BaaS Information Security Analyst

About The Position

Requirements

• Bachelor’s degree or equivalent education and experience required.
• Experience in Information Security, Risk Management, or Technology Risk, preferably within banking, fintech, or regulated financial services.
• Strong working knowledge of: GLBA Safeguards Rule, FFIEC IT Examination Handbooks, Third‑party and fintech risk management.
• Strong analytical, documentation, and communication skills with the ability to explain risk to both technical and non‑technical audiences.
• Understanding of modern security concepts (cloud, APIs, encryption, access control, vulnerability management), with emphasis on oversight and risk assessment rather than tool operation.

Nice To Haves

• Level I: Developing foundational knowledge of the Bank’s Information Security Program and BaaS risk framework. Performs security reviews and assessments with guidance and oversight. Focused on learning regulatory expectations and risk documentation standards.
• Level II: Fully proficient in performing independent BaaS and fintech security assessments. Operates with minimal supervision and provides informed risk recommendations. Regularly engages with fintech partners.
• Level III: Deep expertise in BaaS information security risk and regulatory expectations. Leads complex assessments, drives issue resolution, and influences program direction. Provides mentorship, identifies systemic risk themes, and supports examination strategy.

Responsibilities

• Perform risk‑based information security reviews of fintech partners, middleware providers, and critical third parties supporting BaaS offerings.
• Evaluate partner alignment with the Bank’s Information Security Program, standards, and control expectations, including protection of NPPI and customer data.
• Assess fintech security architectures, control implementations, and operating models to ensure they meet bank regulatory and safety & soundness expectations, not just industry norms.
• Translate regulatory requirements into clear, actionable security expectations for fintech partners.
• Facilitate and review information security risk assessments for BaaS partners, platforms, products, and material changes.
• Identify control gaps, weaknesses, or non‑compliance relative to: GLBA Safeguards Rule, FFIEC IT Examination Handbooks, FDIC Appendix B (Safety & Soundness), FDIC Appendix J (Information Security Standards).
• Document findings, assess risk severity, and drive remediation through issue management, action plans, and committed timelines.
• Monitor remediation progress and provide credible challenge where risk acceptance is proposed.
• Support the Bank’s third‑party risk management lifecycle for BaaS relationships, including onboarding, ongoing monitoring, and periodic reassessment.
• Review and evaluate: Information security policies and programs, SOC reports and independent audits, Penetration testing and vulnerability management results, Incident response and business continuity capabilities.
• Provide guidance to internal stakeholders on regulatory defensibility of BaaS security decisions.
• Participate in information security incident response activities, including fintech‑related incidents impacting Bank customers or systems.
• Assess partner in incident response preparedness, escalation procedures, and notification obligations.
• Support examination readiness by ensuring documentation, risk decisions, and control assessments are clear, consistent, and defensible to regulators.
• Serve as an information security advisor to internal teams and fintech partners, balancing innovation with regulatory conservatism.
• Stay current on emerging fintech risks, cloud security patterns, API security, and regulatory guidance impacting BaaS.
• Proactively identify opportunities to strengthen the Bank’s BaaS program’s security posture, governance, and standards.
• Interacts harmoniously and effectively with others, focusing upon the attainment of bank goals and objectives through a commitment to teamwork.
• Assists in ensuring that the Bank is in compliance with local, state and federal regulations.
• Conforms to acceptable punctuality/attendance standards as expressed in the Employee Handbook.
• Must be able to work in a fast-paced environment with demonstrated ability to juggle multiple competing tasks and demands.

Benefits

• internal and external training
• internships
• lateral training
• management training
• tuition reimbursement
• holistic health and wellness programs
• pay, rewards, recognition, and incentive programs