MLRO Substance Requirements for EU CASPs: A 2026 Comparison

Why MLRO substance is harder than it looks

MiCA’s CASP authorisation requirement says the MLRO function must have “adequate seniority, independence, and resources”. That formula is intentionally non-prescriptive — it leaves the operational interpretation to national competent authorities and their AML supervisors. In 2025 most regulators applied a light interpretation as they built MiCA-specific capacity. In 2026 the interpretations have diverged sharply, and getting the MLRO arrangement wrong is the single most common substance-related deficiency in CASP filings across the EU.

The supervisory expectations cluster into three groups:

• Strict jurisdictions (Estonia, Malta, Ireland) — local-resident MLRO, defined FTE floor, prior CASP-relevant experience.

• Middle jurisdictions (Lithuania, Czech Republic) — local-resident, scaled FTE expectation by licence class, language capability.

• Lighter jurisdictions (Cyprus) — local-resident, AML qualification, more flexibility on FTE and role-combination.

Firms passporting between groups need to plan to the strictest applicable rule, not the lightest. Several recent supervisory cases involved firms whose MLRO arrangement satisfied the home regulator but not the host.

How does each EU regulator define MLRO substance in 2026?

The detailed expectations differ enough that a generic MLRO arrangement does not satisfy multiple jurisdictions. Here is what each regulator looks for in 2026.

Estonia (FSA / Finantsinspektsioon)

Strict end of the EU spectrum in practitioner reports. The FSA expects:

• A meaningful FTE allocation set per file (no published numerical floor; supervisory practice typically expects more than a token allocation)
• Estonian residency
• Significant AML experience in a regulated financial-services firm
• Estonian-language capability for FIU (Rahapesu Andmebüroo) communication
• CAMS, ICA, or equivalent AML certification expected (not strictly required)

MLRO substance is a frequently-flagged area in supervisory deficiency notices.

Lithuania (Bank of Lithuania)

Mid-tier strictness with class-based scaling in supervisory practice:

• Class 1 lighter than Class 2/3 in expected FTE allocation
• Lithuanian residency
• AML experience requirement scales with class — Class 3 custody firms expected to demonstrate custody-specific AML risk-typology experience

The Bank of Lithuania accepts MLROs whose primary professional language is English, provided they have functional Lithuanian for FIU correspondence (or a documented arrangement for translation).

Cyprus (CySEC)

Lightest formal expectation among the active jurisdictions:

• Cyprus residency
• AML qualification (CAMS, ICA International Diploma, or equivalent) expected
• No published FTE floor — sufficient to perform the function
• Outsourcing to a CySEC-registered AML services firm is acceptable for small firms

The Cyprus practice, established under the AML/CFT Law and CySEC Directive on CASPs since 2021, has not gold-plated the residency expectation that some peer jurisdictions apply; the Cyprus expectation in supervisory practice is residency plus availability rather than mandatory full-time presence.

Malta (MFSA)

Strictest functional-separation expectation in the EU:

• Malta residency
• Full-time engagement expected for Class 3 firms
• MLRO and Compliance Officer functions expected to be independent (separate persons) for firms above the small-firm threshold
• Crypto-asset-specific risk-typology experience expected

MFSA practice in supervisory correspondence treats combined MLRO/Compliance Officer roles in above-threshold files as a substantive deficiency.

Czech Republic (ČNB / FAÚ)

Middle-tier strictness with language emphasis:

• Czech residency
• Czech-language functional capability for FAÚ liaison
• Prior FAÚ correspondence experience preferred (not required)
• AML certification expected

The ČNB places more weight on FAÚ-correspondence experience than other EU regulators, reflecting the close operational relationship between the FAÚ (which retains AML supervision) and the ČNB (which now holds MiCA authorisation supervision).

Ireland (CBI)

Most demanding overall expectation in practitioner reports, mirroring the CBI’s broader supervisory style:

• Irish residency
• Full-time engagement expected for all CASP classes
• Significant AML experience in a regulated financial-services firm (typically banking or payments)
• Banking-grade governance experience expected — board reporting, three-lines-of-defence integration
• AML certification expected (CAMS or ICA International Diploma)

The CBI’s expectation reflects the agency’s broader practice of applying banking-grade standards to non-bank firms.

Planning the MLRO arrangement for a CASP file

Three principles for 2026 filings:

1. Plan to the strictest applicable jurisdiction. If the firm intends to passport from Cyprus into Estonia, the MLRO should satisfy the FSA’s expectation, not CySEC’s. The cost differential is small; the friction cost of upgrading post-passporting is large.

2. Match MLRO experience to firm risk profile. Class 3 custody firms need MLROs with experience of high-volume transaction monitoring and self-hosted-wallet customer due diligence. Class 1 advisory firms need less specialised experience.

3. Document the MLRO appointment with the same rigour as senior management. Most regulators ask for fitness-and-probity documentation on the MLRO that mirrors what they ask for on directors. Source-of-funds documentation is sometimes required for MLROs holding significant equity in the firm.

Working with counsel on the MLRO arrangement

The single most useful diagnostic is whether counsel can describe specific supervisory positions on edge cases — combining MLRO and Compliance Officer in growing firms, language-capability requirements, outsourcing thresholds. Counsel that gives generic answers (“the MLRO must be appropriate”) has not handled enough recent files to have calibrated views.

Counsel that can describe what specific regulators rejected on specific files has the operational knowledge that matters for substance-edge cases. The firms in our index that have processed five or more multi-jurisdiction CASP files since 2024 are listed below.