IT GRC
Xendit provides payment infrastructure across Southeast Asia and is expanding to Greater China and LATAM. We process payments, power marketplaces, disburse payroll and loans, provide KYC solutions, prevent fraud, and help businesses grow exponentially. We serve our customers by providing a suite of world-class APIs, eCommerce platform integrations, and easy to use applications for individual entrepreneurs, SMEs, and enterprises alike.
Our main focus is building the most advanced payment rails for Southeast Asia, with a clear goal in mind — to make payments across and within SEA simple, secure and easy for everyone. We serve thousands of businesses ranging from SMEs to multinational enterprises, and process millions of transactions monthly. We’ve been growing rapidly since our inception in 2015, onboarding hundreds of new customers every month, and backed by global top-10 VCs. We’re proud to be featured on among the fastest growing companies by Y-Combinator.
About the Job
At Xendit, we are looking for a mid-level/senior-level IT GRC Analyst to sit at the intersection of technology, compliance, and risk — not just for Indonesia, but across all of Xendit's operating markets. As an individual contributor, you will be responsible for ensuring our IT systems, processes, and controls meet the regulatory obligations and certification standards of every jurisdiction we operate in. You will be our regional GRC go-to person, coordinating directly with regulatory bodies across the regions (Bank Indonesia / OJK, BSP, BOT, etc). Beyond regulatory compliance, you will own and drive the full lifecycle of our IT certifications such as PCI-DSS and ISO 27001. You will work closely with engineering, security, product, and legal teams to embed compliance into how we build and operate. This is a role for someone who is detail-oriented, thrives in multi-market complexity, and can translate a wide range of regulatory requirements into practical, actionable controls in a fast-moving fintech environment.
Minimum Qualifications
- 3–5 years of hands-on experience in IT GRC, IT Risk Management, or IT Compliance roles
- Solid working knowledge of PCI-DSS, ISO 27001 frameworks, including implementation, certification, and audit readiness
- Familiarity with Bank Indonesia (BI) and OJK IT governance regulations applicable to payment service providers in Indonesia
- Exposure to or willingness to take regulatory requirements in at least one other Southeast Asian or international market (e.g., BSP, BOT, MAS, BNM, or equivalent)
- Proven experience conducting IT risk assessments, control testing, and gap analyses
- Demonstrated ability to develop, review, and maintain IT policies, standards, and procedures
- Strong analytical skills with the ability to translate diverse regulatory requirements into technical and operational controls
- Effective communicator who can engage both technical and non-technical stakeholders across multiple countries and time zones
Preferred Qualifications
- Prior experience navigating Bank Indonesia's PJP (Penyelenggara Jasa Pembayaran) Category 1 or Category 2 licensing requirements, including ongoing IT compliance obligations and regulatory examination readiness
- Hands-on experience managing end-to-end certification processes — scoping, readiness assessment, evidence preparation, auditor coordination, and post-certification surveillance — for ISO 27001, PCI-DSS, or SOC 2
- Direct experience coordinating IT audits or regulatory examinations with regional bodies such as BSP (Philippines), BOT (Thailand), MAS (Singapore), BNM (Malaysia), etc
- Relevant professional certifications such as CISA, CRISC, ISO 27001 Lead Implementer, or ISO 27001 Lead Auditor
- Prior experience in fintech, digital payments, or financial services in a multi-market Southeast Asian or global context
- Exposure to cloud environments and understanding of cloud security control frameworks
- Background in working cross-functionally with engineering and product teams to embed compliance-by-design principles
Responsibilities
- Own and support Xendit's compliance programs for certification and regulatory audits, ensuring controls are implemented, tested, and evidenced effectively
- Serve as the primary GRC point of contact for regional regulatory needs, coordinating IT-related audit and examination processes with regional regulatory bodies
- Manage the full certification lifecycle for applicable frameworks — from initial scoping and gap analysis through certification issuance and ongoing surveillance — ensuring timely renewals and continuous compliance
- Conduct periodic IT risk assessments across markets, maintain a consolidated IT risk register, and track remediation activities through to closure
- Perform internal control testing and assessments to evaluate the design and operating effectiveness of IT controls across Xendit's regional entities
- Identify compliance gaps across markets and work with relevant teams to develop and execute remediation plans
- Develop, review, update, and enforce IT policies, standards, and procedures in line with multi-jurisdictional regulatory and framework requirements
- Coordinate regulatory and third-party audits end-to-end, including preparing evidence packages, managing auditor requests, and facilitating examiner meetings
- Monitor the evolving regulatory landscape across all operating markets and assess the impact of new or updated requirements on Xendit's IT environment
- Produce compliance dashboards, regional status reports, and management briefings to keep stakeholders informed of GRC posture across all markets
- Collaborate with engineering, product, security, and legal teams to embed compliance and risk considerations into project delivery and system design
- Support continuous improvement of GRC processes, tooling, and automation to scale compliance operations efficiently across a growing number of markets
