# Project Charter: Drop — Fintech Payment App

# Project Charter: Drop — Fintech Payment App

> **Project:** Drop — Remittance + QR Payments
> **Version:** 1.1
> **Date:** 2026-02-08 (updated 2026-02-23)
> **Author:** John (AI Director)
> **Status:** Approved
> **Reviewers:** Alem Bašić (CEO)

## Document History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 0.1 | 2026-02-08 | John | Initial draft |
| 1.0 | 2026-02-13 | John | Updated after Phase 0.5 security sprint |
| 1.1 | 2026-02-23 | John | Aligned with ROADMAP.md and current pipeline state |

---

## 1. Vision & Mission

**Vision:** Drop becomes the default payment tool for all residents in Norway who need to send money abroad or pay at local businesses — capturing the remittance + QR payments market that no single app currently serves together.

**Mission:** Build a PSD2 pass-through fintech app (never holding customer money) that offers remittance at 0.5% and QR merchant payments at 1%, powered by Open Banking — cheaper and simpler than every existing alternative.

**Strategic Alignment:** Drop is ALAI Holding AS's flagship product, demonstrating AI-native product development from zero to market. It aligns with ALAI's mission to "build digital" and generates recurring revenue through transaction fees. Innovasjon Norge Oppstartstilskudd (150K NOK) provides initial runway.

---

## 2. Scope

### 2.1 In Scope — Deliverables

| # | Deliverable | Description | Acceptance Criteria Summary |
|---|-------------|-------------|-----------------------------|
| D-01 | Web App (Next.js) | Full-featured payment app with 10 screens | All pages functional, deployed to staging at drop-staging.fly.dev |
| D-02 | Remittance Flow | Send money to 30+ countries at 0.5% fee via PISP | User can initiate transfer; 6 corridors working (RS, BA, PK, TR, PL, EUR) |
| D-03 | QR Payment Flow | Pay merchants by scanning QR code at 1% fee | Merchant QR generated; customer scan + payment flow functional |
| D-04 | Open Banking Integration | AISP (read balance) + PISP (initiate payments) via BaaS partner | Real bank connection via BankID + selected BaaS provider |
| D-05 | KYC + BankID Onboarding | Identity verification, age 18+, Norwegian residency | Users verified via BankID; KYC status tracked per user |
| D-06 | Landing Page | Marketing site at getdrop.no with waitlist | Live on Vercel; waitlist collecting emails |
| D-07 | CI/CD + Monitoring | GitHub Actions pipeline + Fly.io deployment | All tests green in CI; staging auto-deploys on merge |

### 2.2 Out of Scope

- Physical card issuance (feature-flagged, requires card partner)
- Wallet / balance holding (Drop is pass-through — no float)
- Crypto payments or asset trading
- Lending or credit products
- Under-18 user support (requires separate legal review)
- White-label product for other companies (Phase 4 roadmap item)
- Real money movement in MVP demo (mock Open Banking until licence obtained)
- Content creation, translations beyond Norwegian/English

### 2.3 Assumptions

| # | Assumption | Risk if False | Owner to Validate |
|---|------------|---------------|-------------------|
| A-01 | BaaS partner (Swan or SpareBank1) confirms by Phase 2 | Phase 2 blocked indefinitely | Alem |
| A-02 | Finanstilsynet PISP/AISP registration process takes ~3 months | Launch delayed | Alem + Legal advisor |
| A-03 | Users have Norwegian BankID and +47 phone | Onboarding conversion low | Alem (user research) |
| A-04 | Open Banking APIs from BaaS provider are stable | Integration rework required | John |
| A-05 | Innovasjon Norge grant (150K NOK) is approved | Cash flow gap before revenue | Alem |

### 2.4 Constraints

| # | Constraint | Category | Impact |
|---|------------|----------|--------|
| C-01 | Drop NEVER holds customer money (PSD2 pass-through model) | Legal / Regulatory | Architecture must use AISP/PISP only |
| C-02 | Minimum user age: 18 (BankID DOB validation) | Legal | Onboarding must validate DOB |
| C-03 | NEVER use word "banking" without licence disclaimer | Legal | All copy must be reviewed |
| C-04 | Norwegian BankID required for onboarding | Technical | Locks market to Norway initially |
| C-05 | Budget: ~250K NOK total (150K Innovasjon Norge + bootstrap) | Financial | AI-first development to minimise costs |
| C-06 | PCI-DSS: NEVER store or expose full card numbers/CVV | Security | Cards feature requires tokenisation partner |

---

## 3. Stakeholder Register

| ID | Name | Organization | Role | Interest | Influence | Engagement Strategy | Contact |
|----|------|--------------|------|----------|-----------|---------------------|---------|
| S-01 | Alem Bašić | ALAI Holding AS | CEO / Sponsor | Strategic success, revenue, brand | High | Direct sessions, all major decisions | alem@alai.no |
| S-02 | John | ALAI Holding AS | AI Director / Product Owner | Technical delivery, product quality | High | Daily async, all sprint reviews | — |
| S-03 | SpareBank1 contact | SpareBank1 | Banking Partner Candidate | Partnership revenue, market expansion | High | Quarterly meetings, pitch materials | Via Alem |
| S-04 | Swan (BaaS) | Swan.io | BaaS Provider Candidate | API adoption, merchant fees | Medium | Technical integration discussions | Via John |
| S-05 | Finanstilsynet | Norwegian FSA | Regulator | PSD2 compliance, consumer protection | High | Formal registration process | Via legal advisor |
| S-06 | Early users (waitlist) | — | End Users | Cheap remittance, easy QR payments | Low | Waitlist comms, beta invitations | hei@getdrop.no |
| S-07 | Local merchants | Oslo area | Merchant Users | Lower fees than Vipps, easy setup | Medium | Door-to-door onboarding | Alem |

**Key Decision Makers:**
- Final scope decisions: Alem Bašić (CEO)
- Technical architecture approval: John (AI Director)
- Budget approval: Alem Bašić
- Contract/legal: Alem Bašić + external legal advisor

---

## 4. Budget Summary

| Line Item | Amount (NOK) | % of Total | Notes |
|-----------|-------------|------------|-------|
| Development (AI-first) | 10,000 | 4% | Claude Code + tooling costs |
| Open Banking integration (PSD2) | 15,000 | 6% | BaaS setup + API costs |
| Legal + compliance setup | 50,000 | 20% | Finanstilsynet registration, legal review |
| Marketing launch | 100,000 | 40% | Social media, local merchant onboarding |
| QR stickers + merchant kits | 20,000 | 8% | Physical materials |
| Buffer / contingency | 55,000 | 22% | Unexpected costs |
| **Total Budget** | **250,000** | **100%** | |

**Payment Schedule:** Internal project — Innovasjon Norge Oppstartstilskudd (~150K NOK) + bootstrapped by ALAI.

| Milestone | Amount (NOK) | Source |
|-----------|-------------|--------|
| Phase 0.5 completion (security hardening) | 0 (AI cost only) | ALAI bootstrap |
| Phase 1 (demo app) | ~25,000 | Innovasjon Norge |
| Phase 2 (bank integration) | ~125,000 | Innovasjon Norge |
| Phase 3 (launch) | ~100,000 | Revenue + grant |

---

## 5. Timeline & Milestones

| # | Milestone | Target Date | Gate Condition | Owner |
|---|-----------|-------------|----------------|-------|
| M-01 | Phase 0 — Foundation | 2026-02-08 | Landing page live, brand done, pipeline test passed | John |
| M-02 | Phase 0.5 — MVP Hardening | 2026-02-20 | Security audit passed, 217 tests green, staging live | John |
| M-03 | Phase 1 — Demo App | 2026-03-15 | Full 10-screen app functional, investor-ready demo | John |
| M-04 | BaaS Partner Decision | 2026-03-01 | SpareBank1 answer or Swan signed | Alem |
| M-05 | Phase 2 — Banking Integration | 2026-04-30 | Real BankID, AISP, PISP working with 10 beta users | John |
| M-06 | Finanstilsynet Registration | 2026-05-15 | PISP/AISP licence submitted | Alem + Legal |
| M-07 | Phase 3 — Production Launch | 2026-06-15 | App Store + Play Store live, 200 merchants onboarded | John + Alem |
| M-08 | Post-launch Review | 2026-07-15 | 1,000 users, monitoring active, external pentest done | John |

**Gantt Diagram:**

```mermaid
gantt
    title Drop — Project Timeline
    dateFormat  YYYY-MM-DD
    section Foundation
    Phase 0 Foundation       :done, p0, 2026-02-08, 7d
    Phase 0.5 Hardening      :done, p05, after p0, 14d
    section Demo
    Phase 1 Demo App         :active, p1, 2026-02-20, 28d
    section Integration
    BaaS Partner Decision    :milestone, baas, 2026-03-01, 1d
    Phase 2 Banking          :p2, after p1, 56d
    Finanstilsynet Filing    :milestone, reg, 2026-05-15, 1d
    section Launch
    Phase 3 Production       :p3, 2026-05-15, 30d
    Go Live                  :milestone, live, 2026-06-15, 1d
```

---

## 6. Success Criteria & KPIs

| # | Success Criterion | KPI / Metric | Target | Measurement Method | Evaluation Point |
|---|-------------------|-------------|--------|--------------------|------------------|
| SC-01 | Revenue generation | Monthly Recurring Revenue | 130,000 NOK/month | Transaction logs | Month 12 post-launch |
| SC-02 | User acquisition | Registered users | 3,000 | App analytics | Month 12 post-launch |
| SC-03 | Merchant adoption | Onboarded merchants | 200 | Merchant dashboard | Month 12 post-launch |
| SC-04 | System performance | API response time p95 | < 500ms | Monitoring | Launch + 30 days |
| SC-05 | Security posture | Security score | ≥ 80/100 | Security audit | Pre-launch |
| SC-06 | Transaction reliability | Payment success rate | ≥ 99% | Transaction logs | Ongoing post-launch |
| SC-07 | Fee competitiveness | Remittance fee vs Wise | 0.5% vs 0.7-1.5% | Competitor monitoring | Ongoing |

---

## 7. Dependencies

| # | Dependency | Type | Impact if Delayed | Owner | Target Date | Status |
|---|-----------|------|-------------------|-------|-------------|--------|
| DEP-01 | BaaS provider (Swan or SpareBank1) | External | Phase 2+ blocked | Alem | 2026-03-01 | SpareBank1 pitched; awaiting |
| DEP-02 | Finanstilsynet PISP/AISP registration | External / Regulatory | Real payments blocked | Alem + Legal | 2026-05-15 | Not started |
| DEP-03 | BankID integration via BaaS | External | SCA/onboarding blocked | John | After BaaS selected | Pending BaaS |
| DEP-04 | KYC provider (Sumsub or partner KYC) | External | AML compliance blocked | John | After BaaS selected | Mock in place |
| DEP-05 | Phase 0.5 security hardening | Internal | Phase 1 blocked | John | 2026-02-20 | In progress |

---

## 8. Governance Model

### 8.1 Decision-Making Authority

| Decision Category | Authority | Must Consult | Must Inform |
|-------------------|-----------|--------------|-------------|
| Scope changes | Alem (CEO) | John | All stakeholders |
| Architecture decisions | John (AI Director) | Tech Lead agents | Alem |
| Budget changes > 10% | Alem | John | — |
| Release go/no-go | John | QA agents | Alem |
| Partner/legal decisions | Alem | John + Legal advisor | — |
| Team / agent changes | John | — | Alem |

### 8.2 Change Control Process Summary

1. **Request:** Any stakeholder raises change request via `change-request.md` template
2. **Impact Analysis:** John assesses scope, timeline, budget within 3 business days
3. **Decision:** Alem approves/rejects within 2 business days
4. **Budget changes > 10%:** Require Alem explicit approval via session
5. **Implementation:** Approved changes logged in `comms/decisions/`, scheduled in roadmap
6. **Communication:** All stakeholders notified within 24 hours

### 8.3 Escalation Hierarchy

```
L1: Agent → John (response: 4 hours)
L2: John → Alem (response: 24 hours — strategic/financial only)
L3: Alem → External advisor (legal/regulatory only)
```

---

## 9. Team & Roles

| Role | Agent / Person | Responsibilities | Availability |
|------|---------------|-----------------|--------------|
| Project Sponsor / CEO | Alem Bašić | Strategic direction, partnerships, budget approvals, regulatory | Part-time (decisions + partnerships) |
| AI Director | John (Claude Opus) | Delivery accountability, architecture, agent coordination | Full-time |
| Developer / Builder | Builder (Claude Sonnet) | Feature implementation, API routes, frontend pages | Per-task |
| QA / Validator | Validator (Claude Sonnet) | Testing, validation, code review | Per-task |
| Security | Security agent (Claude) | Threat modelling, audit, compliance | Per-sprint |
| Legal | Legal agent (Claude) | Regulatory review, document drafting | As needed |
| Finance | Finance agent (Claude) | Budget analysis, projections | As needed |

---

## 10. Risk Summary

| # | Risk | Probability | Impact | Mitigation |
|---|------|------------|--------|------------|
| R-01 | Banking partner / BaaS not secured in time | High | High | Multi-provider approach; Swan as backup to SpareBank1 |
| R-02 | Finanstilsynet registration delayed | Medium | High | Start process early; operate under bank partner licence initially |
| R-03 | Security breach before production hardening | Low | Critical | Security audit completed; 8 critical fixes tracked; no real money in MVP |
| R-04 | Vipps launches remittance product | Medium | High | Already ahead in market; community trust and lower fees are moat |
| R-05 | Slow merchant adoption | Medium | Medium | Door-to-door in local communities; 0% fee for first 3 months |

> Full risk register: `[risk-register.md](risk-register.md)`

---

## Approval

| Role | Name | Date | Signature |
|------|------|------|-----------|
| Author | John (AI Director) | 2026-02-08 | Approved (AI) |
| Reviewer | John (AI Director) | 2026-02-23 | Reviewed (AI) |
| AI Director (John) | John | 2026-02-08 | Approved |
| Project Sponsor | Alem Bašić | 2026-02-08 | Approved |
| CEO | Alem Bašić | 2026-02-08 | Approved |