FINOS AI Fund and OSERA: Open Source AI Governance for FSI

The News

The Fintech Open Source Foundation (FINOS) and the Linux Foundation announced a cluster of coordinated initiatives aimed at bringing financial services institutions into tighter alignment on open source governance, AI safety, and supply chain security. The headline move is the launch of the FINOS AI Fund, backed by founding members DTCC, Morgan Stanley, RBC, and NatWest, with a dedicated Governing Board focused on agentic AI specifications and AI Governance-as-Code for the financial sector. Alongside this, FINOS and a coalition of major banks (Deutsche Bank, Goldman Sachs, Morgan Stanley, RBC, and TD Bank Group) launched Project OSERA (Open Source Enterprise Resiliency Alliance) to mutualize open source backpatching and accelerate compliant remediation at scale. The announcements also include the release of FDC3 3.0, expanding that interoperability standard beyond intra-firm desktop use to cross-industry connectivity, along with a Deutsche Bank case study on the Fluxnova orchestration platform and the addition of former OCC Acting Comptroller Mike Hsu as a FINOS advisor on machine-readable regulation.

Analyst Take

AI governance in financial services is no longer a back-office concern

This cluster of announcements lands at an inflection point. Financial institutions have been deploying AI capabilities at pace, but the governance layer has lagged. The FINOS AI Fund is a direct attempt to close that gap, not through internal policy alone, but through shared, open specifications that can travel across firm boundaries. That matters because agentic AI, by definition, acts autonomously on behalf of organizations, and in financial services, autonomous action at scale carries regulatory, fiduciary, and systemic risk implications that no single firm can address in isolation.

ECI Research’s 2026 DevSecOps + AppSec survey found that AI code governance is the #1 priority investment area for enterprise security teams heading into 2026. That finding maps directly to what FINOS is building here: a mutualized governance layer that lets firms move faster on AI adoption without each one independently reinventing compliance frameworks. For ITDMs at financial institutions, this is the rare case where industry collaboration genuinely reduces duplicated effort and regulatory exposure simultaneously. The Governing Board structure, with DTCC and the major banks at the table, gives the AI Fund real institutional weight rather than the aspirational posture of many open source working groups.

OSERA addresses the supply chain gap that most organizations are still ignoring

Project OSERA is the announcement that deserves more attention than it will likely receive. Open source supply chain risk is pervasive across every industry, but financial services firms face a specific variant: they are regulated entities that must demonstrate compliant software consumption, and they rely on the same upstream open source components as everyone else, including components that may carry unpatched vulnerabilities for extended periods. The “backpatching” model OSERA proposes, where remediation costs and effort are mutualized across a consortium of banks, is a structurally sound response to a collective action problem.

ECI Research’s 2026 DevSecOps + AppSec data shows that 67.5% of respondents selected “Repository access controls” as a supply chain protection already in place. That’s meaningful adoption of a baseline control, but repository access is a defensive perimeter measure, not a remediation capability. The gap OSERA targets sits downstream of access controls: what happens after a vulnerability is discovered in a component already running in production across multiple regulated firms? The pilot results referenced in the announcement suggest end-to-end remediation is achievable at speed; the fund structure now creates the economic model to sustain it. For developers working inside regulated institutions, this is significant: it potentially reduces the time between a CVE disclosure and an approved, tested patch reaching their production environment.

FDC3 3.0 and the platform maturity signal

The FDC3 3.0 release is worth reading as a maturity indicator. Moving from an intra-firm desktop interoperability standard to a cross-industry connectivity protocol is not a minor version bump. It signals that the financial services community has enough shared deployment experience with FDC3 to extend its trust boundary outward. The addition of security, identity, and AI features in this release ties FDC3 directly to the broader FINOS AI governance agenda, creating a connectivity layer that can carry governed AI interactions between firms, not just data.

ECI Research’s 2026 DevSecOps + AppSec survey found that 83.8% of respondents use code scan tools during CI/CD processes, reflecting how deeply security validation has been normalized in development workflows. The challenge FDC3 3.0 and OSERA both aim to address is the next layer: not whether code is scanned, but whether the provenance, compliance status, and governance lineage of that code can be verified and communicated across organizational boundaries. Mike Hsu’s role as an advisor on machine-readable regulation is a deliberate signal that FINOS is building toward a future where compliance evidence is embedded in the software artifact itself, not produced after the fact in a separate audit process.

Looking Ahead

The FINOS AI Fund and OSERA together represent a bet that the financial services industry can coordinate on foundational infrastructure the way it has coordinated on settlement, messaging, and data standards for decades. That bet is credible because the founding members are not peripheral actors; DTCC alone sits at the center of U.S. securities settlement infrastructure. If the AI Fund succeeds in producing vendor-neutral agentic AI specifications that regulators find credible, it will create a significant competitive advantage for firms that helped shape those specs and an adoption fast lane for everyone else.

Watch for two signals over the next 12 months. First, whether regulatory bodies in the U.S. and EU begin citing FINOS AI governance frameworks in guidance documents, which would validate the machine-readable regulation thesis and accelerate adoption well beyond the founding members. Second, whether OSERA’s mutualized backpatching model attracts participation from non-bank financial institutions, insurers, and asset managers, which would test whether the consortium can scale beyond its current investment banking core. If both signals materialize, FINOS will have built something that functions less like an open source foundation and more like shared critical infrastructure for the financial sector’s AI era.

Authors

  • Paul Nashawaty

    Paul Nashawaty, Practice Leader and Lead Principal Analyst, specializes in application modernization across build, release and operations. With a wealth of expertise in digital transformation initiatives spanning front-end and back-end systems, he also possesses comprehensive knowledge of the underlying infrastructure ecosystem crucial for supporting modernization endeavors. With over 25 years of experience, Paul has a proven track record in implementing effective go-to-market strategies, including the identification of new market channels, the growth and cultivation of partner ecosystems, and the successful execution of strategic plans resulting in positive business outcomes for his clients.

    View all posts
  • With over 15 years of hands-on experience in operations roles across legal, financial, and technology sectors, Sam Weston brings deep expertise in the systems that power modern enterprises such as ERP, CRM, HCM, CX, and beyond. Her career has spanned the full spectrum of enterprise applications, from optimizing business processes and managing platforms to leading digital transformation initiatives.

    Sam has transitioned her expertise into the analyst arena, focusing on enterprise applications and the evolving role they play in business productivity and transformation. She provides independent insights that bridge technology capabilities with business outcomes, helping organizations and vendors alike navigate a changing enterprise software landscape.

    View all posts