MLRO · Governance

The MLRO: who you need, what they do, and how to appoint one properly.

The Money Laundering Reporting Officer is the named person your AML framework hangs on — the first thing a bank, an auditor or an inspector asks for after your policy. This is who can hold the role, how to appoint them so it stands up, what they actually do, and the mistakes that turn an MLRO into a finding. Written for DMCC DPMS owners and MLROs. Drafted against the law in force May 2026.

1. The role the whole framework hangs on

A DMCC precious-metals firm can have a flawless AML policy on the shelf and still fail an inspection on the first question, because the policy is not the obligation — the person who runs it is. Every Designated Non-Financial Business and Profession, and a DMCC dealer in precious metals and stones is one, must appoint a Money Laundering Reporting Officer (MLRO): a named individual, appointed in writing, with the seniority and independence to actually stop a transaction and the authority to file a report over the owner's objection. The appointment requirement sits in Article 21 of Cabinet Resolution 134 of 2025, the same article that fixes the firm's internal compliance programme and its staff-training duty.

Not appointing one — or appointing one in name only — is among the most serious failings a supervisor looks for, because it is the keystone: no MLRO means no one is accountable for screening, for reporting, for the risk assessment, or for the training. This guide covers who can hold the role, how to appoint them so the appointment stands up, what the job actually involves, and where firms get it wrong.

2. What an MLRO actually is

The MLRO is the single point of accountability for the firm's AML/CFT programme. In practice the role carries four jobs that no one else in the firm can do:

  • Receive and assess internal escalations. When a staff member sees something — a customer who won't evidence source of funds, a transaction that doesn't fit the profile — it goes to the MLRO, who decides whether it rises to a report.
  • File to the FIU on goAML. The MLRO is the registered user who submits Suspicious Transaction Reports, Suspicious Activity Reports and the Dealer in Precious Metals and Stones Report (DPMSR) through the Financial Intelligence Unit's goAML portal — the reporting duty set in Article 18 of Federal Decree-Law 10 of 2025.
  • Report to senior management. The MLRO owes the firm's leadership a periodic written account of the AML programme — what's been filed, what's been screened, what training was delivered, what's outstanding (more on that report below).
  • Own the programme. The risk assessment, the screening discipline, the training, the policies staying current — these roll up to the MLRO.

Crucially, the MLRO operates under the tipping-off prohibition in Article 29 of FDL 10/2025: a report to the FIU, and the suspicion behind it, must stay confidential — the customer is never told. That confidentiality is one reason the role has to sit with a specific, trusted, senior person rather than "whoever is on the counter."

3. Who can hold the role

This is where small firms get anxious, usually without need. The requirements are about function, not headcount.

Seniority and authority. The MLRO must sit at managerial level or above, with direct reporting access to senior management (and the board, where there is one) and enough authority and resources to do the job — including the authority to challenge a management decision and to halt or refuse a transaction. An MLRO who cannot say "no" to the owner is not really an MLRO.

Independence. The role must be functionally independent of the firm's revenue-generating activity — the person deciding whether to file a report cannot be the same person whose bonus depends on closing the deal. In a large firm that means a dedicated compliance function; in a small one it means the role is structurally separated even if the person wears other hats.

Can it be the owner? In a small DPMS firm, yes — the MLRO is often the owner or a director, and that is perfectly acceptable, provided it is formal: a written appointment, a defined role, and real authority. What is not acceptable is the informal version — "we all keep an eye on it between us." A diffuse, unnamed responsibility is exactly the gap an inspection is built to find.

Can it be outsourced? Yes. The law requires you to designate a compliance officer; it does not require that person to be a full-time employee, so a DPMS firm that can't appoint a suitably qualified person internally may engage an external MLRO. If you do, three conditions matter: the outsourced officer must genuinely understand your business and have the relevant expertise; they must have full access to your systems, records and people; and the contract must set out roles, responsibilities and reporting lines clearly. One thing you can never outsource is the accountability — ultimate responsibility for the firm's compliance stays with the firm's senior management and board, whoever files the reports.

4. Appointing one so it stands up

An MLRO appointment that an inspector, a bank or an auditor will accept is documented, not assumed. Three things make it real:

  • A written appointment. A formal letter from senior management appointing the named individual, stating their authority, their independence, and their reporting line. This is the document a bank asks for at account opening and an inspector asks for first.
  • A defined role. A job description that sets out the MLRO's responsibilities, authority and competence — so the role is a real set of duties, not a title.
  • Identification to the supervisor and the FIU. The MLRO is the named, registered user on the firm's goAML account, and is identified to the Ministry of Economy and Tourism (MoET) — your federal AML supervisor — through the firm's AML registrations. Keep that current: if the MLRO leaves, you must appoint a replacement (or arrange interim cover) immediately and update the registrations, or you lose the ability to file at the exact moment you might need to.

5. What the MLRO does month to month

Appointment is the start, not the substance. The role is an operating rhythm:

  • Ongoing — receive and assess escalations; decide and file STRs/SARs/DPMSRs on goAML within the reporting windows; keep screening and monitoring running; keep the confidentiality the tipping-off rule demands.
  • Periodically — produce a written compliance report for senior management. It typically covers the AML monitoring activity for the period, the STRs and DPMSRs filed, the sanctions-screening summary, the training delivered, the status of the risk-assessment and policy reviews, and progress against any corrective actions from an inspection. The semi-annual cadence is the convention carried over from the prior regime; CR 134/2025 codifies the reporting obligation under the same internal-programme article (Article 21) without fixing a frequency, so semi-annual is a sensible default rather than a hard statutory interval.
  • Annually — drive the business-wide risk-assessment review, the policy review, the all-staff training refresh, and the independent AML audit.

The point of the periodic report is not bureaucracy — it is the evidence trail. An MLRO who operates the programme but never writes it down has, from an inspector's point of view, not operated it at all.

6. What it costs to get wrong

A weak or absent MLRO is not a paperwork nicety; it is a fineable violation in its own right and the root of several others. Administrative fines run from AED 10,000 to AED 5,000,000 per violation under Article 17 of FDL 10/2025, with the DNFBP schedule set by Cabinet Resolution 71 of 2024 (AED 50,000–1,000,000, which can be doubled on a repeat violation), alongside non-monetary measures up to suspension of activity and licence revocation.

What makes the MLRO failing expensive is the cascade. No properly appointed MLRO usually means no one filed the STR that should have been filed, no one produced the compliance report, no one kept the screening current — so a single root failing becomes several findings on the inspection sheet. "We all handle it between us" reads, in that context, as the absence of the keystone, and the rest of the wall is judged accordingly.

7. The operator's checklist

If you run a DMCC DPMS firm, you should be able to answer "yes" to each of these without checking:

  • Is there a named MLRO, appointed in writing, with a job description?
  • Does that person sit at managerial level, independent of sales, with the authority to refuse a transaction?
  • Is the MLRO the registered goAML user, and is the registered person still the one actually in the role?
  • If the MLRO left tomorrow, is there a replacement or interim-cover plan — or would you simply be unable to file?
  • Does the MLRO actually produce the periodic compliance report, in writing, and file it with senior management?

If any of those is a "let me check," that is the gap to close — and unlike a transaction-monitoring overhaul, formalising the MLRO is a fast fix.

8. Where this sits in the kit

The MLRO role is governance, and governance is documents the firm signs and operates. The Assay DMCC DPMS Compliance Starter Kit ships the three that make the appointment stand up: the MLRO Appointment Letter, the MLRO Job Description, and the MLRO Compliance Report Template — the written appointment, the defined role, and the periodic report an inspector expects to see, drafted against this framework and ready to sign.

Not sure whether your MLRO arrangement would survive an inspection? The free 5-minute Self-Assessment scores your firm against the MLRO requirement and the rest of the framework, and tells you plainly what's missing.

Last updated 31 May 2026. Drafted against the UAE AML framework in force May 2026 — Federal Decree-Law 10 of 2025 (Articles 17, 18, 29), Cabinet Resolution 134 of 2025 (Article 21, the internal-programme/compliance-officer/training article), and Cabinet Resolution 71 of 2024 (the DNFBP administrative-fines schedule), with current Ministry of Economy and Tourism and UAE FIU guidance on the compliance-officer function. Not legal advice — for your firm's specific situation, consult a UAE-qualified compliance professional.

MLRO · Governance & Appointment · Edition 2026.1

Name the person. Appoint them in writing. That's the keystone.
