Responsible for the oversight, execution, and ongoing effectiveness of the Bank's Information Security Program as it applies to Banking‑as‑a‑Service (BaaS) fintech partners.
This role ensures that bank‑grade information security, safety and soundness, and regulatory requirements are consistently applied to fintech and BaaS ecosystems. Responsibilities include identifying information assets and associated risks, assessing control effectiveness, and driving remediation through preventive, detective, and corrective controls in alignment with federal regulations.
Core Accountabilities
BaaS & Fintech Information Security Oversight
Perform risk‑based information security reviews of fintech partners, middleware providers, and critical third parties supporting BaaS offerings.
Evaluate partner alignment with the Bank's Information Security Program, standards, and control expectations, including protection of NPPI and customer data.
Assess fintech security architectures, control implementations, and operating models to ensure they meet bank regulatory and safety & soundness expectations, not just industry norms.
Translate regulatory requirements into clear, actionable security expectations for fintech partners.
Risk Assessment & Issue Management
Facilitate and review information security risk assessments for BaaS partners, platforms, products, and material changes.
Identify control gaps, weaknesses, or non‑compliance relative to:
GLBA Safeguards Rule
FFIEC IT Examination Handbooks
FDIC 12 CFR Part 364, Appendix A (Interagency Guidelines Establishing Standards for Safety & Soundness)
FDIC 12 CFR Part 364, Appendix B (Interagency Guidelines Establishing Information Security Standards)
Document findings, assess risk severity, and drive remediation through issue management, action plans, and committed timelines.
Monitor remediation progress and provide credible challenge where risk acceptance is proposed.
Third‑Party & Program Governance
Support the Bank's third‑party risk management lifecycle for BaaS relationships, including onboarding, ongoing monitoring, and periodic reassessment.
Review and evaluate:
Information security policies and programs
SOC reports and independent audits
Penetration testing and vulnerability management results
Incident response and business continuity capabilities
Provide guidance to internal stakeholders on regulatory defensibility of BaaS security decisions.
Incident Response & Regulatory Readiness
Participate in information security incident response activities, including fintech‑related incidents impacting Bank customers or systems.
Assess partners' incident response preparedness, escalation procedures, and customer and regulatory notification obligations.
Support examination readiness by ensuring documentation, risk decisions, and control assessments are clear, consistent, and defensible to regulators.
Advisory & Continuous Improvement
Serve as an information security advisor to internal teams and fintech partners, balancing innovation with regulatory conservatism.
Stay current on emerging fintech risks, cloud security patterns, API security, and regulatory guidance impacting BaaS.
Proactively identify opportunities to strengthen the Bank's BaaS program's security posture, governance, and standards.
General
Interacts harmoniously and effectively with others, focusing upon the attainment of bank goals and objectives through a commitment to teamwork.
Assists in ensuring that the Bank is in compliance with local, state and federal regulations.
Conforms to acceptable punctuality/attendance standards as expressed in the Employee Handbook.
Must be able to work in a fast-paced environment with demonstrated ability to juggle multiple competing tasks and demands.
Skills & Knowledge
Bachelor's degree or equivalent education and experience required.
Experience in Information Security, Risk Management, or Technology Risk, preferably within banking, fintech, or regulated financial services.
Strong working knowledge of:
GLBA Safeguards Rule
FFIEC IT Examination Handbooks
Third‑party and fintech risk management
Strong analytical, documentation, and communication skills with the ability to explain risk to both technical and non‑technical audiences.
Understanding of modern security concepts (cloud, APIs, encryption, access control, vulnerability management), with emphasis on oversight and risk assessment rather than tool operation.
Role Levels
Level I
Developing foundational knowledge of the Bank's Information Security Program and BaaS risk framework.
Performs security reviews and assessments with guidance and oversight.
Focused on learning regulatory expectations and risk documentation standards.
Level II
Fully proficient in performing independent BaaS and fintech security assessments.
Operates with minimal supervision and provides informed risk recommendations.
Regularly engages with fintech partners.
Level III
Deep expertise in BaaS information security risk and regulatory expectations.
Leads complex assessments, drives issue resolution, and influences program direction.
Provides mentorship, identifies systemic risk themes, and supports examination strategy.
Physical Demands/Conditions Requirements:
Equipment Used:
External and internal applicants, as well as position incumbents who become disabled must be able to perform the essential functions (as listed) either unaided or with the assistance of a reasonable accommodation to be determined by management on an individual basis.