Open Banking RFP Checklist: What to Include Before You Send It
Procurement teams issue an open banking RFP when multiple business units, legal, or group policy require three comparable bids before signing. Without a tight scope, you receive fifty-page PDFs that answer different questions — and six months later you still do not know which provider clears your top banks. This checklist structures what to include in an open banking RFP so responses are testable, scored consistently, and tied to payment success and ops outcomes — not generic “PSD2 compliance” essays.
Open banking RFP: A formal request for proposal sent to regulated open banking providers, specifying your use cases, countries, required banks, technical requirements, commercial scenarios, and evaluation criteria — so vendors answer the same questions with evidence you can score.
What belongs in the RFP executive summary?
State the business outcome first — lower cost per successful payment, faster account verification, fewer reconciliation hours — then the regulatory context in one line. Buyers who open with directive summaries get directive-shaped answers.
Include:
- Company profile — industry, B2B vs B2C mix, EU entities
- Primary use cases — pay by bank checkout, invoice collection, payouts, affordability, onboarding verification
- Geography — countries live in year one vs roadmap
- Volume bands — monthly successful payments or API calls (ranges are fine)
- Timeline — RFP issue date, clarification window, demo week, award target
- Decision committee — payments, product, engineering, finance, legal, procurement
Attach a mandatory bank list (top 20 institutions by customer volume). Require vendors to mark support per bank for initiation and data separately.
Which technical requirements force comparable answers?
Technical sections should be answerable yes/no with evidence links, not marketing narrative.
Integration and APIs
- REST API version and deprecation policy
- Sandbox parity with production for your listed banks
- Webhook events, retries, signing, and replay documentation
- Idempotency keys on payment create
- Error code catalogue with recommended handling
Coverage and flows
- Institution list export format and update frequency
- Mobile deep link support per listed bank
- SEPA Instant vs standard credit transfer behaviour
- Refund and payout APIs if applicable
- Consent UX ownership (embedded vs redirect)
Security and data
- ISO 27001 / SOC 2 status and report availability under NDA
- Data residency (EU-only processing requirement if applicable)
- Subprocessor list
- Incident notification SLA
- Penetration test summary date
Require vendors to complete a matrix — not prose — for each listed bank: PIS yes/no, AIS yes/no, notes.
What commercial and legal sections prevent surprise fees?
Commercial questions should model your real payment mix, not a single list price.
Ask for pricing in writing for:
- Successful payment initiation
- Failed or abandoned attempts (if charged)
- Account verification or data calls
- Monthly minimums or platform fees
- Onboarding and professional services
- FX or cross-border if relevant
Include three scenario tables vendors must fill:
| Scenario | Example |
|---|---|
| Low volume pilot | 5k successes / month, DE+NL |
| Base case | 50k successes / month, 4 countries |
| Growth | 200k successes / month, SEPA Instant share 40% |
Legal should reference your standard DPA, liability caps, and insurance minimums. Flag if you need pass-through regulatory status documented (who holds the licence relationship with the payer bank).
How should you score RFP responses?
Publish a weighted scoring rubric with the RFP so vendors know what matters. Example for payments-led procurement:
| Section | Weight | Score 1–5 guidance |
|---|---|---|
| Bank coverage (attached list) | 30% | 5 = all mandatory banks proven in sandbox |
| Technical fit | 20% | Webhooks, idempotency, docs quality |
| Commercial fit | 15% | Transparent scenario pricing |
| Security & compliance | 15% | Reports available, EU residency met |
| Support & roadmap | 10% | Named CSM, incident process |
| References | 10% | Similar industry, similar scale |
Assign section owners: engineering scores API, finance scores pricing, legal scores contracts. Procurement aggregates — they should not alone score bank coverage.
Disqualify on hard gates: missing mandatory banks without credible dated roadmap, no EU data residency when required, refusal to provide webhook documentation.
What should you run before the RFP goes out?
Run a two-week pilot with two finalists before issuing the RFP when possible. Attach pilot results as an appendix — vendors then compete on gaps you already measured, not claims.
Minimum pre-RFP internal prep:
- Signed-off use case priority list
- Bank list from analytics (not guessed)
- Draft scorecard approved by decision committee
- Clarification contact and deadline
- NDA template if sharing sensitive volumes
Browse open banking providers to ensure your invited list matches the capability tags you need — then still validate in sandbox.
If you are still framing how to compare vendors, read open banking provider comparison before locking RFP sections.
What belongs in vendor demos after the RFP?
Demos should replay your flow, not a vendor’s generic slide deck.
Script:
- Create a payment or verification for a mandatory bank in sandbox
- Show webhook delivery to your test endpoint
- Show reconciliation fields (IBAN, reference, status)
- Show failure handling (user cancels at bank)
- Engineering Q&A on rate limits and incident comms
Score demos with the same rubric weights. Record who attended from each vendor — account turnover matters for open banking relationships.
What should the contract include after RFP award?
The RFP wins on paper; the contract wins in production. Before signature, attach exhibits that mirror what you scored.
Essential exhibits:
- Service schedule with uptime target and maintenance windows
- Bank list appendix updated quarterly or when provider publishes institution changes
- Data processing agreement with EU residency and subprocessors
- Pricing exhibit tied to your three volume scenarios with renewal caps
- Exit terms — data export, transition assistance, notice period
Negotiate SLA credits tied to webhook delivery or API availability if payments are core revenue — not only generic platform uptime. Define what happens when a major ASPSP outage blocks your mandatory bank: communication cadence, not silence.
Plan a ninety-day post-go-live review with the same scorecard weights. If initiation success on mandatory banks drops below the RFP threshold, trigger remediation before annual renewal.
How do you handle clarifications without giving one vendor an edge?
Publish clarifications to all bidders on the same channel with the same deadline extension rules. Common questions — data residency, webhook format, refund support — should get written answers every vendor sees.
Forbidden patterns:
- Private Slack answers to one finalist
- Changing mandatory banks after responses without re-bid
- Letting a vendor demo a bespoke feature not offered in standard product without labeling it roadmap
Appoint a single clarification owner from product or engineering so technical answers stay consistent with your internal architecture decisions.
Frequently Asked Questions
What is an open banking RFP?
It is a structured procurement document sent to licensed open banking providers, defining your use cases, technical requirements, bank coverage, pricing scenarios, and scoring criteria so you can compare bids fairly.
How long should an open banking RFP process take?
Eight to twelve weeks is common for mid-market EU teams: two weeks internal prep, three weeks responses, two weeks clarifications and demos, two weeks commercial negotiation. Pilots run in parallel when timelines are tight.
Should I include AIS and PIS in the same RFP?
Include both if you need both in year one. Split scoring sections so payment initiation vendors are not judged on data features they do not offer — or issue separate lots with clear lot winners.
What banks must I list in the RFP?
List the institutions that represent the majority of your customer payment volume per country. Vendors cannot honestly respond without a named list.
Can startups respond to an enterprise open banking RFP?
Yes if they meet hard gates: licence status, bank coverage on your list, security reports, and financial stability acceptable to your risk team. Size alone is not a criterion — fit is.
Do I need a consultant to write an open banking RFP?
Not always. Use this checklist and a pilot if you have a technical owner. Consultants help when multiple EU entities share one framework contract.
How does an RFP differ from a proof of concept?
A POC tests whether the product works for your flow. An RFP is a formal bid process with legal and commercial terms. Best practice: POC on two vendors, then RFP referencing POC results.
Conclusion
A strong open banking RFP ties every section to outcomes — successful payments, verified accounts, reconciled ledger rows — and forces comparable answers with bank-level matrices, scenario pricing, and published weights. Prepare internally, pilot before you score marketing PDFs, and use a provider directory to align your invite list with your use cases. The goal is a contract that survives your top banks in production, not the best-written compliance introduction.
Related articles
- How to Choose an Open Banking Provider in the EU
Choosing an open banking provider in the EU is less about reading feature grids and more about matching your markets, use cases, and billing model to what a ve…
- How to Shortlist Open Banking Providers Without a Six-Week Bake-Off
You do not need a six-week bake-off to get from twenty open banking providers to a short list of three. Most wasted time comes from comparing vendors before yo…
- Income Verification With Open Banking: A Guide for EU Lenders
Manual payslips and uploaded PDFs slow underwriting and still miss what actually hits the borrower’s account. Income verification open banking lets applicants…