When Morgan Stanley’s engineering team grew weary of software development holdups, they looked for technological solutions. The problem went deeper than code, all the way down to the basic building blocks of an application.
“Architecture is a critical part of the software development lifecycle,” Trevor Brosnan, global head of technology strategy, architecture and modernization, said in an email. “Architecture decisions are complex to change, so getting it right the first time is imperative.”
As technology greases the wheels of software development processes, engineers are still stuck steering through time-consuming internal reviews prior to deployments. Generative AI coding assistants and access to open-source catalogs can speed app building, but enterprises remain wary of flaws that expose security vulnerabilities or run afoul of regulators.
“When you build a solution, you have to pass it in front of your compliance team, your security team, and you need to be able to show them how it works, which you usually do with a diagram,” Olivier Poupeney, field CTO at the Linux Foundation and the affiliated Fintech Open Source Foundation, told CIO Dive.
Navigating the financial sector’s complex web of regulatory imperatives, security concerns and compliance mandates compounded the issue at Morgan Stanley, as developers grappled with the time-consuming process of describing the structure and design of each new app in production.
Morgan Stanley engineers tackled the problem head-on, using code to address the architectural underpinnings of the software development life cycle. The team’s common architectural language model, called Calm, translates the design of an application into code, automating and continuously updating design diagrams and applying security and compliance controls along the way, Morgan Stanley Distinguished Engineer Matthew Bain said during a June 2024 presentation at the Open Source in Finance Forum in London.
“For the last couple of years now … I've been banging on at anyone that would listen at Morgan Stanley about, how do we change this?” Bain said. “About a year ago, we decided to try and start talking about this through FINOS.”
Morgan Stanley engineers launched an architecture-as-code working group that led to the development of Calm in August 2023, the firm told CIO Dive. Two years later, on Aug. 15, Morgan Stanley open-sourced Calm v1.0 through FINOS.
“Calm is already in use in several firms, where it is being used to document architectures of existing systems, enable pattern-based automated security approvals and has already underpinned well in excess of 2,000 application deployments,” Bain said in a LinkedIn post announcing the release.
The framework supports Morgan Stanley developers and has already eased the path for more than 1,400 internal deployments, the firm said. Among other benefits, it has significantly sped up the process of getting apps from development into production, shortening review processes by months.
“If you don't want to use Calm and you want to go and use something that's not a standardized pattern, you're going to have to involve all the risk people,” Jim Gough, distinguished engineer and API platform lead architect, said during a presentation at the June Open Source in Finance Forum. “It's going to take you six months. So, which do you want? Two weeks or six months?”
The value of shared code
Open source wasn’t an easy sell in the financial sector, initially. But as cloud modernization spread across the industry, the Silicon Valley ethos of sharing code among a community of developers to encourage iterative innovation gained traction.
“The industry was pretty restricted because of a sensitivity around intellectual property,” Morgan Stanley Distinguished Engineer Dov Katz told CIO Dive earlier this year. “A lot of the libraries that we used were probably built in-house.”
Banks warmed up to the benefits of sharing code as technology permeated business processes. Linux, the ubiquitous open-source operating system, helped drive open source adoption among the industry’s largest players, according to Accenture Senior Managing Director and Global Banking Lead Michael Abbott.
A desire for industrywide standards to guide AI development has helped solidify the ethos of collaboration and elevate FINOS as a vehicle for forging open source initiatives. Morgan Stanley, BMO, Citi and RBC joined a coordinated effort by FINOS to establish vendor-neutral AI adoption standards in June.
Compared with AI guardrails, application compliance guidelines were relatively easy to envision, though still difficult to codify.
“This one is a no brainer for everyone,” said Poupeney. “You can have validation of your architecture from your security team faster, which means you move faster to production, which is good for the business.”
A market void
The validation process has many different elements. Requirements also vary from firm to firm. There were no suitable vendor tools on the market to create visual diagrams of an app’s structure through the development life cycle when Morgan Stanley initiated the Calm project, according to Poupeney.
“Developers are much faster at writing code than visual things … so there is often a disconnect between what the diagram represents and the reality of the solution,” Poupeney said.
The process relies on accurate depictions.
“We knew from the start that the visualized component of this was going to be really important,” Morgan Stanley Director Aidan McPhelim said during the 2024 Open Source in Finance Forum presentation. “You can't really talk about architecture without having diagrams.”
Sharing Calm with the developer community encourages incremental improvements in the tool’s capability, which is a win for Morgan Stanley and other adopters.
“Open-sourcing Calm enables it to become the standard for software developers and architects across the industry, streamlining development as it continues to evolve alongside industry needs,” Brosnan said.
Morgan Stanley’s team is continuing to add capabilities, as well.
“We can now get preapproved patterns from a security perspective … and store them in that database and be able to connect it to our security tool,” Bain said. It’s an improvement, he said, on a process that might not reveal security flaws until the very end of the development pipeline.
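To make the architecture-as-code idea described above concrete (a design written as data, a diagram generated from that data, and a pre-approved security pattern checked automatically before a human review), here is an added toy example. It is not Calm's code or schema; the node/zone/relationship structure and the two rules are hypothetical simplifications constructed for illustration.

```python
"""Toy architecture-as-code model: one machine-readable description drives both
a generated diagram and an automated pattern check. Added illustration only;
this schema (nodes/zones/relationships) is a hypothetical simplification, not
CALM's real format."""

# Constructed sample: browser -> API in the DMZ -> internal database over plaintext JDBC.
SAMPLE = {
    "nodes": {
        "browser":   {"kind": "actor",    "zone": "internet"},
        "api":       {"kind": "service",  "zone": "dmz"},
        "ledger_db": {"kind": "database", "zone": "internal"},
    },
    "relationships": [
        {"src": "browser", "dst": "api",       "protocol": "https", "encrypted": True},
        {"src": "api",     "dst": "ledger_db", "protocol": "jdbc",  "encrypted": False},
    ],
}

def rule_encrypted_cross_zone(arch):
    """Any link that crosses a trust zone must be encrypted."""
    nodes = arch["nodes"]
    return [f'{r["src"]}->{r["dst"]}: unencrypted {r["protocol"]} crosses zones'
            for r in arch["relationships"]
            if nodes[r["src"]]["zone"] != nodes[r["dst"]]["zone"] and not r["encrypted"]]

def rule_no_internet_to_database(arch):
    """Nothing in the internet zone may talk to a database directly."""
    nodes = arch["nodes"]
    return [f'{r["src"]}->{r["dst"]}: internet zone reaches a database directly'
            for r in arch["relationships"]
            if nodes[r["src"]]["zone"] == "internet" and nodes[r["dst"]]["kind"] == "database"]

def review(arch):
    """Automated approval gate: an empty list means the design matches the
    pre-approved pattern; each finding is something a reviewer would otherwise catch late."""
    rules = (rule_encrypted_cross_zone, rule_no_internet_to_database)
    return [finding for rule in rules for finding in rule(arch)]

def to_mermaid(arch):
    """Render the same model as a Mermaid flowchart, so the diagram cannot drift from the design."""
    lines = ["flowchart LR"]
    for name, n in arch["nodes"].items():
        lines.append(f'  {name}["{name} ({n["kind"]}, {n["zone"]})"]')
    for r in arch["relationships"]:
        label = r["protocol"] + ("" if r["encrypted"] else " (plaintext)")
        lines.append(f'  {r["src"]} -->|{label}| {r["dst"]}')
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_mermaid(SAMPLE))
    for finding in review(SAMPLE):
        print("BLOCKED:", finding)
```

Running it prints the diagram source and one blocking finding for the plaintext database link; flipping that link to encrypted yields an empty finding list, i.e. the design fits the pre-approved pattern without a manual review.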