Operational Resilience is Not a Dashboard: Mahesh Paolini-Subramanya on DORA and Bank Architecture

AI and Tech Leadership

This interview series is grounded in lived experience. It explores how technology leaders move AI from experimentation into day-to-day operations, where decisions carry real consequences for teams, customers, and the business. Through conversations with practitioners who have led transformations at scale, the series examines how AI reshapes execution, accountability, and outcomes.

On the first anniversary of the Digital Operational Resilience Act (DORA), Europe’s sweeping regulatory push to fortify financial institutions against technology failures, a question hangs over the industry: Are banks as resilient as they think they are? 

For Mahesh Paolini-Subramanya, the answer is clear. Not yet. 

A technologist with nearly four decades of experience spanning the dot-com boom, telecom collapse, crypto banking surge, and now digital banking infrastructure, Mr. Paolini-Subramanya has seen enough cycles to know that systems rarely fail the way risk models predict.

They fail at the seams in the quiet gaps between silos, in the legacy dependencies no one dares to untangle, and, most often, in the data itself. 

Today, as CTO of BKN301, a London-headquartered fintech architecture provider building modular core banking infrastructure for growth markets, he spends his time rethinking how financial systems are built from the ground up.

You’ve been building systems for nearly four decades, from the early internet to crypto banking. When you look at DORA today, do you see evolution or repetition?

Mahesh Paolini-Subramanya: 
I’ve been doing this for almost 40 years at this point. 

If you’re around long enough, you get to see every bubble. I started off during the dot-com era in the early 90s. My company was building out e-commerce infrastructure and web servers for Netscape — which was essentially the origin of the internet boom. 

After that exit, I decided to start a phone company. That was perfectly timed for the telecom crash. But telecom taught me something important: it’s fundamentally about billing. That was my introduction to finance. We built large billing and revenue recognition systems, which led me into FX, lending, and later supply chain finance. 

From there, I went to BlockFi, which at the time was the first and perhaps largest crypto bank. We essentially pioneered stablecoin-based rapid lending, crypto-backed asset management, current accounts, and a full digital banking stack. 

After that, I founded a digital bank in Mexico, moved to Italy, and now I’m focused on building infrastructure that allows growth markets to launch digital and retail banking services rapidly. The idea is simple: countries should be able to build their own digital banking infrastructure instead of relying on a handful of global neobanks. 

DORA forces institutions to move beyond prevention toward detection, response and recovery. One year in, is bank architecture genuinely more resilient, or just more documented? 

Mr. Paolini-Subramanya: 
No. And I don’t say that lightly. 

What DORA gets absolutely right is the acknowledgment that you cannot always prevent ICT incidents. Systems will fail. What matters is whether you can detect incidents early, report them accurately, assess the impact correctly, and learn from them fast. 

Regulators now expect institutions to classify incidents quickly and demonstrate mitigation plans. That’s good. That’s necessary. 

The problem is that many banks are trying to do this with fragmented data. Inconsistent definitions. Duplicated records. Limited visibility across dozens of systems. When an incident happens, clarity is critical, and that’s precisely when many organizations are guessing. 

DORA has forced institutions to look at themselves. And what they’re finding is that self-certification often translates to paper compliance, not operational reality. 

When you talk to CTOs, where do you see the biggest disconnect between how resilience is defined in regulation and how systems are actually architected? 

Mr. Paolini-Subramanya: 
Banks think in silos. Resilience doesn’t. 

Large organizations look at individual systems and ask, “Is this resilient?” If each silo answers yes, leadership assumes the bank is resilient. But failure doesn’t happen in silos. It happens in the interactions between them. 

If your core banking system goes down, your loan systems don’t work. Your underwriting models don’t work. Payments stop. It’s not that each component wasn’t hardened — it’s that everything depended on one backbone. 

Most organizations optimize for stability within silos. What they fail to examine is the dependency chain across silos. That’s the mismatch. 

DORA implicitly pulls technology, risk, and compliance into the same room. In practice, does that create clarity or tension? 

Mahesh Paolini-Subramanya: 
Absolutely. Historically, risk was broken into smaller pieces. Each department assessed its own risks in isolation. You’d end up with a spreadsheet with 8,000 rows, each representing a tiny component, and then someone would multiply them together in a model. 

DORA asks a much simpler, and much more uncomfortable, question: what happens in an incident? 

Not what happens to one component. What happens to the bank? 

What happens if your primary data center shuts down? Can customers withdraw money from ATMs? Basic questions. But those basic questions expose very uncomfortable truths. 

Data has been the Achilles’ heel of banking for decades. Is DORA exposing structural weaknesses in bank architecture that institutions have quietly tolerated? 

Mahesh Paolini-Subramanya: 
These are really good questions. Large banks grew through mergers and acquisitions. Each acquisition brought its own systems, data models, and definitions. To manage that, banks built massive data warehouses and lakes. 

But those systems were designed for reporting, not for real-time operational awareness. You’re lucky if you can get a reliable answer within 24 hours. In an incident, 24 hours is a lifetime. Banks are now discovering that data standardization and visibility are not reporting exercises. They are resilience infrastructure. 

That realization is long overdue. 

There’s been enormous spending on monitoring and observability tools. Are institutions confusing visibility dashboards with structural resilience?

Mr. Paolini-Subramanya: 
One hundred percent. Monitoring tools are necessary. But they are tools. They are not the solution. It’s like wanting to hang a painting and obsessing over buying the best screwdriver. The screwdriver isn’t the solution. It’s just the tool you use. 

The real work is architectural. It’s about how systems connect, how dependencies are reduced, how data flows in real time. Without that, monitoring just gives you more dashboards, not more resilience. 

If you were advising a Tier-1 bank rebuilding its core today under DORA constraints, would you modernize or start over? 

Mr. Paolini-Subramanya: 
Throw 99 percent of it away. At BlockFi, between 2019 and 2020, we built a full retail banking stack from scratch, including current accounts, savings, payments, lending, and institutional services. That system would be DORA compliant today, not just on paper but in spirit. The advantage was that we didn’t have to maintain decades of backward compatibility. 

Legacy banks carry the burden of 20 or 30 years of infrastructure decisions. Sometimes it’s easier to rewrite than to retrofit. 

As AI becomes embedded in decision-making, underwriting, and fraud detection, does it amplify resilience or expose even deeper fragility? 

Mr. Paolini-Subramanya: 
Again, a good question. Data. And not just data quality. Speed. Synchronization. Visibility. 

AI is forcing banks to confront this. You can’t build intelligent systems on top of fragmented, delayed, inconsistent data. The bottom of the pyramid is data. Above that are systems and processes. Above that is architecture. But if the foundation is weak, everything else is fragile. 

If you strip away the regulatory language and the dashboards, what is the single most important resilience decision CTOs must make in the next 18 months? 

Mr. Paolini-Subramanya: 
Going to answer a slightly different question. What CTOs should do is figure out what products are actually being used by the company and figure out how to make sure that those products are sustainable. By sustainable, I mean it can stay up.

So the point here is, we’re so fixated on things like, “We need to keep Oracle up.” You tend to forget about things like people need to be able to withdraw their money. The product is people need to be able to withdraw their money. Oracle is just what you use under the hood to do that.

So go talk to the product folks. Go talk to the business. That is the single biggest advice I could give folks. You’d be surprised at how often this stuff gets neglected.

About BKN301

BKN301 positions itself as a financial operating system, combining accelerator services and plug-and-play orchestration technology to help banks and fintechs scale securely. Recently recognized by CBI Insights as one of the most promising fintech companies of 2025, the firm argues that resilience must be architectural, not procedural. 

About the Speaker: Mahesh Paolini-Subramanya is a veteran technology executive with nearly four decades of experience building financial and telecommunications infrastructure across multiple market cycles. He began his career during the early internet era, developing e-commerce infrastructure and web server technology at the dawn of the dot-com boom. Over the years, his work has spanned telecom billing systems, foreign exchange platforms, digital lending, crypto banking and core banking architecture. He later served in senior technology leadership roles within digital asset banking, where he helped architect full-stack retail and institutional financial platforms. His career has taken him across North America, Latin America and Europe, including founding and scaling a digital bank in Mexico before relocating to Italy to focus on modular financial infrastructure for growth markets. Today, as Chief Technology Officer, he works at the intersection of bank architecture, operational resilience and data systems design, advising institutions on how to modernize legacy infrastructure without sacrificing stability. His perspective is shaped by building through boom cycles, market collapses and regulatory resets, giving him a pragmatic view of resilience not as compliance, but as engineering discipline.
Rajashree Goswami

Rajashree Goswami is a professional writer with extensive experience in the B2B SaaS industry. Over the years, she has honed her expertise in technical writing and research, blending precision with insightful analysis. With over a decade of hands-on experience, she brings knowledge of the SaaS ecosystem, including cloud infrastructure, cybersecurity, AI and ML integrations, and enterprise software. Her work is often enriched by in-depth interviews with technology leaders and subject matter experts.