OpenBanqing Compliance

OpenBanqing is built compliance-first.

The table below describes the scope of each framework and the current attestation status — what we designed for, what is in implementation, what is in audit, and what is certified. We don't claim certifications we don't hold.
Designed for · In implementation · Audit scheduled · Audit in progress · Certified

PSD2 / PSD3

Designed for
European Commission · EBA

Payment Services Directive — Strong Customer Authentication, secure communication, TPP authorisation, consent.

Status: API contract aligned with Berlin Group NextGenPSD2 v1.3.12. Conformance run-throughs against the published test suite are part of CI.

FAPI 2.0

Designed for
OpenID Foundation

Financial-grade API Baseline + Advanced security profile — DPoP, MTLS, PAR, JAR.

Status: Authorisation pipeline implemented to FAPI 2.0 Baseline + Advanced. OpenID Foundation conformance certification is on the roadmap.

FDX 6.0

Designed for
Financial Data Exchange

North American open-banking API standard (US, Canada).

Status: Schema parity with FDX 6.0. FDX membership and conformance certification scheduled — confirm current status with compliance@.

Open Banking UK v3.1.11

Designed for
Open Banking Implementation Entity (OBIE)

UK CMA Order Part 4 specifications — AISP, PISP, CBPII rails and consent flows.

Status: Schema parity with the latest OBIE specification. OBIE Directory registration is a customer-licence concern; we provide the technical infrastructure underneath.

Basel III

In implementation
Bank for International Settlements

Capital adequacy, LCR, NSFR — patterns for real-time calculation in the banking-core integration layer.

Status: RWA / LCR / NSFR computation patterns ship as part of the analytics rails. Customer-side actuarial review remains a regulated entity's responsibility.

IFRS 9

In implementation
IFRS Foundation

Expected credit-loss provisioning across stages 1, 2, and 3 with structured lineage.

Status: Ledger schema and event lineage support stage-based ECL modelling. Scenario calibration remains the customer's responsibility.

SOC 2

Audit scheduled
AICPA

Security, availability, confidentiality, processing integrity, privacy — Trust Services Criteria.

Status: Type I scoping engaged with an independent auditor. Type II observation window opens once Type I is signed. Report shared under NDA when complete.

ISO 27001

Audit scheduled
ISO

Information Security Management System (ISMS).

Status: ISMS documented; gap assessment complete; Stage 1 audit scheduled with a UKAS-accredited registrar. Certificate shared once issued.

ISO 20022

In implementation
ISO

Universal financial-messaging standard.

Status: All payment and settlement messages are modelled natively against ISO 20022. End-to-end coverage tracks the SWIFT MX migration timetable.

GDPR

In implementation
European Commission

Data protection regulation — lawful basis, data minimisation, right to erasure, data portability, breach notification.

Status: DPO appointed; DPIA template applied to every new feature; sub-processor list maintained with 30-day change notice.

DORA

In implementation
EU — Digital Operational Resilience Act

ICT risk management, incident reporting, third-party register, threat-led penetration testing.

Status: Register of information maintained. ICT risk-management framework documented. TLPT scheduling depends on supervisory authority requirements per region.

PCI DSS 4.0

Audit scheduled
PCI Security Standards Council

Cardholder data environment — applicable to issuer / acquirer rails when in scope.

Status: Scope-reduction architecture in place (tokenisation at the edge). QSA engagement scheduled for the cardholder-data environment.

AML / KYC (FATF Recommendations)

In implementation
FATF · FinCEN · NCA · AUSTRAC · jurisdiction-specific

Customer due diligence, sanctions screening, transaction monitoring, SAR / STR rails.

Status: Sanctions screening integrates with industry list providers (OFAC, EU, UN, UK, AUSTRAC). Provider selection is configurable per tenant.

Compliance evidence pack

Prospective enterprise customers can request the current evidence pack under mutual NDA: ISMS scope, DPIA templates, sub-processor list, DORA register of information, jurisdiction-specific cloud-residency matrix, architecture diagrams, and the latest available audit letters.

Request via [email protected] or use the form. Replies within one business day from info@openbanqing.com.