The regulatory basis

The key-personnel requirements live in the VARA Company Rulebook, particularly Part II (Authorised Persons and Governance), supplemented by category-specific provisions in each of the seven activity Rulebooks. Cross-cutting AML/CFT requirements for the MLRO are set out in the Compliance and Risk Management Rulebook and the underlying federal AML/CFT framework (Federal Decree-Law 20/2018 and Cabinet Decision 10/2019).

The framework is approval-based: VARA must positively approve each named individual before they can take office. The approval is personal — it does not transfer to another individual or another entity.

The four core "approved persons" (every category)

1. Authorised Senior Manager (CEO / Managing Director equivalent)

The day-to-day leader of the VASP, accountable to VARA for the conduct of the business.

  • Residency: UAE-resident on a visa sponsored by the licensed VASP. Cannot be on an Investor Visa from a different entity.
  • Experience: Senior-management experience in financial services, virtual assets, or comparable regulated industry. Typically 7-10+ years in a senior role.
  • Time commitment: Full-time. Cannot hold equivalent senior positions at competing entities.
  • Fit-and-proper: Clean regulatory history, no relevant criminal convictions, sound personal financial standing, demonstrable competence.

2. Money Laundering Reporting Officer (MLRO)

Independent oversight of the VASP's AML/CFT framework, with direct reporting to the board and authority to file suspicious-activity reports without management interference.

  • Residency: UAE-resident, full-time, on a visa sponsored by the VASP.
  • Qualifications: Recognised AML certification — ICA (International Compliance Association), ACAMS (Association of Certified Anti-Money Laundering Specialists), CFCS, or equivalent. VARA also accepts comparable qualifications from FATF-equivalent regulatory regimes.
  • Experience: 3-5+ years AML experience in financial services, ideally with prior regulator-facing experience.
  • Reporting line: Direct to the board (not to the CEO). The MLRO must be able to escalate suspicious activity reports independently.
  • Fit-and-proper: Same standards as the Authorised Senior Manager, with particular focus on independence and integrity.

3. Compliance Officer

Day-to-day compliance management — implementing the compliance manual, training staff, monitoring transactions, and conducting internal compliance reviews.

  • Residency: UAE-resident, full-time, visa-sponsored by the VASP.
  • Qualifications: Compliance certification (ICA Diploma, ACAMS, or equivalent) typically required.
  • Experience: 3-5+ years compliance experience in financial services or a comparable regulated industry.
  • Separation from MLRO: For Categories 1 and 2 (Issuance, Advisory), the Compliance Officer and MLRO can sometimes be the same person if appropriately credentialed and scaled. For Categories 3-7, the functions must be separate.

4. Finance Officer (or CFO)

Accountable for accurate books and records, prudential reporting to VARA, and compliance with the Capital Requirements set out in each Rulebook.

  • Residency: UAE-resident or regular UAE presence; ideally visa-sponsored.
  • Qualifications: CPA / CA / CFA / FCCA or equivalent recognised accounting / finance qualification.
  • Experience: 5+ years in finance / treasury roles, ideally with prior regulated-entity experience.

Additional roles for Category 4 (Custody) and Category 5 (Exchange)

Higher-risk categories require additional approved persons:

5. Chief Information Security Officer (CISO)

  • Residency: UAE-resident, full-time, visa-sponsored.
  • Qualifications: Recognised information-security certification (CISSP, CISM, CISA) and demonstrable experience operating cybersecurity frameworks at scale (typically ISO 27001-aligned).
  • Experience: 5-7+ years in information security, ideally with prior virtual-asset or financial-services experience.

6. Independent Non-Executive Director (INED)

For Cat 4 and Cat 5, the board must include at least one INED — independent of management and shareholders, with relevant industry experience. Common profiles: retired regulators, ex-Big-4 partners, former fund managers, former financial-services CEOs.

Fit-and-proper assessment — what VARA looks for

Each named individual goes through a personal assessment:

Dimension | What VARA assesses
Regulatory history | Past sanctions, censures, licence revocations or refusals by any UAE or foreign regulator
Criminal record | Convictions or pending charges for offences of dishonesty, fraud, financial crime, or AML/CFT
Financial standing | Bankruptcy, insolvency, IVAs, county-court judgments, tax compliance
Competence | Qualifications, experience, demonstrable track record in a comparable role
Integrity | References, reputation in industry, ability to be straightforward with the regulator
Conflicts of interest | Personal trading, related-party arrangements, competing engagements

The five common rejection / stall reasons

  1. "We will hire the MLRO when we get the licence." The single most common application stall. VARA requires the MLRO in place, UAE-resident, and visa-sponsored before licence grant. Sourcing 8-12 weeks ahead is essential.
  2. Part-time or fractional MLRO arrangements. Rejected at application stage. VARA requires a full-time MLRO. Shared-MLRO models across multiple entities are not accepted.
  3. Non-UAE-resident "MLRO" on Investor Visa. Does not satisfy the residency requirement. The MLRO must be on a work visa sponsored by the VASP itself.
  4. Founders trying to serve as their own MLRO or Compliance Officer. Independence requirements typically preclude this — VARA will require a separate, qualified individual unless the founder genuinely has the qualifications and is willing to accept the independence constraints.
  5. CISO without ISO 27001-aligned operational experience. For Cat 4 / Cat 5 applications, a CISO who holds certifications but lacks genuine ISMS operational experience is often pushed back.

Sourcing playbook

The market for UAE-resident, MLRO-grade compliance professionals is tight. Practical sourcing routes:

  • Specialist recruiters: Robert Half, Hays, Michael Page, BPS World — all have UAE compliance / regulatory desks.
  • ICA / ACAMS UAE chapters: Active membership networks; many MLRO-grade professionals are members.
  • Outgoing big-bank compliance teams: Compliance professionals exiting Standard Chartered, HSBC, Citi, ENBD often look for VASP-scale roles.
  • Ex-regulator hires: Former VARA, DFSA, FSRA or CBUAE staff sometimes move into VASP MLRO roles after their cooling-off period.
  • Outsourced / fractional MLRO services: Several specialist firms offer outsourced MLRO services that satisfy VARA's residency and qualification requirements while you build the in-house team. Acceptable for Cat 1-2; less so for Cat 3-7.

Salary benchmarks (2026)

Role | Typical annual cost (AED)
Authorised Senior Manager (CEO) | AED 800,000 - 1,500,000+
MLRO | AED 400,000 - 800,000
Compliance Officer | AED 300,000 - 600,000
Finance Officer / CFO | AED 500,000 - 1,200,000
CISO (Cat 4 / 5) | AED 500,000 - 1,000,000
Independent NED (Cat 4 / 5) | AED 150,000 - 350,000 (part-time)

Add ~25-35% for total cost of employment (gratuity, visa, medical, allowances). Sourcing through a specialist recruiter typically adds 18-25% of first-year salary as a one-off fee.

What we do

Neo Legal has assembled approved-person teams for over 30 VARA, DFSA and FSRA applications. We maintain a vetted shortlist of UAE-resident MLRO, Compliance Officer and CISO candidates and can run the recruitment / approval process in parallel with the IDQ and full licence application, typically saving 8-12 weeks compared with founders sourcing candidates independently.