Non-Functional Requirements (NFR): Drop — Fintech Payment App

Non-Functional Requirements Specification (FRS)NFR): Drop — Fintech Payment App

Project: Drop — Remittance + QR Payments Version: 1.0 Date: 2026-02-23 Author: John (AI Director) Status: Approved Reviewers: Alem Bašić (CEO)

Document History

Version	Date	Author	Changes
0.1	2026-02-23	John	Initial ~~draft~~draft; ~~based~~targets onfrom ~~CLAUDE.md,~~security ~~API-REFERENCE.md,~~audit ~~DATABASE-SCHEMA.md~~+ business case

1. SystemNFR Overview

~~System Name:~~ ~~Drop — Fintech Payment App~~ ~~System Purpose:~~ Drop is a PSD2 pass-through payment app for residents of Norway/Scandinavia. It enables international remittance (PISP bank transfer at 0.5% fee) and QR-code merchant payments (PISP at 1% fee) directly from users' Norwegian bank accounts — without holding any customer funds. Users are onboarded via Norwegian BankID (18+ required).

~~System Context Diagram:~~

graph TB
    subgraph "Drop Application"
        UI[Next.js Web App - 10 screens]
        API[Next.js API Routes - 26 endpoints]
        DB[(SQLite → PostgreSQL)]
    end
    U1[Consumer User] -->|BankID login| UI
    U2[Merchant User] -->|QR management| UI
    API -->|Reads/Writes| DB
    API -->|PISP payment initiation| BAAS[BaaS Provider - Swan/SpareBank1]
    API -->|AISP balance read| BAAS
    API -->|KYC verification| KYC[KYC Provider - Sumsub]
    BAAS -->|Open Banking| BANKS[Norwegian Banks - PSD2]
    BAAS -->|SCA| BANKID[BankID]
    API -->|Remittance corridors| CORRIDOR[30+ countries]

2. Actors & Personas

~~strongcustomerauthentication (SCA)integration~~

~~Actor ID~~Category	~~Actor~~# ~~Name~~Requirements	~~Type~~Highest Priority	~~Description~~	~~Access Level~~Owner
~~ACT-01~~Performance	~~Consumer User~~6	~~Human~~Must Have	~~Norwegian resident~~John (~~18+)~~Tech ~~sending money abroad or paying merchants~~	~~Authenticated user~~Lead)
~~ACT-02~~Scalability	~~Merchant User~~4	~~Human~~Must Have	~~Local~~John ~~business~~/ ~~owner accepting QR payments~~	~~Authenticated merchant~~DevOps
~~ACT-03~~Availability	~~BaaS Provider~~6	~~System~~Must Have	~~Swan~~John or/ ~~SpareBank1 — Open Banking API (AISP/PISP)~~	~~System integration~~DevOps
~~ACT-04~~Security	~~KYC Provider~~12	~~System~~Critical	~~Sumsub~~John —+ ~~identity~~Security ~~verification and AML screening~~	~~System integration~~agent
~~ACT-05~~Reliability	~~BankID~~5	~~System~~Must Have	~~Norwegian~~John
Usability	~~System~~5	Should Have	John (Designer)
Compatibility	4	Must Have	John
Maintainability	5	Should Have	John
Compliance	8	Critical	John + Legal
Data	5	Must Have	John

Persona Detail

~~Persona: Amir (Consumer)~~

~~Role:~~ ~~Software developer, immigrant from Bosnia~~

~~Goal:~~ ~~Send 3,000 NOK/month to his mother in Sarajevo cheaply and reliably; also pay at Ahmet's kebab shop~~

~~Pain Points:~~ ~~Western Union charges 10%; needs 2 separate apps for remittance and local payments~~

~~Tech Savviness:~~ ~~High~~

~~Frequency of Use:~~ ~~Weekly (remittance monthly; QR payments weekly)~~

~~Persona: Ahmet (Merchant)~~

~~Role:~~ ~~Owner of kebab shop in Oslo~~

~~Goal:~~ ~~Accept payments without Vipps terminal; lower fees; understand daily revenue~~

~~Pain Points:~~ ~~Vipps charges 1.75-2.75%; requires hardware terminal; fees eat into margins~~

~~Tech Savviness:~~ ~~Medium~~

~~Frequency of Use:~~ ~~Daily (receives 20-50 QR payments/day)~~

3.2. FunctionalPerformance Requirements

3.1 Module: Authentication & BankID Onboarding

Module Overview

User registration and login via Norwegian BankID SCA. Age (18+) and residency (Norway, +47 phone) verified. JWT tokens issued in httpOnly cookies. 3-step onboarding: BankID verification → OTP verification → PIN setup.

~~FR-001: User Registration (3-step onboarding)~~

to Interactive responsetime p95response

~~Attribute~~ID	~~Value~~Requirement	Metric	Target
~~Module~~NFR-P01	~~Authentication~~Page load time (initial)
Time
~~Priority~~< 3 seconds	4G connection, cold cache	Lighthouse	Must Have
~~Trace~~NFR-P02	~~BR-001,~~API ~~BR-002~~
~~UI Reference~~(standard)	`mockups/figma-make-export/src/components/Onboarding.js`

~~Description:~~ New users register via a 3-step flow: (1) personal details + BankID, (2) OTP verification via Norwegian phone number, (3) PIN setup. Users must be ≥18 years old (validated via BankID DOB). Norwegian phone (+47) required.

~~Acceptance Criteria:~~

~~Given~~ ~~a valid email, password (≥8 chars), Norwegian phone (+47), and DOB ≥18 years,~~ ~~when~~ ~~user submits registration,~~ ~~then~~ ~~account is created and user proceeds to OTP step~~

~~Given~~ ~~a user under 18 years old,~~ ~~when~~ ~~they submit registration,~~ ~~then~~ ~~system rejects with "Du må være minst 18 år"~~

~~Given~~ ~~an already-registered email,~~ ~~when~~ ~~user tries to register,~~ ~~then~~ ~~system returns 409 "Email already in use"~~

~~Given~~ ~~OTP is sent,~~ ~~when~~ ~~user enters correct 6-digit code,~~ ~~then~~ ~~user proceeds to PIN setup~~

~~Given~~ ~~PIN setup,~~ ~~when~~ ~~user enters and confirms 4-digit PIN,~~ ~~then~~ ~~account is activated~~

~~Given~~ ~~invalid email format,~~ ~~when~~ ~~user submits,~~ ~~then~~ ~~422 validation error with specific field details~~

~~Data Requirements:~~

~~Input: email (unique), password (≥8 chars), first_name, last_name, phone (+47), date_of_birth~~

~~Output: user record (id, kyc_status=pending), JWT token in httpOnly cookie~~

~~Validation: email format (regex), password length, phone format, DOB ≥18~~

~~Business Rules:~~ ~~RUL-001, RUL-002, RUL-008~~

~~Dependencies:~~ ~~None~~

load (200 concurrent users)APIresponsetime

~~Attribute~~	~~Value~~
~~Module~~time	~~Authentication~~< 500ms
Normal
~~Priority~~APM / k6	Must Have
~~Trace~~NFR-P03	~~BR-001~~
UI(bcrypt ~~Reference~~operations)	`mockups/figma-make-export/src/components/Login.js`

~~Description:~~ ~~Users log in with email + password. JWT token issued in httpOnly cookie (7-day expiry). Failed logins rate-limited.~~

~~Acceptance Criteria:~~

~~Given~~ ~~valid email + password,~~ ~~when~~ ~~user submits login,~~ ~~then~~ ~~JWT cookie set and user redirected to dashboard~~

~~Given~~ ~~invalid credentials,~~ ~~when~~ ~~user submits,~~ ~~then~~ ~~401 "Invalid email or password" (no user enumeration)~~

~~Given~~ ~~10+ attempts from same IP in 1 minute,~~ ~~when~~ ~~user tries again,~~ ~~then~~ ~~429 rate limit~~p95 response
~~Given~~ ~~authenticated session idle for 7 days,~~ ~~when~~ ~~user makes request,~~ ~~then~~ ~~token expired; redirect to login~~

~~Data Requirements:~~

~~Input: email, password~~

~~Output: JWT in httpOnly cookie (SameSite=Strict); user object (id, email, role, kyc_status)~~

~~Validation: email format, password non-empty~~

~~Business Rules:~~ ~~RUL-001, RUL-002~~

~~Dependencies:~~ ~~FR-001~~

~~FR-003: Session Management + Logout~~

loadDatabasequery

~~Attribute~~	~~Value~~
~~Module~~time	~~Authentication~~< 1,000ms
Normal
~~Priority~~Benchmark tests	Must Have
~~Trace~~NFR-P04	~~BR-001~~

~~Description:~~ ~~Authenticated routes require valid JWT. Logout clears the cookie and revokes the session in the database. GET /api/auth/me returns current user.~~

~~Acceptance Criteria:~~

~~Given~~ ~~authenticated user,~~ ~~when~~ ~~they call GET /api/auth/me,~~ ~~then~~ ~~current user object returned~~

~~Given~~ ~~unauthenticated user,~~ ~~when~~ ~~they access protected route,~~ ~~then~~ ~~401 Unauthorized~~

~~Given~~ ~~authenticated user,~~ ~~when~~ ~~they POST /api/auth/logout,~~ ~~then~~ ~~cookie cleared and session revoked in DB~~

~~Business Rules:~~ ~~RUL-001~~

~~Dependencies:~~ ~~FR-002~~

3.2 Module: KYC Verification

Module Overview

Know-Your-Customer identity verification required before any transaction. In MVP: Sumsub integration (mocked in demo). Users with kyc_status=approved can transact; others are blocked with clear messaging.

~~FR-010: KYC Identity Verification~~

10ms (SELECT), < 20ms (INSERT)

~~Attribute~~	~~Value~~
~~Module~~time	~~KYC~~p95 query time
<
~~Priority~~Normal load	api-benchmarks.test.ts	Must Have
~~Trace~~NFR-P05	~~BR-001, BR-002~~

~~Description:~~ Users must complete KYC verification before initiating their first transaction. KYC status stored per user: pending → in_review → approved | rejected. In production: Sumsub document + biometric verification.

~~Acceptance Criteria:~~

~~Given~~ ~~user with kyc_status=pending,~~ ~~when~~ ~~they attempt remittance,~~ ~~then~~ ~~403 "KYC verification required" with link to complete~~

~~Given~~ ~~approved user,~~ ~~when~~ ~~they initiate transaction,~~ ~~then~~ ~~transaction proceeds~~

~~Given~~ ~~Sumsub webhook callback with approved status,~~ ~~when~~ ~~received,~~ ~~then~~ ~~user kyc_status updated to approved~~

~~Given~~ ~~rejected user,~~ ~~when~~ ~~they attempt transaction,~~ ~~then~~ ~~403 with rejection reason~~

~~Business Rules:~~ ~~RUL-008~~

~~Dependencies:~~ ~~FR-001~~

3.3 Module: Remittance (Send Money)

Module Overview

Core ~~revenue~~Web ~~stream~~Vitals: #1. Users send money to 30+ countries at 0.5% fee via PISP. The payment is initiated directly from the user's Norwegian bank account. Recipient receives bank transfer or cash pickup within 1-2 business days.

~~FR-020: Send Money — Remittance Flow~~

2.5 seconds concurrentratelimit

~~Attribute~~	~~Value~~
~~Module~~LCP	~~Remittance~~Largest Contentful Paint
<
~~Priority~~Mobile, 4G	Lighthouse	Must Have
~~Trace~~NFR-P06	~~BR-003,~~50 ~~BR-005~~
~~UI Reference~~checks	`mockups/figma-make-export/src/components/SendMoney.js`Total time	< 2,000ms total	50 concurrent calls	api-benchmarks.test.ts	Should Have

~~Description:~~ Authenticated, KYC-approved users can send money to recipients in 30+ countries. Fee: 0.5% of transaction amount. Supported MVP corridors: NOK→RSD, NOK→BAM, NOK→PKR, NOK→TRY, NOK→PLN, NOK→EUR.

~~Acceptance Criteria:~~

~~Given~~ ~~authenticated + KYC-approved user and valid recipient,~~ ~~when~~ ~~POST /api/transactions/remittance with amount 100-50,000 NOK,~~ ~~then~~ ~~201 transaction created; fee calculated as amount × 0.005~~

~~Given~~ ~~unauthenticated user,~~ ~~when~~ ~~they attempt remittance,~~ ~~then~~ ~~401 Unauthorized~~

~~Given~~ ~~user with insufficient balance,~~ ~~when~~ ~~they attempt remittance,~~ ~~then~~ ~~402 "Insufficient balance"~~

~~Given~~ ~~amount below 100 NOK or above 50,000 NOK,~~ ~~when~~ ~~user submits,~~ ~~then~~ ~~400 validation error~~

~~Given~~ ~~valid transaction,~~ ~~when~~ ~~completed,~~ ~~then~~ ~~transaction_history record created with status=completed, correct fee~~

~~Data Requirements:~~

~~Input: recipientId, amount (100-50,000 NOK), currency (RSD/BAM/PKR/TRY/PLN/EUR), note (optional)~~

~~Output: transaction_id, amount, fee (amount × 0.005), recipient_amount, status, created_at~~

~~Validation: amount range, recipientId exists, KYC approved, balance sufficient~~

~~Business Rules:~~ ~~RUL-003, RUL-005, RUL-007, RUL-008~~

~~Dependencies:~~ ~~FR-002, FR-010, FR-040 (recipients)~~

~~FR-021:~~

3. ExchangeScalability Rates
Requirements

sessions Databasemigration

~~Attribute~~ID	~~Value~~Requirement	Metric	MVP Target
~~Module~~NFR-S01	~~Remittance~~Concurrent users
Active
~~Priority~~200 users (SQLite limit)	5,000+ users (PostgreSQL)	Load testing	Must Have
~~Trace~~NFR-S02	~~BR-003~~

~~Description:~~ ~~Current NOK exchange rates for all supported corridors. GET /api/rates returns all; GET /api/rates/[currency] returns specific rate.~~

~~Acceptance Criteria:~~

~~Given~~ ~~GET /api/rates,~~ ~~when~~ ~~called,~~ ~~then~~ ~~returns all 6 NOK exchange rates (RSD, BAM, PKR, TRY, PLN, EUR)~~

~~Given~~ ~~GET /api/rates/RSD,~~ ~~when~~ ~~called,~~ ~~then~~ ~~returns NOK→RSD rate~~

~~Given~~ ~~GET /api/rates/XXX (invalid),~~ ~~when~~ ~~called,~~ ~~then~~ ~~404 Not Found~~

~~Given~~ ~~rate query,~~ ~~when~~ ~~currency code is lowercase,~~ ~~then~~ ~~case-insensitive match~~

~~Dependencies:~~ ~~None~~

~~FR-022: Recipients Management~~

at 200 concurrent APIrate

~~Attribute~~	~~Value~~
~~Module~~trigger	~~Remittance~~Concurrent users
Migrate
~~Priority~~PostgreSQL in Phase 2	Monitoring	Must Have
~~Trace~~NFR-S03	~~BR-003~~

~~Description:~~ ~~Users can add, list, and reuse recipients for remittance. Recipients have name, country, bank account / IBAN.~~

~~Acceptance Criteria:~~

~~Given~~ ~~authenticated user,~~ ~~when~~ ~~POST /api/recipients with valid data,~~ ~~then~~ ~~recipient created and associated with user~~

~~Given~~ ~~authenticated user,~~ ~~when~~ ~~GET /api/recipients,~~ ~~then~~ ~~all user's recipients returned~~

~~Given~~ ~~IBAN provided,~~ ~~when~~ ~~validated,~~ ~~then~~ ~~reject invalid IBAN format~~

~~Given~~ ~~unauthenticated user,~~ ~~when~~ ~~accessing recipients,~~ ~~then~~ ~~401 Unauthorized~~

~~Business Rules:~~ ~~RUL-003~~

~~Dependencies:~~ ~~FR-002~~

3.4 Module: QR Payments (Merchant + Consumer)

Module Overview

~~Core revenue stream #2. Merchants generate QR codes via Drop; consumers scan and pay. 1% merchant fee. Settlement via daily batch payout to merchant bank account.~~

~~FR-030: QR Payment — Consumer Flow~~

req/min (auth), 60 req/min (general)

~~Attribute~~	~~Value~~
~~Module~~limits	QRMax ~~Payments~~requests per IP
10
~~Priority~~Same	Rate limiter config	Must Have
~~Trace~~NFR-S04	~~BR-004,~~Storage ~~BR-005~~
~~UI Reference~~growth	`mockups/figma-make-export/src/components/ScanQR.js`DB size	< 1GB on Fly.io persistent volume	Managed PostgreSQL	Storage monitoring	Should Have

~~Description:~~ Consumer scans merchant's QR code → enters amount → confirms → payment initiated via PISP from bank account. Fee: 1% charged to merchant. Consumer sees confirmation; merchant receives push notification.

~~Acceptance Criteria:~~

~~Given~~ ~~authenticated + KYC-approved user,~~ ~~when~~ ~~POST /api/transactions/qr-payment with valid merchantId and amount ≥1 NOK,~~ ~~then~~ ~~201 transaction created; merchant fee calculated as amount × 0.01~~

~~Given~~ ~~invalid merchantId,~~ ~~when~~ ~~user pays,~~ ~~then~~ ~~404 "Merchant not found"~~

~~Given~~ ~~amount < 1 NOK,~~ ~~when~~ ~~submitted,~~ ~~then~~ ~~400 validation error~~

~~Given~~ ~~missing merchantId,~~ ~~when~~ ~~submitted,~~ ~~then~~ ~~400 validation error~~

~~Given~~ ~~successful payment,~~ ~~when~~ ~~completed,~~ ~~then~~ ~~both user and merchant transaction records updated~~

~~Data Requirements:~~

~~Input: merchantId, amount (≥1 NOK), note (optional)~~

~~Output: transaction_id, amount, merchant_fee (amount × 0.01), status, merchant details~~

~~Validation: merchantId exists, amount ≥1, KYC approved, balance sufficient~~

~~Business Rules:~~ ~~RUL-003, RUL-006, RUL-008~~

~~Dependencies:~~ ~~FR-002, FR-010, FR-031~~

~~FR-031:~~

4. MerchantAvailability Registration + QR Generation
Requirements

99.5%

~~Attribute~~ID	~~Value~~Requirement	Target	Period	Exclusions	Priority
~~Module~~NFR-A01	QRSystem ~~Payments~~uptime SLA
≥
~~Priority~~Monthly rolling	Scheduled maintenance (advance notice)	Must Have
~~Trace~~NFR-A02	~~BR-004,~~Scheduled ~~BR-006~~maintenance window	Max 4 hours/month	Monthly	Tue-Thu 02:00-06:00 CET preferred	Must Have
~~UI Reference~~NFR-A03	`mockups/figma-make-export/src/components/MerchantDashboard.js`Maintenance notice lead time	≥ 24 hours	Per event	Emergency patches: ASAP notify	Must Have
NFR-A04	RPO (Recovery Point Objective)	Max 24 hours data loss	Per incident	Daily backup schedule	Must Have
NFR-A05	RTO (Recovery Time Objective)	System restored within 4 hours	Per incident	For staging; production target 2 hours	Must Have
NFR-A06	Database backup	Daily automated backup	Ongoing	Fly.io persistent volume	Must Have

~~Description:~~SLA ~~Merchants register their business (name, address, bank account) and receive a unique QR code. Self-service onboarding < 5 minutes.~~

~~Acceptance Criteria:~~

~~Given~~ ~~authenticated user,~~ ~~when~~ ~~POST /api/merchants with valid business data,~~ ~~then~~ ~~merchant record created with unique QR code value~~

~~Given~~ ~~merchant,~~ ~~when~~ ~~GET /api/merchants/me,~~ ~~then~~ ~~merchant details + QR code returned~~

~~Given~~ ~~QR code,~~ ~~when~~ ~~scanned by Drop consumer app,~~ ~~then~~ ~~merchant identified and payment flow initiated~~

~~Business Rules:~~ ~~RUL-006~~

~~Dependencies:~~ ~~FR-002, FR-010~~

~~FR-032: Merchant Dashboard Analytics~~Reference:

~~Attribute~~Uptime %	~~Value~~Monthly Downtime
~~Module~~99.9%	QR43.8 ~~Payments~~minutes
99.5%	3.6 hours
99.0%	7.3 hours

5. Security Requirements

Context: Drop is a fintech app handling real money flows. Security is Critical priority. See security/drop-security-rapport.md for full audit (score: 57/100 pre-Phase 0.5; target: 80/100 post-hardening).

ID	Requirement	Category	Target / Standard	Method	Priority
NFR-SEC01	Authentication	Auth	JWT (jose library) in httpOnly cookie; SameSite=Strict; 7-day expiry	Code review + audit	Must Have
NFR-SEC02	Password hashing	Auth	bcrypt, 12 rounds; NO SHA-256 fallback	auth.test.ts	Must Have
NFR-SEC03	JWT secret	Secrets	JWT_SECRET must be set via env var — fail fast if missing	Code review	Must Have
NFR-SEC04	CSRF protection	Injection	CSRF middleware on all POST/PATCH/DELETE endpoints	Code review + test	Must Have
NFR-SEC05	Rate limiting	Abuse	10 req/min on auth; 60/min general; persistent (DB-backed, not in-memory)	middleware.test.ts	Must Have
NFR-SEC06	Input validation	Injection	All inputs sanitized server-side; parameterized SQL (no raw queries)	validation.test.ts	Must Have
NFR-SEC07	XSS prevention	Injection	CSP headers (script-src 'self'); no dangerouslySetInnerHTML	OWASP ZAP	Must Have
NFR-SEC08	Security headers	HTTP	HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, CSP	securityheaders.com	Must Have
NFR-SEC09	Card data	PCI-DSS	NEVER store or return full card number or CVV; only last_four + token_ref	Code review + db.test.ts	Must Have
NFR-SEC10	Audit logging	Compliance	All auth events, transactions, KYC changes logged with user_id + IP + timestamp	Code review	Must Have
NFR-SEC11	Per-user transaction locks	Financial	Concurrent transactions from same user serialised; no double-spend	Integration test	Must Have
NFR-SEC12	Penetration testing	Operations	External pentest before production launch	Third-party report	Should Have

6. Reliability Requirements

ID	Requirement	Metric	Target	Method	Priority
NFR-R01	Application error rate	5xx errors / total requests	< 0.1%	Monitoring	Must Have
NFR-R02	Transaction integrity	Atomic transactions	ACID compliance; no partial updates	db.test.ts	Must Have
NFR-R03	MTTR	Average recovery time	< 4 hours	Incident log	Must Have
NFR-R04	Data integrity	Database constraints	Zero orphaned records; FK constraints enabled	db.test.ts	Must Have
NFR-R05	Health check	System observability	GET /api/health returns 200 with DB status	CI smoke tests	Must Have

7. Usability Requirements

ID	Requirement	Target	Method	Priority
NFR-U01	Onboarding completion	New user completes onboarding (3 steps) in < 3 minutes	Usability testing	Must Have
NFR-U02	Remittance flow time	Registered user sends money in < 2 minutes	Usability testing	Must Have
NFR-U03	Mobile responsiveness	Fully functional on 375px–1440px (primary: 375-428px mobile)	Manual + automated	Must Have
NFR-U04	Error recovery	User can recover from any form error without page reload	Manual testing	Must Have
NFR-U05	Language	Norwegian (primary) and English (secondary)	Content audit	Should Have

8. Compatibility Requirements

ID	Requirement	Category	Target	Priority
NFR-C01	Web browsers	Browser	Chrome 100+, Firefox 100+, Safari 16+, Edge 100+	Must Have
NFR-C02	Mobile browsers	Browser	Safari iOS 15+, Chrome Android 100+ (primary platform)	Must Have
NFR-C03	Screen resolutions	Responsive	375px (iPhone SE) to 1440px (desktop); mobile-first	Must Have
NFR-C04	API versioning	API	Next.js API Routes (no versioning in MVP); semantic versioning in Phase 2	Should Have

9. Maintainability Requirements

Documentation

ID	Requirement	Metric	Target	Method	Priority
NFR-M01	Test coverage	% code covered	≥ 80% overall; 100% for auth + transaction paths	CI coverage (Vitest)	Must Have
NFR-M02	CI/CD pipeline	Deployment frequency	Bug fix to staging in < 30 minutes from merge	GitHub Actions	Must Have
NFR-M03	Feature flags	Feature control	All gated features controllable via env vars without redeploy	feature-flags.test.ts	Should Have
~~Trace~~NFR-M04	~~BR-011~~

~~Description:~~ ~~Merchants view transaction volume, revenue, and fees by time period (today/week/month).~~

~~Acceptance Criteria:~~

~~Given~~ ~~authenticated merchant,~~ ~~when~~ ~~GET /api/merchants/dashboard?period=week,~~ ~~then~~ ~~total transactions, gross volume, fees earned returned~~

~~Given~~ ~~invalid period,~~ ~~when~~ ~~queried,~~ ~~then~~ ~~defaults to today~~

~~Dependencies:~~ ~~FR-031~~

3.5 Module: Bank Accounts (AISP)

Module Overview

~~Read-only view of user's linked bank account balance via AISP (Open Banking). Drop never holds funds — balance displayed for user awareness only.~~

~~FR-040: Bank Account Balance View~~

API endpoints documented in docs/backend/API-REFERENCE.mdDependency

~~Attribute~~	~~Value~~
~~Module~~currency	~~Bank~~Doc ~~Accounts~~coverage
All
~~Priority~~Doc review	Should Have
~~Trace~~NFR-M05	~~BR-010~~
~~UI Reference~~currency	`mockups/figma-make-export/src/components/BankAccounts.js`CVE exposure	0 critical CVEs in production dependencies	npm audit in CI	Must Have

~~Description:~~ ~~Users view their linked bank account balance from their Norwegian bank via AISP. In MVP: mock balance from demo account. In Phase 2: real Open Banking AISP via BaaS provider.~~

~~Acceptance Criteria:~~

~~Given~~ ~~authenticated user,~~ ~~when~~ ~~GET /api/bank-accounts,~~ ~~then~~ ~~linked bank account(s) with masked account number and balance returned~~

~~Given~~ ~~user with no linked account,~~ ~~when~~ ~~viewing accounts,~~ ~~then~~ ~~prompt to link bank via BankID~~

~~Business Rules:~~ ~~RUL-003~~

~~Dependencies:~~ ~~FR-002, FR-010~~

3.6

10. Module:Compliance Transaction History

Module Overview

~~Users view all their transactions (remittance, QR payments) with filters by type, date, status.~~

~~FR-050: Transaction History~~

Requirements Norwegian

~~Attribute~~ID	~~Value~~Regulation	Applicability	Requirement	Technical Implementation	Priority
~~Module~~NFR-COMP01	~~Transaction~~GDPR ~~History~~(EU)	Yes — Norwegian users	Lawful basis; right to deletion; DPA with BaaS; 72h breach notification	Data deletion API; audit logs; DPA contract	Must Have
~~Priority~~NFR-COMP02	GDPR — Data minimisation	Yes	Collect only data necessary for stated purpose	BA review of DB schema	Must Have
NFR-COMP03	PSD2 (EU)	Yes — payment initiation	PISP/AISP registration with Finanstilsynet; or operate under bank partner licence	Finanstilsynet registration	Must Have
NFR-COMP04	AML / AMLD6	Yes — money transfer	KYC verification before transaction; transaction monitoring; SAR capability	Sumsub integration; monitoring alerts	Must Have
NFR-COMP05	PCI-DSS	Partial (cards feature)	No card number/CVV storage; tokenisation only	last_four + token_ref only; tokenisation via partner	Must Have
NFR-COMP06	DORA (EU)	Yes	ICT risk management; incident reporting framework	Incident report template; business continuity	Should Have
~~Trace~~NFR-COMP07	~~BR-009~~
~~UI Reference~~Personvernloven	`mockups/figma-make-export/src/components/TransactionHistory.js`

~~Description:~~ ~~Authenticated users view all transactions with pagination. Filterable by type (remittance/qr_payment) and date range.~~

~~Acceptance Criteria:~~

~~Given~~ ~~authenticated user,~~ ~~when~~ ~~GET /api/transactions,~~ ~~then~~ ~~all user's transactions returned (most recent first)~~

~~Given~~ ~~query params,~~ ~~when~~ ~~?type=remittance,~~ ~~then~~ ~~filtered results returned~~

~~Given~~ ~~unauthenticated user,~~ ~~when~~ ~~accessing transactions,~~ ~~then~~ ~~401 Unauthorized~~

~~Dependencies:~~ ~~FR-002~~

3.7 Module: Notifications

Module Overview

~~Push notifications for transaction events. Users receive alerts for incoming/outgoing transactions.~~

~~FR-060: Transaction Notifications~~

NationalGDPRimplementation;

~~Attribute~~	~~Value~~
~~Module~~Yes	~~Notifications~~
~~Priority~~same requirements	~~Should~~Legal review	Must Have
~~Trace~~NFR-COMP08	~~BR-008~~Financial licence disclaimer
Yes
NEVER use "banking" without licence disclaimer in UI	UI ~~Reference~~copy review; `/learning-opportunity` on violations	`mockups/figma-make-export/src/components/Notifications.js`Must Have

~~Description:~~ ~~Users receive push notifications when transactions are created or completed. Notifications stored in DB and viewable in-app.~~

~~Acceptance Criteria:~~

~~Given~~ ~~authenticated user,~~ ~~when~~ ~~GET /api/notifications,~~ ~~then~~ ~~all user's notifications returned (unread first)~~

~~Given~~ ~~new transaction,~~ ~~when~~ ~~completed,~~ ~~then~~ ~~notification record created for relevant user(s)~~

~~Given~~ ~~user marks notification as read,~~ ~~when~~ ~~PATCH /api/notifications/[id],~~ ~~then~~ ~~status updated~~

~~Dependencies:~~ ~~FR-020, FR-030~~

3.8 Module: User Profile & Settings

Module Overview

~~Users view and update their profile information, manage app preferences.~~

~~FR-070: User Profile~~

~~Attribute~~	~~Value~~
~~Module~~	~~Profile~~
~~Priority~~	~~Should Have~~
~~Trace~~	~~BR-007~~
~~UI Reference~~	`mockups/figma-make-export/src/components/Profile.js`

~~Description:~~ ~~Authenticated users view their profile details, update preferences, and initiate account deletion (GDPR right to erasure).~~

~~Acceptance Criteria:~~

~~Given~~ ~~authenticated user,~~ ~~when~~ ~~GET /api/auth/me,~~ ~~then~~ ~~user profile returned (no password hash)~~

~~Given~~ ~~authenticated user,~~ ~~when~~ ~~DELETE /api/user/account,~~ ~~then~~ ~~account deletion initiated per GDPR~~

~~Business Rules:~~ ~~RUL-007 (GDPR right to deletion)~~

~~Dependencies:~~ ~~FR-002~~

3.9 Module: Feature Flags

Module Overview

~~Feature flag system controls access to beta/future features without code deployment.~~

~~FR-080: Feature Flag Control~~

~~Attribute~~	~~Value~~
~~Module~~	~~Feature Flags~~
~~Priority~~	~~Should Have~~
~~Trace~~	~~BR-014~~

~~Description:~~ ~~8 feature flags control access to Cards (feature-flagged), Top-up (removed), and other future features. Controlled via environment variables.~~

~~Acceptance Criteria:~~

~~Given~~ ~~FF_CARDS_ENABLED=false,~~ ~~when~~ ~~user accesses /cards,~~ ~~then~~ ~~404-equivalent feature gate response~~

~~Given~~ ~~FF_CARDS_ENABLED=true,~~ ~~when~~ ~~user accesses /cards,~~ ~~then~~ ~~full cards feature accessible~~

~~Given~~ ~~GET /api/feature-flags,~~ ~~when~~ ~~called,~~ ~~then~~ ~~all 8 flags with current values returned~~

~~Business Rules:~~ ~~Cards feature requires card partner agreement (RUL-010)~~

~~Dependencies:~~ ~~None~~

4. Use Case Diagrams

4.1 Consumer User Use Cases

graph LR
    A1((Consumer)) --> UC1[FR-001: Register via BankID]
    A1 --> UC2[FR-002: Login]
    A1 --> UC3[FR-020: Send Money Remittance]
    A1 --> UC4[FR-030: Pay via QR Scan]
    A1 --> UC5[FR-040: View Bank Balance]
    A1 --> UC6[FR-050: View Transaction History]
    A1 --> UC7[FR-060: View Notifications]

4.2 Merchant User Use Cases

graph LR
    A2((Merchant)) --> UC1[FR-001: Register]
    A2 --> UC2[FR-031: Register Business + Get QR]
    A2 --> UC3[FR-032: View Dashboard Analytics]
    A2 --> UC4[FR-060: Receive Payment Notifications]

5. System Behavior Specifications

5.1 Error Handling

~~All errors return~~ {error, message, details?} ~~JSON format~~

~~Validation errors: 422 with~~ details ~~array listing per-field errors~~

~~Authentication errors: 401 (never reveal if email exists)~~

~~Rate limit errors: 429 with Retry-After header~~

~~No stack traces in production responses~~

5.211. Data Persistence

~~All mutations logged with user_id, ip, timestamp~~

~~Transaction records are immutable once created (status-only updates)~~

~~ACID compliance required for financial transactions~~

5.3 Session & State

~~JWT expiry: 7 days~~

~~httpOnly cookies (SameSite=Strict) prevent XSS token theft~~

~~CSRF protection on all state-changing endpoints (POST/PATCH/DELETE)~~

5.4 Notifications

~~In-app: all transaction events (create, complete, fail)~~

~~Push: Phase 2 (requires native mobile app)~~

~~Email: account registration, security alerts~~

5.5 Security Headers (Required)

~~HSTS, CSP, X-Frame-Options: DENY, X-Content-Type-Options: nosniff~~

~~Referrer-Policy: strict-origin-when-cross-origin~~

6. Requirements Summary Table

Data

ID	~~Feature Name~~Requirement	~~Module~~Category	Target	Implementation	Priority	~~Status~~	~~Trace~~
~~FR-001~~NFR-D01	Data retention — user data	Retention	User ~~Registration~~data ~~(3-step~~deleted ~~onboarding)~~within 30 days of account deletion request	~~Auth~~Scheduled deletion job (GDPR Art.17)	Must Have	~~Implemented~~	~~BR-001, BR-002~~
~~FR-002~~NFR-D02	~~User~~Data ~~Login~~retention — audit logs	~~Auth~~Retention	Audit logs: 5 years (AML requirement)	Log rotation policy	Must Have	~~Implemented~~	~~BR-001~~
~~FR-003~~NFR-D03	~~Session~~PII ~~Management~~field ~~+ Logout~~documentation	~~Auth~~Privacy	All PII fields identified in DATABASE-SCHEMA.md	Data dictionary in docs/backend/	Must Have	~~Implemented~~	~~BR-001~~
~~FR-010~~NFR-D04	~~KYC~~Data ~~Identity~~anonymisation ~~Verification~~(non-prod)	~~KYC~~Privacy	No real user data in staging/dev environments	Seed data only; no prod data migration	Must Have	~~Mock (prod pending)~~	~~BR-001~~
~~FR-020~~NFR-D05	~~Send~~GDPR ~~Money~~data ~~— Remittance~~export	~~Remittance~~Portability	~~Must~~User ~~Have~~can export their data (GDPR Art.20)	~~Implemented~~	~~BR-003,~~export ~~BR-005~~
~~FR-021~~	~~Exchange Rates API~~	~~Remittance~~	~~Must Have~~	~~Implemented~~	~~BR-003~~
~~FR-022~~	~~Recipients Management~~	~~Remittance~~	~~Must Have~~	~~Implemented~~	~~BR-003~~
~~FR-030~~	~~QR Payment — Consumer~~	~~QR Payments~~	~~Must Have~~	~~Implemented~~	~~BR-004, BR-005~~
~~FR-031~~	~~Merchant Registration + QR~~	~~QR Payments~~	~~Must Have~~	~~Implemented~~	~~BR-004, BR-006~~
~~FR-032~~	~~Merchant Dashboard Analytics~~	~~QR Payments~~endpoint	Should Have	~~Implemented~~	~~BR-011~~
~~FR-040~~	~~Bank Account Balance (AISP)~~	~~Bank Accounts~~	~~Should Have~~	~~Mock (AISP pending)~~	~~BR-010~~
~~FR-050~~	~~Transaction History~~	~~History~~	~~Should Have~~	~~Implemented~~	~~BR-009~~
~~FR-060~~	~~Transaction Notifications~~	~~Notifications~~	~~Should Have~~	~~Implemented~~	~~BR-008~~
~~FR-070~~	~~User Profile + GDPR deletion~~	~~Profile~~	~~Should Have~~	~~Implemented~~	~~BR-007~~
~~FR-080~~	~~Feature Flag Control~~	~~Feature Flags~~	~~Should Have~~	~~Implemented~~	~~BR-014~~

~~Requirements Count:~~

~~Must Have: 7~~

~~Should Have: 8~~

~~Could Have: 0~~

~~Won't Have (this release): Cards virtual/physical (BR-014), Loyalty rewards (BR-012)~~

7.12. TraceabilityNFR toTesting Business& RequirementsVerification Plan

~~Objective~~ failed

FRNFR IDCategory	~~Feature~~Testing ~~Name~~Method	~~Business Requirement (BR ID)~~Tools	~~Business~~Frequency	Pass ~~(BO ID)~~Criteria
~~FR-001~~Performance	~~User~~Benchmark ~~Registration~~tests + load testing	~~BR-001,~~api-benchmarks.test.ts, ~~BR-002~~Lighthouse	~~BO-02,~~Per ~~BO-05~~sprint + pre-launch	All NFR-P targets met
~~FR-002~~Security	~~User~~Security ~~Login~~audit + automated tests	~~BR-001~~validation.test.ts, OWASP ZAP, external pentest	~~BO-02~~Per sprint + pre-launch	Score ≥ 80/100; no critical open
~~FR-010~~Availability	~~KYC~~Uptime ~~Verification~~monitoring	~~BR-001,~~Fly.io ~~BR-007~~metrics, health endpoint	~~BO-05~~Ongoing	≥ 99.5% monthly
~~FR-020~~Compliance	~~Remittance~~Legal review + audit	~~BR-003,~~Manual ~~BR-005~~+ Sumsub	~~BO-01,~~Pre-launch ~~BO-02~~+ annual	All compliance items verified
~~FR-030~~Reliability	QRUnit ~~Payments~~+ integration tests	~~BR-004,~~Vitest ~~BR-005~~(db.test.ts)	~~BO-01,~~Per ~~BO-03~~
~~FR-031~~commit	~~Merchant~~Zero ~~Registration~~	~~BR-004,~~integrity ~~BR-006~~	~~BO-03~~
~~FR-040~~	~~Bank Balance (AISP)~~	~~BR-010~~	~~BO-02~~tests

~~Full traceability matrix:~~ [requirements-traceability-matrix.md](requirements-traceability-matrix.md)

Approval

Role	Name	Date	Signature
Author	John (AI Director)	2026-02-23	Approved (AI)
Tech Lead	John	2026-02-23	Approved
~~Product Owner~~	~~John~~	~~2026-02-23~~	~~Approved~~
AI Director (John)	John	2026-02-23	Approved
CEO (Alem)	Alem Bašić	TBD

Non-Functional Requirements (NFR): Drop — Fintech Payment App

Non-Functional Requirements Specification (FRS)NFR): Drop — Fintech Payment App

Document History

1. SystemNFR Overview

2. Actors & Personas

Persona Detail

3.2. FunctionalPerformance Requirements

3.1 Module: Authentication & BankID Onboarding

Module Overview

3.2 Module: KYC Verification

Module Overview

3.3 Module: Remittance (Send Money)

Module Overview

3. ExchangeScalability RatesRequirements

3.4 Module: QR Payments (Merchant + Consumer)

Module Overview

4. MerchantAvailability Registration + QR GenerationRequirements

5. Security Requirements

6. Reliability Requirements

7. Usability Requirements

8. Compatibility Requirements

9. Maintainability Requirements

3.5 Module: Bank Accounts (AISP)

Module Overview

3.6

10. Module:Compliance Transaction History

Module Overview

3.7 Module: Notifications

Module Overview

3.8 Module: User Profile & Settings

Module Overview

3.9 Module: Feature Flags

Module Overview

4. Use Case Diagrams

4.1 Consumer User Use Cases

4.2 Merchant User Use Cases

5. System Behavior Specifications

5.1 Error Handling

5.211. Data Persistence

5.3 Session & State

5.4 Notifications

5.5 Security Headers (Required)

6. Requirements Summary Table

7.12. TraceabilityNFR toTesting Business& RequirementsVerification Plan

Approval

3. ExchangeScalability Rates
Requirements

4. MerchantAvailability Registration + QR Generation
Requirements