Ongoing Compliance Obligations Calendar — Monthly Requirements for UAE VASPs

Ongoing Compliance Obligations Calendar for UAE VASPs

Obtaining a license is the beginning, not the end, of regulatory compliance. Licensed VASPs across VARA, ADGM, and DFSA jurisdictions face continuous compliance obligations with specific deadlines, filing requirements, and audit expectations. This calendar provides compliance officers with a structured month-by-month framework for managing ongoing obligations.

The Morpheus Software (Fuze) enforcement case demonstrates the consequences of failing to maintain compliance controls after licensing. Building a functioning compliance calendar is a core operational requirement.

Q1: January through March

January

• Annual compliance plan finalization: Finalize the year’s compliance work plan, including planned training sessions, policy reviews, risk assessment updates, and audit schedules
• FATF high-risk jurisdiction list review: Update screening procedures against the latest FATF lists, aligned with VARA’s January 2026 circular on FATF High-Risk Jurisdictions
• Qualified investor controls review: Assess compliance with VARA’s January 2026 circular on Qualified Investors
• Capital adequacy confirmation: Verify ongoing compliance with minimum capital requirements at year-end
• Board reporting: Prepare and submit annual compliance report to the board, covering prior year’s compliance activities, STR statistics, monitoring results, and key risk indicators

February

• Travel rule compliance assessment: Review travel rule implementation against VARA’s February 2026 circular on UAE Virtual Assets Travel Rule Requirements
• Sanctions list update cycle: Verify that sanctions screening databases are current and functioning correctly
• Training needs assessment: Identify AML/CFT training needs for the year based on regulatory updates, enforcement trends, and staff turnover
• ADGM Electronic Prudential Reporting: Submit required prudential returns per FSRA reporting schedule (ADGM-regulated firms)

March

• AML/CFT program review: Conduct comprehensive review of AML/CFT program against VARA’s March 2026 AML/CFT/CPF circular
• Enterprise-wide risk assessment update: Update the ML/TF risk assessment to reflect any changes in customer base, product offerings, geographic exposure, or regulatory landscape
• Regulatory circular compliance check: Review all VARA, ADGM, and DFSA circulars issued in Q1 and assess compliance impact
• Q1 compliance monitoring report: Compile quarterly compliance monitoring results for management and board review

Q2: April through June

April

• Annual financial statement preparation: Begin preparation of annual financial statements for submission to the applicable regulator
• External audit engagement: Confirm external auditor engagement for annual financial statement audit (ADGM requires registered auditors from its approved list)
• KYC refresh cycle: Initiate periodic KYC refresh for high-risk customers due for annual review
• Transaction monitoring rule calibration: Review and recalibrate transaction monitoring rules based on Q1 alert statistics and false positive rates

May

• AML/CFT training delivery: Conduct annual AML/CFT refresher training for all staff, covering regulatory updates, new typologies, and enforcement case lessons
• VARA enforcement register review: Review VARA’s published enforcement register for new actions and extract compliance lessons — the 2025 enforcement wave and subsequent actions provide ongoing case studies
• Outsourcing compliance review: Review compliance of all outsourced functions against regulatory requirements
• ADGM annual fee payment: Pay annual registration and authorization fees to ADGM (ADGM-regulated firms)

June

• Annual financial statement submission: Submit audited financial statements to the applicable regulator within the required deadline
• Compliance officer self-assessment: Conduct self-assessment of compliance function effectiveness, resource adequacy, and independence
• Q2 compliance monitoring report: Compile quarterly compliance monitoring results
• Mid-year board report: Present mid-year compliance update to the board including enforcement trends, regulatory developments, and program effectiveness metrics

Q3: July through September

July

• Policy and procedure annual review: Begin annual review cycle for all compliance policies and procedures, including AML manual, KYC/CDD procedures, travel rule procedures, and STR procedures
• Technology infrastructure review: Assess compliance technology effectiveness including blockchain analytics tools (Chainalysis, Elliptic, Crystal Blockchain), KYC platforms, and sanctions screening systems
• Capital adequacy mid-year assessment: Verify ongoing capital adequacy compliance
• Regulatory engagement: Schedule regulatory meetings with VARA/FSRA/DFSA supervisory contacts to discuss compliance program and any emerging issues

August

• Internal audit planning: Plan the scope and timing of internal audit review of compliance function
• Incident response testing: Test cybersecurity and compliance incident response procedures
• FATF plenary monitoring: Review outcomes of FATF plenary meetings for changes to standards, country assessments, or guidance affecting UAE VASPs
• Business continuity testing: Conduct business continuity plan testing including compliance function continuity

September

• Updated policies publication: Finalize and publish updated compliance policies following annual review
• Q3 compliance monitoring report: Compile quarterly compliance monitoring results
• Board reporting: Present Q3 compliance update to the board
• Regulatory change log update: Document all regulatory changes from Q1-Q3 and confirm compliance program alignment

Q4: October through December

October

• Internal audit execution: Conduct internal audit of AML/CFT program and compliance function
• Customer risk score recalibration: Review and recalibrate customer risk scoring methodology based on year-to-date data and regulatory guidance
• Budget preparation: Prepare compliance function budget for the following year, including technology, staffing, training, and advisory costs
• Medium-risk customer KYC refresh: Initiate periodic KYC refresh for medium-risk customers on biennial or triennial refresh cycles

November

• Internal audit findings remediation: Address any findings from internal audit review
• Annual compliance report drafting: Begin drafting the annual compliance report to the board
• VARA/FSRA/DFSA regulatory update review: Assess all regulatory circulars, guidance notes, and rulebook amendments issued during the year
• Enforcement case log update: Update internal enforcement case study log with lessons from all enforcement actions published during the year (reference our enforcement cases section)

December

• Year-end compliance assessment: Conduct year-end assessment of compliance program effectiveness
• Q4 compliance monitoring report: Compile quarterly compliance monitoring results
• Annual compliance report finalization: Finalize and submit annual compliance report to the board
• Following year planning: Develop compliance work plan for the following year incorporating regulatory changes, enforcement trends, and internal audit recommendations
• Capital adequacy year-end confirmation: Verify compliance with capital requirements at financial year-end

Ongoing (Monthly/Continuous) Obligations

Certain obligations operate on a continuous or monthly cycle independent of the quarterly calendar:

• STR filing: Report suspicious transactions to the UAE FIU through goAML within mandated timeframes — continuously as suspicion arises
• Sanctions screening updates: Update sanctions lists upon publication and re-screen customer base
• Transaction monitoring: Continuous monitoring with daily/weekly alert review cycles
• Material change notifications: Notify the applicable regulator immediately of any material changes to ownership, management, licensed activities, or operational arrangements
• Regulatory correspondence management: Respond to regulatory requests for information within specified timeframes
• Compliance incident logging: Document all compliance incidents, near-misses, and remediation actions

Cost Implications

Ongoing compliance obligations carry significant cost: staff time for reporting and monitoring, technology subscription fees, external audit fees, internal audit costs, training delivery, and regulatory fees. For cost modeling, see our total cost of compliance model and jurisdiction-specific fee breakdowns in our cost analysis section.

Jurisdiction-Specific Variations

While this calendar provides a general framework, specific deadlines and reporting formats vary by regulator. Compliance officers must verify exact deadlines with their applicable regulator:

• VARA: Check VARA’s published regulatory notices and circulars at vara.ae
• ADGM: Reference FSRA’s published guidance and Electronic Prudential Reporting requirements at adgm.com
• DFSA: Reference the DFSA Rulebook and reporting requirements at dfsa.ae

Regulatory Circular Implementation Calendar

Beyond routine obligations, licensed VASPs must implement new regulatory requirements as they are published. VARA’s Q1 2026 circulars create specific implementation demands:

March 2026 — AML/CFT/CPF Circular: Requires review and potential update of the complete AML program, including governance structures, risk assessment methodology, transaction monitoring calibration, and suspicious transaction reporting procedures. Implementation timeline should be assessed against VARA’s expectations.

February 2026 — Travel Rule Circular: Requires deployment of travel rule compliance solutions, integration with transaction processing infrastructure, and establishment of counterparty VASP identification processes. See our travel rule implementation guide for implementation details.

January 2026 — FATF High-Risk Jurisdictions Circular: Requires updating FATF high-risk jurisdiction screening in KYC platforms (Sumsub) and blockchain analytics systems (Chainalysis, Elliptic, Crystal Blockchain), and implementing enhanced due diligence workflows for affected customer relationships.

January 2026 — Qualified Investors Circular: Requires reviewing customer classification processes and marketing restrictions to align with qualified investor criteria.

Technology Maintenance Calendar

Compliance technology platforms require regular maintenance to remain effective:

• Sanctions list updates: Automated updates following OFAC, UN, and EU designation changes (continuous)
• FATF list updates: Manual or automated updates following FATF plenary meetings (three times per year — typically February, June, October)
• Blockchain analytics platform updates: Software updates, new blockchain support, and attribution database updates (vendor-dependent frequency)
• KYC platform updates: Document template updates for new identity document formats and updated fraud detection algorithms (quarterly or more frequent)
• Transaction monitoring rule calibration: Review and adjustment of alert thresholds based on false positive rates and alert quality metrics (at least quarterly)

Enforcement Monitoring Calendar

Active enforcement monitoring should be conducted on a regular schedule:

• Monthly: Check VARA’s enforcement register for new actions. Review our enforcement action dashboard for analysis.
• Quarterly: Assess enforcement trends and update risk assessments. See our VARA enforcement trends analysis.
• Annually: Conduct a comprehensive enforcement landscape review, comparing VARA enforcement patterns with ADGM and DFSA approaches.

The enforcement register demonstrates continuous activity — from Vesta Prime Portal (January 2026) through the 2025 enforcement wave and back to the initial 2024 actions. Licensed VASPs should use enforcement data to calibrate their compliance program intensity.

Cost of Ongoing Compliance

The ongoing compliance obligations described in this calendar carry annual costs estimated in our total cost of compliance model. Key annual cost components include compliance staffing (USD 250,000 to USD 600,000), technology platform subscriptions (USD 85,000 to USD 350,000), external audit fees (USD 30,000 to USD 100,000), advisory support (USD 50,000 to USD 200,000), and regulatory fees (USD 30,000 to USD 150,000). For jurisdiction-specific cost analysis, see the cost comparison dashboard.

For audit preparation, see our compliance audit preparation guide. For the licensing obligations that establish this compliance baseline, see our licensing process section. For advisory support in meeting ongoing obligations, see entity profiles for Deloitte Middle East and PwC Middle East.

For regulatory context, visit UAE Tokenization Regulations and Dubai Tokenisation.