Compliance Calendar Template: Tracking Regulatory Deadlines, Filings, and Internal Reviews

May 9, 2026 Rebecca Leung

TL;DR

  • A compliance calendar is the operating system of your compliance program. Without one, you’re managing regulatory deadlines from email reminders and someone’s memory — and that’s how you miss filings.
  • The 2026 calendar has changed: HMDA filing deadline is March 2, 2026; FinCEN’s investment adviser AML rule extended to January 1, 2028; Section 1071 compliance date pushed to January 1, 2028.
  • Every entry needs the same six fields: owner, frequency, source citation, evidence artifact, escalation contact, and validation method.
  • SAR filing deadline is 30 days from detection (60 if no suspect). Missed SAR filings show up in nearly every BSA/AML enforcement action of the last decade.

You walk into the office Monday morning and your CEO forwards you a regulator email asking for confirmation that your annual GLBA Safeguards review was completed. The deadline was last week. You don’t have evidence it was done because the person responsible left in February and nobody picked up the work.

This is the most preventable compliance failure there is — and it shows up in nearly every CFPB, OCC, and state AG consent order. Not because the underlying control was weak. Because nobody owned the calendar.

A compliance calendar isn’t a spreadsheet of dates. It’s the layer that turns your written program into actually-executed work. This post walks through what goes in it, what fields you need, the 2026 deadlines that just shifted, and how to build one that holds up when an examiner asks.

What a Compliance Calendar Actually Is

A compliance calendar is a centralized, owner-assigned, evidence-tracked schedule of every recurring obligation your organization has under federal regulation, state law, contractual commitment, and internal policy. It includes:

  • External filings (Call Reports, HMDA LAR, SARs, CTRs, 1071 LAR, NMLS renewals)
  • Recurring assessments and reviews (BSA/AML risk assessment, OFAC sanctions risk assessment, GLBA Safeguards review, annual fair lending analysis)
  • Examination and audit milestones (regulatory exam preparation windows, internal audit testing, SOC 2 readiness)
  • Board and committee reporting (quarterly compliance reports, annual risk appetite review, audit committee briefings)
  • Training cycles (BSA/AML annual training, code of conduct, fair lending, cybersecurity, AI governance)
  • Policy refresh cycles (every policy needs an owner and a review date — typically annual or biennial)
  • Vendor and third-party reviews (annual reviews for high-risk vendors, biannual for mid-tier)
  • License and registration renewals (state money transmitter licenses, MSB registration, broker-dealer renewals)

If it has a deadline and it doesn’t get done, your regulator finds out. That’s the rule.

The Six Fields Every Entry Needs

If your compliance calendar is a list of dates and descriptions, it’s not a calendar — it’s a wishlist. Every entry needs these six fields, no exceptions.

Field | What It Captures | Why It Matters
Owner | Named individual + role | “Compliance” doesn’t show up to do work. People do.
Frequency | One-time, weekly, monthly, quarterly, annual, ad-hoc | Drives the recurrence engine in your tracker
Source citation | Statute, regulation, FAQ, internal policy | When an examiner asks “why is this on your list,” you have an answer
Evidence artifact | Filing confirmation, signed memo, board minute reference, completed checklist | Proof of completion; what an auditor pulls
Escalation contact | Backup owner + executive sponsor | What happens when the owner leaves or misses
Validation method | Internal audit testing, second-line review, board attestation | Confirms the work was effective, not just done

The fields that get skipped most often are evidence artifact and validation method — and those are the fields examiners ask about first.

2026 Federal Filing Deadlines — A Reference Table

These are the dates and rules in effect right now for federally regulated banks, fintechs, and credit unions. Verify each one against your specific charter, license type, and asset size — but this is your starting point.

Banking & Financial Filings

Filing | Deadline | Source
Call Report (FFIEC 031/041/051) | 30 days after quarter-end (Q1 due Apr 30, Q2 due Jul 30, Q3 due Oct 30, Q4 due Jan 30) | FFIEC Reporting Forms
Call Report revisions effective | June 30, 2026 report date | FDIC FIL-2025
HMDA LAR submission | March 2, 2026 (for 2025 data); HMDA Platform opens Jan 1 each year | CFPB HMDA FAQ
CRA performance evaluation | Schedule set by primary regulator; typical cycle is every 3 years for community banks | OCC/FDIC/FRB schedules
Reg E error resolution acknowledgment | 10 business days from notice (extended to 45 days for investigation; 90 days for new accounts) | 12 CFR 1005.11
Reg Z annual escrow analysis | At least once every 12 months | 12 CFR 1024.17

BSA/AML & OFAC

Filing | Deadline | Source
SAR — initial filing | 30 calendar days from initial detection (60 days if no suspect) | FFIEC BSA/AML SAR Manual
SAR — continuing activity | Within 120 days of initial SAR (90-day review window + 30-day filing) | FinCEN SAR FAQs October 2025
CTR | 15 calendar days after the date of the transaction (25 days if filed electronically with magnetic media) | 31 CFR 1010.306
314(a) information requests | Search within 14 days of FinCEN posting; results returned per FinCEN portal | FinCEN 314(a) procedures
OFAC SDN list updates | Continuous (real-time screening); annual report due Sept 30 if institution holds blocked property | OFAC Reporting Regulations 31 CFR 501
FinCEN MSB registration renewal | Every 2 years (renewal due by Dec 31 of expiration year) | 31 CFR 1022.380
AML/CFT program for investment advisers | Compliance date now January 1, 2028 (extended Jan 2026) | Federal Register 2026-01-02

Consumer Compliance

Filing | Deadline | Source
Section 1071 small business lending — first data collection | January 1, 2028 | CFPB Section 1071 final rule (May 1, 2026)
Section 1071 — first LAR filing | June 1, 2029 | CFPB Section 1071 final rule
GLBA Safeguards Rule — annual program review | Annually; written report to board | 16 CFR 314.4(i)
Adverse action notices (Reg B) | 30 days from notice of adverse action decision | 12 CFR 1002.9
Reg E annual error resolution disclosure | At account opening + at least once per calendar year | 12 CFR 1005.7, 1005.8

Securities & Investment Adviser

Filing | Deadline | Source
Form ADV annual amendment | 90 days after fiscal year-end | SEC Investment Advisers Act
Form CRS delivery (initial + amendments) | At account opening + within 30 days of material amendment | SEC Reg BI
Form 13F (institutional investment managers >$100M AUM) | 45 days after quarter-end | SEC Section 13(f)

State & Cross-Cutting

Filing | Deadline | Source
State money transmitter license renewals | Per state schedule (most due by Dec 31 or anniversary date); NMLS-tracked | State regulator + NMLS
State breach notification | Varies (CA: “without unreasonable delay”; FL: 30 days; CO: 30 days; etc.) | State statute
CCPA/CPRA annual data subject request metrics | Disclosed in privacy notice if processing 10M+ CA residents | Cal. Civ. Code 1798.130

For a deeper walkthrough of the breach-notification side specifically, our state breach notification laws guide covers all 50 states with specific deadline tracking guidance.

Recurring Internal Obligations You Can’t Forget

The federal filings get attention because they’re public. The internal obligations are where banks fail quietly.

Annual

  • BSA/AML risk assessment — board-approved, documented methodology
  • OFAC sanctions risk assessment — board-approved
  • GLBA Safeguards Rule program review — written report to board
  • Information security program review and update
  • Compliance program risk assessment — drives your monitoring and testing plan
  • Fair lending statistical analysis — HMDA data + complaint data
  • UDAAP risk assessment — products + complaints + marketing
  • Vendor risk concentration analysis
  • Code of conduct attestation — every employee
  • Conflicts of interest disclosure — directors + officers
  • Annual board approval of policies (many require board sign-off)
  • Insurance renewals (D&O, cyber, E&O, fidelity)

Quarterly

  • Compliance program report to board / committee
  • Issues management aging report
  • KRI / KPI dashboard refresh
  • Internal audit issue tracking review

Monthly

  • Sanctions screening tuning review
  • Transaction monitoring tuning review
  • High-risk customer review (CDD/EDD refresh schedule)
  • Vendor performance review for critical vendors

Ad-Hoc / Triggered

  • Significant change in business activity → updated risk assessment
  • New product launch → new product risk review
  • New jurisdiction → state licensing analysis
  • Acquisition / strategic transaction → integration compliance review
  • Material incident → incident response, breach notification analysis, regulator communication

Building the Tracker — Tool Choice and Structure

The “right” tool depends on your size and existing infrastructure. Here’s the practitioner reality:

Org Size | Recommended Approach
Solo / early fintech | Structured spreadsheet (Excel/Google Sheets) with date-driven conditional formatting + email reminders
20–100 employees | Spreadsheet + project management tool (Asana, Linear, Monday) for task assignments
100–500 employees | GRC-lite tools (LogicGate, OneTrust, Hyperproof) or structured Notion/Confluence database
500+ employees / regulated bank | Enterprise GRC (RSA Archer, ServiceNow GRC, MetricStream) with automated workflows

Don’t over-engineer. A well-maintained spreadsheet beats an unmaintained GRC platform. The discipline is in the recurrence engine, the owner accountability, and the evidence pipeline — not the software.

Minimum Schema

If you’re building this in a spreadsheet, every row should have these columns:

Obligation ID | Obligation Name | Source Citation | Frequency |
Next Due Date | Owner | Backup Owner | Executive Sponsor |
Status (Open/In-Progress/Completed/Past Due) |
Evidence Link | Validation Method | Last Validated | Notes

Conditional formatting: any row where Next Due Date < TODAY + 30 days and Status ≠ Completed turns yellow. Past due turns red. That’s your visual escalation trigger.

The Recurrence Engine — Where Most Calendars Break

A compliance calendar is only as good as its ability to roll deadlines forward. Most fail because the next-due-date doesn’t auto-increment when the current one is closed. Manual rollover means people forget.

If you’re using a spreadsheet, build a formula like:

=IF(Status="Completed", EDATE(LastCompleted, RecurrenceMonths), NextDueDate)

If you’re using a GRC tool or project manager, configure recurring task templates that automatically create the next instance when one is completed.

The other failure mode: dependencies. The annual BSA risk assessment feeds the AML monitoring tuning review, which feeds the compliance program report to the board. If the risk assessment slips, downstream work slips. Map dependencies explicitly so you can see cascade risk early.
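
The rollover formula, the yellow/red formatting rule, and the dependency cascade described above, combined in one tracker as an added example (not the author's template or any GRC product's code). The field names, obligation IDs, dates and evidence path are constructed assumptions; the rollover anchors on the completion date, as the spreadsheet formula does, and closing an item without an evidence artifact is refused.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

def edate(d, months):
    """Spreadsheet EDATE: shift by whole months, clamping to the last day of the month."""
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

@dataclass
class Obligation:  # column subset of the page's minimum schema; names are assumptions
    oid: str
    next_due: date
    recurrence_months: int  # 0 means one-time
    status: str = "Open"
    depends_on: list = field(default_factory=list)
    evidence: list = field(default_factory=list)

def flag(ob, today):
    """Conditional formatting rule: red = past due, yellow = due within 30 days."""
    if ob.status == "Completed":
        return "ok"
    if ob.next_due < today:
        return "red"
    return "yellow" if ob.next_due < today + timedelta(days=30) else "ok"

def complete(ob, completed_on, evidence_link):
    """Close the current instance and roll forward, as the EDATE formula does."""
    if not evidence_link:
        raise ValueError(f"{ob.oid}: refusing to close without an evidence artifact")
    ob.evidence.append((ob.next_due, completed_on, evidence_link))
    if ob.recurrence_months:
        ob.next_due = edate(completed_on, ob.recurrence_months)
        ob.status = "Open"  # next instance exists immediately; nothing to remember
    else:
        ob.status = "Completed"

def cascade_risk(obligations, today):
    """IDs that are not past due themselves but sit downstream of a past-due item."""
    late = {o.oid for o in obligations if flag(o, today) == "red"}
    at_risk = set(late)
    grew = True
    while grew:  # fixed-point walk over depends_on edges
        grew = False
        for o in obligations:
            if o.oid not in at_risk and at_risk.intersection(o.depends_on):
                at_risk.add(o.oid)
                grew = True
    return sorted(at_risk - late)

# Constructed sample rows using the dependency chain described above.
def sample():
    return [
        Obligation("BSA-RA", date(2026, 5, 31), 12),
        Obligation("TM-TUNE", date(2026, 6, 30), 1, depends_on=["BSA-RA"]),
        Obligation("BOARD-RPT", date(2026, 7, 31), 3, depends_on=["TM-TUNE"]),
    ]
```

With the sample rows and a review date of June 10, 2026, the risk assessment is red, the tuning review is yellow, and both downstream items are reported as cascade risk until the assessment is closed with evidence.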

Linking the Calendar to Regulatory Change

This is what separates a real compliance program from a paperwork exercise. Your calendar is the recurring obligations. Your regulatory change management program tracks new obligations. They have to be linked.

When a new rule lands — say, the October 2025 OCC/FDIC NPR on MRAs — the regulatory change log records the rule, the comment period, the effective date, and the implementation owner. When the rule is finalized, the implementation milestones move from the change log into the calendar as recurring obligations.

This is how your compliance program adapts. Rules don’t just appear on the calendar magically — somebody has to put them there, with the right frequency and the right citation.

Governance — Who Owns the Calendar

The calendar itself needs an owner. In most organizations:

  • Compliance Officer / CCO owns the calendar at the program level
  • Line-of-business compliance leads own the entries for their domain
  • Internal audit validates a sample of completed items quarterly
  • Board / Audit Committee receives a quarterly status report including past-due items

The calendar should be on the audit committee’s standard agenda. Past-due items should escalate automatically. The CCO should not be discovering past-due filings via examiner letter.

What Examiners Ask About

When examiners come in, they don’t ask “do you have a compliance calendar?” They ask:

  1. “Show me how you track when your BSA risk assessment is due.” They want to see a system, not a memory.
  2. “Walk me through the last SAR you filed — when was the activity detected, when did the SAR get drafted, when did it get filed?” They’re checking your 30-day window and your audit trail.
  3. “What’s your evidence that the GLBA Safeguards Rule annual review was completed and approved?” They want the artifact, not your word.
  4. “What’s past due, and why?” Past-due items aren’t disqualifying. Past-due items with no escalation are.

If your calendar can answer those four questions in under five minutes, you’ll do fine. If it can’t, you have work to do.

So What? — The Practitioner’s Move

You don’t need to build the perfect compliance calendar. You need to build the one your team will actually maintain. The two failure modes are equally bad: too sparse to catch what matters, and so elaborate that nobody updates it.

Start with this minimum viable build:

  1. List every external filing with a hard deadline
  2. List every annual internal review your written program commits to
  3. Assign a named owner to each
  4. Add the source citation
  5. Build the recurrence formula
  6. Schedule a 15-minute monthly review

Build that in a week. Iterate. Layer in the quarterly and monthly obligations once the annual ones are running. Don’t try to ship a 200-row enterprise calendar from day one.

If you want a head start with the schema, recurrence formulas, and a pre-mapped 2026 federal filing reference table, our Compliance Essentials Bundle includes a structured calendar template alongside the policies, risk assessments, and committee charters that feed into it. Faster than building from a blank spreadsheet — and the formats are already aligned with what examiners look for at validation.

Quick Reference: 2026 Calendar Anchors

Month | Anchor Events
January | Q4 Call Report (Jan 30); HMDA Platform opens; OFAC SDN list refreshed (continuous); annual training kickoff
February | HMDA validation window; year-end SAR continuing activity reviews
March | HMDA LAR due March 2; Form ADV annual amendment (calendar-year FYE)
April | Q1 Call Report (Apr 30); Q1 board reporting cycle
May | Annual BSA/AML risk assessment refresh (typical cycle)
June | Mid-year compliance program assessment; Call Report revisions effective June 30
July | Q2 Call Report (Jul 30); Q2 board reporting cycle
August | Annual policy refresh window (typical cycle)
September | OFAC annual blocked property report (Sep 30 if applicable)
October | Q3 Call Report (Oct 30); Q3 board reporting cycle
November | Annual budget + program planning for next year
December | State licensing renewals; FinCEN MSB renewals (biennial); year-end attestations; final board reporting

Print this. Tape it to your monitor. Then build the actual tracker around it — with owners, evidence, and validation. That’s the part nobody can skip.

Frequently Asked Questions

What is a compliance calendar?
A compliance calendar is a centralized schedule of every regulatory filing, examination, internal review, training, board reporting, and policy refresh your organization owes — with owners, due dates, and evidence requirements. It's the operating layer of your compliance program.

What's the difference between a compliance calendar and a regulatory change log?
A compliance calendar tracks recurring obligations (file your Call Report, file SARs within 30 days, refresh your AML risk assessment annually). A regulatory change log tracks one-time events (CFPB issues new rule, you must update your policy by Y date). You need both — and they should be linked.

What's the SAR filing deadline?
30 calendar days from initial detection of facts that may constitute a basis for filing. Extended to 60 days if no suspect can be identified. Continuing-activity SARs are filed within 120 days of the initial SAR per FinCEN guidance.

When is the 2026 HMDA filing deadline?
March 2, 2026 for HMDA data collected in 2025. The CFPB filing period opened January 1, 2026 via the HMDA Platform at ffiec.cfpb.gov.

When does the new Section 1071 small business lending rule take effect?
Per the CFPB's May 1, 2026 final rule, the compliance date is January 1, 2028. Lenders meeting the 1,000-origination threshold in 2026 and 2027 begin collecting data January 1, 2028 and file their first Small Business Lending Application Register by June 1, 2029.

What should a fintech compliance calendar include if we're not a bank?
State money transmitter renewals, NMLS filings, FinCEN MSB renewals (every 2 years), 314(a) checks (every 2 weeks), SAR/CTR filings, OFAC SDN list updates, state breach notification laws, GLBA Safeguards Rule annual review, annual AML risk assessment, board reporting cadence, vendor reviews, and policy refreshes.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
