Reaching the data behind a Scotiabank sign-in

Behind one sign-in, the Scotia app surfaces chequing and savings ledgers, a Scene+ points balance, a TransUnion credit score the customer can refresh on demand, and cheque images captured straight from the phone camera. That is a lot of per-customer state held server-side at the Bank of Nova Scotia. A third party that wants any of it — for underwriting, reconciliation, or a money dashboard — needs an authorized way in. This page maps what is there and how we get it.

The short version: the richest data is the authenticated account state a logged-in customer already sees, and the dependable basis for reaching it today is that same customer authorizing the access. We would build a consent-based integration against the mobile backend now, and shape it so it ports onto Canada's open-banking read interface when Scotiabank's participant onboarding opens.

What sits behind a Scotia sign-in

Each surface below maps to something a customer can see in the app today. Granularity matters more than the headline: a balance is one number, but transaction activity, a credit report, and a Scene+ ledger are records you can join, dedupe, and re-key.

Authorized ways into the account data

Three routes genuinely apply to this app. They differ in how soon they work and how long they keep working.

Consent-based protocol integration

The account holder authorizes us, and we work with the same mobile backend the signed-in app talks to: a device-bound session, the 2-step verification challenge, then reads against accounts, rewards, and the credit-score tile. This returns the full set of authenticated surfaces and works now. It needs maintenance when Scotiabank ships an app update that moves a field or changes the login flow.

Regulated account information services (AIS)

Under the Consumer-Driven Banking Act, read access to designated data is being stood up for Phase 1 (early 2026), with Scotiabank among the mandatory participants. Once accredited-participant onboarding opens, this becomes the most durable route — a standardized read interface, no front-end fragility. It is not callable by third parties yet, which is why it is the target to grow into, not the one to wait on.

Native statement export

For document-level data, the statements a customer can download from online banking are a low-effort fallback: monthly PDFs that we parse into structured rows. Narrow, but reliable for accounts where activity-level reads are not needed.

For a Scotia integration starting now, we would build against the consent-based protocol route, because it returns the same chequing activity, Scene+ balance, and credit-score data a logged-in customer sees, and the schema we ship maps cleanly onto the CDBA read interface once that path is callable. The export route stays in the toolkit for statement documents; AIS is where the build migrates, not where it begins.

The Canadian rulebook, where it actually stands

Scotiabank's accounts here are Canadian, so the governing instrument is Canada's Consumer-Driven Banking Act, passed in 2024. The detail that matters for a 2026 build: oversight moved from the Financial Consumer Agency of Canada to the Bank of Canada under Bill C-15 (Royal Assent in March 2026), and the framework runs in phases — read access first (early 2026), payment initiation later (targeted mid-2027). Read access, accreditation, consent and authentication rules, and a ban on screen scraping are part of the Act; what is not yet in place is live third-party participation. We treat the customer's own authorization as the dependable basis, keep consent scoped and time-bound with revocation honored, log every access, minimize what we store, and sign an NDA where the engagement calls for one. That posture is how the studio operates regardless of which route is active.

What you receive

Deliverables are tied to the surfaces above, not a generic checklist:

• An OpenAPI/Swagger specification for the endpoints we map — account activity, Scene+, the credit-score tile, deposits.
• A protocol and auth-flow report covering the device-bound session, the 2-step verification challenge, and token refresh as they behave on the Scotia backend.
• Runnable source for the key reads, in Python or Node.js, with a normalized schema that lands chequing, lending, and rewards data in one shape.
• Automated tests against recorded responses, so a Scotiabank app update that breaks a field is caught before it reaches your data.
• Interface documentation, plus consent-handling and data-retention guidance written for the Canadian framework.

A pull, sketched

Illustrative only — field names are confirmed during the build, not copied from any published spec. It shows the shape: consented session, then reads across two backends.

# Consent-based session against the Scotia mobile backend
POST /auth/session
  { "card": "<consented>", "device_id": "...", "otp": "<from customer>" }   # 2-step verification
  -> { "session_token": "...", "refresh_token": "...", "expires_in": 900 }

# Account activity for a date range
GET /accounts/{id}/activity?from=2026-05-01&to=2026-05-31
  Authorization: Bearer <session_token>
  -> { "account": "chequing", "currency": "CAD",
       "txns": [ { "posted": "2026-05-14", "amount": -42.30,
                   "desc": "INTERAC e-Transfer", "balance": 1180.55 } ] }

GET /rewards/sceneplus/balance     -> { "points": <int>, "redemptions": [ ... ] }
GET /credit-score/transunion       -> { "score": <int>, "as_of": "2026-05-01" }   # soft pull, monthly

# On 401, refresh once, then re-issue the read; surface a typed AuthExpired error otherwise

Build details we plan around

Two things about this app shape the engineering, and we handle both as part of the work.

• Shared sign-on into iTRADE. One Scotia session can reach both the banking app and Scotia iTRADE, but balances and brokerage positions sit in different backends. We map which surface answers from which backend, so portfolio data is pulled from iTRADE and joined to the banking ledger rather than expected from a single endpoint.
• The credit score is a soft, monthly pull. The TransUnion score is fetched at zero impact and its history is monthly, so we sync it on that cadence instead of polling. That keeps the integration honest with how the app itself treats the data and avoids needless refreshes.
• Device binding and 2-step verification. The app records device model, OS version, and IP, and runs a 2-step challenge. We design the consented session setup around the customer's MFA so it establishes cleanly and the token refreshes without re-prompting on every read.
• Canada-only scope. The app states it covers accounts held in Canada; we scope the integration to that backend and do not assume Scotiabank endpoints in other countries behave the same way.

Access to a consenting account or a sandbox is arranged with you during onboarding — it is a step we run, not a form you fill out before we start.

Where this data goes

• A lender combines chequing activity with the consented TransUnion score for a faster, document-light underwriting pass.
• A money app folds Scene+ points and Smart Money spend categories into one balance-and-rewards view.
• An accounting tool reconciles mobile cheque deposits against open invoices, matching on cheque number and amount.
• A wealth dashboard joins banking balances with iTRADE positions so a customer sees cash and holdings together.

Screens we worked from

Store screenshots used while mapping the visible surfaces. Tap to enlarge.

Other Canadian banking apps in the same picture

If you are aggregating across Canadian banks, the Scotia integration is one node. These hold comparable per-customer data and would attach to a unified layer the same way.

• RBC Mobile — Royal Bank chequing, savings, cards and Avion rewards; another Big Six mandatory participant.
• TD app — TD Canada Trust accounts, transfers, and statements, with similar authenticated activity data.
• CIBC Mobile Banking — accounts, payments, and Aventura/rewards balances behind a single login.
• BMO Mobile Banking — Bank of Montreal deposit and lending accounts plus transaction history.
• National Bank — NBC accounts and activity, a Big Six participant outside the top five marketing grouping.
• Tangerine — Scotiabank-owned online bank; no-fee accounts and a distinct backend from the Scotia app.
• Simplii Financial — CIBC's direct bank, accounts and activity reachable under consent.
• Desjardins (AccesD) — Quebec cooperative holding accounts, cards, and statements for its members.
• Scotia iTRADE — Scotiabank's own brokerage app, the investment backend joined to the banking data above.

Questions integrators ask about the Scotia app

Does Canada's consumer-driven banking framework mean I can read Scotia accounts through an open interface today?

Not yet. The Consumer-Driven Banking Act passed in 2024 and Phase 1 read access is being stood up for early 2026, with oversight moved from the FCAC to the Bank of Canada under Bill C-15. Third-party participant onboarding is not live, so the dependable basis right now is the account holder's own consent and protocol-level integration. We build so the work ports onto the read interface once Scotiabank's participant onboarding opens.

Can you reach Scene+ points and the TransUnion credit score, or only balances?

Both. The Scene+ balance and redemption history and the TransUnion score with its monthly history are separate surfaces inside the app, and each gets mapped on its own. The credit score is a soft pull at zero impact, so we sync it on its monthly cadence rather than polling it.

How do investments held in Scotia iTRADE fit into a Scotia banking integration?

iTRADE is a separate app reachable through the same sign-on. Positions and holdings live in a different backend from chequing and savings, so we map them as a second source and join them to the banking data rather than assuming one endpoint returns everything.

What is captured in the mobile cheque deposit flow, and is it reconcilable?

The deposit flow records the cheque number, institution transit number, account number and amount alongside the camera image, as the app's own disclosure describes. Those records are reconcilable per deposit, which makes them useful for deposit audit and accounting workflows.

How this mapping was put together

Checked on 15 June 2026 against the app's Google Play listing and feature pages, the federal Department of Finance materials on the Consumer-Driven Banking Framework, and the FCAC mandate announcement. The data domains come from the app's described features and privacy disclosure; the regulatory timeline and the FCAC-to-Bank-of-Canada oversight shift come from the government sources below.

• Department of Finance — Budget 2025, Consumer-Driven Banking Framework
• FCAC welcomes new mandate to oversee the framework (2024)
• Scotiabank Mobile Banking on Google Play
• Scotiabank — Scotia app features

OpenBanking Studio · integration desk, June 2026.

A Scotia integration ships as runnable source for the mapped reads — chequing activity, Scene+, the credit-score tile — from $300, billed only after delivery once you have checked it works; or skip the build and call our hosted endpoints instead, paying per call with nothing upfront. Either way the cycle is one to two weeks. Tell us the app and what you need from its data on the contact page and we will scope it.