← Back to Site πŸ–¨οΈ Print / Save as PDF πŸ“§ Email Me
Emre Tuncoglu

EMRE TUNCOGLU

Technology Risk & AI Governance Executive
CRISC CISSP TOGAF 9.1 CISA CISM ISO 27001 LA PRINCE2
πŸ“ London, UK
πŸ“§ contact@enftc.co.uk
πŸ”— https://linkedin.com/in/emretuncoglu
🌐 enftc.co.uk

Key Achievements

Regulatory Restrictions Lifted
Closed critical audit with no major findings for Capital.com, enabling removal of new client onboarding restrictions
40% Audit Cost Reduction
Coordinated external audit efforts for UBS Group Technology, achieving significant cost savings
85% Automation Rate
Automated DORA compliance mapping using RAG-model LLM solution at Capital.com
Compliance-by-Design
Designed and implemented a regulatory and policy compliance enforcement system integrated within change management and SDLC methodology at UBS
25+ Years Experience
Financial Services technology risk and compliance expertise
100% Audit Success
All personally managed regulatory audit engagements resulted in favourable outcomes with no repeat or escalated findings

Professional Summary

A Senior Technology Risk & Security Executive with a 25-year tenure in the Financial Services industry. Specializes in leading AI transformations in risk management and navigating the intersection of technical infrastructure and regulatory frameworks (DORA, GDPR, FCA/PRA). From architecting RAG-model solutions for policy automation to steering multi-skilled teams through regulatory audits, provides hands-on expertise for complex remediation and resilience strategies.

Core Competencies

Regulatory Compliance
DORA, EU AI Act
BCBS 239, HKMA/MAS TRM
SOX, FCA/PRA
GDPR, MIFID II
Technical Architecture
AI/LLM Governance
RAG-Model Solutions
Azure & GCP Security
DevSecOps, IAM/PAM
Risk Management
Operational Resilience
IT Audit & Assurance
Control Frameworks
Leadership
C-Suite Engagement
Audit Defense
Crisis Management
Team Coaching & Mentoring

Professional Experience

E&F Technology Risk & AI Consulting Dec 2014 – Present
Director / Principal Consultant Greater London, UK Β· Hybrid
  • Founder of a specialist consultancy providing security architecture, technology risk management, and AI transformation services to clients in Fintech, Banking, and Insurance. All subsequent contract roles from March 2015 onward were delivered through E&F.
  • Developing a fully automated, LLM-enhanced technology risk and regulatory compliance capability β€” built using AI-assisted development workflows (Claude Code) to accelerate policy mapping, control automation, and continuous monitoring tooling (Jan 2026 – present).
  • Architected RAG-model solutions using Large Context Window LLMs to automate policy uplift and regulatory compliance mapping, achieving up to 85% automation rates.
  • Delivered Compliance-as-Code frameworks integrating regulatory checks into CI/CD pipelines for major financial institutions.
Capital.com Sep 2024 – Dec 2025
Technology Risk & Regulatory Compliance SME City of Westminster, London, UK Β· Hybrid
  • AI-Driven DORA Compliance: Spearheaded the DORA implementation programme by architecting a RAG-model solution (using Large Context Window LLMs) to automate policy uplift, ensuring accurate coverage of IT Asset, Change, Access Management, and Vulnerability Management standards. Automated 85% of compliance mapping
  • Compliance as Code: Designed a full set of automated controls, working with DevOps teams to integrate regulatory compliance checks early in the CI/CD pipeline for all major projects.
  • Regulatory Remediation (PAM): Remediated critical, long-standing Privileged Access Management (PAM) non-compliance, bridging Technical/CISO teams and Regulatory Auditors to close a multi-year audit finding. The external auditor validated the remediation and the regulator subsequently lifted all new client onboarding restrictions. βœ… Restrictions lifted
  • Resilience Strategy: Partnered with the CIO to map key business services and dependencies, delivering a prioritized Business Continuity Planning (BCP) and Technology Resilience strategy. BCP & Resilience plan delivered
Bupa Nov 2023 – Feb 2024
Technology Risk Consultant City of London, UK
  • Led validation of a major risk remediation programme, ensuring all critical findings were properly addressed and control gaps closed.
  • Conducted a comprehensive technology risk and controls framework review, identifying areas for improvement in the control environment.
  • Assessed policy compliance against regulatory requirements and internal standards, providing actionable remediation recommendations.
Deloitte Consulting Feb 2022 – Jul 2023
Subject Matter Expert β€” Technology Risk & Architecture Greater London, UK Β· Remote
  • Cloud Security Architecture: Conducted end-to-end security architecture and control assessments for a large insurance firm's migration to Microsoft Azure (2,500+ VMs), identifying and remediating compliance gaps.
  • Challenger Bank Resilience: Defined data management strategies and cyber resilience scenario testing for a challenger bank, ensuring protection against insider threats and compliance with GDPR.
  • Algorithmic Trading Audit: Performed a comprehensive cybersecurity review of a Fintech trading firm to ensure IP protection and MIFID II compliance.
UBS Jun 2020 – Sep 2021
Technology Risk & Security Architecture SME Greater London, UK / Zurich, Switzerland Β· Hybrid
  • Cost Reduction: Coordinated external audit efforts throughout Group Technology, implementing a standardized audit response framework that reduced overall audit costs to UBS by ~40%. ~40% cost reduction
  • Cloud Migration Risk: Performed risk assessments for file transfer technologies migrating to cloud (Azure, AWS), identifying 23 compliance gaps and defining remediation roadmaps.
  • Regulatory Change Management: Managed requirements for MAS TRM and HKMA TPRM, defining remediation roadmaps for non-production environments and insider threat monitoring.
  • Control Implementation: Validated the sustainability of data protection controls for internal auditors and closed critical risk issues related to data corruption detection.
Aviva Group Mar 2020 – Jun 2020
Interim Head of IT Audit – CIO Global Greater London, UK Β· Hybrid
  • Led the global audit function for the CIO domain, covering infrastructure, architecture, strategy, and resilience across all business units.
  • Defined the IT Audit universe and developed a risk-based multi-year audit plan, ensuring comprehensive coverage of critical technology risks.
  • Coached and developed the audit team to improve delivery quality and strengthen stakeholder relationships across the organization.
UBS Jan 2019 – Mar 2020
Infrastructure & Security Architect Greater London, UK Β· Hybrid
  • Designed and implemented a technology infrastructure compliance framework integrated into the SDLC, ensuring security controls were embedded from design through deployment.
  • Enforced compliance across ~800 on-premise and MS Azure assets across US, UK, Switzerland, and Singapore, covering Access Control, Cryptography, and Vulnerability Management.
UBS Β· Group Internal Audit Feb 2018 – Dec 2018
Core IT Audit Director β€” Technology Risk SME Greater London, UK Β· On-site
  • Executed high-profile audits within Cyber Security Governance, Data Governance (BCBS 239), and Middleware, delivering actionable findings to senior management.
  • Assessed the "Cyber Security by Design" framework, reviewing secure development controls for infrastructure and applications to ensure alignment with regulatory expectations.
Lloyds Banking Group Mar 2015 – Dec 2017
Infrastructure Security Architecture & Audit SME (via E&F Consulting) Greater London, UK Β· On-site
  • Delivered end-to-end audits of security architecture design across the Group's infrastructure, including Linux, Windows, IBM Mainframe, and HPE Non-Stop platforms.
  • Identified critical gaps in privileged access, event logging, and patch management, driving significant improvements in the Group's overall security posture.
KPMG UK Oct 2013 – May 2014
Technology Risk Advisory London, UK
  • Delivered technology risk advisory services to financial services clients, focusing on IT controls assessment and regulatory compliance.
Euroclear Group Aug 2008 – Jan 2013
Senior IT Audit Manager Belgium Β· On-site
  • Managed complex IT audit engagements across the Euroclear Group, covering critical financial market infrastructure and settlement systems.
  • Developed audit methodologies and mentored junior team members, building a high-performing audit function.
Dexia Banking Group & Denizbank Jul 2005 – Jul 2008
Head of IT Risk & Controls Brussels Region, Belgium
  • Established and led the IT risk and controls function, designing control frameworks aligned with regulatory requirements for banking operations.
Tekstilbank Oct 2004 – Jul 2005
IT Controls Director Istanbul, Turkey
  • Directed IT controls operations, ensuring compliance with banking regulations and internal control standards.
Pamukbank Apr 2001 – Sep 2004
Senior IT Auditor Istanbul, Turkey
  • Conducted IT audits across banking systems and infrastructure, identifying control weaknesses and providing practical remediation recommendations.

Education

BSc, Electrical & Electronics Engineering
Middle East Technical University (METU), Ankara, Turkey β€’ 1995 – 2000
METU is ranked among the top universities worldwide by Times Higher Education, World University Rankings.

Recommendations & Endorsements

Emre supported our Internal audit team as a subject matter expert in delivering IT audits during my previous role. Emre is highly technical, has a sound knowledge in Mainframe and associated security architecture reviews, where it is scarce to find those expertise these days. He highlighted some key control gaps to management during the mainframe and database audits. He was good at articulating technical and complex issues in a simple business language which helped senior management to effectively understand the business risks and impact.
Arun Subramanian
Director, Information Security Risk and Controls
I worked with Emre at his role in Euroclear. He was self-disciplined, highly-motivated, organized and creative manager. He was both mentor and advisor for me during my Euroclear days. From technical perspective, he is an expert on IT processes, IT governance, IT architecture and converting business needs/expectations into IT language. He is open-minded and always looks into opportunities and risks from different angles, and by doing so he both develops his team and adds value to his organization.
Altuğ Kul
Information Security | Resiliency | IT Compliance
I enjoyed working with Emre as he is very knowledgeable in IT audit and governance. He has strong analytical and technical skills, which allow him to investigate the details. Nevertheless he will always keep the big picture in mind. As such, he is able to find the actual root causes instead of only highlighting symptomatic issues, as per technical standards. His reports are written in understandable language even for non-technical persons. He has very good communication and influencing skills with any type of person.
Tina Pede
Clinical Psychologist / Civil Engineer
Emre is a very talented person in IT technologies and related IT Audit and Advisory. He is self-disciplined, hard-working person. He is also nice, kind person so that you enjoy the times you spend with him.
Erol Lengerli
Guest Lecturer / Consultant β€” Corporate Governance
Emre is an analytical auditor, with vast experience in COBIT, ISF, ITIL process-mapping. He has good assessment skills and the ability to make an impact regardless of work culture (people skills), as demonstrated by the value-adding, organisation-wide audit he carried out in the Nordics. He's able to influence and ensure that the auditee has an understanding of business risk emanating from audit findings.
Mucha Matambanadzo, MBA (Tech Mgt)
Head of Internal Audit | IT Audit | SOX | Cybersecurity | Risk

Detailed Project Experience Appendix

CAPITAL.COM | Technology Risk & Regulatory Compliance SME
September 2024 – December 2025 London, UK
AI-Driven DORA Compliance Programme
Spearheaded DORA implementation using RAG-model solution with Large Context Window LLMs to automate policy uplift. Ensured accurate coverage of IT Asset, Change, Access Management and Vulnerability Management standards. Automated 85% of compliance mapping
Compliance as Code Pipeline Integration
Designed a full set of automated controls, working with DevOps teams to integrate regulatory compliance checks early in the CI/CD pipeline for all major projects.
Regulatory Onboarding Restrictions Lifted
Successfully closed critical audit with no major findings after remediating long-standing Privileged Access Management (PAM) non-compliance. Acted as primary translator between Technical/CISO teams and Regulatory Auditors.
βœ… REMOVAL OF NEW CLIENT ONBOARDING RESTRICTIONS
Technology Resilience Strategy
Partnered with the CIO to map key business services and dependencies, delivering a prioritized Business Continuity Planning (BCP) and Technology Resilience strategy.
UBS | Technology Risk & Security Architecture SME
June 2020 – September 2021 London, UK / Zurich, Switzerland
Audit Cost Optimization
Coordinated external audit efforts throughout Group Technology, implementing standardized audit response framework that reduced overall audit costs to UBS by ~40%.
Cloud Migration Risk Assessment
Performed risk assessments for file transfer technologies migrating to cloud (Azure, AWS), identifying 23 compliance gaps and defining remediation roadmaps.
Regulatory Change Management
Managed requirements for MAS TRM and HKMA TPRM, defining remediation roadmaps for non-production environments and insider threat monitoring.
DELOITTE UK | Technology Risk & Architecture SME
February 2022 – July 2023 London, UK
Cloud Security Architecture Assessment
Conducted end-to-end security architecture and control assessments for a large insurance firm's migration to Microsoft Azure (2,500+ VMs), identifying compliance gaps and recommending remediation measures.
Challenger Bank Resilience Programme
Defined data management strategies and cyber resilience scenario testing for a challenger bank, ensuring protection against insider threats and GDPR compliance.
Algorithmic Trading Cybersecurity Review
Performed comprehensive cybersecurity review of a Fintech trading firm to ensure IP protection and MIFID II compliance, identifying key vulnerabilities in the trading platform architecture.
BUPA UK | Technology Risk Consultant
November 2023 – February 2024 London, UK
Risk Remediation Programme Validation
Led independent validation of a major technology risk remediation programme, verifying that all critical findings were properly addressed and control gaps sustainably closed.
Technology Risk & Controls Framework Review
Conducted comprehensive review of the technology risk and controls framework, assessing policy compliance and identifying areas for control environment enhancement.
AVIVA GROUP | Interim Head of IT Audit – CIO Global
March 2020 – June 2020 London, UK
Global Audit Function Leadership
Led the global audit function for the CIO domain, covering infrastructure, architecture, strategy, and resilience. Defined the IT Audit universe and developed a risk-based multi-year audit plan.
Team Development & Stakeholder Engagement
Coached the audit team to improve delivery quality and strengthened stakeholder relationships across the organization, enhancing the function's strategic value.
LLOYDS BANKING GROUP | Infrastructure Security Architecture & Audit SME
March 2015 – December 2017 London, UK
Cross-Platform Security Architecture Audits
Delivered end-to-end audits of security architecture design across the Group's entire infrastructure estate β€” Linux, Windows, IBM Mainframe, and HPE Non-Stop β€” identifying critical gaps in privileged access, event logging, and patch management.
Security Posture Improvement
Drove significant improvements in the Group's overall security landscape by highlighting key control gaps to senior management and articulating complex technical issues in accessible business language.
Last Updated: July 2026 β€’ London, United Kingdom β€’ www.enftc.co.uk