Why Banks and Cloud Providers Are Choosing Collaboration Over Fragmentation
At Sibos 2025, I had the pleasure of moderating a panel with Allison Nachtigall (Microsoft) and Aric Rosenbaum (Red Hat) on the benefits of bringing together financial institutions and technology vendors to define common controls and how open collaboration can accelerate modernization in the financial sector — from cloud adoption to AI risk governance.
Author: Luca Borella, FINOS, Program Manager, AI Strategic Initiative
Our discussion revolved around a simple but urgent question. Earlier, in June, five major FSIs (BMO, Citi, Morgan Stanley, Bank of America and Royal Bank of Canada) joined cloud service providers and vendors in publicly announcing that they are building common AI controls in the open. Why, and what are the benefits?
Setting the Scene: From Fragmented Controls to Shared Foundations
For more than a decade, financial institutions have tried to modernize — embracing the cloud, automating compliance, and now exploring AI. But every step forward has been slowed by the same invisible drag: fragmentation.
Each bank builds its own control framework (up to 15,000–20,000 active controls for Tier 1 banks with global operations). Each cloud service provider maps to it differently. Each vendor fills in another version of the same spreadsheet. Multiply that by thousands of institutions and you get an industry spending billions to reinvent the same governance wheel — in silos.
If even 5–10% of total compliance cost in FS is wasted on duplicative control mapping and fragmented assurance, we’re talking $15–30B/year of inefficiency globally.
And yet, the risks we face are shared. The regulatory expectations are shared. Even the technologies — the cloud, the models, the APIs — are shared.
So why shouldn’t the controls be shared too?
The FINOS Common Cloud Controls Project: A Shared Language for Risk
This is where FINOS (the Fintech Open Source Foundation) steps in. As the vertical Foundation working within the Linux Foundation, FINOS brings together over 100 financial services members — banks, CSPs, and technology vendors — to do what we call “the undifferentiated heavy lifting.”
One of the cornerstone initiatives of FINOS is the Common Cloud Controls (CCC) project. It provides machine-readable definitions for common cloud services — such as storage, compute, networking, and databases — along with their associated risks and controls.
By harmonizing these controls across institutions and providers, the CCC reduces duplication, strengthens risk governance, and enables faster — yet safer — cloud adoption.
From Microsoft’s perspective, as Allison Nachtigall highlighted, this work helps payments, finance and banking firms “move to the cloud with confidence,” leveraging a consistent control framework that can be tested, automated, and shared across the ecosystem.
Red Hat’s Aric Rosenbaum added that open source implementation is key:
“Codifying controls into transparent, repeatable tooling allows institutions to mitigate risks automatically — making compliance auditable, scalable, and predictable.”
From Cloud to AI: The Next Trust Frontier
The next frontier is AI. Generative AI introduces novel risks, from data leakage to model bias, that demand new categories of controls. That’s why the FINOS Community has been building the AI Governance Framework (AIGF), which provides the overarching structure for evaluating, testing, and continuously governing AI systems within regulated environments.
The goal isn’t another white paper; it’s to create codified, reusable, and testable controls that both regulators and the industry can trust. See, for example, the controls for the GenAI service.
By shifting collaboration left, FINOS enables banks and CSPs to co-develop controls before deployment — reducing friction, eliminating redundant assurance work, and turning compliance into a shared, positive-sum game.
- For financial institutions, this means leveraging an industry-wide framework instead of maintaining thousands of bespoke control mappings.
- For cloud providers, it means aligning once against a standard framework — rather than responding to 16,000 individual spreadsheets.
The outcome: faster modernization, stronger governance, a more resilient financial ecosystem, and an opportunity to agree on standards that get ahead of regulation.
Call to Action
If you’re in banking technology, risk, or compliance, the question isn’t whether open collaboration will reshape governance — it’s whether you’ll be part of shaping it.
Because the future of trust in financial services will not be written behind closed doors. It will be built — line by line, control by control — in the open.
Join FINOS and its members to co-create the frameworks that define how financial institutions and technology providers innovate safely, together.
In regulated innovation, open source isn’t a choice — it’s the only way trust scales.
- Watch this video on Common Controls for AI Services
- Contribute to the controls
- Join the CCC (Common Cloud Controls) and AI Governance Framework Meetings