Compliance Officer / Head of Risk / Data Protection Officer

About This Role

Role Overview

MOSAIK is seeking a Compliance Officer who will also serve as Head of Risk Function and Data Protection Officer. This is a combined role permitted under VARA’s Company Rulebook (Rule I.D.2), provided the individual is separate from the CISO and MLRO functions.

You will be responsible for the company’s overall compliance framework, enterprise risk management, and data protection obligations. This is a founding role — you will build and own these functions as the company progresses through VARA licensing and into live operations.

Key Responsibilities

Compliance Officer:

• Own the company’s regulatory compliance framework across all VARA rulebooks;
• Monitor regulatory developments (VARA, CBUAE, SCA) and assess impact on MOSAIK’s operations;
• Manage the compliance monitoring programme, including periodic testing of controls;
• Ensure all VARA reporting obligations are met (monthly, quarterly, annual);
• Oversee the outsourcing compliance framework and monitor third-party service providers;
• Maintain the Conflict of Interest Register and Insider Trading Register;
• Coordinate with the internal and external auditors on compliance-related findings;
• Advise the Board and senior management on compliance risks and regulatory obligations;
• Serve as primary liaison with VARA on non-AML compliance matters.

Head of Risk Function:

• Own and maintain the Enterprise Risk Management (ERM) Framework;
• Conduct and update the enterprise-wide risk assessment at least annually;
• Maintain the risk register, tracking all identified risks with owners, controls, and residual ratings;
• Report to the Board quarterly on the risk dashboard, emerging risks, and risk appetite utilisation;
• Oversee operational risk management, including technology risk (in coordination with CISO), credit risk, market risk, and liquidity risk;
• Monitor key risk indicators (KRIs) and escalate breaches to the Board;
• Coordinate BCDR testing outcomes and track remediation of identified gaps.

Data Protection Officer:

• Ensure compliance with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection and any applicable VARA data protection requirements;
• Maintain the data processing register and conduct data protection impact assessments for new products or processes;
• Handle data subject access requests and manage data breach notification procedures (72-hour VARA notification window);
• Advise on data minimisation, consent management, and cross-border data transfer requirements;
• Coordinate with the CISO on information security matters that intersect with data protection.

Requirements

Essential:

• Minimum 5 years’ experience in compliance, risk management, or regulatory affairs within financial services, fintech, or virtual asset businesses;
• Strong knowledge of UAE regulatory landscape (VARA, CBUAE, SCA, UAE PDPL);
• Experience building or managing an ERM framework;
• Understanding of virtual asset markets, blockchain technology, and tokenization;
• Ability to operate independently and build compliance and risk functions from scratch;
• Strong written and verbal communication skills for Board reporting and regulatory correspondence;
• UAE resident or willing to relocate immediately;
• Must meet VARA’s Fit & Proper Person requirements.

Preferred:

• Professional compliance or risk qualification (ICA Diploma, CRCM, FRM, or equivalent);
• Experience with VARA-regulated entities or VARA application processes;
• Data protection qualification or certification (CIPP, CIPM, or equivalent);
• Experience with real-world asset (RWA) tokenization or DeFi/CeFi compliance;
• Arabic language skills (advantageous but not required).

What We Offer

• Triple-hatted founding role — Compliance, Risk, and Data Protection ownership from day one;
• Direct Board reporting line across all three functions;
• Competitive salary commensurate with experience (to be discussed);
• Opportunity to define the compliance and risk culture of a VARA-regulated platform;
• Small, fast-moving team with direct access to the CEO and Board.

Work Location: In person