TPP Registration
Register your Third-Party Provider (TPP) application using Dynamic Client Registration (DCR). Requirements vary by region; select your jurisdiction below.
Select Your Region
Open Banking regulations differ by region. Select your jurisdiction to see specific requirements:
🇬🇧 United Kingdom
The UK was a pioneer in Open Banking, mandated by the Competition and Markets Authority (CMA) in 2016.
Regulatory Framework
Regulator
Financial Conduct Authority (FCA)
Authorizes and supervises TPPs
Directory
Open Banking Implementation Entity (OBIE)
Issues SSAs and maintains TPP registry
Security Profile
FAPI 1.0 Advanced
Mandatory for all production TPPs
Certificates
OBWAC / OBSEAL
eIDAS-equivalent certificates from OBIE
TPP Roles
| Role | Full Name | FCA Registration | APIs Available |
|---|---|---|---|
| AISP | Account Information Service Provider | Required | Accounts, Balances, Transactions, Standing Orders, Direct Debits |
| PISP | Payment Initiation Service Provider | Required | Domestic Payments, International Payments, Standing Orders |
| CBPII | Card-Based Payment Instrument Issuer | Required | Funds Confirmation |
Prerequisites
FCA Authorization
Register with the FCA as a Payment Institution or Electronic Money Institution
OBIE Directory Enrollment
Enroll in the Open Banking Directory at directory.openbanking.org.uk
Transport Certificates
Obtain OBWAC (transport) and OBSEAL (signing) certificates
Software Statement
Generate an SSA from the OBIE Directory for your software
OBIE Directory
| Environment | Directory URL | JWKS Endpoint |
|---|---|---|
| Production | directory.openbanking.org.uk | keystore.openbanking.org.uk/keystore/openbanking.jwks |
| Sandbox | directory.openbankingtest.org.uk | keystore.openbankingtest.org.uk/keystore/openbanking.jwks |
UK Transition
The UK Open Banking ecosystem is transitioning to a new entity. Existing OBIE registrations remain valid during the transition period.
🇪🇺 European Union
PSD2 (Payment Services Directive 2) mandates Open Banking across all EU member states.
Regulatory Framework
Regulation
PSD2 (EU) 2015/2366
Payment Services Directive 2
Technical Standards
Berlin Group NextGenPSD2
Common API specification
Security Profile
FAPI 1.0 Advanced
Required by EBA RTS on SCA
Certificates
QWAC / QSEAL
eIDAS qualified certificates
TPP Roles
| Role | PSD2 Term | NCA Authorization | APIs Available |
|---|---|---|---|
| AISP | Account Information Service Provider | Registration | Accounts, Balances, Transactions |
| PISP | Payment Initiation Service Provider | Authorization | Payment Initiation (SEPA, Instant, Cross-border) |
| PIISP | Payment Instrument Issuing Service Provider | Authorization | Funds Confirmation |
Prerequisites
NCA Authorization
Obtain authorization/registration from your National Competent Authority (BaFin, ACPR, DNB, etc.)
eIDAS Certificates
Obtain QWAC and QSEAL certificates from a qualified trust service provider (QTSP)
EBA Register Entry
Verify your organization appears in the EBA's public register of payment institutions
Passporting
If operating cross-border, ensure passporting notifications are complete
eIDAS Certificate Requirements
| Certificate Type | OID | Purpose | Required Fields |
|---|---|---|---|
| QWAC | 0.4.0.19495.3.1 | TLS client authentication | organizationIdentifier, PSD2 roles |
| QSEAL | 0.4.0.19495.3.2 | Message signing | organizationIdentifier, PSD2 roles |
The organizationIdentifier must follow the format PSDXX-NCA-NNNNNN (e.g., PSDDE-BAFIN-123456).
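A check of the two required certificate fields, added here as an example and not taken from Hamster Bank's code. It assumes the organizationIdentifier and role list were already extracted from a certificate validated elsewhere; the regular expression's character classes, the `PSP_*` role names (from ETSI TS 119 495) and all function names are assumptions, not values from this page.

```python
import re
from typing import NamedTuple

# Page format: PSDXX-NCA-NNNNNN, e.g. PSDDE-BAFIN-123456.
# Assumptions: XX is a two-letter country code, NCA is 2-8 uppercase letters,
# and the trailing PSP identifier is alphanumeric.
ORG_ID_RE = re.compile(r"PSD([A-Z]{2})-([A-Z]{2,8})-([A-Za-z0-9]+)")

# PSD2 role names carried in certificates (ETSI TS 119 495), keyed by the
# TPP roles in the page's EU table.
CERT_ROLE_FOR = {"AISP": "PSP_AI", "PISP": "PSP_PI", "PIISP": "PSP_IC"}


class OrgId(NamedTuple):
    country: str
    nca: str
    psp_id: str


def parse_org_id(value: str) -> OrgId:
    """Split an organizationIdentifier into country, NCA and PSP identifier."""
    match = ORG_ID_RE.fullmatch(value)
    if match is None:
        raise ValueError(f"not a PSD2 organizationIdentifier: {value!r}")
    return OrgId(*match.groups())


def check_certificate_fields(org_identifier, cert_roles, requested_role):
    """Return a list of problems; an empty list means the fields are acceptable.

    Inputs are fields already extracted from a certificate whose chain and
    qualified status were validated elsewhere (hypothetical caller).
    """
    try:
        parse_org_id(org_identifier)
    except ValueError as exc:
        return [str(exc)]
    needed = CERT_ROLE_FOR.get(requested_role)
    if needed is None:
        return [f"unknown TPP role: {requested_role}"]
    if needed not in cert_roles:
        return [f"certificate lacks {needed}, required for {requested_role}"]
    return []


# Constructed sample: the page's example identifier with an AISP-only role set.
SAMPLE_CERT = {"organizationIdentifier": "PSDDE-BAFIN-123456", "roles": ["PSP_AI"]}
```
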
No Central Directory
Unlike the UK, the EU does not have a central directory. TPP validation uses eIDAS certificates directly. We validate certificates against the European Commission's trusted list.
🇺🇸 United States
Section 1033 of the Dodd-Frank Act establishes consumer data access rights, with FDX providing technical standards.
Regulatory Framework
Regulation
Dodd-Frank Section 1033
Consumer Financial Protection Act
Regulator
CFPB
Consumer Financial Protection Bureau
Technical Standard
FDX API
Financial Data Exchange specification
Security Profile
OAuth 2.0 + PKCE
Standard OAuth with security extensions
Data Recipient Types
| Type | Description | Requirements | APIs Available |
|---|---|---|---|
| Data Recipient | Accesses consumer financial data | FDX certification | Accounts, Balances, Transactions |
| Data Aggregator | Aggregates data on behalf of recipients | FDX certification + agreements | All read APIs |
| Payment Initiator | Initiates payments | State licenses may apply | Payment Initiation (ACH, Wires) |
Prerequisites
FDX Membership
Join Financial Data Exchange (financialdataexchange.org) as a certified member
Security Assessment
Complete FDX security certification and assessment
Data Agreement
Execute bilateral data access agreement with Hamster Bank
State Licensing
If initiating payments, ensure compliance with state money transmission laws
US-Specific Registration
US registration differs from other regions; no SSA is required. Instead:
{
  "fdx_member_id": "FDX-12345",
  "redirect_uris": ["https://app.example.com/callback"],
  "token_endpoint_auth_method": "private_key_jwt",
  "grant_types": ["authorization_code", "refresh_token"],
  "region": "us",
  "data_recipient_type": "data_recipient",
  "contact_email": "api@example.com"
}
Section 1033 Implementation
CFPB's Section 1033 rulemaking is ongoing. Requirements may evolve. We currently support FDX 5.x APIs with OAuth 2.0 + PKCE.
🇦🇺 Australia
The Consumer Data Right (CDR) is a government-led data portability framework starting with banking.
Regulatory Framework
Regulation
Consumer Data Right (CDR)
Treasury Laws Amendment Act 2019
Accreditor
ACCC
Australian Competition & Consumer Commission
Technical Standard
CDR Data Standards
data.gov.au/cdr
Security Profile
FAPI 1.0 Advanced
Mandatory for all ADRs
CDR Participant Types
| Type | Full Name | ACCC Accreditation | APIs Available |
|---|---|---|---|
| ADR | Accredited Data Recipient | Full accreditation | All banking data APIs |
| ADR-A | ADR Acting as Agent | Sponsored | Via sponsoring ADR |
| CDR Rep | CDR Representative | Principal arrangement | Limited to principal's consent |
Prerequisites
ACCC Accreditation
Apply for accreditation via the CDR Register (cdr.gov.au)
Insurance Requirements
Obtain professional indemnity insurance (minimum $5M)
Security Assessment
Complete IRAP assessment or equivalent
CDR Register Entry
Receive your ADR Brand ID and Software Product ID
CDR Register
| Environment | Register URL | JWKS Endpoint |
|---|---|---|
| Production | register.cdr.gov.au | api.cdr.gov.au/cdr-register/.well-known/jwks |
| Sandbox | register.sandbox.cdr.gov.au | api.sandbox.cdr.gov.au/cdr-register/.well-known/jwks |
CDR Software Statement
Australian SSAs use CDR-specific claims:
{
  "iss": "cdr-register",
  "iat": 1702512000,
  "exp": 1734048000,
  "org_id": "adr-brand-id-123",
  "org_name": "Example Fintech Pty Ltd",
  "software_id": "software-product-id-456",
  "software_roles": ["data-recipient-software-product"],
  "scope": "openid bank:accounts.basic:read bank:transactions:read",
  "redirect_uris": ["https://app.example.com.au/callback"],
  "jwks_uri": "https://app.example.com.au/.well-known/jwks"
}
CDR Expansion
CDR is expanding beyond banking to energy and telecommunications. Your ADR accreditation covers all CDR sectors.
🇳🇿 New Zealand
New Zealand operates a voluntary, industry-led Open Banking framework through Payments NZ.
Regulatory Framework
Framework
Voluntary Industry-Led
No mandatory regulation
Standards Body
Payments NZ
API Centre standards
Technical Standard
NZ Banking API Standard
Based on UK OBIE
Security Profile
FAPI 1.0 Advanced
Recommended but not mandatory
Participant Types
| Type | Description | Requirements | APIs Available |
|---|---|---|---|
| API Consumer | Third party accessing bank APIs | API Centre membership | Accounts, Balances, Transactions |
| Payment Initiator | Initiates payments via API | API Centre + bank agreement | Domestic Payments, Enduring Payments |
Prerequisites
API Centre Membership
Join Payments NZ API Centre (apicentre.paymentsnz.co.nz)
Bilateral Agreement
Execute API access agreement with participating banks
Technical Onboarding
Complete technical onboarding with each bank
Security Review
Pass security assessment (requirements vary by bank)
NZ Registration Approach
New Zealand uses a hybrid approach. You can register via:
Option 1: SSA-based (Recommended)
If you have an SSA from the API Centre or another recognized directory, use standard DCR.
Option 2: Direct Registration
For API Centre members without an SSA, register directly with your membership credentials.
NZ-Specific: Enduring Payment Consent
New Zealand supports Enduring Payment Consent for recurring variable payments, a consent type unique to NZ:
{
  "type": "enduring-payment",
  "frequency": "Monthly",
  "maximum_amount": {
    "amount": "500.00",
    "currency": "NZD"
  },
  "from_date": "2024-01-01",
  "to_date": "2025-01-01",
  "debtor_account": {
    "scheme": "NZ.BECS",
    "identification": "01-1234-1234567-00"
  }
}
Voluntary Framework
As NZ Open Banking is voluntary, not all banks participate. Check our supported banks list for coverage.
Registration Endpoint
Regardless of region, all TPPs use the same DCR endpoint. The request format adapts based on your regulatory framework:
/register - Register a new TPP client using your Software Statement Assertion or registration token.
Request
{
  "software_statement": "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9...",
  "redirect_uris": [
    "https://tpp.example.com/callback"
  ],
  "token_endpoint_auth_method": "private_key_jwt",
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ],
  "response_types": ["code"],
  "region": "uk"
}
Response
{
  "client_id": "550e8400-e29b-41d4-a716-446655440000",
  "client_id_issued_at": 1702512000,
  "registration_access_token": "reg_abc123...",
  "registration_client_uri": "/register/550e8400-...",
  "redirect_uris": ["https://tpp.example.com/callback"],
  "scope": "openid accounts transactions",
  "token_endpoint_auth_method": "private_key_jwt",
  "organisation_name": "Example TPP Ltd",
  "roles": ["AISP"],
  "region": "uk"
}
Client Authentication Methods
Supported authentication methods vary with each region's security requirements:
| Method | UK | EU | US | AU | NZ | Security Level |
|---|---|---|---|---|---|---|
| private_key_jwt | Required | Required | Optional | Required | Optional | FAPI |
| tls_client_auth | Required | Required | - | Required | Optional | FAPI |
| client_secret_jwt | - | - | Optional | - | Optional | OAuth 2.0 |
| client_secret_basic | - | - | Legacy | - | Legacy | Legacy |
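For the private_key_jwt method in the table above, this added example (not Hamster Bank's code) shows the claims a client assertion must carry by way of the checks an authorization server applies after verifying the signature. The claim rules come from RFC 7523; the 300-second lifetime cap, the in-memory replay set and the function name are assumptions.

```python
import time

TOKEN_ENDPOINT = "https://auth.hamsterbank.ai/token"  # from the page's curl example
MAX_LIFETIME = 300  # seconds; assumed server policy, not stated on the page


def check_assertion_claims(claims, client_id, seen_jti, now=None):
    """Check the payload of a client assertion whose signature already verified.

    Returns a list of rejection reasons; an empty list means accept.
    seen_jti is a set here; a real server would use a store with expiry.
    """
    now = int(time.time()) if now is None else now
    reasons = []
    # RFC 7523: for client authentication, iss and sub are both the client_id.
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        reasons.append("iss and sub must equal client_id")
    # aud may be a string or a list; it has to name this token endpoint.
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        reasons.append("aud does not name the token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        reasons.append("exp missing or in the past")
    elif exp - now > MAX_LIFETIME:
        reasons.append("lifetime too long")
    jti = claims.get("jti")
    if not jti:
        reasons.append("jti missing")
    elif jti in seen_jti:
        reasons.append("jti replayed")
    if not reasons:
        seen_jti.add(jti)  # record only assertions that were accepted
    return reasons


# Constructed sample, using the client_id from the page's registration response.
NOW = 1702512000
CLIENT_ID = "550e8400-e29b-41d4-a716-446655440000"
SAMPLE_ASSERTION = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT,
                    "jti": "constructed-jti-0001", "iat": NOW, "exp": NOW + 60}
```
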
private_key_jwt (Recommended)
Client authenticates by signing a JWT with its private key. Required for FAPI compliance.
curl -X POST "https://auth.hamsterbank.ai/token" \
  -d "grant_type=authorization_code" \
  -d "code={auth_code}" \
  -d "redirect_uri=https://tpp.example.com/callback" \
  -d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
  -d "client_assertion={signed_jwt}"
tls_client_auth (FAPI)
Client authenticates via mutual TLS. Requires QWAC (UK/EU) or CDR certificate (AU).
curl -X POST "https://auth.hamsterbank.ai/token" \
  --cert client.crt \
  --key client.key \
  -d "grant_type=authorization_code" \
  -d "code={auth_code}" \
  -d "client_id={client_id}"
Managing Your Registration
After registration, use your registration_access_token to manage your client:
/register/{clientId} - Retrieve your current registration details
/register/{clientId} - Update registration (e.g., add redirect URIs)
/register/{clientId} - Delete your registration (cannot be undone)
Keep Your Token Safe
Store the registration_access_token securely. It cannot be recovered; if lost, you'll need to re-register.
Error Responses
| Error Code | HTTP Status | Description |
|---|---|---|
| invalid_software_statement | 400 | SSA is malformed, expired, or signature verification failed |
| invalid_redirect_uri | 400 | Requested redirect URI not in SSA |
| duplicate_registration | 409 | Software ID already registered |
| unsupported_region | 400 | Region not supported or invalid regulatory framework |
| certificate_mismatch | 400 | mTLS certificate doesn't match SSA organization |
| access_denied | 403 | Organization status is not active in directory |
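A pre-flight check a TPP can run before calling /register, covering the two SSA-related codes in the table above. This is an added example, not Hamster Bank's code. It assumes the SSA lists its URIs under `redirect_uris` as in the CDR sample and that only the FAPI 1.0 Advanced algorithms PS256 and ES256 are accepted; the function names are hypothetical.

```python
import base64
import json
import time

ALLOWED_ALGS = {"PS256", "ES256"}  # signing algorithms permitted by FAPI 1.0 Advanced


def b64url_encode(obj) -> str:
    """Encode a dict as an unpadded base64url JWT segment (sample building only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def b64url_json(segment: str) -> dict:
    """Decode one JWT segment; raise ValueError on anything but a JSON object."""
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    value = json.loads(raw)
    if not isinstance(value, dict):
        raise ValueError("JWT segment is not a JSON object")
    return value


def preflight(request: dict, now=None) -> list:
    """Return error codes from the table above that the request would trigger.

    Reads the SSA without verifying its signature: this is a client-side
    sanity check, not a substitute for the server's verification.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, _sig = request["software_statement"].split(".")
        header, claims = b64url_json(header_b64), b64url_json(payload_b64)
    except (KeyError, ValueError, AttributeError):
        return ["invalid_software_statement"]
    errors = []
    exp = claims.get("exp")
    if header.get("alg") not in ALLOWED_ALGS or not isinstance(exp, (int, float)) or exp <= now:
        errors.append("invalid_software_statement")
    requested = request.get("redirect_uris") or []
    if not requested or not set(requested) <= set(claims.get("redirect_uris", [])):
        errors.append("invalid_redirect_uri")
    return errors


# Constructed sample: claims shaped like the page's CDR SSA, with a dummy signature.
SAMPLE_CLAIMS = {"iss": "cdr-register", "iat": 1702512000, "exp": 1734048000,
                 "software_id": "software-product-id-456",
                 "redirect_uris": ["https://app.example.com.au/callback"]}
SAMPLE_SSA = ".".join([b64url_encode({"alg": "PS256", "typ": "JWT"}),
                       b64url_encode(SAMPLE_CLAIMS), "c2lnbmF0dXJl"])
```
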