Open Banking Scenarios

The following scenarios use three personas to walk you through user stories about the API management requirements of banks and third-party service providers (TSPs) in response to Taiwan’s three-phased open banking program rollout, and further illustrate how resource owners (bank customers) use these services in the context of open banking. These scenarios aim to help you apply the use cases to your own business operations and understand the benefits of open banking for the banking industry.

Scenario Overview

Open Banking refers to the practice of giving third-party service providers (TSPs) access to the financial data of bank customers (resource owners), with the customers’ consent, through open application programming interfaces (OpenAPI), which enables more diverse and convenient services for customers.

Bank: TPI Bank

In compliance with the open banking infrastructure, TPI Bank opens up shared data to third-party service providers, including specific personal information that users have granted access to, enabling greater service flexibility and value-added applications.

Third-Party Service Provider (TSP): Enjoy Life

Enjoy Life provides connection and integration of various services (including some personal financial services), accesses specific personal information from banks with the consent of users, and offers a single-interface integrated service platform to bring more convenience to users’ lives.

Bank Customer (Resource Owner): Steve

As a user of digital services and an individual (i.e. consumer) who can grant access to protected resources, Steve hopes to use banking services via integrated resources rather than separate platforms.

Bank Scenarios

Scenario 1: API Authorization Specification

In this scenario, you will learn how the digiRunner platform meets Taiwan’s Open Banking specifications for banks that open up APIs to third-party service providers. It uses OAuth 2.0 for authentication and authorization, and lets you configure the expiration period and number of validity times for access tokens and refresh tokens.

User Story

TPI Bank needs to give its cooperative third-party service provider (TSP) “Enjoy Life” open access to its APIs. Enjoy Life has been granted an account “tsp2” to access the developer portal for authorized API resources. For this client (tsp2), TPI Bank has limited the expiration period and the number of validity times for access tokens and refresh tokens to prevent API abuse. For TPI Bank’s cooperative TSP, the access token expires: 3 times a day; the refresh token expires: 3 times every 7 days.

Steps

Step 1: Client Management
Click [Client Management] > [Client Management] to find the account (tsp2) you want to configure.
Step 2: Security
Click [Security] in the Action column on the right for advanced settings.
Step 3: Token Setting

Select “Token Setting” tab and enter the required information.

Access token expires: 3 times a day

Refresh token expires: 3 times every 7 days

  • Please take customers’ actual needs into account and refer to the specifications when configuring access/refresh token restrictions.

Scenario 2: API Security - Token Encryption

In this scenario, you will learn how to use the digiRunner management platform to configure JWT protection for your APIs in compliance with Taiwan’s Open Banking regulations on the token encryption mechanism in each phase. Whether you need JWS signing for a request or JWE encryption for a response, both can be configured through digiRunner.

User Story

TPI Bank protects the requests and responses of its APIs in compliance with the OpenAPI specification for open banking. According to the API specification, the “Personal Account Query” requires JWE encryption for responses, while the “Account Application Service” requires both JWE encryption for responses and JWS signatures for requests to ensure non-repudiation.
Here we use two API functions as examples: “demandDeposit/accounts” and “creditCards/roadsideAssistance”.

Steps

Step 1: API List
Click [API Management] > [API List], and click [Search] to select the target API.
Step 2: Update Settings

Click [Update] in the Action column on the right to modify the JWT settings.

  • demandDeposit/accounts
    Request: Do not use
    Response: JWE
  • creditCards/roadsideAssistance
    Request: JWS
    Response: JWE
Step 3: JWT Settings
You will see the updated JWT status in the API list after completing the setting.
  • demandDeposit/accounts
  • creditCards/roadsideAssistance

Third-Party Service Provider (TSP) Scenarios

Request an account to access API resources

In this scenario, you will learn how third-party service providers can apply for an account to view and request access to API resources through the digiRunner developer portal once banks share those resources. Banks can approve the request through the digiRunner Admin Console.

User Story

TPI Bank has many collaborating third-party partners that expand its service scope and give end users/customers a better service experience. However, setting up their accounts one by one would take considerable effort. Through digiRunner’s developer portal, TSP partners can request accounts themselves and view the available APIs. The API developers of Enjoy Life (account tsp2) likewise create their own account through the developer portal and request authorization to access the APIs.

Steps

Step 1: Register a Portal User
Log in to the portal and click [Sign Up]; after entering the information required, click [Create an Account], and a message “Registration Completed” will be displayed.
Step 2: Verification
*The verification of the account request will be processed in the digiRunner Admin Console based on the internal approval flow of the organization.

For the approval flow, please refer to the API Management Scenarios – Scenario 13: API Developer Portal.

Step 3: My Account
After logging in with the “tsp2” account, click [My Account] > [My Profile], and you will see the profile details.
Step 4: API Application
Click [My Account] > [API Application] to request API authorization.
Select the API you wish to request, click [Submit], and a message “Request submitted successfully” will be displayed.
Step 5: Approval
Click “Status”, confirm the request form and click [Submit]; a message “Request submitted successfully” will be displayed.
*The approval of the submitted request will be processed in the digiRunner Admin Console based on the internal approval flow of the organization.

For the approval flow, please refer to the API Management Scenarios – Scenario 13: API Developer Portal.

Step 6: My API
After the request is approved, the developers of Enjoy Life can log in to the portal with the user account tsp2. They can search for the authorized APIs by clicking [My Account] > [My API].

Resource Owner Scenarios

(This scenario usually takes place in the interaction between third-party service providers and users, and is not directly related to banks. Banks only verify the user and, after the user grants consent, provide the user’s personal data to TSPs for value-added services. The actual process may vary depending on a TSP’s business model and service design.)

User Service Procedure

This scenario is intended to help banks and third-party service providers (TSPs) better understand how open banking changes consumer behavior and improves the service experience when resource owners (consumers) access banking services via TSPs.

User Story

Anne is a typical user of digital services. She uses online banking and other online financial services to conduct financial transactions in her daily life. One day, she started to find it a hassle to manage so many applications, accounts and portals. She was looking for an integrated platform where she could access these services through a single portal, and she chose the platform Enjoy Life.
To use Enjoy Life, Anne only needed to follow the instructions to grant the platform access to specific protected information held by her banks, and she could then enjoy the integrated services provided by Enjoy Life. Moreover, Anne could cancel services she no longer needed at any time, after which Enjoy Life would no longer obtain the related information about her from the banks, avoiding information security concerns.

Steps

Step 1: Enter the TSP service interface.
Log in to Enjoy Life
Step 2: Authorize TSPs and go to the bank interface for identity verification.
Enjoy Life Interface (TSP): Click [Bank Account Operation] to grant Enjoy Life access to her bank account information, and enter the integrated service interface of Enjoy Life.
When users select a service for the first time (i.e. one whose information the bank has not yet granted access to), they are automatically redirected to the bank’s verification system for verification and authorization.
Step 3: Bank authentication (identity verification)
TPI Online Banking Interface: Enter the account number and password, and click [login].
Step 4: Read and agree to the terms and conditions to access personal information.
TPI Online Banking Interface: Tick the box “I have read and agreed to the Privacy Policy” and select [Agree].
Step 5: Select specific data you allow banks to grant the TSP access to.
Bank Authorization Interface: After selecting the items you authorize the sharing with the TSP, click [Authorize] to finish the process.
Step 6: After the authorization is completed, you will be redirected back to the "TSP" service interface.
You will be redirected back to the Enjoy Life (TSP) service interface automatically after the authorization is completed. Users can now access the services authorized by the bank from the single service interface of Enjoy Life (TSP), as illustrated in step 7.
Step 7-1: Access Service: View time deposit balance
Enjoy Life Interface (TSP): Click [View Time Deposit Balance], and click [Query].
Step 7-2: Access Service: Request credit card roadside assistance.
Enjoy Life Interface (TSP): Click [Request Credit Card Roadside Assistance], enter the “Credit Card Number” and “Vehicle Plate Number”, and click [Request].
Step 8-1: Reset authorization items according to personal needs.
Cancel the permission to access “View Demand Deposit Balance” and “View Time Deposit Balance”. Repeat the service authorization steps (to give consent to access personal information, please refer to the figures above). On the “Select Authorization Items” page, check “CreditCards” only, and then click [Authorize] to complete the adjustment of authorization items.
Step 8-2: Unauthorized services query
For unauthorized items (e.g. View Demand Deposit Balance), a message “the user has not authorized this function” will be displayed.