26 Aug 2025
Case Study: Modernising API Security & Onboarding
How Opendata Consult helped a leading UK payments processor transform an insecure, brittle API stack
into a PCI DSS-ready, FAPI-conformant platform with faster onboarding and stronger security.
Highlights
Replaced legacy HTTP & VPN connections with mTLS-secured APIs
Wrapped SOAP endpoints in mTLS protection
Upgraded REST APIs to FAPI 1.
Read more →
24 Aug 2025
Open Banking Pilot for a Leading Canadian Bank
Client: A top-5 Canadian retail bank • Sector: Retail Banking • Region: Canada
Names and parties anonymised. Hostnames are masked for confidentiality.
Executive Summary
A major Canadian bank wanted to prove Open Banking readiness ahead of regulation.
Read more →
22 Aug 2025
Case Study: Santander UK - Open Banking DCR That Actually Works
When PingFederate didn't support UK OBUK-style Dynamic Client Registration out of the box, we built it - safely, deterministically, and auditably - and enabled Santander UK to onboard TPPs at pace.
Highlights
Custom Golang DCR microservice/plugin extending PingFederate for OBUK SSA (RFC 7591)
CBAT-style enforcement before CBAT: transport certificate checked against cnf claim
SSA persistence in PingFederate extended properties + SSA hash stored for integrity/audit
Support for UK OB DCR profile and RFC 7592-style client management semantics
Deterministic client_id strategy to prevent duplicate client sprawl
Full documentation & knowledge transfer to Santander teams
Client Overview
Santander UK needed to enable Open Banking onboarding for third-party providers (TPPs) using the UK Open Banking (OBUK) profile.
Read more →
21 Aug 2025
Case Study: Banco Santander - Delivering Open Banking at Scale
How a hybrid Apigee + PingFederate architecture enabled multi-brand Open Banking with secure mobile and web journeys, streamlined TPP onboarding, and full knowledge transfer.
Client Overview
Banco Santander, one of the world's largest retail and commercial banks, needed to evolve its digital infrastructure to meet Open Banking requirements across multiple sub-brands and customer journeys.
Read more →
12 Aug 2025
I Helped Build UK Open Banking - Here's What Canada Needs to Know
Canada is on a mandated path to introduce Open Banking to consumers. They follow in the footsteps of other jurisdictions
which have already trodden this path. Here's a timeline which compares Canada's obligations to what has already happened
in the UK.
Read more →
03 Jul 2025
TLS Certificate Expiry is Changing: Why You Must Automate Now
In less than four years, public TLS certificates will only last 47 days.
Manual renewals are dead. Automation is no longer optional. Here's what's changing and how to stay ahead.
🔐 The Timeline: Shorter and Shorter Certs
The CA/Browser Forum has formally agreed to reduce certificate lifespans incrementally.
Read more →
02 Jun 2025
DPoP, PKCE, and mTLS: Modern OAuth Defences Demystified
2 June 2025 • by Opendata Consult Ltd
Introduction
OAuth 2.0 has long been the backbone of secure API access. But as threats evolved, so did the defences. Whether
you're a fintech developer, an identity architect, or just someone who's been burned by a bad token design,
understanding how to bind, constrain, and protect tokens is key.
Read more →
09 Apr 2025
The Rise of Federation in Open Banking: Beyond DCR and Into the Future
Federation is gaining traction in Open Banking ecosystems that are looking to scale securely. In this article, we unpack what Federation is, how it differs from Dynamic Client Registration (DCR), who's adopting it, and how fintechs can get ahead of the curve.
Read more →
08 Apr 2025
Understanding Optional SSAs in FDX: DCR with and without Software Statements
In the world of Dynamic Client Registration (DCR), one acronym tends to trip up even experienced implementers: SSA.
While Open Banking specs like the UK's and Brazil's mandate Software Statement Assertions, the FDX spec takes a
different approach: SSAs are optional.
Read more →
08 Apr 2025
Dynamic Client Registration in Open Banking: UK, Brasil, and FDX Compared
Dynamic Client Registration (DCR) is a key component of Open Banking infrastructure, allowing fintechs and banks to onboard securely and automatically. But not all implementations are created equal. Here's how the UK, Brazil, and FDX differ.
Read more →
28 Mar 2025
The End of the Implicit Flow: Why OAuth 2.1 Matters for Modern Apps
28 March 2025 • by Opendata Consult Ltd
In the world of web security, it's not often that deprecating a feature is cause for celebration. But with OAuth 2.1, that's exactly what's happening. The removal of the implicit flow is one of the most significant and welcome changes in the evolution of OAuth - especially for those building modern, secure fintech apps.
Read more →
27 Mar 2025
What's New in FAPI 2.0: The Future of Open Banking Security
27 March 2025 • by Opendata Consult Ltd
With the ratification of FAPI 2.0 in early 2025, the OpenID Foundation has delivered a major update to the standards underpinning secure financial APIs.
Read more →
26 Mar 2025
Why FAPI is the Backbone of Secure Open Banking
26 March 2025 • by Opendata Consult Ltd
Open Banking has reshaped how consumers and institutions interact with financial data. At the heart of this
transformation lies the need for secure, interoperable APIs that can handle sensitive information without compromise.
Read more →
24 Mar 2025
OAuth has come a long way since its early days. In this article, we explore its evolution from OAuth 1.0 to OAuth 2.0, the rise of FAPI, and what fintech developers need to know about securing APIs in the age of Open Banking and decentralised identity.
Read more →