Three engines in one: deterministic SCA exemption eligibility under EBA RTS 2023 + UK FCA guidance; consent scope translation across UK OB v3.1, EU PSD3, AU CDR, and US CFPB 1033/FDX; and FAPI 1.0/2.0 JWT payload generation via browser-native WebCrypto. Zero network transit, zero PII.
This engine implements the EBA Final Report on Guidelines on Exemptions from SCA (EBA/GL/2022/15) and UK FCA SCA-RTS as amended. Thresholds are deterministic and sourced from published regulatory texts. This tool does not constitute legal or compliance advice.
UK Open Banking v3.1: OBIE PermissionCodes are the canonical scope identifiers used in consent objects. v3.1.10 is the current production standard; some scopes (e.g. ReadTransactionsDetail) are deprecated in favour of separate credit/debit scopes.
EU PSD3/PSR: PSD3 uses high-level data categories (payment_accounts, account_balance, account_transactions) rather than granular permission codes. Scope mapping from OBIE is therefore often partial.
US CFPB 1033 / FDX v5: FDX uses data cluster identifiers (accounts:read, accounts:balance:read). The CFPB 1033 rule (finalized Oct 2024) does not prescribe specific scope names but delegates to FDX as the recognised standard body. Some OBIE concepts (e.g. Offers, Statements) have no direct FDX equivalent.
AU CDR: CDR scopes follow the bank:accounts.basic:read pattern under the Consumer Data Standards. CDR Data Holders must support all CDR-designated scopes within their sector.
Generate a cryptographically secure PKCE pair using browser-native crypto.getRandomValues() and crypto.subtle.digest('SHA-256'). No private key is generated or stored. Required for FAPI 1.0 RW and FAPI 2.0 conformance.
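The PKCE generation described above, as an added example that is not this tool's own code: it derives an S256 `code_challenge` from a random `code_verifier` per RFC 7636 and shows the recompute-and-compare check an authorization server performs at the token endpoint. All function names are hypothetical; the only platform calls are `crypto.getRandomValues()` and `crypto.subtle.digest('SHA-256')`.

```javascript
// Added example: PKCE (RFC 7636) S256 pair using only WebCrypto.
// Function names are hypothetical, not taken from the tool described above.
// The fallback lets the same code run in older Node.js releases outside a browser.
const wc = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// base64url without padding, as RFC 7636 requires.
function base64url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// code_verifier: 43..128 characters from the unreserved set [A-Za-z0-9-._~].
function isValidVerifier(v) {
  return typeof v === 'string' && /^[A-Za-z0-9\-._~]{43,128}$/.test(v);
}

// code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
async function challengeFor(verifier) {
  if (!isValidVerifier(verifier)) throw new Error('invalid code_verifier');
  const data = new TextEncoder().encode(verifier);
  const digest = await wc.subtle.digest('SHA-256', data);
  return base64url(new Uint8Array(digest));
}

// 32 random bytes encode to a 43-character verifier (256 bits of entropy).
async function generatePkcePair() {
  const code_verifier = base64url(wc.getRandomValues(new Uint8Array(32)));
  const code_challenge = await challengeFor(code_verifier);
  return { code_verifier, code_challenge, code_challenge_method: 'S256' };
}

// Token-endpoint check: recompute the challenge from the presented verifier
// and compare it with the value stored at authorization time.
async function verifyPkce(verifier, storedChallenge) {
  try {
    return (await challengeFor(verifier)) === storedChallenge;
  } catch {
    return false; // malformed verifier is rejected, never hashed
  }
}
```

Only the `code_challenge` and `code_challenge_method` go into the authorization request; the `code_verifier` stays with the client until the token request.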
Assemble a FAPI-conformant authorization request payload. All values are synthetic — no private key signing is performed. The signature section is explicitly labeled as a placeholder.