Job Description
FLSA Classification: Exempt
Reports To: Chief Financial Officer (CFO)
Job Summary: The Compliance & Risk Manager is responsible for managing and executing Blossom's compliance and risk management programs. Reporting to the CFO, this role oversees day-to-day compliance operations across all regulatory, security, and audit functions, including SOC 2 Type II, PCI DSS, and all compliance obligations associated with Blossom's hardware and software products, while maintaining a risk management framework that identifies, tracks, and mitigates operational, financial, regulatory, and strategic risks. This role collaborates closely with Engineering, Product, Legal, HR, and Operations to support a culture of compliance and risk awareness across the organization. This role works in close partnership with the IT and Infrastructure function, which retains ownership of technical security controls, HSM/key management, and PCI security; the Compliance & Risk Manager owns program management, audit coordination, the enterprise risk framework, and policy.
Supervisory Responsibilities:
- Support the recruitment and onboarding of compliance and risk staff; provide day-to-day guidance and oversight to any direct reports within the function.
Duties/Responsibilities:
Audit & Certification Management
- Own the end-to-end SOC 2 Type II audit lifecycle: scope definition, control design, evidence collection, auditor coordination, and remediation tracking.
- Lead PCI DSS compliance efforts across applicable business units, including scope management, gap assessments, and coordination with Qualified Security Assessors (QSAs).
- Manage relationships with external auditors, assessors, and certification bodies; serve as primary point of contact during audit engagements.
- Maintain a comprehensive controls inventory; ensure all controls are documented, tested, and operating effectively.
- Track and manage audit findings and remediation plans through to closure in collaboration with control owners.
Enterprise Risk Management
- Manage and maintain the enterprise risk management (ERM) framework, ensuring risks across operational, regulatory, financial, strategic, and technology domains are identified, assessed, prioritized, and tracked.
- Maintain and update the company-wide risk register; coordinate with risk owners to ensure mitigation and remediation plans are tracked to resolution.
- Conduct periodic enterprise risk assessments; summarize findings and risk trends for CFO review.
- Collaborate with Product, Engineering, Finance, HR, and Operations to identify and flag risks associated with new initiatives, product launches, and process changes.
- Support operational risk programs including business continuity planning (BCP), disaster recovery readiness, and incident response protocols in coordination with IT and Engineering.
- Administer the third-party and vendor risk assessment process, evaluating vendors for security, financial stability, regulatory alignment, and contractual risk.
- Monitor the evolving risk landscape, including emerging cyber threats, regulatory changes, and market developments, and flag potential impact to leadership.
- Support the CFO in maintaining the company's risk appetite and tolerance thresholds; help ensure business decisions align with established risk parameters.
- Respond to credit union client risk and security due diligence requests, including vendor questionnaires and risk assessments.
- Maintain required risk documentation including the risk register, risk appetite statements, and reporting artifacts in a manner that supports executive review and external audit.
Regulatory & Policy Compliance
- Monitor and interpret federal, state, and credit union-specific regulatory requirements applicable to Blossom's software and hardware products (e.g., NCUA guidance, FFIEC frameworks, GLBA, applicable state laws).
- Maintain and update company-wide compliance policies, standards, and procedures; ensure alignment with regulatory requirements and industry best practices.
- Conduct regular internal audits and control testing to evaluate compliance with applicable laws, regulations, and internal policies.
Hardware & Software Product Compliance
- Ensure Blossom's hardware and software products comply with applicable regulatory standards, including security and interoperability requirements for financial technology solutions used by credit unions.
- Collaborate with Product and Engineering teams to embed security and compliance requirements into the SDLC and hardware release processes.
- Advise on compliance and risk implications of new product features, APIs, and data integrations with credit union core systems and third-party platforms.
- Ensure the organization meets all data privacy requirements, including applicable provisions of state privacy laws and any credit union member data obligations.
Security Awareness & Training Oversight
- Partner with HR to support compliance training integration into onboarding and ongoing employee development.
- Promote a compliance- and risk-aware culture by supporting cross-functional teams with guidance on regulatory obligations and risk.
- Oversee training completion tracking across mandatory platforms (e.g., NINJIO, Udemy Business) and ensure role-specific training obligations are met, including Swipe team PCI requirements.
- Develop and deliver compliance communications, training materials, and policy updates to employees across all departments.
- Coordinate with HR and department heads to ensure annual policy acknowledgments and required compliance certifications are completed on schedule.
- Own the enterprise Security Awareness Training program, ensuring compliance with PCI DSS Requirement and other applicable mandates.
Reporting & Executive Partnership
- Serve as a key point of contact for compliance and risk-related questions and escalations across the organization.
- Provide regular updates to the CFO on the status of the compliance and risk programs, including audit outcomes, risk register updates, and remediation progress.
- Prepare compliance metrics, risk dashboards, and audit findings summaries for CFO and executive review.
- Coordinate with external auditors, regulators, and credit union compliance and risk stakeholders as the day-to-day point of contact.
- Identify and escalate emerging compliance and risk issues to the CFO, with recommended mitigation steps and timelines.
- Collaborate with Legal, Finance, HR, and Operations to support alignment of the compliance and risk programs with company strategy and growth objectives.
- Perform other related duties as assigned.
Required Skills/Abilities:
- Deep knowledge of SOC 2 Trust Services Criteria (TSC) and experience leading or managing SOC 2 Type II audit engagements from preparation through report issuance.
- Working knowledge of PCI DSS requirements and experience applying them within a fintech, payments, or software organization.
- Familiarity with financial services regulatory frameworks including FFIEC, GLBA, NCUA guidelines, and applicable state consumer protection and data privacy laws.
- Experience developing, implementing, and managing enterprise compliance policies, procedures, risk registers, and controls inventories.
- Demonstrated experience building or managing an enterprise risk management (ERM) framework, including risk registers, risk appetite statements, and risk reporting.
- Strong organizational and project management skills; able to manage multiple compliance and risk workstreams simultaneously with attention to detail.
- Exceptional written and verbal communication skills; able to translate complex regulatory requirements into clear, actionable guidance for technical and non-technical audiences.
- Experience partnering with Engineering and Product teams to embed compliance into software and product development processes.
- Comfort with GRC platforms and risk management tools (e.g., Drata, Vanta, LogicGate, ServiceNow GRC, or similar).
- High integrity, strong judgment, and the ability to operate as a trusted advisor to senior leadership.
- Ability to navigate ambiguity and execute within a fast-growing fintech environment with evolving compliance and risk needs.
- Proficiency with Google Workspace or Microsoft 365 and standard business productivity tools.
Education and Experience:
- Bachelor's degree in Business, Finance, Legal Studies, Information Systems, or a related field required; Master's degree a plus.
- Minimum 4+ years of progressive experience in compliance, risk management, audit, or related fields; experience within fintech, payments, or financial services strongly preferred.
- 2 or more years of hands-on experience with SOC 2 audits (as preparer, auditee, or program contributor); experience with PCI DSS compliance strongly preferred.
- 2 or more years of experience in a compliance, risk, or audit role with increasing responsibility, preferably in a growth-stage or mid-market company.
- Prior experience working with or supporting credit unions, community financial institutions, or regulated financial services clients strongly preferred.
- Experience supporting fintech, SaaS, or B2B technology companies serving regulated industries is a plus.
- Relevant professional certifications strongly preferred: CISA, CISM, CRISC, CCEP, CIPP, CFE, or equivalent.
Physical Requirements:
- Prolonged periods sitting at a desk and working on a computer.
- Must be able to lift up to 15 pounds at times.
What We Offer:
- Health, fully covered: Company-paid medical, dental, and vision insurance.
- Life & AD&D: Company-paid life and accidental death & dismemberment coverage.
- Income protection: Company-paid short- and long-term disability.
- 401(k) with match: Save for the long run, and we'll match.
- Remote allowance: Cell phone and internet connectivity expenses support.
- Flexible spending: FSA and Dependent Care (DCSA) accounts to stretch your pre-tax dollars.
- Unlimited PTO: Take the time you actually need.
- Employee Assistance Program (EAP): Confidential support for life's harder moments.
- Supplemental coverage: Voluntary insurance options to round out your plan.