FLSA Classification: Exempt
Reports To: Chief Financial Officer (CFO)
Job Summary:
The Compliance & Risk Manager is responsible for managing and executing Blossom’s compliance and risk management programs. Reporting to the CFO, this role oversees day-to-day compliance operations across all regulatory, security, and audit functions (including SOC 2 Type II, PCI DSS, and all compliance obligations associated with Blossom’s hardware and software products) while maintaining a risk management framework that identifies, tracks, and mitigates operational, financial, regulatory, and strategic risks. This role collaborates closely with Engineering, Product, Legal, HR, and Operations to support a culture of compliance and risk awareness across the organization. This role works in close partnership with the IT and Infrastructure function, which retains ownership of technical security controls, HSM/key management, and PCI Security; the Compliance & Risk Manager owns program management, audit coordination, the enterprise risk framework, and policy.
Supervisory Responsibilities:
Support the recruitment and onboarding of compliance and risk staff; provide day-to-day guidance and oversight to any direct reports within the function.
Duties/Responsibilities:
Audit & Certification Management
Own the end-to-end SOC 2 Type II audit lifecycle: scope definition, control design, evidence collection, auditor coordination, and remediation tracking.
Lead PCI DSS compliance efforts across applicable business units, including scope management, gap assessments, and coordination with Qualified Security Assessors (QSAs).
Manage relationships with external auditors, assessors, and certification bodies; serve as primary point of contact during audit engagements.
Maintain a comprehensive controls inventory; ensure all controls are documented, tested, and operating effectively.
Track and manage audit findings and remediation plans through to closure in collaboration with control owners.
Enterprise Risk Management
Manage and maintain the enterprise risk management (ERM) framework, ensuring risks across operational, regulatory, financial, strategic, and technology domains are identified, assessed, prioritized, and tracked.
Maintain and update the company-wide risk register; coordinate with risk owners to ensure mitigation and remediation plans are tracked to resolution.
Conduct periodic enterprise risk assessments; summarize findings and risk trends for CFO review.
Collaborate with Product, Engineering, Finance, HR, and Operations to identify and flag risks associated with new initiatives, product launches, and process changes.
Support operational risk programs including business continuity planning (BCP), disaster recovery readiness, and incident response protocols in coordination with IT and Engineering.
Administer the third-party and vendor risk assessment process, evaluating vendors for security, financial stability, regulatory alignment, and contractual risk.
Monitor the evolving risk landscape—including emerging cyber threats, regulatory changes, and market developments—and flag potential impact to leadership.
Support the CFO in maintaining the company’s risk appetite and tolerance thresholds; help ensure business decisions align with established risk parameters.
Respond to credit union client risk and security due diligence requests, including vendor questionnaires and risk assessments.
Maintain required risk documentation including the risk register, risk appetite statements, and reporting artifacts in a manner that supports executive review and external audit.
Regulatory & Policy Compliance
Monitor and interpret federal, state, and credit union-specific regulatory requirements applicable to Blossom’s software and hardware products (e.g., NCUA guidance, FFIEC frameworks, GLBA, applicable state laws).
Maintain and update company-wide compliance policies, standards, and procedures; ensure alignment with regulatory requirements and industry best practices.
Conduct regular internal audits and control testing to evaluate compliance with applicable laws, regulations, and internal policies.
Hardware & Software Product Compliance
Ensure Blossom’s hardware and software products comply with applicable regulatory standards, including security and interoperability requirements for financial technology solutions used by credit unions.
Collaborate with Product and Engineering teams to embed security and compliance requirements into the SDLC and hardware release processes.
Advise on compliance and risk implications of new product features, APIs, and data integrations with credit union core systems and third-party platforms.
Ensure the organization meets all data privacy requirements, including applicable provisions of state privacy laws and any credit union member data obligations.
Security Awareness & Training Oversight
Partner with HR to support compliance training integration into onboarding and ongoing employee development.
Promote a compliance- and risk-aware culture by supporting cross-functional teams with guidance on regulatory obligations and risk.
Oversee training completion tracking across mandatory platforms (e.g., NINJIO, Udemy Business) and ensure role-specific training obligations are met, including Swipe team PCI requirements.
Develop and deliver compliance communications, training materials, and policy updates to employees across all departments.
Coordinate with HR and department heads to ensure annual policy acknowledgments and required compliance certifications are completed on schedule.
Own the enterprise Security Awareness Training program, ensuring compliance with PCI DSS Requirement and other applicable mandates.
Reporting & Executive Partnership
Serve as a key point of contact for compliance and risk-related questions and escalations across the organization.
Provide regular updates to the CFO on the status of the compliance and risk programs, including audit outcomes, risk register updates, and remediation progress.
Prepare compliance metrics, risk dashboards, and audit findings summaries for CFO and executive review.
Coordinate with external auditors, regulators, and credit union compliance and risk stakeholders as the day-to-day point of contact.
Identify and escalate emerging compliance and risk issues to the CFO, with recommended mitigation steps and timelines.
Collaborate with Legal, Finance, HR, and Operations to support alignment of the compliance and risk programs with company strategy and growth objectives.
Perform other related duties as assigned.
Required Skills/Abilities:
Deep knowledge of SOC 2 Trust Services Criteria (TSC) and experience leading or managing SOC 2 Type II audit engagements from preparation through report issuance.
Working knowledge of PCI DSS requirements and experience applying them within a fintech, payments, or software organization.
Familiarity with financial services regulatory frameworks including FFIEC, GLBA, NCUA guidelines, and applicable state consumer protection and data privacy laws.
Experience developing, implementing, and managing enterprise compliance policies, procedures, risk registers, and controls inventories.
Demonstrated experience building or managing an enterprise risk management (ERM) framework, including risk registers, risk appetite statements, and risk reporting.
Strong organizational and project management skills; able to manage multiple compliance and risk workstreams simultaneously with attention to detail.
Exceptional written and verbal communication skills; able to translate complex regulatory requirements into clear, actionable guidance for technical and non-technical audiences.
Experience partnering with Engineering and Product teams to embed compliance into software and product development processes.
Comfort with GRC platforms and risk management tools (e.g., Drata, Vanta, LogicGate, ServiceNow GRC, or similar).
High integrity, strong judgment, and the ability to operate as a trusted advisor to senior leadership.
Ability to navigate ambiguity and execute within a fast-growing fintech environment with evolving compliance and risk needs.
Proficiency with Google Workspace or Microsoft 365 and standard business productivity tools.
Education and Experience:
Bachelor’s degree in Business, Finance, Legal Studies, Information Systems, or a related field required; Master’s degree a plus.
At least 4 years of progressive experience in compliance, risk management, audit, or related fields; experience within fintech, payments, or financial services strongly preferred.
2 or more years of hands-on experience with SOC 2 audits (as preparer, auditee, or program contributor); experience with PCI DSS compliance strongly preferred.
2 or more years of experience in a compliance, risk, or audit role with increasing responsibility, preferably in a growth-stage or mid-market company.
Prior experience working with or supporting credit unions, community financial institutions, or regulated financial services clients strongly preferred.
Experience supporting fintech, SaaS, or B2B technology companies serving regulated industries is a plus.
Relevant professional certifications strongly preferred: CISA, CISM, CRISC, CCEP, CIPP, CFE, or equivalent.
Physical Requirements:
Prolonged periods sitting at a desk and working on a computer.
Must be able to lift up to 15 pounds at times.
What We Offer:
Health, fully covered: Company-paid medical, dental, and vision insurance.
Life & AD&D: Company-paid life and accidental death & dismemberment coverage.
Income protection: Company-paid short- and long-term disability.
401(k) with match: Save for the long run, and we’ll match.
Remote allowance: Cell phone and internet connectivity expenses support.
Flexible spending: FSA and Dependent Care (DCSA) accounts to stretch your pre-tax dollars.
Unlimited PTO: Take the time you actually need.
Employee Assistance Program (EAP): Confidential support for life’s harder moments.
Supplemental coverage: Voluntary insurance options to round out your plan.
Skills Required
- Bachelor's degree in Business, Finance, Legal Studies, Information Systems, or related field
- At least 4 years of progressive experience in compliance, risk management, audit, or related fields
- 2+ years hands-on experience with SOC 2 audits (preparation, evidence collection, remediation)
- Working knowledge of PCI DSS and experience applying PCI in a fintech or payments environment
- Familiarity with financial services regulatory frameworks (FFIEC, GLBA, NCUA, state privacy laws)
- Experience developing, implementing, and managing an enterprise risk management (ERM) framework and risk register
- Experience managing audit and certification lifecycles and tracking remediation to closure
- Experience administering third-party and vendor risk assessment processes
- Comfort with GRC platforms and risk management tools (e.g., Drata, Vanta, LogicGate, ServiceNow GRC)
- Experience partnering with Engineering and Product to embed compliance into the SDLC and product release processes
- Relevant professional certifications (CISA, CISM, CRISC, CCEP, CIPP, CFE, or equivalent)
- Proficiency with Google Workspace or Microsoft 365 and standard business productivity tools
- Strong organizational, project management, and communication skills
- Experience working with fintech, payments, credit unions, or regulated financial services clients
- Master's degree in a related field
What We Do
Blossom is a growing ecosystem of fully integrated core banking, digital banking and payments solutions. Born in the cloud and reimagined with credit unions to replace outdated systems and patchwork tools, one vendor at a time. Founded in 2020, Blossom acquired HomeCU in the same year, went live with its new platform in 2023 and acquired CUProdigy in 2024. Today, the company serves close to 400 credit unions, thousands of employees and millions of members. Headquartered in Ogden, UT and Coral Gables, FL, Blossom is on a mission to build the first intelligent banking system that puts credit unions at the center of their members' financial lives, helping local communities thrive and transforming the way people experience money.