An Open SDLC Controls Framework for Financial Services

Nov 13, 2025

How can financial institutions align on software delivery governance without slowing down innovation?

At FINOS OSFF New York 2025, Deutsche Bank and Morgan Stanley introduced the new SDLC Governance Working Group — an open collaboration under FINOS to create a Common Controls Catalogue for software delivery.

Kosli's Mike Long helped form and participates in this group, contributing expertise in continuous compliance automation and controls engineering to connect the engineering and policy communities.

Together, these institutions are working to standardize how the financial industry defines, automates, and proves its SDLC controls — turning governance from opinion into evidence.

00:00 – Introduction: Why SDLC Controls Matter

01:20 – What Are SDLC Controls?

03:00 – The Pull Request Example: Different Risks, Same Control

05:00 – Understanding Risk Categories (Operational, Security, Quality, Regulatory)

08:00 – How Controls Are Created and Maintained

12:00 – The Problem: Duplication Across Institutions

15:00 – Why We Need a Common Vocabulary

18:00 – The Solution: The Common Controls Catalogue

21:00 – From Policy to Proof: Standardization for Audit and Automation

23:30 – Industry Collaboration: Banks, Vendors, and Regulators

26:00 – Q&A: What’s Missing from Current Frameworks (NIST, SLSA, etc.)

30:00 – Audience Discussion: Integrations, SBOMs, Meta Models, and Future Work

🏦 About the FINOS SDLC Governance Working Group

The SDLC Governance Working Group is a FINOS initiative co-created by Deutsche Bank, Morgan Stanley, and Kosli, under the DevOps Automation SIG.
Its mission is to define a shared, open framework for SDLC controls — creating a common language, taxonomy, and catalogue of risk mitigations that can be reused, automated, and audited across the financial industry.

Learn more or join the group:
https://www.finos.org/osff-nyc-2025-videos

🎙️ Speakers

  • Aaron Searle, Morgan Stanley — Controls Engineering
  • Toby Weston, Deutsche Bank — Software Governance

With contributions from Kosli, which supported the formation and facilitation of the Working Group.

Subscribe to Kosli for more on Software Delivery Governance and Continuous Compliance Engineering.

#FINOS #SDLCControls #SoftwareGovernance #ComplianceEngineering #DevOps #OpenCollaboration #Kosli #MorganStanley #DeutscheBank #OpenFinance