Assistant Vice President, Technology and Operational Risk
Role Purpose
The Assistant Vice President – Technology and Operational Risk Management is a senior risk management role responsible for providing risk management advisory, business partnership support and regulatory engagement over the technology and operational risk management framework for digital payment services (fiat and cryptocurrency) and insurance-related businesses. The role supports the financial service’s senior management and the Board in ensuring that the technology, cybersecurity, operational and virtual assets risk management and controls are compliant with the HKMA and IA regulatory expectations.
Key Responsibilities
Technology, Cybersecurity and Operational Risk Oversight
- Provide risk stewardship and control oversight of the technology, cybersecurity and operational risk management framework and controls across the financial service platforms, APIs, cloud infrastructure, and payment processing systems.
- Review and challenge stakeholders of relevant functions and business units on technology risk assessments, operational resilience, and control effectiveness.
- Partner with and advise the business on new product change management, control design, implementation and customer servicing.
HKMA Cyber Resilience Assessment Framework (C-RAF)
- Act as the licensed business unit’s technology risk management subject-matter expert on HKMA Cyber Resilience Assessment Framework (C-RAF) requirements.
- Review inherent risk assessments and cybersecurity maturity self-assessments conducted by stakeholders of relevant functions and business units.
- Challenge remediation plans and timelines to ensure alignment with HKMA expectations.
Virtual Assets, Blockchain Payment Security Management Risk Oversight
- Provide risk stewardship advisory for a financial service licensee regulated by the HKMA over technology, virtual asset and payment security risk management and control matters arising from customer onboarding/ongoing monitoring and payment system operations for fiat currency and blockchain-related cryptocurrency.
- Assess technology and operational risks related to transaction authorisation, settlement finality, cross-border processing, and dependency on external payment or blockchain networks.
Regulatory Engagement and Governance - HKMA and IA
- This role operates as a regulated licensee’s technology and operational risk management lead, who provides risk stewardship, challenge and assurance to senior management and Board-level committees.
- Through effective regulatory engagements, the role represents the licensee’s technology, cybersecurity, operational risk management and corporate governance manager and supports transparent, consistent communication with the HKMA and IA.
- Provide technology and operational risk management advisory on the regulatory requirements applicable to an HKMA-regulated stablecoin distributor, including governance, safeguarding of client’s money, operational resilience, and incident response.
- Work with relevant cryptocurrency and stablecoin issuers, custodians and exchanges to ensure the virtual asset distributor’s roles and responsibilities are well defined and controls are executed effectively.
- Support the insurance business unit to work with the risk and compliance teams of relevant insurance underwriters/manufacturers as business partners.
Risk Governance & Reporting
- Prepare independent technology, operational, cybersecurity, and virtual asset risk management reports for the senior management and Board-level committees.
- Ensure timely escalation of material risks affecting operational resilience, customer asset protection, or regulatory expectations set by the HKMA and/or IA.
Experience & Qualifications
• 10+ years of experience in technology and operational risk management, cybersecurity assurance and advisory for institutions regulated by HKMA, IA and/or HK SFC.
• Hands-on experience with HKMA Cyber Resilience Assessment Framework and regulatory examinations.
• Demonstrated knowledge of regulatory requirements for HKMA-regulated stablecoins and SFC Virtual Asset Service Provider technology expectations.
• Proven experience in blockchain or distributed ledger information security, including wallet security and cryptographic key management.
• Bachelor’s degree or above in Computer Science, Information Technology, Cybersecurity, or related disciplines.
• Professional certifications such as CISA, CISM, CISSP or CRISC preferred.
Hong Kong, HK