- Experience
- 4+ years
- Salary
- —
- Openings
- 1
- Posted
- 1 hour ago
- Work arrangement
- Work from home
- Education
- Bachelor's degree
- Eligibility criteria
- This opportunity is open to candidates in the United States who can work remotely and meet the stated education, experience, and compliance background requirements.
- Resume
- An application must be submitted.
Job description
Role overview
The Compliance & Risk Manager will run Blossom’s compliance and risk programs end to end. Reporting to the CFO, this position oversees daily compliance work across regulatory, security, and audit areas, including SOC 2 Type II, PCI DSS, and all obligations tied to the company’s hardware and software products. The role also builds and maintains an enterprise risk framework that identifies, monitors, and reduces operational, financial, regulatory, and strategic exposure.
This person will work closely with Engineering, Product, Legal, HR, and Operations to strengthen a company-wide culture of compliance and risk awareness. The role partners with IT and Infrastructure, which retains ownership of technical security controls, HSM/key management, and PCI security, while this position owns program management, audit coordination, enterprise risk governance, and policy oversight.
Key responsibilities
- Lead the full SOC 2 Type II audit process, including defining scope, shaping controls, gathering evidence, coordinating with auditors, and tracking remediation through completion.
- Drive PCI DSS compliance across relevant business areas by managing scope, closing gaps, and working with Qualified Security Assessors.
- Serve as the main contact for external auditors, assessors, and certification bodies during audit work.
- Maintain a complete controls inventory and ensure controls are properly documented, tested, and functioning as intended.
- Monitor audit findings and follow remediation actions until closure with the relevant control owners.
- Own and maintain the enterprise risk management framework across operational, regulatory, financial, strategic, and technology risk areas.
- Keep the company risk register current and coordinate mitigation plans with risk owners until resolution.
- Run periodic enterprise risk assessments and prepare summaries of findings and trends for the CFO.
- Work with Product, Engineering, Finance, HR, and Operations to spot risks tied to new initiatives, product launches, and process changes.
- Support business continuity, disaster recovery, and incident response planning with IT and Engineering.
- Administer third-party and vendor risk reviews, including checks on security posture, financial health, regulatory fit, and contract-related risk.
- Track changes in the risk environment, including cyber threats, regulation updates, and market shifts, and escalate important impacts to leadership.
- Help maintain the company’s risk appetite and tolerance thresholds so decisions stay within approved risk limits.
- Respond to client due diligence requests from credit unions, including questionnaires and risk/security assessments.
- Keep core risk records and reporting materials up to date for executive review and external audits.
- Monitor applicable federal, state, and credit union-specific rules that affect Blossom’s products, including NCUA guidance, FFIEC frameworks, GLBA, and state laws.
- Update company policies, standards, and procedures to keep them aligned with regulations and best practices.
- Perform internal audits and control testing to check compliance with laws, regulations, and internal policy requirements.
- Ensure hardware and software offerings meet relevant security, interoperability, and regulatory expectations for credit union-focused financial technology.
- Partner with Product and Engineering to build compliance and security requirements into the SDLC and hardware release process.
- Advise teams on the compliance and risk implications of new features, APIs, and integrations with core systems and third-party platforms.
- Make sure data privacy obligations are met, including state privacy laws and any member-data requirements.
- Work with HR to support compliance training in onboarding and ongoing employee learning.
- Promote a risk-aware, compliance-minded culture by advising teams on regulatory obligations and risk concerns.
- Track completion of mandatory training across platforms such as NINJIO and Udemy Business, and verify role-based requirements including Swipe team PCI training.
- Create and distribute compliance communications, training content, and policy updates across departments.
- Coordinate with HR and department leaders to ensure annual policy acknowledgments and required certifications are finished on time.
- Own the enterprise security awareness training program and ensure it satisfies PCI DSS and other applicable requirements.
- Act as a central contact for compliance and risk questions or escalations across the company.
- Provide the CFO with regular updates on audits, risk status, and remediation progress.
- Prepare dashboards, metrics, and audit summaries for executive review.
- Work with auditors, regulators, and credit union compliance/risk stakeholders as the day-to-day liaison.
- Escalate emerging compliance or risk issues with recommended actions and timelines.
- Collaborate with Legal, Finance, HR, and Operations to align the program with company strategy and growth goals.
- Take on additional related duties as assigned.
Supervision
The role includes supporting hiring and onboarding for compliance and risk staff, along with providing day-to-day direction and oversight to any direct reports in the function.
Skills and qualifications
- Strong command of SOC 2 Trust Services Criteria and hands-on experience managing SOC 2 Type II audits from preparation through final report issuance.
- Working knowledge of PCI DSS requirements and how they apply in fintech, payments, or software environments.
- Exposure to financial services regulatory frameworks such as FFIEC, GLBA, NCUA guidance, and state consumer protection and privacy laws.
- Experience building and maintaining compliance policies, procedures, controls inventories, and risk registers.
- Proven ability to design or manage an enterprise risk management framework, including risk appetite statements and reporting.
- Excellent organization and project coordination skills with the ability to manage several workstreams at once.
- Clear written and verbal communication skills for both technical and non-technical audiences.
- Experience working with Engineering and Product to integrate compliance into product and software development processes.
- Comfort using GRC and risk management platforms such as Drata, Vanta, LogicGate, ServiceNow GRC, or comparable tools.
- Strong integrity, sound judgment, and the ability to advise senior leaders effectively.
- Ability to work through ambiguity in a fast-moving fintech setting.
- Proficiency with Google Workspace or Microsoft 365 and standard productivity software.
Education and experience
A bachelor’s degree in Business, Finance, Legal Studies, Information Systems, or a related discipline is required. A master’s degree is a plus. The ideal candidate has at least 4 years of progressive experience in compliance, risk, audit, or a related function, preferably in fintech, payments, or financial services. The role also calls for 2+ years of direct SOC 2 audit experience, with PCI DSS experience strongly preferred, and 2+ years in a compliance, risk, or audit position with growing responsibility. Experience supporting credit unions, community financial institutions, or other regulated financial services clients is strongly preferred. Experience with fintech, SaaS, or B2B technology companies serving regulated industries is an advantage. Professional certifications such as CISA, CISM, CRISC, CCEP, CIPP, CFE, or similar credentials are strongly preferred.
Physical requirements
- Extended periods of sitting and computer work are part of the role.
- Occasional lifting of up to 15 pounds may be required.
What we offer
- Fully covered medical, dental, and vision insurance.
- Employer-paid life and accidental death & dismemberment coverage.
- Company-paid short-term and long-term disability protection.
- 401(k) plan with employer matching.
- Support for cell phone and internet costs for remote work.
- Flexible spending accounts, including FSA and Dependent Care (DCSA).
- Unlimited paid time off.
- Employee Assistance Program for confidential personal support.
- Optional supplemental insurance coverage.
Additional employment details
This is an exempt position. The role is full-time and remote within the United States.