BOPTI FCU API integration & OpenBanking data export

OpenData · OpenFinance · FDX API · Section 1033

Connect BOPTI FCU member accounts, statements, and mobile check deposits to your stack

BOPTI Federal Credit Union, headquartered in San Pedro, California, runs its mobile banking on the CU*Answers / It's Me 247 platform. Its app exposes balance enquiry, transfers, bill pay, mobile remote deposit capture (mRDC), and card controls. Each of these screens is backed by structured, server-side data — and that is precisely what an OpenBanking-style integration can surface as APIs.

Transaction history for share draft (checking), savings, and loan accounts — the highest-value dataset for accounting sync and reconciliation.
Mobile check deposit events with timestamp, amount, and clearing status — useful for SMB cashflow dashboards.
Card activity and lock status from the in-app "Manage My Cards" screen, ideal for fraud-monitoring overlays.

Account login & session APIs — Mirror the It's Me 247 authentication handshake, including device binding and step-up MFA, exposed as a clean OAuth-style token service for downstream apps.

Statement & transaction export — Paginated transaction history for share, share draft, money market, and loan accounts, with date filters, type filters (ACH, debit card, mRDC, dividend posting), and exports to JSON, CSV, or OFX.

Mobile Remote Deposit Capture (mRDC) feed — Webhook plus pull endpoints for deposit submissions, ratified status, hold release, and any returned items.

Card controls API — Read recent card activity, toggle the temporary card lock, and subscribe to per-transaction notifications, all aligned with the in-app behaviour.

Data available for integration

The table below summarises the structured datasets that BOPTI Federal Credit Union holds for an authorised member, mapped to the screen they originate from in the mobile app, and the most common downstream business use of each one. Granularity is shown so consumers know what they can actually filter or aggregate on.

Data type	Source screen / feature	Granularity	Typical use
Account list & balances	Home / Accounts tab	Per share / share-draft / loan, current and available, refreshed on view	Cash position dashboards, treasury sweeps, member onboarding KYC
Transaction history	Account detail screen	Per posting; date, amount, type, merchant or counterparty, running balance	Reconciliation, BI, expense categorisation, fraud analytics
Mobile check deposit (mRDC)	"Deposit a Check" flow	Per submission: amount, front/back image hash, hold expiry, status	SMB cashflow, audit trail, deposit-volume reporting
Card activity & controls	"Manage My Cards" in More menu	Per card, per authorisation; lock status as a boolean	Fraud overlays, real-time spend alerts, lost-card workflows
Bill pay payees & history	Bill Pay tab	Per payee; per scheduled / completed payment	Recurring obligation tracking, accounts-payable sync
Member messages	Message Center	Per thread; subject, body, read flag, timestamps	Customer-care integration, compliance-record retention
Branch & ATM directory	Branch & Contact info	Per location; address, hours, geo, services	Locator widgets, mapping mashups, in-store routing

What we deliver

Deliverables checklist

OpenAPI 3.1 specification covering login, accounts, transactions, mRDC, and card endpoints
Protocol and authentication flow report (token chain, MFA challenge, device binding, error codes)
Runnable source code in Python (FastAPI) and Node.js (TypeScript) with example clients
Postman collection and pytest / Vitest integration tests
Compliance pack: GLBA safeguards mapping, Section 1033 readiness checklist, NCUA RDC examiner notes

Technical implementation snippets

Three vary-by-purpose snippets (statement pull, mRDC webhook, card lock) follow. They mirror the FDX v6.4 envelope and the It's Me 247-style session model that BOPTI FCU's mobile platform uses.

// 1) Pull a transaction statement (FDX-style)
POST /api/v1/bopti/statement
Content-Type: application/json
Authorization: Bearer <ACCESS_TOKEN>

{
  "accountId": "share-draft-0042",
  "fromDate": "2026-04-01",
  "toDate":   "2026-04-30",
  "types":    ["ACH", "DEBIT_CARD", "MRDC", "DIVIDEND"],
  "page":     { "limit": 200, "cursor": null }
}

200 OK
{
  "accountId": "share-draft-0042",
  "currency":  "USD",
  "transactions": [
    {
      "postedTimestamp": "2026-04-21T15:04:11Z",
      "amount":          -42.18,
      "type":            "DEBIT_CARD",
      "description":     "Trader Joe's #181 San Pedro CA",
      "runningBalance":  1284.07,
      "fdxCategory":     "GROCERIES"
    }
  ],
  "page": { "nextCursor": "eyJvIjoyMDB9" }
}

// 2) Mobile check deposit webhook (mRDC event)
POST {your_endpoint}
X-OFL-Signature: sha256=...
Content-Type: application/json

{
  "event":     "mrdc.cleared",
  "memberId":  "m_8f12...",
  "depositId": "dep_2026_05_07_19F",
  "amount":    1750.00,
  "submittedAt": "2026-05-07T13:22:09Z",
  "clearedAt":   "2026-05-08T15:00:00Z",
  "holdExpiry":  "2026-05-09T08:00:00Z",
  "status":      "CLEARED",
  "imageRef": { "frontHash":"...","backHash":"..." }
}

// 3) Toggle card lock (mirrors the "Manage My Cards" screen)
PUT /api/v1/bopti/cards/{cardId}/lock
Authorization: Bearer <ACCESS_TOKEN>

{ "locked": true, "reason": "MEMBER_REQUEST" }

200 OK
{ "cardId":"crd_77...","locked":true,"updatedAt":"2026-05-09T08:31:02Z" }

// Errors
401  invalid_or_expired_token
409  card_already_in_target_state
423  step_up_mfa_required

Typical integration scenarios

These are end-to-end use cases we have shipped for community credit-union sized members similar to BOPTI Federal Credit Union. Each one maps to a clear OpenData / OpenFinance pattern under FDX and Section 1033.

1. Small-business accounting sync (QuickBooks / Xero)

A San Pedro contractor runs payroll and AP through BOPTI FCU and books in QuickBooks Online. We attach the /api/v1/bopti/statement endpoint to a nightly job that pulls the previous day's share-draft postings, maps each fdxCategory to a chart-of-accounts code, and posts the entries via QuickBooks's JournalEntry resource. The mRDC webhook closes the loop by marking customer cheque deposits as cleared in the AR ledger.

2. Personal financial management aggregator onboarding

Members want to link BOPTI accounts to apps like YNAB or Monarch. Instead of credential-share screen scraping, we implement an FDX v6.4-aligned /accounts and /transactions endpoint, fronted by a Plaid- or MX-compatible consent flow. This is exactly the scraping-to-API migration that America's Credit Unions and CU Insight describe as the typical first quarter outcome of an open-banking program.

3. Mobile deposit cashflow dashboard for member SMBs

Many credit-union members are dock workers, port logistics firms, and harbour-area trades who deposit cheques daily through mRDC. The mrdc.submitted and mrdc.cleared webhooks feed a dashboard that distinguishes "submitted but on hold" balances from collected funds. NCUA examiners specifically expect Remote Deposit Capture programmes to track this distinction; the API exposes it natively.

4. Lost-card and fraud overlay

An issuer-processor fraud model flags an unusual point-of-sale tap. Our integration calls PUT /cards/{cardId}/lock to freeze the card the same way the member would in "Manage My Cards", then triggers a Message Center notification. This converts a model alert into a one-second containment action without involving a call-centre agent.

5. Section 1033 third-party data recipient onboarding

Once the CFPB Section 1033 implementation timeline resumes after the August 2025 advance notice review, larger covered institutions must serve covered data on demand. We pre-package an FDX v6.4 endpoint set, a consent dashboard, and an audit log so a credit union of any size can act as a data provider — or as an authorised third-party recipient — without re-architecting its core.

Compliance & privacy

All endpoints are designed against published US standards. Member data flows are governed by the CFPB's Personal Financial Data Rights final rule (Section 1033), which became effective on January 17, 2025, and by the Gramm-Leach-Bliley Act safeguards rule. mRDC flows follow the NCUA Examiner's Guide on Remote Deposit Capture, including dual-presentment and image-retention controls.

The data model is FDX v6.4 — the Spring 2025 release of the Financial Data Exchange standard, recognised by the CFPB as a standard-setting body in January 2025 — so consent records, scopes, and entity envelopes are already in a shape that any FDX-compliant aggregator can consume. Note that credit unions with $850 million or less in assets are currently exempt from the Section 1033 final rule; this implementation still anticipates the standard so future expansion does not force a rewrite.

Data flow / architecture

The pipeline is intentionally short and auditable. Each hop is logged with member-id, scope, and consent-id so any pull is reconstructable.

BOPTI FCU mobile app / It's Me 247 backend — the source of truth (balances, postings, mRDC events, card status).
Adapter layer — translates the credit-union core's native messages into FDX v6.4 envelopes.
API gateway & consent service — token issuance, scope enforcement, rate limiting, audit logs.
Downstream consumer — your accounting stack, BI warehouse, fraud model, or member-facing PFM app.

Market positioning & user profile

BOPTI Federal Credit Union is a small, community-chartered institution based in San Pedro, California, serving members tied historically to the harbour, port, and surrounding trades. Its members are predominantly retail consumers and small-business operators who use the app on Android and iOS for everyday balance checks, mobile cheque deposit, and bill pay. This profile is typical of the "long tail" of US credit unions — the ones that benefit most from buying open-banking infrastructure rather than building it. Industry coverage in 2024 and 2025 (including CU Insight's open-banking playbook) repeatedly notes that smaller credit unions see a meaningful shift from credential scraping to API-based access in the first quarter after go-live.

Screenshots

Click any thumbnail to view full size. These come from the public Google Play listing and illustrate the screens whose underlying datasets the API surfaces.

Similar apps & integration landscape

Members who hold accounts at BOPTI Federal Credit Union frequently bank in parallel with one of the larger US credit unions below, especially for joint-membership households or cross-institution PFM use. We list these strictly to position the integration landscape — each name describes a comparable data surface that benefits from the same FDX-aligned APIs.

Navy Federal Credit Union — the largest US credit union by assets; users who also work with Navy Federal often need unified transaction exports across both institutions for household budgeting.
Alliant Credit Union — an online-only credit union whose mobile-first members typically demand FDX-compatible aggregator links for the same accounts they hold at smaller community institutions.
PenFed Credit Union — branch-light national credit union; integrators frequently pair PenFed and community-CU statements for whole-of-wallet dashboards.
A+ Federal Credit Union — recognised by Global Finance's 2025 World's Best Consumer Digital Bank Awards as Best Mobile Banking App in North America; a useful reference for what a top-tier mobile data surface looks like.
SchoolsFirst Federal Credit Union — California-based, education-sector focused; co-resident with BOPTI in many household profiles in southern California.
First Tech Federal Credit Union — technology-sector credit union with strong digital-only use cases that map cleanly to OpenBanking endpoints.
Credit Union of America — community credit union with mobile-first features comparable to BOPTI's; integration patterns for both look almost identical.
University of Wisconsin Credit Union — a public reference customer for Plaid open-banking APIs, illustrating how mid-size credit unions expose data to the fintech ecosystem.

About us

OpenFinance Lab is an independent technical studio focused on mobile-app protocol analysis, OpenData, OpenFinance, and OpenBanking integration. Our team has shipped production APIs for community banks, credit unions, payment gateways, and cross-border payment rails. We know the practical realities of CU*Answers / It's Me 247-style cores, the FDX v6.4 envelope, and the Section 1033 timeline.

Community banking, credit unions, retail brokerage, insurtech
API gateway rollouts, consent management, FDX adapter design
Custom Python, Node.js, and Go SDKs plus full test harnesses
End-to-end pipeline: protocol analysis → adapter build → validation → compliance pack
Source code delivery from $300 — runnable API source code and full documentation; pay after delivery upon satisfaction
Pay-per-call API billing — access our hosted endpoints and pay only per call, no upfront cost

Contact

For quotes or to submit your target app and requirements, open our contact page:

Contact page

Engagement workflow

Scope confirmation: which BOPTI FCU data surfaces matter (login, accounts, transactions, mRDC, card lock).
Protocol analysis and FDX-aligned API design (2–5 business days, depending on auth complexity).
Build and internal validation against staging (3–8 business days).
Documentation, sample clients, Postman collection, and test cases (1–2 business days).
First delivery typically lands within 5–15 business days; third-party approvals or member-side authorisation can extend timelines.

FAQ

What do you need from me to start a BOPTI FCU integration?

Member-side authorization for the BOPTI Federal Credit Union account, the data scope you want (balances, transaction history, mobile check deposit events, card status), and any existing back-office systems we need to push to (ERP, accounting, BI). For business members, we also accept aggregator credentials such as Plaid, MX or Finicity.

How long does delivery take?

Typical first delivery is 5 to 12 business days for read-only endpoints (login, balance, statement export). Mobile check deposit and webhook-driven flows usually add another 3 to 7 business days for end-to-end testing against the credit union's core and our staging gateway.

Is this compliant with US open banking regulation?

Yes. All flows are designed against the FDX API v6.4 specification and the CFPB Section 1033 Personal Financial Data Rights rule (effective January 17, 2025). We follow GLBA safeguards, NCUA examination guidance for Remote Deposit Capture, and member consent records, with audit logs for every data pull.

📱 Original app overview (appendix)

BOPTI Federal Credit Union is a community-chartered, not-for-profit credit union headquartered in San Pedro, California. Per the credit union's own description, its mobile app gives members convenient access to BOPTI Federal Credit Union's mobile website, mobile check deposit, mobile banking, branch & contact information, and help.

The app is published under package com.boptifcu.boptifcu on Google Play and is also available on the iOS App Store. Its mobile banking sits on top of the CU*Answers / It's Me 247 platform, which is widely used by community credit unions in the US.

Balance enquiry across share, share-draft, money-market, and loan accounts
Transfers between own accounts and to other members
Bill pay integrated with online banking and mobile banking
Mobile remote deposit capture (mobile check deposit)
"Manage My Cards" screen — recent card activity, temporary card lock, configurable per-transaction notifications
Message Center with swipe to delete or mark messages as read
Updated tab-bar UI, customisable favourite accounts and features, full tablet rotation support
Branch and contact information directory

Recent change: in the last two years the app has shipped a redesigned tab-bar UI, customisable favourites, and an upgraded Manage My Cards screen with per-card notifications and temporary lock — exactly the surface area an OpenData integration can mirror as APIs.