ScotiaMóvil MX API integration & Open Finance data services

Account login & session management

We mirror the ScotiaWeb / ScotiaMóvil authentication handshake — device fingerprint, e-Llave / biometric factors and session token rotation — and expose it as a clean /auth endpoint with refresh and revocation. Useful for personal finance apps that need delegated read access without asking customers to re-enter credentials on every session.

Transaction history & statement export

Retrieve up to 12 months of transactions per product (debit, credit, investments) with normalized fields: amount, currency, clave_rastreo, concepto, referencia_numerica, counterparty CLABE, and channel. Use for reconciliation, cash-flow dashboards, and SAT tax-prep feeds.

CoDi QR & SPEI transfer integration

Generate and validate CoDi 0.2 QR / push payment requests, poll SPEI status via clave_rastreo, and stream confirmations to your webhook. Typical use: point-of-sale order completion, donation platforms, and invoice settlement within seconds.

Card services & dynamic CVV

Surface card-on/card-off toggles, virtual-card issuance, dynamic CVV regeneration, and ATM cash-without-card codes. Useful for fraud-prevention dashboards, gig-economy payout products, and corporate expense controls.

Apartados (savings goals) automation

Create one-time or recurring Apartados, update contribution rules, and track goal progress. Budgeting apps use this to turn Scotiabank accounts into programmable savings envelopes without building their own ledger.

Bill pay, airtime & investments

Pay CFE, Telmex, Izzi, gas, and mobile top-ups; also read investment holdings and download investment statements. Used by aggregators that want one unified "pay and view" surface across Mexican utilities.

1. SME accounting sync with ContPAQi / Aspel

Context: Mexican SMEs that keep operating accounts at Scotiabank need to push daily movements into their accounting stack for SAT reporting.

Data / API: /statements/scotiamx returns movements with clave_rastreo, concepto, counterparty CLABE and reference. Our ingestion service maps each row to a ContPAQi/Aspel polizas record and flags duplicates via hash.

Open Finance mapping: This is the CNBV-defined transactional data category — our integration always carries explicit customer consent artifacts and per-record audit trails.

2. Marketplace SPEI + CoDi settlement

Context: A marketplace receives buyer payments via SPEI or CoDi and needs near-instant order confirmation.

Data / API: /webhooks/spei-in fires on inbound transfers; the payload carries clave_rastreo, amount, sender CLABE, and referencia_numerica (used as order ID). CoDi flows use /codi/request + push confirmation.

Open Finance mapping: Matches the aggregate + transactional data exchange pattern under Article 76 of the Fintech Law.

3. Personal finance / PFM aggregation

Context: A PFM app wants a unified view of a user's Scotiabank debit, credit, and Apartados goals next to cards from other Mexican banks.

Data / API: /accounts returns all products; /apartados returns goal progress; statements are pulled incrementally with a cursor to support mobile background sync.

Open Finance mapping: The aggregator acts as a Data Petitioner; our integration layer provides consent-management hooks compatible with CNBV's expected API topology.

4. Credit origination & underwriting

Context: A digital lender wants 6–12 months of verified bank statements to underwrite a personal loan without paper PDFs.

Data / API: /statements/export?format=pdf&range=12m delivers a signed PDF plus a normalized JSON feed with income detection and recurring expense buckets.

Open Finance mapping: Reduces fraud risk compared to user-uploaded PDFs; integrates with CNBV-style consent logs so the lender can prove the data origin during audits.

5. Treasury & corporate payroll verification

Context: A corporate HR platform must confirm that payroll dispersions have landed in employees' Scotiabank accounts before closing the payroll cycle.

Data / API: Batch /payroll/verify takes a CSV of CLABE + expected amount and returns per-employee status using inbound SPEI rows; investment and loan data is optional for higher-tier compliance tooling.

Open Finance mapping: Payroll verification is a frequent use case cited in Mexico Fintech Law secondary regulations for legitimate aggregated-data exchange.

Auth & session (OAuth-style token)

POST /api/v1/scotiamx/auth/login
Content-Type: application/json

{
  "username": "user_alias",
  "credential_ref": "e-llave://session-123",
  "device_id": "fp_8f1c...",
  "consent_id": "consent_2026_04_a1b2"
}

200 OK
{
  "access_token": "eyJhbGciOi...",
  "refresh_token": "rft_9c...",
  "expires_in": 900,
  "consent": {
    "scope": ["accounts.read","statements.read","codi.push"],
    "expires_at": "2026-07-20T00:00:00Z"
  }
}

Statement query

POST /api/v1/scotiamx/statement
Authorization: Bearer <ACCESS_TOKEN>

{
  "account_clabe": "044180XXXXXXXXXXXX",
  "from_date": "2026-01-01",
  "to_date":   "2026-03-31",
  "types": ["SPEI_IN","SPEI_OUT","CARD","BILL_PAY"],
  "page_size": 100,
  "cursor": null
}

200 OK
{
  "items": [
    {
      "posted_at": "2026-03-28T14:03:11-06:00",
      "amount": -1250.00,
      "currency": "MXN",
      "type": "SPEI_OUT",
      "clave_rastreo": "SCT20260328A1B2",
      "counterparty_clabe": "012180XXXXXXXXXXXX",
      "concepto": "PAGO PROVEEDOR #4421",
      "referencia_numerica": "4421"
    }
  ],
  "next_cursor": "c_7f3..."
}

CoDi push notification webhook

POST /your-app/webhooks/scotiamx/codi
X-Signature: sha256=...

{
  "event": "codi.payment.confirmed",
  "merchant_order_id": "ORD-9871",
  "amount": 499.00,
  "currency": "MXN",
  "payer_alias": "5255XXXXXXX",
  "clave_rastreo": "SCT20260419CODIZ",
  "timestamp": "2026-04-19T22:15:44Z"
}

Error model (shared across endpoints):
4xx -> { "code": "CONSENT_EXPIRED", "message": "...", "trace_id": "..." }
5xx -> retry with exponential backoff, idempotency key required

Compliance & privacy

Mexico's Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera) and its 2023–2024 secondary regulations require regulated institutions — including Scotiabank Mexico — to expose standardized APIs for open data, aggregate data, and transactional data. The CNBV supervises compliance; obligations for Data Providers became enforceable from June 2024. Our integration layer records explicit consent, maintains immutable audit logs and file-style incident reports compatible with CNBV templates. For personal data handling we follow the LFPDPPP (Ley Federal de Protección de Datos Personales en Posesión de los Particulares).

Cross-border clients can request additional alignment with GDPR (EU), LGPD (Brazil), or SOC 2 controls; we document data minimization, retention windows and deletion workflows for each deployment.

Data flow / architecture

1. ScotiaMóvil MX client channel — authenticated session with consent artifacts.
2. Ingestion & normalization — protocol-level adapters map raw responses into typed records (balances, statements, CoDi, cards).
3. Consent & audit store — per-customer consent, scope, expiry, and access log.
4. Integration API / webhook gateway — exposes /accounts, /statements, /codi, /cards and event streams to your backend, with rate limiting and per-tenant keys.
5. Analytics / storage — optional warehouse sink (BigQuery, Snowflake, Redshift) for BI dashboards and risk models.

Deliverables checklist

• OpenAPI / Swagger specification of the ScotiaMóvil MX integration surface
• Protocol & authentication report (session flow, device binding, token lifecycle)
• Runnable source code for login, statement, CoDi and card endpoints (Python or Node.js)
• Webhook receiver skeleton for SPEI and CoDi events, with signature verification
• Postman collection and automated test suite with sandbox fixtures
• Compliance pack: consent template, audit log schema, CNBV incident-report mapping

Engagement models

Source-code delivery from $300 — ideal for teams that want to own and host the integration. We hand over runnable API source code, documentation and tests; payment is released after you validate the delivery.

Pay-per-call hosted API — ideal for teams that prefer to call a managed endpoint and avoid maintaining protocol adapters. You pay per successful call, with no upfront cost.

About our studio

We are an independent technical studio specializing in mobile app protocol analysis and authorized API integration, with a focus on fintech and banking across Latin America, APAC and EMEA. Our engineers have worked on mobile security, payment switches, core banking integrations and Open Banking rollouts under PSD2 (EU), UPI/RBI (India), Open Finance Brazil, and now Mexico's Fintech Law framework.

• Protocol analysis → API design → runnable build → compliance pack
• Languages and runtimes: Python, Node.js, Go, Kotlin, Swift
• Secure delivery: signed builds, SBOM, isolated sandbox credentials
• NDAs and region-specific legal coverage on request
• Dedicated technical owner per project, not a ticket queue

Contact

Send us the target app name (already ScotiaMóvil MX), the data surfaces you need, and any sandbox credentials or partner letters you have. We'll respond with scope, timeline and a fixed quote.

Open contact page

For ScotiaMóvil MX-specific inquiries, mention the package ID com.scotiabankmx.scotiamovil in your message so we can route it to the right engineer.

Engagement workflow

1. Scope confirmation — integration surfaces (login, statements, CoDi, cards, Apartados), target volume, compliance scope.
2. Protocol analysis & API design — 2–5 business days depending on complexity.
3. Build & internal validation — 3–8 business days with automated tests.
4. Documentation, examples and handover call — 1–2 business days.
5. First delivery typically 5–15 business days end-to-end; third-party approvals may extend timelines.

FAQ

Do you have official Scotiabank partner status?

Can you deliver only the hosted API?

How do you handle data privacy?