Skip to main content

Compliance Gap Analysis

Drop Gap Analysis v2

Regulatory Compliance Gap Assessment

Date: 2026-02-12 Prepared for: ALAI Holding AS / Drop Payment App Source code reviewed: /Users/makinja/ALAI/products/Drop/src/drop-app/src/ Security rapport: /Users/makinja/ALAI/products/Drop/security/drop-security-rapport.md QA rapport: /Users/makinja/ALAI/products/Drop/project/docs/drop-qa-rapport.md

NOTE (2026-03-03): This analysis was performed on 2026-02-12. ADR-014 (2026-03-03) removed SQLite and replaced it with PostgreSQL 16 in all environments (AWS RDS, AES-256 at rest). All SQLite-specific gaps in this document (single-file DB, no HA, no backup, no retention policy tooling) are resolved by the PostgreSQL migration. Review and update this document against the current PostgreSQL 16 architecture.

Executive Summary

Drop is an MVP-stage Next.js payment app (remittance + QR payments) with SQLite backend. The codebase has solid fundamentals (parameterized SQL, JWT auth, atomic transactions) but has zero regulatory compliance infrastructure. Every regulatory area has critical gaps. The app cannot legally process a single real transaction in its current state.

Overall compliance readiness: 8/100

Area Readiness Critical Gaps
Licensing 0% No license applied for, no agent arrangement
PSD2/SCA 10% No BankID, no SCA, no Open Banking integration
AML/KYC 5% Mock KYC only, no real identity verification, no transaction monitoring
GDPR 15% Landing page has terms, but no DPIA, no processing register, limited privacy notice
ICT Security 25% Basic security controls exist but no formal policies, no BCP, no pen tests
Governance 5% No compliance officer, no internal control framework documented
Valutaregisteret 0% No SSB registration, no reporting capability
Consumer Protection 10% Basic terms exist but incomplete, no Finansklagenemnda membership

1. Licensing Gap Analysis

Current State

  • No Finanstilsynet license applied for
  • No agent arrangement with licensed institution
  • App is running as a standalone MVP/demo

Gap Table

Requirement Required State Current State Gap Priority
Payment institution license Valid license from Finanstilsynet None FULL GAP CRITICAL
Client fund safeguarding Segregated account or insurance Not applicable (demo mode) FULL GAP CRITICAL
Initial capital 20,000-125,000 EUR depending on scope Not secured FULL GAP CRITICAL
Business plan with projections 3-year financial plan Exists as business case (project/docs/zica-business-case-v2.md) PARTIAL -- needs licensing-format update HIGH
Agent arrangement (alternative) Registered agent under licensed PSP None FULL GAP CRITICAL

Recommendation

Fastest path to market: Establish agent arrangement with a licensed Norwegian payment institution while simultaneously preparing full license application. The agent model allows live transactions within 1-3 months; own license takes 6-12 months.

2. PSD2 / Betalingstjenesteloven Gap Analysis

Current State (from code review)

  • Auth: lib/auth.ts -- JWT with HS256, cookie-based, 24h expiry
  • SCA: None. Login is email + password only. No second factor.
  • BankID: Not integrated. CLAUDE.md mentions it as a requirement but it is not implemented.
  • Open Banking: Not integrated. Architecture doc mentions pass-through model but all balance/transaction data is local SQLite.
  • Fee disclosure: Remittance shows fee (0.5%) and QR shows fee (1%) in API responses, but no pre-contractual disclosure framework.
  • Framework agreement: Landing page has vilkar.html (terms) but not compliant with betalingstjenesteloven SS 3-1 format.

Gap Table

Requirement Law Reference Current State Gap Priority
Strong Customer Authentication SS 4-28, 4-29 Email + password only (single factor) FULL GAP -- No SCA CRITICAL
BankID integration SS 4-28 (Norwegian SCA) Not implemented; mentioned in architecture doc FULL GAP CRITICAL
Dynamic linking (amount+payee to auth) Del. Reg. Art. 5 Not implemented FULL GAP CRITICAL
Open Banking AISP/PISP SS 4-40 to 4-46 Not implemented; balance is local FULL GAP CRITICAL
Framework agreement SS 3-1 to 3-8 Basic terms page exists (vilkar.html) PARTIAL -- needs betalingstjenesteloven format HIGH
Per-transaction receipt SS 3-22 to 3-26 API returns transaction data; no formal receipt PARTIAL -- needs formatting to comply HIGH
Fee transparency pre-auth SS 3-23 Fee shown in API response after submission GAP -- fee must be shown BEFORE authorization HIGH
Exchange rate disclosure SS 3-24 Rate shown in API response; no reference rate markup PARTIAL -- needs reference rate + markup HIGH
Execution time disclosure SS 4-15 Remittance returns eta: "1-2 business days" hardcoded PARTIAL -- needs accurate per-corridor times MEDIUM
Unauthorized transaction refund SS 4-19 to 4-22 No refund mechanism exists FULL GAP HIGH
Session management / token revocation Related to SCA Sessions table exists but unused (lib/db.ts:97-104). Security report H1 confirms no revocation. FULL GAP HIGH

Technical Gaps in Code

File: lib/auth.ts

  • Line 18-20: JWT_SECRET uses dev fallback in non-production. Production enforcement is correct.
  • Line 48-54: Cookie settings are solid (httpOnly, secure, sameSite strict). Good foundation.
  • Missing: No BankID callback handler, no OIDC/OAuth flow, no second factor.

File: app/api/auth/register/route.ts

  • Line 20-29: Registration collects email, password, firstName, lastName, phone. No DOB field.
  • Line 27: Password validation is length-only (>= 8 chars). No complexity requirements.
  • Missing: Age verification (18+), BankID verification, Norwegian residency check.

File: app/api/transactions/remittance/route.ts

  • Line 21: KYC check exists (kyc_status !== "approved" returns 403). Good gate, but KYC is fake.
  • Line 60: Fee calculation (0.5%) is hardcoded. No disclosure step before authorization.
  • Missing: Pre-authorization disclosure screen, SCA for transaction signing.

File: app/api/transactions/qr-payment/route.ts

  • No KYC check (QA rapport H-11 confirms this). A user with pending KYC can make QR payments.
  • Missing: KYC gate for QR payments, SCA for transaction signing.

3. AML / Hvitvaskingsloven Gap Analysis

Current State (from code review)

  • KYC: users.kyc_status field exists (pending/approved/rejected) but verification is mocked.
  • Sumsub integration: lib/services/mock-sumsub.ts -- fully mocked, no real API calls.
  • Transaction monitoring: None. No rules, no alerts, no flagging.
  • STR filing: No mechanism.
  • PEP/Sanctions screening: None.
  • AML officer: Not appointed.
  • Risk assessment: Not conducted.

Gap Table

Requirement Law Reference Current State Gap Priority
AML risk assessment SS 6, 7 Not conducted FULL GAP CRITICAL
AML policy & procedures SS 8 Not created FULL GAP CRITICAL
AML compliance officer SS 8(5) Not appointed FULL GAP CRITICAL
Customer identity verification SS 12 Mock only (mock-sumsub.ts); kyc_status field is manually set FULL GAP CRITICAL
BankID as identity verification SS 12(3) Not integrated FULL GAP CRITICAL
Ongoing customer monitoring SS 24 None FULL GAP CRITICAL
Transaction monitoring system SS 24, 25 None -- no rules, no alerts FULL GAP CRITICAL
STR reporting to EFE SS 26 No mechanism exists FULL GAP CRITICAL
PEP screening SS 18 None FULL GAP CRITICAL
Sanctions screening Sanctions regulations None FULL GAP CRITICAL
Record keeping (5 years) SS 30 SQLite local file, no retention policy PARTIAL -- data stored but no policy HIGH
Customer risk categorization SS 12(4) No risk model FULL GAP HIGH
Source of funds documentation SS 17(2) Not collected for any transaction FULL GAP HIGH
AML training SS 36 No training program FULL GAP MEDIUM
Ongoing PEP/sanctions rescreening SS 18(5), 24 None FULL GAP HIGH

Technical Gaps in Code

File: lib/db.ts

  • Line 29: kyc_status field exists with proper enum. Good schema foundation.
  • Missing: No risk_level column, no pep_status, no sanctions_check_date, no kyc_verified_at, no kyc_method (BankID vs document vs simplified).

File: lib/services/mock-sumsub.ts

  • Entire file is a mock. Lines 204-224 show random 90% approval logic.
  • Sumsub interface has proper checks modeled (documentAuthenticity, livenessCheck, facematch, sanctionsCheck, pepCheck) but all mocked.
  • Missing: Real Sumsub API integration, BankID integration for Norwegian residents.

File: app/api/transactions/remittance/route.ts

  • Line 21: KYC gate exists. Good.
  • Line 40: Amount limits (100-50,000 NOK). Good.
  • Missing: Transaction monitoring hooks, suspicious pattern detection, cumulative daily/monthly limit checks, corridor risk assessment.

Database schema missing tables:

  • aml_alerts -- transaction monitoring alerts
  • str_reports -- suspicious transaction report records
  • pep_screening_results -- PEP check results per user
  • sanctions_screening_results -- sanctions check results
  • customer_risk_profile -- risk categorization per user
  • kyc_documents -- verified identity documents
  • audit_log -- comprehensive audit trail (also noted in security rapport L3)

4. GDPR / Personopplysningsloven Gap Analysis

Current State (from code review)

  • Landing page has terms (vilkar.html) and presumably a privacy notice
  • No DPIA conducted
  • No Register of Processing Activities
  • No data processing agreements with service providers
  • No data subject rights procedures implemented
  • No cookie consent mechanism
  • No data retention schedule implemented

Gap Table

Requirement GDPR Reference Current State Gap Priority
DPIA Art. 35 Not conducted FULL GAP CRITICAL
Privacy policy (nb) Art. 13 Basic terms exist; unclear if full privacy notice PARTIAL CRITICAL
Register of processing activities Art. 30 Not created FULL GAP HIGH
Lawful basis documentation Art. 6 Not documented FULL GAP HIGH
Data processing agreements Art. 28 None (no real processors yet, but mock services reference Swan, Stripe, Sumsub) FULL GAP for production HIGH
SCCs for non-EEA transfers Art. 46 Not prepared (remittance to RS, BA, TR, PK requires SCCs) FULL GAP HIGH
Transfer Impact Assessments Schrems II Not conducted FULL GAP HIGH
Data subject access procedure Art. 15 No API endpoint or process for data access requests FULL GAP HIGH
Right to erasure procedure Art. 17 No deletion capability (AML retention conflicts need mapping) FULL GAP HIGH
Data portability Art. 20 No export mechanism FULL GAP MEDIUM
Cookie consent Art. 6(1)(a), ePrivacy No consent mechanism FULL GAP MEDIUM
Retention schedule Art. 5(1)(e) No schedule; data stored indefinitely FULL GAP MEDIUM
Data breach response plan Art. 33-34 Not created FULL GAP HIGH
DPO appointment Art. 37 Not appointed (may not be required for small PSP but recommended) GAP MEDIUM

Technical Gaps in Code

File: lib/db.ts

  • All personal data stored in plaintext SQLite: name, email, phone, bank accounts, transaction history.
  • Card data stored in plaintext (security rapport C1). PCI-DSS violation AND GDPR security adequacy issue.
  • No encryption at rest.
  • No field-level encryption for sensitive data.
  • No deleted_at or soft-delete mechanism for data subject erasure.
  • No data export endpoint.

File: app/api/auth/register/route.ts

  • Collects personal data (email, name, phone) with no consent mechanism.
  • No link to privacy policy during registration.
  • No purpose disclosure.

Cross-border transfer data flow:

  • Remittance sends data to recipients in RS, BA, TR, PK (non-EEA countries).
  • No SCCs or TIAs prepared for these transfers.
  • Recipient data (name, bank account) is processed for non-EEA delivery.

5. IKT-forskriften / DORA Gap Analysis

Current State (from security rapport and code review)

  • JWT auth with proper cookie config (positive)
  • Parameterized SQL throughout (positive)
  • Security headers configured (CSP, X-Frame, X-Content-Type, Referrer-Policy, Permissions-Policy) (positive)
  • Rate limiting exists but in-memory only (security rapport H2)
  • No formal IT security policy document
  • No BCP/DRP
  • No pen test conducted
  • No incident response plan
  • No change management procedures
  • No audit logging (security rapport L3)

Gap Table

Requirement IKT-f. / DORA Current State Gap Priority
IT security policy IKT SS 3 Not documented FULL GAP HIGH
IT risk assessment IKT SS 4 Security rapport exists (2026-02-12) but not a formal risk assessment PARTIAL HIGH
Access control IKT SS 6 JWT-based, user-scoped queries. Good code-level controls. No admin access control. PARTIAL HIGH
Audit trail IKT SS 11, DORA Art. 12 No audit logging (security rapport L3) FULL GAP HIGH
Incident management IKT SS 8, DORA Art. 17-23 No incident response plan FULL GAP HIGH
Business continuity IKT SS 9, DORA Art. 11 No BCP/DRP. SQLite single-file DB = single point of failure. FULL GAP HIGH
Penetration testing IKT SS 12, DORA Art. 24-27 No pen test conducted. Security rapport is code review, not pen test. FULL GAP HIGH
Change management IKT SS 7 No documented procedures FULL GAP MEDIUM
Third-party management IKT SS 10, DORA Art. 28-44 Mock services only; no real third-party integrations yet. No vendor assessment framework. FULL GAP for production MEDIUM
ICT incident reporting DORA Art. 19 No reporting capability FULL GAP MEDIUM
Register of ICT providers DORA Art. 28(3) Not maintained FULL GAP MEDIUM
HSTS header Best practice Missing (security rapport M2) GAP MEDIUM
CSP tightening Best practice unsafe-inline and unsafe-eval in script-src (security rapport M1) GAP MEDIUM
Distributed rate limiting IKT SS 5 In-memory Map, resets on restart (security rapport H2) GAP HIGH
Session revocation IKT SS 6 Table exists but unused (security rapport H1) GAP HIGH

Security Rapport Findings Impact on Compliance

Finding Regulatory Impact
C1: Card PAN/CVV in plaintext PCI-DSS violation; GDPR Art. 32 security adequacy failure
C2/C3: Hardcoded demo credentials IKT-forskriften SS 5 security measures failure
C4: SHA-256 legacy passwords GDPR Art. 32 -- inadequate cryptographic protection
H1: No session revocation PSD2 SCA non-compliance; IKT-forskriften SS 6 access control gap
H2: In-memory rate limiting IKT-forskriften SS 5 -- unreliable security control
H5: Top-up without payment verification Betalingstjenesteloven violation -- fictitious value creation
L3: No audit logging Hvitvaskingsloven SS 30; IKT-forskriften SS 11; DORA Art. 12

6. Finansforetaksloven / Governance Gap Analysis

Current State

  • ALAI Holding AS is registered (org.nr 932 516 136)
  • No compliance officer appointed
  • No formal internal control framework
  • No board-level governance documented for Drop specifically

Gap Table

Requirement Law Reference Current State Gap Priority
Board competence SS 8-4 Alem is sole director of ALAI Holding GAP -- may need additional board members with financial competence HIGH
Fit & proper documentation SS 3-5 to 3-7 Not prepared FULL GAP HIGH
Compliance officer SS 13-4 Not appointed FULL GAP CRITICAL
Internal control system SS 13-2 Not documented FULL GAP HIGH
Internal audit function SS 8-18 Not established FULL GAP MEDIUM
Risk management framework SS 13-3 Not documented FULL GAP HIGH
Outsourcing policy SS 13-7 Not documented FULL GAP MEDIUM
Capital adequacy plan SS 2-9 Not prepared FULL GAP HIGH
Organizational chart for license SS 3-3 Exists in ALAI CLAUDE.md but needs formal version PARTIAL MEDIUM

7. Valutaregisterloven Gap Analysis

Current State

  • Remittance to 6 currencies (RSD, BAM, PLN, PKR, TRY, EUR) is implemented
  • Transaction records store: amount, currency, country (via recipient), date
  • No SSB registration
  • No reporting capability
  • No purpose codes assigned

Gap Table

Requirement Law Reference Current State Gap Priority
SSB registration SS 3 Not registered FULL GAP HIGH
Monthly reporting SS 4, Forskrift SS 5 No reporting extract or process FULL GAP HIGH
Purpose codes Forskrift SS 4 Not assigned to transactions FULL GAP HIGH
Country-level data SS 5 recipients.country captures this OK --
Currency data SS 5 Transaction records include currency OK --
5-year retention SS 6 Data stored, no retention policy PARTIAL MEDIUM

Technical Gaps in Code

File: lib/db.ts

  • transactions table has amount, currency, recipient_id (links to country). Good foundation.
  • Missing: purpose_code column in transactions table.
  • Missing: Reporting extract query/export function.

8. Consumer Protection Gap Analysis

Current State

  • Landing page has vilkar.html (terms of service)
  • Remittance shows fees and exchange rate in API response
  • No framework agreement in betalingstjenesteloven format
  • No Finansklagenemnda membership
  • No complaint handling procedure
  • No withdrawal form

Gap Table

Requirement Law Reference Current State Gap Priority
Framework agreement Betalingstjenesteloven SS 3-1 Basic terms only PARTIAL -- needs full PSD2-format agreement HIGH
Pre-contractual information Finansavtaleloven SS 3-23 Incomplete GAP HIGH
Fee schedule Betalingstjenesteloven SS 3-23 Fees hardcoded in API (0.5% remittance, 1% QR). No published schedule. GAP HIGH
14-day withdrawal right Angrerettloven SS 22 Not implemented FULL GAP HIGH
Withdrawal form Angrerettloven SS 11 Not created FULL GAP MEDIUM
Complaint handling Finansavtaleloven SS 3-53 No procedure FULL GAP HIGH
Finansklagenemnda membership Finansklagenemndloven Not member FULL GAP HIGH
Unauthorized transaction refund Finansavtaleloven SS 4-30 No mechanism FULL GAP HIGH
Marketing substantiation Markedsfoeringsloven SS 9 "Enklere betalinger. Lavere gebyrer." -- "Lavere gebyrer" needs substantiation if compared RISK MEDIUM

9. Document Inventory: What Exists vs. What Is Needed

Documents That Exist

Document Location Compliance Value
Terms of Service (vilkar.html) Landing page Partial -- needs PSD2 upgrade
Security Audit Rapport security/drop-security-rapport.md Useful for risk assessment but not a formal pen test
QA Code Quality Rapport project/docs/drop-qa-rapport.md Identifies technical debt
Architecture Document project/architecture/architecture-document.md Foundation for IT documentation
Business Case project/docs/zica-business-case-v2.md Foundation for license business plan
Feature Flags System lib/feature-flags.ts Good for controlling feature rollout
Mock Service Interfaces lib/services/mock-*.ts Defines integration requirements

Documents That Are Completely Missing

Document Regulation Priority
Finanstilsynet license application Betalingstjenesteloven kap. 2 CRITICAL
AML risk assessment Hvitvaskingsloven SS 6 CRITICAL
AML policy and procedures manual Hvitvaskingsloven SS 8 CRITICAL
KYC procedures document Hvitvaskingsloven SS 10-18 CRITICAL
STR reporting procedures Hvitvaskingsloven SS 26 CRITICAL
DPIA GDPR Art. 35 CRITICAL
Privacy policy (full, nb) GDPR Art. 13 CRITICAL
Register of processing activities GDPR Art. 30 HIGH
Data processing agreements GDPR Art. 28 HIGH
SCCs for non-EEA transfers GDPR Art. 46 HIGH
Transfer Impact Assessments Schrems II HIGH
IT security policy IKT-forskriften SS 3 HIGH
Business continuity plan IKT-forskriften SS 9 HIGH
Disaster recovery plan IKT-forskriften SS 9 HIGH
Incident response plan IKT-forskriften SS 8 HIGH
Framework agreement (PSD2 format) Betalingstjenesteloven SS 3-1 HIGH
Fee schedule Betalingstjenesteloven SS 3-23 HIGH
Complaint handling procedure Finansavtaleloven SS 3-53 HIGH
Internal control framework Finansforetaksloven SS 13-2 HIGH
Fit & proper documentation Finansforetaksloven SS 3-5 HIGH
Withdrawal form Angrerettloven SS 11 MEDIUM
Data breach response plan GDPR Art. 33-34 HIGH
Data retention schedule GDPR Art. 5(1)(e) MEDIUM
Change management procedures IKT-forskriften SS 7 MEDIUM
Capital adequacy plan Betalingstjenesteloven SS 2-9 HIGH

10. Technical Gap Summary

Database Schema Gaps

The current schema (lib/db.ts) needs these additions for compliance:

Table/Column Purpose Regulation
users.dob Age verification (18+) Betalingstjenesteloven (vilkar)
users.national_id_hash Fodselsnummer hash for verification Hvitvaskingsloven SS 12
users.risk_level Customer risk categorization Hvitvaskingsloven SS 12(4)
users.pep_status PEP flag Hvitvaskingsloven SS 18
users.sanctions_cleared Sanctions clearance status Sanctions regulations
users.kyc_method How KYC was performed (BankID/document/etc.) Hvitvaskingsloven SS 12
users.kyc_verified_at When KYC was completed Hvitvaskingsloven SS 30
transactions.purpose_code Valutaregister reporting Valutaregisterloven SS 5
audit_log (new table) All sensitive operations IKT-forskriften SS 11; Hvitvaskingsloven SS 30
aml_alerts (new table) Transaction monitoring alerts Hvitvaskingsloven SS 24
str_reports (new table) STR filings Hvitvaskingsloven SS 26
screening_results (new table) PEP/sanctions screening results Hvitvaskingsloven SS 18
consents (new table) GDPR consent records GDPR Art. 7
data_access_requests (new table) DSAR tracking GDPR Art. 15-22

API Route Gaps

Route Gap Regulation
POST /api/auth/register No age check, no BankID, no consent PSD2, AML, GDPR
POST /api/auth/login No SCA (single factor only) PSD2 SS 4-28
POST /api/transactions/remittance No pre-auth disclosure, no SCA signing, no TM hooks PSD2, AML
POST /api/transactions/qr-payment No KYC gate, no SCA signing PSD2, AML
POST /api/users/top-up No payment verification (infinite money) PSD2 -- not a valid payment service
POST /api/cards PCI-DSS violations (plaintext PAN/CVV) PCI-DSS, GDPR Art. 32
ALL routes No audit logging IKT-forskriften, AML
MISSING GET /api/user/data-export (DSAR) GDPR Art. 15, 20
MISSING DELETE /api/user/account (erasure) GDPR Art. 17
MISSING POST /api/auth/bankid/callback PSD2 SCA
MISSING GET /api/compliance/screening/:userId AML SS 18
MISSING Transaction monitoring middleware AML SS 24

Infrastructure Gaps

Component Current Required Priority
Database SQLite (single file) PostgreSQL or similar (HA, encryption at rest, backup) HIGH
Rate limiting In-memory Map Redis/Upstash distributed limiter HIGH
Session management Stateless JWT only Session table + revocation HIGH
Audit logging None Immutable audit log (append-only) HIGH
Encryption at rest None AES-256 for sensitive fields or full-disk HIGH
Backup None Automated daily backup with tested restore HIGH
Monitoring None Application + security monitoring HIGH
Card data Plaintext in SQLite Tokenized via PCI-compliant issuer (Stripe Issuing) CRITICAL
KYC provider Mock Sumsub Real Sumsub/Onfido + BankID CRITICAL
BaaS Mock Swan Real BaaS provider for IBAN accounts CRITICAL

Phase 0: Documentation Sprint (Weeks 1-4)

No code changes. Produce regulatory documents.

# Deliverable Owner Weeks
1 AML risk assessment Compliance advisor + Alem 1-2
2 AML policy and procedures Compliance advisor 2-3
3 DPIA Legal/Compliance advisor 2-3
4 Privacy policy (full, nb) Legal 1-2
5 IT security policy Tech Lead 1-2
6 Framework agreement (PSD2 format) Legal 2-3
7 Internal control framework Compliance advisor 2-4
8 Business plan (licensing format) Alem + advisor 1-3

Phase 1: Critical Technical (Weeks 3-8)

Code changes to close critical security and compliance gaps.

# Task Dependency Weeks
1 BankID integration (authentication + SCA) BankID test agreement 3-5
2 Real KYC integration (Sumsub production) Sumsub contract 3-5
3 Remove plaintext card storage (use Stripe Issuing or tokenization) Stripe contract 3-4
4 Audit logging implementation None 3-4
5 Session revocation (activate existing sessions table) None 3-4
6 Remove top-up endpoint / integrate real payment processor Payment partner 4-6
7 PEP/sanctions screening integration Screening provider contract 4-6
8 Gate seed data behind NODE_ENV None 3 (quick fix)

Phase 2: Compliance Infrastructure (Weeks 6-12)

Build compliance operational capability.

# Task Dependency Weeks
1 Transaction monitoring engine (rules + alerts) Phase 1 audit logging 6-9
2 STR filing workflow AML procedures doc 7-10
3 Valutaregister reporting (SSB monthly extract) SSB registration 7-10
4 DSAR endpoint (data export + erasure) GDPR procedures 6-8
5 Consent management GDPR procedures 6-8
6 Distributed rate limiting (Redis) Infrastructure upgrade 6-7
7 Database migration to PostgreSQL Infrastructure plan 8-12
8 Complaint handling system Consumer protection docs 8-10

Phase 3: License Application (Weeks 8-16)

Submit license application with supporting documentation.

# Task Dependency Weeks
1 Compile license application package All Phase 0 documents 8-10
2 Secure initial capital (if full license) Financial planning 8-12
3 Submit to Finanstilsynet Complete package 10-12
4 OR: Establish agent arrangement Partner identified 8-12
5 Finansklagenemnda membership application Complaint handling ready 10-12
6 SSB registration Reporting capability ready 8-10
7 Pre-launch security pen test Phase 1-2 complete 12-16

Alternative Fast Track: Agent Model

If speed to market is critical:

  1. Weeks 1-4: Identify and negotiate with licensed payment institution
  2. Weeks 2-6: Complete Phase 0 documentation (still required by principal)
  3. Weeks 4-8: Phase 1 critical technical fixes
  4. Weeks 6-10: Agent registration by principal
  5. Week 10-12: Soft launch under agent model
  6. Weeks 12+: Continue Phase 2-3 in parallel, pursue own license

12. Risk Summary

Risk Likelihood Impact Mitigation
Operating without license CERTAIN if launched as-is Criminal liability (betalingstjenesteloven SS 11-1), Finanstilsynet enforcement Obtain license or agent status before first live transaction
AML non-compliance CERTAIN if launched as-is Criminal liability (hvitvaskingsloven SS 49), license revocation Full AML program before launch
Data breach (plaintext card data) HIGH given current architecture GDPR Art. 83 fines (up to 4% of turnover or 20M EUR), reputational damage Remove plaintext storage immediately
PSD2 SCA non-compliance CERTAIN if launched as-is Finanstilsynet enforcement, liability for unauthorized transactions Implement BankID + SCA
GDPR non-compliance HIGH if launched without DPIA Datatilsynet fines, processing ban Complete DPIA before any real data processing
Consumer complaint to Finansklagenemnda MEDIUM after launch Reputational damage, binding ruling Join Finansklagenemnda, establish complaint handling

End of Drop Gap Analysis v2

Back to top