Frequently asked questions

What is Open Banking?

Open Banking allows for customers' banking data to be safely shared with trusted Third Party Providers (TPPs).

Please refer to the Open Banking website for further details

Who is the developer portal designed for?

The developer portal is for software developers of Third Party Providers (TPPs) to provide the information needed to connect to our APIs.

What Virgin Money products were launched after 2 December 2019?

Virgin Money Current Account and Instant Saver
Virgin M Account and M Saver

How does a Third Party Provider (TPP) on-board?

We allow Dynamic Client Registration providing you have enrolled with Open Banking and uploaded your certificates.

If you are not enrolled with Open Banking and have suitable eIDAS (QSEAL and QWAC) certificates and appropriate permissions from your relevant NCA please email us at OpenBankingResponse@cybg.com with the subject "Manual Registration" and we will process your request

How do I register for your Service-Now support portal?

Please email OpenBankingResponse@cybg.com

We will respond to your email query during normal office hours, Monday to Friday 9am to 5pm.

To assist us, please include your Open Banking organisation ID.

Who do I contact if I have any Virgin Money Open Banking issues or queries?

Please email OpenBankingResponse@cybg.com, raise a ticket via the Open Banking Service Desk (Problem with an ASPSP -> ClydesdaleBank) or raise a ticket via our Service-Now portal if you are registered.

We will respond to your email query during normal office hours, Monday to Friday 9am to 5pm.

To assist us, please include as much information as possible so we can attempt to replicate your issue including whether the issue is with our merged or standalone APIs.

Which type of certificates do we support on OB for CYBG?

We currently support OB legacy transport and signing certificates for UK TPPs. For non-UK TPPs we accept eIDAS QWAC and eIDAS QSeal.

We will move to accept OBWAC and OBSeal before July 2021, when OB legacy can no longer be used.

For each brand, what account types do you support across the API?

BUSINESS ACCOUNTS
Business Current Accounts Academy Business Current Accounts Business Currency Accounts Business Current Accounts Clubs, Societies & Charity Current Accounts Offset Business Current Accounts Professional Firms Client Accounts	Business Savings Accounts BBS Scheme Savings Accounts Business Cash Management Accounts Charity Instant Savings Accounts Offset Business Savings Accounts Trust Instant Access Savings Accounts
PERSONAL ACCOUNTS
Personal Current Accounts Control Current Accounts DYB Packaged Current Accounts Personal Currency Accounts Plus Current Accounts Private Current Accounts ReadyCash Current Accounts Signature Current Accounts Student Current Accounts Tracker Current Accounts	Personal Savings Accounts Cash ISA Accounts CyberSave Savings Accounts Instant Access Flexible ISA Accounts Instant Savings Accounts JumpStart Savings Accounts Offset Savings Accounts Offset Plus Savings Accounts Online Fixed Rate Bonds Plus Savings Accounts Private Savings Accounts Private Nil Interest Savings Accounts Signature Savings Accounts
CREDIT CARD ACCOUNTS “B” Credit Card Account Clydesdale Bank Credit Card Account Yorkshire Bank Credit Card Account	CAM ACCOUNTS Current Accounts Flexible Repay Accounts Private Flexible Repay Accounts Rapid Repay Accounts Retail Flexible Repay Accounts
Virgin Money and M Accounts
Current Accounts Club M Current Accounts M Current Accounts Virgin Money Current Accounts	Savings Accounts Club M Savers Accounts M Saver Accounts Virgin Money Savings Accounts

How many years/months transactions history information do you make available from your API?

The Transaction API will return transaction details for any period that the customer provides consent for, and if TransactionFromDateTime and TransactionToDateTime are not specified it will be default to 90 days.

Why am I getting a '400 Bad Request' error message when attempting to dynamically register tusing the Merged API endpoints?

Dynamic registration endpoints expect specific validation headers.

Some of our more frequent issues with Dynamic Registration are:
1) Field 'Aud'- uses the regex function (^[0-9a-zA-Z]{1,18}$) to identify this field and doesn't accept special characters.
2) Field 'Jti'- uses the regex function (^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$) to identify this field anddoesn't accept lower case characters.
3) Content Type - should be 'application/jose', not 'application/jwt'.

Do you allow customers to delete consents?

We do not offer any way for customers to delete their consents. Please ensure you have built this functionality into your application before allowing customers to grant consents.

What do the error codes mean within the HTTP 403 error message?

1) Error code 002 = no client certificate was found in session. Please check your request and try again.
2) Error code 003 = client certificiate was found in session but was not QWAC type. Please check your request and try again. This is only possible if you are using an eIDAS certificate.
3) Error code 004 = client certificate was found in session but failed OCSP validation. Please check your request and try again.

What are the contact details for CYBG helpdesk?

You can direct customers to our website where full contact information is available.

Clydesdale Bank - https://secure.cbonline.co.uk/contact-us/
Yorkshire Bank - https://secure.ybonline.co.uk/contact-us/
B - https://www.youandb.co.uk/help/talk-to-us/
Virgin Money - https://uk.virginmoney.com/contact/

Support