requirements.

## Frequently Asked Questions

### Can the **MLRO** also be the CEO or COO?

No. **MiCA Article 68** and the **EBA Guidelines** on suitability require the **MLRO** function to be independent from operational management — the role conflicts with revenue\-generating responsibilities. Several jurisdictions \(**Ireland**, **Germany**\) explicitly prohibit dual\-hatting CEO \+ **MLRO**; others \(**Lithuania**, **Cyprus**\) permit it only for the smallest Class 1 entities. Plan for a separate hire.

### How long does NCA **pre\-approval** take?

**Lithuania**: 4–8 weeks if the file is complete. **Cyprus**: 6–10 weeks. **Ireland**: 8–14 weeks \(**Central Bank of Ireland** runs structured interviews\). **Germany**: 10–16 weeks \(**BaFin**'s PQ process is the most demanding\). **Malta**: 6–10 weeks. Submit the **pre\-approval** file as soon as the offer is verbally agreed; do not wait for written acceptance.

### What if the candidate isn't currently NCA\-approved?

First\-time approval is not unusual but extends the timeline by 4–8 weeks and increases the file's substance burden. Expect the NCA to dig deeper into prior employment, request additional references, and \(in some cases\) administer a knowledge test. A senior banking **AML** hire moving into their first crypto **MLRO** role should plan for a 12–20 week **pre\-approval** window from offer to start date.

### Does the **MLRO** need to be locally resident?

In most EEA jurisdictions yes, with degrees of flexibility. **Bank of Lithuania**, **Central Bank of Ireland**, **BaFin** and **CySEC** all expect physical presence with EEA tax residency in the licence jurisdiction; **Malta** is slightly more flexible. Remote\-working **MLRO**s based outside the licence jurisdiction are routinely rejected. Plan for relocation as part of the offer package.

### Can the **Deputy MLRO** be a shared resource across group entities?

Yes, generally. Group structures with multiple regulated entities often share a **Deputy MLRO** across two or three subsidiaries, with documented allocation of time and clear escalation. The substantive **MLRO** must be dedicated; the deputy can be cross\-allocated provided independence and capacity tests are met.

### What changes when [AMLR](https://eur-lex.europa.eu/eli/reg/2024/1624/oj) and **AMLA** take effect in 2027?[^5]

**AMLR** codifies harmonised **MLRO** standards including minimum experience, training, and independence requirements across the EU. The substantive bar is unlikely to drop; **pre\-approval** frameworks will likely converge upward. Significant **CASP**s subject to **AMLA** direct supervision from 2028 will face additional **MLRO**\-level scrutiny — including possible **AMLA** **pre\-approval** rights for the **MLRO** of any directly\-supervised entity.


## Related Guides

- [MiCA Compliance Guide for CASPs](/resources/mica-compliance-guide-casps): Authorisation walkthrough — capital, governance, supplier stack

- [AML Compliance for Crypto Firms](/resources/aml-compliance-crypto-6amld): What the 6AMLD requires from **CASP**s and **VASP**s

- [Chainalysis vs Elliptic vs TRM Labs](/resources/blockchain-analytics-providers-compared): Choosing **blockchain analytics** in 2026

- [MiCA Travel Rule Providers Compared](/resources/mica-travel-rule-providers-compared): Notabene vs Sumsub vs Sygna vs Veriscope

The **MLRO** is the highest\-leverage hire in a **CASP authorisation** programme: the wrong hire delays the licence, while the right hire compresses the timeline and lowers ongoing supervisory friction. Pay at the top of band for senior crypto\-experienced candidates, document the residency rigorously, build the **fit\-and\-proper** file with the substance the NCA actually examines, and avoid outsourced models beyond the application phase. The compensation is materially higher than three years ago. The cost of getting the role wrong is materially higher again.

## Footnotes

[^1]: MiCA Article 68 — Governance arrangements for CASPs, including fit\-and\-proper requirements for the management body and key function holders. <https://eur-lex.europa.eu/eli/reg/2023/1114/oj>
[^2]: EBA Guidelines on the management of money laundering and terrorist financing risks \(EBA/GL/2021/02\), 1 March 2021. <https://www.eba.europa.eu/>
[^3]: Directive \(EU\) 2018/1673 \(Sixth Anti\-Money Laundering Directive — 6AMLD\). <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018L1673>
[^4]: Joint EBA/ESMA Guidelines on the assessment of the suitability of members of the management body and key function holders \(EBA/GL/2021/06\). <https://www.eba.europa.eu/>
[^5]: Regulation \(EU\) 2024/1624 \(AMLR\) — applicable from 10 July 2027 — codifies harmonised AML obligations including MLRO requirements. <https://eur-lex.europa.eu/eli/reg/2024/1624/oj>


