Merge Api Header


Frequently asked questions

What is Open Banking?

Open Banking allows for customers' banking data to be safely shared with trusted Third Party Providers (TPPs).

Please refer to the Open Banking website for further details

Who is the developer portal designed for?

The developer portal is for software developers of Third Party Providers (TPPs) to provide the information needed to connect to our APIs.

What Virgin Money products were launched after 2 December 2019?

  • Virgin Money Current Account and Instant Saver
  • Virgin M Account and M Saver

How does a Third Party Provider (TPP) on-board?

We allow Dynamic Client Registration providing you have enrolled with Open Banking and uploaded your certificates.

If you are not enrolled with Open Banking and have suitable eIDAS (QSEAL and QWAC) certificates and appropriate permissions from your relevant NCA please email us at with the subject "Manual Registration" and we will process your request

How do I register for your Service-Now support portal?

Please email

We will respond to your email query during normal office hours, Monday to Friday 9am to 5pm.

To assist us, please include your Open Banking organisation ID.

Who do I contact if I have any Virgin Money Open Banking issues or queries?

Please email, raise a ticket via the Open Banking Service Desk (Problem with an ASPSP -> ClydesdaleBank) or raise a ticket via our Service-Now portal if you are registered.

We will respond to your email query during normal office hours, Monday to Friday 9am to 5pm.

To assist us, please include as much information as possible so we can attempt to replicate your issue including whether the issue is with our merged or standalone APIs.

Which type of certificates do we support on OB for CYBG?

We currently support OB legacy transport and signing certificates for UK TPPs.  For non-UK TPPs we accept eIDAS QWAC and eIDAS QSeal.

We will move to accept OBWAC and OBSeal before July 2021, when OB legacy can no longer be used.

For each brand, what account types do you support across the API?

Business Current Accounts
Academy Business Current Accounts
Business Currency Accounts
Business Current Accounts
Clubs, Societies & Charity Current Accounts
Offset Business Current Accounts
Professional Firms Client Accounts
Business Savings Accounts
BBS Scheme Savings Accounts
Business Cash Management Accounts
Charity Instant Savings Accounts
Offset Business Savings Accounts
Trust Instant Access Savings Accounts
Personal Current Accounts
Control Current Accounts
DYB Packaged Current Accounts
Personal Currency Accounts
Plus Current Accounts
Private Current Accounts
ReadyCash Current Accounts
Signature Current Accounts
Student Current Accounts
Tracker Current Accounts
Personal Savings Accounts
Cash ISA Accounts
CyberSave Savings Accounts
Instant Access Flexible ISA Accounts
Instant Savings Accounts
JumpStart Savings Accounts
Offset Savings Accounts
Offset Plus Savings Accounts
Online Fixed Rate Bonds
Plus Savings Accounts
Private Savings Accounts
Private Nil Interest Savings Accounts
Signature Savings Accounts
“B” Credit Card Account
Clydesdale Bank Credit Card Account
Yorkshire Bank Credit Card Account
Current Accounts
Flexible Repay Accounts
Private Flexible Repay Accounts
Rapid Repay Accounts
Retail Flexible Repay Accounts
Virgin Money and M Accounts
Current Accounts
Club M Current Accounts
M Current Accounts
Virgin Money Current Accounts
Savings Accounts
Club M Savers Accounts
M Saver Accounts
Virgin Money Savings Accounts


How many years/months transactions history information do you make available from your API?

The Transaction API will return transaction details for any period that the customer provides consent for, and if TransactionFromDateTime and TransactionToDateTime are not specified it will be default to 90 days.

Why am I getting a '400 Bad Request' error message when attempting to dynamically register tusing the Merged API endpoints?

Dynamic registration endpoints expect specific validation headers.

Some of our more frequent issues with Dynamic Registration are:
1) Field 'Aud'- uses the regex function (^[0-9a-zA-Z]{1,18}$) to identify this field and doesn't accept special characters.
2) Field 'Jti'- uses the regex function (^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$) to identify this field anddoesn't accept lower case characters.
3) Content Type - should be 'application/jose', not 'application/jwt'.

Do you allow customers to delete consents?

We do not offer any way for customers to delete their consents. Please ensure you have built this functionality into your application before allowing customers to grant consents.

What do the error codes mean within the HTTP 403 error message?

1) Error code 002 = no client certificate was found in session. Please check your request and try again.
2) Error code 003 = client certificiate was found in session but was not QWAC type. Please check your request and try again. This is only possible if you are using an eIDAS certificate.
3) Error code 004 = client certificate was found in session but failed OCSP validation. Please check your request and try again.

What are the contact details for CYBG helpdesk?

You can direct customers to our website where full contact information is available.

Clydesdale Bank -
Yorkshire Bank -
B -
Virgin Money -

Having trouble?

Contact our dedicated team members via our ticketing system or via our support mailbox

Opens in a new window Contact