
BaaS Information Security Analyst

Job in Bangor, Penobscot County, Maine, 04402, USA
Listing for: Bangor Savings Bank
Full Time position
Listed on 2026-06-09
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, Data Security
Job Description & How to Apply Below
Responsible for the oversight, execution, and ongoing effectiveness of the Bank's Information Security Program as it applies to Banking‑as‑a‑Service (BaaS) fintech partners.

This role ensures that bank‑grade information security, safety and soundness, and regulatory requirements are consistently applied to fintech and BaaS ecosystems. Responsibilities include identifying information assets and associated risks, assessing control effectiveness, and driving remediation through preventive, detective, and corrective controls in alignment with federal regulations.

Core Accountabilities

BaaS & Fintech Information Security Oversight

* Perform risk‑based information security reviews of fintech partners, middleware providers, and critical third parties supporting BaaS offerings.

* Evaluate partner alignment with the Bank's Information Security Program, standards, and control expectations, including protection of NPPI and customer data.

* Assess fintech security architectures, control implementations, and operating models to ensure they meet bank regulatory and safety & soundness expectations, not just industry norms.

* Translate regulatory requirements into clear, actionable security expectations for fintech partners.

Risk Assessment & Issue Management

* Facilitate and review information security risk assessments for BaaS partners, platforms, products, and material changes.

* Identify control gaps, weaknesses, or non‑compliance relative to:

  * GLBA Safeguards Rule

  * FFIEC IT Examination Handbooks

  * FDIC Appendix B (Safety & Soundness)

  * FDIC Appendix J (Information Security Standards)

* Document findings, assess risk severity, and drive remediation through issue management, action plans, and committed timelines.

* Monitor remediation progress and provide credible challenge where risk acceptance is proposed.

Third‑Party & Program Governance

* Support the Bank's third‑party risk management lifecycle for BaaS relationships, including onboarding, ongoing monitoring, and periodic reassessment.

* Review and evaluate:

  * Information security policies and programs

  * SOC reports and independent audits

  * Penetration testing and vulnerability management results

  * Incident response and business continuity capabilities

* Provide guidance to internal stakeholders on regulatory defensibility of BaaS security decisions.

Incident Response & Regulatory Readiness

* Participate in information security incident response activities, including fintech‑related incidents impacting Bank customers or systems.

* Assess partner incident response preparedness, escalation procedures, and notification obligations.

* Support examination readiness by ensuring documentation, risk decisions, and control assessments are clear, consistent, and defensible to regulators.

Advisory & Continuous Improvement

* Serve as an information security advisor to internal teams and fintech partners, balancing innovation with regulatory conservatism.

* Stay current on emerging fintech risks, cloud security patterns, API security, and regulatory guidance impacting BaaS.

* Proactively identify opportunities to strengthen the Bank's BaaS program's security posture, governance, and standards.

General

* Interacts harmoniously and effectively with others, focusing upon the attainment of bank goals and objectives through a commitment to teamwork.

* Assists in ensuring that the Bank is in compliance with local, state and federal regulations.

* Conforms to acceptable punctuality/attendance standards as expressed in the Employee Handbook.

* Must be able to work in a fast-paced environment with demonstrated ability to juggle multiple competing tasks and demands.

Skills & Knowledge

* Bachelor's degree or equivalent education and experience required.

* Experience in Information Security, Risk Management, or Technology Risk, preferably within banking, fintech, or regulated financial services.

* Strong working knowledge of:

  * GLBA Safeguards Rule

  * FFIEC IT Examination Handbooks

  * Third‑party and fintech risk management

* Strong analytical, documentation, and communication skills with the ability to explain risk to both technical and non‑technical audiences.

* Understanding of modern security concepts (cloud,…