Compliance Gap (Feb 2026)
Drop Compliance Gap Analysis — Overnight Sprint
2026-02-16
TL;DR
Readiness: 8/100 (per gap-analysis-v2.md, 2026-02-12)
We have more than we think:
- 14 substantive legal draft documents (6,238 lines total)
- 36 API endpoints, security hardened (0 CRITICAL, 0 HIGH)
- Session management, rate limiting, CSRF, security headers all done
- CI/CD pipeline, test suite (40 tests), deployed on Vercel + Fly.io
The gap is NOT documentation — it's code infrastructure for compliance. The legal docs exist but the app has zero compliance plumbing.
GAP MATRIX: HAVE vs NEED
BACKEND
| # | Component | HAVE | NEED | Gap | AI Tonight? |
|---|---|---|---|---|---|
| B1 | Audit logging | Nothing | Immutable audit_log table + middleware on all sensitive ops | FULL | YES |
| B2 | DB schema: compliance columns | users.kyc_status only | users.dob, national_id_hash, risk_level, pep_status, sanctions_cleared, kyc_method, kyc_verified_at | FULL | YES |
| B3 | DB schema: compliance tables | None | audit_log, aml_alerts, str_reports, screening_results, consents, data_access_requests | FULL | YES |
| B4 | Transaction monitoring | Nothing | Rule engine: structuring, velocity, corridor risk, volume spike, PEP | FULL | YES |
| B5 | GDPR: Data export (DSAR) | Nothing | GET /api/user/data-export — full user data JSON | FULL | YES |
| B6 | GDPR: Account deletion | Nothing | DELETE /api/user/account — soft-delete with AML retention | FULL | YES |
| B7 | Consent management API | Nothing | POST /api/consents, GET /api/consents — track GDPR consents | FULL | YES |
| B8 | Pre-auth disclosure | Fee shown AFTER submission | GET /api/transactions/disclosure — fees, rate, ETA BEFORE auth | FULL | YES |
| B9 | Transaction receipt | API returns tx data | GET /api/transactions/[id]/receipt — PSD2 formatted receipt | FULL | YES |
| B10 | Purpose codes | No field | transactions.purpose_code column + API support | FULL | YES |
| B11 | QR KYC gate | Missing (QA H-11) | KYC check in QR payment route | FULL | YES |
| B12 | Password complexity | Length-only (>=8) | Uppercase + lowercase + digit + min 8 | PARTIAL | YES |
| B13 | Cookie consent API | Nothing | POST /api/consents/cookies — track cookie preferences | FULL | YES |
| B14 | Complaint handling API | Nothing | POST /api/complaints, GET /api/complaints — track complaints | FULL | YES |
FRONTEND
| # | Component | HAVE | NEED | Gap | AI Tonight? |
|---|---|---|---|---|---|
| F1 | Cookie consent banner | Nothing | GDPR cookie consent with preferences (necessary/analytics/marketing) | FULL | YES |
| F2 | Pre-payment disclosure | Goes straight to submit | Screen showing: amount, fees, exchange rate, ETA, total BEFORE confirm | FULL | YES |
| F3 | Transaction receipt view | Basic tx detail | PSD2-compliant receipt: amount, fees, rate, ref, date, payee | FULL | YES |
| F4 | Data export request | Nothing | Settings → "Download my data" button → triggers DSAR | FULL | YES |
| F5 | Account deletion | Nothing | Settings → "Delete account" with confirmation, AML warning | FULL | YES |
| F6 | Complaint form | Nothing | Help → "File complaint" form (Finansavtaleloven §3-53) | FULL | YES |
| F7 | Fee schedule page | Nothing | Public page: all fees, rates, corridors (Betalingstjenesteloven §3-23) | FULL | YES |
| F8 | Consent in registration | No consent checkbox | Checkbox: "I accept terms" + "I accept privacy policy" with links | FULL | YES |
| F9 | Privacy policy page | Only landing vilkar.html | In-app /privacy page with full personvernerklaering content | FULL | YES |
| F10 | Terms page | Only landing vilkar.html | In-app /terms page with full brukervilkar content | FULL | YES |
| F11 | Withdrawal form | Nothing | In-app /withdrawal page (Angrerettloven §11) | FULL | YES |
MOBILE / PWA
Same as frontend — Drop is a PWA, no native app yet.
CANNOT DO TONIGHT (Requires External)
| # | Component | Why Not |
|---|---|---|
| X1 | BankID integration | Needs test agreement + banking partner |
| X2 | Real KYC (Sumsub) | Needs Sumsub production contract |
| X3 | Open Banking AISP/PISP | Needs banking partner (SpareBank1/Swan) |
| X4 | PostgreSQL migration | Infrastructure decision needed |
| X5 | Penetration test | External firm required |
| X6 | Finansklagenemnda membership | Registration process |
| X7 | SSB/Valutaregister registration | Government registration |
| X8 | License application | Needs legal advisor + Alem |
| X9 | Compliance officer appointment | Human decision |
| X10 | PEP/Sanctions screening | Needs provider (ComplyAdvantage/Refinitiv) |
OVERNIGHT SPRINT PLAN
Phase A — Database Schema (foundation, do first)
Files: src/lib/db.ts
Tasks: B2, B3, B10
Add to users table:
- risk_level TEXT DEFAULT 'low' (low/medium/high)
- pep_status TEXT DEFAULT 'not_checked'
- sanctions_cleared INTEGER DEFAULT 0
- kyc_method TEXT (bankid/document/simplified)
- kyc_verified_at TEXT
- national_id_hash TEXT
- deleted_at TEXT (soft delete for GDPR)
Add to transactions table:
- purpose_code TEXT (ISO 20022 purpose codes)
New tables:
- audit_log (id, timestamp, user_id, action, resource_type, resource_id, details, ip_address, user_agent)
- aml_alerts (id, user_id, alert_type, severity, transaction_id, details, status, reviewed_by, reviewed_at, created_at)
- str_reports (id, user_id, alert_id, report_type, status, filed_at, reference_number, details)
- screening_results (id, user_id, screening_type, provider, result, match_details, screened_at)
- consents (id, user_id, consent_type, granted, granted_at, withdrawn_at, ip_address)
- data_access_requests (id, user_id, request_type, status, requested_at, completed_at, download_url)
Phase B — Backend APIs (compliance endpoints)
Tasks: B1, B4, B5, B6, B7, B8, B9, B11, B12, B13, B14
- Audit logging middleware — wraps all API routes, logs to audit_log table
- Transaction monitoring — post-transaction hook: checks rules, creates aml_alerts
- GDPR endpoints — /api/user/data-export, /api/user/account (DELETE)
- Consent API — /api/consents (GET, POST)
- Pre-auth disclosure — /api/transactions/disclosure (GET)
- Receipt endpoint — /api/transactions/[id]/receipt (GET)
- Complaint API — /api/complaints (GET, POST)
- QR KYC gate — add kyc_status check to qr-payment route
- Password complexity — upgrade validation in register route
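As an added illustration of the B4 post-transaction hook (example code, not Drop's own), the following TypeScript evaluates one new transaction against the user's history for three of the listed rule types and returns the aml_alerts rows it would insert; the thresholds, window sizes, corridor list and Tx/AmlAlert shapes are assumptions.

```typescript
// Added example, not Drop's code: a post-transaction monitoring hook covering
// three of the B4 rule types (structuring, velocity, corridor risk). Thresholds,
// windows, the corridor list and the Tx/AmlAlert shapes are all assumptions;
// the volume-spike and PEP rules are left out.
interface Tx { id: string; userId: string; amountNok: number; createdAt: number; corridor: string }
interface AmlAlert {
  userId: string; transactionId: string;
  alertType: "structuring" | "velocity" | "corridor_risk";
  severity: "low" | "medium" | "high";
  details: string;
}
const HOUR_MS = 3600000;
const REPORT_THRESHOLD_NOK = 100000;             // placeholder, not the statutory figure
const STRUCTURING_WINDOW_MS = 24 * HOUR_MS;      // sum a user's transfers over 24h
const VELOCITY_MAX_PER_HOUR = 5;
const HIGH_RISK_CORRIDORS = new Set(["NO->XX"]); // placeholder corridor code

// Earlier transfers by the same user inside the window that ends at tx.createdAt.
function priorInWindow(history: Tx[], tx: Tx, windowMs: number): Tx[] {
  return history.filter(h => h.userId === tx.userId && h.id !== tx.id &&
    h.createdAt <= tx.createdAt && tx.createdAt - h.createdAt < windowMs);
}

// Evaluate one new transaction against the user's history and return the
// aml_alerts rows the hook would insert (empty array means nothing to flag).
function evaluateTransaction(tx: Tx, history: Tx[]): AmlAlert[] {
  const alerts: AmlAlert[] = [];
  const base = { userId: tx.userId, transactionId: tx.id };
  // Structuring: each transfer is under the threshold on its own, but the 24h
  // total including this one crosses it. A single large transfer is not structuring.
  const day = priorInWindow(history, tx, STRUCTURING_WINDOW_MS);
  const dayTotal = day.reduce((sum, h) => sum + h.amountNok, 0) + tx.amountNok;
  const allBelow = [...day, tx].every(h => h.amountNok < REPORT_THRESHOLD_NOK);
  if (day.length > 0 && allBelow && dayTotal >= REPORT_THRESHOLD_NOK) {
    alerts.push({ ...base, alertType: "structuring", severity: "high",
      details: `${day.length + 1} sub-threshold transfers totalling ${dayTotal} NOK in 24h` });
  }
  // Velocity: more than VELOCITY_MAX_PER_HOUR transfers inside one hour.
  const hourCount = priorInWindow(history, tx, HOUR_MS).length + 1;
  if (hourCount > VELOCITY_MAX_PER_HOUR) {
    alerts.push({ ...base, alertType: "velocity", severity: "medium",
      details: `${hourCount} transfers in 1h (limit ${VELOCITY_MAX_PER_HOUR})` });
  }
  // Corridor risk: destination corridor is on the high-risk list.
  if (HIGH_RISK_CORRIDORS.has(tx.corridor)) {
    alerts.push({ ...base, alertType: "corridor_risk", severity: "medium",
      details: `high-risk corridor ${tx.corridor}` });
  }
  return alerts;
}
```

Each returned alert maps onto the aml_alerts columns from Phase A (user_id, alert_type, severity, transaction_id, details), with status, reviewed_by, reviewed_at and created_at filled in at insert time.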
Phase C — Frontend UI (compliance screens)
Tasks: F1-F11
TASK SPLIT FOR AGENTS
| Task | Scope | Agent Type | Est. Files |
|---|---|---|---|
| T1: Schema upgrade | Phase A (all DB changes) | Builder | 1 (db.ts) |
| T2: Audit logging | B1 (middleware + table) | Builder | 2-3 |
| T3: Transaction monitoring | B4 (rule engine) | Builder | 2-3 |
| T4: GDPR endpoints | B5, B6, B7, B13 | Builder | 4-5 |
| T5: Payment compliance APIs | B8, B9, B11, B14 | Builder | 4-5 |
| T6: Auth hardening | B12 (password rules) | Builder | 1-2 |
| T7: Frontend legal pages | F7, F9, F10, F11 | Builder | 4-5 |
| T8: Frontend compliance UI | F1, F2, F3, F4, F5, F6, F8 | Builder | 6-8 |
Dependency: T1 must complete first (schema), then T2-T8 can run in parallel.
AFTER TONIGHT
With these tasks done, compliance readiness jumps from 8/100 to ~35-40/100.
Remaining blockers (external):
- BankID + SCA (CRITICAL — needs banking partner)
- Real KYC (CRITICAL — needs Sumsub)
- Open Banking (CRITICAL — needs partner)
- License application (CRITICAL — needs legal advisor)
But we'll have the infrastructure ready — when the partner comes, we plug in real providers and the compliance plumbing is already there.