
Compliance Officer — Fintech (RBI & NPCI Regulated)

Paydoh
Full Time, Junior
Mumbai, Maharashtra, IN. Posted 3 days ago

Role Overview

Paydoh is hiring an entry-level Compliance Officer — Fintech (RBI & NPCI Regulated). This is a full-time role in Mumbai, part of Paydoh's Risk hiring, posted 3 days ago. Full responsibilities, required qualifications, and the apply link are listed in the description below.

Salary Context

Salary is not disclosed in this posting. Market median for Junior-level Risk roles is $76k-$114k (based on 34 comparable listings). Many employers share specifics during the interview process or after an initial screen.

Resume Keywords to Include

Make sure these keywords appear in your resume to improve ATS scoring:

OR, Stakeholder Management, KPIs, Compliance, SOC 2, ISO 27001, PCI DSS, Privacy

Job Description

Position: Compliance Officer

Department: Risk, Governance & Compliance

Experience Required

3+ years' overall experience in information security / compliance, of which at least 2 years' experience working directly with RBI-regulated entities (bank, NBFC, or payment aggregator), including hands-on involvement in at least one RBI System Audit Report (SAR) cycle and/or NPCI compliance audit.

Qualification: Graduation (any discipline); a background in IT, Information Security, Finance, or Law is preferred

Mandatory Certification: CISA (Certified Information Systems Auditor)

Core KPIs: Zero Audit Non-Compliance & 100% System Uptime

Role Overview

The Compliance Officer will own the end-to-end regulatory and certification compliance posture of the organization, acting as the primary liaison between the company, its auditors, the partner bank, NPCI, and regulatory bodies including RBI and CERT-In. This role is critical to maintaining the company's license to operate within India's payments ecosystem and requires direct, demonstrable experience navigating RBI and NPCI compliance cycles.

Key Responsibilities

Audit Ownership

  • Lead the end-to-end certification process for ISO 27001, PCI DSS, and SOC 2 Type II.
  • Own preparation, evidence collection, and closure for all internal and external audits.

Technical Liaison

  • Manage the relationship with CERT-In auditors for annual and quarterly VAPT cycles.
  • Coordinate VAPT scope, remediation tracking, and closure across network, application, and cloud layers.

Regulatory Reporting

  • Prepare and submit "Cyber Security Adequacy" reports to the partner bank and NPCI (for UPI/Card interactions) on a quarterly/annual basis as per applicable SLAs.
  • Own preparation and submission of the annual RBI System Audit Report (SAR) via a CERT-In empanelled auditor.
  • Ensure ongoing compliance with RBI's Master Directions on IT Governance and the Cyber Security Framework for Payment System Operators.

Privacy by Design

  • Act as the Data Protection Officer (DPO), including maintaining Records of Processing Activities (RoPA) and handling data principal requests under the DPDP Act, 2023.

Incident Response

  • Maintain a Board-approved Cyber Crisis Management Plan (CCMP).
  • Report any breach to the RBI/CERT-In within the mandatory 6-hour window.
  • Conduct periodic incident response drills and tabletop exercises.

NPCI & Payments Compliance

  • Ensure ongoing compliance with NPCI's UPI Procedural Guidelines as applicable.
  • Support vendor and third-party risk reviews in line with RBI outsourcing guidelines.

Required Certifications

  • CISA (Certified Information Systems Auditor) — Essential for RBI audits.
  • ISO 27001 Lead Auditor, or PCI DSS QSA/ISA — preferred, but not mandatory.

Required Experience

  • Minimum 2 years' experience working directly with RBI-regulated entities (bank, NBFC, or payment aggregator).
  • Hands-on involvement in at least one RBI System Audit Report (SAR) cycle and/or NPCI compliance audit.
  • Demonstrable familiarity with RBI's Master Directions on IT Governance, Cyber Security Framework, and CERT-In breach reporting requirements.
  • Prior experience preparing or reviewing Cyber Security Adequacy reports is highly desirable.

Key Attributes

  • Ability to translate regulatory requirements into actionable engineering and operational tasks.
  • Strong stakeholder management skills — comfortable presenting to the Board's Risk/Audit Committee.
  • High attention to detail with a track record of zero critical audit findings.
  • Calm, structured decision-making under incident/crisis conditions.

Core KPIs

  • Zero critical audit non-compliances across ISO 27001, PCI DSS, SOC 2, and RBI/NPCI audits.
  • 100% on-time submission of regulatory reports (SAR, CCMP, Cyber Security Adequacy reports).
  • Breach reporting completed within the 6-hour RBI/CERT-In mandatory window, where applicable.
  • 100% System Uptime.

Job Type: Permanent

CTC: Up to ₹6.50 LPA

Joining: Immediate joiners preferred

Interested candidates can send their CVs to seema@paydoh.in.

About Paydoh

Paydoh

paydoh.in

Category: Risk. Work mode: On-site.

Frequently Asked Questions

How do I apply for the Compliance Officer — Fintech (RBI & NPCI Regulated) position at Paydoh?

Use the Apply button above to submit your application directly to Paydoh. Most applications take less than 5 minutes if your resume and contact details are ready, and you'll be routed to the employer's official application system to finish.

Where is the Compliance Officer — Fintech (RBI & NPCI Regulated) position at Paydoh located?

This position is based in Mumbai. Paydoh has not indicated remote or hybrid options for this role, so candidates should plan for on-site work.

What does a Compliance Officer — Fintech (RBI & NPCI Regulated) at Paydoh earn?

Paydoh has not disclosed a salary range in this posting. Many employers share specifics later in the interview process; you can also ask during a recruiter screen if compensation transparency is important to you.

When was the Compliance Officer — Fintech (RBI & NPCI Regulated) role at Paydoh posted?

This role was posted on June 24, 2026 (3 days ago). It's still listed as actively hiring; we re-confirm openings against the source system multiple times per day and remove closed roles.

Is the Compliance Officer — Fintech (RBI & NPCI Regulated) role at Paydoh entry-level?

Yes. This is an entry-level position. Strong candidates typically have 0-2 years of relevant work experience, internships, or significant project work. Read the full description for any specific qualification requirements Paydoh has listed.
