ComfirstCU API integration & OpenBanking data export

OpenData · OpenFinance · CFPB 1033 · FDX 6.4

Connect ComfirstCU member data to your accounting, fintech or compliance stack

ComfirstCU (package com.communityfirstcu.communityfirstcu) is the digital banking app of Community First Credit Union members. It exposes balances, transaction history, mobile check deposit, internal transfers, bill pay and Co-Op ATM data — the exact surface that personal-finance dashboards, accounting platforms and lending underwriters need to query.

Transaction history API — date-range, ACH/POS/ATM/Bill Pay channels, signed amounts, running balance.
Balance & account profile — share, share-draft, money market and loan accounts with current and available balance.
Mobile check deposit (RDC) — capture, MICR parse, hold/availability schedule, confirmation webhook.

Member login & OAuth handoff — mirror the in-app authorization flow with token refresh, biometric (Touch ID / Face ID) gating, and FAPI 1.0 baseline.

Statement export — pull historical PDF/eStatement records and structured JSON with paging and filters; downstream-ready for QuickBooks, Xero, NetSuite or risk dashboards.

Transfers & Bill Pay — member-to-member, A2A external transfers via the Co-Op shared branching network, plus scheduled Bill Pay payee/recipient management.

Card services — freeze/unfreeze, travel notice, dispute initiation and contactless wallet (Apple Pay, Google Pay, Samsung Pay) provisioning hooks.

What we deliver

Deliverables checklist

OpenAPI 3.1 specification covering login, accounts, transactions, transfers, RDC and Bill Pay
Protocol & auth flow report: TLS pinning, OAuth handshake, token refresh, biometric step-up
Runnable Python and Node.js reference clients with sample fixtures
Pytest / Jest test harness, mocked sandbox + record/replay traces
Compliance brief: CFPB 1033 mapping, FDX 6.4 field crosswalk, retention notes
Optional Postman collection and a Banno / Jack Henry-shaped JSON adapter

API example: ComfirstCU statement query

// Pull a member's transactions in FDX-shaped JSON
POST /api/v1/comfirstcu/transactions
Content-Type: application/json
Authorization: Bearer <ACCESS_TOKEN>

{
  "accountId": "share-1234",
  "fromDate": "2026-04-01",
  "toDate":   "2026-04-30",
  "types":    ["DEBIT_CARD","ACH","BILL_PAY","RDC"],
  "page":     { "limit": 100, "cursor": null }
}

200 OK
{
  "accountId": "share-1234",
  "currency":  "USD",
  "transactions": [
    {
      "transactionId": "tx_9f2…",
      "postedDate":    "2026-04-12",
      "amount":        -42.18,
      "description":   "PUBLIX #0142 JACKSONVILLE FL",
      "category":      "GROCERY",
      "channel":       "DEBIT_CARD",
      "runningBalance": 1284.55
    }
  ],
  "page": { "nextCursor": "eyJvZmZzZXQ…" }
}

API example: mobile check deposit (RDC) ingest

// Submit front + back check images for clearing
POST /api/v1/comfirstcu/rdc/deposit
Content-Type: multipart/form-data
Authorization: Bearer <ACCESS_TOKEN>

- account_id:   share-1234
- amount:       250.00
- front_image:  <jpeg>
- back_image:   <jpeg>
- micr:         "T031309123T 9876543C 0123"

201 Created
{
  "depositId":         "dep_5e1…",
  "status":            "PENDING_REVIEW",
  "holdReleaseDate":   "2026-05-12",
  "availabilityCents": 25000,
  "duplicateRisk":     "low"
}

API example: posted-transaction webhook

// Webhook delivered when a transaction settles
POST <your-callback-url>
X-Signature: t=1746,v1=9c3a…
Content-Type: application/json

{
  "event":  "transaction.posted",
  "memberId": "mbr_77a…",
  "accountId": "share-1234",
  "transaction": {
    "transactionId": "tx_9f2…",
    "amount": -42.18,
    "channel": "DEBIT_CARD"
  }
}

// HMAC verification (Node.js)
const sig = crypto
  .createHmac("sha256", WEBHOOK_SECRET)
  .update(rawBody).digest("hex");
if (sig !== headers["x-signature"].split(",v1=")[1]) reject();

Data available for integration

This inventory enumerates the structured datasets ComfirstCU holds and how each maps to a typical OpenData consumer. Columns mirror the FDX v6.4 entity model so a downstream FDX-compliant aggregator can ingest the feed without custom adapters.

Data type	Source screen / feature	Granularity	Typical downstream use
Account profile	"View Balances" tab	Per share / share-draft / loan account	Account aggregation, KYC enrichment
Current & available balance	Balance card on Home	Real-time, per account	Cashflow forecasting, NSF prevention
Transaction history	"Transaction History"	Per transaction, posted & pending, signed	Bookkeeping, expense categorization, fraud rules
Mobile check deposit	"Mobile Check Deposit"	Image, MICR, hold schedule, status	Lending verification, AR matching
Bill Pay payees & payments	"Bill Pay"	Payee record + scheduled / completed payments	Bill management apps, financial wellness
Internal & A2A transfers	"Transfer Funds"	From/to account, amount, frequency	Treasury, automated savings, payroll splits
Card controls	"Card Services"	Lock state, travel notice, dispute case	Card-control widgets, fraud response
Branch & Co-Op ATM directory	"Locate Branches"	Geo, hours, services, surcharge-free flag	Map widgets, ATM finder partners
eStatements	Online banking record	Monthly PDF + structured summary	Mortgage underwriting, audit packages

Typical integration scenarios

1. Personal-finance dashboard (PFM)

A budgeting startup wants to surface a member's ComfirstCU checking balance and last 90 days of transactions next to their other US bank feeds. We map the /transactions endpoint to FDX TransactionList, normalize categories against an MCC dictionary, and ship daily incremental sync via the transaction.posted webhook so the dashboard never re-pulls history.

2. SMB bookkeeping & reconciliation

A small-business member runs payroll out of Community First Credit Union and reconciles to QuickBooks. We expose a Bill Pay payee API plus a posted-transaction stream; reconciliation matches each AP entry to its corresponding ACH posting, eliminating manual statement uploads and removing the "missing receipts" review queue.

3. Lending & underwriting

A consumer-lending partner needs three months of bank statements and a mobile check deposit history to verify income. The integration combines /statements (PDF + JSON) with /rdc/deposit records, signs the package with our webhook key, and forwards it to the partner's underwriting pipeline — FDX field names map cleanly to the lender's Akoya-shaped contract.

4. Compliance & audit logging

Internal audit needs a tamper-evident copy of every consent the member gives. Our consent ledger records OAuth scope grants, FAPI x-fapi-interaction-id values, IP, device, and the FDX ConsentReceipt — enough to satisfy a Section 1033 audit and to revoke access on a single API call.

5. ATM / branch locator embed

A travel app wants to surface surcharge-free Co-Op ATMs near the user. The /locations feed returns geo, opening hours and surcharge-free flag; we ship a simple GeoJSON adapter so the partner's existing Mapbox integration renders pins without a redeploy.

Compliance & privacy

Every flow is built around the CFPB’s Section 1033 Personal Financial Data Rights rule finalized on 22 October 2024, plus the FDX API v6.4 specification released in Spring 2025 (24 new RFCs, the CSDF Security Model and a Consent API Behavioral Specification). We implement OAuth 2.0 with FAPI 1.0 baseline, capture explicit member consent for each scope, log every data pull, and never store raw member credentials. The integration also respects the Gramm-Leach-Bliley Act safeguards rule and applicable NCUA member-data guidance for US credit unions.

Because Community First Credit Union sits below the $850M asset threshold described in the final rule, it is currently exempt from the mandatory 1033 timeline — but member-permissioned data sharing remains explicitly protected, and any production integration we ship is forward-compatible with the FDX-based developer interface that larger US institutions are required to expose from April 2026 onward.

Auth & security baseline

OAuth 2.0 authorization code + PKCE; FAPI 1.0 baseline message signing
Mutual TLS for server-to-server endpoints
Rotating webhook HMAC secret, replay-window enforcement
Scoped tokens: account.read, tx.read, rdc.write, billpay.write
Consent receipts retained for 7 years per audit guidance
Optional FAPI 2.0 profile for partners aligning with the Mastercard FDX dev hub

Data flow & reference architecture

The reference pipeline is intentionally compact: ComfirstCU mobile / online banking → OpenFinance Lab API gateway → FDX-shaped storage → partner consumer (PFM, accounting, underwriting). Authentication terminates at the gateway, which holds short-lived access tokens and persists only consent metadata. Storage is partitioned per member with row-level encryption. Outbound delivery is either pull (REST query) or push (HMAC-signed webhook) so consumers can choose the model that matches their own queue or warehouse. A separate observability lane streams metrics and audit events to Grafana / OpenSearch so partners can prove SLA and consent compliance during a 1033 examination.

Market positioning & user profile

The ComfirstCU app serves Community First Credit Union members — primarily Northeast Florida households and small businesses, plus their family members nationwide. The user base skews retail consumer with a long tail of independent contractors and SMBs that rely on shared-branch and Co-Op ATM access. Both Android and iOS clients are actively maintained, with a 2024 release that refreshed the accounts view, mobile deposit and navigation experience, and added Zelle, eStatements and digital-wallet provisioning (Apple Pay, Google Pay, Samsung Pay). For OpenData partners, the typical buyer is a US-focused fintech, a state-licensed lender, or an accounting platform looking to add credit-union coverage without negotiating directly with every individual cooperative.

Screenshots

Click any thumbnail to view the larger image.

Similar apps & integration landscape

Members of ComfirstCU often hold accounts at other US credit unions or use national digital-banking apps. Listing them here is purely an ecosystem reference: each name is a parallel data source, and partners that integrate one frequently want unified coverage across several. We have built or shipped equivalent FDX-shaped pipes against most of these.

Alliant Credit Union — Chicago-based digital-first credit union. Similar account, transactions and mobile deposit data; common alongside ComfirstCU in nationwide PFM dashboards.
Navy Federal Credit Union — Largest US credit union by assets. High-volume transaction data and a feature-rich mobile app; partners often request Navy Federal + a regional CU like Community First in the same export.
PenFed (Pentagon Federal Credit Union) — 2.8M members on a unified Salesforce-backed digital channel; a frequent comparison point when discussing member-360 data exports.
Suncoast Credit Union — Florida-headquartered, ~80 branches. Closest geographic peer to Community First Credit Union; many Florida residents hold accounts at both.
First Tech Federal Credit Union — Tech-employee focused CU. Strong card-controls and lending data, popular in fintech-employee PFM stacks.
Consumers Credit Union (CCU) — Illinois-based, known for high-yield checking. Mirrors the Community First product set with checking, savings, mortgages and personal loans.
Empower Federal Credit Union — New York. Listed as a peer competitor to Community 1st Credit Union; similar account-aggregation surface area.
Premier America Credit Union — California. Frequently appears in West-Coast credit-union benchmarks alongside the institutions above.
Heritage Financial Credit Union — Hudson Valley, NY. Useful as a structured peer when scoping a multi-CU rollout.
Banno (Jack Henry digital banking) — Not a credit union but the underlying digital-banking platform many US credit unions, including peers of Community First, run on. Knowing the Banno API surface accelerates any CU integration.

Aggregator-side, we routinely interoperate with Plaid, MX, Akoya, Finicity and Yodlee; a dedicated ComfirstCU pipe complements those channels when an aggregator does not have the credit union onboarded directly.

About OpenFinance Lab

We are an independent studio focused on US fintech and credit-union API integration. The team includes former Jack Henry, Banno and core-banking engineers, mobile reverse-engineering specialists, and compliance reviewers who have shipped against FDX, Plaid, MX and Akoya pipelines.

Credit union, community bank and neobank API delivery
Mobile protocol analysis (Android & iOS) with security review
FDX 6.4 / CFPB 1033 readiness mapping for institutions and partners
Custom Python / Node.js / Go SDKs and Postman collections
End-to-end pipeline: protocol study → build → validation → compliance brief
Source code delivery from $300 — runnable code and documentation, paid after delivery upon acceptance
Pay-per-call hosted API — no upfront cost, usage-based pricing, ideal for proofs of concept

Contact

To request a quote, share your target ComfirstCU integration scope, or ask about hosted endpoints, open the contact page below. Include the data scope you need, your current aggregator (if any), and your expected daily call volume so we can scope the engagement model.

Open contact page

Engagement workflow

Scope confirmation — data fields, call volume, aggregator coverage, compliance posture (1–2 business days).
Protocol & auth analysis — OAuth, TLS pinning, biometric step-up, device-binding signals (2–5 business days).
Build & internal validation — reference Python / Node.js client, fixtures, sandbox traces (3–8 business days).
Documentation, OpenAPI, FDX crosswalk and test cases (1–2 business days).
Acceptance review & handover — you only pay after the deliverables run on your side.

FAQ

What do you need from me to start a ComfirstCU integration?

The ComfirstCU package ID (com.communityfirstcu.communityfirstcu), the data scope you need (balances, transactions, mobile check deposit, transfers), a sandbox or test member credential, and any aggregator account (Plaid, MX, Akoya, Finicity) you already use.

How long does delivery take?

A first source-code drop with login, balance and transaction endpoints typically ships in 5 to 12 business days. Mobile check deposit (RDC) flows or webhook-driven posting jobs add another 3 to 8 business days depending on the back-office endpoints involved.

How do you handle compliance with CFPB Section 1033 and FDX?

We design every flow to align with the CFPB 1033 Personal Financial Data Rights rule and FDX API v6.4: OAuth 2.0 / FAPI authentication, explicit consent capture, scoped tokens, audit logging, and data minimization. We do not store member credentials and we recommend FDX-shaped JSON for downstream consumers.

Do you support both Android and iOS ComfirstCU clients?

Yes. The Android package is com.communityfirstcu.communityfirstcu and the iOS counterpart is published on the App Store. We deliver platform-agnostic API source (Python or Node.js) plus optional native SDK shims for embedded mobile capture.

Original app overview (appendix)

ComfirstCU is the official mobile banking app of Community First Credit Union, a US credit union headquartered in Northeast Florida. The app lets enrolled online-banking members manage their money on the go: check balances before swiping a debit card, deposit a check from home, pay bills, transfer funds, manage card services, and locate branches and Co-Op ATMs. Biometric authentication via Touch ID and Face ID is supported on capable devices, and the app integrates with Apple Pay, Google Pay and Samsung Pay for in-store and online checkout.

Stated in-app feature list:

Mobile Check Deposit
Bill Pay
View Balances & Transaction History
Transfer Funds
Card Services
Touch ID / Face ID
Locate Branches & Co-Op ATMs

Notes: the app requires members to be enrolled in online banking. In its 2024 release cycle the team refreshed the accounts view, mobile deposit and navigation experience, and broadened digital-wallet support. ComfirstCU is published on Google Play under the package com.communityfirstcu.communityfirstcu and on the iOS App Store. For account opening, eligibility, fees and disclosures, visit the credit union's official site at comfirstcu.org — the page you are reading is a technical-integration overview and not an offer of banking products.