Overview
We are seeking a highly motivated, hands-on Head of Compliance & Privacy to lead, scale, and operationalize our payments, regulatory, technical compliance, and data privacy programs. Reporting directly to the Sr. Director of Legal & Compliance, you will own the day-to-day operations of our compliance and privacy frameworks in a fast-paced fintech/insurtech environment.
You are the ideal candidate if you are deeply knowledgeable about the nuances of payment processing (specifically ACH and credit card), possess a proven track record managing PCI-DSS audits, understand the strict data privacy mandates governing financial and consumer data, and enjoy turning complex regulatory requirements into practical, scalable business workflows.
KEY RESPONSIBILITIES
1. Payments & Regulatory Compliance Oversight
- ACH & NACHA Operations: Maintain, update, and audit internal frameworks to ensure 100% alignment with NACHA Operating Rules (including Phase 2 monitoring and compliance).
- Card Network & PayFac Compliance: Monitor and enforce compliance with Visa, Mastercard, Discover, and American Express rules, with a particular focus on merchant surcharge regulations and state-level limits.
- Licensing & Regulatory Monitoring: Track state-by-state money transmission laws, FinCEN requirements, and coordinate required regulatory filings, reports, and disclosures.
- AML Compliance & Audit Coordination: Serve as the primary point of coordination for annual AML audits, managing timelines and cross-functional responses in close partnership with the Payment Operations and Risk teams.
2. Security Compliance, PCI-DSS, & Data Privacy Ownership
- PCI-DSS Level 1 Maintenance: Serve as the internal program manager for our annual PCI-DSS Level 1 certification. Act as the primary liaison with our external Qualified Security Assessor (QSA).
- Privacy Program Management: Build, maintain, and scale ePayPolicy's data privacy compliance framework. Ensure strict compliance with applicable US federal laws (GLBA, Regulation E/EFTA), state-level privacy mandates (such as CCPA/CPRA and state insurance laws), and Canadian privacy legislation (PIPEDA).
- Data Mapping & Impact Assessments: Conduct regular data inventory mapping, lead Privacy Impact Assessments (PIAs) for new system integrations, and manage consumer privacy rights response workflows (DSARs).
- Audit Readiness & GRC: Work closely with our internal IT, Security (InfoSec), and Engineering teams to manage ongoing compliance control testing, penetration testing schedules, and vulnerability scans.
- Third-Party Risk Management (TPRM): Collaborate on the annual assessment calendar for vendors, reviewing vendor SOC reports, vendor security profiles, and privacy practices to evaluate third-party data sharing risks.
3. Policy Drafting, Procurement & Business Enablement
- Contractual & Procurement Reviews: Review inbound procurement requests from a compliance and contractual perspective, and update client-facing compliance terms, including Data Processing Agreements (DPAs) and Proprietary Information Agreements (PIAs).
- Internal Policies: Draft, update, and manage company-wide compliance manuals, Incident Response Plans, Business Continuity policies, and external-facing Privacy Policies.
- Cross-Functional Advisory: Provide practical, high-judgment compliance and privacy guidance to Product, Engineering, and Sales teams during the development of new products, regional expansions (such as Canadian setup), and third-party integrations (Salesforce, DocuSign, etc.).
REQUIRED QUALIFICATIONS
- Experience: 5-7 years of professional legal experience plus 2-3 years of dedicated compliance experience within the payments, FinTech, InsurTech, or Payment Facilitator (PayFac) space.
- Technical Compliance & PCI-DSS: Direct, hands-on experience leading a company through a PCI-DSS compliance audit (ideally Level 1 or Level 2) and managing relationships with external QSAs.
- Data Privacy Expertise: Practical experience implementing and managing data privacy programs under GLBA, CCPA/CPRA, and/or PIPEDA within a financial services or cloud software context.
- Regulatory Knowledge: Deep understanding of NACHA Operating Rules, card network operating regulations, FinCEN compliance, and BSA/AML protocols.
- Strategic Thinker, Practical Executor: Strong execution skills; you are comfortable rolling up your sleeves to draft policies, map data flows, audit logs, and test controls yourself.
- Communication Skills: Excellent written and verbal communication skills. Ability to translate dense regulatory and privacy concepts into digestible insights for non-legal stakeholders.
- Adaptable Mindset: An "Optimistic Grit" and "No Ego, Amigo" attitude, thriving in a high-growth, fast-paced environment where priorities dynamically evolve.
- Education: Juris Doctor (J.D.) degree from an accredited law school, active membership in a State Bar, and license to practice law in good standing.
PREFERRED QUALIFICATIONS
- Professional privacy or compliance certifications (e.g., CIPP/US, CIPP/C, CAMS, CISA, or equivalent) preferred.
- Experience with cross-border payment compliance and international privacy rules (specifically US-Canada payment operations) is a major asset.
- Experience integrating compliance tooling into GRC platforms, Salesforce, or client-onboarding workflows.
Why ePayPolicy
- Competitive salary
- Comprehensive benefits package with employer-paid basic life and disability premiums
- 401K
- Flexible Paid Time Off Policy (FTO)
- Company-sponsored quarterly "ePayItForward" initiatives
- Supportive and inclusive company culture with a focus on work/life balance
- Fully-stocked kitchen
- Lunch stipend when working onsite
- Open communication (We won't box you in! If you have a cool idea for a product improvement or a suggestion on how to improve the customer experience, let's talk about it. We value everyone's ideas and opinions.)
- Huge opportunity for growth
We operate on a hybrid schedule for in-office employees. Standard schedules are three days per week in the office; however, the cadence and days are determined by each team and manager.