When a critical piece of open-source software fails — or worse, is quietly compromised — the consequences rarely stay contained to the development community that built it. They ripple outward into banks, brokers, trading platforms, and ultimately the investors whose capital depends on the stability of those systems. It is this uncomfortable reality that EXANTE, the global prime broker, is now confronting head-on with the launch of Gecko, an initiative designed to address the structural fragility embedded in the open-source ecosystem that modern finance runs on.
Richard Forss, Chief Technology Officer at EXANTE, has been unusually candid about why the company felt compelled to act. The numbers alone frame the urgency: open-source software currently underpins 70% of businesses worldwide, making it not a peripheral concern but a foundational layer of the global economy. Yet the teams responsible for maintaining much of this infrastructure are small, chronically underfunded, and operating without the institutional support that the scale of their responsibility arguably demands. The gap between the criticality of open-source software and the resources devoted to sustaining it represents one of the most underappreciated systemic risks in technology today.
A Silent Dependency Crisis
The financial sector's relationship with open-source software is particularly acute. Trading infrastructure, risk management engines, data pipelines, and compliance tooling all draw heavily from open-source libraries and frameworks. Prime brokers like EXANTE, sitting at the intersection of institutional liquidity provision and technology-driven execution, are acutely exposed to any degradation in the reliability of that underlying code. A vulnerability in a widely-used open-source library does not discriminate between a startup fintech and a systemically important institution — both are equally dependent, and both face equivalent exposure when something breaks.
This is not a theoretical concern. The 2021 Log4Shell vulnerability, which exploited a flaw in the widely-deployed Apache Log4j logging library, demonstrated precisely how a single open-source component maintained by a small volunteer team could expose hundreds of millions of devices and systems across industries, including financial services. Regulatory bodies including the European Banking Authority and the Bank for International Settlements have since flagged software supply chain risk as a growing area of supervisory concern, reinforcing what practitioners like Forss have long understood from the inside.
What Gecko Represents
EXANTE's response — Gecko — signals a meaningful shift in how a financial institution can engage with the open-source community. Rather than treating open-source dependencies as a free resource to be consumed without reciprocity, the initiative reflects a philosophy of institutional stewardship: the recognition that if your business depends on open-source infrastructure, you bear some responsibility for its health. The precise scope and technical mechanics of Gecko, as articulated by Forss, point to a structured approach to identifying, supporting, and strengthening the open-source components most critical to financial operations.
This model is not entirely without precedent. Technology giants such as Google, Microsoft, and Meta have long maintained open-source offices and dedicated engineering capacity to contribute back to projects they depend upon. What makes EXANTE's move notable is that it comes from within the financial services sector — an industry historically more accustomed to consuming software than contributing to it. For a prime broker to position itself as an active participant in open-source sustainability is a meaningful cultural and strategic signal to the broader fintech ecosystem.
The Systemic Stakes for Financial Markets
The implications extend well beyond EXANTE's own technology stack. Financial markets are, at their core, information processing systems. The speed, accuracy, and security of that processing depend on software that is increasingly open-source in nature. When the teams maintaining that software lack funding, burn out, or simply abandon projects, the technical debt accumulates invisibly — until it doesn't. A fragility that builds slowly can resolve itself catastrophically, and in financial markets, catastrophic resolution carries direct economic consequences for institutions, counterparties, and end investors alike.
Forss's framing of this challenge places EXANTE in a position of both enlightened self-interest and genuine industry responsibility. The launch of Gecko suggests that at least some corners of the financial services world are beginning to internalize what the technology sector has understood for years: open-source software is shared infrastructure, and shared infrastructure requires shared investment to remain sound. Whether other prime brokers, custodians, and trading venues follow suit will determine whether this represents an isolated act of corporate responsibility or the beginning of a broader industry reckoning with its open-source dependencies.
For now, EXANTE and its CTO have placed a clear marker on the table. In an era when regulators are scrutinising operational resilience with growing intensity — from the EBA's Digital Operational Resilience Act requirements to wider supervisory expectations around third-party risk — the decision to invest in the health of open-source foundations is as much a compliance posture as it is a technological one. The question for the rest of the industry is whether they will treat Gecko as a curiosity or a call to action.
Written by the editorial team — independent journalism powered by Codego Press.