Pulling statements, transfers and alerts from The Bank of Billings mobile app
The Bank of Billings is a state-chartered community bank in Billings, founded in 1889, FDIC certificate 16959, ABA routing 081505964. Its mobile application, published on iOS as "Bank of Billings Mobile" (App Store ID 6504369272) and on Android as com.thebankofbillings.grip, sits in front of the same Internet Banking back end customers reach on the web: alerts, account transfers, remote check deposit, statement viewing, debit card reorder, and branch/ATM locator. There is no disclosed third-party platform vendor for the app, and the "grip" suffix in the package name is not attributed to any named provider in public sources. That makes the app surface itself the working contract for any integration.
What the app actually exposes
The reachable data divides cleanly into five families, each backed by a distinct screen in the published feature list. We map them to keep one origin per row so the contract stays inspectable when a screen layout changes.
| Domain | Origin in the app | Granularity | Typical use |
|---|---|---|---|
| Accounts & balances | Account list landing screen | Per account: type, masked number, current and available balance | Cash-position dashboards, treasury sweeps |
| Transaction history | Account detail · history tab | Per posted item: id, date, description, amount, running balance | Bookkeeping ingest, expense categorisation |
| Statements (PDF) | Statement viewing | Per cycle: period start/end, PDF blob, account reference | Loan packets, audit archives |
| Internal transfers | Account transfers screen | Per transfer: from, to, amount, scheduled date, status | Cash-management automation |
| Alerts | Alerts inbox | Per alert: sequence number, type, body, timestamp | Fraud signal, low-balance triggers |
| Remote deposit | Mobile check deposit flow | Per item: front/back image, amount, status, hold release | AR posting, deposit reconciliation |
Three viable ways in
Order them on what the customer can sign for, not on convenience.
- Authorised protocol read of the mobile session. With the account holder's written consent we instrument the same JSON-over-TLS calls the published iOS and Android apps make, learn the auth handshake, the session token lifetime, and the response shapes, then drive them from a server.
- Consented aggregator route. Plaid, MX or Finicity may carry The Bank of Billings on a credential-based connection. Coverage at long-tail community banks is uneven: aggregators build direct OAuth/FDX links primarily for the top ~500 institutions and reach the rest through credential vaults or resold connections, so this route delivers transactions reliably but rarely a clean statement PDF or an alert stream.
- Customer-driven native export. The web Internet Banking surface allows the customer to download statement PDFs and transaction CSVs. For low-volume use, a folder-drop ingestion against those exports is the cheapest path and avoids any session against the bank at all.
A polling sketch you can read in 30 seconds
The shape that survives a flaky mobile session is a cursor walk. Each consumer holds its own watermark; a cold run pages backwards through history, a warm run only fetches what is newer than the watermark.
# Warm-tail poll: fetch only what is newer than the stored watermark
GET /mobile/v3/sessions/{sid}/accounts/{acct}/transactions
?since_cursor=eyJwb3N0ZWQiOiIyMDI2LTA1LTI4VDE0OjAwOjAwWiIsImlkIjoidHhuXzg4MTcyMyJ9
&page_size=100
&direction=forward
Host: m.thebankofbillings.example
Authorization: Bearer <session-token>
X-Client: com.thebankofbillings.grip/2.x (delta-runner)
200 OK
{
"account_id": "acct_4f1c",
"items": [
{"id":"txn_881904","posted":"2026-05-30T18:11:07Z","amount":-42.18,"desc":"ACH WD CITY OF BILLINGS UTIL"},
{"id":"txn_881905","posted":"2026-05-30T22:46:02Z","amount": 1860.00,"desc":"DEP MOBILE CHECK #2041"}
],
"next_cursor": "eyJwb3N0ZWQiOiIyMDI2LTA1LTMwVDIyOjQ2OjAyWiIsImlkIjoidHhuXzg4MTkwNSJ9",
"has_more": false
}
# Cold backfill: walk older pages until has_more=false or oldest_allowed reached
GET /mobile/v3/sessions/{sid}/accounts/{acct}/transactions
?before_cursor=...&page_size=200&direction=backward
# Statement archive (separate surface, returns PDF blobs)
GET /mobile/v3/sessions/{sid}/accounts/{acct}/statements?year=2026
# Alerts inbox (cursor on sequence number, not timestamp)
GET /mobile/v3/sessions/{sid}/alerts?since_seq=44218
The watermark stored between runs is three small values per account: last posted date plus last id, last statement period fetched, last alert sequence number. That keeps a repeated read cheap, and a missed run only costs the gap, not the archive.
What ships to you
- Python and Node.js polling client libraries with the cursor walk implemented, watermark persistence pluggable to Postgres or a flat file.
- A delta-sync runner with a tunable schedule, designed to be parked under cron, systemd or a container scheduler.
- A retry/backoff layer around 401/429/5xx and silent session-drop, with circuit-breaker counters per account.
- An automated test suite that replays captured fixtures end-to-end, so a future app update fails a test instead of a production run.
- An OpenAPI document describing the surfaces we exercise, generated from the same fixtures (secondary to the runnable code).
- An auth-flow report and a short compliance memo for the customer's risk file (secondary, written for the legal reader).
Posture under US bank regulation and §1033
The dependable consent basis is the customer's own written authorization to access their own data on their behalf. The Bank of Billings is FDIC-insured (cert 16959) and supervised by Montana's Banking and Financial Institutions Division alongside its federal regulator; that posture is professional context, not a permission to act. The CFPB's Personal Financial Data Rights rule under 12 CFR Part 1033 was enjoined by a federal court in October 2025 (Forcht Bank, N.A., et al. v. CFPB) and the agency has opened reconsideration via an August 2025 ANPR. It is on the books, but it is not in force, and we do not present it as governing.
Studio-side engineering notes for this app
- We instrument the polling cadence around the institution's mobile session-timeout so a long backfill does not trip a security lockout; the keep-alive worker is decoupled from the read worker for this reason.
- We map the mobile check deposit upload channel separately because its multipart envelope, image fields and asynchronous status callback differ from the JSON statement read and would corrupt a single-shape parser.
- We treat alerts as a sequence-ordered stream, not a time-ordered one, because the alert id is monotonic where posted-time can be revised after a backdated event.
- We hold one set of session tokens per consumer, never share across tenants, and rotate the underlying credential under the same written authorization that signed the original mandate.
How we checked this and where it came from
Institution facts were taken from the FDIC BankFind record for cert 16959 and the bank's own published site; the iOS app metadata came from the App Store listing; the Section 1033 status was checked against the cited federal-register and law-firm summaries of the October 2025 injunction. Where vendor identity for the Android package is not publicly disclosed, that gap is left as a gap rather than guessed.
- FDIC BankFind — certificate 16959
- Bank of Billings Mobile on the App Store
- Cozen — Section 1033 enjoined and under reconsideration
- Federal Register — Personal Financial Data Rights Reconsideration ANPR
Reliability and freshness notes
Two failure modes dominate at long-tail community banks. The first is a silent shape drift, where a field renames between app releases and the parser starts returning nulls; the test suite that ships with the build catches this on the next CI pass and points to the exact field. The second is a session-policy change at the upstream — a shorter idle window, a new device-attestation header — which the keep-alive worker surfaces as an auth error within the first poll cycle rather than as creeping data loss. Both are visible, both are fixable in hours.
Other Montana and western community-bank apps in the same landscape
Common questions about pulling data from this app
How does the polling cadence handle the bank's mobile session timeout?
We tune the cursor poll interval below the institution's idle-logout, then re-auth on a separate keep-alive worker so a long history walk does not get cut mid-page. The cadence is configurable per consumer; default is a slow walk at first, faster on the warm tail once the watermark is anchored.
What does the cursor watermark actually persist between runs?
Per account, the last seen transaction id plus its posted-date, the last statement period fetched, and the last alert sequence number. A new run resumes from those three anchors instead of re-scanning the full archive, which keeps repeated reads cheap on the upstream.
Is the mobile-deposit image upload part of the same feed?
No. Remote check deposit moves over a multipart upload channel and we wire it as a distinct surface from the JSON statement read. Treating them together would lose the binary envelope and the deposit status callback.
Does The Bank of Billings publish open data under CFPB Section 1033 yet?
No. The Section 1033 Personal Financial Data Rights rule was enjoined in October 2025 and the CFPB has opened reconsideration; compliance dates are not in effect. Customer-authorised access remains the working basis.
Pricing is concrete. $300 buys the source delivery — the polling clients, the delta-sync runner, the retry layer, the fixtures and the test suite — and is paid after delivery once you have run it against a live consented session and are satisfied. The hosted alternative is pay-per-call against our endpoint with no upfront fee, and is suited to teams that would rather treat the data as a billable API than operate a runner. Either way, the consent paperwork comes first. To start a scoped quote, write to us via /contact.html with the accounts you intend to authorise and the cadence you need.
App profile (appendix)
Publisher: The Bank of Billings — Billings, Montana, USA. Established 1889.
Charter / insurance: State-chartered; FDIC insured, certificate 16959.
ABA routing: 081505964.
Regulators: Montana Department of Administration — Banking and Financial Institutions Division; FDIC.
Android package: com.thebankofbillings.grip.
iOS app: "Bank of Billings Mobile", App Store ID 6504369272.
Feature surface published by the bank: account list, transactions, statement viewing, account transfers, remote check deposit, debit card reorder, alerts, branch/ATM locator.
Disclosed mobile-banking platform vendor: none publicly disclosed; "grip" suffix is not attributed in public sources and is not asserted here.