Mobile SBLA API integration & OpenBanking data export

OpenData · OpenBanking · Section 1033 · Community banking

Turn Mobile SBLA account data into an OpenBanking-style API your accounting, ERP or risk stack can call

Mobile SBLA is the customer-facing app for Scottsburg Building and Loan Association, a long-running Indiana thrift institution serving Scott County depositors. We deliver a compliant, account-holder-authorized integration that exposes the same balance, transaction, transfer and mobile-deposit data the app surfaces — as a clean REST API your team can wire into bookkeeping, treasury, or analytics workflows.

Account aggregation API — Single endpoint returns the depositor's full account roster: checking, savings, CDs and money-market balances with available vs. ledger split.

Transaction history export — Paginated statement endpoint returning at least 24 months of activity in JSON, CSV, OFX or PDF, matching the data-window guidance in the CFPB's Section 1033 final rule.

Mobile deposit (RDC) bridge — Programmatic check capture and deposit-status polling: submit front and back images, retrieve clearing state, route exceptions back to your system.

Internal transfer orchestration — Initiate and confirm SBLA-to-SBLA transfers with idempotency keys, dual-approval support, and webhook fan-out for posted events.

Feature modules

Authentication & session

Mirrors the in-app login flow: username and password, multifactor challenge (SMS, email, knowledge-based questions), device binding, and refresh-token rotation. Designed so a downstream service can hold long-lived consent without re-prompting the customer on every call.

Balance & account roster

Returns current and available balance per account, last-statement balance, account type, and routing/account number where customer-authorized. Useful for cash forecasting, dashboard tiles, and reconciliation of internal ledgers against the bank source-of-truth.

Transaction history API

Filterable by date range, account, amount range, and free-text memo. Supports paging cursors and incremental sync via a "since" marker so nightly ETL jobs can pull only new postings. Categorizable through merchant-name normalization on our side.

Internal transfer endpoint

Wraps the SBLA-to-SBLA transfer screen. Accepts source account, destination account, amount, and idempotency key; returns transfer ID and posted timestamp. Webhook callbacks notify your service when a pending transfer clears or is reversed.

Mobile check deposit bridge

Accepts JPEG/PNG front and back images per common RDC patterns, runs OCR for amount and MICR fields, and submits to the bank's deposit pipeline. Status polling and webhook notifications cover queued, deposited, on-hold, and rejected outcomes.

Statement export

Generates monthly or custom-range statements in PDF and OFX. Pairs with our transaction API so reconciliation tools can match a downloaded statement against the same period's raw posting feed without manual line-by-line work.

Data available for integration

The table below maps each surface in the Mobile SBLA app to the structured fields we expose through the integration layer. Use it as a starting checklist when scoping a project.

Data type	Source screen / feature	Granularity	Typical use
Account roster & balances	Accounts overview	Per account, real-time available + ledger balance	Cash-position dashboards, treasury sweeps
Transaction history	Recent activity / statement view	Per posting: date, amount, memo, type, running balance	Bookkeeping sync, lending underwriting, expense categorization
Internal transfer events	Transfer between SBLA accounts	Per transfer: status, amount, source, destination, timestamp	Reconciliation, automated treasury rules
Mobile deposit (RDC) metadata	Deposit a check screen	Per item: image hash, OCR amount, MICR, status, hold info	Receivables automation, cheque float modeling
Account details & routing	Account detail screen	Account number, routing number, product type, open date	ACH set-up, payee verification, KYC
Statement documents	Statements / e-documents	PDF + OFX per statement cycle	Audit trail, tax preparation, customer disclosure
Alerts & notifications	Push notifications, in-app inbox	Per event: type (low balance, deposit posted, transfer cleared)	Event-driven customer messaging, fraud triage

Typical integration scenarios

1. Small-business bookkeeping sync

A Scott County contractor with a Mobile SBLA checking account wants nightly posting into QuickBooks Online or Xero. Our connector authenticates once with depositor consent, pulls new postings via the transaction history endpoint using a "since" cursor, normalizes vendor names, and writes journal entries through the accounting platform's REST API. Maps directly to Section 1033's "consumer authorizes a third party to access account data" model.

2. Cash-flow underwriting for SMB lending

A community lender wants 24 months of inflow/outflow data before issuing a working-capital loan. The integration returns a categorized transaction stream plus running balances, then computes deposit volatility and overdraft frequency. Output mirrors what aggregators such as Plaid Assets emit, but is sourced through the customer-consented Mobile SBLA channel rather than a screen-scraping aggregator.

3. Mobile-deposit-driven AR automation

A property manager receives rent checks. They snap each cheque in Mobile SBLA; our bridge captures the OCR amount, MICR, and deposit ID, and posts a matching AR receipt into the property-management system. When the bank clears or holds the deposit, the webhook updates the receivable status. Removes the manual reconciliation step that normally follows mobile check deposit.

4. Treasury rollup across community-bank accounts

A family office holds accounts at SBLA and several other Indiana community banks. The integration exposes a unified /accounts and /transactions feed across all of them, so a single dashboard shows position, week-over-week deltas, and projected balances. Same auth pattern, different base URLs — reusing the work across the cluster of similar thrifts in the region.

5. Compliance and audit log replication

A wealth advisor under fiduciary obligations must keep a tamper-evident copy of every client transaction. Our integration streams new SBLA postings to the advisor's WORM-mode storage with hash-chained records, plus generates monthly statement PDFs for the client file. Designed to satisfy SEC books-and-records expectations without making the advisor log in to the app daily.

Technical implementation

Three short examples below show the shape of the authorized API surface. Field names are illustrative; final payloads are documented in the OpenAPI spec delivered with the source code.

1. Authorize and exchange for a session token

POST /api/v1/sbla/auth/login
Content-Type: application/json

{
  "username": "j.doe",
  "password": "<encrypted>",
  "device_id": "f4a1-...-9c",
  "mfa_channel": "sms"
}

200 OK
{
  "session_token": "eyJhbGciOi...",
  "expires_in": 3600,
  "refresh_token": "rt_9k...",
  "mfa_required": false
}

2. Pull transaction history with cursor

GET /api/v1/sbla/accounts/{account_id}/transactions
  ?since=2026-04-01
  &cursor=eyJwIjoxMn0
  &limit=100
Authorization: Bearer <session_token>

200 OK
{
  "items": [
    {
      "id": "tx_8af23",
      "posted_at": "2026-05-08T14:02:11Z",
      "amount": -42.17,
      "currency": "USD",
      "memo": "POS PURCHASE - SCOTTSBURG IGA",
      "type": "debit_card",
      "running_balance": 1854.66
    }
  ],
  "next_cursor": "eyJwIjoxM30"
}

3. Submit a mobile check deposit

POST /api/v1/sbla/deposits
Content-Type: multipart/form-data
Authorization: Bearer <session_token>

deposit_account_id=acc_3392
front_image=@front.jpg
back_image=@back.jpg
amount=750.00
idempotency_key=dep_20260510_001

202 Accepted
{
  "deposit_id": "dep_7714",
  "status": "queued",
  "ocr_amount": 750.00,
  "expected_clearing": "2026-05-12"
}

# Webhook (POST to your endpoint) on status change:
{ "deposit_id": "dep_7714", "status": "deposited",
  "available_on": "2026-05-12T13:00:00Z" }

Compliance & privacy

US regulatory context

Personal financial data access in the United States is governed by Section 1033 of the Dodd-Frank Act. The CFPB issued the final Personal Financial Data Rights rule in October 2024 with an effective date of January 17, 2025, currently under reconsideration. The rule applies to depository institutions above an $850M asset threshold and obliges them to deliver consumer-authorized account data to permitted third parties at no charge. Smaller thrifts such as SBLA are not directly covered, but the same data-minimization, revocation, and security principles inform every integration we build.

Operating controls

All access is performed with explicit account-holder authorization. We never store passwords in plain text, rotate session tokens at least hourly, and pin TLS 1.2+ end to end. Each integration includes consent records, immediate revocation hooks (so credentials become unusable the moment the customer withdraws permission), and an event log retained for the lifetime of the integration. NDA and a written scope letter are part of every onboarding.

Data flow & architecture

A typical Mobile SBLA integration moves through four nodes:

Mobile SBLA app surface — consumer-authorized login and screens (Android / iOS).
Integration gateway — our service handles auth, token rotation, request shaping, retries, and per-tenant rate limiting.
Normalized data store — postings, balances, deposits, and statements written into a relational schema (Postgres-compatible) with append-only audit tables.
Outbound API / webhooks — your stack consumes REST endpoints, OFX downloads, or push events; no polling against the bank required.

This boundary keeps the bank-facing credentials and rate behavior isolated from your application code while exposing a stable contract upstream.

Market positioning & user profile

Scottsburg Building and Loan Association is a mutual-style community thrift headquartered in Scottsburg, Indiana, primarily serving Scott County and the surrounding area. Its mobile customers skew toward retail depositors and small local businesses: tradespeople, farms, family-run retailers, and long-tenured savings customers who value branch relationships but want self-service for checks, balances, and transfers. The Mobile SBLA app is published for both Android (via Google Play) and iOS (via the App Store) and reflects the broader US trend in which roughly 600 thrift institutions continue to compete with national banks by leaning on local underwriting and digital basics rather than feature-rich mega-bank apps. That positioning shapes our integration: clean access to the core data, no dependence on consumer-facing flourishes that may not exist on a community-bank app.

Screenshots

Click any thumbnail to view it full-size. These are official Google Play screenshots of the Mobile SBLA app, showing the surfaces our integration maps to.

Similar apps & integration landscape

The Indiana community-bank app cluster sits on a small number of shared digital banking platforms, which means an integration model that works for Mobile SBLA usually transfers cleanly to its peers. Teams that consume Mobile SBLA data often have accounts at one or more of the following apps and want a unified view across them.

Community First Bank Indiana

Mobile app for an Indiana community bank with bill pay, transfers, and mobile deposit. Customers often want the same statement-export feed exposed for Mobile SBLA across this account too.

American Community Bank of IN

Offers 24/7 account access, transaction review, transfers, bill pay, and snapshot check deposit. Sits on a shared digital-banking core with several other small Indiana institutions.

Community Bank's CB2GO

Multi-account digital banking app with credit-score tools and money-movement features. Frequently appears alongside Mobile SBLA in dual-bank household relationships.

People's Community Bank of Monticello

Indiana mutual bank offering mobile and online banking. Same data inventory (balances, postings, deposits) and a natural candidate for re-using SBLA connectors.

First Federal Savings Bank

A regional Indiana thrift with a mobile banking app covering checking, savings, transfers, and check deposit. Common second-account choice for SBLA customers.

Centra Credit Union

Large Indiana credit union with a feature-rich mobile app. Often included in cross-institution treasury rollups for small businesses in southern Indiana.

Mutual Savings Bank

Community mutual bank serving Bartholomew and surrounding counties with a similar mobile feature set. Same OFX / transaction-feed contract works once authorized.

Old National Bank

A larger regional Indiana institution. Appears in unified-balance dashboards as the "primary" account against which community-bank accounts like SBLA are reconciled.

German American Bank

Southern Indiana community bank with mobile banking, transfers, and deposit. Frequently the second institution in regional household and small-business banking setups.

Stock Yards Bank & Trust

Cross-river Louisville-area bank popular with depositors in Scott County. Common counterpart account for SBLA customers wanting consolidated reporting.

What we deliver

Deliverables checklist

OpenAPI / Swagger specification covering auth, accounts, transactions, transfers, and deposits.
Protocol and auth flow report (token exchange, MFA path, refresh, device binding).
Runnable source in Python and Node.js for login, statement export, and webhook receiver.
Automated test suite plus Postman / Insomnia collection.
Compliance guidance: consent record schema, revocation hook, retention windows, data-minimization notes aligned with Section 1033.

Engagement workflow

Scope confirmation: which endpoints, which data types, which downstream consumer.
Protocol analysis and API design (2–5 business days).
Build, internal validation, and security review (3–8 business days).
Docs, sample code, and test cases (1–2 business days).
Hand-off plus a 30-day support window for fixes and questions.

About OpenFinance Lab

We are an independent studio focused on mobile-app protocol analysis, authorized data extraction, and OpenData / OpenBanking integrations. Our engineers come from banks, payment networks, and consumer-finance startups, and we have shipped integrations against everything from international UPI rails to small US community-bank apps. Engagements are scoped, written, and run under explicit customer authorization.

Mobile banking, payments, brokerage, and insurance integrations.
Custom Python, Node.js, and Go SDKs plus webhook receivers.
Full pipeline: protocol analysis → build → validation → compliance review.
Source code delivery from $300 — pay after delivery upon satisfaction.
Pay-per-call API billing — use our hosted endpoints and pay only per call, no upfront cost.

Contact

To request a quote or send target-app details, open the contact page:

Contact page

We respond within one business day. Please include the target app, the data types you need, and your downstream system.

FAQ

What do you need from me to start a Mobile SBLA integration?

The target app name (provided), the data fields you need (balances, transaction history, transfer status, mobile deposit metadata), and any existing credentials, sandbox access, or written consent from the account holder so we can run authorized data extraction.

How long does delivery take for a community-bank app like Mobile SBLA?

A first usable drop with login, balance, and statement endpoints typically lands in 5 to 12 business days. Mobile check deposit hooks and webhook-based transaction streaming may take 2 to 3 weeks depending on the core banking vendor in use.

How do you handle compliance for US bank data?

We work only under written customer authorization or documented public APIs, align with CFPB Section 1033 personal financial data rights principles, and follow data-minimization, encryption, and revocation practices. NDA, retention windows, and audit logs are part of every engagement.

Can the same SDK cover other community banks I work with?

Yes. Many community banks run on shared cores such as Jack Henry or Fiserv DNA. The auth and statement modules we deliver for Mobile SBLA can typically be re-pointed at peer apps with only credential and base-URL changes.

Engagement models

Choose the model that fits the project shape.

Source code delivery from $300 — you receive runnable API source, OpenAPI spec, and tests. Pay after delivery upon satisfaction.
Pay-per-call hosted API — we run the integration; you call our endpoints and pay only for what you use. Ideal for prototypes and short campaigns.
Custom retainer — ongoing maintenance, version tracking, and support across multiple community-bank integrations.

Original app overview (appendix)

Mobile SBLA is the official mobile banking application of Scottsburg Building and Loan Association, Inc., a community thrift institution headquartered in Scottsburg, Indiana. The app is published for both Android (package com.scottsburgbuilding.mobile) and iOS, and is free for SBLA depositors.

According to the app description, Mobile SBLA lets customers bank on the go and manage their accounts from a mobile phone whenever it is convenient. The published feature set is intentionally focused, in line with the bank's community-thrift positioning:

Check account balances — quick view of current available and ledger balances across the customer's SBLA accounts.
View recent activity and transaction history — a chronological feed of postings, useful for spotting unfamiliar charges and tracking pending items.
Transfer money between SBLA accounts — internal transfers between the customer's own accounts at the institution.
Deposit checks by taking a picture — remote deposit capture using the device camera for the front and back of the cheque.

The app's surface is deliberately narrow: there is no investment trading, no large catalog of bill-pay merchants beyond the standard set, and no consumer-facing third-party API. From an OpenBanking standpoint, this concentration is actually a strength — it means the data model is small, well understood, and a clean candidate for a tightly scoped, customer-authorized API. References: the Google Play listing and the bank's official website.