FAQ
About Qwist information and initiation services
Who or what is Qwist?
Qwist (formerly finleap connect) is a Hamburg-based payment institution and IT company regulated by the German Financial Supervisory Authority. Qwist makes it possible to integrate data and functions from financial sources, such as bank accounts, into the services of Qwist or partner companies. This enables you, for instance, to integrate your account data into the accounting service of a Qwist partner or to initiate payments directly from there without having to switch to your online banking system.
Is Qwist safe?
You can rest assured that your data is safe at Qwist. As a payment institution, Qwist is regulated by the German Federal Financial Supervisory Authority (BaFin) and is therefore obliged to carry out regular internal audits and inspections. In addition, Qwist is regularly audited by both auditors of regulated Qwist partners and external auditors.
Who or what are Qwist partners?
You have been redirected to Qwist by a partner of your choice. Qwist cooperates with partners whose services require the integration of bank account functions and data. Typical Qwist partners are banks that offer you our account switch service or for example accounting apps in which you can integrate your account information and from which you can initiate payments.
Who do i sign which contracts with?
The use of Qwist itself is simple. The legal requirements by four parties involved are somewhat more complex and require at least the following contracts:
The online banking terms and conditions between you and your bank (hence no contract is necessary between your bank and Qwist).
The contract with the partner service between you and a Qwist partner of your choice.
The account holder usage agreement between you and Qwist.
A cooperation agreement between Qwist and the Qwist partner of your choice, who is thereby permitted to integrate the Qwist services.
How can i use Qwist?
The use of Qwist always requires that you first use the services of a Qwist partner who has integrated the Qwist services into his offer. In addition, you must have an account with a financial source (e.g. a bank) supported by Qwist. When using Qwist, you will be forwarded directly from the partner service to Qwist. The use of Qwist services without f the use of a partner service is not intended – with the exception of a Qwist user account administration in case of permanent use.
Can I use a partner service without Qwist?
Most partner services are also available without the integration of Qwist but cannot provide the full range of functions or are less convenient to use. For details on the functional scope of the partner service, please contact the respective partner.
Why is the Qwist user agreement so extensive?
As a payment institution, Qwist has to comply with certain regulations and information obligations, such as pre-contractual information. A particular complexity arises from the variety of parties involved (see question > Who do I conclude which contracts with?) as well as from the fact that Qwist offers access to payment accounts (in particular current accounts) regulated by financial supervisory law, as well as unregulated access to non-payment accounts (e.g. savings accounts or securities accounts).
Who can i contact at Qwist if I have a question?
If you do not find what you are looking for in this FAQ, Qwist is generally available for questions via email. Qwist can only answer questions relating to its own services and must refer to the partner’s support service for questions relating to the partner service.
If you have a question specifically related to data privacy, please contact dataprivacy-connect@qwist.com.
What is an API?
The acronym API is derived from the term Application Programming Interface. An API is a technical interface through which different programmes can exchange their relevant data with each other. For example, your bank provides Qwist with an API to access your accounts, which Qwist uses to access your account information. The bank’s API is – in greatly simplified terms – a representation of your online banking website limited to the management of rights and data without any design or other user-friendly elements. The retrieval of your data by your chosen Qwist partner also takes place via a Qwist API.
What are Qwist value-added services?
Qwist value-added services are products or services for end users that are not under supervision of the national competent authority (BaFin). One example of a value-added service is the Qwist account switch service, which supports you in switching your payment account to your new bank. The value-added services may contain a regulated information or initiation service.
Qwist (formerly finleap connect) is a Hamburg-based payment institution and IT company regulated by the German Financial Supervisory Authority. Qwist makes it possible to integrate data and functions from financial sources, such as bank accounts, into the services of Qwist or partner companies. This enables you, for instance, to integrate your account data into the accounting service of a Qwist partner or to initiate payments directly from there without having to switch to your online banking system.
Is Qwist safe?
You can rest assured that your data is safe at Qwist. As a payment institution, Qwist is regulated by the German Federal Financial Supervisory Authority (BaFin) and is therefore obliged to carry out regular internal audits and inspections. In addition, Qwist is regularly audited by both auditors of regulated Qwist partners and external auditors.
Who or what are Qwist partners?
You have been redirected to Qwist by a partner of your choice. Qwist cooperates with partners whose services require the integration of bank account functions and data. Typical Qwist partners are banks that offer you our account switch service or for example accounting apps in which you can integrate your account information and from which you can initiate payments.
Who do i sign which contracts with?
The use of Qwist itself is simple. The legal requirements by four parties involved are somewhat more complex and require at least the following contracts:
The online banking terms and conditions between you and your bank (hence no contract is necessary between your bank and Qwist).
The contract with the partner service between you and a Qwist partner of your choice.
The account holder usage agreement between you and Qwist.
A cooperation agreement between Qwist and the Qwist partner of your choice, who is thereby permitted to integrate the Qwist services.
How can i use Qwist?
The use of Qwist always requires that you first use the services of a Qwist partner who has integrated the Qwist services into his offer. In addition, you must have an account with a financial source (e.g. a bank) supported by Qwist. When using Qwist, you will be forwarded directly from the partner service to Qwist. The use of Qwist services without f the use of a partner service is not intended – with the exception of a Qwist user account administration in case of permanent use.
Can I use a partner service without Qwist?
Most partner services are also available without the integration of Qwist but cannot provide the full range of functions or are less convenient to use. For details on the functional scope of the partner service, please contact the respective partner.
Why is the Qwist user agreement so extensive?
As a payment institution, Qwist has to comply with certain regulations and information obligations, such as pre-contractual information. A particular complexity arises from the variety of parties involved (see question > Who do I conclude which contracts with?) as well as from the fact that Qwist offers access to payment accounts (in particular current accounts) regulated by financial supervisory law, as well as unregulated access to non-payment accounts (e.g. savings accounts or securities accounts).
Who can i contact at Qwist if I have a question?
If you do not find what you are looking for in this FAQ, Qwist is generally available for questions via email. Qwist can only answer questions relating to its own services and must refer to the partner’s support service for questions relating to the partner service.
If you have a question specifically related to data privacy, please contact dataprivacy-connect@qwist.com.
What is an API?
The acronym API is derived from the term Application Programming Interface. An API is a technical interface through which different programmes can exchange their relevant data with each other. For example, your bank provides Qwist with an API to access your accounts, which Qwist uses to access your account information. The bank’s API is – in greatly simplified terms – a representation of your online banking website limited to the management of rights and data without any design or other user-friendly elements. The retrieval of your data by your chosen Qwist partner also takes place via a Qwist API.
What are Qwist value-added services?
Qwist value-added services are products or services for end users that are not under supervision of the national competent authority (BaFin). One example of a value-added service is the Qwist account switch service, which supports you in switching your payment account to your new bank. The value-added services may contain a regulated information or initiation service.
Why do I have to enter the username and PIN for my online banking access at Qwist?
Qwist logs into your bank on your behalf. As a regulated payment institution, Qwist can process the necessary access data within the legally defined scope. Encryption and other security measures are used at all times to ensure that nobody but you, Qwist, and the bank has access to your login data within the scope of this technical communication – not even the partner service you are using (see also the question under the category ➤ Regulation and financial supervision: Can my bank prohibit me from using Qwist/the partner service?)
What is a Qwist user account?
You have to create a Qwist user account for the permanent or limited use of Qwist. Permanent integration of Qwist can be useful in order to be able to use certain features in partner services to their full extent or to forego certain steps within the context of a repeated use of Qwist services. If you decide to save your online banking access data, some partner services will become even more convenient for you.
Will my online banking access data be saved?
It’s up to you. You can allow Qwist to save the online banking access data including the PIN if you want Qwist to automatically update your account information for you at the bank and in addition allow the partner of your choice automatic access to Qwist (see also the above question under the category ➤ About Qwist the question: What is the auto-synchronisation function?).
Of course, you can use Qwist’s offer without saving the PIN – but then you have to enter all the access data again at Qwist for every update of the data at the partner.
Do I have to pay for Qwist?
No. Qwist is free of charge for you as a user. The costs will be paid by the provider of the partner service. To find out whether you pay anything for the use of the partner service, please refer to the separate user agreement with your chosen partner.
Your bank may charge you fees for the use of the TAN procedures such as for the sending of an smsTAN. Please refer to your bank’s list of prices and services to see whether you will be charged for using the TAN procedures.
Is there a minimum contract duration?
You can delete your Qwist user account at any time. To do this, simply send an e-mail to support@qwist.com. There is no minimum contract period or the like. This does not concern a possible agreement about a potential minimum contract period for the use of the partner service.
For the Qwist value-added services (account switch service), the duration is limited to 90 days. Your account will be deleted automatically afterwards.
Qwist logs into your bank on your behalf. As a regulated payment institution, Qwist can process the necessary access data within the legally defined scope. Encryption and other security measures are used at all times to ensure that nobody but you, Qwist, and the bank has access to your login data within the scope of this technical communication – not even the partner service you are using (see also the question under the category ➤ Regulation and financial supervision: Can my bank prohibit me from using Qwist/the partner service?)
What is a Qwist user account?
You have to create a Qwist user account for the permanent or limited use of Qwist. Permanent integration of Qwist can be useful in order to be able to use certain features in partner services to their full extent or to forego certain steps within the context of a repeated use of Qwist services. If you decide to save your online banking access data, some partner services will become even more convenient for you.
Will my online banking access data be saved?
It’s up to you. You can allow Qwist to save the online banking access data including the PIN if you want Qwist to automatically update your account information for you at the bank and in addition allow the partner of your choice automatic access to Qwist (see also the above question under the category ➤ About Qwist the question: What is the auto-synchronisation function?).
Of course, you can use Qwist’s offer without saving the PIN – but then you have to enter all the access data again at Qwist for every update of the data at the partner.
Do I have to pay for Qwist?
No. Qwist is free of charge for you as a user. The costs will be paid by the provider of the partner service. To find out whether you pay anything for the use of the partner service, please refer to the separate user agreement with your chosen partner.
Your bank may charge you fees for the use of the TAN procedures such as for the sending of an smsTAN. Please refer to your bank’s list of prices and services to see whether you will be charged for using the TAN procedures.
Is there a minimum contract duration?
You can delete your Qwist user account at any time. To do this, simply send an e-mail to support@qwist.com. There is no minimum contract period or the like. This does not concern a possible agreement about a potential minimum contract period for the use of the partner service.
For the Qwist value-added services (account switch service), the duration is limited to 90 days. Your account will be deleted automatically afterwards.
How do information and initiation services work from a technical perspective?
For the connection to your accounts Qwist uses technical interfaces (so-called APIs – see also category > 1. About Qwist). If, in exceptional cases, no API is made available by your bank, Qwist also uses so-called Screen Scraping or HBCI/ FinTS to establish the connection. For a connection via APIs as well as via Screen Scraping or HBCI/ FinTS, Qwist needs your online banking access data as well as the confirmation via a 2nd factor (eg, TAN) to prove to the bank that Qwist signs up on your behalf and carries out the desired actions at your bank.
Do I need to download a programme to use the features?
For Qwist initiation, information and value-added services, you can use the internet browser of your choice regardless of the device. You do not need any special software.
What is an account information service?
The use of the account information service enables you to automatically use the transaction data of your payment accounts, which were previously only available at your bank, elsewhere. One example is the automatic identification of savings potential, e.g. directly in your accounting application or the use of Qwist account switch service.
What is the auto-sync function?
Using the auto-synchronisation feature, Qwist can constantly update your account information without the need to manually enter your complete online banking credentials for each update. To do this, you have to agree to Qwist storing your PIN. In this way, you can allow individual partners to always retrieve current account information from Qwist.
Payment initiation cannot be automated via Qwist.
Can I delete a connected bank or individual bank accounts later on?
This is not necessary for one-time use, as we delete your personal data anyway after completion of use in accordance with statutory provisions. For permanent use, it is possible to delete a connected bank by clicking on “delete bank” on the overview page of connected banks. Individual accounts can be deleted by simply unchecking the boxes previously checked to synchronise the accounts on the account selection page.
Why may I have to select the account type that I want to connect?
Banks provide various technical options for the retrieval of account information, such as the API required by PSD2 (see also category > 5. Regulation and Financial Supervision, the question: What is the PSD2). Via this official interface, your bank provides us with information about your payment accounts upon your consent. However, you can also use the Qwist information service to integrate other financial products, such as savings accounts, credit cards or securities accounts, with the partner service. However, information about these accounts is not transmitted via the APIs mentioned above but, as has been the case so far, via screen scraping or the HBCI/FinTS connection.
In order to choose the correct connection method, you may have to select the account type you want to connect in the frontend.
Why do I have to enter a second factor (e.g. a TAN) when I want to connect a bank?
Since September 2019, banks have been required to perform strong customer authentication for each initial account access. This means that a second factor is also required when retrieving account information. See also category > 5. Regulation and financial supervision, the question: What is strong customer authentication?
Why am I sometimes redirected to my bank’s website to connect an account?
Each bank decides for itself how to carry out strong customer authentication. Some banks require us to redirect you to your bank’s website so that you can log in and perform strong customer authentication there. See also category > 5. Regulation and financial supervision, the question: What is strong customer authentication?
Subsequently, you can continue with the service you are using on our website as usual.
Why does the auto-synchronisation function only work for a maximum of 180 days?
The customer’s consent (in this case: your consent) is legally valid for a maximum of 180 days. Once this period has expired, Qwist may not retrieve any new account information from your bank. In order to continue using the auto-synchronisation function, you have to provide a second factor (e.g. TAN) again. See also category > 5. Regulation and financial supervision, the question: What is strong customer authentication?
Why may I have to enter a second factor (e.g. TAN) for manual synchronisations, although the 180 days have not yet expired?
The intervals at which strong customer authentication is required depend on your bank. Many banks require strong customer authentication every 180 days, while some banks require strong customer authentication on a case-by-case basis and others with each account access. See also category > 5. Regulation and financial supervision, the question: What is strong customer authentication?
For the connection to your accounts Qwist uses technical interfaces (so-called APIs – see also category > 1. About Qwist). If, in exceptional cases, no API is made available by your bank, Qwist also uses so-called Screen Scraping or HBCI/ FinTS to establish the connection. For a connection via APIs as well as via Screen Scraping or HBCI/ FinTS, Qwist needs your online banking access data as well as the confirmation via a 2nd factor (eg, TAN) to prove to the bank that Qwist signs up on your behalf and carries out the desired actions at your bank.
Do I need to download a programme to use the features?
For Qwist initiation, information and value-added services, you can use the internet browser of your choice regardless of the device. You do not need any special software.
What is an account information service?
The use of the account information service enables you to automatically use the transaction data of your payment accounts, which were previously only available at your bank, elsewhere. One example is the automatic identification of savings potential, e.g. directly in your accounting application or the use of Qwist account switch service.
What is the auto-sync function?
Using the auto-synchronisation feature, Qwist can constantly update your account information without the need to manually enter your complete online banking credentials for each update. To do this, you have to agree to Qwist storing your PIN. In this way, you can allow individual partners to always retrieve current account information from Qwist.
Payment initiation cannot be automated via Qwist.
Can I delete a connected bank or individual bank accounts later on?
This is not necessary for one-time use, as we delete your personal data anyway after completion of use in accordance with statutory provisions. For permanent use, it is possible to delete a connected bank by clicking on “delete bank” on the overview page of connected banks. Individual accounts can be deleted by simply unchecking the boxes previously checked to synchronise the accounts on the account selection page.
Why may I have to select the account type that I want to connect?
Banks provide various technical options for the retrieval of account information, such as the API required by PSD2 (see also category > 5. Regulation and Financial Supervision, the question: What is the PSD2). Via this official interface, your bank provides us with information about your payment accounts upon your consent. However, you can also use the Qwist information service to integrate other financial products, such as savings accounts, credit cards or securities accounts, with the partner service. However, information about these accounts is not transmitted via the APIs mentioned above but, as has been the case so far, via screen scraping or the HBCI/FinTS connection.
In order to choose the correct connection method, you may have to select the account type you want to connect in the frontend.
Why do I have to enter a second factor (e.g. a TAN) when I want to connect a bank?
Since September 2019, banks have been required to perform strong customer authentication for each initial account access. This means that a second factor is also required when retrieving account information. See also category > 5. Regulation and financial supervision, the question: What is strong customer authentication?
Why am I sometimes redirected to my bank’s website to connect an account?
Each bank decides for itself how to carry out strong customer authentication. Some banks require us to redirect you to your bank’s website so that you can log in and perform strong customer authentication there. See also category > 5. Regulation and financial supervision, the question: What is strong customer authentication?
Subsequently, you can continue with the service you are using on our website as usual.
Why does the auto-synchronisation function only work for a maximum of 180 days?
The customer’s consent (in this case: your consent) is legally valid for a maximum of 180 days. Once this period has expired, Qwist may not retrieve any new account information from your bank. In order to continue using the auto-synchronisation function, you have to provide a second factor (e.g. TAN) again. See also category > 5. Regulation and financial supervision, the question: What is strong customer authentication?
Why may I have to enter a second factor (e.g. TAN) for manual synchronisations, although the 180 days have not yet expired?
The intervals at which strong customer authentication is required depend on your bank. Many banks require strong customer authentication every 180 days, while some banks require strong customer authentication on a case-by-case basis and others with each account access. See also category > 5. Regulation and financial supervision, the question: What is strong customer authentication?
How do information and initiation services work from a technical perspective?
For the connection to your accounts, Qwist uses technical interfaces (so-called APIs – see also category > 1. About Qwist). If, in exceptional cases, no API is made available by your bank, Qwist also uses so-called Screen Scraping or HBCI/ FinTS to establish the connection. For a connection via APIs as well as via Screen Scraping or HBCI/ FinTS, Qwist needs your online banking access data as well as the confirmation via a 2nd factor (eg, TAN) to prove to the bank that Qwist signs up on your behalf and carries out the desired actions at your bank.
Do I need to download a program to use the features?
For Qwist initiation, information, and value-added services, you can use the internet browser of your choice regardless of the device. You do not need any special software.
What is the purpose of the Qwist reference in the reference text of an initiated payment?
As a payment institution, Qwist is obliged to provide your bank with a reference that enables it to track the transaction. This serves in particular the investigation of complaints or liability cases. The reference text offers the greatest possible transparency for all parties involved in the transaction. In addition, the reference enables us to delete your personal data in the case of single payment initiations and still be able to speak to you, your bank and the financial supervisory authorities regarding the implementation of your initiation.
What is a payment initiation service?
By using a payment initiation service, you usually save yourself the trouble of changing websites and typing payment information such as long recipient IBANs. The Qwist value-added service or the partner can allow you to select the payment account from which you want to transfer money at the push of a button, as well as transfer the amount and the IBAN of the recipient directly to Qwist. As a payment initiation service provider, Qwist automatically completes the online transfer form of your bank. You check and confirm – that’s it!
Why may I have to enter a second factor (e.g. TAN) twice to initiate a payment?
With the strong customer authentication, you confirm both the access of Qwist to your account information (e.g. to retrieve the payment accounts from which payments can be initiated) as well as the payment initiation itself. This means that you may have to enter a second factor (such as a TAN) twice to initiate a payment. See also category > 5. Regulation and financial supervision, the question: > What is strong customer authentication?
For the connection to your accounts, Qwist uses technical interfaces (so-called APIs – see also category > 1. About Qwist). If, in exceptional cases, no API is made available by your bank, Qwist also uses so-called Screen Scraping or HBCI/ FinTS to establish the connection. For a connection via APIs as well as via Screen Scraping or HBCI/ FinTS, Qwist needs your online banking access data as well as the confirmation via a 2nd factor (eg, TAN) to prove to the bank that Qwist signs up on your behalf and carries out the desired actions at your bank.
Do I need to download a program to use the features?
For Qwist initiation, information, and value-added services, you can use the internet browser of your choice regardless of the device. You do not need any special software.
What is the purpose of the Qwist reference in the reference text of an initiated payment?
As a payment institution, Qwist is obliged to provide your bank with a reference that enables it to track the transaction. This serves in particular the investigation of complaints or liability cases. The reference text offers the greatest possible transparency for all parties involved in the transaction. In addition, the reference enables us to delete your personal data in the case of single payment initiations and still be able to speak to you, your bank and the financial supervisory authorities regarding the implementation of your initiation.
What is a payment initiation service?
By using a payment initiation service, you usually save yourself the trouble of changing websites and typing payment information such as long recipient IBANs. The Qwist value-added service or the partner can allow you to select the payment account from which you want to transfer money at the push of a button, as well as transfer the amount and the IBAN of the recipient directly to Qwist. As a payment initiation service provider, Qwist automatically completes the online transfer form of your bank. You check and confirm – that’s it!
Why may I have to enter a second factor (e.g. TAN) twice to initiate a payment?
With the strong customer authentication, you confirm both the access of Qwist to your account information (e.g. to retrieve the payment accounts from which payments can be initiated) as well as the payment initiation itself. This means that you may have to enter a second factor (such as a TAN) twice to initiate a payment. See also category > 5. Regulation and financial supervision, the question: > What is strong customer authentication?
Who or what is BaFin?
“BaFin” is the abbreviation of the German Federal Financial Supervisory Authority (“Bundesanstalt für Finanzdienstleistungsaufsicht”). It is hence the authority responsible for the supervision of the financial market in Germany. Qwist also falls under the competences of BaFin, since Qwist has received a license from BaFin to provide certain payment services or to act as a payment institution. BaFin also maintains its own online information service for consumers at https://www.bafin.de/en.
Why does Qwist need a BaFin license?
In order to provide you with payment initiation and account information services, Qwist has to process your online banking credentials and account information. The European legislator has subjected companies that access payment accounts for this purpose to financial supervision (the BaFin in Germany). This is to improve the safety of you as a consumer. The described license is subject to high requirements, compliance with which is regularly checked.
Can my bank prohibit me from using Qwist/the partner service?
No. Since January 2018, European banks must have transposed consumer rights to use payment initiation and account information services into their online banking terms and conditions. The bank is obliged to do this and can, for instance, no longer prohibit you from passing on access data to regulated service providers such as Qwist. Qwist and the bank are obliged to communicate with each other in a secure manner. Innovative services such as Qwist’s, as well as the benefits for you in your daily life should thus be promoted.
Can Qwist/the partner initiate payments or view my data without my consent?
No. Qwist only processes data upon your consent and is also required by law to do so. You give Qwist corresponding permission at important points in the process of using the services. Qwist’s service cannot be implemented without any processing or specific agreements to pass your data on to Qwist partners. If possible, however, Qwist will give you the option to decide whether or not the data should be saved or processed.
Why do I have to take the detour via Qwist to integrate my data into the partner service?
See above under the category > 1. About Qwist the question: Who or what are Qwist partners?
Why does Qwist differentiate between information services and account information services and initiation services and payment initiation services?
The difference results from the fact that Qwist offers you access to payment accounts (in particular current accounts) regulated by financial supervision law, as well as unregulated access to non-payment accounts (e.g. instant access savings accounts or securities accounts). The former is referred to as account information services/payment initiation services pursuant to financial supervisory law. Information services/initiation services refer to both forms – regulated and unregulated access.
What is the purpose of the Qwist reference in the reference text of an initiated payment?
As a payment institution, Qwist is obliged to provide your bank with a reference that enables it to track the transaction. This serves in particular the investigation of complaints or liability cases. The reference text offers the greatest possible transparency for all parties involved in the transaction. In addition, the reference enables us to delete your personal data in the case of single payment initiations and still be able to speak to you, your bank and the financial supervisory authorities regarding the implementation of your initiation.
What is an account information service?
The use of the account information service enables you to automatically use the transaction data of your payment accounts, which were previously only available at your bank, elsewhere. One example is the automatic identification of savings potential, e.g. directly in your accounting application or the use of Qwist account switch service.
What is a payment initiation service?
By using a payment initiation service, you usually save yourself the trouble of changing websites and typing payment information such as long recipient IBANs. The Qwist value-added service or the partner can allow you to select the payment account from which you want to transfer money at the push of a button, as well as transfer the amount and the IBAN of the recipient directly to Qwist. As a payment initiation service provider, Qwist automatically completes the online transfer form of your bank. You check and confirm – that’s it!
What is ZAG?
ZAG is the abbreviation of the German Payment Services Supervision Law (“Zahlungsdiensteaufsichtsgesetz”). It regulates who can provide payment services under which conditions. Qwist has received a licence from the German Federal Financial Supervisory Authority (BaFin) to provide account information and payment initiation services in accordance with the definitions in § 1 (33) and (34) of the ZAG.
What are payment accounts?
Payment accounts are defined by law as accounts “used for the execution of payment transactions”. This refers in particular to conventional current accounts. However, the term does not include securities accounts, savings accounts or loan accounts and, generally speaking, instant access savings or fixed-term deposit accounts.
Who are the account servicing payment service providers?
These are credit or payment institutions that have a BaFin licence for the management of payment accounts, in particular banks and savings banks. The term is used when account information or payment initiation service providers such as Qwist access their accounts and the relevant account servicing payment service providers for these purposes and on behalf of account holders.
What is strong customer authentication (SCA)?
As of September 2019, banks will be required to perform strong customer authentication for each account access. The requirements stipulate the use of two factors that cover at least two of the three possible categories “knowledge” (e.g. password, PIN), “possession” (e.g. token, smartphone, chip card, TAN that meets the requirements) and/or “inherence” (something that the user personally or physically owns, e.g. his fingerprint). A second factor must then already be required for the access to your online banking.
What is the PSD2?
PSD2 stands for “Payment Services Directive 2”, an EU-wide directive which is intended to promote innovation in the financial sector while at the same time setting new security standards in banking. The central intention of the PSD2 is that third-party providers, such as Qwist, can access bank data and initiate payments with the user’s consent. In return, these new providers are strictly supervised and require a license from the financial supervisory authority before they can start operating. Qwist received the license in August 2018.
“BaFin” is the abbreviation of the German Federal Financial Supervisory Authority (“Bundesanstalt für Finanzdienstleistungsaufsicht”). It is hence the authority responsible for the supervision of the financial market in Germany. Qwist also falls under the competences of BaFin, since Qwist has received a license from BaFin to provide certain payment services or to act as a payment institution. BaFin also maintains its own online information service for consumers at https://www.bafin.de/en.
Why does Qwist need a BaFin license?
In order to provide you with payment initiation and account information services, Qwist has to process your online banking credentials and account information. The European legislator has subjected companies that access payment accounts for this purpose to financial supervision (the BaFin in Germany). This is to improve the safety of you as a consumer. The described license is subject to high requirements, compliance with which is regularly checked.
Can my bank prohibit me from using Qwist/the partner service?
No. Since January 2018, European banks must have transposed consumer rights to use payment initiation and account information services into their online banking terms and conditions. The bank is obliged to do this and can, for instance, no longer prohibit you from passing on access data to regulated service providers such as Qwist. Qwist and the bank are obliged to communicate with each other in a secure manner. Innovative services such as Qwist’s, as well as the benefits for you in your daily life should thus be promoted.
Can Qwist/the partner initiate payments or view my data without my consent?
No. Qwist only processes data upon your consent and is also required by law to do so. You give Qwist corresponding permission at important points in the process of using the services. Qwist’s service cannot be implemented without any processing or specific agreements to pass your data on to Qwist partners. If possible, however, Qwist will give you the option to decide whether or not the data should be saved or processed.
Why do I have to take the detour via Qwist to integrate my data into the partner service?
See above under the category > 1. About Qwist the question: Who or what are Qwist partners?
Why does Qwist differentiate between information services and account information services and initiation services and payment initiation services?
The difference results from the fact that Qwist offers you access to payment accounts (in particular current accounts) regulated by financial supervision law, as well as unregulated access to non-payment accounts (e.g. instant access savings accounts or securities accounts). The former is referred to as account information services/payment initiation services pursuant to financial supervisory law. Information services/initiation services refer to both forms – regulated and unregulated access.
What is the purpose of the Qwist reference in the reference text of an initiated payment?
As a payment institution, Qwist is obliged to provide your bank with a reference that enables it to track the transaction. This serves in particular the investigation of complaints or liability cases. The reference text offers the greatest possible transparency for all parties involved in the transaction. In addition, the reference enables us to delete your personal data in the case of single payment initiations and still be able to speak to you, your bank and the financial supervisory authorities regarding the implementation of your initiation.
What is an account information service?
The use of the account information service enables you to automatically use the transaction data of your payment accounts, which were previously only available at your bank, elsewhere. One example is the automatic identification of savings potential, e.g. directly in your accounting application or the use of Qwist account switch service.
What is a payment initiation service?
By using a payment initiation service, you usually save yourself the trouble of changing websites and typing payment information such as long recipient IBANs. The Qwist value-added service or the partner can allow you to select the payment account from which you want to transfer money at the push of a button, as well as transfer the amount and the IBAN of the recipient directly to Qwist. As a payment initiation service provider, Qwist automatically completes the online transfer form of your bank. You check and confirm – that’s it!
What is ZAG?
ZAG is the abbreviation of the German Payment Services Supervision Law (“Zahlungsdiensteaufsichtsgesetz”). It regulates who can provide payment services under which conditions. Qwist has received a licence from the German Federal Financial Supervisory Authority (BaFin) to provide account information and payment initiation services in accordance with the definitions in § 1 (33) and (34) of the ZAG.
What are payment accounts?
Payment accounts are defined by law as accounts “used for the execution of payment transactions”. This refers in particular to conventional current accounts. However, the term does not include securities accounts, savings accounts or loan accounts and, generally speaking, instant access savings or fixed-term deposit accounts.
Who are the account servicing payment service providers?
These are credit or payment institutions that have a BaFin licence for the management of payment accounts, in particular banks and savings banks. The term is used when account information or payment initiation service providers such as Qwist access their accounts and the relevant account servicing payment service providers for these purposes and on behalf of account holders.
What is strong customer authentication (SCA)?
As of September 2019, banks will be required to perform strong customer authentication for each account access. The requirements stipulate the use of two factors that cover at least two of the three possible categories “knowledge” (e.g. password, PIN), “possession” (e.g. token, smartphone, chip card, TAN that meets the requirements) and/or “inherence” (something that the user personally or physically owns, e.g. his fingerprint). A second factor must then already be required for the access to your online banking.
What is the PSD2?
PSD2 stands for “Payment Services Directive 2”, an EU-wide directive which is intended to promote innovation in the financial sector while at the same time setting new security standards in banking. The central intention of the PSD2 is that third-party providers, such as Qwist, can access bank data and initiate payments with the user’s consent. In return, these new providers are strictly supervised and require a license from the financial supervisory authority before they can start operating. Qwist received the license in August 2018.
What are the risks for users?
The biggest risk when using Qwist is that you as a consumer get used to the security of Qwist services. This could lead to you entrusting your online banking access data, without hesitation, to fraudulent third parties who want to harm you. Therefore, when using innovative services in connection with your bank accounts outside of Qwist, please always pay attention to the BaFin regulation of the company to which you provide your access data. If in doubt, verify this by searching for the company in the BaFin company database.
Is it safe to enter my online banking access data at Qwist?
Yes. As a payment institution, Qwist is supervised by the financial supervisory authority BaFin and is therefore always subject to various inspections by different auditors with regard to IT security and data protection (see also above under the category > 1. About Qwist the question: Is Qwist secure?). Your online banking access data already benefits from special protection by law and as part of the implementation of all requirements.
Does Qwist sell my data?
A sale of your personal data by Qwist does not take place. Qwist passes on your data to the partner at your explicit request when using Qwist’s services and is paid for this by the partner. For this reason, you do not incur any costs when using Qwist’s services. In this context, Qwist cannot influence whether and to what extent the partner charges you a total fee for their services or whether fees for the integration of Qwist may even be accounted for separately. The partner handles the payment of Qwist for the integration of the services, so that you can use the partner or value-added service more comfortably or faster, for instance.
Who is responsible for the processing of my data?
Responsible in the sense of the data protection laws is Qwist GmbH, Hardenbergstraße 32, 10623 Berlin. If you have any questions or suggestions, please contact the external Qwist data privacy officer and our internal contact persons.
Does Qwist comply with the General Data Protection Regulation (GDPR)?
Qwist’s external data privacy officer works closely with Qwist to ensure that Qwist fully complies with this important law at all times. When designing its services, Qwist has therefore been taking the principles of the GDPR into account from the very beginning.
Where is my data stored?
Your data will only be stored in data centers located in the European Union. Due to various requirements arising from data protection legislation, financial supervisory laws, and our own standards, Qwist works exclusively with data centers that meet strict security requirements.
Can I reset my password?
Yes, it is possible to reset the password. Just press the “Forgot password” button to start the process. You will then receive an e-mail with a link to a page where you can set a new password (in some cases after entering your security code).
What happens if I have misplaced my security code?
In this case, neither you nor we will be able to access the Qwist user account. In this case you will need to create a new user account. You will not be able to use the same e-mail address unless you delete your existing account and then create a new one. To delete the user account, please send a message from the corresponding e-mail address to our support.
How is my data protected?
Qwist stores your data exclusively in encrypted form. The data is also transported via secure and efficient channels. In addition, Qwist regularly checks the data centers itself and independently with regard to their security measures.
Can I cancel the authorization of Qwist and/or the partner to use the data?
This is not necessary for cases of one-time use, since you only give us your consent for the purpose of a one-time use. In cases of permanent use, i.e. if you have created a Qwist user account, you can revoke your consent at any time. This is done by requesting the deletion of your Qwist user account in its entirety (for this purpose, please send an e-mail to our support team) or by deleting connected banks or unchecking previously checked boxes for the synchronization of the accounts for certain partners.
Which of my data does Qwist pass on to the partner?
Qwist only passes on data that you have authorised Qwist to pass on. This is the transaction data selected by you for the desired purpose within the Qwist service, the partner service or a confirmation of the payment initiation to the partner. Even though Qwist selects its partners carefully, please note that the processing of the transferred data is the responsibility of the partner, who has to also send you a separate privacy statement for this purpose. If you have any questions about data processing at the partner service, please contact them directly.
What happens to my data after Qwist has passed it on to the partner?
Even though Qwist selects its partners carefully and aims to work only with trusted partners, Qwist only has limited final influence on how partners process your data. The processing of the transferred data is the responsibility of the partner, who also provides you with a separate data privacy statement for this purpose. If you have any questions about data processing at the partner service, please contact them directly.
Where can I see what data Qwist has saved for me?
Qwist only saves the personal data that you have specifically made available to Qwist for this purpose (e.g. when registering for the Qwist user account or by allowing an automated account retrieval). You can request an overview of your personal data saved by Qwist by sending an e-mail to our support team at any time.
Will anyone else besides Qwist and the partner get access to my personal data?
Your personal data is hosted in carefully selected data centers (see the above question: > Where is my data stored?). In the few exceptional cases in which your data is passed on to other service providers (e.g. Qwist uses third-party software to send you e-mails), these service providers are obliged to adhere to the same standards as Qwist and to use the data exclusively for the specified purpose. For this purpose, the Qwist data privacy officer ensures compliance with the order processing contracts.
How is liability regulated for Qwist initiation and information services?
Statutory liability regulations for any damages in connection with Qwist initiation and information services are only stipulated by law for payment initiation services (see the question below: How is liability regulated for Qwist payment initiation services?). Other than that, Qwist is liable according to the account holder usage agreement, which you agree to within the scope of using Qwist services. This agreement states, for instance, that Qwist is not liable for defects caused by circumstances for which Qwist is not responsible.
How is liability regulated for Qwist payment initiation services?
If you discover an unauthorised payment or if a payment is late, incorrect, or not executed at all, please first contact your account servicing payment service provider, e.g. the bank that executed the payment. The bank is initially responsible to you for all payment transactions made through it and may be obliged to compensate you for potential damages. In a second step, the bank and Qwist shall settle with each other whether and to what extent a mistake was made by Qwist and is to be compensated. Qwist’s liability is limited to EUR 12,500, with the exception of intent, gross negligence, interest loss, and separately assumed risks. In the exceptional cases mentioned above, Qwist is liable without limitation.
Can I delete a connected bank or individual bank accounts later on?
This is not necessary for one-time use, as we delete your personal data anyway after completion of use in accordance with statutory provisions. For permanent use, it is possible to delete a connected bank by clicking on “delete bank” on the overview page of connected banks. Individual accounts can be deleted by simply unchecking the boxes previously checked to synchronise the accounts on the account selection page.
The biggest risk when using Qwist is that you as a consumer get used to the security of Qwist services. This could lead to you entrusting your online banking access data, without hesitation, to fraudulent third parties who want to harm you. Therefore, when using innovative services in connection with your bank accounts outside of Qwist, please always pay attention to the BaFin regulation of the company to which you provide your access data. If in doubt, verify this by searching for the company in the BaFin company database.
Is it safe to enter my online banking access data at Qwist?
Yes. As a payment institution, Qwist is supervised by the financial supervisory authority BaFin and is therefore always subject to various inspections by different auditors with regard to IT security and data protection (see also above under the category > 1. About Qwist the question: Is Qwist secure?). Your online banking access data already benefits from special protection by law and as part of the implementation of all requirements.
Does Qwist sell my data?
A sale of your personal data by Qwist does not take place. Qwist passes on your data to the partner at your explicit request when using Qwist’s services and is paid for this by the partner. For this reason, you do not incur any costs when using Qwist’s services. In this context, Qwist cannot influence whether and to what extent the partner charges you a total fee for their services or whether fees for the integration of Qwist may even be accounted for separately. The partner handles the payment of Qwist for the integration of the services, so that you can use the partner or value-added service more comfortably or faster, for instance.
Who is responsible for the processing of my data?
Responsible in the sense of the data protection laws is Qwist GmbH, Hardenbergstraße 32, 10623 Berlin. If you have any questions or suggestions, please contact the external Qwist data privacy officer and our internal contact persons.
Does Qwist comply with the General Data Protection Regulation (GDPR)?
Qwist’s external data privacy officer works closely with Qwist to ensure that Qwist fully complies with this important law at all times. When designing its services, Qwist has therefore been taking the principles of the GDPR into account from the very beginning.
Where is my data stored?
Your data will only be stored in data centers located in the European Union. Due to various requirements arising from data protection legislation, financial supervisory laws, and our own standards, Qwist works exclusively with data centers that meet strict security requirements.
Can I reset my password?
Yes, it is possible to reset the password. Just press the “Forgot password” button to start the process. You will then receive an e-mail with a link to a page where you can set a new password (in some cases after entering your security code).
What happens if I have misplaced my security code?
In this case, neither you nor we will be able to access the Qwist user account. In this case you will need to create a new user account. You will not be able to use the same e-mail address unless you delete your existing account and then create a new one. To delete the user account, please send a message from the corresponding e-mail address to our support.
How is my data protected?
Qwist stores your data exclusively in encrypted form. The data is also transported via secure and efficient channels. In addition, Qwist regularly checks the data centers itself and independently with regard to their security measures.
Can I cancel the authorization of Qwist and/or the partner to use the data?
This is not necessary for cases of one-time use, since you only give us your consent for the purpose of a one-time use. In cases of permanent use, i.e. if you have created a Qwist user account, you can revoke your consent at any time. This is done by requesting the deletion of your Qwist user account in its entirety (for this purpose, please send an e-mail to our support team) or by deleting connected banks or unchecking previously checked boxes for the synchronization of the accounts for certain partners.
Which of my data does Qwist pass on to the partner?
Qwist only passes on data that you have authorised Qwist to pass on. This is the transaction data selected by you for the desired purpose within the Qwist service, the partner service or a confirmation of the payment initiation to the partner. Even though Qwist selects its partners carefully, please note that the processing of the transferred data is the responsibility of the partner, who has to also send you a separate privacy statement for this purpose. If you have any questions about data processing at the partner service, please contact them directly.
What happens to my data after Qwist has passed it on to the partner?
Even though Qwist selects its partners carefully and aims to work only with trusted partners, Qwist only has limited final influence on how partners process your data. The processing of the transferred data is the responsibility of the partner, who also provides you with a separate data privacy statement for this purpose. If you have any questions about data processing at the partner service, please contact them directly.
Where can I see what data Qwist has saved for me?
Qwist only saves the personal data that you have specifically made available to Qwist for this purpose (e.g. when registering for the Qwist user account or by allowing an automated account retrieval). You can request an overview of your personal data saved by Qwist by sending an e-mail to our support team at any time.
Will anyone else besides Qwist and the partner get access to my personal data?
Your personal data is hosted in carefully selected data centers (see the above question: > Where is my data stored?). In the few exceptional cases in which your data is passed on to other service providers (e.g. Qwist uses third-party software to send you e-mails), these service providers are obliged to adhere to the same standards as Qwist and to use the data exclusively for the specified purpose. For this purpose, the Qwist data privacy officer ensures compliance with the order processing contracts.
How is liability regulated for Qwist initiation and information services?
Statutory liability regulations for any damages in connection with Qwist initiation and information services are only stipulated by law for payment initiation services (see the question below: How is liability regulated for Qwist payment initiation services?). Other than that, Qwist is liable according to the account holder usage agreement, which you agree to within the scope of using Qwist services. This agreement states, for instance, that Qwist is not liable for defects caused by circumstances for which Qwist is not responsible.
How is liability regulated for Qwist payment initiation services?
If you discover an unauthorised payment or if a payment is late, incorrect, or not executed at all, please first contact your account servicing payment service provider, e.g. the bank that executed the payment. The bank is initially responsible to you for all payment transactions made through it and may be obliged to compensate you for potential damages. In a second step, the bank and Qwist shall settle with each other whether and to what extent a mistake was made by Qwist and is to be compensated. Qwist’s liability is limited to EUR 12,500, with the exception of intent, gross negligence, interest loss, and separately assumed risks. In the exceptional cases mentioned above, Qwist is liable without limitation.
Can I delete a connected bank or individual bank accounts later on?
This is not necessary for one-time use, as we delete your personal data anyway after completion of use in accordance with statutory provisions. For permanent use, it is possible to delete a connected bank by clicking on “delete bank” on the overview page of connected banks. Individual accounts can be deleted by simply unchecking the boxes previously checked to synchronise the accounts on the account selection page.
I see an URL without “https” in my internet browser. What can I do?
If you are not using Qwist on a mobile device but on your computer and if you are on the correct web interface of Qwist, you should always see a URL with “https” in the address bar. If this is not the case, please contact our support team immediately, mentioning the URL you see in your internet browser and never enter your access data at the suspicious URL.
Why does it take so long to connect my bank/account?
To connect your bank/account, Qwist establishes a secure connection between your terminal, Qwist’s server and the bank. Since Qwist depends on the availability of the interface to the bank, the maximum duration of the process can be several minutes in rare cases. Of course Qwist continuously strives to improve the processes, within the scope of its influence.
Why is it not possible to connect my bank/account?
The connection to your bank or account can fail for several reasons. First of all, Qwist depends on the functionality of the interfaces to the banks, i.e. if an error occurs at the bank, the bank cannot be reached by Qwist either. The same applies, for example, if your access to the bank is blocked. Furthermore, the Qwist information service is currently only available in Germany and Austria, the Qwist initiation service is only available in Germany. The Qwist value-added service (account switch service) is available in Germany, Austria and Spain.
If the connection to an account in Germany or Austria fails several times even though the access is not blocked, please contact our support team.
How can I complain if something goes wrong?
Should the Qwist service not work as expected, please send an e-mail to our support team. As a rule, we will reply within 1-3 working days. According to § 62 of the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG), a reply must be sent within 15 working days of receipt of your message. If a reply is not possible within this period, you will receive a preliminary reply indicating the reasons for the delay. A final reply must be received no later than 35 working days after receipt of the message.
Your satisfaction is important to Qwist. Therefore, your complaint will usually be answered more quickly. We are also happy to receive general suggestions for improvement via e-mail.
What options for dispute resolution do I have?
We would like to inform you about the possibility of out-of-court settlement of disputes, which you are legally entitled to. If the subject of the complaint concerns a dispute from the area of application of payment service law, you have the option of lodging a complaint with the conciliation office of the Bundesbank (German language only) or with the Federal Financial Supervisory Authority. If your residence or habitual residence is in Austria, you can also contact the Financial Market Authority, Consumer Information & Complaints Office in Vienna.
The European Commission has also established a European Online Dispute Settlement Platform (OS Platform) at http://ec.europa.eu/odr. Consumers can use the platform to settle a dispute arising from online contracts with a company established in the EU out of court.
If you are not using Qwist on a mobile device but on your computer and if you are on the correct web interface of Qwist, you should always see a URL with “https” in the address bar. If this is not the case, please contact our support team immediately, mentioning the URL you see in your internet browser and never enter your access data at the suspicious URL.
Why does it take so long to connect my bank/account?
To connect your bank/account, Qwist establishes a secure connection between your terminal, Qwist’s server and the bank. Since Qwist depends on the availability of the interface to the bank, the maximum duration of the process can be several minutes in rare cases. Of course Qwist continuously strives to improve the processes, within the scope of its influence.
Why is it not possible to connect my bank/account?
The connection to your bank or account can fail for several reasons. First of all, Qwist depends on the functionality of the interfaces to the banks, i.e. if an error occurs at the bank, the bank cannot be reached by Qwist either. The same applies, for example, if your access to the bank is blocked. Furthermore, the Qwist information service is currently only available in Germany and Austria, the Qwist initiation service is only available in Germany. The Qwist value-added service (account switch service) is available in Germany, Austria and Spain.
If the connection to an account in Germany or Austria fails several times even though the access is not blocked, please contact our support team.
How can I complain if something goes wrong?
Should the Qwist service not work as expected, please send an e-mail to our support team. As a rule, we will reply within 1-3 working days. According to § 62 of the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG), a reply must be sent within 15 working days of receipt of your message. If a reply is not possible within this period, you will receive a preliminary reply indicating the reasons for the delay. A final reply must be received no later than 35 working days after receipt of the message.
Your satisfaction is important to Qwist. Therefore, your complaint will usually be answered more quickly. We are also happy to receive general suggestions for improvement via e-mail.
What options for dispute resolution do I have?
We would like to inform you about the possibility of out-of-court settlement of disputes, which you are legally entitled to. If the subject of the complaint concerns a dispute from the area of application of payment service law, you have the option of lodging a complaint with the conciliation office of the Bundesbank (German language only) or with the Federal Financial Supervisory Authority. If your residence or habitual residence is in Austria, you can also contact the Financial Market Authority, Consumer Information & Complaints Office in Vienna.
The European Commission has also established a European Online Dispute Settlement Platform (OS Platform) at http://ec.europa.eu/odr. Consumers can use the platform to settle a dispute arising from online contracts with a company established in the EU out of court.