• Detect, triage, and respond to fraud attacks (e.g., card testing, account takeover, refund/chargeback abuse, synthetic identity) using internal and external tools • Own incident response for risk events: contain, investigate, document, and drive remediation; participate in on-call/escalation coverage as needed • Perform high-judgment investigations and make consistent allow/deny/hold decisions for transactions, accounts, and partner activity • Build decision frameworks and escalation paths that balance fraud loss, customer experience, and regulatory/compliance constraints • Own dispute operations end-to-end, including monitoring and responding to dispute inquiries/alerts, customer communications, evidence gathering, representment submission, and deadline management • Maintain clean case notes and audit trails; ensure timely, accurate responses that maximize win rate while minimizing customer friction • Analyze dispute reason codes and inquiry drivers; implement prevention tactics to reduce repeat disputes and friendly fraud • Define and track core risk metrics (fraud loss, net loss, chargeback rate, approval rate, manual review rate, false positives, backlog health) • Build reporting and propose/implement controls: velocity rules, blocklists/allowlists, step-up verification, 3DS/issuer strategy and policy updates • Work closely with Product/Engineering/Data to translate patterns into tooling and product changes • Manage external relationships as needed (processors/acquirers, fraud vendors, card networks/issuers) and drive to underlying fixes, not just band-aids

Employee Applicant Privacy Notice Who we are: Shape a brighter financial future with us. Together with our members, we’re changing the way people think about and interact with personal finance. We’re a next-generation financial services company and national bank using innovative, mobile-first technology to help our millions of members reach their goals. The industry is going through an unprecedented transformation, and we’re at the forefront. We’re proud to come to work every day knowing that what we do has a direct impact on people’s lives, with our core values guiding us every step of the way. Join us to invest in yourself, your career, and the financial world. The role: The Operational Risk Challenge & Advisory Senior Analyst is a Second Line of Defense (2LOD) role responsible for providing credible challenges in accordance with SoFi’s Operational Risk Credible Challenge Standard. This role moves beyond traditional oversight, acting as both a challenger and a strategic advisory partner. You will apply a deep understanding of operational risk to provide informed, independent, and constructive feedback of SoFi’s risk-taking activities, ensuring they align with the Company’s risk appetite and regulatory expectations. This is a unique opportunity to expand the Senior Analyst’s footprint and take on increased responsibility within a critical second line of defense (2LOD) function. The senior analyst will work independently with minimal supervision, using data and a risk-based approach to get to the truth. They'll run after and solve complex problems, helping to proactively address emerging risks and influence strategic decisions. What you'll do: ● Lead and support a diverse set of 2LOD credible challenge activities, including Targeted Reviews, Operational Risk Issue Validations, Risk and Control Self-Assessment (RCSA) reviews, and New Activity Reviews ● Serve as a strategic partner to the business, providing consultation on risk mitigation strategies and offering independent insights into emerging risks and new business initiatives ● Proactively identify and communicate potential risks to management to gain alignment and ensure effective mitigation ● Assist in the continuous improvement of operational risk methodologies and practices, including the development of new approaches ● Collaborate with cross-functional partners to drive decisions and progress toward shared goals ● Maintain awareness of current regulatory/industry trends impacting the operational risk management program ● Maintain familiarity of, and technical expertise with, business unit(s) organizational structure, personnel, activities and products, new product development, financial performance, and risk and problem areas What you'll need: ● Bachelor's degree ● 5+ years of relevant operational risk credible challenge, regulatory, examination or Internal Audit experience ● Understanding of control frameworks, testing methodologies, and risk assessments ● Proven ability to work independently with minimal oversight and manage multiple priorities in a fast-paced environment ● Excellent analytical and problem-solving skills with a track record of resolving the root causes of complex issues ● Highly effective interpersonal and communication skills with the ability to build trust and influence stakeholders ● Understanding of risk governance and the second line of defense processes used to review and challenge front line business unit risk management processes ● Familiarity with regulatory requirements and industry best practices ● Experience in banking and/or fintech industry, including regulatory experience ● Data visualization skills Nice to have: ● Tableau data visualization and analysis ● Experience working in Google Docs, Sheets and Slides ● Advanced degree; relevant industry certifications, for example, CPA, CCRM, ACAMS; Certified Internal Auditor (CIA); ability to drive innovation, new practices; experience interacting with regulators (Federal Reserve, OCC, CFPB) ● Multi-lingual (Spanish) Compensation and Benefits The base pay range for this role is listed below. Final base pay offer will be determined based on individual factors such as the candidate’s experience, skills, and location. To view all of our comprehensive and competitive benefits, visit our Benefits at SoFi page! SoFi provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion (including religious dress and grooming practices), sex (including pregnancy, childbirth and related medical conditions, breastfeeding, and conditions related to breastfeeding), gender, gender identity, gender expression, national origin, ancestry, age (40 or over), physical or medical disability, medical condition, marital status, registered domestic partner status, sexual orientation, genetic information, military and/or veteran status, or any other basis prohibited by applicable state or federal law.The Company hires the best qualified candidate for the job, without regard to protected characteristics.Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.New York applicants: Notice of Employee RightsSoFi is committed to an inclusive culture. As part of this commitment, SoFi offers reasonable accommodations to candidates with physical or mental disabilities. If you need accommodations to participate in the job application or interview process, please let your recruiter know or email accommodations@sofi.com.Due to insurance coverage issues, we are unable to accommodate remote work from Hawaii or Alaska at this time.Internal Employees If you are a current employee, do not apply here - please navigate to our Internal Job Board in Greenhouse to apply to our open roles.

• Support the CI Risk Control team’s efforts to modernize stakeholder reporting and enhance analytics capabilities • Provide hands-on experience in data management, dashboard development, and business-focused reporting • Apply and sharpen analytical, problem-solving, and communication skills • Leverage data and visualization tools to transform data into meaningful insights for stakeholders

Company Description It all started in sunny San Diego, California in 2004 when a visionary engineer, Fred Luddy, saw the potential to transform how we work. Fast forward to today — ServiceNow stands as a global market leader, bringing innovative AI-enhanced technology to over 8,100 customers, including 85% of the Fortune 500®. Our intelligent cloud-based platform seamlessly connects people, systems, and processes to empower organizations to find smarter, faster, and better ways to work. But this is just the beginning of our journey. Join us as we pursue our purpose to make the world work better for everyone. Job Description As the Risk Manager on the Digital Technology GRC team, you will play a central role in advancing our federal compliance posture and GRC program maturity. You will guide initiatives related to CMMC (Cybersecurity Maturity Model Certification) Level 2 readiness, NIST framework implementation, and enterprise-wide risk assessment across infrastructure, endpoints, identity, cloud, and data protection domains. You will partner closely with Security Architecture, IT Operations, SecOps, Internal Audit, Legal & Compliance, and Executives to assess risk, implement controls, and ensure our organization meets the rigorous standards required for federal contracting. You will drive compliance and risk management across key areas such as: - CMMC 2.0 Level 2 Assessment Readiness & Certification - NIST SP 800-171 / NIST CSF Control Mapping & Implementation - Enterprise Risk Assessment & Remediation Planning - System Security Plans (SSP) & Plan of Action & Milestones (POA&M) - GRC Process Maturity & Automation - Federal Compliance Documentation & Evidence Management - This is a high-impact, high-visibility role designed for someone who combines deep knowledge of federal cybersecurity frameworks with the ability to translate technical compliance requirements into actionable plans and executive-ready communications. Risk Assessment & Management - Conduct comprehensive risk assessments across infrastructure, endpoints, identity management, data protection, and cloud environments. - Identify, document, and track security gaps and remediation activities in the enterprise risk register. - Perform control effectiveness testing and support continuous monitoring initiatives to ensure ongoing compliance posture. - Cross-Functional Collaboration & Communication - Partner with Security Architecture, IT Operations, SecOps, Internal Audit, and Legal & Compliance to align security controls and risk mitigation strategies. - Translate complex technical findings and compliance status into executive-ready reports, dashboards, and briefings for senior principals. - Act as a subject matter expert for CMMC and NIST compliance across the organization, providing guidance and training to stakeholders. GRC Program & Process Maturity - Support the development and maturation of GRC processes, including policy management, control mapping, audit support, and evidence management workflows. - Evaluate and recommend GRC tooling and automation opportunities to increase efficiency and accuracy of compliance operations. - Contribute to enterprise-wide assessment campaigns and support regulatory change management activities. What You Get to Do in This Role ServiceNow Platform & GRC Tooling - Leverage ServiceNow IRM (Integrated Risk Management) modules — including Risk Management, Policy & Compliance Management, Audit Management, and Vendor Risk Management — to manage and operationalize compliance workflows. - Utilize ServiceNow SecOps (Security Incident Response, Vulnerability Response), CMDB/APM, ITSM, and IT Asset Management to support integrated security and compliance operations. - Build and maintain GRC dashboards, reports, and Performance Data views to provide executive visibility into risk posture, control coverage, and compliance status. - Drive workflow automation within the ServiceNow platform to streamline evidence collection, control testing, risk scoring, and remediation tracking. Risk Assessment & Management - Conduct comprehensive risk assessments across infrastructure, endpoints, identity management, data protection, and cloud environments. - Identify, document, and track security gaps and remediation activities in the enterprise risk register. - Perform control effectiveness testing and support continuous monitoring initiatives to ensure ongoing compliance posture. - Cross-Functional Collaboration & Communication - Partner with Security Architecture, IT Operations, SecOps, Internal Audit, and Legal & Compliance to align security controls and risk mitigation strategies. - Translate complex technical findings and compliance status into executive-ready reports, dashboards, and briefings for senior principals - Act as a subject matter expert for CMMC and NIST compliance across the organization, providing guidance and training to stakeholders. GRC Program & Process Maturity - Support the development and maturation of GRC processes including policy management, control mapping, audit support, and evidence management workflows. - Evaluate and recommend GRC tooling and automation opportunities to increase efficiency and accuracy of compliance operations. - Contribute to enterprise-wide assessment campaigns and support regulatory change management activities. - ServiceNow Platform & GRC Tooling - Leverage ServiceNow IRM (Integrated Risk Management) modules — including Risk Management, Policy & Compliance Management, Audit Management, and Vendor Risk Management — to manage and operationalize compliance workflows. - Utilize ServiceNow SecOps (Security Incident Response, Vulnerability Response), CMDB/APM, ITSM, and IT Asset Management to support integrated security and compliance operations. - Build and maintain GRC dashboards, reports, and Performance Data views to provide executive visibility into risk posture, control coverage, and compliance status. - Drive workflow automation within the ServiceNow platform to streamline evidence collection, control testing, risk scoring, and remediation tracking. Qualifications Required - 7–8 years of experience in cybersecurity, information security, GRC, or federal compliance roles. - Deep working knowledge of CMMC 2.0, NIST SP 800-171, NIST SP 800-53, and NIST Cybersecurity Framework (CSF). - Hands-on experience leading or supporting CMMC assessments, including application scoping, control mapping, gap analysis, and remediation planning. - Strong understanding of federal contracting compliance requirements, including DFARS 252.204-7012 and CUI (Controlled Unclassified Information) handling. - Experience developing and maintaining SSPs, POA&Ms, and compliance documentation for federal authorization. - Proven ability to conduct risk assessments across enterprise environments covering endpoints, identity, cloud, and data protection. - Working knowledge of the ServiceNow platform, including familiarity with IRM, SecOps, CMDB, or ITSM modules for managing security and compliance workflows. - Excellent written and verbal communication skills with demonstrated ability to present technical findings to executive audiences. - Experience working cross-functionally with IT, security, audit, and legal teams in a large enterprise environment. Preferred - Professional certifications such as CISSP, CISM, CISA, CAP (Certified Authorization Professional), or CMMC Registered Practitioner (RP). - Hands-on experience with ServiceNow IRM (Integrated Risk Management), including Risk Management, Policy & Compliance Management, Audit Management, and Vendor Risk Management modules. - Experience with broader ServiceNow platform capabilities including CMDB/APM, SecOps (Security Incident Response, Vulnerability Response), ITSM, and IT Asset Management for integrated security and compliance workflows. - Familiarity with ServiceNow reporting, dashboards, Performance Analytics, and workflow automation to drive GRC program efficiency and executive visibility. - Familiarity with FedRAMP, FISMA, FIPS 140-2/3 encryption requirements, and DoD cybersecurity policies. - Background in evaluating dual-environment architectures (e.g., O365 commercial vs. GCC High) for compliance alignment. - Experience with SIEM, EDR (e.g., CrowdStrike), vulnerability management tools, and security architecture review processes. - Knowledge of identity and access management frameworks, including Okta, Active Directory, and SailPoint integrations. - Prior experience in enterprise-scale assessment campaigns involving 50+ applications or business units. - Experience in building or consuming continuous monitoring, control hygiene, or AI-enabled risk/issue automation workflows (e.g., automated control testing, continuous controls monitoring, risk scoring, AI/ML-driven issue remediation). For positions in this location, we offer a base pay of $114,200 - $199,900, plus equity (when applicable), variable/incentive compensation and benefits. Sales positions generally offer a competitive On Target Earnings (OTE) incentive compensation structure. Please note that the base pay shown is a guideline, and individual total compensation will vary based on factors such as qualifications, skill level, competencies, and work location. We also offer health plans, including flexible spending accounts, a 401(k) Plan with company match, ESPP, matching donations, a flexible time away plan and family leave programs. Compensation is based on the geographic location in which the role is located and is subject to change based on work location. Additional Information Work Personas We approach our distributed world of work with flexibility and trust. Work personas (flexible, remote, or required in office) are categories that are assigned to ServiceNow employees depending on the nature of their work and their assigned work location. Learn more here. To determine eligibility for a work persona, ServiceNow may confirm the distance between your primary residence and the closest ServiceNow office using a third-party service. Equal Opportunity Employer ServiceNow is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, creed, religion, sex, sexual orientation, national origin or nationality, ancestry, age, disability, gender identity or expression, marital status, veteran status, or any other category protected by law. In addition, all qualified applicants with arrest or conviction records will be considered for employment in accordance with legal requirements. Accommodations We strive to create an accessible and inclusive experience for all candidates. If you require a reasonable accommodation to complete any part of the application process, or are unable to use this online application and need an alternative method to apply, please contact [email protected] for assistance. Export Control Regulations For positions requiring access to controlled technology subject to export control regulations, including the U.S. Export Administration Regulations (EAR), ServiceNow may be required to obtain export control approval from government authorities for certain individuals. All employment is contingent upon ServiceNow obtaining any export license or other approval that may be required by relevant export control authorities. From Fortune. ©2025 Fortune Media IP Limited. All rights reserved. Used under license. - Employee Type: Regular - Region: AMS - North America and Canada - Work Persona: Flexible or Remote