MLRO UAE 2026: What the Role Needs, and What an Appointment Letter Costs

Money laundering reporting officer UAE 2026 guide: appointment letter template, Cabinet Decision 10/2019 Article 21 duties, external MLRO cost ranges.

UAE Money Laundering Reporting Officer appointment letter, role definition, external MLRO cost Photo: Velmont Crest Editorial

Key takeaways

  1. MLRO appointment is mandatory under Cabinet Decision 10 of 2019 Article 21 and must be evidenced in writing
  2. The MLRO files STRs and SARs through goAML and acts as the FIU point of contact
  3. Typical disqualifiers: junior rank, front-line client ownership, no Emirates ID, contractor without written authority
  4. External MLRO market rates run AED 3,000 to 25,000+ per month depending on scope and volume
  5. Larger firms should appoint a deputy MLRO for absence cover and segregation of duties
  6. Penalties for MLRO and AML failures start at AED 50,000 and reach AED 5 million per breach

Every UAE Designated Non-Financial Business or Profession (DNFBP) and every licensed financial institution must appoint a Money Laundering Reporting Officer (MLRO) under Federal Decree-Law 20 of 2018 and Cabinet Decision 10 of 2019, with the appointment requirements set out in Article 21. The appointment has to be in writing and signed by senior management. It has to be recorded in goAML against a named individual with a valid Emirates ID, and refreshed without delay the moment the holder changes. A verbal nomination counts for nothing. Nor does a draft letter sitting unsigned in a folder, or a goAML profile still pointing at someone who left the firm a year ago. Any of those is a finding waiting to happen at the next Ministry of Economy inspection, and the exposure is personal as well as corporate. This guide walks through who qualifies, what the role actually involves, how the appointment letter should read, what the external MLRO market currently charges, and where the AML compliance support we provide stops and your own appointed officer’s accountability begins.

What an MLRO actually does

The MLRO is the named person inside the firm who carries operational responsibility for the AML/CFT programme. One human, identifiable to the regulator, reachable by the Financial Intelligence Unit, accountable to the board. In practice that means assessing internal escalations from colleagues, filing Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs) through goAML, dealing with the FIU and the Ministry of Economy, keeping the programme documentation current, making sure training is delivered and recorded, and presenting to senior management on the state of the programme at least once a year. The point worth holding onto: the MLRO isn’t the whole compliance department. They’re the named individual sitting on top of whatever compliance resources the firm decides to put behind them — and that distinction is exactly where under-resourced appointments come apart.

Where the obligation sits in UAE law

The MLRO obligation sits across three layers of UAE law and guidance. Federal Decree-Law 20 of 2018 on anti-money laundering and combating the financing of terrorism is the primary statute, with Articles 16 and 21 carrying the core obligations relevant to internal compliance officers and reporting duties. Cabinet Decision 10 of 2019, which is the executive regulation for Federal Decree-Law 20/2018, sets out the operational detail — Article 21 of the Cabinet Decision specifies the requirement to appoint a compliance officer with adequate competence and authority, to grant them access to all customer information, and to enable them to perform their duties independently. The Ministry of Economy, in its supervisory capacity over the seven DNFBP categories, issues guidance, conducts inspections and imposes administrative penalties. The seven DNFBP categories under UAE supervision are real estate brokers and agents, dealers in precious metals and stones (DPMS), auditors, accountants, corporate service providers, lawyers and notaries, and independent legal professionals — each is required to appoint an MLRO regardless of size.

Who actually qualifies

Supervisor expectations around MLRO suitability are clear even where the law leaves room. The appointee needs enough seniority to credibly challenge other senior managers and the board, ideally with board-level access directly or through a documented escalation route. They should be independent of revenue-generating front-line client work wherever the firm’s size lets you segregate. In smaller DNFBPs full independence is rarely achievable, so the supervisor will look for compensating controls: a deputy MLRO and an independent annual audit. The MLRO must be a UAE resident with a valid Emirates ID, reachable by the FIU on a working phone and email, with no adverse regulatory, criminal or insolvency history, and with real AML literacy. That means familiarity with Federal Decree-Law 20/2018, Cabinet Decision 10/2019, the goAML portal and sanctions screening practice, not a one-day certificate from 2019.

A job description that holds up at inspection

A workable MLRO job description should sit inside the appointment letter or be annexed to it, and it needs to be detailed enough that the supervisor, the MLRO and the rest of the firm all read the role the same way. The list below covers the responsibilities that show up in the UAE MLRO mandates we’ve seen survive inspection.

  • Receive and assess all internal STRs and SARs escalated by staff, with documented rationale for filing or not filing.
  • File STRs and SARs through the goAML portal in the prescribed format, without tipping off the customer or third parties.
  • Maintain the firm-wide Business Risk Assessment (BRA), refreshed at least annually and on material change.
  • Approve onboarding of clients flagged for Enhanced Due Diligence, high-risk jurisdictions or PEP status.
  • Maintain and periodically update the AML/CFT policy and procedures manual.
  • Deliver or commission annual AML/CFT training for all staff, with attendance and assessment records retained.
  • Oversee sanctions screening against the OFAC Specially Designated Nationals (SDN) list, the United Nations 1267 consolidated list and the UAE local terrorist designation list.
  • Maintain the Ultimate Beneficial Owner (UBO) register in line with Cabinet Decision 58 of 2020.
  • Respond to FIU Requests for Information (RFIs) within the prescribed deadline.
  • Present a written annual compliance report to senior management or the board.
  • Liaise with the Ministry of Economy supervisor on inspections, returns and remediation plans.
  • Maintain AML/CFT record retention for the minimum five-year period required by law.
  • Ensure goAML registration data is current and refreshed whenever the MLRO or deputy changes.
  • Coordinate the independent AML audit and oversee remediation of findings.
  • Escalate to the board where the AML programme is under-resourced or where senior management is impeding compliance work.

Inside the appointment letter, clause by clause

The appointment letter is the document a supervisor will ask for first. Below is a structured outline of the clauses that should appear; it is not a fillable form and every firm should have its own letter drafted to reflect its specific governance, but the headings hold across the seven DNFBP categories.

Header. Firm letterhead with trade licence number, registered address, the date of the appointment letter and a unique reference number for the file.

Recipient details. Full legal name of the appointee as it appears on the Emirates ID, the Emirates ID number itself, current designation within the firm, employee number where applicable, and direct contact details.

Appointment statement. Plain language confirming the appointment as Money Laundering Reporting Officer, the effective date, and whether the appointment is indefinite (recommended) or for a fixed term. Example wording: “The Board hereby appoints [Name], Emirates ID [Number], as the firm’s Money Laundering Reporting Officer with effect from [Date], on an indefinite basis subject to the termination provisions below.”

Role and responsibilities. Reference to Cabinet Decision 10 of 2019 Article 21 and Federal Decree-Law 20 of 2018, with the job description annexed in full or summarised in a list of core duties.

Authority and reporting line. Direct access to senior management and the board, authority to require information from any function, authority to freeze onboarding where AML concerns warrant it, and a stated reporting line that bypasses any conflicted intermediate manager.

Resources and budget allocation. Confirmation that the firm will provide adequate staff, training budget, screening tool licences and external advisory access to enable the MLRO to discharge the role.

Acknowledgement of independence. Statement that AML decisions, including STR filings, cannot be overridden on commercial grounds and that no detriment will follow from good-faith reporting.

Termination and handover provisions. Notice period, handover obligations, goAML re-registration on departure, and continued obligations around confidentiality and good-faith reporting.

Signature blocks. Senior management signatory (chair, managing director or CEO depending on governance) and the appointee’s countersignature accepting the role and its responsibilities.

Schedule. Reference to the AML/CFT policy manual version in force at the date of appointment, ensuring the appointee accepts a defined baseline.

Five years’ experience, ICA or CAMS preferred

The credible MLRO profile in the UAE market usually has five or more years of relevant compliance, audit, legal or senior finance experience. Working familiarity with Federal Decree-Law 20 of 2018, Cabinet Decision 10 of 2019, the goAML portal workflows and at least one commercial sanctions screening tool is essential. English is non-negotiable. Supervisory correspondence, training material and most screening interfaces all run in English. Qualifications help. The ICA International Diploma in Anti Money Laundering and the ACAMS CAMS designation are the two most commonly cited. Sector-specific knowledge matters as much as generic AML training. An MLRO at a real estate brokerage needs to understand cash-equivalent transactions and beneficial ownership traps that an MLRO at an audit firm would never encounter. CPD should be evidenced annually with at least ten to fifteen hours of focused AML or sanctions training.

What an external MLRO costs in the UAE

This section is informational market context only. Velmont Crest does not act as MLRO on behalf of clients and does not provide outsourced MLRO services — the role must be held by an individual appointed by your firm with appropriate authority and independence. Where firms do choose to engage external MLRO support from licensed compliance consultancies, current UAE market ranges are broadly as follows.

  • Light-touch retainer, suitable for a small DNFBP with low transaction volume and infrequent escalations: roughly AED 3,000 to AED 6,000 per month.
  • Mid-tier engagement, suitable for an active dealer in precious metals and stones or a busy real estate brokerage with steady client onboarding: roughly AED 6,000 to AED 12,000 per month.
  • Full-service arrangement, suitable for a licensed financial institution or high-volume DNFBP with significant cross-border exposure: AED 12,000 to AED 25,000 or more per month.
  • Per-STR filing fee, charged by some providers on top of the retainer for each suspicious transaction report submitted through goAML: roughly AED 500 to AED 1,500 per submission.
  • Initial setup and business risk assessment, typically a one-off mobilisation cost covering BRA, policy drafting, training and goAML registration: AED 8,000 to AED 25,000.

These ranges are indicative and shift with scope, volume, jurisdictional complexity and the seniority of the named officer. They are not a Velmont Crest fee schedule. Any outsourced arrangement must preserve the firm’s own ultimate accountability for AML/CFT compliance and requires careful contractual scoping — including information access, decision rights, escalation routes, conflict management, professional indemnity cover and termination handover. For DPMS-specific context see our note on gold and jewellery accounting in the UAE and for brokers see our guidance on real estate accounting in the UAE.

AED 50K-5M: penalty per AML breach under Cabinet Decision 10 of 2019, including MLRO failures

Why we push clients to name a deputy

A deputy MLRO is recommended for any firm that can’t tolerate a single point of failure when the primary MLRO is on leave, sick, travelling or gone. Larger firms, multi-branch operations and any DNFBP with regular cross-border transactions should treat the deputy appointment as effectively mandatory in practice, even where the regulation doesn’t spell it out. The deputy needs to be appointed in writing to the same standard as the primary MLRO, hold parallel goAML access, be trained to the same depth, and be ready to step in when the primary holder is conflicted on a specific client or transaction. Documenting the trigger points (annual leave, sickness, conflict of interest, departure) in the AML policy manual closes a gap inspectors find often.

An MLRO appointment that exists only in the minutes of a board meeting is not an appointment the supervisor will recognise. Get it in writing, get the Emirates ID into goAML, refresh it the day the holder changes.

How Velmont Crest supports the MLRO programme

Velmont Crest sits alongside your appointed MLRO as advisory and operational support, not as a substitute for the role itself. We do not act as your MLRO and do not hold ourselves out as the named compliance officer on your goAML profile. What we do is draft the appointment letter to a structure that has held up under inspection, build and refresh the Business Risk Assessment against your client base and transaction profile, design the Customer Due Diligence and Enhanced Due Diligence policy to fit your sector, prepare training materials and attendance records, and support the MLRO with the ledger extracts, transaction analysis and beneficial ownership mapping that turn raw bookkeeping into AML-usable intelligence. We maintain the audit trail so that when the supervisor asks for evidence of training delivery in Q2 of last year, the answer arrives within minutes rather than weeks. The accountability for filing decisions, for goAML submissions and for the senior management report remains with your appointed MLRO — that is the boundary, and it is a boundary the law draws rather than a boundary of our choosing. For the bookkeeping discipline that underpins reliable AML work see our accounting and bookkeeping services, and for the tax overlay that frequently shares the same underlying data see our corporate tax services. For the practical mechanics of getting registered on the FIU’s reporting platform itself, our goAML registration and login guide walks through the workflow.

The ten-step appointment checklist

  1. Identify a UAE-resident individual with the required seniority, independence and AML literacy.
  2. Confirm a valid Emirates ID and clean adverse-history record before nomination.
  3. Draft a written appointment letter with the clauses set out above.
  4. Obtain board or senior-management signature and countersignature by the appointee.
  5. Register or update the MLRO record in goAML against the appointee’s Emirates ID.
  6. Annex the job description and reference the AML/CFT policy manual version in force.
  7. Document the reporting line, authority and resource allocation.
  8. Appoint a deputy MLRO with parallel access and training.
  9. Schedule the first annual compliance report and the first independent AML audit.
  10. Calendar a review of the appointment letter, goAML registration and deputy arrangement at least annually and on every change of holder.

If you are reviewing an existing MLRO arrangement against this checklist or need help drafting the letter, policy manual and Business Risk Assessment from scratch, our AML compliance advisory team supports DNFBPs across the seven supervised categories — without ever holding ourselves out as your MLRO. The role is yours; the structure around it is where we add value.

Frequently asked questions

Who can be appointed as MLRO in the UAE?

A UAE-resident natural person with a valid Emirates ID, enough seniority to push back on senior management and the board, real AML/CFT literacy, and — where the firm is big enough to segregate — independence from front-line client work. In smaller DNFBPs that's usually a partner or director; in larger ones, someone in a dedicated compliance, risk or finance function. They also have to be reachable by the Financial Intelligence Unit, carry no adverse regulatory or criminal history, and be appointed in writing by senior management, with the appointment logged in goAML. The writing and the goAML record aren't optional extras.

Can the business owner be the MLRO?

Yes — and in a small DNFBP without the headcount for a dedicated compliance hire, it's often the only realistic option. The problem to manage is independence. The owner is usually the main revenue generator and the key client relationship too, and the supervisor will poke at exactly that. You soften it with documented escalation routes, a deputy who can step in when the owner is conflicted, an independent annual AML audit, and a written acknowledgement that STR decisions outrank commercial ones. The letter still has to exist on paper, and goAML still has to name the real holder.

Can a UAE firm use an external MLRO?

You can — licensed compliance consultancies offer it, mostly to smaller DNFBPs. What you can't outsource is the accountability. Senior management still owns the programme, the policies, the training and the supervisory relationship, full stop. So the arrangement needs tight scoping in the contract. The external MLRO must get genuine authority and information access, the supervisor has to be told where the rules require it, and a real individual still has to be named in goAML. Honestly, most firms land on a hybrid — an internal appointee with external advisory behind them — rather than full delegation.

What skills and qualifications does an MLRO need?

No single qualification is mandated, but supervisors look for five-plus years in compliance, audit, legal or senior finance, plus working knowledge of Federal Decree-Law 20 of 2018, Cabinet Decision 10 of 2019, the goAML portal, sanctions screening tools and the firm's own client base. Certifications like the ICA AML diploma or the ACAMS CAMS designation add credibility, and Ministry of Economy supervisors increasingly expect to see one. English is essential — the correspondence and the screening tools all run in it. And CPD in AML and sanctions should be evidenced every year, not just claimed.

Is a deputy MLRO required in the UAE?

Not for every DNFBP as a hard rule, but strongly recommended — and in practice close to mandatory for larger firms, multi-branch operations, or anyone who can't afford a single point of failure when the MLRO is on leave, off sick or gone. The deputy should meet the same bar: same qualifications, a written appointment, parallel goAML access, and enough training to take over cleanly. There's a second use too — the deputy can step in for segregation where the primary MLRO has a lingering front-line conflict on a particular client or transaction.
