
Dynamic Client Registration in Open Banking: UK, Brazil, and FDX Compared
Dynamic Client Registration (DCR) is a key component of Open Banking infrastructure, allowing fintechs and banks to onboard securely and automatically. But not all implementations are created equal. Here's how the UK, Brazil, and FDX differ.
What is Dynamic Client Registration (DCR)?
DCR is part of the OpenID Connect specification. It defines a standard way for clients (usually fintech apps) to register with an identity provider or authorisation server dynamically—without manual intervention.
In a traditional OAuth 2.0 setup, client credentials are manually issued. With DCR, registration becomes automated, allowing clients to provide metadata such as redirect URIs, scopes, and cryptographic keys during onboarding. This is particularly critical in Open Banking ecosystems, where registration must be secure, auditable, and scalable.
Why DCR Matters in Open Banking
Open Banking ecosystems often involve hundreds of regulated entities. DCR enables TPPs (Third Party Providers) to onboard with banks or data holders programmatically, reducing friction while maintaining strong security guarantees.
Modern DCR flows support software statements (SSAs), mTLS client authentication, and metadata validation—ensuring the onboarding is both secure and standards-compliant.
DCR in the UK
In the UK Open Banking ecosystem, DCR is used by TPPs to register with ASPSPs (banks). Registration must include a valid Software Statement Assertion (SSA), issued by the Open Banking Directory. This SSA encodes metadata such as redirect URIs and scopes.
Key features include:
- SSA signed by the UK OB Directory
- Client ID returned by the ASPSP is persistent and unique
- mTLS and JWT-based authentication
- Support for FAPI profiles
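The metadata validation an authorisation server performs when a registration request arrives with an SSA can be sketched as follows. This is an added example, not code from the original page or from any Open Banking implementation; the claim names `software_redirect_uris` and `software_roles`, the role-to-scope mapping, and the freshness window are assumptions chosen for illustration, and the SSA signature is assumed to have been verified already.

```python
import time
from urllib.parse import urlsplit

# Assumption: the server accepts only mTLS or signed-JWT client authentication.
ALLOWED_AUTH_METHODS = {"tls_client_auth", "private_key_jwt"}
# Assumption: illustrative mapping from SSA roles to OAuth scopes.
ROLE_SCOPES = {"AISP": {"openid", "accounts"}, "PISP": {"openid", "payments"}}
MAX_SSA_AGE = 600  # seconds; hypothetical freshness window


def validate_registration(request, ssa, now=None):
    """Return a list of policy violations; an empty list means accept.

    `ssa` must be the claims of a software statement whose signature has
    ALREADY been verified against the directory's published keys.
    """
    now = time.time() if now is None else now
    errors = []
    iat = ssa.get("iat")
    if not isinstance(iat, (int, float)) or not (0 <= now - iat <= MAX_SSA_AGE):
        errors.append("ssa_stale_or_future_dated")
    requested = request.get("redirect_uris") or []
    vouched = set(ssa.get("software_redirect_uris", []))
    if not requested:
        errors.append("redirect_uris_missing")
    for uri in requested:
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.netloc or parts.fragment:
            errors.append(f"redirect_uri_malformed:{uri}")
        elif uri not in vouched:  # exact string match, no prefix or wildcard
            errors.append(f"redirect_uri_not_in_ssa:{uri}")
    if request.get("token_endpoint_auth_method") not in ALLOWED_AUTH_METHODS:
        errors.append("auth_method_not_allowed")
    permitted = set()
    for role in ssa.get("software_roles", []):
        permitted |= ROLE_SCOPES.get(role, set())
    extra = set((request.get("scope") or "").split()) - permitted
    if extra:
        errors.append("scope_exceeds_ssa_roles:" + ",".join(sorted(extra)))
    return errors


# Constructed sample data, not taken from any real directory.
SAMPLE_SSA = {"iat": 1_700_000_000, "software_id": "example-software-id",
              "software_redirect_uris": ["https://tpp.example/cb"],
              "software_roles": ["AISP"]}
SAMPLE_REQUEST = {"redirect_uris": ["https://tpp.example/cb"],
                  "token_endpoint_auth_method": "private_key_jwt",
                  "scope": "openid accounts"}
```

Rejecting any request field that the SSA does not vouch for keeps the directory, rather than the registering client, as the source of truth for redirect URIs and permissions.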
DCR in Brazil (Open Finance Brasil)
Brazil's implementation follows the FAPI and OpenID specs but adds specific requirements via the Open Finance Brasil governance structure. SSAs are issued by the Brazilian Directory and signed using a national root CA.
Unique aspects include:
- Custom SSA claims mandated by Brazil's governance
- Registry-based ecosystem with pre-vetted TPPs
- Explicit key rotation handling and software versioning
- Certificate-bound client credentials and JWKS URI validation
DCR in North America (FDX)
The Financial Data Exchange (FDX) in North America also supports DCR, although adoption varies more widely. FDX defines a registration API that can be used for both static and dynamic client onboarding, but SSA support is optional.
Distinctions in FDX:
- SSAs are not always mandated
- Focus on OAuth 2.0 with extensions for financial use cases
- More flexibility in client metadata formats
- Support for DCR is up to the data holder's implementation
Summary: Comparing the Flavours
Feature | UK | Brazil | FDX |
---|---|---|---|
SSA Required | Yes (Open Banking Directory) | Yes (Brazil Directory) | Optional |
Governance | Central Directory | Central Directory | Decentralised |
mTLS Required | Yes | Yes | Recommended |
Key Rotation Standardised | Partially | Yes | Up to implementer |