BNPL businesses don't run on a single core system — they run on a chain of vendors: KYC providers doing identity
checks in milliseconds, bureau data feeding underwriting decisions, processors moving money at checkout, and
collections agencies chasing missed payments on our behalf. When any link in that chain fails, it isn't an internal
inconvenience — it's a customer who can't check out, a credit decision made on bad data, or a regulator asking why
a critical service went down with no warning.
As Vendor Risk Manager, you will own our third-party risk program end to end, from the first due diligence
questionnaire to the day a vendor is offboarded. You will be the person who can tell leadership, in plain terms,
which vendors carry the most risk and why, and you will make sure vendor failures never become customer failures.
Due Diligence & Onboarding- Run due diligence on new vendors before contracts are signed, including financial health checks, SOC 2 / ISO 27001 review, breach history, and subprocessor mapping.
- Issue a clear risk rating for every prospective vendor, with conditions attached rather than a simple pass or
fail, covering KYC, identity verification, fraud detection, credit bureau, payment processing, card issuing,
banking, and collections partners. - Sit inside the contracting process with Legal and Procurement to secure the terms that matter: audit rights,
breach notification windows, data localization commitments, exit assistance clauses, and SLAs tied to real penalties.
Risk Assessment & Ongoing Monitoring- Own vendor risk assessments across our active third-party portfolio, prioritizing critical and high-risk vendors for annual deep-dive reviews.
- Build and run tiered monitoring cadences — quarterly for critical vendors such as KYC, payment processing, and banking partners, annual for the rest — tracking control drift, subprocessor changes, and
adverse media. - Maintain the concentration risk and critical-vendor register, and be ready to explain single points of failure, such as one bureau covering the majority of underwriting volume, and what the contingency plan actually
is.
Cross-Functional Partnership- Work with Product before new vendor integrations go live — you're in the room when a new checkout partner or fraud model vendor is being evaluated, not brought in after the contract is signed.
• Prepare vendor risk reporting for the Risk Committee and Board, translating control gaps and incident
trends into decisions leadership can act on.
Offboarding & Exit Management- Manage the offboarding process for exited vendors, confirming data deletion, access revocation, and transition continuity for anything customer-facing.
- Ensure regulatory and contractual exit obligations are met and documented, particularly for vendors
classified as critical or important.
- 3–4 years in third-party risk management, vendor risk, or operational risk, ideally at a payments company, lender, bank, or fintech where vendor failure has direct customer or regulatory consequences.
- Working knowledge of NIST CSF, ISO 27001, SOC 2, and standardized assessment tools like SIG or
CAIQ — you know how to read a SOC 2 report and spot what's missing, not just file it away. - Familiarity with the regulatory landscape vendors sit inside: consumer credit rules, data privacy obligations
(GDPR/CCPA depending on footprint), PCI-DSS for anything touching card data, and
outsourcing/operational resilience expectations for critical third parties. - Comfort negotiating directly with vendors — you've pushed back on a processor's standard MSA, gotten a
fraud vendor to commit to a real SLA, and know when “our legal team will follow up” means the deal
needs to walk. - Ability to translate risk findings for people who don't think in risk terms, including explaining to a
commercial lead why a cheaper KYC vendor isn't worth the onboarding delay it will cause six months later. - Strong analytical skills with the ability to interpret vendor performance and control data to support
operational decisions. - Excellent communication and interpersonal skills, with the ability to interact effectively across all levels of
the organization. - Full professional proficiency in English required; Arabic is a plus.
Nice to have:- Direct BNPL or consumer credit experience — you've worked with bureau data, alternative credit scoring
- vendors, or collections agencies specifically.
- Hands-on experience with a GRC platform such as OneTrust, ProcessUnity, or Archer for assessment
- workflows and vendor inventory.
- CTPRP, CRISC, CISA, or CISM certification.