Financial Institution Achieves FAPI-Compliant Open Banking Platform

Overview

BankY, a forward-looking financial institution, partnered with Trevonix Technologies to design and implement a secure, standards-based Open Banking platform in line with PSD2, UK Open Banking (OBIE), and FAPI-RW specifications.

The engagement focused on enabling Dynamic Client Registration (DCR) to securely onboard Third Party Providers (TPPs), leveraging OpenID Connect (OIDC), Financial-grade API – Read/Write (FAPI-RW) security profiles, and the OB Read/Write API standard.

The solution was designed to integrate seamlessly with BankY’s existing IAM ecosystem, while ensuring regulatory compliance, strong customer authentication (SCA), and future scalability for expanding Open Banking and upcoming Open Finance capabilities.

The Challenge

BankY’s vision for an agile, compliant Open Banking framework required overcoming the following technical and regulatory hurdles:

Dynamic Client Registration Automation – Building secure DCR endpoints to automate OAuth client onboarding for TPPs in compliance with OBIE DCR API profiles.

Certificate-Based Mutual TLS Authentication – Enforcing OBIE Transport Certificates for all TPP interactions and validating Software Statement Assertions (SSAs) issued by the OB Directory.

Custom FAPI Compliance – Implementing OIDC and FAPI-RW features per:

Custom Authentication & Consent Flows – Designing PingFederate adapters for Strong Customer Authentication (SCA), including step-up MFA for high-risk payment flows.

GDPR & PSD2 Compliance – Enforcing customer data minimisation, explicit consent capture, and transaction audit logging.

High Availability & Scalability – Ensuring the IAM layer and API gateway could handle large volumes of secure TPP requests without downtime.

The Solution

Trevonix delivered a FAPI-compliant, security-hardened Open Banking platform by integrating Ping Identity, Kong Gateway, and AWS-native services, alongside custom development for PingFederate adapters and consent orchestration.

1. Dynamic Client Registration (DCR) Implementation

- Developed secure /register endpoints per OBIE DCR specification, supporting POST, GET, PUT, and DELETE operations for OAuth clients.

- Implemented custom PingFederate IdP/SP adapters for:

  • Validating SSA signatures against OB Directory JWKS endpoints.
  • Parsing SSA claims to auto-populate client metadata in PingDirectory.
  • Enforcing sector_identifier_uri and pairwise subject identifiers for privacy compliance.

- Built SSA expiry and revocation checks to block stale or invalid registrations.
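The SSA checks listed above (signature against the directory JWKS, claim parsing, expiry) and the registration rules that follow them, as an added Go example. This is not Trevonix's, BankY's or PingFederate's code: it assumes a placeholder issuer value (`DirectoryIssuer`) and uses a locally generated RSA key as a stand-in for the OB Directory's JWKS and signing key, all constructed inline. `VerifySSA` accepts only `PS256`, looks the key up by the JWT `kid`, verifies the signature before trusting any claim, and rejects wrong-issuer or expired SSAs. `CheckRegistration` then enforces two DCR rules: every requested `redirect_uri` must be in the SSA's `software_redirect_uris`, and the token endpoint authentication method must be one of the two the page describes for this platform (`private_key_jwt` for Private Key JWT, `tls_client_auth` for mTLS), a policy this example hard-codes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// DirectoryIssuer is a placeholder for the OB Directory issuer value (assumption).
const DirectoryIssuer = "https://directory.example/ob-directory"
// JWKS maps kid -> RSA public key; a real adapter fetches and caches it from the directory JWKS endpoint.
type JWKS map[string]*rsa.PublicKey
// SSAClaims is the subset of Software Statement Assertion claims checked here.
type SSAClaims struct {
	Iss                  string   `json:"iss"`
	Exp                  int64    `json:"exp"`
	SoftwareID           string   `json:"software_id"`
	SoftwareRedirectURIs []string `json:"software_redirect_uris"`
}
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} // PS256 salt length per RFC 7518
var b64 = base64.RawURLEncoding

// VerifySSA checks alg, signature (via the kid-selected JWKS key), issuer and
// expiry before any claim is trusted, then returns the parsed claims.
func VerifySSA(token string, jwks JWKS, now time.Time) (*SSAClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	body, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("JWT segments are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	pub, ok := jwks[hdr.Kid] // the token never gets to pick a weaker alg or an unknown key
	if hdr.Alg != "PS256" || !ok {
		return nil, fmt.Errorf("alg %q with kid %q not accepted", hdr.Alg, hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts); err != nil {
		return nil, errors.New("SSA signature invalid")
	}
	var c SSAClaims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.Iss != DirectoryIssuer || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("SSA from issuer %q rejected: wrong issuer or expired", c.Iss)
	}
	return &c, nil
}

// CheckRegistration applies two DCR rules to a verified SSA: every requested
// redirect_uri must be listed in software_redirect_uris, and the client must
// use one of the token endpoint authentication methods this platform permits.
func CheckRegistration(ssa *SSAClaims, redirectURIs []string, authMethod string) error {
	allowed := map[string]bool{}
	for _, u := range ssa.SoftwareRedirectURIs {
		allowed[u] = true
	}
	for _, u := range redirectURIs {
		if !allowed[u] {
			return fmt.Errorf("redirect_uri %q is not in the SSA", u)
		}
	}
	if authMethod != "private_key_jwt" && authMethod != "tls_client_auth" {
		return fmt.Errorf("token_endpoint_auth_method %q not permitted", authMethod)
	}
	return nil
}

// NewFixture generates a throwaway directory key and mints one PS256-signed SSA
// with it: constructed data standing in for a directory-issued SSA and its JWKS.
func NewFixture() (token string, jwks JWKS, exp time.Time) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	exp = time.Now().Add(time.Hour)
	claims := SSAClaims{Iss: DirectoryIssuer, Exp: exp.Unix(), SoftwareID: "tpp-example-001",
		SoftwareRedirectURIs: []string{"https://tpp.example/cb"}}
	hdr, _ := json.Marshal(map[string]string{"alg": "PS256", "typ": "JWT", "kid": "dir-key-1"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], pssOpts)
	if err != nil { panic(err) }
	return input + "." + b64.EncodeToString(sig), JWKS{"dir-key-1": &key.PublicKey}, exp
}
```

Call `NewFixture` from a `main` or a test, pass its token and JWKS to `VerifySSA`, and only hand the returned claims to `CheckRegistration`; the order matters, since a redirect URI or software ID read from an unverified SSA is attacker-controlled input. Note that a real /register endpoint would also persist the resulting client (the page does this in PingDirectory) and re-check revocation on each use.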

2. Ping Identity Integration

- PingFederate configured as the OAuth 2.0 Authorization Server with full FAPI-RW compliance, enforcing:

  • mTLS-bound access tokens.
  • JARM (JWT Secured Authorization Response Mode) for authorization responses.
  • PAR (Pushed Authorization Requests) for pre-registration of authorisation parameters.
  • Private Key JWT client authentication for token endpoint calls.

- PingDirectory used as the centralised TPP metadata store with schema extensions for Open Banking attributes.

- PingOne MFA integrated into consent flows for SCA, delivering OTP via SMS/email and app push.

3. Gateway and API Management

- Kong API Gateway deployed in front of AISP, PISP, and consent microservices.

- Enforced mTLS at the gateway level with certificate pinning against OBIE Transport Certs.

- Implemented rate-limiting, IP allowlisting, and fine-grained scopes for API endpoints.
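The mTLS-bound access tokens from section 2 are only as strong as the check the gateway in section 3 performs on each request. The following Go example, added here and not Kong's, Ping's or the project's code, implements that check as RFC 8705 describes it: the authorization server places the SHA-256 thumbprint of the client's transport certificate in the token's `cnf.x5t#S256` claim, and the gateway compares it with the certificate actually presented on the mTLS connection. It assumes the token's signature has already been verified upstream (so only the claim set is passed in) and uses a self-signed certificate, constructed inline, as a stand-in for an OBIE transport certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Thumbprint computes the x5t#S256 confirmation value for a DER certificate:
// base64url(SHA-256(DER)) without padding, as defined in RFC 8705.
func Thumbprint(der []byte) string {
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AccessTokenClaims is the claim subset the gateway needs once the token's
// signature has been verified (assumed done upstream against the AS JWKS).
type AccessTokenClaims struct {
	Sub   string `json:"sub"`
	Scope string `json:"scope"`
	Exp   int64  `json:"exp"`
	Cnf   struct {
		X5tS256 string `json:"x5t#S256"`
	} `json:"cnf"`
}

// CheckBinding accepts the request only if the token is unexpired, carries a
// cnf.x5t#S256 binding, and that binding matches the client certificate the
// TLS layer presented. A token without a binding is rejected outright, so a
// bearer token leaked from a TPP cannot be replayed from another connection.
func CheckBinding(claimsJSON []byte, presented *x509.Certificate, now time.Time) (*AccessTokenClaims, error) {
	var c AccessTokenClaims
	if err := json.Unmarshal(claimsJSON, &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("access token expired")
	}
	if c.Cnf.X5tS256 == "" {
		return nil, errors.New("token is not certificate-bound (no cnf.x5t#S256)")
	}
	if presented == nil {
		return nil, errors.New("no client certificate on the mTLS connection")
	}
	if Thumbprint(presented.Raw) != c.Cnf.X5tS256 {
		return nil, errors.New("presented certificate does not match the token binding")
	}
	return &c, nil
}

// NewTestCert builds a self-signed certificate as a constructed stand-in for a
// TPP transport certificate; a real deployment requires one issued by the OB Directory.
func NewTestCert(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// MintClaims builds the claim set an authorization server would place in a token
// bound to cert (constructed; the AS would additionally sign it as a JWT).
func MintClaims(sub, scope string, cert *x509.Certificate, exp time.Time) []byte {
	var c AccessTokenClaims
	c.Sub, c.Scope, c.Exp = sub, scope, exp.Unix()
	c.Cnf.X5tS256 = Thumbprint(cert.Raw)
	out, err := json.Marshal(&c)
	if err != nil {
		panic(err)
	}
	return out
}

func main() {
	tpp := NewTestCert("tpp-example")
	claims := MintClaims("psu-123", "accounts", tpp, time.Now().Add(time.Hour))
	fmt.Println(CheckBinding(claims, tpp, time.Now()))
	fmt.Println(CheckBinding(claims, NewTestCert("someone-else"), time.Now()))
}
```

In a gateway plugin the `presented` certificate comes from the TLS connection state (the peer certificate chain's leaf), never from a header the client can set; if the gateway terminates TLS and forwards the certificate to a backend, the backend must only trust that header on a connection that the gateway itself authenticated.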

4. Compliance Alignment

- Mapped implementation to FAPI Part 1 and Part 2 to ensure cryptographic, client authentication, and payload signing requirements were met.

- Captured consent transaction records in an immutable audit store for GDPR and PSD2 traceability.

5. Cloud-Native Deployment

- Containerised all IAM and API gateway components and deployed to AWS EKS.

- Used AWS ALB + WAF for ingress control and protection against common web exploits.

- Implemented multi-AZ HA clustering for PingFederate and PingDirectory.

The Outcome

The Open Banking implementation enabled BankY to:

- Programmatically onboard TPPs via a secure, OBIE-compliant DCR API.
- Achieve end-to-end FAPI-RW compliance for both AISPs and PISPs.
- Ensure Strong Customer Authentication through adaptive MFA and custom consent workflows.
- Reduce onboarding timelines by eliminating manual client registration.
- Securely transmit financial data using mTLS-bound, signed JWT access tokens.
- Scale horizontally to accommodate future Open Finance use cases.

The Platforms

PingFederate – OAuth 2.0 Authorization Server, FAPI-RW enforcement, SSA validation, JARM

PingDirectory – Centralised identity and TPP metadata storage with custom Open Banking attributes

PingOne MFA – Multi-factor authentication for SCA

Kong API Gateway – mTLS enforcement, rate-limiting, and secure API exposure for AIS/PIS services

Open Banking Read/Write API – OBIE specification-compliant endpoint design

FAPI-RW Part 1 & Part 2 – Implemented advanced security profiles for financial data protection

AWS EKS – Container orchestration, HA clustering, and secure ingress via ALB + WAF
