Financial Services, delivered in the open.
Banking, asset management and market infrastructure live under NIS2, DORA and an audit trail that never sleeps — on top of legacy core systems nobody dares touch. Domain fit here means regulatory fluency, not just clean code: every application we build for a financial institution assumes the examiner will read it. Auditable process applications, client and advisor portals, and data platforms regulators can follow — EU-sovereign from the first commit.
What actually breaks
Regulation compounds faster than systems adapt
DORA's operational-resilience obligations, NIS2, AML and conduct reporting — each new rule lands on systems designed before it existed.
— Compliance implemented as manual workarounds— Evidence assembled per audit, not per process— Every new obligation spawns a spreadsheet— The change backlog grows faster than delivery
Legacy cores nobody dares touch
The core works; touching it is the risk. So processes bend around it instead.
— Integration by nightly file drop— Workarounds harden into unofficial systems— Vendor roadmaps dictate your pace— The people who understand it are retiring
Four-eyes everywhere, evidence nowhere
Approvals, exceptions and overrides are controlled on paper but invisible in practice.
— Sign-offs living in inboxes— Exceptions without an audit trail— Controls tested by sampling, not by design— Remediation findings recur year after year
Client experience versus control
Clients expect digital self-service; risk expects control of every step. Most institutions get neither cleanly.
— Onboarding measured in weeks— KYC refresh a permanent project— Advisors re-keying between systems— Portals that stop at brochureware
Named problems, worked answers
An asset manager runs client onboarding and KYC refresh across email, shared drives and a core system that predates the regulation.
- Onboarding & KYC workflow applications with evidence captured at every step
- Four-eyes enforced by the system, not by habit
- Integration that reads the core without touching it
- Audit views an examiner can follow unassisted
Operational-resilience reporting demands registers, tests and incident trails the current tooling never anticipated.
- Registers as applications — ICT third parties, incidents, tests — built to the regulation's shape
- Automated assembly with human sign-off on every submission
- EU-resident data platforms your regulator can follow
Advisors work across five systems; clients see none of it. The portal project keeps slipping.
- Client & advisor portals on one governed data layer
- Secure document exchange with full logging
- Every client-facing action recorded — service and compliance from the same trail
Capabilities
- Auditable process applications: onboarding, KYC, exceptions, approvals
- Portals: client and advisor experiences on governed data
- Data platforms: EU-resident, regulator-followable
- Integration: respects the core — reads without rewriting
- Platform fit: Dynamics 365 and the Power Platform as components where they earn their place
How we deliver
| How we deliver | What it means for you |
|---|---|
| Audit-ready by construction | Every workflow records its evidence as it runs — audits become retrieval, not reconstruction |
| EU-sovereign infrastructure | Moonbase-run platforms hosted in the EU (Germany); your data's residency is demonstrable |
| NIS2-minded delivery | Security posture visible in the Moonbase Portal — compliance on the record, not on request |
| Fixed price, gated method | AFD Confidence Gates with evidence at every stage — procurement-safe, no surprises |
Moonbase is new — the people aren't. 15+ years of senior delivery in sectors like this one, a method you can audit before you commit, and every product we ship tracked in the open.
See the gates, the fixed price and the compliance roadmap before you commit.