Helped a FINANCIAL institution strengthen governance controls.
Open-Source License Risk Review for a BFSI Mobile Application
(How Aatxe identified AGPL exposure, validated compliance, and built lasting OSS governance)
Context:
A top-tier financial institution developed a customer-facing app to simplify digital services. What started as an internal innovation later caught the attention of the legal team — a scan suggested that open-source components like iText and Apache PDFBox were embedded in the app’s code. The concern: AGPL obligations and redistribution risks that could violate compliance standards. The CIO brought in Aatxe Analytics to trace the code lineage, validate license obligations, and protect the organization from potential liability.
Challenge:
- No documentation of open-source libraries or their license versions.
- AGPL and LGPL components potentially bundled into public-facing applications.
- Code sourced from multiple vendors and offshore developers, with poor traceability.
- No internal OSS policy or approval workflow.
- High legal sensitivity due to BFSI data governance regulations.
- The app was already in customer use — urgent validation required.

Aatxe Analytics Approach:
- Conducted a forensic code scan with an appropriate scanning toolkit across the Android, Flutter, and Java repositories.
- Identified each OSS component, version, and license type (AGPL, MPL, LGPL, MIT, Apache).
- Segregated components by linking behavior — runtime, dynamic, or static — to assess redistribution implications.
- Verified source provenance from vendor repositories and third-party contractors.
- Created an OSS Component Register linking each dependency to license obligations.
- Collaborated with the client’s legal team to categorize licenses as acceptable, restricted, or forbidden.
- Drafted a governance policy defining approval workflow for future OSS use.
- Conducted developer training to embed open-source due diligence in the SDLC.
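The classification the approach describes (license category combined with linking behaviour, feeding a component register and a release verdict), as an added illustration that is not Aatxe's or the client's tooling; the record fields, the policy mapping and the sample inventory are assumptions or constructed values:

```python
"""Minimal OSS component register with redistribution-risk flagging.

Added illustration only. The record layout, the license-to-policy mapping and
the sample components are assumptions/constructed, not the engagement's data.
"""
from dataclasses import dataclass, asdict

# License -> policy category agreed with legal (assumed mapping).
POLICY = {
    "MIT": "acceptable", "Apache-2.0": "acceptable",
    "MPL-2.0": "restricted",                              # file-level copyleft
    "LGPL-2.1": "restricted", "LGPL-3.0": "restricted",  # weak copyleft; linking matters
    "AGPL-3.0": "forbidden",                              # strong / network copyleft
}

@dataclass
class Component:
    name: str
    version: str
    spdx: str        # license identifier as found by the scan ("" if unknown)
    linking: str     # "static", "dynamic" or "runtime" (loaded at run time, e.g. plugin)
    shipped: bool    # True if the artifact is packaged into the customer-facing build

def assess(c: Component) -> dict:
    """Return one register row: policy category plus a redistribution-risk verdict."""
    category = POLICY.get(c.spdx, "review")
    risk, reason = False, "no redistribution obligation"
    if category == "review":
        risk, reason = True, "unrecognised license; legal review required"
    elif c.spdx.startswith("AGPL"):
        if c.shipped:
            risk, reason = True, "AGPL component distributed in app: source disclosure obligation"
        else:
            reason = "AGPL component not shipped (build/test only); still remove or relicense"
    elif c.spdx.startswith("LGPL") and c.shipped and c.linking == "static":
        risk, reason = True, "LGPL statically linked: must permit relinking or link dynamically"
    elif c.spdx.startswith("MPL") and c.shipped:
        reason = "MPL: ship files unmodified or publish the modified files"
    return {**asdict(c), "category": category, "risk": risk, "reason": reason}

def build_register(components):
    """One row per dependency, the OSS Component Register in its simplest form."""
    return [assess(c) for c in components]

def redistribution_findings(register):
    """Names of components that block release until remediated."""
    return [row["name"] for row in register if row["risk"]]

# Constructed sample inventory (names and versions illustrative only).
SAMPLE = [
    Component("itext7-core", "7.x", "AGPL-3.0", "static", shipped=False),
    Component("pdfbox", "2.0.x", "Apache-2.0", "static", shipped=True),
    Component("vendor-signing-lib", "1.0", "LGPL-3.0", "static", shipped=True),
    Component("crypto-helper", "3.1", "LGPL-2.1", "dynamic", shipped=True),
    Component("offshore-util", "0.9", "", "static", shipped=True),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(f"{row['name']:20} {row['category']:11} risk={row['risk']}  {row['reason']}")
```

The `shipped` flag is what separates a scan hit from an actual redistribution obligation, which is the distinction the engagement had to establish for the AGPL finding.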
Results & Impact:
- Confirmed that the released version had no active AGPL redistribution risk.
- Delivered a validated OSS register and license compliance matrix.
- Enabled legal and IT to co-own OSS risk management.
- Prevented a potential audit and public disclosure issue.
- Instituted proactive OSS review as part of every new project build.
Closing Reflection:
What began as an anxiety-driven risk check became a blueprint for policy. The client no longer treats open-source as a gray area — they’ve turned it into a governed asset class.