24 June 2025 | London, England
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source in Finance Forum London 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in British Summer Time. To see the schedule in your preferred timezone, please select from the drop-down at the bottom of the menu to the right.
Venue: Gielgud
Tuesday, June 24
 

11:00 BST

DORA: How To Balance Compliance With Innovation - Monica Sasso, Red Hat
Tuesday June 24, 2025 11:00 - 11:30 BST
The Digital Operational Resilience Act (DORA) is a game-changer for the EU financial services industry, establishing uniform ICT risk management, incident reporting, and third-party risk regulations. Unlike previous sector-specific frameworks, DORA mandates a horizontal implementation across entire firms, ensuring a ‘Minimum Viable Bank’—continuity of critical services amid disruption.
DORA aligns with the financial sector’s shift toward decentralised technology models, where hybrid cloud adoption has introduced operational complexity. While regulatory compliance may seem burdensome, DORA presents an opportunity: fostering a tech-first mindset, enhancing resilience, and driving strategic modernization. However, challenges remain—smaller firms may struggle with costly penetration testing, while managing fourth- and fifth-party risks requires increased supply chain visibility.
A successful DORA implementation hinges on open hybrid cloud platforms, enabling interoperability, scalability, and AI-driven innovation. Rather than a regulatory checkbox, DORA should be seen as an industry-wide resilience strategy, securing financial services for the future.
Speakers
Monica Sasso

Global Financial Services Digital Transformation Lead, Red Hat
Monica supports customers in adopting open source & hybrid cloud for business transformation, focusing on digital transformation, operational resilience, and compliant infrastructure. As the Asset & Wealth Management business lead, she brings experience from top global firms like...
Gielgud

11:40 BST

K8s vs. Agent Smith: Exploding GPUs and the AI Readiness Governance Framework - Andrew Martin, ControlPlane
Tuesday June 24, 2025 11:40 - 12:10 BST
In a broad and detailed appraisal of end-to-end AI security for FINOS members we examine how to run LLM agent workloads on Kubernetes using the AI Readiness Governance Framework — without getting lost in the Matrix.

GPU megaclusters, operationalising LLM agents at scale, and securely deploying GPU-bound workloads are covered, with real-world experience in some of the world's most complex deployments with the industry's latest, bleeding-edge offensive and defensive tooling.

In this talk we:
- enumerate the threats and controls in the AI Readiness Governance Framework with real infrastructure and examples, and examine how they fix FSI concerns
- investigate how to attack and defend against a range of historical and current AI CVEs, both with the FINOS AI Readiness and FINOS CCC/CFI projects
- analyse where misconfigurations and advanced threats pose the greatest risk and impact to your AI systems
- introduce AI Red Teaming and our work in the OpenAI Red Teaming Network
- look at the future growth and ambitions of the governance framework, and at how other critical FINOS projects intersect to support the mission
Speakers
Andrew Martin

CEO, ControlPlane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...
Gielgud

12:20 BST

Cloud Compliance vs. Cost Efficiency: Can Fintech Have Both? - Kate Obiidykhata, Percona
Tuesday June 24, 2025 12:20 - 12:35 BST
Regulated fintech organizations must ensure compliance with stringent data regulations while maintaining cost efficiency in the cloud. However, compliance-driven choices—such as data residency requirements, encryption mandates, and audit logging—can lead to hidden costs, especially in cloud storage and database management. This talk breaks down how cloud adoption impacts database architectures in fintech, why public cloud pricing models often penalize compliance-heavy workloads, and how open-source database solutions can help financial organizations regain control over performance, security, and cost.
Speakers
Kate Obiidykhata

Senior Product Manager, Percona
Senior Product Manager with 9 years of experience in the open-source technology industry, leading projects such as AlmaLinux, Kubernetes Operators, and Everest - a cloud-native database management platform.
Gielgud

12:35 BST

Taming Multi-Cloud Security: Progress on Common Cloud Controls - Michael Lysaght, Citi & Sonali Mendis, Scott Logic
Tuesday June 24, 2025 12:35 - 12:50 BST
For highly regulated firms, aligning security and compliance in the cloud is a persistent challenge. The FINOS community has been tackling this issue head-on, defining technology-specific control catalogs informed by security frameworks and regulations, while enabling automated compliance validation and compliant delivery mechanisms.

Join two project maintainers of the Common Cloud Controls (CCC) project as they showcase how it streamlines the creation of threat-informed controls and integrates them into reusable assets via the Compliant Financial Infrastructure (CFI) project. This session will provide insights into building scalable, open-source security controls that help financial institutions accelerate cloud adoption while maintaining regulatory compliance.

Who should attend? Leaders and individual contributors in compliance, security, and cloud infrastructure who are looking to bridge the gap between governance requirements and real-world cloud implementations.
Speakers
Michael Lysaght

Head of Global Threat-Informed Defense Engineering, Citi
Michael is the Head of Citi's Global Threat-Informed Defense Engineering team, where he leads a global team of engineers focused on delivering protective, detective, and responsive security controls across Citi's cloud environments. Passionate about bridging the gap between security...

Sonali Mendis

Senior Software Developer, Scott Logic
Sonali is a Senior Developer at Scott Logic, where she leverages 14 years of experience across cloud, backend, mobile, and enterprise applications to deliver high-impact solutions for clients. Passionate about open-source contributions, she actively engages in community-driven projects...
Gielgud

14:05 BST

CALM - Architecture Lifecycle Management - Konadu Appiah & Joseph Brown-Pobee, Turntabl.io
Tuesday June 24, 2025 14:05 - 14:20 BST
Lightning talk showcasing an architect's persona using CALM (Common Architecture Language Model).

CALM enables software architects to define, validate, and visualize system architectures in a standardized, machine-readable format, bridging the gap between architectural intent and implementation.

CALM aims to move architecture beyond static diagrams by providing a common language that both humans and machines can understand, ensuring that architectural decisions are consistently applied and easily auditable.

Speakers
Konadu Appiah

Software Engineer, Turntabl.io
TBD.
Joseph Brown-Pobee

Software Engineer, Turntabl.io
TBD.
Gielgud

14:30 BST

Platforms for Secure API Connectivity With Architecture as Code - James Gough, Morgan Stanley
Tuesday June 24, 2025 14:30 - 15:00 BST
As microservices and complex platforms become the standard, ensuring secure connectivity while maintaining a smooth developer experience is a significant challenge. Traditional security models often introduce friction, slowing down innovation and deployment. Regulated industries must balance stringent security controls with the need for agility.

In this session, you will learn how Architecture as Code with CALM, an open-source initiative from FINOS, provides a structured approach to defining Patterns and Architectures that incorporate security and resilience from the start. You will see how CALM CLI can generate and validate architectures against predefined patterns, ensuring security compliance without compromising developer experience.

Through a live demo, you will observe how an initial deployment lacks security and how a threat model can be applied to highlight vulnerabilities. You will then learn how controls enforce security requirements, including Zero Trust principles to lock down the cluster. Finally, you will discover CalmHub and the Visualizer, tools that help review and maintain architectures over time.
Speakers
James Gough

Distinguished Engineer/Executive Director, Morgan Stanley
API Platform Lead Architect at Morgan Stanley working on APIs, security, and developer experience. A Java Champion, author, and conference speaker, Jim has contributed to the Java Community Process, co-authored Mastering API Architecture and Optimizing Cloud Native Java (O’Reilly...
Gielgud

15:15 BST

Learning To Trust Again: How Open Source Can Be Leveraged in Highly Regulated Industries - Liam Follin, KPMG
Tuesday June 24, 2025 15:15 - 15:45 BST
In the highly regulated world of financial services, trust is paramount. This talk explores how internal teams can trust open-source software (OSS) to provide a compliant financial infrastructure, using romantic comedies as analogies. Just as trust in relationships is built over time, so too is trust in technology, especially where compliance, security, and risk management are critical. We'll cover the basics of OSS, its transparency, and community-driven development, likening it to the openness seen in films like 'You've Got Mail.' We'll address the trust deficit in regulated industries, highlighting cybersecurity risks and compliance with regulations like GDPR. By adopting OSS, financial institutions can gain greater visibility into their software, allowing for more rigorous security audits and compliance checks. The talk will explore building trust through visible code and peer reviews, and leveraging OSS in industries like healthcare and finance. We'll discuss overcoming adoption barriers, emphasising data privacy, incident response, and community support. Looking to the future, we'll explore how AI and blockchain can enhance OSS security.
Speakers
Liam Follin

Lead Penetration Tester, KPMG
Liam is a Lead Penetration Tester and Dual CHECK Team Leader in KPMG's Cyber Defence Services Team. He is also a Chartered Cyber Security Professional under the UK Cyber Security Council. He loves all things pentesting and hacking.
Gielgud

15:55 BST

The Rise of Internal Forks: How AI Is Reshaping Code Integration and Its Risks To the Financial Serv - Daniel Forsgren, FossID
Tuesday June 24, 2025 15:55 - 16:25 BST
As financial institutions accelerate their digital transformation, the integration of third-party code has become a necessity—but also a hidden risk. The rise of AI-assisted development is increasing the prevalence of internal forks, where modified external code becomes unmanaged and invisible to traditional security and compliance processes. In a highly regulated industry like financial services, these forks pose significant challenges, including security vulnerabilities, compliance gaps, and technical debt that can impact operational resilience. This session will explore how AI is reshaping software integration, why financial firms must proactively address internal forks, and how modern Software Composition Analysis (SCA) tools can provide much-needed visibility and control. Learn how to leverage AI-driven development while maintaining the highest standards of security, compliance, and risk management.
Speakers
Daniel Forsgren

Chief Technology Officer, FossID
Daniel Forsgren drives the technological vision and innovation strategy at FossID. With over two decades of experience in software engineering, product management, and corporate development, he is passionate about advancing open source software management and security. Before joining...
Gielgud
 