OpenBankingScopes — PSD2 / Open Banking OAuth Scope Audit
22 PSD2 / Open Banking OAuth grants audited across three roles: AISP (account information), PISP (payment initiation) and CBPII (card-based payment instrument issuer). Per grant: scope, 90-day reconfirmation status (RTS on SCA), SCA exemptions used, FAPI 2.0 conformance. Surfaces 4 grants past the 90-day reconfirmation, 2 with insufficient SCA and 1 on deprecated FAPI 1.0.
What it is
The scope-audit register for open-banking integrations. PSD2 + RTS on SCA + Common Standards drive complex per-grant rules.
What’s in it
- 22 grants across UK (HSBC, Barclays, Lloyds, NatWest, Monzo, Starling, Revolut), EU (Deutsche Bank, BNP Paribas, Santander, ING), TPP aggregators (TrueLayer, Tink, Yapily), US (Plaid, MX), and CBPII (Amex)
- Per grant: AISP/PISP/CBPII role, scope, grant age, 90-day reconfirmation status, SCA exemption used, FAPI conformance
- Surfaces FAPI 1.0 legacy grants (Santander) + insufficient-SCA cases + multi-bank aggregator coordination
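The per-grant checks listed above, sketched as an added example (not the tool's own code). The field names, the grant records and the rule that "insufficient SCA" means neither SCA nor an exemption was recorded are assumptions made for illustration; a missing reconfirmation date is flagged rather than silently passed.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Returns the list of findings for one grant record (hypothetical schema).
function auditGrant(grant, now, maxAgeDays = 90) {
  const findings = [];
  const last = Date.parse(grant.lastReconfirmed); // NaN if absent or malformed
  if (Number.isNaN(last)) {
    // Fail closed: NaN comparisons are always false, so an unchecked
    // missing date would otherwise look like a fresh grant.
    findings.push("reconfirmation-date-missing");
  } else if (last > now.getTime()) {
    findings.push("reconfirmation-date-in-future");
  } else if (Math.floor((now.getTime() - last) / DAY_MS) > maxAgeDays) {
    findings.push("reconfirmation-overdue");
  }
  // Assumed rule: no SCA performed and no exemption recorded.
  if (!grant.scaPerformed && !grant.scaExemption) findings.push("insufficient-sca");
  if (grant.fapi === "1.0") findings.push("fapi-1.0-deprecated");
  else if (grant.fapi !== "2.0") findings.push("fapi-unknown");
  return findings;
}

// Keeps only the grants that have at least one finding.
function auditRegister(grants, now) {
  return grants
    .map((g) => ({ id: g.id, findings: auditGrant(g, now) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample records; ids are placeholders, not real integrations.
const AUDIT_NOW = new Date("2025-06-30T00:00:00Z");
const SAMPLE_GRANTS = [
  { id: "grant-a", role: "AISP", lastReconfirmed: "2025-06-01",
    scaPerformed: true, scaExemption: null, fapi: "2.0" },
  { id: "grant-b", role: "AISP", lastReconfirmed: "2025-03-01",
    scaPerformed: true, scaExemption: null, fapi: "2.0" },
  { id: "grant-c", role: "PISP", lastReconfirmed: "2025-06-20",
    scaPerformed: false, scaExemption: null, fapi: "2.0" },
  { id: "grant-d", role: "PISP", lastReconfirmed: "2025-06-10",
    scaPerformed: false, scaExemption: "low-value", fapi: "1.0" },
  { id: "grant-e", role: "CBPII",
    scaPerformed: true, scaExemption: null, fapi: "2.0" },
];

console.log(auditRegister(SAMPLE_GRANTS, AUDIT_NOW));
```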
Why this shape
PSD2 Reg (EU) 2015/2366, the RTS on SCA and the Common Standards on Communication require a strict 90-day reconfirmation cadence. FAPI 2.0 (Financial-grade API) is the modern security profile. CFPB §1033 (US) introduces parallel obligations for US open banking.
How it ships
Single HTML file, ~12KB. Zero dependencies. 22 grants × per-grant FAPI/SCA/reconfirmation in 100 lines of vanilla JavaScript.