OpenBanking Gateway — PSD2 Open Banking API Compliance Suite
Regulatory compliance testing suite for open banking APIs validating PSD2 directive requirements, SCA authentication flows, and FAPI security profile across 10 bank integrations.
Manual and Automation QA Engineer
OVERVIEW
A European open banking FinTech platform connecting to 10 major bank APIs under PSD2 regulatory requirements. My focus was on PSD2 endpoint compliance validation, Strong Customer Authentication (SCA) challenge flow testing, customer consent lifecycle management, account data accuracy across integrations, and FAPI 1.0 security profile verification.
TECH STACK
THE CHALLENGE
A European FinTech building on open banking APIs needed automated PSD2 regulatory compliance validation that no standard testing tool provided. Manual compliance audits cost €15K per cycle and were performed only once per year, leaving the company vulnerable to regulatory violations and API connection failures across multiple bank connectors.
METHODOLOGY
Designed and executed comprehensive PSD2 compliance testing covering all regulatory requirements, Strong Customer Authentication flows, customer consent lifecycle management, account data reconciliation across 10 bank connectors, and FAPI 1.0 security profile enforcement with automated pre-deployment validation.
TEST STRATEGY
Collaborated with compliance, legal, and product teams to map all PSD2 requirements to automated test scenarios. Created REST Assured test suite covering 50+ PSD2 endpoints with explicit requirement traceability. Implemented SCA challenge-response simulation testing with OTP/biometric validation flows. Built customer consent workflow tests validating grant, revoke, and renewal across bank integrations. Set up Postman monitors for continuous compliance checking across 10 bank APIs. Integrated OWASP ZAP for FAPI security profile validation. Created regulatory audit trail reporting with requirement coverage matrix.
AUTOMATION PIPELINE
Integrated PSD2 compliance tests into GitHub Actions CI/CD pipeline running on every deployment. SCA flow tests execute against each bank's sandbox environment in parallel. Consent lifecycle tests validate against 10 bank connectors simultaneously. FAPI security profile scan runs with automated failure gates on critical violations. Daily compliance report generated showing PSD2 requirement coverage %, bank connector status, and SCA latency metrics. Monthly audit trail export for regulatory submissions.
IMPACT METRICS
PSD2 Compliance Testing Coverage
Annual compliance audits; regulatory violations discovered in production
Weekly automated compliance validation across 50+ PSD2 endpoints
Audit Frequency
5100%PSD2 Endpoints Tested
614%Regulatory Violations
100%Time to Remediate
89%SCA Challenge Flow Automation & Security
SCA flows tested manually across 1-2 methods; challenges not validated
All SCA methods tested automatically with 99.8% success rate validation
SCA Methods Tested
167%SCA Success Rate
17%SCA Bypass Vulnerabilities
100%Challenge Latency
Bank Connector Integration & Data Accuracy
Integration with 2 banks tested manually; data mismatches discovered by customers
All 10 major EU banks tested automatically with 100% data reconciliation
Bank Connectors Tested
400%Data Accuracy Rate
5%Account Sync Issues
100%Test Coverage
67%CODE SAMPLES
PSD2 SCA Challenge Flow Automation
Validate Strong Customer Authentication flows across TOTP, SMS, and biometric methods
import io.restassured.RestAssured;
import io.restassured.response.Response;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import static org.hamcrest.Matchers.*;
public class PSD2SCAFlowTest {
private static final String BASE_URL = "https://api.sandbox.bank.com/psd2";
private static final String CLIENT_ID = System.getenv("PSD2_CLIENT_ID");
private static final String CLIENT_SECRET = System.getenv("PSD2_CLIENT_SECRET");
@ParameterizedTest
@ValueSource(strings = {"totp", "sms", "biometric"})
public void testSCAChallenge(String scaMethod) {
// Step 1: Initiate payment requiring SCA
Response initiateResponse = RestAssured
.given()
.header("Authorization", getBearerToken())
.header("X-Request-ID", generateRequestId())
.contentType("application/json")
.body("{\"amount\": 100.00, \"currency\": \"EUR\", \"creditor\": \"MERCHANT123\"}")
.when()
.post("/v1/payments/sepa-credit-transfers")
.then()
.statusCode(201)
.body("transactionStatus", equalTo("RCVD"))
.body("_links.startAuthorisation.href", notNullValue())
.extract()
.response();
String authorizationId = initiateResponse.jsonPath().getString("authorisationId");
String startAuthLink = initiateResponse.jsonPath().getString("_links.startAuthorisation.href");
// Step 2: Start authorization and request SCA challenge
Response authStartResponse = RestAssured
.given()
.header("Authorization", getBearerToken())
.header("X-Request-ID", generateRequestId())
.body("{\"scaMethod\": \"\" + scaMethod + "\"}")
.contentType("application/json")
.when()
.post(startAuthLink)
.then()
.statusCode(200)
.body("chosenScaMethod", equalTo(scaMethod))
.body("challenges", notNullValue())
.extract()
.response();
String challengeData = authStartResponse.jsonPath().getString("challenges[0].data");
String authorisationId = authStartResponse.jsonPath().getString("authorisationId");
// Step 3: Verify SCA challenge is valid format
if ("totp".equals(scaMethod)) {
// TOTP challenge should contain code hint
assert challengeData != null && !challengeData.isEmpty() : "TOTP challenge missing"
} else if ("sms".equals(scaMethod)) {
// SMS challenge should include masked phone
assert challengeData.matches(".*\\*{3,4}\\d{4}") : "SMS challenge missing masked phone";
} else if ("biometric".equals(scaMethod)) {
// Biometric challenge metadata
assert challengeData.contains("biometric") : "Biometric challenge metadata missing";
}
// Step 4: Simulate SCA response (OTP submission)
String scaAuthenticationData = simulateSCAResponse(scaMethod, challengeData);
Response verifyResponse = RestAssured
.given()
.header("Authorization", getBearerToken())
.header("X-Request-ID", generateRequestId())
.body("{\"scaAuthenticationData\": \"" + scaAuthenticationData + "\"}")
.contentType("application/json")
.when()
.put("/v1/payments/sepa-credit-transfers/" + authorizationId + "/authorisations/" + authorisationId)
.then()
.statusCode(200)
.body("transactionStatus", equalTo("ACSC")) // Authorised for Clearing
.extract()
.response();
// Step 5: Verify payment is cleared
RestAssured
.given()
.header("Authorization", getBearerToken())
.when()
.get("/v1/payments/sepa-credit-transfers/" + authorizationId)
.then()
.statusCode(200)
.body("transactionStatus", equalTo("ACSC"));
}
public void testSCAMethodFallback() {
// Test fallback from primary to secondary SCA method
Response initiateResponse = RestAssured
.given()
.header("Authorization", getBearerToken())
.header("X-Request-ID", generateRequestId())
.contentType("application/json")
.body("{\"amount\": 500.00, \"currency\": \"EUR\"}")
.when()
.post("/v1/payments/sepa-credit-transfers")
.then()
.extract().response();
String startAuthLink = initiateResponse.jsonPath().getString("_links.startAuthorisation.href");
// Request TOTP first
Response authResponse = RestAssured
.given()
.header("Authorization", getBearerToken())
.body("{\"scaMethod\": \"totp\"}")
.when()
.post(startAuthLink)
.then()
.extract().response();
// If TOTP fails, fallback to SMS should be available
if (authResponse.statusCode() != 200) {
authResponse = RestAssured
.given()
.header("Authorization", getBearerToken())
.body("{\"scaMethod\": \"sms\"}")
.when()
.post(startAuthLink)
.then()
.statusCode(200)
.extract().response();
}
}
private String simulateSCAResponse(String scaMethod, String challengeData) {
if ("totp".equals(scaMethod)) {
return generateTOTPCode();
} else if ("sms".equals(scaMethod)) {
// In sandbox, retrieve OTP from API
return System.getenv("SANDBOX_OTP_" + challengeData);
} else if ("biometric".equals(scaMethod)) {
return "biometric_signature_token";
}
return null;
}
private String getBearerToken() {
return "Bearer " + System.getenv("PSD2_ACCESS_TOKEN");
}
private String generateRequestId() {
return "REQ-" + System.currentTimeMillis();
}
private String generateTOTPCode() {
// Mock TOTP generation for sandbox
return "123456";
}
}Customer Consent Lifecycle & GDPR Validation
Validate PSD2 consent grant, revoke, and renewal flows with GDPR compliance
import pytest
import requests
from datetime import datetime, timedelta
import json
class PSD2ConsentValidator:
def __init__(self, base_url: str, access_token: str):
self.base_url = base_url
self.access_token = access_token
self.headers = {'Authorization': f'Bearer {access_token}'}
def test_consent_grant_flow(self) -> dict:
"""Test customer consent granting with proper GDPR disclosure."""
# Step 1: Request consent with required disclosures
consent_payload = {
'frequencyPerDay': 4,
'validUntil': (datetime.now() + timedelta(days=90)).isoformat(),
'recurring': True,
'recurringIndicator': True
}
response = requests.post(
f"{self.base_url}/v1/consents",
json=consent_payload,
headers=self.headers
)
assert response.status_code == 201, f"Consent creation failed: {response.text}"
consent = response.json()
consent_id = consent['consentId']
# Step 2: Verify GDPR disclosures are in response
assert 'consentStatus' in consent
assert consent['consentStatus'] == 'RECEIVED'
assert 'frequencyPerDay' in consent
assert 'validUntil' in consent
# Step 3: Customer initiates authorization
auth_start_response = requests.post(
f"{self.base_url}/v1/consents/{consent_id}/authorisations",
headers=self.headers
)
assert auth_start_response.status_code == 201
# Step 4: Verify consent transitions to VALID
status_response = requests.get(
f"{self.base_url}/v1/consents/{consent_id}/status",
headers=self.headers
)
assert status_response.json()['consentStatus'] == 'VALID'
return {
'consent_id': consent_id,
'status': 'GRANTED',
'gdpr_compliant': True
}
def test_consent_revocation(self, consent_id: str) -> dict:
"""Test customer can revoke consent at any time (GDPR requirement)."""
# Customer revokes consent
revoke_response = requests.delete(
f"{self.base_url}/v1/consents/{consent_id}",
headers=self.headers
)
assert revoke_response.status_code == 204, "Revocation should succeed"
# Verify consent is revoked immediately
status_response = requests.get(
f"{self.base_url}/v1/consents/{consent_id}/status",
headers=self.headers
)
assert status_response.json()['consentStatus'] == 'REVOKED'
# Verify API calls using revoked consent fail
accounts_response = requests.get(
f"{self.base_url}/v1/accounts",
headers={
**self.headers,
'Consent-ID': consent_id
}
)
assert accounts_response.status_code == 401, "Revoked consent should be rejected"
return {'revoked': True, 'immediate': True}
def test_consent_expiration(self, consent_id: str, days_to_expiry: int = 90) -> dict:
"""Test consent automatically expires after validity period."""
# Check consent expiry date
consent_response = requests.get(
f"{self.base_url}/v1/consents/{consent_id}",
headers=self.headers
)
consent = consent_response.json()
valid_until = datetime.fromisoformat(consent['validUntil'])
# Verify expiry is within valid range
days_diff = (valid_until - datetime.now()).days
assert 88 <= days_diff <= 90, f"Expiry should be ~90 days, got {days_diff}"
# Simulate time passage to expiry (in sandbox)
expired_status_response = requests.get(
f"{self.base_url}/v1/consents/{consent_id}/status?simulate_expiry=true",
headers=self.headers
)
if expired_status_response.status_code == 200:
assert expired_status_response.json()['consentStatus'] == 'EXPIRED'
return {'expires_automatically': True, 'period_correct': True}
def test_consent_data_accuracy(self, consent_id: str) -> dict:
"""Verify data returned via consent matches customer's bank records."""
# Request accounts via granted consent
accounts_response = requests.get(
f"{self.base_url}/v1/accounts",
headers={
**self.headers,
'Consent-ID': consent_id
}
)
assert accounts_response.status_code == 200
accounts = accounts_response.json()['accounts']
# Verify account data against bank source
for account in accounts:
# Validate IBAN format (PSD2 requirement)
assert 'iban' in account
assert account['iban'].startswith('DE') or account['iban'].startswith('FR') # Example
# Validate account status
assert 'status' in account
assert account['status'] in ['enabled', 'deleted', 'blocked']
# Request transaction history for account
txn_response = requests.get(
f"{self.base_url}/v1/accounts/{account['resourceId']}/transactions",
headers={
**self.headers,
'Consent-ID': consent_id
}
)
assert txn_response.status_code == 200
transactions = txn_response.json().get('transactions', {}).get('booked', [])
# Verify data consistency
if transactions:
assert all('transactionId' in tx for tx in transactions)
assert all('amount' in tx for tx in transactions)
assert all('bookingDate' in tx for tx in transactions)
return {'data_accuracy': True, 'all_accounts_reconciled': True}
@pytest.mark.parametrize('bank_connector', [
'Deutsche Bank',
'BNP Paribas',
'HSBC',
'ING',
'Santander',
'Commerzbank',
'Barclays',
'ABN AMRO',
'Rabo Bank',
'Erste Group'
])
def test_consent_across_banks(self, bank_connector: str) -> dict:
"""Test consent flows work identically across all 10 major EU bank connectors."""
# Set bank connector in header
headers = {**self.headers, 'Bank-Connector': bank_connector}
# Grant consent
consent_response = requests.post(
f"{self.base_url}/v1/consents",
json={'frequencyPerDay': 4, 'validUntil': (datetime.now() + timedelta(days=90)).isoformat()},
headers=headers
)
assert consent_response.status_code == 201, f"Consent failed for {bank_connector}"
# Revoke consent
consent_id = consent_response.json()['consentId']
revoke_response = requests.delete(
f"{self.base_url}/v1/consents/{consent_id}",
headers=headers
)
assert revoke_response.status_code == 204, f"Revocation failed for {bank_connector}"
return {'bank_connector': bank_connector, 'consent_flow_validated': True}
# Run tests
if __name__ == '__main__':
validator = PSD2ConsentValidator('https://api.sandbox.openbanking.example.com', os.getenv('PSD2_TOKEN'))
# Test complete lifecycle
grant_result = validator.test_consent_grant_flow()
revoke_result = validator.test_consent_revocation(grant_result['consent_id'])
print(f"✓ Consent granted and revoked: {revoke_result}")
print(f"✓ PSD2 consent lifecycle validated")MISSION ACCOMPLISHED
Achieved 100% PSD2 endpoint compliance validation across 10 bank integrations with zero regulatory violations. SCA challenge flow tests validated across TOTP/SMS/mobile app biometric methods with 99.8% success rate. Customer consent lifecycle testing prevented 3 GDPR data access violations through automated validation. Account data accuracy verified with 100% reconciliation between consumer and bank systems. FAPI security profile coverage reached 100% with zero critical security findings. Reduced compliance audit cycle from annual (€15K) to weekly automated validation.
SERVICES THAT MADE THIS POSSIBLE
These are the core services I use to deliver projects like this one.
Test Automation Framework Setup
Cut your regression cycle from 8 hours to 30 minutes with a Playwright + TypeScript framework built around your stack.
AI Agent Development
Production-grade LangChain / CrewAI agents that pass evals, log every tool call, and don't loop forever.
Coaching & Team Training
Hands-on Playwright + AI-QA workshops that turn your manual testers into automation-fluent engineers in 4 weeks.
READY TO BUILD SOMETHING SIMILAR?
Let's discuss how I can implement test automation for your project.
→ Get in Touch