Behind the four-digit passcode on CBTKY sits the working ledger of a Citizens Bank & Trust Company customer: balances, the running list of debits and credits, scheduled transfers, bill payments, deposited-check images and a shelf of monthly statements. Citizens Bank & Trust is a Campbellsville, Kentucky institution — FDIC certificate #15675, per the FDIC BankFind record — and the app, published under com.cbtky.grip on Google Play, is the only front door most customers ever use to that data. The question a developer brings us is narrow. How do I read it from somewhere other than a phone screen, and stay on the right side of the bank and the customer while doing it?
The short version: nothing here needs a vendor to publish a feed. The data is already moving between the phone and the bank's servers on every login, and with the accountholder's authorization that same exchange can be driven from your code. Below is what is actually reachable, the route we would take, and the source you would receive.
Account surfaces worth reading
These are the screens the CBTKY description and the bank's online-banking pages actually name, mapped to where each one lives and what an integrator does with it.
| Data domain | Where it shows up in CBTKY | Granularity | Typical use |
|---|---|---|---|
| Balances & account activity | Accounts dashboard | Per account, refreshed on open | Real-time balance feed; low-balance triggers |
| Transactions with notes, images and tags | Activity / transaction detail, with search and tag filters | Per posted item, enriched | Categorization, reconciliation, bookkeeping export |
| Transfers | Transfer screen (one-time, future-dated, repeating) | Per instruction + schedule | Cash movement and sweep orchestration |
| Bill Pay | Payments to companies or people | Payee records + payment status | Payables automation, payment-status sync |
| Mobile check deposit | Remote Deposit Anywhere (front/back capture) | Per deposit + image + status | Deposit confirmation and audit pipeline |
| Monthly statements | View-and-save statement archive | One PDF per cycle | Document retention, statement parsing |
| Balance alerts | Alert settings (threshold rules) | Per-rule configuration | Mirror the bank's alerts into your own monitoring |
Branch and ATM locations are in there too, but that is public geo data and rarely worth wiring up. The value is the authenticated rows.
Inside the app
The published screenshots show the surfaces above as the customer sees them. Open any one full size.
Routes in
Three approaches genuinely apply to CBTKY. They are not exclusive; most builds use the first two together.
Consented session, driven from your code
With the accountholder's authorization, we drive the same authenticated session the app establishes — two-factor sign-in, then the device-bound token the app uses thereafter — and read the JSON the app already receives for balances, activity and statements. Reachable: everything the customer can see. Effort is moderate; durability is good as long as the session model holds. Onboarding, including the customer's consent and a test login, is arranged with you at the start of the project.
Interface mapping / protocol analysis
To make the route above reliable we capture and document the app's own traffic: the endpoints it calls, the token and cookie chain, request and response shapes, pagination and error codes. This is the reverse-engineering-for-interoperability step, and it produces the schema everything else is built on. Effort is front-loaded; the payoff is a stable contract you can code against.
Native export as backfill
CBTKY lets a customer view and save monthly statements and filter activity. Where a one-off historical load is all that is needed, the saved statements and activity exports are a low-friction backfill that pairs with the live route for recent data. Durability is fine; it just is not real-time.
For most CBTKY work the build runs on the consented session, with the documented traffic map underneath it keeping that session honest; the saved-statement export fills in history that predates the integration. That pairing is what we would recommend here, because the bank's data already moves on every login and the customer's authorization is the clean basis for reading it.
What you get
The deliverable is a working integration, not a report. For CBTKY that means:
- An OpenAPI/Swagger description of the mapped surfaces — accounts, activity, transfers, Bill Pay, deposits, statements — as normalized endpoints.
- A protocol and auth-flow write-up covering the two-factor step, the device-passcode enrollment, and the token-refresh chain CBTKY uses in place of username and password.
- Runnable source for the core calls in Python or Node.js: authenticate, list accounts, page transactions, fetch a statement, read transfer schedules.
- A statement parser that turns the monthly PDFs into line items and totals that reconcile against the live transaction pull.
- Automated tests against recorded fixtures, so a front-end change shows up as a failing test rather than silent drift.
- Interface documentation plus retention and consent-logging guidance, so the next engineer can run and extend it.
Worked example
Illustrative only — field names and the exact auth handshake are confirmed against the live traffic during the build, not guessed. It shows the shape: enroll once, then read transactions and the statement list on a token.
# Consented CBTKY session — illustrative pseudo-code
client = CbtkySession(consent_ref="cust-auth-2026-0531")
# Step 1: two-factor sign-in, then device-passcode enrollment.
# CBTKY swaps the online-banking login for a device-bound token.
client.enroll(passcode="****", device_id=DEVICE_ID) # one time
token = client.refresh() # subsequent runs
# Step 2: list accounts and page recent activity
for acct in client.accounts():
txns = client.transactions(
account_id=acct["id"],
since="2026-04-01",
page_size=100, # follow nextCursor until exhausted
)
for t in txns["items"]:
record(t["postedDate"], t["amount"], t["description"],
t.get("tags"), t.get("note"))
# Step 3: pull the statement shelf, then normalize the PDFs
for stmt in client.statements(account_id=acct["id"]):
pdf = client.statement_pdf(stmt["id"])
rows = parse_statement(pdf) # -> line items + running balance
# Errors we handle explicitly:
# 401 -> token expired, re-run refresh()
# step-up 2FA challenge mid-session -> pause, prompt consenting user
# 429 -> back off; the app's own pacing is the ceiling
Authorization and what governs it
Citizens Bank & Trust is a federally insured US bank (FDIC cert #15675, per FDIC BankFind), so the framework here is US financial-privacy law, not a European or Australian open-banking regime. The dependable basis for reading a customer's data is that customer's own authorization — the same consumer-directed access GLBA already contemplates. We work from a recorded consent, keep an access log, minimize what we pull to the fields the project needs, and sign an NDA where the engagement calls for one.
The forward-looking piece is the CFPB's Personal Financial Data Rights rule under Section 1033. As of this writing it is not in force: a federal court in the Eastern District of Kentucky — the bank's own state — enjoined enforcement while the CFPB reconsiders and re-opens the rule for comment. We treat §1033 as where US open banking may go, not as current law, and we do not build a CBTKY integration on obligations that are presently stayed. If the rule settles into something a bank of this size must support, the consent-based integration is straightforward to move onto it.
Engineering notes for this app
Two things about CBTKY shape how we build, and we handle both as part of the work.
- Device-passcode enrollment. After two-factor sign-in, the app replaces the username/password with a four-digit device passcode and a token bound to that device. We model the enrollment and the refresh cycle so a consented sync presents a valid device identity and does not get bounced back to a full re-login on every run. The step-up challenge that can appear mid-session is caught and surfaced to the consenting user rather than swallowed.
- Statements are documents, not a feed. The monthly statement archive is PDF, so we wire a parser that reconciles each cycle's line items and running balance against the transaction rows pulled live — that reconciliation is what catches a parser drift early. We also schedule a re-validation pass so that when the bank updates the app's front end, the test suite flags the change before it reaches your data.
Cost and timing
A runnable CBTKY integration leaves our desk inside one to two weeks. From there you pick how to pay. The first model is source-code delivery starting at $300: you receive the runnable source, the OpenAPI spec, the tests and the documentation, and you pay only after delivery, once the integration does what you asked. The second is a hosted pay-per-call API — we run the endpoints, you call them, and there is no upfront fee; you pay for the calls you make. Either way you bring two things: the app name and what you want out of its data. Access, the consenting login and any compliance paperwork are arranged with you as the project runs. Tell us what you need from CBTKY and we will scope it.
Sources and review
This mapping draws on the app's Play Store and bank-published descriptions, the FDIC's institution record, and the current regulatory status of US open banking, checked in May 2026.
- FDIC BankFind — Citizens Bank & Trust Company (cert #15675)
- Citizens Bank & Trust — online and mobile banking features
- CFPB — Personal Financial Data Rights reconsideration (§1033)
- Section 1033 rule stayed pending new rulemaking — analysis
Mapped by the OpenBanking Studio integration desk, May 2026.
Similar apps in reach
Other Kentucky community-bank apps hold the same kind of authenticated data, and a normalized schema lets one integration span several. Named here for context, not ranked.
- Community Financial Services Bank (CFSB) — western-Kentucky bank app with checking, transfers and digital-banking records behind a login.
- Field & Main Bank — Kentucky and Indiana app with a customizable dashboard, mobile deposit and transaction tagging.
- Community Trust Bank — regional app covering accounts, payments and loan data.
- Peoples Bank of Kentucky — balances, bill pay and transfers in a single mobile flow.
- Kentucky Farmers Bank (KFB Mobile) — balances, payments, transfers and ATM lookup.
- Citizens Bank of Kentucky — a separate eastern-Kentucky institution with its own banking app and similar account surfaces.
Questions integrators ask
The app makes me set a 4-digit device passcode instead of my password. Does that stop an automated pull?
No. That passcode is a device-enrollment step: after two-factor sign-in, CBTKY trades your online-banking credentials for a token bound to the enrolled device, and that token is what subsequent sessions present. We model the enrollment and refresh so a consented sync keeps reading without you re-typing anything.
CBTKY statements arrive as monthly PDFs. Can those become structured data?
Yes. The statement archive is document-shaped, not a feed, so we add a parser that turns each monthly PDF into line items, running balances and totals that match the transaction records pulled live.
With the CFPB data-rights rule on hold, what is the legal basis for reaching my Citizens Bank & Trust data?
The accountholder's own authorization, which is consistent with how GLBA treats consumer-directed access. Section 1033 is the forward-looking piece and is currently enjoined, so we build on the consenting customer's instruction rather than on a rule that is not in force.
Can the same approach map other Kentucky community-bank apps?
Usually, yes. Apps from CFSB, Field & Main, Community Trust Bank, Peoples Bank of Kentucky and Kentucky Farmers Bank expose the same kinds of surfaces, and a normalized schema lets one integration cover several institutions at once.
App profile — CBTKY at a glance
CBTKY is the mobile banking app for Citizens Bank & Trust Company, a Campbellsville, Kentucky bank (FDIC cert #15675, per FDIC BankFind). Published on Google Play as com.cbtky.grip and on the App Store under the CBTKY name, it lets customers set balance alerts, make payments to companies or people, transfer between accounts, deposit checks by photographing the front and back, view and save monthly statements, and locate branches and ATMs. Sign-in uses two-factor authentication followed by a four-digit device passcode, with biometric login on supported devices. Figures and identifiers above are drawn from the app and bank listings and the FDIC record as cited.