Behind CFA Móvil's two-key login sits a Medellín cooperative's member ledger: contributions (aportes), savings, a CFA Express low-amount electronic deposit, credits and the rotating cupo de más cuota, plus the debit-card and authorization controls a member toggles from the phone. CFA Móvil is the transactional channel of the Cooperativa Financiera de Antioquia, and per its Google Play listing it ships under the package com.areamovil.cfa. The app is in Spanish. None of that ledger leaves the cooperative's core unless an authenticated session asks for it, and a second key gates anything that moves money. That shape — rich per-member state, a layered key model, and a country whose open-finance rules are mid-transition — is what an integrator is actually dealing with here.
The practical read: the durable data is the per-member product set and its movements, reachable through an authorized analysis of the app's own session traffic. Bre-B turns the transfer surface into something an integrator can act on, not just observe. We treat the regulated open-finance path as the long game and the authorized interface as the spine that works today.
What a member sees inside CFA Móvil
Each row below is a surface the app actually presents to a logged-in member, named the way CFA names it.
| Data domain | Where it originates | Granularity | What an integrator does with it |
|---|---|---|---|
| Aportes (contributions) | Member equity ledger in the cooperative core | Balance and posting history per member | Membership-equity reporting; onboarding checks for partner status |
| Ahorro (savings) | Deposit accounts | Per-account balance, movements, statements | Balance sync, statement export, cash-position views |
| CFA Express | Low-amount electronic money deposit (opened in-app from ID + phone) | Balance, movements, product state (open/blocked/cancelled) | Wallet-style aggregation; lifecycle automation for the deposit |
| Créditos & cupo de más cuota | Loan and revolving-quota subledger | Outstanding, instalment/obligation bill, available quota | Repayment scheduling, obligation-status feeds |
| Transfers & Bre-B | Own, third-party and interoperable instant transfers | Beneficiary, amount, llave (alias), status, fee disclosed pre-confirm | Payment initiation, reconciliation against the Bre-B rail |
| Convenios & recargas | Biller agreements and airtime/service top-ups | Biller catalogue, payment records | Bill-pay automation, expense capture |
| Debit card & authorizations | Card controls and product authorizations | Block/unblock, create/cancel authorization | Card-state monitoring, authorization workflows |
| Certificados tributarios | Tax-certificate generator | Downloadable per-period documents | Native export fallback for year-end records |
Getting at that data — the routes that fit CFA
Authorized interface analysis under your authorization
We study the app's own authenticated session — the call that exchanges a member's document and 4-digit clave de inicio for a session, the product-list and movement calls, and the transactional-key step that precedes any movement. Reachable: every domain in the table. Effort is moderate; the auth chain is the bulk of it. Durability is good between front-end revisions, and we keep a check that re-confirms field names and the OTP step when CFA updates the app. Access is set up with you during onboarding against a consenting test member.
Colombia's Finanzas Abiertas (open finance) path
Decreto 1297 de 2022 added a voluntary open-finance scheme to Decreto 2555 de 2010, covering consented data sharing and payment initiation under the Superintendencia Financiera de Colombia. Coverage reported in 2026 indicates Colombia has moved this toward a mandatory system under Decreto 0368 de 2026, with the SFC's standardization schedule and compliance windows not yet published. We build the connector so the consent-grant and data-share calls slot in when CFA is brought into scope, without reworking the data model.
User-consented credential access
Where a member explicitly consents, the integration runs the app's flow with the member's own keys and the registered-device binding. Same reach as the interface route; the difference is who holds the credential and the consent record.
Native export
The certificados-tributarios generator and statement documents are a clean fallback for periodic records where a live feed is unnecessary.
For CFA we would build on the authorized interface analysis as the working core, carry the user-consented variant for members who prefer to hold their own keys, and wire the open-finance grant in as a switchable path so the integration is ready the moment the mandatory scheme reaches the cooperative. Native export covers tax season cheaply.
A login-then-products call against the CFA core
Illustrative shapes only — exact field names, the token mechanism and the transactional-key channel are confirmed during the build against a consenting account.
```
# 1. Start session: member document + 4-digit clave de inicio
POST /auth/session
{ "docType": "CC", "docNumber": "<member-id>",
  "claveInicio": "<4-digit start key>",
  "deviceId": "<registered-device fingerprint>" }
-> 200 { "sessionToken": "...", "expiresIn": 600,
         "txKeyMode": "SMS_OTP" }   # or FIXED_4 / EMAIL_OTP

# 2. List the member's products
GET /products   (Authorization: Bearer <sessionToken>)
-> 200 { "aportes":    { "balance": ... },
         "ahorro":     [ { "id": ..., "balance": ... } ],
         "cfaExpress": { "balance": ..., "state": "ACTIVE" },
         "creditos":   [ { "id": ..., "outstanding": ..., "cupo": ... } ] }

# 3. Movement (transfer / Bre-B) needs the transactional key
POST /transfers
{ "from": "<ahorro-id>", "amount": ...,
  "target": { "llave": "<Bre-B alias>" } | { "account": ... },
  "txKey": "<fixed 4-digit | OTP per txKeyMode>" }
-> 200 { "status": "APPLIED", "feeDisclosed": ..., "ref": ... }
-> 409 { "error": "TX_KEY_REQUIRED" | "LLAVE_NOT_FOUND" | "LIMIT_EXCEEDED" }
```
The integrator-relevant detail is step 3: a read-only sync never needs the transactional key, but anything that moves value does, and the key's form depends on what the member chose. The connector negotiates that; it does not assume a fixed PIN.
What lands at the end of a CFA Móvil build
Concretely, tied to the surfaces above:
- An OpenAPI specification covering session start, product list, movement/statement reads, transfer + Bre-B initiation, and the certificate export.
- A protocol and auth-flow report documenting the clave-de-inicio session, the transactional-key step and its SMS/email/fixed variants, token lifetime and the device binding.
- Runnable source for the key endpoints in Python and Node.js — login, product fetch, statement pull, and a guarded transfer/Bre-B call.
- Automated tests against the documented responses, including the 409 transactional-key and llave-not-found paths.
- Interface documentation a member-facing or back-office team can build on, plus data-retention and consent-logging guidance for an SFC-supervised counterpart.
Finanzas Abiertas, FOGACOOP and member consent
CFA is a deposit-taking cooperativa financiera, which places it under the Superintendencia Financiera de Colombia, with member deposits insured through FOGACOOP — both consistent with CFA's own site and the SFC register of cooperative financial entities. Sharing a member's data rests on prior, express and informed authorization, the Habeas Data standard in Ley 1581 de 2012, and the open-finance authorization model Decreto 1297 de 2022 set up. We operate on authorized or user-consented access only, keep consent and access records, minimize fields to what the integration needs, and work under an NDA where the counterpart requires it. Colombia's shift from voluntary to mandatory open finance under Decreto 0368 de 2026 changes the timeline, not this posture; because the SFC schedule is unpublished, we treat the open-finance calls as a planned switch rather than a present obligation for CFA.
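The field minimization and access records described above, as an added example that is not CFA's code or part of the delivered source. Key names follow this page's illustrative shapes; the scope names, the allow-list and the record layout are hypothetical.

```python
# Key names follow this page's illustrative request/response shapes; the scope
# names, allow-list and record layout are hypothetical, added for this example.
SECRET_KEYS = {"claveInicio", "txKey", "sessionToken", "deviceId", "docNumber"}
SCOPE_FIELDS = {
    "balances": {"aportes": {"balance"}, "ahorro": {"id", "balance"},
                 "cfaExpress": {"balance", "state"}},
    "obligations": {"creditos": {"id", "outstanding", "cupo"}},
}

def redact(value):
    """Copy a request for logging with secret or identifying values replaced."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k in SECRET_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value

def minimize(products, granted_scopes):
    """Drop every product and field the member's granted scopes do not cover."""
    allowed = {}
    for scope in granted_scopes:
        for product, fields in SCOPE_FIELDS.get(scope, {}).items():
            allowed.setdefault(product, set()).update(fields)
    out = {}
    for product, fields in allowed.items():
        if product in products:
            data = products[product]
            rows = data if isinstance(data, list) else [data]
            kept = [{k: v for k, v in row.items() if k in fields} for row in rows]
            out[product] = kept if isinstance(data, list) else kept[0]
    return out

def access_record(consent_id, granted_scopes, request, products):
    """Build the audit entry: which consent, which scopes, which fields left."""
    shared = minimize(products, granted_scopes)
    fields = sorted({f"{p}.{k}" for p, v in shared.items()
                     for row in (v if isinstance(v, list) else [v]) for k in row})
    return {"consent": consent_id, "scopes": sorted(granted_scopes),
            "request": redact(request), "fields_shared": fields}, shared

if __name__ == "__main__":
    # Constructed sample values, not real member data.
    request = {"docType": "CC", "docNumber": "1000000001", "claveInicio": "1234"}
    products = {"aportes": {"balance": 100, "postedBy": "x"},
                "creditos": [{"id": "C1", "outstanding": 9, "cupo": 3}]}
    print(access_record("CONSENT-1", ["balances"], request, products))
```

The record stores field names and the consent reference, never the values themselves, so the audit trail does not become a second copy of the member's data.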
Things we plan around in a CFA integration
Two-key model. CFA runs a 4-digit clave de inicio for authentication and a separate transactional key for movements, and the member can set the transactional key as a fixed 4-digit code or a variable code delivered by SMS or email — switchable at any time. We design the auth flow to carry both keys and to branch on the member's current transactional-key mode so a payment job does not stall waiting for an OTP it never requested.
Bre-B alias resolution. A transfer can address a recipient by their Bre-B llave rather than an account number, settling across participating institutions on Banco de la República's interoperable rail. We model the alias-resolution step and the rail's response codes so a transfer integration reconciles outcomes correctly instead of guessing from a generic success flag.
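The branching on the member's transactional-key mode and the outcome classification described in the two paragraphs above, as an added example that is not CFA's code or part of the delivered source. Field names, modes and error codes are taken from this page's illustrative shapes; `fake_core` is a constructed stand-in for the transfer endpoint, and the meaning it gives `TX_KEY_REQUIRED` (key missing or not accepted) is an assumption.

```python
# Field names, modes and error codes mirror this page's illustrative shapes;
# they are assumptions, not confirmed CFA interface names.
OTP_MODES = {"SMS_OTP", "EMAIL_OTP"}

def key_for(mode, fixed_key, request_otp):
    """Pick the key source from the member's current transactional-key mode."""
    if mode == "FIXED_4":
        return fixed_key()
    if mode in OTP_MODES:
        return request_otp(mode)       # fresh one-time code for every attempt
    raise ValueError(f"unknown txKeyMode: {mode!r}")

def guarded_transfer(session, transfer, send, fixed_key, request_otp, max_attempts=2):
    """Submit a transfer and classify the reply instead of trusting a bare 200."""
    mode = session["txKeyMode"]
    for attempt in range(1, max_attempts + 1):
        key = key_for(mode, fixed_key, request_otp)
        status, body = send({**transfer, "txKey": key})
        if status == 200 and body.get("status") == "APPLIED":
            return {"state": "applied", "detail": body["ref"], "attempts": attempt}
        error = body.get("error", "UNKNOWN")
        # Only an OTP is worth re-requesting; resending a fixed key just burns tries.
        retryable = status == 409 and error == "TX_KEY_REQUIRED" and mode in OTP_MODES
        if not retryable:
            return {"state": "rejected", "detail": error, "attempts": attempt}
    return {"state": "needs_key", "detail": "TX_KEY_REQUIRED", "attempts": max_attempts}

def fake_core(valid_key, known_llaves, limit):
    """Constructed stand-in for the transfer endpoint; llave targets only."""
    def send(req):
        if req.get("txKey") != valid_key:      # assumed meaning of the 409 code
            return 409, {"error": "TX_KEY_REQUIRED"}
        if req["target"].get("llave") not in known_llaves:
            return 409, {"error": "LLAVE_NOT_FOUND"}
        if req["amount"] > limit:
            return 409, {"error": "LIMIT_EXCEEDED"}
        return 200, {"status": "APPLIED", "feeDisclosed": 0, "ref": "REF-0001"}
    return send

if __name__ == "__main__":
    otps = iter(["111111", "654321"])          # constructed: first code is stale
    send = fake_core("654321", {"@ana"}, limit=500_000)
    transfer = {"from": "AH-1", "amount": 120_000, "target": {"llave": "@ana"}}
    print(guarded_transfer({"txKeyMode": "SMS_OTP"}, transfer, send,
                           fixed_key=lambda: "0000", request_otp=lambda m: next(otps)))
```

The attempt cap keeps a payment job from hammering the key check, and an unknown mode fails loudly rather than falling back to a fixed PIN.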
Registered-device and SMS binding. CFA expects the member's information current within roughly a year and the cell number authorized for text messages, and ties the session to the registered device. We account for that binding in the session design and arrange a consenting test member with you during onboarding, so the device and SMS path is exercised as part of the build rather than discovered after it.
CFA Express lifecycle. The electronic deposit can be opened in-app from identity and phone data and then blocked or cancelled by the member, so its state is not static. We track product state transitions so an aggregation does not keep reading a deposit the member has closed.
Three jobs this integration typically does
- Member balance dashboard. A periodic read of aportes, ahorro, CFA Express and crédito outstanding into one normalized view — no transactional key needed, since nothing moves.
- Obligation reconciliation. Pull the cupo de más cuota bill and crédito instalments, match them against a back-office ledger, and flag what is due.
- Consented Bre-B payout. With member consent and the transactional key, initiate a Bre-B transfer to a beneficiary llave and reconcile the rail's status against the disclosed fee.
Other Colombian cooperative and wallet apps in the same picture
These are real apps an integrator often sees alongside CFA when building a unified view of a member's money in Colombia. Listed as ecosystem context, not a ranking.
- Confiar Móvil — Confiar Cooperativa Financiera; member savings, credit and inter-bank transfers, similar cooperative-core data.
- JFK Móvil — JFK Cooperativa Financiera; deposit, credit and contribution records for its members.
- Cotrafa Cooperativa Financiera — savings and credit products with a comparable Antioquia member base.
- Coofinep Cooperativa Financiera — ahorro, crédito and investment products under SFC supervision.
- Coltefinanciera — savings and financing products with a mobile channel.
- Bancoomeva — the Coomeva group's bank, holding accounts, cards and loans for a cooperative-linked membership.
- Banco Cooperativo Coopcentral — the cooperative-sector bank connecting many smaller cooperatives to national rails.
- Nequi — Bancolombia's digital wallet; balances and transfers, frequently aggregated next to cooperative accounts.
- Daviplata — Davivienda's wallet; low-amount deposits and transfers across the same Bre-B rail.
Questions integrators ask about CFA Móvil
Can the integration read aportes and CFA Express balances as separate products, or only a combined view?
Separately. CFA Móvil presents aportes, ahorro, CFA Express, créditos and the cupo de más cuota as distinct products with their own balances and movements, and we model each as its own resource so a member dashboard can show them apart rather than netted together.
Does CFA Móvil's Bre-B support mean a transfer integration can pay to any Colombian institution?
Bre-B is Banco de la República's interoperable instant-payment rail, so a transfer can target a recipient at another participating institution by their llave (alias) rather than an account number. We model the alias resolution step and the rail's response codes; per-transaction limits and fees stay governed by CFA's own rules and are surfaced before confirmation as the app does.
Which authority governs sharing a CFA member's data, and is the open finance route usable today?
CFA is a deposit-taking cooperativa financiera supervised by the Superintendencia Financiera de Colombia, with deposits insured through FOGACOOP. Colombia moved open finance from the voluntary scheme in Decreto 1297 de 2022 toward a mandatory system under Decreto 0368 de 2026, but the SFC standardization schedule and compliance windows are not yet published, so authorized interface work is the dependable route now and the open-finance path is built in to switch on as it lands.
Do you need a CFA member account to build this?
To get going we need the app name and what you want from its data. A consenting test member, the registered-device and SMS binding CFA requires, and any access are arranged with you during onboarding rather than asked of you up front.
Sources checked for this brief
Checked on 2026-05-17: CFA's own description of the app and its products and Bre-B support; Banco de la República's Bre-B interoperable instant-payments material; the Superintendencia Financiera's open-finance pages; and the text of Decreto 1297 de 2022 on Función Pública's normative repository. Where a fact was not publicly stated — exact endpoint names, token mechanism, the SFC mandatory-scheme timeline — it is marked illustrative or noted as not yet published rather than asserted.
CFA — ¿Qué es la App CFA Móvil? · Banco de la República — Bre-B · SFC — Finanzas Abiertas · Decreto 1297 de 2022
OpenBanking Studio · integration desk — notes from a CFA Móvil mapping, May 2026.
A CFA Móvil build runs one to two weeks. Source-code delivery starts at $300 and is billed only after we hand the work over and you are satisfied with it; alternatively, call our hosted endpoints and pay per call with nothing upfront. You give us the app name and what you need from its data — the consenting test member, the device and SMS binding, and any access are arranged together as part of the work. Start the conversation at /contact.html with what you want CFA's member data to do.
App profile — CFA Móvil
CFA Móvil is the mobile transactional channel of the Cooperativa Financiera de Antioquia (CFA), a financial cooperative based in Medellín, Colombia. Through it a partner, saver or customer consults aportes, ahorro, CFA Express, créditos and the cupo de más cuota; makes own, third-party and Bre-B transfers; pays obligations, the cupo bill and convenio bills; recharges airtime and services; opens and manages the CFA Express electronic deposit; blocks the debit card; manages and recovers the start and transactional keys; and downloads tax certificates. Access uses a 4-digit start key plus a transactional key that the member sets as a fixed 4-digit code or a variable SMS/email code, with biometric login on supported devices. Available on Android (package com.areamovil.cfa, per Google Play) and iOS. This profile is a neutral factual recap for integration scoping.