FAQ About finleap connect information and initiation services

finleap connect is a Hamburg-based payment institution and IT company regulated by the German Financial Supervisory Authority. finleap connect makes it possible to integrate data and functions from financial sources, such as bank accounts, into the services of finleap connect or partner companies. This enables you, for instance, to integrate your account data into the accounting service of a finleap connect partner or to initiate payments directly from there without having to switch to your online banking system.

You can rest assured that your data is safe at finleap connect. As a payment institution, finleap connect is regulated by the German Federal Financial Supervisory Authority (BaFin) and is therefore obliged to carry out regular internal audits and inspections. In addition, finleap connect is regularly audited by both auditors of regulated finleap connect partners and external auditors.

You have been redirected to finleap connect by a partner of your choice. finleap connect cooperates with partners whose services require the integration of bank account functions and data. Typical finleap connect partners are banks that offer you our account switch service or for example accounting apps in which you can integrate your account information and from which you can initiate payments.

The use of finleap connect itself is simple. The legal requirements by four parties involved are somewhat more complex and require at least the following contracts:

1. The online banking terms and conditions between you and your bank (hence no contract is necessary between your bank and finleap connect).
2. The contract with the partner service between you and a finleap connect partner of your choice.
3. The account holder usage agreement between you and finleap connect.
4. A cooperation agreement between finleap connect and the finleap connect partner of your choice, who is thereby permitted to integrate the finleap connect services.

The use of finleap connect always requires that you first use the services of a finleap connect partner who has integrated the finleap connect services into his offer. In addition, you must have an account with a financial source (e.g. a bank) supported by finleap connect. When using finleap connect, you will be forwarded directly from the partner service to finleap connect. The use of finleap connect services without f the use of a partner service is not intended – with the exception of a finleap connect user account administration in case of permanent use.

Most partner services are also available without the integration of finleap connect but cannot provide the full range of functions or are less convenient to use. For details on the functional scope of the partner service, please contact the respective partner.

As a payment institution, finleap connect has to comply with certain regulations and information obligations, such as pre-contractual information. A particular complexity arises from the variety of parties involved (see question > Who do I conclude which contracts with?) as well as from the fact that finleap connect offers access to payment accounts (in particular current accounts) regulated by financial supervisory law, as well as unregulated access to non-payment accounts (e.g. savings accounts or securities accounts).

If you do not find what you are looking for in this FAQ, finleap connect is generally available for questions via email. finleap connect can only answer questions relating to its own services and must refer to the partner’s support service for questions relating to the partner service.

If you have a question specifically related to data privacy, please contact dataprivacy-connect@finleap.com.

The acronym API is derived from the term Application Programming Interface. An API is a technical interface through which different programmes can exchange their relevant data with each other. For example, your bank provides finleap connect with an API to access your accounts, which finleap connect uses to access your account information. The bank’s API is – in greatly simplified terms – a representation of your online banking website limited to the management of rights and data without any design or other user-friendly elements. The retrieval of your data by your chosen finleap connect partner also takes place via a finleap connect API.

finleap connect value-added services are products or services for end users that are not under supervision of the national competent authority (BaFin). One example of a value-added service is the finleap connect account switch service, which supports you in switching your payment account to your new bank. The value-added services may contain a regulated information or initiation service.

finleap connect logs into your bank on your behalf. As a regulated payment institution, finleap connect can process the necessary access data within the legally defined scope. Encryption and other security measures are used at all times to ensure that nobody but you, finleap connect and the bank has access to your login data within the scope of this technical communication – not even the partner service you are using (see also the question under the category ➤ Regulation and financial supervision: Can my bank prohibit me from using finleap connect/the partner service?)

You have to create a finleap connect user account for the permanent or limited use of finleap connect. Permanent integration of finleap connect can be useful in order to be able to use certain features in partner services to their full extent or to forego certain steps within the context of a repeated use of finleap connect services. If you decide to save your online banking access data, some partner services will become even more convenient for you.

It’s up to you. You can allow finleap connect to save the online banking access data including the PIN if you want finleap connect to automatically update your account information for you at the bank and in addition allow the partner of your choice automatic access to finleap connect (see also the above question under the category ➤ About finleap connect the question: What is the auto-synchronisation function?).

Of course you can use finleap connect’s offer without saving the PIN – but then you have to enter all the access data again at finleap connect for every update of the data at the partner.

No. finleap connect is free of charge for you as a user. The costs will be paid by the provider of the partner service. To find out whether you pay anything for the use of the partner service, please refer to the separate user agreement with your chosen partner.

Your bank may charge you fees for the use of the TAN procedures such as for the sending of an smsTAN. Please refer to your bank’s list of prices and services to see whether you will be charged for using the TAN procedures.

You can delete your finleap connect user account any time. To do this, simply send an e-mail to support-connect@finleap.com. There is no minimum contract period or the like. This does not concern a possible agreement about a potential minimum contract period for the use of the partner service.

For the finleap connect value-added services (account switch service), the duration is limited to 90 days. Your account will be deleted automatically afterwards.

For the connection to your accounts finleap connect uses technical interfaces (so-called APIs – see also category > 1. About finleap connect). If, in exceptional cases, no API is made available by your bank, finleap connect also uses so-called Screen Scraping or HBCI/ FinTS to establish the connection. For a connection via APIs as well as via Screen Scraping or HBCI/ FinTS, finleap connect needs your online banking access data as well as the confirmation via a 2nd factor (eg, TAN) to prove to the bank that finleap connect signs up on your behalf and carries out the desired actions at your bank.

For finleap connect initiation, information and value-added services, you can use the internet browser of your choice regardless of the device. You do not need any special software.

The use of the account information service enables you to automatically use the transaction data of your payment accounts, which were previously only available at your bank, elsewhere. One example is the automatic identification of savings potential, e.g. directly in your accounting application or the use of finleap connect account switch service.

Using the auto-synchronisation feature, finleap connect can constantly update your account information without the need to manually enter your complete online banking credentials for each update. To do this, you have to agree to finleap connect storing your PIN. In this way, you can allow individual partners to always retrieve current account information from finleap connect.

Payment initiation cannot be automated via finleap connect.

This is not necessary for one-time use, as we delete your personal data anyway after completion of use in accordance with statutory provisions. For permanent use, it is possible to delete a connected bank by clicking on “delete bank” on the overview page of connected banks. Individual accounts can be deleted by simply unchecking the boxes previously checked to synchronise the accounts on the account selection page.

Banks provide various technical options for the retrieval of account information, such as the API required by PSD2 (see also category > 5. Regulation and Financial Supervision, the question: What is the PSD2). Via this official interface, your bank provides us with information about your payment accounts upon your consent. However, you can also use the finleap connect information service to integrate other financial products, such as savings accounts, credit cards or securities accounts, with the partner service. However, information about these accounts is not transmitted via the APIs mentioned above but, as has been the case so far, via screen scraping or the HBCI/FinTS connection.

In order to choose the correct connection method, you may have to select the account type you want to connect in the frontend.

Since September 2019, banks have been required to perform strong customer authentication for each initial account access. This means that a second factor is also required when retrieving account information. See also category > 5. Regulation and financial supervision, the question: What is strong customer authentication?

Each bank decides for itself how to carry out strong customer authentication. Some banks require us to redirect you to your bank’s website so that you can log in and perform strong customer authentication there. See also category > 5. Regulation and financial supervision, the question: What is strong customer authentication?

Subsequently, you can continue with the service you are using on our website as usual.

The customer’s consent (in this case: your consent) is legally valid for a maximum of 90 days. Once this period has expired, finleap connect may not retrieve any new account information from your bank. In order to continue using the auto-synchronisation function, you have to provide a second factor (e.g. TAN) again. See also category > 5. Regulation and financial supervision, the question: What is strong customer authentication?

The intervals at which strong customer authentication is required depend on your bank. Many banks require strong customer authentication every 90 days, while some banks require strong customer authentication on a case-by-case basis and others with each account access. See also category > 5. Regulation and financial supervision, the question: What is strong customer authentication?

For the connection to your accounts finleap connect uses technical interfaces (so-called APIs – see also category > 1. About finleap connect). If, in exceptional cases, no API is made available by your bank, finleap connect also uses so-called Screen Scraping or HBCI/ FinTS to establish the connection. For a connection via APIs as well as via Screen Scraping or HBCI/ FinTS, finleap connect needs your online banking access data as well as the confirmation via a 2nd factor (eg, TAN) to prove to the bank that finleap connect signs up on your behalf and carries out the desired actions at your bank.

For finleap connect initiation, information and value-added services, you can use the internet browser of your choice regardless of the device. You do not need any special software.

As a payment institution, finleap connect is obliged to provide your bank with a reference that enables it to track the transaction. This serves in particular the investigation of complaints or liability cases. The reference text offers the greatest possible transparency for all parties involved in the transaction. In addition, the reference enables us to delete your personal data in the case of single payment initiations and still be able to speak to you, your bank and the financial supervisory authorities regarding the implementation of your initiation.

By using a payment initiation service, you usually save yourself the trouble of changing websites and typing payment information such as long recipient IBANs. The finleap connect value-added service or the partner can allow you to select the payment account from which you want to transfer money at the push of a button, as well as transfer the amount and the IBAN of the recipient directly to finleap connect. As a payment initiation service provider, finleap connect automatically completes the online transfer form of your bank. You check and confirm – that’s it!

With the strong customer authentication, you confirm both the access of finleap connect to your account information (e.g. to retrieve the payment accounts from which payments can be initiated) as well as the payment initiation itself. This means that you may have to enter a second factor (such as a TAN) twice to initiate a payment. See also category > 5. Regulation and financial supervision, the question: > What is strong customer authentication?

“BaFin” is the abbreviation of the German Federal Financial Supervisory Authority (“Bundesanstalt für Finanzdienstleistungsaufsicht”). It is hence the authority responsible for the supervision of the financial market in Germany. finleap connect also falls under the competences of BaFin, since finleap connect has received a licence from BaFin to provide certain payment services or to act as a payment institution. BaFin also maintains its own online information service for consumers at https://www.bafin.de/en.

In order to provide you with payment initiation and account information services, finleap connect has to process your online banking credentials and account information. The European legislator has subjected companies that access payment accounts for this purpose to financial supervision (the BaFin in Germany). This is to improve the safety for you as a consumer. The prescribed licence is subject to high requirements, compliance with which is regularly checked.

No. Since January 2018, European banks must have transposed consumer rights to use payment initiation and account information services into their online banking terms and conditions. The bank is obliged to do this and can, for instance, no longer prohibit you from passing on access data to regulated service providers such as finleap connect. finleap connect and the bank are obliged to communicate with each other in a secure manner. Innovative services such as finleap connect’s, as well as the benefits for you in your daily life should thus be promoted.

No. finleap connect only processes data upon your consent and is also required by law to do so. You give finleap connect corresponding permission at important points in the process of using the services. finleap connect’s service cannot be implemented without any processing or specific agreements to pass your data on to finleap connect partners. If possible, however, finleap connect will give you the option to decide whether or not the data should be saved or processed.

See above under the category > 1. About finleap connect the question: Who or what are finleap connect partners?

The difference results from the fact that finleap connect offers you access to payment accounts (in particular current accounts) regulated by financial supervision law, as well as unregulated access to non-payment accounts (e.g. instant access savings accounts or securities accounts). The former is referred to as account information services/payment initiation services pursuant to financial supervisory law. Information services/initiation services refer to both forms – regulated and unregulated access.

As a payment institution, finleap connect is obliged to provide your bank with a reference that enables it to track the transaction. This serves in particular the investigation of complaints or liability cases. The reference text offers the greatest possible transparency for all parties involved in the transaction. In addition, the reference enables us to delete your personal data in the case of single payment initiations and still be able to speak to you, your bank and the financial supervisory authorities regarding the implementation of your initiation.

The use of the account information service enables you to automatically use the transaction data of your payment accounts, which were previously only available at your bank, elsewhere. One example is the automatic identification of savings potential, e.g. directly in your accounting application or the use of finleap connect account switch service.

By using a payment initiation service, you usually save yourself the trouble of changing websites and typing payment information such as long recipient IBANs. The finleap connect value-added service or the partner can allow you to select the payment account from which you want to transfer money at the push of a button, as well as transfer the amount and the IBAN of the recipient directly to finleap connect. As a payment initiation service provider, finleap connect automatically completes the online transfer form of your bank. You check and confirm – that’s it!

ZAG is the abbreviation of the German Payment Services Supervision Law (“Zahlungsdiensteaufsichtsgesetz”). It regulates who can provide payment services under which conditions. finleap connect has received a licence from the German Federal Financial Supervisory Authority (BaFin) to provide account information and payment initiation services in accordance with the definitions in § 1 (33) and (34) of the ZAG.

Payment accounts are defined by law as accounts “used for the execution of payment transactions”. This refers in particular to conventional current accounts. However, the term does not include securities accounts, savings accounts or loan accounts and, generally speaking, instant access savings or fixed-term deposit accounts.

These are credit or payment institutions that have a BaFin licence for the management of payment accounts, in particular banks and savings banks. The term is used when account information or payment initiation service providers such as finleap connect access their accounts and the relevant account servicing payment service providers for these purposes and on behalf of account holders.

As of September 2019, banks will be required to perform strong customer authentication for each account access. The requirements stipulate the use of two factors that cover at least two of the three possible categories “knowledge” (e.g. password, PIN), “possession” (e.g. token, smartphone, chip card, TAN that meets the requirements) and/or “inherence” (something that the user personally or physically owns, e.g. his fingerprint). A second factor must then already be required for the access to your online banking.

PSD2 stands for “Payment Services Directive 2”, an EU-wide directive which is intended to promote innovation in the financial sector while at the same time setting new security standards in banking. The central intention of the PSD2 is that third-party providers, such as finleap connect, can access bank data and initiate payments with the user’s consent. In return, these new providers are strictly supervised and require a license from the financial supervisory authority before they can start operating. finleap connect received the license in August 2018.

The biggest risk when using finleap connect is that you as a consumer get used to the security of finleap connect services. This could lead to you entrusting your online banking access data, without hesitation, to fraudulent third parties who want to harm you. Therefore, when using innovative services in connection with your bank accounts outside of finleap connect, please always pay attention to the BaFin regulation of the company to which you provide your access data. If in doubt, verify this by searching for the company in the BaFin company database.

Yes. As a payment institution, finleap connect is supervised by the financial supervisory authority BaFin and is therefore always subject to various inspections by different auditors with regard to IT security and data protection (see also above under the category > 1. About finleap connect the question: Is finleap connect secure?). Your online banking access data already benefits from special protection by law and as part of the implementation of all requirements.

A sale of your personal data by finleap connect does not take place. finleap connect passes on your data to the partner at your explicit request when using finleap connect’s services and is paid for this by the partner. For this reason, you do not incur any costs when using finleap connect’s services. In this context, finleap connect cannot influence whether and to what extent the partner charges you a total fee for their services or whether fees for the integration of finleap connect may even be accounted for separately. The partner handles the payment of finleap connect for the integration of the services, so that you can use the partner or value-added service more comfortably or faster, for instance.

Responsible in the sense of the data protection laws is finleap connect GmbH, Gaußstraße 190 c, 22765 Hamburg. If you have any questions or suggestions, please contact the external finleap connect data privacy officer and our internal contact persons.

finleap connect’s external data privacy officer works closely with finleap connect to ensure that finleap connect fully complies with this important law at all times. When designing its services, finleap connect has therefore been taking the principles of the GDPR into account from the very beginning.

Your data will only be stored in data centres located in the European Union. Due to various requirements arising from data protection legislation, financial supervisory laws, and our own standards, finleap connect works exclusively with data centres that meet strict security requirements.

Yes, it is possible to reset the password. Just press the “Forgot password” button to start the process. You will then receive an e-mail with a link to a page where you can set a new password (in some cases after entering your security code).

In this case, neither you nor we will be able to access the finleap connect user account. In this case you will need to create a new user account. You will not be able to use the same e-mail address unless you delete your existing account and then create a new one. To delete the user account, please send a message from the corresponding e-mail address to our support.

finleap connect stores your data exclusively in encrypted form. The data is also transported via secure and efficient channels. In addition, finleap connect regularly checks the data centers itself and independently with regard to their security measures.

This is not necessary for cases of one-time use, since you only give us your consent for the purpose of a one-time use. In cases of permanent use, i.e. if you have created a finleap connect user account, you can revoke your consent at any time. This is done by requesting the deletion of your finleap connect user account in its entirety (for this purpose, please send an e-mail to our support team) or by deleting connected banks or  unchecking previously checked boxes for the synchronisation of the accounts for certain partners.

finleap connect only passes on data that you have authorised finleap connect to pass on. This is the transaction data selected by you for the desired purpose within the finleap connect service, the partner service or a confirmation of the payment initiation to the partner. Even though finleap connect selects its partners carefully, please note that the processing of the transferred data is the responsibility of the partner, who has to also send you a separate privacy statement for this purpose. If you have any questions about data processing at the partner service, please contact them directly.

Even though finleap connect selects its partners carefully and aims to work only with trusted partners, finleap connect only has limited final influence on how partners process your data. The processing of the transferred data is the responsibility of the partner, who also provides you with a separate data privacy statement for this purpose. If you have any questions about data processing at the partner service, please contact them directly.

finleap connect only saves the personal data that you have specifically made available to finleap connect for this purpose (e.g. when registering for the finleap connect user account or by allowing an automated account retrieval). You can request an overview of your personal data saved by finleap connect by sending an e-mail to our support team any time.

Your personal data is hosted in carefully selected data centres (see the above question: > Where is my data stored?). In the few exceptional cases in which your data is passed on to other service providers (e.g. finleap connect uses third-party software to send you e-mails), these service providers are obliged to adhere to the same standards as finleap connect and to use the data exclusively for the specified purpose. For this purpose, the finleap connect data privacy officer ensures compliance with the order processing contracts.

Statutory liability regulations for any damages in connection with finleap connect initiation and information services are only stipulated by law for payment initiation services (see the question below: How is liability regulated for finleap connect payment initiation services?). Other than that, finleap connect is liable according to the account holder usage agreement, which you agree to within the scope of using finleap connect services. This agreement states, for instance, that finleap connect is not liable for defects caused by circumstances for which finleap connect is not responsible.

If you discover an unauthorised payment or if a payment is late, incorrect or not executed at all, please first contact your account servicing payment service provider, e.g. the bank that executed the payment. The bank is initially responsible to you for all payment transactions made through it and may be obliged to compensate you for potential damages. In a second step, the bank and finleap connect shall settle with each other whether and to what extent a mistake was made by finleap connect and is to be compensated. finleap connect’s liability is limited to EUR 12,500, with the exception of intent, gross negligence, interest loss and separately assumed risks. In the exceptional cases mentioned above, finleap connect is liable without limitation.

This is not necessary for one-time use, as we delete your personal data anyway after completion of use in accordance with statutory provisions. For permanent use, it is possible to delete a connected bank by clicking on “delete bank” on the overview page of connected banks. Individual accounts can be deleted by simply unchecking the boxes previously checked to synchronise the accounts on the account selection page.

If you are not using finleap connect on a mobile device but on your computer and if you are on the correct web interface of finleap connect, you should always see a URL with “https” in the address bar. If this is not the case, please contact our support team immediately, mentioning the URL you see in your internet browser and never enter your access data at the suspicious URL.

To connect your bank/account, finleap connect establishes a secure connection between your terminal, finleap connect’s server and the bank. Since finleap connect depends on the availability of the interface to the bank, the maximum duration of the process can be several minutes in rare cases. Of course finleap connect continuously strives to improve the processes, within the scope of its influence.

The connection to your bank or account can fail for several reasons. First of all, finleap connect depends on the functionality of the interfaces to the banks, i.e. if an error occurs at the bank, the bank cannot be reached by finleap connect either. The same applies, for example, if your access to the bank is blocked. Furthermore, the finleap connect information service is currently only available in Germany and Austria, the finleap connect initiation service is only available in Germany. The finleap connect value-added service (account switch service) is available in Germany, Austria and Spain.

If the connection to an account in Germany or Austria fails several times even though the access is not blocked, please contact our support team.

Should the finleap connect service not work as expected, please send an e-mail to our support team. As a rule, we will reply within 1-3 working days. According to § 62 of the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG), a reply must be sent within 15 working days of receipt of your message. If a reply is not possible within this period, you will receive a preliminary reply indicating the reasons for the delay. A final reply must be received no later than 35 working days after receipt of the message.

Your satisfaction is important to finleap connect. Therefore, your complaint will usually be answered more quickly. We are also happy to receive general suggestions for improvement via e-mail.

We would like to inform you about the possibility of out-of-court settlement of disputes, which you are legally entitled to. If the subject of the complaint concerns a dispute from the area of application of payment service law, you have the option of lodging a complaint with the conciliation office of the Bundesbank (German language only) or with the Federal Financial Supervisory Authority. If your residence or habitual residence is in Austria, you can also contact the Financial Market Authority, Consumer Information & Complaints Office in Vienna.

The European Commission has also established a European Online Dispute Settlement Platform (OS Platform) at http://ec.europa.eu/odr. Consumers can use the platform to settle a dispute arising from online contracts with a company established in the EU out of court.