The CO/MLRO Imperative: Inside the UAE's Joint Guidance on Compliance Leadership

The United Arab Emirates has issued its most comprehensive unified framework to date governing the Compliance Officer (CO) and Money Laundering Reporting Officer (MLRO) function. Jointly established by the UAE Supervisory Sub-Committee (SSC), the guidance applies across every regulated sector Licensed Financial Institutions, Designated Non-Financial Businesses and Professions, and Virtual Asset Service Providers covering entities supervised by the CBUAE, CMA, DFSA, FSRA, VARA, MOJ, MOET, and GCGRA. The message is unambiguous: the CO/MLRO role is no longer a technical checkbox. It is, in the document's own words, the cornerstone of an effective AML/CFT/CPF framework. 

The Legal Foundation 

The guidance is anchored in three primary instruments: Federal Decree Law No. (10) of 2025 on Anti-Money Laundering and Combating the Financing of Terrorism and Proliferation Financing; Cabinet Resolution No. (134) of 2025, its executive regulations; and Cabinet Decision No. (74) of 2020 on Terrorism Lists Regulation and the Implementation of UN Security Council Resolutions on Targeted Financial Sanctions. The guidance does not replace these laws, it translates supervisory expectations into operational clarity. 

Independence Is Non-Negotiable 

The governance section establishes independence not as a best practice but as a structural requirement. The CO/MLRO must hold a senior position, be free from conflicts of interest whether pecuniary or otherwise, and be empowered to challenge business decisions without facing undue pressure. Critically, where the role is held by someone with dual responsibilities, that person cannot simultaneously hold day-to-day responsibility for sales or customer relationship management. Compliance cannot serve revenue and risk at the same time. 

The guidance creates a direct Board reporting line, not merely to senior management. The CO/MLRO is expected to brief the Board on the institution's evolving ML/TF/PF risk exposure, regulatory changes, business-wide risk assessment results, program effectiveness including failures, STR statistics, and findings from internal and supervisory audits. The Board, in turn, is explicitly obligated to provide the CO/MLRO with the necessary human resources, transaction monitoring tools, sanctions screening systems, and timely access to data. Resource deprivation is a governance failure, not an operational constraint. 

Appointment: Fit, Proper, and Documented 

Before any CO/MLRO or Alternate CO/MLRO is appointed, a formal fit and proper assessment is mandatory. The candidate must demonstrate high integrity, relevant qualifications, and a well-established, documented professional track record in the AML/CFT/CPF field. Credentials alone are insufficient, the professional path must be traceable. Regulators use the FATF framework to conduct annual reviews to ensure ongoing fitness for the role. 

The Outsourcing Boundary 

The guidance draws a hard line on outsourcing. The CO/MLRO role cannot be outsourced under any circumstances. The entire Compliance Function cannot be outsourced under any circumstances. Specific tasks, Enhanced Due Diligence, AML/CFT training, framing controls, system support, may be outsourced, but only after obtaining a formal Letter of No Objection from the relevant supervisory authority. This prohibition directly targets the common multinational practice of satisfying local compliance requirements through regional or group-level appointments while leaving UAE operations structurally under-governed. 

Eleven Responsibilities, Each Carrying Weight 

Article 22 of Cabinet Resolution No. (134) of 2025 defines the CO/MLRO mandate. The guidance operationalises this into eleven distinct responsibilities. Transaction monitoring requires the CO/MLRO to understand not just the outputs of their TM system, but its design, scenario coverage, and internal alert-handling procedures both on an ongoing and retrospective basis. For suspicious transaction and activity reports, the CO/MLRO must review, scrutinise, and prioritise internal reports promptly, with high-risk cases addressed first. If a decision is made not to notify the Financial Intelligence Unit, the rationale must be documented in full. 

The customer due diligence responsibility contains one of the guidance's most structurally significant provisions: the CO/MLRO must be consulted before any final decision is made on onboarding or retaining a high-risk customer. If senior management proceeds against the CO/MLRO's advice, they must document their rationale and explicitly state how the institution will mitigate the identified risks. This creates an accountability trail that falls squarely on the decision-makers, not the compliance function. 

Beyond these, the CO/MLRO is responsible for maintaining internal AML/CFT/CPF policies and procedures, designing the overall AML/CFT/CPF program, conducting or overseeing the institutional risk assessment, developing the Sanctions Compliance Program in line with Cabinet Decision No. 74 of 2020, delivering training to all staff including the Board, serving as primary liaison with the FIU and supervisory authorities, submitting a Bi-Annual Compliance Report to senior management and regulators, and ensuring all transaction and CDD records are retained for a minimum of five years. 

What Supervisors Have Actually Found 

Appendix 1 of the guidance is drawn from real supervisory assessments, making it among the most operationally valuable sections. Examiners have observed: compliance tasks outsourced to regional offices with minimal UAE-level oversight; CO/MLROs excluded from decisions on sanctions screening and transaction monitoring tuning; limited oversight of CDD quality assurance; no oversight of FIU freeze and unfreeze orders; absence of a dedicated senior CO/MLRO; inadequate remediation of identified gaps; poor reporting to the Board and supervisory authorities; insufficient knowledge of UAE statutory obligations; lack of accountability; insufficient seniority; and failure to execute a program that is genuinely tailored to the institution's risk profile. These are not hypothetical risks, they are documented failures. 

FATF: The Indirect but Binding Layer 

FATF Recommendation 18 forms the international backbone of the CO/MLRO requirement, mandating management-level appointment with board access and program oversight. FATF does not regulate individual officers directly, it sets the standards that national regulators like the CBUAE and VARA then embed into local law. The February and June 2025 FATF updates to Recommendation 1 (financial inclusion) and Recommendation 16 (cross-border payment transparency) both carry operational consequences that CO/MLROs must understand and incorporate into their risk frameworks. 

The Architecture Behind the Document 

Reading the guidance as a whole, what emerges is not simply a list of duties. It is a deliberate governance architecture, one that positions the CO/MLRO as an institution-wide second line of defence with genuine authority in high-stakes decisions, legally insulated from commercial pressure, and structurally connected to the Board. The UAE is not asking institutions to have a compliance officer. It is asking them to build a compliance function that can actually function — and it has now specified, in precise terms, exactly what that looks like.