
The Open Banking Compliance Gap Checklist: How to Avoid Audit Failure in 2026

Open Banking projects rarely collapse because of code. They collapse because of unverified assumptions. This guide is the practical checklist we use to keep programmes audit-ready.

Typical last words before a failed audit:

"We're already FAPI compliant."

"Our vendor said it's fine."

"Legal reviewed it once."

We've seen the same pitfalls across the UK, Brazil, and now Canada. Below is a detailed checklist you can map to owners, automate in CI, and rehearse in pre-audit simulations. If you are building for Canada 2026, this will save months of pain.


1. Security and OAuth / FAPI Flows

This is foundational. A single missing control can invalidate the entire authorisation model.

PKCE (Proof Key for Code Exchange)

  • Enforce PKCE on all public clients (mobile, SPA, browser-based apps).
  • Require code_challenge_method=S256; reject plain.
  • Auth server must reject any request without a valid code_challenge.
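As an added example (not code from the post), the client-side PKCE pair and the two authorisation-server checks the bullets above describe: refusing a missing challenge or any method other than S256 at /authorize (or /par), then recomputing S256 at /token. It assumes the stored code_challenge is looked up from the authorisation code being redeemed.

```python
import base64
import hashlib
import re
import secrets

# Constructed example, not code from the post: client-side PKCE pair generation and
# the authorisation-server checks at /authorize (or /par) and at /token. Assumption:
# the stored code_challenge is retrieved from the authorisation code being redeemed.

_CHALLENGE = re.compile(r"[A-Za-z0-9_-]{43}")          # base64url SHA-256, no padding
_VERIFIER = re.compile(r"[A-Za-z0-9._~-]{43,128}")      # RFC 7636 unreserved chars

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Client: 32 random bytes -> 43-char verifier; challenge = BASE64URL(SHA256(verifier))."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def check_authorization_request(params):
    """AS at /authorize or /par: no challenge, or any method other than S256, is refused."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method")
    if not challenge:
        return False, "invalid_request: code_challenge is required"
    if method != "S256":
        return False, "invalid_request: code_challenge_method must be S256 (plain rejected)"
    if not _CHALLENGE.fullmatch(challenge):
        return False, "invalid_request: code_challenge is not a base64url SHA-256 digest"
    return True, "ok"

def check_token_request(stored_challenge, code_verifier):
    """AS at /token: recompute S256 over the verifier and compare in constant time."""
    if not code_verifier or not _VERIFIER.fullmatch(code_verifier):
        return False, "invalid_grant: code_verifier missing or malformed (43..128 chars)"
    expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if not secrets.compare_digest(expected, stored_challenge):
        return False, "invalid_grant: code_verifier does not match code_challenge"
    return True, "ok"
```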

JARM (JWT Secured Authorisation Response Mode)

  • No plain redirects carrying raw codes or tokens.
  • AS signs the entire authorisation response; clients verify signature and issuer.
  • Protects against mix-up and code substitution attacks.

PAR (Pushed Authorisation Requests)

  • Clients POST parameters to /par; receive a one-time request_uri.
  • Enforce short expiry (for example 60 seconds) and single use.
  • Migrate any legacy request_uri patterns to PAR-backed flows.

mTLS (Mutual TLS)

  • Use client certs for both client authentication and token binding.
  • Access tokens must include cnf.x5t#S256 (certificate thumbprint).
  • Replaying a token with a different client cert should fail immediately.
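The certificate-binding check the mTLS bullets call for, as an added example rather than code from the post: the AS stamps the client certificate thumbprint into cnf.x5t#S256 at issue time, and the resource server refuses unbound tokens and tokens presented over a different certificate. It assumes signature, iss, aud and exp were verified upstream, that `claims` is the decoded payload, and that the certificate arrives as DER bytes from the TLS layer.

```python
import base64
import hashlib
import hmac

# Constructed example, not code from the post: binding an access token to the client
# certificate at issue time and re-checking that binding at the resource server
# (RFC 8705 cnf.x5t#S256). Assumptions: signature, iss, aud and exp were verified
# upstream, `claims` is the decoded payload, and the certificate is passed as DER
# bytes from the TLS layer (any demo input uses placeholder bytes, not a real cert).

def x5t_s256(cert_der):
    """x5t#S256 is the base64url (unpadded) SHA-256 of the DER-encoded certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def bind_token(claims, client_cert_der):
    """AS at /token: stamp the thumbprint of the authenticating client cert into cnf."""
    return {**claims, "cnf": {"x5t#S256": x5t_s256(client_cert_der)}}

def verify_cert_binding(claims, presented_cert_der):
    """Resource server: unbound tokens and mismatched certificates are both refused."""
    if presented_cert_der is None:
        return False, "invalid_token: request was not made over mTLS"
    cnf = claims.get("cnf")
    bound = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(bound, str) or not bound:
        return False, "invalid_token: token carries no cnf.x5t#S256 (unbound token)"
    if not hmac.compare_digest(bound, x5t_s256(presented_cert_der)):
        return False, "invalid_token: client certificate does not match cnf.x5t#S256"
    return True, "ok"
```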

Replay Protection

  • Include a unique jti in JAR, JARM, ID tokens, and any signed JWTs; store recent values to block replays.
  • state and nonce must be single-use and verified.
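The PAR bullets and the replay-protection bullets above rest on the same primitive, a short-lived single-use store, so one added example (not code from the post) serves both: /par hands out a request_uri that expires after 60 seconds and can be redeemed once, and signed JWTs are accepted only if their jti has not been seen before. It assumes a shared store such as Redis with TTLs in production and an injectable clock for deterministic expiry.

```python
import secrets
import time

# Constructed example, not code from the post: one short-lived, single-use store that
# backs PAR request_uri values and the jti / state / nonce replay cache. Assumption:
# production uses a shared store (Redis with TTLs); the clock is injectable for tests.

PAR_TTL_SECONDS = 60

class SingleUseStore:
    def __init__(self, clock=time.monotonic):
        self._items = {}          # key -> (expires_at, payload)
        self._clock = clock

    def put(self, key, payload, ttl):
        self._items[key] = (self._clock() + ttl, payload)

    def consume(self, key):
        """Redeem a key exactly once; None if unknown, expired or already used."""
        item = self._items.pop(key, None)   # pop, so a second redemption fails
        if item is None or self._clock() > item[0]:
            return None
        return item[1]

    def add_if_absent(self, key, ttl):
        """Replay cache: True the first time a live key is seen, False afterwards."""
        item = self._items.get(key)
        if item is not None and self._clock() <= item[0]:
            return False
        self.put(key, None, ttl)
        return True

def push_authorization_request(store, client_id, params):
    """/par handler: keep the validated parameters, return a one-time request_uri."""
    request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(32)
    store.put(request_uri, {"client_id": client_id, **params}, PAR_TTL_SECONDS)
    return {"request_uri": request_uri, "expires_in": PAR_TTL_SECONDS}

def resolve_request_uri(store, client_id, request_uri):
    """/authorize: redeem the request_uri once; it must belong to the same client."""
    params = store.consume(request_uri)
    if params is None or params.get("client_id") != client_id:
        return None
    return params

def accept_jwt_once(store, claims, now):
    """JAR/JARM/ID token: refuse a repeated jti; remember it until the token's exp."""
    jti, exp = claims.get("jti"), claims.get("exp")
    if not jti or not isinstance(exp, (int, float)) or exp <= now:
        return False
    return store.add_if_absent(("jti", claims.get("iss"), jti), exp - now)
```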

Token Lifetimes and Rotation

  • Access tokens no longer than 10 minutes.
  • Mandatory refresh token rotation; previous refresh token invalidated immediately.
  • Policy values configured centrally, not hardcoded in code.
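Refresh token rotation as the bullets above describe it, as an added example (not code from the post) that also goes one step further with reuse detection: a retired refresh token coming back revokes its whole family. It assumes dicts stand in for the token store and that lifetimes are read from a central policy object rather than hardcoded in handlers.

```python
import secrets
import time

# Constructed example, not code from the post: refresh-token rotation in which every
# refresh mints a new token and retires the old one at once, plus reuse detection
# (a retired token coming back revokes the whole family), one step beyond the
# checklist line. Assumptions: dicts stand in for the token store, and lifetimes are
# read from a central policy object rather than hardcoded in handlers.

POLICY = {"access_token_ttl": 600, "refresh_token_ttl": 90 * 86400}   # 10 minutes / 90 days

class RefreshTokenStore:
    def __init__(self, policy=POLICY, clock=time.time):
        self._policy, self._clock = policy, clock
        self._tokens = {}       # refresh token -> record
        self._revoked = set()   # families whose tokens are all dead

    def issue(self, client_id, consent_id, family=None):
        """The initial grant starts a family; rotations stay inside it."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"family": family or secrets.token_urlsafe(16), "retired": False,
                               "client_id": client_id, "consent_id": consent_id,
                               "exp": self._clock() + self._policy["refresh_token_ttl"]}
        return token

    def rotate(self, presented, client_id):
        """/token with grant_type=refresh_token; returns (ok, result_or_error)."""
        rec = self._tokens.get(presented)
        if rec is None or rec["client_id"] != client_id or rec["exp"] < self._clock():
            return False, "invalid_grant"
        if rec["family"] in self._revoked:
            return False, "invalid_grant: token family revoked"
        if rec["retired"]:
            # A token that was already rotated away came back: treat it as a stolen copy.
            self._revoked.add(rec["family"])
            return False, "invalid_grant: refresh token reuse detected, family revoked"
        rec["retired"] = True   # the previous refresh token is invalid from this instant
        new_refresh = self.issue(client_id, rec["consent_id"], rec["family"])
        # The access token itself (10 minute lifetime) would be minted here as well.
        return True, {"refresh_token": new_refresh, "consent_id": rec["consent_id"],
                      "expires_in": self._policy["access_token_ttl"]}
```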

Dynamic Client Registration (DCR) and SSA

  • Validate SSA against directory JWKS; verify software_id, org_id, roles and audience.
  • Regularly re-check directory metadata and JWKS for key rollover.

2. Consent and Authorisation Layer

Where regulatory language meets JSON. This is the number one tripwire in audits.

Consent Object Schema

  • Match the regulator's taxonomy exactly. Do not rename fields for convenience.
  • Maintain a mapping sheet that proves one-to-one parity with the mandated scopes and objects.

Granularity

  • Per-account and per-scope selection must be supported end to end.
  • No "all accounts by default" shortcuts. Auditors will flag this.

Duration and Expiry

  • Consent expiry configurable by regime (for example 90 days UK, 12 months Brazil, TBD Canada).
  • Expired consent should auto-revoke tokens and downstream access, with clear logs.

Revocation Propagation

  • Provide DELETE /consents/{id} or an explicit revoke endpoint.
  • Revocation must invalidate tokens quickly (target under 60 seconds) and consistently across services.

UX Copy and Legal Language

  • Consent screen wording must match regulatory definitions, not developer shorthand.
  • Keep a signed, versioned record of approved copy for audit evidence.

Audit Trail

  • Immutable logging for every consent event (create, refresh, revoke) with timestamps and actor IDs.
  • Consider append-only storage or hashing of consent snapshots.
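The Duration and Expiry, Revocation Propagation and Audit Trail bullets above, as one added example that is not code from the post: consent lifetime is capped from a per-regime policy table, expiry or revocation makes every access token carrying that consent_id invalid at the resource server, and each event is appended to an audit list. It assumes the Canadian maximum is still TBD (so it stays None until configured) and that tokens carry a consent_id claim.

```python
import time

# Constructed example, not code from the post: consent lifetime set from per-regime
# central policy, with expiry or revocation cascading to every access token that
# carries the consent_id, and every event appended to an audit list. Assumption:
# the Canadian maximum is still TBD, so it stays None until policy is configured.

CONSENT_MAX_DAYS = {"UK": 90, "BR": 365, "CA": None}

class ConsentStore:
    def __init__(self, clock=time.time):
        self._clock, self.consents = clock, {}
        self.audit = []   # append-only here; production needs WORM storage or hash chaining

    def _log(self, event, consent_id, actor):
        self.audit.append({"ts": self._clock(), "event": event,
                           "consent_id": consent_id, "actor": actor})

    def create(self, consent_id, regime, accounts, scopes, requested_days, actor):
        """Cap the requested duration at the regime maximum; refuse unconfigured regimes."""
        max_days = CONSENT_MAX_DAYS.get(regime)
        if max_days is None:
            raise ValueError("no consent duration policy for regime " + regime)
        if not accounts:
            raise ValueError("consent must name specific accounts; no all-accounts default")
        self.consents[consent_id] = {
            "accounts": list(accounts), "scopes": list(scopes), "status": "active",
            "expires_at": self._clock() + min(requested_days, max_days) * 86400}
        self._log("create", consent_id, actor)
        return self.consents[consent_id]

    def revoke(self, consent_id, actor):
        """DELETE /consents/{id}: tokens carrying this consent_id are dead from now on."""
        self.consents[consent_id]["status"] = "revoked"
        self._log("revoke", consent_id, actor)

    def token_is_valid(self, token_claims):
        """Resource-server check: an access token is only as alive as its consent."""
        consent_id = token_claims.get("consent_id")
        rec = self.consents.get(consent_id)
        if rec is None:
            return False
        if rec["status"] == "active" and self._clock() > rec["expires_at"]:
            rec["status"] = "expired"      # lazy auto-revoke, logged under actor "system"
            self._log("expire", consent_id, "system")
        return rec["status"] == "active"
```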

3. Certificate and Trust Management

Certificates are boring until they are catastrophic. Treat them as a product with owners, SLAs, and tests.

Directory Onboarding and DCR

  • Exercise onboarding with multiple third-party SSAs in sandbox and production-like environments.
  • Validate claim verification rules against the current directory profile.

Renewal and Automation

  • Automate renewals (ACME or vendor API) with 30 day alerts and clear on-call ownership.
  • Avoid manual CSR flows and shared inbox reminders.

Key Rollover

  • Practice rollover in staging with zero downtime.
  • Publish the new key in JWKS before primary key rotation to avoid verification gaps.

CRL and OCSP

  • Enable revocation checking and test with known revoked certificates.
  • Consider stapling and sensible caching to manage latency.

Trust Store Hygiene

  • Separate sandbox and production trust anchors.
  • Load only the CA roots you actually need rather than generic bundles.

Ownership and Policy

  • Name a specific role or person responsible for certificate lifecycle management.
  • Include certs in the CMDB with expiry metadata and escalation paths.

4. Audit and Evidence Readiness

Auditors want proof, not promises. Build an evidence pack as you build the product.

Conformance Testing

  • Run the FAPI conformance suite per environment and store signed results.
  • Re-run quarterly or whenever auth flows change.

Penetration Testing

  • Scope must include Open Banking endpoints, PAR, JARM, token replay and mTLS enforcement.
  • Track remediation to closure and keep evidence with the findings.

API Spec Alignment

  • Deployed API must match the published OpenAPI exactly.
  • Automate diff checks in CI to prevent drift.

End to End Traceability

  • Correlate Consent → Token → Resource → Response with stable correlation IDs.
  • Retain verifiable JWS signatures along the path.

Third Party Dependencies

  • Collect your vendors' FAPI alignment and security evidence.
  • Store with your audit pack and set an annual refresh cadence.

5. Organisational and Process Gaps

A perfect technical build still fails without clear ownership and rehearsal.

Cross Team Knowledge

  • Engineering, Compliance, Legal, and Security should be able to explain the flow in plain English.
  • Publish a shared glossary and short primers on FAPI, PAR, JARM, DCR, and mTLS.

Runbooks

  • Document what to do if a certificate expires, the directory is unavailable, PAR fails, or a token leak is suspected.
  • Tabletop these scenarios at least annually.

Vendor Alignment

  • Get your vendor's supported FAPI profile in writing with version numbers.
  • Track upgrades to avoid surprise regressions.

Mock Audits

  • Run internal audits at least three months before certification.
  • Use an independent reviewer outside the immediate delivery team.

6. Emerging Topics for 2026+

  • FAPI 2.0 - JSON metadata, PAR and JAR consolidation, stronger binding semantics.
  • OAuth 2.1 - removal of implicit flow, stricter refresh token behaviour.
  • OpenID Federation - entity statements and trust chains will matter more for cross market onboarding.
  • Event Based Revocation - near real time push of revoked consents to regulators and directories.

Closing Thoughts

Compliance is not a one off tick box. The teams that sail through audits treat FAPI alignment as culture, not a task. Start by assigning owners to each checklist line, automate the checks you can, and rehearse failure before it happens.

Get the Printable Checklist

If you would like the printable version of this checklist with tick boxes, risk scores, and Canadian alignment notes, click below to gain access to the PDF.

PDF Download Page
