Head of Compliance & Privacy

ePayPolicy
Austin, TX
Hybrid

About The Position

Every day, ePayPolicy helps over 10,000 insurance companies speed up incoming and outgoing payments. By helping them move from manual, outdated forms of payment collection to modern payment tools, we help their companies work faster and more efficiently. Our expert, live support team helps deliver exceptional care every day, with an industry-leading 97% customer retention rate. Founded in 2014, our growing team is based in Austin, TX, and has clients in all 50 US states. We’ve grown over 300% in the last three years, with big plans for the future.

We are seeking a highly motivated, hands-on Head of Compliance & Privacy to lead, scale, and operationalize our payments, regulatory, technical compliance, and data privacy programs. Reporting directly to the Sr. Director of Legal & Compliance, you will own the day-to-day operations of our compliance and privacy frameworks in a fast-paced fintech/insurtech environment.

You are the ideal candidate if you are deeply knowledgeable about the nuances of payment processing (specifically ACH and credit card), possess a proven track record managing PCI-DSS audits, understand the strict data privacy mandates governing financial and consumer data, and enjoy turning complex regulatory requirements into practical, scalable business workflows.

Requirements

  • 5-7 years of professional legal experience plus 2-3 years of dedicated compliance experience within the payments, FinTech, InsurTech, or Payment Facilitator (PayFac) space.
  • Direct, hands-on experience leading a company through a PCI-DSS compliance audit (ideally Level 1 or Level 2) and managing relationships with external QSAs.
  • Practical experience implementing and managing data privacy programs under GLBA, CCPA/CPRA, and/or PIPEDA within a financial services or cloud software context.
  • Deep understanding of NACHA Operating Rules, card network operating regulations, FinCEN compliance, and BSA/AML protocols.
  • Strong execution skills; you are comfortable rolling up your sleeves to draft policies, map data flows, audit logs, and test controls yourself.
  • Excellent written and verbal communication skills. Ability to translate dense regulatory and privacy concepts into digestible insights for non-legal stakeholders.
  • An "Optimistic Grit" and "No Ego, Amigo" attitude, thriving in a high-growth, fast-paced environment where priorities dynamically evolve.
  • Juris Doctor (J.D.) degree from an accredited law school, active membership in a State Bar, and license to practice law in good standing.

Nice To Haves

  • Professional privacy or compliance certifications (e.g., CIPP/US, CIPP/C, CAMS, CISA, or equivalent) preferred.
  • Experience with cross-border payment compliance and international privacy rules (specifically US-Canada payment operations) is a major asset.
  • Experience integrating compliance tooling into GRC platforms, Salesforce, or client-onboarding workflows.

Responsibilities

  • Maintain, update, and audit internal frameworks to ensure 100% alignment with NACHA Operating Rules (including Phase 2 monitoring and compliance).
  • Monitor and enforce compliance with Visa, Mastercard, Discover, and American Express rules, with a particular focus on merchant surcharge regulations and state-level limits.
  • Track state-by-state money transmission laws, FinCEN requirements, and coordinate required regulatory filings, reports, and disclosures.
  • Serve as the primary point of coordination for annual AML audits, managing timelines and cross-functional responses in close partnership with the Payment Operations and Risk teams.
  • Serve as the internal program manager for our annual PCI-DSS Level 1 certification. Act as the primary liaison with our external Qualified Security Assessor (QSA).
  • Build, maintain, and scale ePayPolicy's data privacy compliance framework. Ensure strict compliance with applicable US federal laws (GLBA, Regulation E/EFTA), state-level privacy mandates (such as CCPA/CPRA and state insurance laws), and Canadian privacy legislation (PIPEDA).
  • Conduct regular data inventory mapping, lead Privacy Impact Assessments (PIAs) for new system integrations, and manage consumer privacy rights response workflows (DSARs).
  • Work closely with our internal IT, Security (InfoSec), and Engineering teams to manage ongoing compliance control testing, penetration testing schedules, and vulnerability scans.
  • Collaborate on the annual assessment calendar for vendors, reviewing vendor SOC reports, vendor security profiles, and privacy practices to evaluate third-party data sharing risks.
  • Review inbound procurement requests from a compliance and contractual perspective, and update client-facing compliance terms, including Data Processing Agreements (DPAs) and Proprietary Information Agreements (PIAs).
  • Draft, update, and manage company-wide compliance manuals, Incident Response Plans, Business Continuity policies, and external-facing Privacy Policies.
  • Provide practical, high-judgment compliance and privacy guidance to Product, Engineering, and Sales teams during the development of new products, regional expansions (such as Canadian setup), and third-party integrations (Salesforce, DocuSign, etc.).

Benefits

  • Competitive salary
  • Comprehensive benefits package with employer-paid basic life and disability premiums
  • 401K
  • Flexible Paid Time Off Policy (FTO)
  • Company-sponsored quarterly “ePayItForward” initiatives
  • Supportive and inclusive company culture with a focus on work/life balance
  • Fully-stocked kitchen
  • Lunch stipend when working onsite
  • Open communication
  • Huge opportunity for growth