SOC 2 for Fintech Engineers: The Playbook Nobody Gave You

The Conversation You Did Not Want to Have

Someone from compliance, legal, or a prospective enterprise customer just told your engineering team: "We need SOC 2." Maybe it is a contract requirement. Maybe your banking partner mandated it. Maybe your CEO got the question on a sales call and committed to a timeline without consulting you.

Here is what nobody tells you upfront: SOC 2 is not a technology problem. It is a controls documentation problem that happens to require technology. The audit does not care what language your backend is written in. It cares whether you can prove, with evidence, that you consistently apply security controls to the systems that handle customer data.

For embedded finance companies, this is harder than it sounds. You are handling financial data across multiple systems -- your own application, your banking-as-a-service provider, payment processors, and potentially a ledger or reconciliation layer. Each system boundary is a place where controls can break down and auditors will probe.

This playbook covers the architecture decisions and engineering work required to pass a SOC 2 Type II audit for an embedded finance platform, written for the engineer who has to actually build it.

SOC 2 Fundamentals for Engineers

What SOC 2 actually evaluates

SOC 2 is a framework from the AICPA (American Institute of Certified Public Accountants) that evaluates an organization's controls against five Trust Services Criteria:

1. Security (required) -- Protection against unauthorized access. This is the only mandatory category
2. Availability -- System uptime and operational reliability
3. Processing Integrity -- Data processing is complete, valid, accurate, and authorized
4. Confidentiality -- Protection of confidential information
5. Privacy -- Personal information handling

For fintechs handling financial data, you will almost certainly need Security, Availability, and Processing Integrity. Confidentiality is common too. Privacy depends on whether you handle PII directly.

Type I vs. Type II

• Type I -- Point-in-time assessment. "Do these controls exist as of this date?" Useful for getting something on paper fast, but sophisticated customers and banking partners will ask for Type II
• Type II -- Assessment over a period (usually 6-12 months). "Were these controls consistently operating over this period?" This is what actually matters. It requires sustained evidence collection, not a one-time cleanup

The engineering implication

Type II means your controls must be operational and producing evidence for months before the audit. You cannot cram for it. If your audit window is Q3, your controls need to be running and collecting evidence no later than Q1.

The Audit Trail: Your Most Critical Architecture Decision

An audit trail is not a nice-to-have for SOC 2 in fintech. It is the foundation that most other controls depend on. Auditors will ask: "Can you show me who did what, when, and what changed?"

What to log

Every action that touches financial data or system configuration must be logged:

• Data access -- Who queried sensitive data, what they queried, and when
• Data mutations -- Every create, update, and delete on financial records. Log the before and after state
• Authentication events -- Login, logout, failed attempts, MFA challenges, session creation
• Authorization decisions -- Access grants, denials, role changes, permission modifications
• System configuration changes -- Infrastructure changes, feature flag toggles, environment variable updates
• Reconciliation actions -- Manual overrides, exception resolutions, approval decisions. See how NAYA's controls layer handles this natively

Immutability requirements

Audit logs must be tamper-proof. An engineer (including yourself) should not be able to modify or delete log entries after they are written. Common implementation patterns:

• Append-only database tables -- Use database permissions to prevent UPDATE and DELETE on audit tables. The application user should have INSERT-only access
• Write-once object storage -- Ship logs to S3 with Object Lock enabled (WORM -- Write Once Read Many). Even a root AWS account cannot delete objects during the retention period
• Third-party log aggregation -- Services like Datadog, Splunk, or a SIEM. The key requirement: your engineering team cannot delete logs from the third-party system
• Cryptographic chaining -- Hash each log entry with the previous entry's hash, creating a tamper-evident chain. If anyone modifies a historical entry, the chain breaks

For most fintech startups, the pragmatic approach is append-only tables for real-time operational logs combined with periodic export to locked object storage for long-term retention.

Retention policy

Auditors will ask about your retention policy. Define it before the audit:

• Financial transaction logs -- 7 years minimum (regulatory requirement for most financial activity)
• Access and authentication logs -- 1-3 years depending on your risk assessment
• System configuration logs -- Duration of the audit period plus 1 year

Document the policy. The documentation itself is evidence.

Access Control Architecture

The principle of least privilege, for real this time

Everyone says they follow least privilege. Auditors will test whether you actually do. For embedded finance, this means:

• Database access -- Production database credentials are not shared. Individual service accounts with scoped permissions per service. No engineer has direct write access to production financial tables
• Cloud infrastructure -- IAM roles scoped to specific services. No wildcard permissions. Session-based access for humans (AWS SSO, GCP Workload Identity), not long-lived credentials
• Application roles -- Role-based access control (RBAC) with clearly defined roles that map to job functions. Document what each role can and cannot do
• Third-party systems -- API keys and tokens for payment processors, banking partners, and other services should be scoped to the minimum required permissions

Segregation of duties

Auditors will check whether a single person can both initiate and approve sensitive actions. In financial operations, this typically means:

• The person who initiates a manual payout cannot approve it
• The person who creates a new bank account linkage cannot activate it
• The person who resolves a reconciliation exception above a threshold cannot also audit the resolution

Implement this in code, not in policy documents. Approval workflows with enforced role separation are easier to prove than written policies that depend on people following rules.

Access reviews

SOC 2 Type II requires periodic access reviews -- evidence that you regularly verify who has access to what and revoke access that is no longer needed. Quarterly reviews are the standard cadence.

Automate what you can:

• Script a quarterly dump of all IAM users, roles, and permissions across your cloud accounts
• Script a dump of all application-level users and their roles
• Auto-detect dormant accounts (no login in 90 days) and flag for review
• Integrate with your HR system or directory (Okta, Google Workspace) to auto-deprovision when someone leaves the company

The output of these scripts -- timestamped, stored in your audit log -- becomes your evidence.

Evidence Collection Automation

Why manual evidence collection fails

SOC 2 Type II requires evidence that controls operated consistently over the audit period. If you are collecting this evidence manually -- screenshots, spreadsheets, email threads -- you will:

• Miss evidence for controls that operated correctly (nobody screenshots routine operations)
• Spend weeks scrambling before the audit, reconstructing evidence after the fact
• Produce evidence that auditors find unconvincing because it lacks timestamps or continuity

What to automate

Build automated evidence collection for these control categories:

• Change management -- Pull request history, code review records, deployment logs. If you use GitHub/GitLab, your PR history is already structured evidence. Ensure every production change goes through a PR with at least one reviewer
• Incident response -- Incident tickets, response timelines, postmortems. Use a structured incident management tool (PagerDuty, Opsgenie, or even a dedicated Slack channel with a bot that logs timestamps)
• Vulnerability management -- Dependency scanning results (Snyk, Dependabot), container image scans, penetration test reports. Automate scanning and store results
• Backup and recovery -- Automated backup logs, recovery test results. Run and document a recovery test quarterly
• Monitoring and alerting -- Uptime monitoring data, alert history, response times. Your monitoring platform (Datadog, Grafana, etc.) is a rich source of evidence

The evidence pipeline pattern

Build a lightweight pipeline that periodically collects evidence artifacts and stores them in a structured, timestamped, tamper-resistant location:

1. Collection -- Cron jobs or scheduled tasks that query your systems (GitHub API for PR data, cloud provider APIs for IAM state, monitoring APIs for uptime data)
2. Normalization -- Transform raw data into a consistent format with timestamps, actor identifiers, and descriptions
3. Storage -- Write to an append-only evidence store (locked S3 bucket, dedicated database)
4. Indexing -- Tag evidence by control category so you can quickly produce the right artifacts during the audit

This pipeline runs continuously throughout the audit period, not just before the audit.

Fintech-Specific Controls

Transaction integrity controls

For embedded finance, auditors will pay special attention to processing integrity -- ensuring that financial transactions are processed completely and accurately:

• Double-entry validation -- Every financial transaction must produce balanced entries. If money moves from account A to account B, the system must enforce that the debit and credit are equal
• Reconciliation controls -- Automated reconciliation between your system and external systems (banking partner, payment processor). Evidence of daily reconciliation runs with match rates and exception handling
• Idempotency enforcement -- Proof that your system prevents duplicate transaction processing. Log idempotency key checks and duplicate rejections

Data integrity at system boundaries

Embedded finance means data crosses system boundaries constantly -- between your application, your BaaS provider, payment processors, and your ledger. Each boundary is a risk point:

• API contract validation -- Validate incoming data from partners against expected schemas. Log validation failures
• Webhook verification -- Verify webhook signatures from payment processors and banking partners. Log verification results
• Reconciliation at every boundary -- Do not assume data transmitted equals data received. Reconcile counts and amounts at every system boundary

Encryption requirements

• Data at rest -- Encrypt all financial data at rest. AES-256 is the standard. For cloud databases, enable provider-managed encryption at minimum; customer-managed keys (CMEK) for higher assurance
• Data in transit -- TLS 1.2+ for all connections. No exceptions. Audit your TLS configuration with tools like SSL Labs
• Key management -- Use a cloud KMS (AWS KMS, GCP Cloud KMS) or HSM. Document your key rotation policy and automate rotation

The Audit Timeline

Month 1-2: Gap assessment and planning

• Identify which Trust Services Criteria you need
• Map your current controls to SOC 2 requirements
• Identify gaps -- controls that do not exist or are not producing evidence
• Prioritize by risk and effort

Month 3-4: Control implementation

• Build missing controls
• Deploy audit trail infrastructure
• Implement access control changes
• Start evidence collection automation

Month 5-6: Evidence accumulation

• Controls are running and producing evidence
• Review evidence quality weekly
• Fix any controls that are not producing clean evidence
• Train the team on procedures (incident response, access reviews, change management)

Month 7-12: Audit period

• Controls operate normally
• Evidence accumulates
• Conduct your own internal reviews monthly to catch issues before the auditor does
• Engage the audit firm. They will request evidence, ask questions, and test controls

After the audit

• Address any findings or exceptions from the audit report
• Maintain controls year-round (not just during audit season)
• Automate more evidence collection based on what was painful during the audit

Common Mistakes

Over-scoping

You do not need to achieve SOC 2 compliance for your entire company and every system on day one. Scope the audit to the systems and processes that handle customer financial data. This is called the "system boundary." A smaller, well-controlled scope is better than a broad scope with gaps.

Treating it as a one-time project

SOC 2 Type II is an ongoing commitment. If your controls degrade after the audit period, your next audit will reflect that. Build controls that are sustainable, not controls that are impressive but require heroic effort to maintain.

Ignoring your vendors

If your BaaS provider, payment processor, or infrastructure provider does not have their own SOC 2 report, you inherit their risk. Request SOC 2 reports from critical vendors and review them annually. Map their controls to yours and identify gaps in the handoff.

Not involving engineering early

SOC 2 in fintech is fundamentally an engineering problem. Compliance teams can define policies, but engineers build the controls. Involve engineering from the gap assessment onward, not after policies are written and deadlines are set.

FAQ

How long does it take to get SOC 2 Type II for a fintech startup?

Plan for 9-12 months from kickoff to completed report. The first 3-4 months are control implementation and tooling. The remaining 6+ months are the observation period where your controls must be operating and producing evidence. Some audit firms accept a 3-month observation window for first-time audits, but 6 months is more common and produces a stronger report.

How much does a SOC 2 audit cost?

Audit firm fees typically range from 30,000 to 100,000 USD for a Type II audit, depending on scope and complexity. The bigger cost is engineering time: expect 1-2 engineers spending 30-50% of their time on control implementation for 2-3 months, plus ongoing maintenance effort of roughly 5-10 hours per week for evidence monitoring and access reviews.

Do I need SOC 2 if my BaaS provider already has it?

Yes. Your BaaS provider's SOC 2 covers their systems and controls, not yours. When you build on top of a BaaS platform, you introduce your own systems, access patterns, and data handling that are outside their scope. Enterprise customers and banking partners will want to see your SOC 2 report, not just your vendor's.

What is the difference between SOC 2 and PCI DSS for fintechs?

PCI DSS applies specifically to cardholder data (credit card numbers, CVVs). SOC 2 is broader, covering security, availability, and processing integrity of any system. Most fintechs need both: PCI DSS if they handle card data, SOC 2 for the broader platform. They have significant overlap in controls (access management, encryption, logging) but different audit processes and requirements.

Should I use a compliance automation platform?

Platforms like Vanta, Drata, and Secureframe can accelerate SOC 2 readiness by automating evidence collection, policy templates, and control monitoring. They are genuinely useful for reducing manual work. However, they do not eliminate the need for engineering work -- you still need to implement the actual controls in your systems. They automate the evidence gathering and compliance management layer on top. For fintech-specific controls like transaction integrity and reconciliation audit trails, you will need domain-specific tooling regardless.

How do I handle SOC 2 evidence for financial reconciliation processes?

Financial reconciliation is a core processing integrity control for fintechs. Auditors will want evidence of: (1) automated reconciliation runs with timestamps and results; (2) exception detection and resolution workflows; (3) approval chains for manual overrides; (4) historical reconciliation accuracy metrics. If you are building this from scratch, the evidence collection burden is significant. Platforms like NAYA's controls layer generate audit-ready evidence as a byproduct of normal reconciliation operations, which reduces the engineering overhead of SOC 2 evidence collection for financial processes.