Financial Institution Achieves FAPI-Compliant Open Banking Platform

Overview

BankY, a forward-looking financial institution, partnered with Trevonix Technologies to design and implement a secure, standards-based Open Banking platform in line with PSD2, UK Open Banking (OBIE), and FAPI-RW specifications.

The engagement focused on enabling Dynamic Client Registration (DCR) to securely onboard Third Party Providers (TPPs), leveraging OpenID Connect (OIDC), Financial-grade API – Read/Write (FAPI-RW) security profiles, and the OB Read/Write API standard.

The solution was designed to integrate seamlessly with BankY’s existing IAM ecosystem, while ensuring regulatory compliance, strong customer authentication (SCA), and future scalability for expanding Open Banking and upcoming Open Finance capabilities.

The Challenge

BankY’s vision for an agile, compliant Open Banking framework required overcoming the following technical and regulatory hurdles:

Dynamic Client Registration Automation – Building secure DCR endpoints to automate OAuth client onboarding for TPPs in compliance with OBIE DCR API profiles.

Certificate-Based Mutual TLS Authentication – Enforcing OBIE Transport Certificates for all TPP interactions and validating Software Statement Assertions (SSAs) issued by the OB Directory.

Custom FAPI Compliance – Implementing OIDC and FAPI-RW security features.

Custom Authentication & Consent Flows – Designing PingFederate adapters for Strong Customer Authentication (SCA), including step-up MFA for high-risk payment flows.

GDPR & PSD2 Compliance – Enforcing customer data minimisation, explicit consent capture, and transaction audit logging.

High Availability & Scalability – Ensuring the IAM layer and API gateway could handle large volumes of secure TPP requests without downtime.

The Solution

Trevonix delivered a FAPI-compliant, security-hardened Open Banking platform by integrating Ping Identity, Kong Gateway, and AWS-native services, alongside custom development for PingFederate adapters and consent orchestration.

1. Dynamic Client Registration (DCR) Implementation

- Developed secure /register endpoints per OBIE DCR specification, supporting POST, GET, PUT, and DELETE operations for OAuth clients.

- Implemented custom PingFederate IdP/SP adapters for:

  • Validating SSA signatures against OB Directory JWKS endpoints.
  • Parsing SSA claims to auto-populate client metadata in PingDirectory.
  • Enforcing sector_identifier_uri and pairwise subject identifiers for privacy compliance.

- Built SSA expiry and revocation checks to block stale or invalid registrations.

2. Ping Identity Integration

- PingFederate configured as the OAuth 2.0 Authorization Server with full FAPI-RW compliance, enforcing:

  • mTLS-bound access tokens.
  • JARM (JWT Secured Authorization Response Mode) for authorization responses.
  • PAR (Pushed Authorization Requests) for pre-registration of authorisation parameters.
  • Private Key JWT client authentication for token endpoint calls.

- PingDirectory used as the centralised TPP metadata store with schema extensions for Open Banking attributes.

- PingOne MFA integrated into consent flows for SCA, delivering OTP via SMS/email and app push.

3. Gateway and API Management

- Kong API Gateway deployed in front of AISP, PISP, and consent microservices.

- Enforced mTLS at the gateway level with certificate pinning against OBIE Transport Certs.

- Implemented rate-limiting, IP allowlisting, and fine-grained scopes for API endpoints.

4. Compliance Alignment

- Mapped implementation to FAPI Part 1 and Part 2 to ensure cryptographic, client authentication, and payload signing requirements were met.

- Captured consent transaction records in an immutable audit store for GDPR and PSD2 traceability.

5. Cloud-Native Deployment

- Containerised all IAM and API gateway components and deployed to AWS EKS.

- Used AWS ALB + WAF for ingress control and protection against common web exploits.

- Implemented multi-AZ HA clustering for PingFederate and PingDirectory.

The Outcome

The Open Banking implementation enabled BankY to:

- Programmatically onboard TPPs via a secure, OBIE-compliant DCR API.

- Achieve end-to-end FAPI-RW compliance for both AISPs and PISPs.

- Ensure Strong Customer Authentication through adaptive MFA and custom consent workflows.

- Reduce onboarding timelines by eliminating manual client registration.

- Securely transmit financial data using mTLS-bound, signed JWT access tokens.

- Scale horizontally to accommodate future Open Finance use cases.

The Platforms

PingFederate – OAuth 2.0 Authorization Server, FAPI-RW enforcement, SSA validation, JARM

PingDirectory – Centralised identity and TPP metadata storage with custom Open Banking attributes

PingOne MFA – Multi-factor authentication for SCA

Kong API Gateway – mTLS enforcement, rate-limiting, and secure API exposure for AIS/PIS services

Open Banking Read/Write API – OBIE specification-compliant endpoint design

FAPI-RW Part 1 & Part 2 – Implemented advanced security profiles for financial data protection

AWS EKS – Container orchestration, HA clustering, and secure ingress via ALB + WAF
