managing-open-banking-integration
Structures open banking API integration with data sharing, consent management, and security requirements. Use when implementing open banking, managing API integrations, or evaluating data sharing frameworks.
Best use case
managing-open-banking-integration is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Structures open banking API integration with data sharing, consent management, and security requirements. Use when implementing open banking, managing API integrations, or evaluating data sharing frameworks.
Teams using managing-open-banking-integration should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/managing-open-banking-integration/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How managing-open-banking-integration Compares
| Feature / Agent | managing-open-banking-integration | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Structures open banking API integration with data sharing, consent management, and security requirements. Use when implementing open banking, managing API integrations, or evaluating data sharing frameworks.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Managing Open Banking Integration ## When To Use - Onboarding a new third-party provider (TPP) or data aggregator that needs API access to customer accounts - Evaluating or upgrading an existing open banking platform (e.g., migrating from screen-scraping to API-based access) - Preparing for regulatory compliance under PSD2, Open Banking Standard (UK), Consumer Data Right (AU), or CFPB Section 1033 (US) [VERIFY jurisdiction-specific framework] - Designing or auditing the consent lifecycle for customer-permissioned data sharing - Coordinating multi-party integration across account-servicing payment service providers (ASPSPs), payment initiation service providers (PISPs), and account information service providers (AISPs) ## Inputs To Gather - **Regulatory scope**: Applicable open banking regime and mandatory API standards (Berlin Group NextGenPSD2, UK OBIE, FDX, etc.) [VERIFY which standard governs the target market] - **API specification**: Target version of the open banking API spec, supported endpoints (AIS, PIS, CBPII), and sandbox/production URLs - **TPP registry entries**: Provider eIDAS certificates or registry status (e.g., FCA register, national competent authority directory) [VERIFY registry source] - **Consent parameters**: Data clusters to be shared (account balances, transaction history, standing orders), consent duration, and re-authorization cadence - **Current architecture**: Existing core banking APIs, middleware/gateway stack, authentication protocols (OAuth 2.0 / FAPI profile), and token management approach - **Security posture**: TLS requirements, certificate pinning policy, mutual TLS (mTLS) configuration, and penetration test schedules - **Customer experience flows**: Screen mockups or journey maps for consent grant, dashboard management, and consent revocation ## Workflow 1. **Scope the integration** - Identify participating roles: ASPSP, AISP, PISP, CBPII provider - Confirm regulatory classification of each party and required permissions [VERIFY license/registration status of each TPP] - Define data-sharing perimeter: which account types, data fields, and payment rails are in scope 2. **Map the consent lifecycle** - Design the Strong Customer Authentication (SCA) flow for initial consent grant (redirect vs. decoupled vs. embedded approach) - Define consent object attributes: permissions requested, expiration policy, frequency-of-access limits - Specify re-authorization triggers (90-day SCA renewal under PSD2 RTS, or equivalent) [VERIFY re-auth cadence per local regulation] - Document revocation paths: customer-initiated (dashboard, call center), TPP-initiated, and ASPSP-initiated 3. **Configure API gateway and security layer** - Register TPP client credentials; validate eIDAS QWAC/QSeal certificates or equivalent [VERIFY certificate scheme] - Implement OAuth 2.0 authorization code flow with PKCE; enforce FAPI 1.0 Advanced or FAPI 2.0 profile if required - Enable mTLS between TPP and ASPSP; configure certificate rotation schedules - Set rate limits, throttling tiers, and error-response standards per API specification 4. **Build and test data-sharing endpoints** - Implement account information endpoints (GET /accounts, GET /transactions, GET /balances) conforming to target spec - Implement payment initiation endpoints if PIS is in scope (POST /payments, GET /payment-status) - Validate response payloads against official schema validators (e.g., OBIE Conformance Suite, Berlin Group test harness) - Run functional, performance, and negative-path test suites in sandbox before production cutover 5. **Establish operational monitoring** - Instrument API availability and latency dashboards; define SLA thresholds (e.g., 99.5% uptime, <500 ms P95 latency) [VERIFY SLA commitments per regulatory mandate] - Set up alerting for consent anomalies: unusual spike in consent grants, bulk revocations, or repeated SCA failures - Create incident-response runbook for data-breach scenarios involving shared account data - Schedule quarterly TPP access reviews and annual penetration tests 6. **Compile integration report** - Summarize integration status per TPP: onboarded, in testing, blocked, decommissioned - Document outstanding issues, dependency risks, and remediation timelines - Include consent analytics: active consent volume, revocation rates, re-authorization success rates - Flag items requiring escalation to compliance, information security, or executive stakeholders ## Output The deliverable is a **Management Report** containing: - **Integration status matrix**: TPP name, role (AISP/PISP/CBPII), onboarding stage, go-live date, and current health status - **Consent lifecycle summary**: Flow diagrams, consent duration policies, re-authorization schedule, and revocation statistics - **Security configuration record**: Authentication profile, certificate details, mTLS status, rate-limit settings, and last penetration test date - **API performance dashboard snapshot**: Uptime percentage, latency percentiles, error rates, and SLA compliance - **Risk and issue log**: Open items with severity, owner, and target resolution date - **Recommendations**: Next-phase integrations, spec version upgrades, or regulatory changes requiring action ## Quality Checks - Every TPP listed has a verified registration/license entry in the applicable regulatory directory [VERIFY] - Consent flows comply with SCA requirements for the governing regulation; 90-day re-auth rule addressed if PSD2 applies [VERIFY] - API responses validated against the official schema; no undocumented fields exposed - Security configuration meets or exceeds FAPI profile requirements; mTLS enforced for all production traffic - Rate limits and error codes align with the published API specification - Report includes no inferred compliance statuses — any unconfirmed item is marked [VERIFY] - Customer-facing consent language reviewed for clarity and completeness (plain-language requirement under most regimes) [VERIFY]