Compliance Program Manager

Job Overview

Location

Oregon, USA

Job Type

Full-time

Category

Software Engineering

Date Posted

February 24, 2026

Full Job Description

📋 Description

  • At OpenFX, we are at a critical juncture of global expansion within a highly regulated financial landscape. As we scale into new international markets, the expectations from regulators, auditors, and enterprise partners are clear: they demand provable, continuously operating security controls, not merely theoretical frameworks or infrequent audits. The increasing complexity and pace of compliance requirements, including standards like DORA, GDPR, SOC 2, ISO 27001, and various region-specific regulations, are outpacing our current capacity to embed them directly into our production systems. Failing to address this challenge proactively poses significant risks, including the potential to slow down our market expansion efforts, encounter failures during audits or regulatory examinations, and deploy security controls that appear robust on paper but lack true operational effectiveness.
  • This pivotal role has been established to empower OpenFX as we continue to grow our institution-grade, regulator-facing infrastructure. We are seeking an exceptional individual who can bridge the gap between abstract regulatory mandates and tangible, operational security controls. Your primary mission will be to transform complex compliance requirements into real, functioning systems and then provide irrefutable evidence to auditors that these controls are not only in place but are actively and effectively safeguarding our operations. You will be the linchpin in ensuring our infrastructure meets and exceeds the stringent security and compliance standards demanded by the global financial industry.
  • In the first 6-12 months, you will take full ownership of the security controls and the evidence required to satisfy regulators and auditors, managing the entire lifecycle from design to ongoing maintenance. Your responsibilities will encompass the design, implementation, and meticulous maintenance of both technical and operational controls crucial for SOC 2, ISO 27001, GDPR, DORA, and any emerging regional regulatory frameworks. A key aspect of your role will be to ensure these controls are not just documented in policies but are actively enforced across our AWS, Kubernetes, and application layers, providing a robust and verifiable security posture.
  • You will serve as the essential technical counterpart to our Legal, Compliance, and Risk teams. This involves translating intricate regulatory language into precise, actionable security mechanisms and collaborating closely with these departments to monitor evolving regulations and proactively assess their technical implications. A critical part of your function will be to judiciously determine what constitutes 'good enough' for compliance purposes versus what might be over-engineered, striking a balance between robust security and operational efficiency.
  • A significant focus will be on transforming our approach to audits from a reactive process to a proactive, managed operation. You will own the entire audit preparation process, including evidence collection, conducting walkthroughs with auditors, and meticulously tracking remediation efforts. The goal is to build repeatable, automated evidence pipelines that eliminate the need for last-minute scrambles, ensuring that you are the trusted point person auditors rely on when they ask, “Show me how this actually works.”
  • Furthermore, you will be instrumental in embedding compliance directly into the fabric of our platform. You will collaborate with engineering teams to design systems that are inherently secure by default and demonstrably defensible to regulators. This includes ensuring that critical areas such as logging, access controls, encryption, monitoring, and change management consistently meet and exceed regulatory expectations.
  • Automation will be a cornerstone of your strategy. You will build and deploy tooling and scripts to continuously validate controls, covering aspects like access reviews, logging coverage, and configuration drift. The overarching aim is to progressively reduce manual compliance efforts by integrating checks directly into our code and infrastructure, creating a more efficient and reliable compliance program.
  • Success in this role will be measured by tangible outcomes: the successful completion of SOC 2 and ISO 27001 audits with zero high-severity findings; the establishment of clear control ownership, a governance cadence, and a scalable compliance roadmap; readiness for GDPR and DORA compliance, including effective regulator-facing engagement and response; the ability to answer regulatory requests with concrete evidence rather than mere explanations; the seamless implementation of new regional regulatory requirements without impeding product launches; a measurable decrease in audit preparation time quarter-over-quarter due to automation; and engineering teams consistently shipping features without accumulating compliance debt. Ultimately, if audits become predictable and routine, you are excelling in this position.

Skills & Technologies

Python
AWS
Kubernetes
Remote

About OpenFX Ltd

OpenFX Ltd is a London-based visual effects software company that develops and licenses compositing, 3D and pipeline tools for film, television and advertising post-production. Its flagship product, NUKE, is an industry-standard node-based compositor used by major studios worldwide. The company also offers HIERO for shot management and review, and a growing suite of cloud-enabled production services and plug-ins designed to streamline collaborative workflows across global teams.
