Compliance & Risk Manager

Full-time
USA
$95k-$105k per year
Mid Level
Posted 1 hour ago

FLSA Classification: Exempt

Reports To: Chief Financial Officer (CFO)

Job Summary:

The Compliance & Risk Manager is responsible for managing and executing Blossom’s compliance and risk management programs. Reporting to the CFO, this role oversees day-to-day compliance operations across all regulatory, security, and audit functions, including SOC 2 Type II, PCI DSS, and all compliance obligations associated with Blossom’s hardware and software products, while maintaining a risk management framework that identifies, tracks, and mitigates operational, financial, regulatory, and strategic risks. This role collaborates closely with Engineering, Product, Legal, HR, and Operations to support a culture of compliance and risk awareness across the organization. This role works in close partnership with the IT and Infrastructure function, which retains ownership of technical security controls, HSM/key management, and PCI security; the Compliance & Risk Manager owns program management, audit coordination, the enterprise risk framework, and policy.

Supervisory Responsibilities:

  • Support the recruitment and onboarding of compliance and risk staff; provide day-to-day guidance and oversight to any direct reports within the function.

Duties/ Responsibilities:

Audit & Certification Management

  • Own the end-to-end SOC 2 Type II audit lifecycle: scope definition, control design, evidence collection, auditor coordination, and remediation tracking.

  • Lead PCI DSS compliance efforts across applicable business units, including scope management, gap assessments, and coordination with Qualified Security Assessors (QSAs).

  • Manage relationships with external auditors, assessors, and certification bodies; serve as primary point of contact during audit engagements.

  • Maintain a comprehensive controls inventory; ensure all controls are documented, tested, and operating effectively.

  • Track and manage audit findings and remediation plans through to closure in collaboration with control owners.

Enterprise Risk Management

  • Manage and maintain the enterprise risk management (ERM) framework, ensuring risks across operational, regulatory, financial, strategic, and technology domains are identified, assessed, prioritized, and tracked.

  • Maintain and update the company-wide risk register; coordinate with risk owners to ensure mitigation and remediation plans are tracked to resolution.

  • Conduct periodic enterprise risk assessments; summarize findings and risk trends for CFO review.

  • Collaborate with Product, Engineering, Finance, HR, and Operations to identify and flag risks associated with new initiatives, product launches, and process changes.

  • Support operational risk programs including business continuity planning (BCP), disaster recovery readiness, and incident response protocols in coordination with IT and Engineering.

  • Administer the third-party and vendor risk assessment process, evaluating vendors for security, financial stability, regulatory alignment, and contractual risk.

  • Monitor the evolving risk landscape, including emerging cyber threats, regulatory changes, and market developments, and flag potential impact to leadership.

  • Support the CFO in maintaining the company’s risk appetite and tolerance thresholds; help ensure business decisions align with established risk parameters.

  • Respond to credit union client risk and security due diligence requests, including vendor questionnaires and risk assessments.

  • Maintain required risk documentation including the risk register, risk appetite statements, and reporting artifacts in a manner that supports executive review and external audit.

Regulatory & Policy Compliance

  • Monitor and interpret federal, state, and credit union-specific regulatory requirements applicable to Blossom’s software and hardware products (e.g., NCUA guidance, FFIEC frameworks, GLBA, applicable state laws).

  • Maintain and update company-wide compliance policies, standards, and procedures; ensure alignment with regulatory requirements and industry best practices.

  • Conduct regular internal audits and control testing to evaluate compliance with applicable laws, regulations, and internal policies.

Hardware & Software Product Compliance

  • Ensure Blossom’s hardware and software products comply with applicable regulatory standards, including security and interoperability requirements for financial technology solutions used by credit unions.

  • Collaborate with Product and Engineering teams to embed security and compliance requirements into the SDLC and hardware release processes.

  • Advise on compliance and risk implications of new product features, APIs, and data integrations with credit union core systems and third-party platforms.

  • Ensure the organization meets all data privacy requirements, including applicable provisions of state privacy laws and any credit union member data obligations.

Security Awareness & Training Oversight

  • Partner with HR to support compliance training integration into onboarding and ongoing employee development.

  • Promote a compliance- and risk-aware culture by supporting cross-functional teams with guidance on regulatory obligations and risk.

  • Oversee training completion tracking across mandatory platforms (e.g., NINJIO, Udemy Business) and ensure role-specific training obligations are met, including Swipe team PCI requirements.

  • Develop and deliver compliance communications, training materials, and policy updates to employees across all departments.

  • Coordinate with HR and department heads to ensure annual policy acknowledgments and required compliance certifications are completed on schedule.

  • Own the enterprise Security Awareness Training program, ensuring compliance with the applicable PCI DSS requirement and other applicable mandates.

Reporting & Executive Partnership

  • Serve as a key point of contact for compliance and risk-related questions and escalations across the organization.

  • Provide regular updates to the CFO on the status of the compliance and risk programs, including audit outcomes, risk register updates, and remediation progress.

  • Prepare compliance metrics, risk dashboards, and audit findings summaries for CFO and executive review.

  • Coordinate with external auditors, regulators, and credit union compliance and risk stakeholders as the day-to-day point of contact.

  • Identify and escalate emerging compliance and risk issues to the CFO, with recommended mitigation steps and timelines.

  • Collaborate with Legal, Finance, HR, and Operations to support alignment of the compliance and risk programs with company strategy and growth objectives.

  • Perform other related duties as assigned.

Required Skills/ Abilities:

  • Deep knowledge of SOC 2 Trust Services Criteria (TSC) and experience leading or managing SOC 2 Type II audit engagements from preparation through report issuance.

  • Working knowledge of PCI DSS requirements and experience applying them within a fintech, payments, or software organization.

  • Familiarity with financial services regulatory frameworks including FFIEC, GLBA, NCUA guidelines, and applicable state consumer protection and data privacy laws.

  • Experience developing, implementing, and managing enterprise compliance policies, procedures, risk registers, and controls inventories.

  • Demonstrated experience building or managing an enterprise risk management (ERM) framework, including risk registers, risk appetite statements, and risk reporting.

  • Strong organizational and project management skills; able to manage multiple compliance and risk workstreams simultaneously with attention to detail.

  • Exceptional written and verbal communication skills; able to translate complex regulatory requirements into clear, actionable guidance for technical and non-technical audiences.

  • Experience partnering with Engineering and Product teams to embed compliance into software and product development processes.

  • Comfort with GRC platforms and risk management tools (e.g., Drata, Vanta, LogicGate, ServiceNow GRC, or similar).

  • High integrity, strong judgment, and the ability to operate as a trusted advisor to senior leadership.

  • Ability to navigate ambiguity and execute within a fast-growing fintech environment with evolving compliance and risk needs.

  • Proficiency with Google Workspace or Microsoft 365 and standard business productivity tools.

Education and Experience:

  • Bachelor’s degree in Business, Finance, Legal Studies, Information Systems, or a related field required; Master’s degree a plus.

  • Minimum of 4 years of progressive experience in compliance, risk management, audit, or related fields; experience within fintech, payments, or financial services strongly preferred.

  • 2 or more years of hands-on experience with SOC 2 audits (as preparer, auditee, or program contributor); experience with PCI DSS compliance strongly preferred.

  • 2 or more years of experience in a compliance, risk, or audit role with increasing responsibility, preferably in a growth-stage or mid-market company.

  • Prior experience working with or supporting credit unions, community financial institutions, or regulated financial services clients strongly preferred.

  • Experience supporting fintech, SaaS, or B2B technology companies serving regulated industries is a plus.

  • Relevant professional certifications strongly preferred: CISA, CISM, CRISC, CCEP, CIPP, CFE, or equivalent.

Physical Requirements:

  • Prolonged periods sitting at a desk and working on a computer.

  • Must be able to lift up to 15 pounds at times.

What We Offer:

  • Health, fully covered: Company-paid medical, dental, and vision insurance.

  • Life & AD&D: Company-paid life and accidental death & dismemberment coverage.

  • Income protection: Company-paid short- and long-term disability.

  • 401(k) with match: Save for the long run, and we’ll match.

  • Remote allowance: Cell phone and internet connectivity expenses support.

  • Flexible spending: FSA and Dependent Care (DCSA) accounts to stretch your pre-tax dollars.

  • Unlimited PTO: Take the time you actually need.

  • Employee Assistance Program (EAP): Confidential support for life’s harder moments.

  • Supplemental coverage: Voluntary insurance options to round out your plan.
