Bring City of Boston Credit Union account data, deposits and transfers into your fintech stack
City of Boston Credit Union (CBCU) is a Boston-headquartered, member-owned credit union serving City employees, public servants and their families across Massachusetts. The mobile app, published under package com.cityofbostoncu.com.imobile, is the primary digital surface through which members check share balances, monitor mortgages and auto loans, deposit checks by photo, move money between accounts and other financial institutions, and manage Bill Pay. We turn that surface into clean, callable APIs.
What we deliver
Each engagement ships as a small, reviewable bundle: an OpenAPI specification, a written protocol report describing how the CBCU mobile client authenticates and how each endpoint is reached, and runnable reference code in Python and Node.js. You decide whether to host the resulting service yourself or call our managed endpoints on a per-request basis.
Deliverables checklist
- OpenAPI 3.1 / Swagger specification for every endpoint we expose
- Protocol & auth-flow report (token lifecycle, device binding, MFA prompts)
- Runnable Python and Node.js reference clients with request signing
- Postman collection plus pytest / Jest test harness
- Compliance addendum: NCUA Part 748, CFPB 1033, GLBA Safeguards Rule mapping
Engagement options
- Source code delivery from $300 — runnable code and docs, paid only on acceptance.
- Pay-per-call hosted API — call our managed endpoints; no upfront cost, billed per request, with usage caps.
- Hybrid — start with hosted endpoints to validate, then take ownership of the source once the integration proves out.
Data available for integration
The table below maps the data surfaces visible inside the CBCU mobile app to the structures we expose through the integration layer. The list is consistent with the CFPB's covered-data definition for credit unions and with what aggregators such as MX, Plaid, Yodlee and Finicity already retrieve from US credit unions.
| Data type | Source (app screen) | Granularity | Typical use |
|---|---|---|---|
| Share & share-draft balances | Accounts dashboard, Fast Balances widget | Per account, current and available, refreshed near real-time | Cash-position dashboards, treasury automation, low-balance alerts |
| Transaction history | Account detail, transaction list | Posted & pending, ≥24 months, with merchant, amount, date, category, fees | Personal finance management, reconciliation, ML transaction enrichment |
| Loan balances (mortgage, auto, personal) | Loans tab inside Accounts | Principal, interest accrued, next payment date and amount | Net-worth tools, debt-to-income scoring, refinancing offers |
| Remote Deposit Capture | Deposit Checks flow | Image hash, deposit status, hold release date | Accounting reconciliation, audit trails, fraud monitoring |
| Bill Pay & recurring payments | Bill Pay tray | Payee, amount, frequency, next-run timestamp | Cash-flow forecasting, subscription tracking, household budgeting |
| Statements / eDocuments | eDocuments centre | PDF + parsed JSON, monthly cadence | Tax preparation, mortgage applications, audit packages |
| Account alerts & preferences | My Profile menu | Channel, threshold, status | UX migration into multi-bank super-apps and white-label PFM products |
Typical integration scenarios
1. Multi-institution PFM dashboard
A Boston-area fintech aggregates CBCU share balances and transactions alongside the member's brokerage and credit-card accounts. We expose GET /accounts and GET /accounts/{id}/transactions, refresh balances on a 15-minute cadence and stream new transactions through a webhook, mirroring the OpenBanking pattern used by CFPB Section 1033.
2. Small-business accounting reconciliation
A QuickBooks plug-in pulls CBCU business-checking transactions nightly, matches them to invoices using merchant strings, and posts the unreconciled balance back to the GL. RDC submissions captured through the CBCU app are paired with their corresponding deposit batches by image hash so that bookkeepers can close the month without manual entry.
3. Mortgage and auto-loan refinancing
A lender consumes CBCU loan-balance and statement data to pre-fill refinancing offers. The integration calls GET /loans, parses statement PDFs into a normalized JSON schema, and feeds the result into a credit-decision engine — replacing screen scrapes with explicit, member-consented data flows.
4. Internal treasury & payroll automation
A municipal employer that uses CBCU as its primary payroll-deposit destination automates net-pay verification: after each payroll run, an internal job calls the share-balance and transaction endpoints to confirm the ACH credit posted, then triggers a notification through the existing HRIS.
5. Compliance & audit reporting
An audit team needs read-only access to 24 months of statements and transactions for a sample of member accounts. We provision a scoped, time-boxed token, expose GET /statements and GET /transactions?type=ACH, and ship signed JSON evidence packets that satisfy NCUA examination requests without exposing PINs or full PANs.
Technical implementation
Below are abridged, sanitized examples of the request/response shapes we generate. Real fields, signing methods and error envelopes are documented in the deliverables bundle and tuned to the customer's runtime (Python, Node.js, Go, or a managed hosted endpoint).
Member authorization (token exchange)
POST /api/v1/cbcu/auth/token
Content-Type: application/json
{
"member_id": "M-78231",
"device_fingerprint": "ios|18.4|FaceID",
"factor": {
"type": "biometric",
"assertion": "<WebAuthn assertion or app-issued nonce>"
}
}
200 OK
{
"access_token": "eyJhbGciOi...",
"refresh_token": "rt_...",
"expires_in": 1800,
"scopes": ["balances:read", "transactions:read", "rdc:write"]
}
Transaction history (Section 1033 shape)
GET /api/v1/cbcu/accounts/ACC-441/transactions
?from=2026-01-01&to=2026-04-30&limit=200
Authorization: Bearer <ACCESS_TOKEN>
200 OK
{
"account_id": "ACC-441",
"currency": "USD",
"transactions": [
{
"id": "tx_9f2a",
"posted_at": "2026-04-21T14:08:00Z",
"amount": -42.18,
"merchant": "MBTA Charlie",
"category": "transit",
"status": "posted",
"fees": 0.00
}
],
"next_cursor": "eyJwYWdlIjoyfQ=="
}
Remote Deposit Capture submission
POST /api/v1/cbcu/rdc/deposits
Authorization: Bearer <ACCESS_TOKEN>
Content-Type: multipart/form-data
front_image: <jpeg, <= 4 MB>
back_image: <jpeg, <= 4 MB>
amount: 125.00
account_id: ACC-441
202 Accepted
{
"deposit_id": "dep_2c91",
"status": "received",
"expected_hold_release": "2026-05-04",
"image_hash": "sha256:6f4a..."
}
# Webhook callback (status changes)
POST https://your.app/webhooks/cbcu
{
"deposit_id": "dep_2c91",
"status": "posted",
"available_amount": 125.00
}
Compliance & privacy
Regulatory alignment
CBCU is a US federally insured credit union, regulated by the National Credit Union Administration (NCUA). Our integrations follow NCUA Part 748 information-security guidance, the Gramm-Leach-Bliley Act Safeguards Rule, and the data-minimization principles introduced in the CFPB's October 2024 Personal Financial Data Rights final rule (Section 1033). We also track the August 2025 reconsideration proceedings so that integrations remain compatible if the rule's effective dates shift.
Operational safeguards
- TLS 1.3 in transit, AES-256 at rest, HSM-backed key storage
- Account numbers masked to last four digits in logs and webhook payloads
- Member consent records persisted for the life of the access grant plus 24 months
- Scoped tokens with revocation; no long-lived shared service credentials
- Audit-ready event logs covering authentication, RDC submission and ACH transfers
Data flow & reference architecture
A typical CBCU integration is built as a thin pipeline so that the customer can swap any segment without rewriting the rest:
- Mobile / web client (or back-office job) initiates a member-consented request.
- Ingestion gateway handles authentication, request signing and rate limiting.
- Protocol adapter translates the call into the upstream CBCU mobile-banking endpoint and refreshes tokens as needed.
- Storage & enrichment layer persists raw payloads, normalizes them into a Section 1033-style schema, and applies categorization (similar to the cleaning step provided by aggregators such as MX or Yodlee).
- API / webhook output serves the consumer (PFM dashboard, accounting tool, treasury automation) with JSON, CSV or OFX.
Market positioning & user profile
CBCU is a community credit union focused on Boston-area municipal employees, first responders, teachers and their relatives. Its members skew toward steady wage earners with payroll deposits, mortgage and auto loans, and modest investment accounts — exactly the kind of accounts where unified personal finance dashboards, automated reconciliation and refinancing tools deliver the highest ROI. The mobile app is published for both Android and iOS, which means our deliverables target both platforms by default and pay particular attention to biometric-first authorization flows (Touch ID and Face ID) that members already trust.
Screenshots
Tap any thumbnail to view a larger version. These screens map directly to the data surfaces listed in the integration table above.
Similar apps & integration landscape
Members and fintechs often work with several New England and US credit-union apps in parallel. The list below outlines apps in the same ecosystem; consolidating their data into one OpenBanking-style API is one of the most common reasons teams reach out.
Digital Federal Credit Union (DCU)
The largest credit union in Massachusetts by assets and membership. Members frequently hold a CBCU checking account alongside a DCU savings or auto-loan account, and want their balances and transactions exported into one dashboard.
Hanscom Federal Credit Union
A Massachusetts-based federal credit union with a strong mobile-first product. Common request: unified ACH-transfer logs across Hanscom and CBCU for household budgeting tools.
Metro Credit Union
Greater Boston commuter-favourite with deep mobile-banking features. Integration projects often ask for combined RDC and Bill-Pay activity feeds across Metro and CBCU.
Greylock Federal Credit Union
Western Massachusetts community institution. Useful for multi-region PFM products that need to cover both Eastern and Western MA member behaviour.
Align Credit Union
Massachusetts community credit union with a similar product mix to CBCU. Frequently appears in side-by-side integration scopes for Boston-area accountants.
All One Credit Union
Provides accessible digital banking across Massachusetts. Comparable transaction and statement schemas make it a natural pair for shared aggregation work.
Massachusetts Family Credit Union
Community-focused credit union; clients sometimes consolidate it with CBCU into a single business-banking dashboard.
Workers Credit Union
One of the largest credit unions in Massachusetts. Often appears in Greater-Boston aggregation requests alongside CBCU and DCU.
Boston Firefighters Credit Union
Serves the Boston public-safety community, overlapping with the same membership pool that CBCU draws from. Shared employer payroll feeds make a natural integration target.
Plaid / MX / Yodlee / Finicity
Not banks, but the dominant US data-aggregation networks. Many CBCU integration projects start by checking whether the institution is reachable through these aggregators and adding a tailored protocol adapter when coverage is incomplete.
About us
OpenFinance Lab is an independent technical studio focused on mobile-app protocol analysis and OpenBanking-style API integration. The team brings hands-on experience from US and European banks, payment processors and aggregator vendors. We have shipped credit-union and community-bank integrations on Android and iOS, and we know how NCUA examinations, CFPB rulemaking and state privacy laws shape what a clean integration should look like.
- Credit unions, community banks and digital-first neobanks
- Payments, mobile RDC, ACH, Bill Pay and account aggregation
- Custom Python / Node.js / Go SDKs and request-signing libraries
- End-to-end pipeline: protocol analysis → build → validation → compliance review
- Source code delivery from $300 — runnable code and documentation, paid only on acceptance
- Pay-per-call hosted API — no upfront cost, billed per request
Contact
Tell us which CBCU surfaces you need exposed (balances, transactions, RDC, transfers, statements) and on what timeline. We will respond with a fixed-fee quote and a sample of the resulting API contract.
Engagement workflow
- Scope confirmation: which surfaces (balances, transactions, RDC, ACH, Bill Pay, statements).
- Protocol analysis and API design (2–5 business days, complexity-dependent).
- Build and internal validation against a member sandbox (3–8 business days).
- Documentation, sample clients and test cases (1–2 business days).
- First delivery typically 5–15 business days; aggregator handshakes may extend timelines.
FAQ
Is City of Boston Credit Union an open API?
Which CBCU data can be exposed via API?
How long does a CBCU integration take?
How do you stay compliant with NCUA and CFPB rules?
📱 Original app overview (appendix)
Easily access all of your accounts and features right at your fingertips with the City of Boston Credit Union mobile app. Manage your accounts, deposit checks, make transfers, pay bills and more.
Manage Your Accounts
- Monitor your checking and savings accounts (current and available)
- View mortgage, auto loan and other account balances
- Set up Account Alerts and adjust your preferences
Quick Access
- Enable Touch ID® or Face ID® for a fast and safe way to access your account
- View your balances on the go with Fast Balances
Enhanced Navigation
- My profile menu to manage notifications and personal preferences
- Navigation tray with quick access to top used features
- Hamburger menu with all the transactional tools needed to stay on top of finances
Deposit Funds
- Deposit checks by taking photos of checks to deposit them
- Instantly view the processing deposit in your account
Make Transfers and Payments
- Transfer funds between your accounts and to other financial institutions
- View and manage your bills and recurring payments in one place
Disclosure
- The mobile app is free; mobile-carrier message and data rates may apply
- Some features are only available for eligible account holders and/or accounts