MLRO Substance Requirements for EU CASPs: A 2026 Comparison

Why MLRO substance is harder than it looks

MiCA Article 59 says the MLRO function must have “adequate seniority, independence, and resources”. That formula is intentionally non-prescriptive — it leaves the operational interpretation to national competent authorities and their AML supervisors. In 2025 most regulators applied a light interpretation as they built MiCA-specific capacity. In 2026 the interpretations have diverged sharply, and getting the MLRO arrangement wrong is the single most common substance-related deficiency in CASP filings across the EU.

The supervisory expectations cluster into three groups:

• Strict jurisdictions (Estonia, Malta, Ireland) — local-resident MLRO, defined FTE floor, prior CASP-relevant experience.

• Middle jurisdictions (Lithuania, Czech Republic) — local-resident, scaled FTE expectation by licence class, language capability.

• Lighter jurisdictions (Cyprus) — local-resident, AML qualification, more flexibility on FTE and role-combination.

Firms passporting between groups need to plan to the strictest applicable rule, not the lightest. Several recent supervisory cases involved firms whose MLRO arrangement satisfied the home regulator but not the host.

How does each EU regulator define MLRO substance in 2026?

The detailed expectations differ enough that a generic MLRO arrangement does not satisfy multiple jurisdictions. Here is what each regulator looks for in 2026.

Estonia (FSA / Finantsinspektsioon)

Strictest formal expectation in the EU. The FSA published guidance in February 2026 specifying:

• 0.5 FTE minimum allocation across all CASP classes
• Estonian residency required
• 5+ years of AML experience in a regulated financial-services firm
• Estonian-language capability for FIU (Rahapesu Andmebüroo) communication
• CAMS, ICA, or equivalent AML certification expected (not strictly required)

Two refused CASP applications in Q1 2026 cited MLRO substance as a contributing reason.

Lithuania (Bank of Lithuania)

Mid-tier strictness with class-based scaling:

• Class 1: 0.3 FTE minimum, Lithuanian residency, 3+ years AML experience
• Class 2: 0.5 FTE minimum
• Class 3: 0.5 FTE minimum, custody-specific AML risk-typology experience

The Bank of Lithuania accepts MLROs whose primary professional language is English, provided they have functional Lithuanian for FIU correspondence (or a documented arrangement for translation).

Cyprus (CySEC)

Lightest formal expectation among the active jurisdictions:

• Cyprus residency required
• AML qualification (CAMS, ICA International Diploma, or equivalent) expected
• No formal FTE floor — sufficient to perform the function
• Outsourcing to a CySEC-registered AML services firm is acceptable for small firms

The 2025 Cyprus CASP Law lifted the explicit local-resident requirement that applied under prior frameworks; the expectation now is residency plus availability rather than full-time presence. Industry comments suggest CySEC will tighten in 2027 as supervisory experience accumulates.

Malta (MFSA)

Strictest functional-separation expectation in the EU:

• Malta residency required
• Full-time minimum for Class 3 firms
• 0.5 FTE minimum for Class 1-2
• MLRO and Compliance Officer functions must be independent (separate persons) for firms above the small-firm threshold
• Crypto-asset-specific risk-typology experience expected

The MFSA refused at least two transitional CASP applications in 2026 citing combined MLRO/Compliance Officer roles in firms that exceeded the small-firm threshold.

Czech Republic (ČNB)

Middle-tier strictness with language emphasis:

• Czech residency required
• Czech-language functional capability for FAÚ liaison
• 0.5 FTE minimum across all classes
• Prior FAÚ correspondence experience preferred (not required)
• AML certification expected

The ČNB places more weight on FAÚ-correspondence experience than other EU regulators, reflecting the close operational relationship between the FAÚ and the supervisor.

Ireland (CBI)

Most demanding overall expectation, mirroring the CBI’s broader supervisory style:

• Irish residency required
• Full-time minimum for all CASP classes
• 7+ years of AML experience in a regulated financial-services firm (typically banking or payments)
• Banking-grade governance experience expected — board reporting, three-lines-of-defence integration
• AML certification required (CAMS or ICA International Diploma)

The CBI’s expectation is materially above the EU mid-tier and reflects the agency’s broader practice of applying banking-grade standards to non-bank firms.

Planning the MLRO arrangement for a CASP file

Three principles for 2026 filings:

1. Plan to the strictest applicable jurisdiction. If the firm intends to passport from Cyprus into Estonia, the MLRO should satisfy the FSA’s expectation, not CySEC’s. The cost differential is small; the friction cost of upgrading post-passporting is large.

2. Match MLRO experience to firm risk profile. Class 3 custody firms need MLROs with experience of high-volume transaction monitoring and self-hosted-wallet customer due diligence. Class 1 advisory firms need less specialised experience.

3. Document the MLRO appointment with the same rigour as senior management. Most regulators ask for fitness-and-probity documentation on the MLRO that mirrors what they ask for on directors. Source-of-funds documentation is sometimes required for MLROs holding significant equity in the firm.

Working with counsel on the MLRO arrangement

The single most useful diagnostic is whether counsel can describe specific supervisory positions on edge cases — combining MLRO and Compliance Officer in growing firms, language-capability requirements, outsourcing thresholds. Counsel that gives generic answers (“the MLRO must be appropriate”) has not handled enough recent files to have calibrated views.

Counsel that can describe what specific regulators rejected on specific files has the operational knowledge that matters for substance-edge cases. The firms in our index that have processed five or more multi-jurisdiction CASP files since 2024 are listed below.