The Situation

A small Fintech required a change in the way they were developing their products and solutions since moving from exclusively providing Open Banking Payments APIs to adding front-end solutions to their portfolio, in the form of Mobile Payments Apps (integrated with their existing APIs), supporting both iOS and Android platforms.

At the same time, since leadership and sales were busy discussing commercial partnerships with large financial institutions, including a Tier-1 bank, the need to develop their operations so that these could successfully pass a SOC 2 Type 2 audit became a business development priority.

The Task

  • Designing a new Product Development Methodology for Product and Engineering teams.
  • Coaching on the adoption of the Methodology with emphasis on validating problem statements, formulating ideas, carrying out a Data Protection Impact Analysis (GDPR) of the proposed feature and execution of work according to Scrum and Kanban principles.
  • Overseeing the processing of Product Backlog items and their prioritisation.
  • Documenting new procedures and best practices spanning across Product Management, Operations and People Management.
  • Creating a Risk Register with items covering Fraud, Security, People, Processes and Business Continuity.
  • Hardening the security posture by implementing an Endpoint Detection & Response system (CrowdStrike) and establishing a security awareness training programme.
  • Developing all the evidence required by the independent auditor appointed for SOC 2 Type 2 attestation.
  • Coordinating work as well as testing all of the internal controls developed according to SOC 2 standards during the review period.
  • Finalising the end-of-audit attestation report with the auditor.

The Action / Approach

  • Conducted a gap analysis of existing Product Development & Engineering practices set against the most common Agile frameworks (Scrum and Kanban).
  • Scheduled “lunch & learn” sessions with the teams to mentor on best practices to follow across the whole SDLC, including the adoption of (best) coding and quality assurance practices.
  • Conducted a gap analysis of existing controls and documentation set against ISO 27001.
  • Transformed operations by complementing and coordinating my work on the tech functions with what the COO was developing for the non-tech functions.
  • Developed a method for a Lean-Agile post-attestation review and update of SOC 2 controls and policies required to maintain the operational status.

The Result

  • Product Owners and Engineers having fully adopted the newly implemented Delivery Methodology (adoption measured through specifically developed metrics).
  • Product Owners and Engineers able to autonomously shift internal development capacity across back-end and front-end working groups to accommodate spikes in planned feature releases.
  • Establishing a “Privacy by Design” approach to feature development so that data minimisation is an early requirement, especially given that the products and solutions were used in a highly regulated industry.
  • The Endpoint Detection & Response platform integrated with the ticketing system to generate incidents requiring investigation and resolution.
  • SOC 2 audit + review period completed with all required evidence submitted and accepted; the company successfully demonstrated the operational alignment to SOC 2 (Type 2) requirements.
