CFA Móvil API integration & OpenFinance Colombia

OpenData · OpenFinance · Protocol analysis · Bre-B ready

Bring CFA Móvil cooperative-banking data into your accounting, ERP, or analytics stack

CFA Móvil is the mobile transactional channel of Cooperativa Financiera de Antioquia, holding contributions, savings, CFA Express electronic-money deposits, credit balances, and Bre-B payment activity for partners and savers in Antioquia and across Colombia. We turn that data into authorized, well-documented API surfaces.

Transaction history endpoint — Paginated movement export from savings, CFA Express and credit products, with date filters and ISO 4217 currency tagging for reconciliation and bookkeeping.

Balance & product snapshot — Real-time balances for contributions, savings, “más cupo” quotas, and CFA Express e-money wallets, suitable for ERP dashboards and treasury sync.

Bre-B payments bridge — Send and receive Bre-B keys (cédula, mobile, e-mail or alphanumeric code) through a single facade, including settlement-status webhooks.

Feature modules we deliver

Login & key management

CFA Móvil uses a 4-digit start key plus a separate transactional key (fixed, SMS-OTP, or e-mail OTP). We wrap that dual-key flow in a session broker, expose a refresh endpoint, and surface key-recovery callbacks so your stack does not have to model each variant.

Statement export & reconciliation

Export movements for savings, CFA Express, “más cupo”, credit and bill-payment journeys to JSON or Excel. Movement metadata includes counterparty alias, channel (PSE, QR, Bre-B), and the fee disclosed at confirmation time, so accountants can match every line.

Bre-B & PSE payment rails

Bre-B (Banco de la República’s instant rail) went live on 6 October 2025 and now interoperates with five SPBVIs. We expose a unified send/receive endpoint plus a PSE button proxy so your checkout can quote both options without duplicating logic.

Debit card & cardless ATM

Block or replace the CFA debit card, generate cardless-withdrawal codes, and stream lifecycle events as webhooks. Useful for fraud-response automations and customer-service portals that need a one-click freeze.

CFA Express onboarding

A documented public-API flow for opening an electronic-money deposit using only the partner’s national-ID document and mobile number, mirroring the in-app “CFA Express” entry point that bypasses the full associate KYC.

Recharges & agreement bill-pay

Top-up cellular minutes and run bill payments against CFA’s agreement catalogue (utilities, education, public services). We surface the catalogue as a queryable list so your UI can show the same agreement codes the app exposes.

Data available for integration

The table below maps each data type to the in-app surface it originates from, the granularity you can request, and the typical downstream use. We derive this inventory from the published CFA Móvil description and our protocol-analysis playbook.

Data type	Source (screen/feature)	Granularity	Typical use
Account & product list	Home “Mis productos”	Per product (savings, CFA Express, credit, “más cupo”)	Treasury dashboards, KYC enrichment
Transaction history	Movement detail per product	Per movement, ISO date, channel, fee, counterparty alias	Bookkeeping, reconciliation, AML monitoring
Balances & quotas	Product card	Real-time, COP-denominated	Credit decisioning, cashflow forecasting
Bre-B keys & transfers	Bre-B / immediate-payments module	Per key (cédula, móvil, correo, código), per transfer	P2P/P2M payouts, settlement reporting
Bill payments & agreements	“Pagos a convenios”	Agreement code, invoice ID, due amount	Utility resellers, payment-link automations
Authorizations & consents	Security center	Per authorization grant/revocation	OpenFinance consent ledger, audit trail
Card lifecycle events	Debit-card module	Per event (block/unblock/reissue)	Fraud-response webhooks, ops dashboards

Typical integration scenarios

Scenario 1 — Accounting sync for SMEs in Antioquia

Local SMEs that hold contributions and a credit line with CFA need monthly bookkeeping to land in Siigo or Alegra. We pull statements via POST /api/v1/cfa/statement, normalize counterparty aliases (Bre-B handle vs. cooperative member), and push journal entries through the accounting partner’s SDK. This maps directly to the OpenFinance “transactional data” phase the SFC sequenced from 2024 onward.

Scenario 2 — Bre-B-aware checkout for fintech merchants

A Colombian PSP needs to quote both Bre-B and PSE at checkout. We brokered a single endpoint that returns a payment intent, the Bre-B QR payload and PSE handoff URL together; the merchant resolves whichever the buyer chooses. Settlement notifications fan out as webhooks signed with HMAC-SHA256, mirroring the OpenBanking event model used in Pix and UPI ecosystems.

Scenario 3 — Multi-cooperative consent dashboard

Wealth-management tools that aggregate balances across CFA and other cooperativas need a consent ledger compatible with SFC Circular 004. We wire CFA Móvil authorizations into a central consent store so each token carries scope, expiry, and revocation hooks, and we expose a /consents endpoint to renew or revoke without forcing the user back into the mobile app.

Scenario 4 — Credit-scoring enrichment

Lenders evaluating thin-file applicants in Medellín can pull 6–24 months of CFA Express movements and savings cadence as a signal layer. Outputs feed a scoring model alongside DataCrédito / TransUnion Colombia bureau data. Because CFA is a regulated cooperative, the OpenFinance contract is legally cleaner than scraping screenshots of statement PDFs.

Scenario 5 — Cross-border remittance reconciliation

Spanish or US-based remittance operators sending money to Colombian beneficiaries can reconcile arrivals into CFA Express by polling the statement endpoint with a reference filter, then auto-confirm the corridor leg. Latency is sub-minute when paired with Bre-B settlement webhooks.

Technical implementation

Authentication broker (start key + transactional key)

POST /api/v1/cfa/session
Content-Type: application/json

{
  "document_type": "CC",
  "document_number": "10**********",
  "start_key": "<4-digit numeric>",
  "device_id": "1f0a-...-ab",
  "channel": "cfa-movil"
}

200 OK
{
  "access_token": "eyJhbGciOi...",
  "refresh_token": "rt_5c...",
  "expires_in": 1800,
  "tx_key_required": true,
  "tx_key_mode": "OTP_SMS"
}

Statement query (movements export)

POST /api/v1/cfa/statement
Authorization: Bearer <ACCESS_TOKEN>

{
  "product_id": "savings:1234",
  "from_date": "2026-03-01",
  "to_date":   "2026-03-31",
  "channels":  ["BRE_B","PSE","ATM","APP"],
  "page_size": 100
}

200 OK
{
  "items": [
    {
      "id": "mov_9f...",
      "posted_at": "2026-03-04T18:21:09-05:00",
      "amount_cop": 250000,
      "channel": "BRE_B",
      "counterparty_alias": "carlos@bancolombia",
      "fee_cop": 0,
      "balance_after_cop": 1842300
    }
  ],
  "next_cursor": "cur_..."
}

Bre-B transfer webhook

POST {your_webhook}
X-Cfa-Signature: t=1715300000,v1=hmac-sha256(payload, secret)

{
  "event": "bre_b.transfer.settled",
  "data": {
    "ref": "bb_2026_05_04_001",
    "amount_cop": 120000,
    "from_key": "3001234567",       // mobile
    "to_key":   "andres@correo.co", // email
    "settled_at": "2026-05-04T13:11:02-05:00"
  }
}

Errors follow an RFC 7807 problem+json shape. Idempotency is handled with an Idempotency-Key header on every write path so replays during connectivity hiccups cannot duplicate a Bre-B transfer.

Compliance & privacy

Colombian regulatory anchor points

Integrations follow the framework set by the Superintendencia Financiera de Colombia (SFC): External Circular 004 of 2024 on Open Finance architecture, Decree 0368 of 2025 making the regime mandatory for SFC-supervised entities, and External Circular 001 of 2026 which extends the transition timeline from 18 to 30 months. Habeas Data Law 1581 of 2012 governs personal-data handling end-to-end.

Bre-B alignment

Bre-B is operated by Banco de la República and went live on 6 October 2025. Our wrapper preserves the canonical four key types (document, mobile, e-mail, alphanumeric) so consent records remain portable across the 218+ participating entities and the five fully interoperated SPBVIs.

Data flow / architecture

A typical CFA Móvil integration moves through four nodes: CFA Móvil client app or our headless session broker → OpenFinance ingestion gateway (TLS 1.3, mTLS for service-to-service, HMAC-signed webhooks) → normalized storage (Postgres with row-level encryption for PII columns; S3 / object storage for raw statement payloads) → consumer surface (REST/GraphQL for partners, BI warehouse for analytics, fan-out to ERP/accounting). A side-channel publishes Bre-B settlement events to a stream (Kafka or Pub/Sub) for sub-minute reconciliation.

Market positioning & user profile

CFA Móvil serves the partners, savers and customers of Cooperativa Financiera de Antioquia, a regulated cooperative recognized by UNSGSA Queen Máxima’s office for community-banking impact in Medellín. The primary user base is Colombian: B2C members in Antioquia and surrounding departments, plus SMEs that use the cooperative for payroll, credit, and supplier payments. The app ships on Android and iOS; recent feature work has focused on biometric login, virtual queue, PSE payments, QR person-to-person, cardless ATM withdrawals, and Bre-B onboarding from the October 2025 launch wave.

Screenshots

Click any thumbnail to enlarge. Screenshots are sourced from the public CFA Móvil Google Play listing.

Similar apps & integration landscape

Teams that integrate CFA Móvil often need parallel coverage across the wider Colombian fintech stack. The list below is descriptive only — these apps are part of the same regulatory and Bre-B ecosystem, not direct competitors of CFA. Unifying movement and balance exports across them is the most common reason customers extend a CFA project.

Nequi

Bancolombia’s digital spin-off, around 24 million users; processes tens of millions of daily Bre-B transactions and is usually paired with CFA in cross-wallet remittance flows.

Daviplata

Davivienda’s wallet, focused on financial inclusion; useful as a counterparty source in CFA Móvil statement-export reconciliation.

Bancolombia App

The flagship Bancolombia retail-banking app; integrators typically aggregate CFA savings balances next to Bancolombia checking for unified treasury dashboards.

MOVii

One of the three leading neobanking platforms in Colombia; widely used in P2P and recharge flows that also appear in CFA Móvil bill-payment data.

Lulo Bank

A digital-native bank offering savings and personal loans; commonly integrated alongside CFA for credit-comparison and rate-shopping tools.

Nu Colombia

Nubank’s Colombian operation, currently a top-three finance app on Google Play and iOS; cross-platform statement export is a typical extension request.

RappiPay

Rappi’s payment app, available across Latin America; appears as counterparty on QR-person and merchant flows that feed into CFA Móvil movements.

Mercado Pago Colombia

MercadoLibre’s wallet; e-commerce reconciliations frequently need a joined view of CFA cooperative payouts and Mercado Pago settlements.

Wompi

A Bancolombia-affiliated payment gateway; merchants taking Bre-B through Wompi often reconcile against CFA Móvil statements on the buyer side.

What we deliver

Deliverables checklist

OpenAPI 3.1 specification for every endpoint above
Protocol analysis report (start-key + transactional-key flow, refresh, key-recovery)
Runnable Python and Node.js clients (login, statement, Bre-B send/receive)
Postman / Bruno collection plus a Bre-B sandbox harness
Habeas Data & SFC Circular 004 compliance notes

About us

OpenFinance Lab is an independent studio focused on Latin American fintech and open-data API integration. The team blends payments, protocol analysis, and platform-engineering experience from banks, PSPs, and cloud providers. We know SFC, Banco de la República, NPCI UPI, Pix, and CBPR contracts, and we ship financial APIs under security and compliance constraints.

Source-code delivery from $300 — runnable API source and full documentation, paid after delivery upon satisfaction
Pay-per-call API billing — call our hosted endpoints, pay only for what you use, no upfront fee
Full pipeline: protocol analysis → build → validation → compliance review

Engagement workflow

Scope confirmation: which CFA Móvil surfaces matter (login, statements, Bre-B, card lifecycle).
Protocol analysis & API design (2–5 business days).
Implementation, sandbox wiring, and internal validation (3–8 business days).
Documentation, OpenAPI export, sample clients, and test cases (1–2 business days).
Handoff: source-code delivery or hosted API credentials, plus a 14-day support window.

FAQ

What information do you need from us to start a CFA Móvil integration?

Target endpoints you care about (transaction history, CFA Express balance, Bre-B transfers), the test cooperativa accounts you can authorize, and whether you need OAuth-style brokered login or a documented public-API channel only.

How long does a CFA Móvil first delivery take?

A first runnable drop covering login plus statement export typically lands in 5 to 12 business days. Adding Bre-B notifications, debit-card lifecycle endpoints or webhook fan-out extends the timeline to 3 to 4 weeks.

How is Colombian Open Finance regulation handled?

We follow SFC External Circular 004 of 2024, Decree 0368 of 2025 and the 30-month transition timeline set by External Circular 001 of 2026, plus user-consent logging compatible with Habeas Data Law 1581.

Contact

For quotes, scoping, or to submit a CFA Móvil requirement list, open our contact page:

Contact page

📱 Original app overview (appendix)

CFA Móvil is the transactional channel of Cooperativa Financiera de Antioquia (CFA), through which the partner, saver, or customer receives information from CFA and performs financial transactions from their cell phone, easily, economically, and safely.

Request contributions, savings, CFA Express, credits and “más cupo” quota
Make own transfers and to third parties
Pay obligations, “más cupo” bills, or specific uses of “más espacio”
Pay invoices for agreements that CFA has available for its users
Recharge cell phones and other services
Open a CFA Express electronic-money deposit; create or cancel authorizations; block or cancel the product
Block the debit card
Manage login and transactional keys and recover them in case of forgetting

Transactions are attended as long as the balance of the respective account(s) or quota allows it. Rates for transactions that generate collection are informed at the time of each transaction and prior to confirmation; rates are kept available through the CFA website.

To register at CFA Móvil, the user must have their updated information no older than one year and have an authorized cell phone number to receive text messages, otherwise they must update at a CFA office before registration. The application uses two keys: a 4-digit numeric start key (used for authentication on every entry) and a transactional key required for transfers and payments to third parties, key changes, security-element changes, and any operation that moves funds to a different owner. The transactional key can be a 4-digit fixed key, an SMS code, or a code sent by e-mail; the type of key can be changed at any time. The user must report any change of cell phone number; in case of loss or theft of the registered mobile, the user must notify immediately through the channels arranged by CFA for blocking the channel. Non-associates can still download the application and onboard through the CFA Express option in a few minutes using only their identification document and cell phone.