A range of frequently asked questions and answers.

Open Banking

How do I know Open Banking is safe?

Open Banking has been designed with security at its heart – here’s how:

Bank-level security – Open Banking uses rigorously tested software and security systems. You’ll never be asked to give access to your bank login details or password to anyone other than your own bank or building society.

It is regulated – Only apps and websites regulated by the FCA or European equivalent can use Open Banking.

Fine control – The account holders choose when, and for how long, they give access to their data.

Extra protection – Banks or building societies will pay customers their money back if fraudulent payments are made. Customers are also protected by data protection laws and the Financial Ombudsman Service.

Yapily Platform

Do the Yapily APIs conform to any specification or standard (e.g. OBIE)?

Yapily operates as an Open Banking gateway to connect with banks which support Open Banking under many different standards. In order to provide the same experience irrespective of the bank integration, we provide our own specification, normalising the data sent to and provided by each bank’s existing Open Banking APIs.

Does Yapily provide UI modals for the Open Banking AIS and PIS flows?

As an Open Banking Gateway, Yapily does not provide UI modals for your payment flows. While the secure payment will be issued by your users' chosen bank, the view in which the user specifies the bank to use is something you will have to develop for your app. This decision means that you will have complete control and flexibility over how to design your application, whether on web or mobile.

What do I do if I am not FCA regulated but I am interested in using Yapily?

There are several options for using Yapily APIs without having the required Open Banking licenses:

Use a preconfigured sandbox - If you want to test our APIs, we offer a range of pre-configured sandboxes which allow you to develop your applications with sample data with no hassle. Although we provide many sandboxes, the quality of the sandboxes and the data they provide vary. We actively test against the Ozone Sandbox so we recommend using this sandbox.

To use a preconfigured sandbox, be sure to change the All Environments dropdown in the institutions view in the dashboard to 'Preconfigured Sandbox'.

Use our regulated entity (SafeConnect) - SafeConnect is our subsidiary company which is regulated by the FCA for executing AIS and PIS requests. As far as designing your application and the endpoints you call, there is no difference to using a preconfigured sandbox.

Get in contact with our team for more information on how to use SafeConnect.

Do you, and the Institutions you connect to, support SCA exemption for Trusted Beneficiary?

The SCA exemption for trusted beneficiaries is just as with online banking, so if you're able to carry out non-SCA payments to a trusted beneficiaries list over the online bank, for a particular banking brand, then that bank supports it. Most of the banks I've come across do this, but whilst the right to support white-listing of trusted beneficiaries is mandated in the SCA requirements, the RTS don't state exactly how the banks have to manifest that - it's up to them if they accept an exemption request or trigger SCA on a transaction.

On the whole, however, I think it's safe to assume the vast majority of banks will keep trusted beneficiaries exempt from SCA.

Authorisation Flow

Does Yapily have its own UI in the authorisation flow?

No, Yapily's goal is to be as covert as possible and just give you everything you need to define the journey for receiving your user's consent to their financial data or to initiate a payment on their behalf. Yapily does provide UI guidelines to help build these journeys and icons and logos for every institution that can be obtained from GET Institution and GET All Institutions.

After authorising with the bank, is it possible to bypass auth.yapily.com?

Yes, for direct customers, you need to define an additional redirectUrl when creating your SSA in the Open Banking Directory. After authorising with the bank, you will then get an authCode and authState from the bank which you will need to exchange for a consentToken using POST [Forwarding] Send OAuth2 Code.

For customers using the SafeConnect brand, it is also possible to do so but as you do not own your own certifications, get in contact with us at support@yapily.com to discuss how we can enable this for you.

Account Information

See here for the full list of consent statuses.

What AIS features can each institution provide?

Not every Institution supports the complete list of features that Yapily supports. If you want to be sure that a particular Institution supports a specific feature, check GET Institution to ensure that the feature is listed in the features array in the response.

See the full list of Yapily features currently supported.

Does Yapily provide MCCs (merchant category codes) for transactions?

As a gateway, Yapily can only return the information that the institution provides. As the MCC is an optional field that is not enforceable under PSD2, the presence of this information is completely dependent on whether the institution provides it. Most TPPs that ask for this usually want it to build their own categorisation engines. Check the features array in the response body of GET Institution for ACCOUNT_TRANSACTIONS_WITH_MERCHANT to find out whether your institution provides merchant data.

Why can I not get identity data from my institution?

Not every institution provides this as a feature, so Yapily cannot always provide this information. To investigate whether your institution supports identity data, see:

Resolving status code 424 (FAILED DEPENDENCY) errors

What is the experience for getting financial data from joint accounts and business accounts?

Joint accounts and business accounts are accounts that may require multiple authorisations in order to obtain financial data, depending on the institution. In the event that multiple authorisations are enforced by an institution, once a user authorises an account authorisation request, the status of the Consent object will change from AWAITING_AUTHORISATION to AWAITING_FURTHER_AUTHORIZATION until the required authorisations have taken place offline (e.g. email, SMS or phone call). The Consent object will contain information about how many authorisations are required and how many have been authorised while in this state.

Payment Information

How long does it take for a transaction to change from PENDING to COMPLETE?

When it comes to Open Banking payments, Yapily initiates the payment request but the execution of the payment is up to the ASPSP, so it is difficult to tell when the status changes to COMPLETE. Generally, banks use FPS so payments should be quick, but it's difficult to give definite timelines. It also depends on the number of authorisations required to complete the payment. If it is more than one, then the payment will be marked as completed only after all authorisations have been received by the bank.

Is app-to-app deep linking supported?

Provided that the customer uses mobile banking and has the accompanying mobile banking application installed on their mobile device, deep linking will automatically occur in both the AIS and PIS authentication flows redirecting from your TPP application to the banking application. There is no configuration required to enable this functionality.

Is it possible to track the status of a payment after completing the payment?

Yes - As long as the payment status was successful and is in the PENDING state, you can use the consentToken generated from the payment authorisation request call and the payment Id returned from the payment execution call to poll the status of the payment until it changes to COMPLETED.

Is there a callback or web-hook that informs when payments change status?

As of now, ASPSPs and Yapily are not providing any web-hooks or callbacks in the event that the payment status changes. The status can only be checked by using the GET Payment Details endpoint with the paymentId of the completed payment request.

How do we reference a payment back to a transaction for a given account?

As long as a reference is set in the payment authorisation request (and hence the payment request), the same reference will be visible within the field transactionInformation in the payment transaction response. As of now, most banks send a reference in a transactionInformation field instead of a reference field.

What are the possible payment statuses?

See the full list of payment statuses.

The payment consent expiry depends on the financial institution, but generally it's not more than a couple of minutes.

Why does the payment information look strange in my sandbox once I’ve issued a payment request?

Some sandboxes don’t accurately replicate a real payment bank since they are only mock environments. You can attempt to use other sandboxes to see how each institution behaves but be advised that not every sandbox is stable and this functionality may change. Within live banks however, there is usually a consistent display of the payment details.

Is it possible to initiate EUR payments from UK banks?

Yes, it is possible to initiate EUR payments from UK banks when you perform an International Payment. If the payment is initiated in EUR and the source bank account is in GBP, the currency conversion is applied and the equivalent amount in GBP will be debited from the source account. If the destination account is also in EUR then the same amount will be credited into the destination account.

What is the experience for creating a payment from joint accounts or business accounts?

The only difference with payments that require multiple authorisations is that once the authorisation is completed by the user via your application and the payment is executed using the payment API, the state of the payment will be PENDING until all the required authorisations have been executed offline. The means for these authentications will be determined by the bank and are outside the Yapily domain (e.g. email, SMS, phone call). As before, the Get Payment Details endpoint can be called, which will show the number of required authorisations, the number of completed authorisations and the timestamp of the most recent authorisation. During this time, the status of the consent will be AWAITING_FURTHER_AUTHORIZATION until all the authorisations are executed.

What PIS features can each institution provide?

Not every Institution supports the complete list of features that Yapily supports. If you want to be sure that a particular Institution supports a specific feature, check GET Institution to ensure that the feature is listed in the features array in the response.

See the full list of Yapily features currently supported.


How do I find out when an Institution is experiencing downtime?

We have a monitoring dashboard that provides this information:

In the GET Institution and GET All Institutions responses, we also provide the capability for our customers to enable real-time monitoring. This will return a payload with the monitoring object containing the following:

  "monitoring": {
    "ACCOUNT": {
      "status": "Up",
      "lastTested": "2020-08-26T17:46:40.901Z",
      "span": "P14DT9H5M26.458S"
    },
    "IDENTITY": {
      "status": "Expired",
      "lastTested": "2020-08-25T18:33:45.255Z",
      "span": "PT22H15M37.897S"
    },
    "…": {
      "status": "Up",
      "lastTested": "2020-08-26T17:46:40.008Z",
      "span": "P14DT9H5M27.347S"
    },
    "…": {
      "status": "Expired",
      "lastTested": "2020-08-21T12:43:51.838Z",
      "span": "P5DT4H5M31.314S"
    }
  }

Get in contact with support@yapily.com in order to get more information on how to enable this in your application.
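One way a client could act on the monitoring object, as an added example that is not Yapily's own code: it lists the features that should not be relied on, failing closed on missing data, any status other than "Up", or a stale lastTested. The sample payload is constructed from the two named entries in the fragment above; the function names and the max_age threshold are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the two named entries from the monitoring fragment.
SAMPLE = json.loads("""
{
  "monitoring": {
    "ACCOUNT":  {"status": "Up", "lastTested": "2020-08-26T17:46:40.901Z",
                 "span": "P14DT9H5M26.458S"},
    "IDENTITY": {"status": "Expired", "lastTested": "2020-08-25T18:33:45.255Z",
                 "span": "PT22H15M37.897S"}
  }
}
""")


def parse_ts(value):
    """Parse a 'lastTested' timestamp (UTC, trailing Z) into an aware datetime."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def unavailable_features(institution, now, max_age=timedelta(hours=6)):
    """Return {feature: reason} for features that should not be relied on.

    max_age is an assumed freshness threshold, not a Yapily value.
    """
    monitoring = institution.get("monitoring")
    if not isinstance(monitoring, dict):
        return {"*": "no monitoring data"}
    problems = {}
    for feature, entry in monitoring.items():
        status = entry.get("status") if isinstance(entry, dict) else None
        if status != "Up":
            problems[feature] = f"status={status}"
            continue
        try:
            age = now - parse_ts(entry["lastTested"])
        except (KeyError, ValueError, TypeError):
            problems[feature] = "lastTested missing or malformed"
            continue
        if age > max_age:
            problems[feature] = f"last tested {age} ago"
    return problems
```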

How do I identify a request?

Each request made to the Yapily API will return a unique tracing-id. If there is an issue with a request to a particular Institution, Yapily also provides the response from the Institution in the payload if it is available:

"error": {
    "code": 424,
    "tracingId": "node09c1ljiqbvqbr1e64z116fz7jo0",
    "status": "FAILED_DEPENDENCY",
    "source": "INSTITUTION",
    "message": "Error from Institution. We can help you on https://support.yapily.com/",
    "institutionError": {
        "httpStatusCode": 400,
        "errorMessage": "{\"Message\":\"invalid_iss_claim: Invalid iss claim. Got org_id/statement_id. Expected 001580000103UArAAM/rapTYmFWJcXfdo2EvksDUx\"}"
    }
}

If there is an issue before reaching the Institution or if there is no error response from the Institution then Yapily will respond with the following format:

"error": {
    "code": 424,
    "tracingId": "node09c1ljiqbvqbr1e64z116fz7jo0",
    "status": "FAILED_DEPENDENCY",
    "source": "INSTITUTION",
    "message": "We can help you on https://support.yapily.com/"
}

In any case, if you require further assistance, please send an email to support@yapily.com describing the failed request and including the tracing-id, which will enable the support team to investigate the issue more quickly.
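The two error formats above can be reduced to the fields a support email needs with a small parser; this is an added example, not Yapily's own code. The sample body is constructed from the values shown above, and the function name and the keys of the returned summary are assumptions.

```python
import json

# Constructed sample, modelled on the first error format (values from the page).
WITH_INSTITUTION_ERROR = json.dumps({"error": {
    "code": 424,
    "tracingId": "node09c1ljiqbvqbr1e64z116fz7jo0",
    "status": "FAILED_DEPENDENCY",
    "source": "INSTITUTION",
    "message": "Error from Institution. We can help you on https://support.yapily.com/",
    "institutionError": {"httpStatusCode": 400, "errorMessage": json.dumps(
        {"Message": "invalid_iss_claim: Invalid iss claim. Got org_id/statement_id. "
                    "Expected 001580000103UArAAM/rapTYmFWJcXfdo2EvksDUx"})}}})


def summarise_error(body):
    """Reduce an error response body to the fields a support ticket needs.

    Returns None when the body is not an error in the format shown above.
    The institution's errorMessage is a string that may itself hold JSON,
    so it is decoded separately and kept verbatim when it does not parse.
    """
    try:
        err = json.loads(body)["error"]
        summary = {"tracingId": err["tracingId"], "code": err["code"],
                   "status": err.get("status"), "source": err.get("source")}
    except (ValueError, KeyError, TypeError):
        return None
    inst = err.get("institutionError")
    if isinstance(inst, dict):
        raw = inst.get("errorMessage")
        try:
            detail = json.loads(raw)
        except (ValueError, TypeError):
            detail = raw  # not JSON: keep the institution's text as-is
        if isinstance(detail, dict) and "Message" in detail:
            detail = detail["Message"]
        summary["institutionHttpStatus"] = inst.get("httpStatusCode")
        summary["institutionMessage"] = detail
    return summary
```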