The Insiders – David Biczok Interview

Payconiq is Luxembourg’s leading mobile payment solution. Launched in 2012, it quickly partnered with the six leading banks (BCEE, BGL BNP Paribas, BIL, POST, RAIFFEISEN) that issue the Payconiq-supported apps to their customer base. The company handles merchant affiliation, including Luxembourg’s top retailers and bill issuers. Today, the Payconiq-supported apps are known by 85% of residents (aged 18-65) and have become the new normal in digital payments in Luxembourg.

To spotlight the best insights into Payconiq’s excellence, we put a few questions to the inspiring crew behind it.

Today we speak to David Biczok, Head of Risk at Payconiq International S.A.

1. Hello David, can you tell us more about yourself and your role as Head of Risk at Payconiq Luxembourg?

I joined Payconiq as Head of Risk in early 2024, after spending over 16 years in the online payments industry. Throughout my career, I have gained extensive experience across various areas including risk management, data protection, finance, payments, outsourcing, business continuity, and project management. I have had the opportunity to work in both regulated and non-regulated environments, which has broadened my understanding of the industry. I actually began my career in Budapest, working for an online payment service provider, before arriving in Luxembourg over a decade ago. There, I worked with an e-commerce merchant listed on the French stock exchange and later joined a regulated electronic money institution. At that institution, I had “two hats” as Head of Risk and Data Protection Officer. All of these experiences naturally led me to my current role at Payconiq. At Payconiq, I oversee the entire risk function, ensuring that risk is a key consideration in the company’s strategic decisions. Additionally, I manage Payconiq’s audits, regulatory compliance, policies and procedures, as well as outsourcing and third-party vendor management. I am also heavily involved in business continuity and information security initiatives. It is a role that brings together all the aspects of risk and operational management that I have been passionate about throughout my career.

2. How does your team collaborate with cybersecurity to protect against data breaches and payment fraud? 

At Payconiq, compliance and security are top priorities. We align with all applicable regulations and implement robust information security and data protection measures that adhere to industry standards and best practices. My team plays a key role in this, working closely with various departments – such as our dedicated security and IT teams, the Data Protection Officer, compliance, product, legal, and finance teams – to ensure that risk and security considerations are integrated into every decision. Beyond mandatory regulatory audits, we also conduct multiple information security audits to continuously improve our operational resilience. Employee training is a big focus as well. We run regular sessions on cyber threats, data protection, phishing, social engineering, and malware to ensure everyone is equipped to identify and respond to potential risks. Right now, like many in the financial sector, we are preparing for the upcoming DORA Regulation. We have set up a task force that brings together members from security, IT, risk, and legal teams. This collaborative approach helps us ensure we are fully addressing all aspects of digital operational resilience as we work to meet the new requirements.

3. What criteria do you use to evaluate the risk profile of partners and payment processors you work with?

At Payconiq, we strictly adhere to the requirements of the EBA Guidelines on Outsourcing, Circular 22/806, and the upcoming DORA regulations when it comes to third-party vendors. To ensure we partner with only trustworthy and reliable providers, we conduct thorough due diligence and risk assessments, involving various departments to make well-informed decisions. Our legal team at Payconiq plays a crucial role in this process, helping us identify and mitigate any legal risks, and ensuring that all vendor contracts include the necessary provisions. We also collaborate closely with our DPO to manage any privacy concerns effectively. Our Security team is equally involved, ensuring that our vendors implement appropriate information security controls in line with industry standards. On the Risk side, we continuously monitor our vendors’ performance and compliance with regulatory requirements. Vendor management is something we take very seriously. It is a critical part of delivering exceptional services to our clients, users, and merchants.

4. How do you foster a risk-aware culture within Payconiq, especially among teams not directly involved in risk management?

Over the years, Payconiq has developed a strong risk-centric approach, supported by a mature risk management framework. One key aspect of this is our regular Risk Committee meetings, which are hosted by the Risk Department. These meetings bring together the Heads of Departments, whose expertise and input are essential in promoting a risk-aware culture across the company. The Risk Committee acts as an advisory body to the various Boards at Payconiq, providing a platform for open dialogue. Members can raise any topic for discussion, which not only strengthens decision-making but also ensures that risk considerations are integrated into our operations. The Committee is crucial in being the entry point for information that requires decisions or approvals, reinforcing the importance of risk awareness in our day-to-day activities. In addition to this, the Risk Department maintains a “Policy House,” a kind of centralised resource where all our policies are easily accessible to employees. This helps staff across the organisation familiarise themselves with our processes, not just in risk management but in other operational areas as well, fostering a more comprehensive understanding of how we operate.

5. How do you align the risk management strategy with Payconiq’s overall business objectives?

At Payconiq, our risk management framework is designed to be straightforward and effective, with our risk appetite being central to everything we do. We set our risk appetite at a level that allows for growth, while still maintaining a healthy risk profile. I would say it is all about finding the right balance. We continuously monitor our risk appetite statement against our actual risk profile and business outcomes to ensure they stay aligned. This approach is embedded in all our business processes. The Risk Department works closely with different teams to provide risk assessments, implement controls, and ensure proper monitoring. In summary, we operate within a streamlined risk management framework where risk is a key part of the decision-making process. Our risk strategy is fully integrated into the broader business strategy, which reinforces its importance across the organisation.

To learn more and stay up to date with Payconiq Luxembourg news, follow Payconiq on LinkedIn and X.

Contact Payconiq: Louise Cazzoli, Marketing Specialist, [email protected], +352 691 678 475, https://payconiq.lu