Press Releases

Press Releases

FINOS Announces the Open Sourcing of FINOS Common Cloud Controls to Address Cybersecurity, Compliance and Cloud Concentration Risks in Financial Services

October 24, 2023

Open standard launches following monumental industry-wide support with more than 100 participants from 20+ firms during formation phase.

Las Vegas, NV – October 24, 2023 – The Fintech Open Source Foundation (FINOS), the foundation of open innovation in financial services and part of The Linux Foundation, today announced that FINOS Common Cloud Controls (FINOS CCC), a set of open standards that describes consistent controls for compliant cloud deployments in the financial services sector, is now open sourced through FINOS under the Community Specification License. Built upon the approach developed by FINOS Platinum member Citi and following the formation phase which started in July, FINOS CCC is officially open for participation and contribution at

FINOS Common Cloud Controls creates a unified set of cybersecurity, resiliency, and compliance controls for common services across the major cloud service providers (CSPs). In developing a unified taxonomy of common services and associated threats, the project also sets out to alleviate the systemic risk of cloud concentration within the financial services industry.

The launch of FINOS CCC was announced during a panel at Money 20/20, featuring speakers from FINOS, Google Cloud, Goldman Sachs, and BMO. This comes on the heels of the projects’ three month formation phase, where FINOS members, including more than 100 participants from 20+ financial institutions, cloud service providers, technology vendors, industry associations, and regulatory bodies were invited to start shaping the open standard’s roadmap to ensure broad representation of all constituents involved in the shared responsibility model.

“The financial services industry pace of cloud adoption has been drastically accelerating for some time now, yet there has been no truly open standardization in the risk mitigation approach when it comes to cybersecurity concerns, cloud vendor lock-in, and response to regulatory inquiries, until now,” said Gabriele Columbro, Executive Director of FINOS and General Manager of Linux Foundation Europe. “I am incredibly excited this project has already attracted some of the most relevant names in the industry, under openly governed workstreams that bring together financial institutions, cloud service providers, and technology vendors to address systemic issues with cloud security and concentration. This goes to show these issues are very much top of mind in the industry’s C-Suite, and regulators alike, as we saw the White House put out an RFI on harmonizing cybersecurity controls just weeks after FINOS CCC’s launch.” 

During the formation of FINOS Common Cloud Controls banks, tech firms, and cloud experts joined forces to redefine how common cloud services are provided to the financial services industry. As part of the initial delivery phase, the National Institute of Standards and Technology (NIST) is consulting on the use of NIST’s OSCAL to enable the standard to be consumed and extended by FINOS contributors. Additionally, FINOS CCC created the Taxonomy and MITRE ATT&CK Framework working groups to ensure FSI cyber security cloud experts collaborate to mitigate financial services cloud threats across services described in a common cloud service taxonomy created in conjunction with banks and cloud service providers.

FINOS Common Cloud Controls will be prominently showcased at FINOS’s annual event, the Open Source in Finance Forum (OSFF) in New York on November 1, 2023. The event features leaders from many of the world’s largest financial organizations, regulatory bodies, technology providers, and more. To learn more about and register for OSFF, visit

Member organizations that have participated in FINOS CCC’s formation and definition phase include Adaptive, BMO, Citi, Container Solutions, ControlPlane, Discover, GitHub, GitLab, Goldman Sachs, Google Cloud, Leading Point, Lloyds Banking Group, London Stock Exchange Group (LSEG), Morgan Stanley, NatWest Group, Red Hat, Royal Bank of Canada (RBC), Scott Logic, Societe Generale, Symphony, and Wellington Management. ComplianceCow and StormForge, new members to FINOS, have joined to participate in and contribute to FINOS CCC specifically.

FINOS Members and FINOS CCC Community React:

“The open sourcing of FINOS Common Cloud Controls marks a groundbreaking milestone not only in cloud computing, but for the entire financial services industry,” said Jim Adams, Chief Technology Officer at Citi. “This project leverages the power of collaboration to address critical challenges, and will establish consistent industry-standard controls for essential Cloud Service Provider (CSP) solutions.”

“The importance of establishing open standards for cloud deployment in financial services cannot be understated,” said Phil Venables, Chief Information Security Officer at Google Cloud. “The FINOS CCC project is an essential component of this, and Google Cloud is proud to be a part of it as we continue to drive a more compliant public cloud ecosystem.”

“Financial service companies around the globe expect high-assurance, resilient cloud ecosystems able to accommodate the security needs of highly regulated markets,” said Dr. Michaela Iorga, OSCAL Strategic Director and Senior Cloud Security Technical Lead at NIST. “Working through FINOS with both financial services companies and cloud service providers, we will define threat-resilient common security baselines for the cloud ecosystems harboring financial data and services, setting in this way the foundation for standards-based assessment automation and continuous monitoring with NIST’s Open Security Controls Assessment Language (OSCAL).”

To learn more about FINOS Common Cloud Controls and getting involved in the open standards, visit To learn more about joining FINOS as a member, please visit


The Fintech Open Source Foundation (FINOS) is an independent nonprofit organization focused on promoting open innovation during a period of unprecedented technological transformation within financial services. FINOS believes that organizations that embrace open source software and common standards will be best positioned to capture the growth opportunities presented by this transformation.

Media Contact:

Ross Stevens

Caliber Corporate Advisers for FINOS





This Week at FINOS Blog - See what is happening at FINOS each week.

FINOS Landscape - See our landscape of FINOS open source and open standard projects.

Community Calendar - Scroll through the calendar to find a meeting to join.

FINOS Slack Channels - The FINOS Slack provides our Community another public channel to discuss work in FINOS and open source in finance more generally.

All FINOS Project Good First Issues - A good place to start contributing to, and making a difference in, open source in financial services is by taking a look at the FINOS Good First Issues (GFI) List on GitHub.

Project Status Dashboard - See a live snapshot of our community contributors and activity.

Events - Check out our upcoming events or email if you'd like to partner with us or have an event idea.

FINOS Open Source in Fintech Podcasts - Listen and subscribe to the first open source in fintech and banking podcasts for deeper dives on our virtual "meetup" and other topics.

Interested in FINOS open source projects? Click the link below to see how to get involved in the FINOS Community.

Get Involved