QWAC Assessor

  • prototyped
  • PSD2

Software solution that makes authorization and authentification to TPPs based on their certificate offline. In accordance with the EU PSD2 Directive, registered Third Party Providers (TPPs) are authorized to access customer bank accounts as well as execute payments. The regulatory standards require processing of transactions via secure channels, in order to protect data in terms of authenticity and confidentiality.

Certificates for the protection of sensitive customer data

In order to meet the PSD2 security requirements, banks and TPPS Account Information Service Providers, use qualified QWAC certificates and electronic seals. These serve as authentication for authorized access to sensitive customer data.

Key challenge for banks

The provision of a public interface requires banks to check every request from a Third Party Provider from the outset, in order to protect the information of their customers. However, identity and authorization are confirmed by different entities. Therefore, there is the risk that a bank may well have identified the Third Party Provider correctly, but that TPP’s authorisation for certain services is no longer valid.

Therefore, any request from a Third Party Provider requires a two-part check to prevent the following dangers:

• Unauthorized access, and as a result disclosure of sensitive information
• Unauthorized initiation of payments

The adorsys TPP Validator (QWAC Assessor) handles the check for you

The validity of the certificates is subject to constant changes and adjustments, which have to be updated daily in your system. The Qwac Assessor can be run as a standalone web service or it can be integrated into an API gateway.

2E282E36-D34C-4F13-87EA-C2D01848329BCreated with sketchtool.

Offline TPP

The verification of the certificates takes place in the offline mode.

9EF16D01-F1F2-419E-9014-24C6DC9D2440Created with sketchtool.


This component checks the requests of the Third Party Provider (TPP) for their identity based on the provided certificate.

Icon / AuthentificationCreated with Sketch.


Checks whether a TPP is authorized as a PISP, AISP, or PIISP. Validity of the TPP certificate.

Use Case

How the Qwac Assessor works

A Third Party Provider (TPP) makes a request to the bank to obtain account information or initiate a payment initiation. It is imperative that the bank checks the validity of the TPP certificate. This ensures that no customer data is mistakenly issued to third parties. This is where the QWAC Assessor comes in. The QWAC Assessor validates the identity and role (AIS, PIS, PIIS) of the TPP and then releases the call of the TPP. Only after this confirmation does the TPP receive the requested XS2A access.

adorsys-QWAC-Assessor-infographicCreated with Sketch.TPPAPI GatewayXS2A InterfaceRequestCheckBankAPI GatewayXS2A InterfaceBankTPPAPI GatewayXS2A InterfaceBankTPPLibraryProxyStandaloneAs a standalone server that receives requests from both TPP and XS2A InterfaceAs a proxy server between TPP and XS2A Interface As a library that is integrated in a bank`s application

Any questions?Ask our expert

Francis Pouatcha

Technical Lead