Market Research

Mobile Banking Research
Banking Providers
MVP Specification
Cost Analysis
Technology Stack
BankID & Vipps Research
Cloud Cost Analysis

Mobile Banking Research

Mobile Payment/Banking Application - Full Research Findings

Regulatory Requirements
Technical Architecture
Security & Compliance
Market Analysis
Key Success Factors

1. Regulatory Requirements

1.1 EU Payment Services Directive (PSD2/PSD3)

Current State (PSD2)

PSD2 has been the governing framework since 2018, establishing:

Strong Customer Authentication (SCA) requirements
Open Banking mandates for API access
Liability frameworks for unauthorized transactions
Consumer protection standards

PSD3 Transition (2025-2028)

Timeline:

Political agreement reached: November 2025
Formal adoption expected: Early-Mid 2026
Transition period: 18-24 months after adoption
Full compliance deadline: 2027-2028

Key Changes in PSD3:

Payment Services Regulation (PSR): Directly applicable across EU (no local transposition needed)
Enhanced SCA: Stronger identity verification, tighter exemption management
Fraud Prevention: Banks liable for certain impersonation scams, mandatory "Confirmation of Payee"
Expanded Scope: Covers instant payments, BNPL, cryptocurrencies, digital identity
API Standards: Improved technical and performance standards for Open Banking

Compliance Actions for 2026:

Implement Confirmation of Payee systems
Upgrade SCA mechanisms for eIDAS 2.0 alignment
Establish real-time fraud monitoring
Prepare for API hardening requirements
Build recovery assurance capabilities

1.2 Licensing Requirements

Electronic Money Institution (EMI) License

Capital Requirements:

Full EMI: EUR 350,000 minimum capital (must be unencumbered)
Small EMI: Available if < EUR 5M in outstanding e-money
- Lower requirements
- Application fee: EUR 1,000
- Limited to home country (no passporting)

Application Costs by Jurisdiction:

Country	Application Fee	Timeline	Total Setup Cost
Lithuania	EUR 1,463	6-9 months	EUR 30K-50K
Malta	EUR 2,000-5,000	~6 months	EUR 40K-60K
Ireland	GBP 5,000	12-18 months	EUR 200K-300K+
UK	GBP 5,000	6-12 months	EUR 100K-200K

Lithuania Advantages:

Fastest processing in EU (6-9 months)
Strong fintech ecosystem (Revolut HQ)
Government investment in fintech infrastructure
Lower operational costs
Full EU passporting rights

Ireland Advantages:

Higher institutional credibility
Better for UK/US partnerships
Stronger for institutional clients
More stringent = higher trust

Payment Institution (PI) License

Alternative to EMI if not issuing e-money:

Lower capital requirement (EUR 20K-125K depending on services)
Faster approval process
Limited to payment services only

1.3 KYC/AML Requirements

EU AML Package 2025

New Framework:

Anti-Money Laundering Authority (AMLA) operational late 2025
EU Single Rulebook for harmonized requirements
Direct supervision of selected entities from 2028

Core KYC Requirements:

Customer Due Diligence (CDD)
- Identity verification (ID document + biometric)
- Address verification
- Source of funds verification
- Beneficial ownership identification (UBO)
Enhanced Due Diligence (EDD)
- Required for high-risk customers/transactions
- PEP (Politically Exposed Persons) screening
- Ongoing monitoring requirements
eKYC Standards (2025)
- Mandatory electronic identification
- eIDAS 2.0 compliance for digital identity
- Remote verification capabilities required

Cash Transaction Limits:

EU-wide cap: EUR 10,000 for cash payments
Applies to all businesses dealing in high-value goods

1.4 Data Protection (GDPR)

Key Requirements for Financial Apps:

Data Minimization
- Collect only necessary data
- Clear purpose limitation
- Defined retention periods
Privacy by Default
- Location tracking disabled by default
- Marketing communications opt-in only
- Minimal data sharing defaults
Consent Management
- Explicit, active consent required
- No pre-ticked boxes
- Easy withdrawal mechanism
- Granular consent options
Data Subject Rights
- Right to access (30-day response)
- Right to portability
- Right to erasure
- Right to rectification
Security Requirements
- End-to-end encryption (TLS 1.3+)
- AES-256 for data at rest
- Data breach notification within 72 hours
DPIA Requirements
- Required for AI-powered decisions
- Biometric authentication systems
- Large-scale customer analytics

Penalties:

Up to EUR 20 million or 4% of global annual turnover

2. Technical Architecture

2.1 System Architecture Overview

Modern mobile banking requires a layered, microservices-based architecture:

┌─────────────────────────────────────────────────────────────┐
│                    PRESENTATION LAYER                        │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
│  │  iOS App    │  │ Android App │  │    Web Dashboard    │  │
│  │  (Swift)    │  │  (Kotlin)   │  │     (React)         │  │
│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
│         OR Cross-Platform: Flutter / React Native            │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                      API GATEWAY                             │
│  (Authentication, Rate Limiting, Load Balancing)             │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                   MICROSERVICES LAYER                        │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐   │
│  │   Auth   │ │ Accounts │ │ Payments │ │    Cards     │   │
│  │ Service  │ │ Service  │ │ Service  │ │   Service    │   │
│  └──────────┘ └──────────┘ └──────────┘ └──────────────┘   │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐   │
│  │   KYC    │ │   AML    │ │  Ledger  │ │ Notification │   │
│  │ Service  │ │ Service  │ │ Service  │ │   Service    │   │
│  └──────────┘ └──────────┘ └──────────┘ └──────────────┘   │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                    DATA LAYER                                │
│  ┌──────────────┐  ┌───────────┐  ┌─────────────────────┐   │
│  │  PostgreSQL  │  │   Redis   │  │   Event Stream      │   │
│  │  (Primary)   │  │  (Cache)  │  │   (Kafka/RabbitMQ)  │   │
│  └──────────────┘  └───────────┘  └─────────────────────┘   │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                 EXTERNAL INTEGRATIONS                        │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐   │
│  │  BaaS    │ │   Card   │ │   KYC    │ │   Payment    │   │
│  │ Provider │ │ Issuer   │ │ Provider │ │   Rails      │   │
│  └──────────┘ └──────────┘ └──────────┘ └──────────────┘   │
└─────────────────────────────────────────────────────────────┘

2.2 Payment Processing Flow

1. User Initiates Payment
         │
         ▼
2. Mobile App → API Gateway
         │
         ▼
3. Authentication Service (verify session, 2FA if required)
         │
         ▼
4. Payment Service
   ├── Validate request
   ├── Check balance/limits
   ├── AML screening (real-time)
   └── Create payment intent
         │
         ▼
5. Ledger Service
   ├── Reserve funds (pending state)
   └── Create audit trail
         │
         ▼
6. External Payment Rail (SEPA, SWIFT, card network)
         │
         ▼
7. Confirmation
   ├── Ledger finalization
   ├── User notification
   └── Transaction record

2.3 Mobile Wallet Architecture

Core Components:

Wallet Container
- Multi-currency support
- Real-time balance tracking
- Transaction history
- Spending analytics
Card Management
- Virtual card generation
- Physical card ordering
- Card controls (freeze, limits)
- Push provisioning (Apple/Google Pay)
Payment Methods
- NFC tap-to-pay
- QR code payments
- P2P transfers
- Scheduled payments
- Bill payments
Security Layer
- Biometric authentication
- Device binding
- Transaction signing
- Tokenization

2.4 Core Banking Integration Options

Option 1: Full BaaS

Use provider's complete stack
Fastest time to market
Limited customization
Higher per-transaction costs

Option 2: Modular Integration

Core banking from BaaS
Own card program
Custom payment rails
Balanced approach

Option 3: Custom Build

Own core banking system
Maximum flexibility
Highest development cost
Longest timeline

2.5 API-First Design Principles

RESTful APIs for standard operations
WebSocket for real-time updates
GraphQL for complex data queries (optional)
Idempotency for payment operations
Versioning for backward compatibility
Rate limiting for security and stability

3. Security & Compliance

3.1 PCI DSS Compliance

Compliance Levels:

Level 1: >6M transactions/year (QSA audit required)
Level 2: 1-6M transactions/year
Level 3: 20K-1M transactions/year
Level 4: <20K transactions/year (self-assessment)

Key Requirements (v4.0.1):

Requirement	Description
Req 3	Protect stored cardholder data
Req 4	Encrypt transmission of cardholder data
Req 6	Develop and maintain secure systems
Req 8	Identify users and authenticate access
Req 10	Log and monitor all access
Req 11	Regularly test security systems
Req 12	Maintain information security policy

Mobile-Specific Requirements:

Runtime Application Self-Protection (RASP)
Code obfuscation
White-box cryptography
Secure key management
Certificate pinning

Non-Compliance Penalties:

EUR 5,000 - 100,000 per month
Increased transaction fees
Loss of payment processing capability

3.2 Strong Customer Authentication (SCA)

Two of Three Factors Required:

Knowledge: PIN, password
Possession: Phone, token, card
Inherence: Biometrics (fingerprint, face)

SCA Exemptions:

Low-value transactions (<EUR 30)
Recurring payments (same amount, same merchant)
Trusted beneficiaries
Low-risk transactions (based on fraud analysis)

3.3 Security Architecture

┌─────────────────────────────────────────────────────┐
│              SECURITY LAYERS                         │
├─────────────────────────────────────────────────────┤
│ Application Security                                 │
│ ├── Input validation                                │
│ ├── Output encoding                                 │
│ ├── Session management                              │
│ └── OWASP MASVS compliance                          │
├─────────────────────────────────────────────────────┤
│ Data Security                                        │
│ ├── AES-256 encryption (at rest)                    │
│ ├── TLS 1.3 (in transit)                            │
│ ├── Tokenization (sensitive data)                   │
│ └── Key management (HSM)                            │
├─────────────────────────────────────────────────────┤
│ Infrastructure Security                              │
│ ├── WAF (Web Application Firewall)                  │
│ ├── DDoS protection                                 │
│ ├── Network segmentation                            │
│ └── Intrusion detection                             │
├─────────────────────────────────────────────────────┤
│ Operational Security                                 │
│ ├── 24/7 monitoring                                 │
│ ├── Incident response                               │
│ ├── Penetration testing                             │
│ └── Vulnerability management                        │
└─────────────────────────────────────────────────────┘

3.4 Fraud Prevention

Real-Time Monitoring:

Transaction velocity checks
Geographic anomaly detection
Device fingerprinting
Behavioral biometrics
ML-based risk scoring

Required Capabilities (PSD3):

Confirmation of Payee (name matching)
Real-time fraud data sharing between PSPs
Impersonation scam detection
Social engineering prevention

4. Market Analysis

4.1 European Digital Banking Market

Market Size:

Digital banking users: 500M+ in Europe
Mobile banking penetration: 70%+ in Western Europe
Neobank market share growing at 25%+ annually

Key Players:

Revolut (35M+ users)
N26 (8M+ users)
Monzo (9M+ users, UK)
Bunq (12M+ users)

4.2 Competitive Landscape

Neobank Industry Statistics (2025):

76% of neobanks remain unprofitable
Only 18% projected to break even by 2025
Customer acquisition costs remain high
Revenue diversification is key to profitability

Success Factors:

Differentiated value proposition
Superior user experience
Cost-efficient operations
Multiple revenue streams
Strong unit economics

4.3 Revenue Models

Primary Revenue Streams:

Interchange fees: 0.2-0.3% of card transactions
FX markup: 0.5-2% on currency conversion
Subscription tiers: EUR 5-15/month premium plans
Interest income: On deposits (if banking license)
Lending: Personal loans, BNPL, overdrafts

Emerging Revenue:

Insurance products
Investment/trading fees
Business accounts (higher margins)
Crypto services

5. Key Success Factors

5.1 Time to Market

Critical Milestones:

Month 1-3: Legal structure, licensing strategy
Month 3-6: BaaS integration, MVP development
Month 6-9: Beta testing, compliance audit
Month 9-12: Public launch, scaling

Accelerators:

Use BaaS provider (vs. own license initially)
Cross-platform mobile development
Pre-built KYC/AML integrations
Cloud-native infrastructure

5.2 User Acquisition

Strategies:

Referral programs: Proven effective for neobanks
Niche targeting: Specific customer segments
Feature differentiation: Unique value proposition
Partnership distribution: Through platforms/employers

Metrics to Track:

Customer Acquisition Cost (CAC)
Lifetime Value (LTV)
LTV:CAC ratio (target >3:1)
Activation rate (target >25%)
Monthly active users (MAU)

5.3 Operational Excellence

Key Capabilities:

Customer support: 24/7, multi-channel
Fraud management: Real-time, ML-powered
Compliance: Continuous monitoring
Engineering: Rapid iteration, reliability

Cost Optimization:

AI chatbots (reduce support costs 60%)
Automated KYC (reduce onboarding costs)
Cloud-native (elastic scaling)
Outsourced development (40-60% savings)

Sources and References

Regulatory

Technical

Market

Banking Providers

Third-Party Providers Comparison

Architecture alignment note (2026-02-14): This document is pre-architecture research from the mobilebank-research phase. Drop ultimately chose a PSD2 pass-through model — no wallet, no balance held by Drop, no IBAN generation. BaaS providers listed here would serve as Open Banking (AISP/PISP) integration partners, not wallet infrastructure. Card issuing is a FUTURE feature (feature-flagged). This document is retained as provider research reference.

Banking-as-a-Service (BaaS) Providers
Card Issuing Platforms
Payment Processors
KYC/Identity Verification Providers
Virtual IBAN Providers
Recommendation Matrix

1. Banking-as-a-Service (BaaS) Providers

Overview

BaaS providers enable fintech companies to offer banking services without obtaining their own banking license. They provide the regulatory infrastructure, APIs, and banking capabilities.

Provider Comparison

Solarisbank (Solaris SE)

Attribute	Details
Headquarters	Berlin, Germany
License	Full German banking license + Digital Assets Custody
Coverage	EU-wide (passporting)
Key Features	Accounts, cards, lending, digital assets, compliance
Target Market	Fintechs, enterprises, large card programs
Notable Clients	Samsung, ADAC
Strengths	Full-stack, modular APIs, banking license
Weaknesses	Requires BaFin approval for new partners, financial challenges
Best For	Enterprises needing complete banking capabilities

Services:

Current accounts with IBAN
Card issuing (virtual + physical)
Lending products
Digital asset custody
Full compliance stack

Swan

Attribute	Details
Headquarters	Paris, France
License	EMI (French)
Coverage	Eurozone (expanding)
Key Features	IBANs, cards, embedded finance
Target Market	Startups, SMEs, SaaS platforms
Strengths	5-minute integration, built-in KYC, fast time-to-market
Weaknesses	Limited geographic coverage, cards/accounts focus
Best For	Fast MVP launch, European startups

Key Differentiators:

Claims 10X shorter implementation time
KYC/fraud detection built into product (no extra cost)
Developer-friendly APIs
Good for expense management, HR tech, proptech

Treezor (Societe Generale)

Attribute	Details
Headquarters	Paris, France
License	EMI (European) + MasterCard Prepaid approved
Coverage	EU (branches in Italy, Spain, Germany)
Key Features	E-wallets, cards, marketplaces, crowdfunding
Target Market	Neobanks, mobility, employee benefits
Strengths	Backed by Societe Generale, SEPA network, 50M+ transactions/year
Weaknesses	Best suited for eurozone transactions
Best For	Euro-focused operations, established platforms

Services:

White-label prepaid cards
E-wallets
Marketplace payments
Crowdfunding solutions

Railsr (formerly Railsbank)

Attribute	Details
Headquarters	UK
License	EMI
Coverage	Europe, Asia
Key Features	BaaS, Cards-as-a-Service, payments, compliance
Target Market	Fintechs, brands embedding finance
Strengths	Flexible APIs, cards + payments combined
Weaknesses	Financial challenges (acquired/recapitalized 2023)
Best For	Card programs, embedded finance for brands

Other Notable Providers

Provider	HQ	Specialty	Notes
Modulr	UK	Payments infrastructure	EMI license, fast payments
Paynetics	Bulgaria	E-money, cards	EU + UK licenses
Vodeno/Aion	Poland/Belgium	Full banking	Acquired by UniCredit
OpenPayd	UK	Multi-currency accounts	Virtual IBANs specialist

BaaS Selection Criteria

Regulatory Coverage: Does license cover target markets?
API Quality: Developer documentation, SDKs, sandbox
Time to Market: Integration complexity, onboarding time
Pricing Model: Setup fees, per-transaction, revenue share
Financial Stability: Provider's funding, profitability
Scalability: Can grow with your business
Support: Technical support, account management

2. Card Issuing Platforms

Provider Comparison

Marqeta

Attribute	Details
Headquarters	US (global coverage)
Coverage	40+ countries
Key Features	Virtual/physical cards, JIT funding, customization
PCI Compliance	Level 1, tokenization
Pricing	~$0.50/virtual card, 0.5-1% transaction fee
Setup Cost	$5,000-$50,000
Best For	Custom card programs, expense management

Strengths:

Open API architecture
Just-in-Time (JIT) funding
Real-time transaction control
Extensive customization options

Stripe Issuing

Attribute	Details
Headquarters	US (Ireland for EU)
Coverage	US, EU expanding
Key Features	Virtual/physical cards, webhooks, Stripe ecosystem
Integration	Seamless with Stripe payments
Best For	Existing Stripe users, developer-centric teams

Strengths:

Real-time authorization hooks
PCI compliance handled by Stripe
Apple Pay / Google Pay integration
Excellent developer experience

Adyen Issuing

Attribute	Details
Headquarters	Netherlands
Coverage	Global
Key Features	Issuing + acquiring + processing combined
Integration	Single API for all payment needs
Best For	Enterprise with complex payment needs

Strengths:

Unified platform (issuing + acquiring)
3D Secure built-in
Real-time reporting
Global compliance (GDPR, PSD2)

Other Card Issuers

Provider	Specialty	Coverage
Paymentology	Cloud-based issuing	Global
Thredd (GPS)	Prepaid programs	EU, UK
Wallester	European cards	EU
Galileo	Processing platform	US, expanding

3. Payment Processors

Adyen

Attribute	Details
Pricing Model	Interchange++ (most transparent)
Processing Fee	EUR 0.10-0.15 per transaction
Interchange	Pass-through (EU capped: 0.2% debit, 0.3% credit)
Payment Methods	Cards, local methods, wallets
Best For	Large volume, international operations

Strengths:

Direct connections to card networks
Local payment methods (SEPA, iDEAL, etc.)
Single platform for global payments
50% EBITDA margin (financially stable)

Stripe

Attribute	Details
Pricing	1.4% + EUR 0.25 (EU cards), 2.9% + EUR 0.25 (non-EU)
Features	Payments, subscriptions, connect, treasury
Best For	Startups, developer-first companies

Strengths:

Excellent documentation
Rapid integration
Broad feature set (payments, issuing, treasury)
Strong developer community

Stripe Treasury (Embedded Finance)

Feature	Capability
Financial Accounts	Stored-value accounts for customers
Bank Integration	Fifth Third Bank partnership
FDIC Insurance	Pass-through eligible
ACH/Wire	Supported
Use Case	Embedded banking for platforms

Notable Implementation: Shopify Balance built on Stripe Treasury

Other Payment Processors

Provider	Specialty	Pricing Model
Checkout.com	Enterprise payments	Interchange++
Mollie	European SMB	Fixed % per method
Worldpay	Global acquiring	Custom
PayPal/Braintree	Consumer payments	Fixed %

4. KYC/Identity Verification Providers

Provider Comparison

Onfido

Attribute	Details
Services	ID scanning, facial recognition, risk scoring
Coverage	Global (195+ countries)
Integration	SDK (iOS, Android, Web) + API
Compliance	GDPR, eIDAS, SOC 2
Best For	High-volume onboarding, international

Sumsub

Attribute	Details
Services	KYC, AML screening, fraud prevention
Coverage	220+ countries
Features	Bank verification, PEP/sanctions screening
Best For	Growing fintechs, multi-region expansion

IDnow

Attribute	Details
Services	Video-based verification, eIDAS compliance
Coverage	Europe focus
Compliance	BaFin approved, full eIDAS
Best For	German market, strict compliance requirements

Entrust

Attribute	Details
Recognition	Gartner Magic Quadrant 2025
Services	AI-powered verification, digital onboarding
Best For	Enterprise, banking institutions

Comparison Matrix

Provider	Document Types	Biometrics	AML Screening	Pricing Range
Onfido	4,500+	Face match	Yes	$$$
Sumsub	3,000+	Face + liveness	Yes	$$
IDnow	EU focus	Video + face	Yes	$$$
Ondato	2,000+	Photo/video	Yes	$$
Trulioo	Global databases	Limited	Yes	$$
iDenfy	3,000+	Face + liveness	Yes	$

5. Virtual IBAN Providers

Key Providers

OpenPayd

Attribute	Details
IBAN Countries	UK, FR, MT, NL
Features	Named vIBANs, Target2 connectivity
API	Simple (2 required params)
Best For	Platforms needing named accounts

Banking Circle

Attribute	Details
Headquarters	Luxembourg
Features	Named vIBANs, multi-currency (EUR, GBP, USD, AED)
Target	High-volume PSPs, EMIs

Airwallex

Attribute	Details
Coverage	60+ markets
Features	Global accounts, FX, API automation
Best For	International operations

Other Providers

Provider	Specialty
Payset	SME-focused, multi-currency
Clear Junction	High-risk friendly
Currencycloud	FX + accounts
Sharpay	Instant issuance, SEPA/SWIFT

IBAN Provider Selection Criteria

Coverage: Which IBAN countries needed?
Naming: Named vs. pooled IBANs
Payment Rails: SEPA, SWIFT, Target2
Currency Support: EUR, GBP, USD, others
API Quality: Documentation, reliability
Compliance: AML/KYC support
Pricing: Per-account, per-transaction fees

6. Recommendation Matrix

By Company Stage

Stage	BaaS	Cards	KYC	Payments
MVP/Seed	Swan	Stripe Issuing	Sumsub	Stripe
Growth	Treezor/Railsr	Marqeta	Onfido	Adyen
Enterprise	Solarisbank	Marqeta/Adyen	IDnow	Adyen

By Use Case

Use Case	Recommended Stack
B2C Neobank	Solarisbank + Marqeta + Onfido
B2B Expense	Swan + Stripe Issuing + Sumsub
Marketplace	Treezor + Stripe + Ondato
Remittance	OpenPayd + Wise API + Trulioo
Embedded Finance	Stripe Treasury + Stripe Issuing + Sumsub

By Budget

Budget	Recommended Approach
< EUR 100K	Swan/Stripe ecosystem, Sumsub, minimal custom
EUR 100-500K	BaaS + card issuer + KYC stack
EUR 500K+	Full custom integration, enterprise providers

Sources

MVP Specification

MVP Feature Specification

Architecture alignment note (2026-02-14): This document is pre-architecture research from the mobilebank-research phase. Drop ultimately chose a PSD2 pass-through model — no wallet, no balance held, no IBAN generation, no top-up. AISP reads bank balances, PISP initiates payments from the user's own bank account. Cards are a FUTURE feature (feature-flagged). This document is retained as research reference — it does NOT reflect the current Drop architecture.

MVP Philosophy
Core Features
Feature Specifications
Timeline
Success Metrics

1. MVP Philosophy

Focus Areas

89% of user retention comes from 5 key features (Gartner 2025)
3-minute onboarding is critical (74% abandon if >5 minutes)
Avoid low-impact features (68% ignore crypto/loans in MVP)

What to Include

Account creation and KYC
IBAN generation
Card issuing (virtual)
P2P transfers
Basic top-up

What to Exclude (MVP)

Crypto trading
Loan products
Investment features
Advanced analytics

2. Core Features

Feature Priority Matrix

Feature	Priority	Complexity	Timeline
User Onboarding	P0	Medium	Week 1-4
Digital KYC	P0	High	Week 2-6
Account Creation	P0	Medium	Week 4-8
IBAN Generation	P0	Low	Week 6-8
Virtual Card	P0	High	Week 8-12
P2P Transfers	P0	Medium	Week 10-14
Top-up (Card)	P1	Medium	Week 12-16
Bank Transfer	P1	Medium	Week 14-18
Transaction History	P1	Low	Week 8-10
Push Notifications	P1	Low	Week 10-12
Physical Card	P2	High	Post-MVP

3. Feature Specifications

3.1 User Onboarding

Goal: Complete signup in <3 minutes

Flow:

Download app
Enter phone number
Verify via OTP
Enter email
Set password/PIN
Accept T&C
Start KYC

Requirements:

Phone number validation
OTP delivery (<30 sec)
Email verification
Password strength rules
Biometric setup (optional)

Acceptance Criteria:

95% OTP delivery rate
<3 min completion time
25% activation rate

3.2 Digital KYC (Know Your Customer)

Goal: Verify identity in <5 minutes

Flow:

Select ID document type
Capture front of ID
Capture back of ID (if applicable)
Take selfie (liveness check)
Enter personal details
Verification processing
Result notification

Document Types:

Passport
National ID card
Driving license (select countries)

Requirements:

Document OCR
Face matching (>98% accuracy)
Liveness detection
PEP/Sanctions screening
Address verification (optional)

Integration: Sumsub or Onfido API

Acceptance Criteria:

85% auto-approval rate
<2 min average verification
Manual review queue for failures

3.3 Account Creation

Goal: Generate EUR account with IBAN

Flow:

KYC approved
Account type selection (Personal)
IBAN generation
Account activated
Welcome notification

Account Features:

Single EUR account (MVP)
Real-time balance
Account details view
Statement generation (PDF)

Integration: BaaS provider (Swan/Treezor)

Acceptance Criteria:

Instant IBAN generation
Valid SEPA-reachable IBAN
Real-time balance updates

3.4 IBAN Generation

Technical Requirements:

Named virtual IBAN (user's name)
SEPA reachable
Target2 compatible (if available)
Instant credit notification

Provider Options:

BaaS provider native
OpenPayd (if separate)
Banking Circle

Formats:

Display: XX00 0000 0000 0000 0000 00
Copy to clipboard
Share via QR code

3.5 Virtual Card Issuing

Goal: Instant virtual Mastercard/Visa

Features:

Instant generation post-account
Add to Apple Pay / Google Pay
Card details view (PAN, CVV, expiry)
Freeze/unfreeze toggle
Spending limits
Transaction notifications

Card Controls:

Online payments: ON/OFF
ATM withdrawals: ON/OFF (N/A virtual)
Contactless: ON/OFF
Geographic restrictions

Security:

PCI DSS compliant display
3D Secure enabled
Real-time fraud monitoring

Integration: Marqeta or Stripe Issuing

Acceptance Criteria:

<10 sec card generation
Successful wallet provisioning
Real-time transaction auth

3.6 P2P Transfers

Goal: Send money to other users instantly

Transfer Types:

A) Internal (App-to-App)

By phone number
By username
By QR code
Instant settlement

B) SEPA Transfer

By IBAN
Standard SEPA (D+1)
SEPA Instant (if available)

Flow:

Select recipient method
Enter/select recipient
Enter amount
Review details
Authenticate (biometric/PIN)
Confirmation

Requirements:

Amount validation (balance check)
Transaction limits
Confirmation of Payee (name match)
Audit trail

Limits (MVP):

Type	Daily	Monthly
Internal	EUR 5,000	EUR 20,000
SEPA	EUR 2,000	EUR 10,000

3.7 Top-up Methods

A) Card Top-up

Visa/Mastercard debit/credit
3D Secure required
Instant credit
Fee: 1-2% (or included in premium)

B) Bank Transfer

SEPA inbound to IBAN
Auto-reconciliation
Credit on receipt

C) Future: Apple Pay / Google Pay top-up

Integration: Stripe or Adyen for card payments

3.8 Transaction History

Features:

Real-time updates
Filter by type/date/amount
Search functionality
Transaction details
Receipt/proof generation
Export (CSV, PDF)

Categories:

Card payments
Transfers (in/out)
Top-ups
Fees

3.9 Push Notifications

Mandatory Notifications:

Transaction alerts (all)
Login from new device
Card frozen/unfrozen
KYC status updates
Security alerts

Optional Notifications:

Marketing
Product updates
Weekly spending summary

4. Timeline

Phase 1: Foundation (Months 1-2)

Week 1-4:

Project setup, CI/CD
BaaS integration start
Auth service
User onboarding flow

Week 5-8:

KYC integration
Account creation
IBAN generation
Basic app UI

Phase 2: Core Features (Months 3-4)

Week 9-12:

Virtual card issuing
Wallet provisioning
Transaction history
Push notifications

Week 13-16:

P2P transfers (internal)
Card top-up
Basic card controls

Phase 3: Launch Prep (Months 5-6)

Week 17-20:

SEPA transfers
Bank transfer top-up
Security hardening
Compliance audit

Week 21-24:

Beta testing (500 users)
Bug fixes
Performance optimization
Soft launch

Milestones

Milestone	Target Date	Deliverable
Alpha	Month 3	Core features working
Beta	Month 5	500 beta users
Soft Launch	Month 6	Public availability
GA	Month 7-8	Marketing push

5. Success Metrics

Activation Metrics

Metric	Target	Threshold
Signup completion	>80%	>60%
KYC pass rate	>85%	>70%
First transaction	>50% in 7 days	>30%
Card activation	>70%	>50%

Engagement Metrics

Metric	Target	Threshold
MAU/DAU	>30%	>20%
Transactions/user/month	>10	>5
App opens/week	>3	>1

Quality Metrics

Metric	Target	Threshold
App crash rate	<0.5%	<1%
API latency (p95)	<500ms	<1000ms
Uptime	>99.9%	>99.5%
App store rating	>4.5	>4.0

Business Metrics

Metric	Target	Threshold
CAC	<EUR 30	<EUR 50
Monthly burn	<EUR 50K	<EUR 75K
Active users (6 months)	>5,000	>2,000

Sources

Cost Analysis

Cost Breakdown and Budget Estimates

Architecture alignment note (2026-02-14): This document is pre-architecture research from the mobilebank-research phase. Drop ultimately chose a PSD2 pass-through model — no wallet, no balance held, no own EMI license required for MVP. The pass-through model significantly reduces licensing and BaaS costs compared to the scenarios below. Card issuing is a FUTURE feature. This document is retained as cost research reference — actual Drop cost structure differs.

Executive Summary
Licensing Costs
Development Costs
Third-Party Provider Costs
Infrastructure Costs
Operational Costs
Budget Scenarios

1. Executive Summary

Total Investment Range

Approach	Initial (Year 1)	Monthly Ops	Break-even
BaaS MVP	EUR 150K-300K	EUR 15-30K	18-24 months
Full Build	EUR 500K-1.5M	EUR 50-100K	24-36 months
Enterprise	EUR 1.5M+	EUR 100K+	36+ months

Key Cost Drivers

Licensing strategy (own vs. BaaS)
Development approach (in-house vs. outsource)
Feature complexity
Geographic scope
Transaction volume

2. Licensing Costs

Option A: Own EMI License

Jurisdiction	Application	Capital	Setup (Legal/Consulting)	Timeline
Lithuania	EUR 1,463	EUR 350,000	EUR 30-50K	6-9 months
Malta	EUR 2-5K	EUR 350,000	EUR 40-60K	6 months
Ireland	EUR 4K	EUR 350,000	EUR 200-300K	12-18 months
UK (FCA)	GBP 5,000	GBP 350,000	GBP 100-200K	6-12 months

Lithuania Breakdown:

Application fee: EUR 1,463
Capital requirement: EUR 350,000 (held in local bank)
Legal/consulting: EUR 30,000-50,000
Directors/compliance staff: EUR 100,000+/year
Total setup: ~EUR 400,000-500,000

Option B: BaaS Partnership (No Own License)

Provider	Setup Fee	Monthly Minimum	Per-Transaction
Swan	EUR 0-10K	EUR 500-2K	Volume-based
Treezor	EUR 10-50K	EUR 2-5K	Volume-based
Solarisbank	EUR 50-100K	EUR 5-10K	Custom

Savings with BaaS:

No EUR 350K capital lock-up
No license application process
Faster time to market (weeks vs. months)
Compliance handled by provider

3. Development Costs

MVP Development (4-6 months)

Component	In-House (Western EU)	Outsource (Eastern EU)	Outsource (Asia)
Backend	EUR 80-120K	EUR 40-60K	EUR 25-40K
Mobile (Flutter)	EUR 60-100K	EUR 30-50K	EUR 20-35K
Frontend (Web)	EUR 30-50K	EUR 15-25K	EUR 10-18K
DevOps/Infra	EUR 20-40K	EUR 10-20K	EUR 8-15K
QA/Testing	EUR 20-30K	EUR 10-15K	EUR 6-10K
Total	EUR 210-340K	EUR 105-170K	EUR 69-118K

Feature-Level Costs

Feature	Development Cost	Notes
User onboarding	EUR 8-15K	Auth, registration
KYC integration	EUR 15-30K	Third-party API
Account management	EUR 20-35K	Core functionality
Virtual card	EUR 25-40K	Issuing integration
P2P transfers	EUR 15-25K	Internal + SEPA
Card top-up	EUR 10-20K	Payment gateway
Push notifications	EUR 5-10K	FCM/APNS
Transaction history	EUR 8-12K	UI + backend
Card controls	EUR 10-15K	Freeze, limits

Team Composition (MVP)

Role	Count	Monthly Cost (EU)
Tech Lead	1	EUR 8-12K
Backend Dev (Senior)	2	EUR 12-18K
Mobile Dev (Senior)	2	EUR 12-18K
DevOps	1	EUR 6-9K
QA	1	EUR 4-6K
Product Manager	1	EUR 6-10K
Designer	0.5	EUR 3-5K
Total	8.5	EUR 51-78K/month

Outsourcing Savings: 40-60% vs. Western EU rates

4. Third-Party Provider Costs

BaaS Provider Costs

Provider	Setup	Monthly	Per Account	Notes
Swan	Free-10K	EUR 500-2K	EUR 0.50-2	Fast integration
Treezor	EUR 10-30K	EUR 2-5K	Included	SEPA optimized
Solarisbank	EUR 50-100K	EUR 5-10K	Custom	Full stack

Card Issuing Costs

Provider	Setup	Per Card	Transaction Fee
Marqeta	EUR 5-50K	EUR 0.50-2	0.5-1%
Stripe Issuing	Free	EUR 0.10-0.50	Included
Adyen	Custom	Custom	Custom

KYC/Identity Verification

Provider	Per Verification	Volume Discount
Sumsub	EUR 0.50-2.00	Yes (>10K/month)
Onfido	EUR 1.00-3.00	Yes
IDnow	EUR 2.00-5.00	Yes

Example (10K users/month):

Sumsub: EUR 5,000-20,000/month
Volume pricing reduces to EUR 0.30-0.50/verification

Payment Processing

Provider	Setup	Per Transaction	Notes
Stripe	Free	1.4% + EUR 0.25 (EU)	Easy integration
Adyen	Free	EUR 0.10-0.15 + interchange	Enterprise

Virtual IBAN

Provider	Per IBAN	Monthly Maintenance
OpenPayd	EUR 1-5	EUR 0-1
Banking Circle	Custom	Volume-based
Usually included in BaaS	-	-

5. Infrastructure Costs

Cloud Infrastructure (AWS/GCP)

Component	Monthly Cost	Notes
Compute (K8s cluster)	EUR 1,500-3,000	3-5 nodes
Database (RDS/Cloud SQL)	EUR 500-1,500	Multi-AZ
Redis (ElastiCache)	EUR 200-500	Cluster mode
Storage (S3)	EUR 100-300	Documents, backups
CDN (CloudFlare)	EUR 200-500	Pro/Business
Monitoring (Datadog)	EUR 300-800	APM included
Total	EUR 2,800-6,600	Scales with users

Cost Per User

Users	Infrastructure	Third-Party	Total/User
1,000	EUR 3/user	EUR 5/user	EUR 8/user
10,000	EUR 1/user	EUR 3/user	EUR 4/user
100,000	EUR 0.50/user	EUR 2/user	EUR 2.50/user

6. Operational Costs

Monthly Operational Expenses

Category	MVP Phase	Growth Phase	Scale Phase
Team (salaries)	EUR 30-50K	EUR 80-150K	EUR 200K+
Infrastructure	EUR 3-5K	EUR 10-20K	EUR 50K+
Third-party services	EUR 5-10K	EUR 20-50K	EUR 100K+
Compliance	EUR 5-10K	EUR 15-30K	EUR 50K+
Customer support	EUR 2-5K	EUR 10-20K	EUR 30K+
Marketing	EUR 5-15K	EUR 30-100K	EUR 200K+
Legal/Professional	EUR 2-5K	EUR 5-15K	EUR 20K+
Office/Admin	EUR 2-5K	EUR 5-10K	EUR 15K+
Total	EUR 54-105K	EUR 175-395K	EUR 665K+

Per-User Economics

Metric	Amount	Notes
Customer Acquisition Cost	EUR 20-50	Marketing + onboarding
First-year serving cost	EUR 175	Fixed costs
Monthly serving cost	EUR 5	Infrastructure + support
Required spend for breakeven	EUR 750/month	Year 1

Compliance Costs

Item	Annual Cost
Compliance Officer (FTE)	EUR 80-120K
AML monitoring tools	EUR 20-50K
External audits	EUR 30-60K
Regulatory reporting	EUR 10-20K
Training & certification	EUR 5-10K
Total	EUR 145-260K

7. Budget Scenarios

Scenario A: Lean BaaS MVP

Assumptions:

BaaS partnership (Swan)
Outsourced development (Eastern EU)
6-month timeline
Target: 5,000 users Year 1

Category	Year 1	Monthly (Avg)
Development	EUR 150,000	-
BaaS setup + fees	EUR 20,000	EUR 2,000
KYC (5K verifications)	EUR 10,000	EUR 1,000
Infrastructure	EUR 36,000	EUR 3,000
Operations (lean)	EUR 120,000	EUR 10,000
Marketing	EUR 60,000	EUR 5,000
Legal/Compliance	EUR 30,000	EUR 2,500
Buffer (15%)	EUR 64,000	-
Total Year 1	EUR 490,000	EUR 23,500

Scenario B: Standard Build

Assumptions:

Own EMI license (Lithuania)
Mixed team (in-house + outsource)
12-month timeline
Target: 20,000 users Year 1

Category	Year 1	Monthly (Avg)
EMI License	EUR 450,000	-
Development	EUR 300,000	-
Card program	EUR 50,000	EUR 5,000
KYC (20K verifications)	EUR 30,000	EUR 3,000
Infrastructure	EUR 72,000	EUR 6,000
Operations	EUR 480,000	EUR 40,000
Marketing	EUR 200,000	EUR 17,000
Legal/Compliance	EUR 150,000	EUR 12,500
Buffer (20%)	EUR 346,000	-
Total Year 1	EUR 2,078,000	EUR 83,500

Scenario C: Enterprise Launch

Assumptions:

Own license (Ireland for prestige)
Full in-house team
Custom core banking
Target: 100,000 users Year 1

Category	Year 1
EMI License (Ireland)	EUR 800,000
Development	EUR 800,000
Core banking platform	EUR 300,000
Card program	EUR 150,000
KYC (100K verifications)	EUR 100,000
Infrastructure	EUR 300,000
Operations	EUR 1,500,000
Marketing	EUR 1,000,000
Legal/Compliance	EUR 400,000
Buffer (25%)	EUR 1,337,500
Total Year 1	EUR 6,687,500

Cost Optimization Strategies

Development

Outsource to Eastern EU (40-60% savings)
Use BaaS to reduce custom development
Cross-platform mobile (Flutter) vs. native

Licensing

Start with BaaS, migrate to own license later
Lithuania over Ireland (70% cheaper)
Small EMI if eligible

Operations

AI chatbots reduce support costs 60%
Automated KYC reduces manual review
Cloud-native for elastic scaling

Marketing

Referral programs (lower CAC)
Partnership distribution
Niche targeting

Financial Model Summary

Unit Economics Target

Metric	Target
CAC	< EUR 30
LTV	> EUR 150
LTV:CAC	> 5:1
Payback period	< 12 months
Gross margin	> 60%

Revenue Model

Stream	Revenue/User/Year
Interchange	EUR 15-30
FX markup	EUR 10-20
Premium subscription	EUR 60-120
Interest income	EUR 5-15
Total potential	EUR 90-185

Break-even Analysis

Scenario	Users Required	Timeline
BaaS MVP	5,000-10,000	18-24 months
Standard	20,000-30,000	24-36 months
Enterprise	50,000+	36+ months

Sources

Technology Stack

Technical Stack Recommendations

1. Architecture Overview

Principles

Microservices Architecture - Modular, independently deployable
Cloud-Native Design - Containerized, elastic scaling
Security by Design - Zero-trust, encryption everywhere

2. Backend Technology

Primary: Java/Spring Boot

Built-in Spring Security, OAuth2
ACID compliance for transactions
Proven in regulated industries
Spring Boot 3.x, Spring Cloud

Secondary: Node.js

WebSocket connections
Push notifications
Real-time updates

Hybrid Approach

Java: Auth, Accounts, Payments, Cards, Ledger, KYC/AML
Node.js: WebSocket, Notifications, Real-time
Python: Fraud ML, Risk Scoring, Analytics

3. Mobile Development

Recommendation: Flutter

Criteria	Flutter	React Native	Native
Performance	Near-native	Good	Best
Code Sharing	95%+	85-90%	0%
Market Share	46%	35%	-

Why Flutter:

Same UI across iOS/Android
Single codebase
No JS bridge
Used by major banks

Stack: Bloc, GoRouter, Dio, Hive, local_auth

4. Database & Storage

Primary: PostgreSQL 16
Cache: Redis 7
Queue: Kafka/RabbitMQ
Documents: S3
Search: Elasticsearch

5. Infrastructure

Cloud: AWS or GCP

Components:

Kubernetes (EKS/GKE)
Terraform
GitHub Actions + ArgoCD
Prometheus + Grafana
CloudFlare (WAF)

6. Security

OWASP MASVS

AES-256, TLS 1.3
Biometric auth, 2FA
Certificate pinning
Code obfuscation

7. MVP Stack

Backend: Java 21 + Spring Boot 3.2, Node.js 20
Mobile: Flutter 3.x
Data: PostgreSQL, Redis, Kafka
Infra: AWS/GCP, K8s, Terraform
Third-Party: Swan (BaaS), Stripe Issuing, Sumsub (KYC)

BankID & Vipps Research

BankID and Vipps Login Authentication Research

Research Date: 2026-02-15 Project: Drop Fintech App Purpose: Evaluate feasibility of integrating BankID and Vipps as authentication methods

Executive Summary

Both BankID and Vipps Login are viable authentication options for Drop. Both support OIDC/OAuth2 integration with Next.js, have test environments, and can serve dual purposes as both authentication and PSD2 Strong Customer Authentication (SCA).

Critical Timeline Note: BankID is undergoing major changes with an April 1, 2026 deadline for migration to new infrastructure.

Key Considerations:

BankID requires Norwegian bank account and 10 business days for production access
Vipps has lower per-transaction costs (DKK 0.00-0.40 vs DKK 0.65-0.89)
Both services can be accessed via aggregators (Idura/Signicat) which simplify integration
Both meet PSD2 SCA requirements

1. Norwegian BankID

What is it?

BankID is Norway's leading electronic identification system, issued through Norwegian banks. It enables secure authentication and digital signatures. BankID supports both traditional methods and the newer BankID with Biometrics (app-based solution using WebAuthn).

Major Change in 2026: BankID is moving to a single issuer (Stø AS) with critical infrastructure changes taking effect April 1, 2026. All integrations must migrate to the new Digital Trust Platform and OIDC-based approach before this deadline.

Integration Method

Protocol: OpenID Connect (OIDC) / OAuth 2.0
Flow: Authorization Code Flow with PKCE (Proof Key for Code Exchange)
Redirect-based: Yes, user redirected to BankID login
Next.js Compatibility: Yes, Auth.js/NextAuth supports BankID NO provider
Implementation: Use well-known OIDC libraries

Technical Requirements:

Set acr_values to urn:bankid:bis for biometric authentication
Verify ID token's acr claim includes "LOA=3" (Level of Assurance 3)
Scopes: openid, profile, nnin_altsub (for Norwegian national identity number)
Generate nonce and code_verifier for security

Reference Implementation: GitHub - BankID OIDC Integration Examples

Requirements to Get Access

Mandatory Prerequisites:

Company must be a customer of a Norwegian bank (within BankID network)
Person signing the contract must have personal eID (Norwegian BankID, Swedish BankID, or Danish MitID)
Completed "Getting Ready for Production" guide (step 5) to obtain production domain
Register application in BankID Developer Portal (freely available)

Application Information Required:

Company information
General contact person
Person authorized to sign agreement
Norwegian bank details
Technical contacts (credentials delivery, blocking/revoking access)
Display name for login app
Production domain URL

Agreement Process:

Submit application information
Provider sends online agreement for signing
Signed agreement forwarded to your bank for processing
Bank issues client credentials

Cost

Direct from BankID Norge (Reseller Model):

One-time establishment fee: NOK 100,000
Fixed monthly fee: NOK 8,300
Per-transaction costs: Not clearly specified in direct model

Via Idura/Criipto Aggregator:

Monthly platform fee: €65–€390 (tier-dependent: Small/Medium/Large)
Biometric BankID (app): DKK 0.65 per login
Traditional BankID: DKK 0.89 per login
Billing: Monthly consumption + subscription

NEEDS VERIFICATION: Direct BankID pricing may have changed. Contact BankID Norge for current 2026 pricing.

Technical Complexity

Difficulty Level: Medium

Pros:

Standard OIDC implementation
Extensive documentation available
Auth.js/NextAuth built-in support
Code examples available on GitHub

Cons:

April 1, 2026 migration deadline adds urgency
Must handle migration to new Digital Trust Platform
PAdES transition required for document signing (Jan-Mar 2026)
More complex setup vs simpler OAuth providers

Estimated Integration Time: 2-4 weeks (including testing and certification)

Timeline

Application to Production:

Bank processing time: Up to 10 business days after signed agreement
Total estimated timeline: 2-4 weeks (including application, bank processing, credential issuance)

Critical Dates:

January 1, 2026: PAdES transition begins for Enterprise/Express API
March 31, 2026: Final deadline for PAdES migration
April 1, 2026: Old BankID Server and OIDC signing from Stø discontinued

Action Required: Complete migration to Digital Trust Platform before April 1, 2026.

Sandbox/Test Environment

Test Access: Freely available

Test Environment Details:

Register application in BankID Developer Portal (free)
Preprod app access: Request via support portal or through BankID partner
Self-service test user portal: ra-preprod.bankidnorge.no
Default test credentials: OTP password and qwer1234
Test users: Generate Norwegian national identity numbers (NNIN) for testing

Testing Tools:

Available at tools.bankid.no
Supports authentication, signing, password change
Document types: plain text, PDF, XML
Can be embedded via iframe or direct link

Support: developer@bankidnorge.no

PSD2 Relevance

SCA Compliance: YES - Fully compliant

BankID with biometrics is approved for payments and meets Strong Customer Authentication (SCA) requirements according to PSD2 and 3D Secure standards.

Technical Details:

Level of Assurance: "Substantial" (eIDAS standard)
Authentication: WebAuthn-based biometrics (built-in phone/computer biometrics)
Security: BankID never accesses biometric data; receives signed confirmation from Apple/Google
PSD2 Integration: Netcompany Banking Services supports 1-SCA (single strong customer authentication) using BankID for Norway

Use Cases for Drop:

User authentication/login
PSD2 payment authorization (SCA)
Combined auth + payment flow

Alternative Providers

Aggregator Services (Recommended):

Idura (formerly Criipto)
- Bundles BankID + Vipps + other Nordic eIDs
- Single integration point for multiple providers
- Pricing: €65-€390/month + per-transaction fees
- Website: idura.eu
Signicat
- Largest BankID provider in Norway (established 2007)
- Enterprise-focused solution
- Offers authentication + digital signatures
- Pricing: Contact for quote
- Website: signicat.com
Curity
- Identity platform with Norwegian BankID support
- OIDC authenticator approach
- Enterprise-grade solution
- Website: curity.io

Recommendation: For Drop's use case (fintech startup), Idura offers the best balance of simplicity, cost-effectiveness, and multi-provider support.

What is it?

Vipps is Norway's #1 mobile payment provider with near-ubiquitous adoption. Vipps Login is an authentication service that allows users to log in using their mobile number. The brand split: Vipps (Norway/Sweden) and MobilePay (Denmark/Finland) use the same API under Vipps MobilePay.

Integration Method

Protocol: OpenID Connect (OIDC) / OAuth 2.0
Flow: Browser-based redirect flow (user-initiated or merchant-initiated)
Authentication: API keys (obtained via Vipps MobilePay business portal)
Next.js Compatibility: Yes, Auth.js/NextAuth supports Vipps MobilePay provider
Age Requirement: Users must be 15+ years old

Implementation Example:

import NextAuth from "next-auth"
import Vipps from "next-auth/providers/vipps"

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [Vipps],
})

Test Mode Override:

Vipps({ issuer: "https://apitest.vipps.no/access-management-1.0/access/" })

Key Endpoint:

User info: GET:/vipps-userinfo-api/userinfo (returns consented user data)
Token endpoint: Standard OIDC token exchange

Requirements to Get Access

Application Process:

Order product at vippsmobilepay.com
Complete "Login checklist" for direct integration
Partner application review
Receive test credentials via email (test phone number + national identity number)

Company Requirements:

NEEDS VERIFICATION: Minimum company requirements not specified in documentation
Likely requires Norwegian business registration

Technical Setup:

Access business portal: portal.vippsmobilepay.com
Obtain API keys for authentication
Configure redirect URIs

Cost

Per-Transaction Pricing:

Via Idura Aggregator:

Monthly platform fee: €65–€390 (tier-dependent)
Per-transaction: Vipps MobilePay invoices directly based on "active users" pricing model
NEEDS VERIFICATION: Current 2026 active users pricing structure

Notes:

Most cost-effective authentication option
Free basic login is suitable for initial authentication
SSN access (DKK 0.40) needed for age/identity verification

Technical Complexity

Difficulty Level: Low-Medium

Pros:

Standard OIDC/OAuth2 implementation
Excellent documentation
Auth.js built-in support
Well-known integration libraries recommended
Active GitHub repositories with examples
Widespread usage in Norway (proven reliability)

Cons:

Test environment has no SLA/uptime guarantee
Support limited to Norwegian office hours for test environment
Separate test and production API keys required

Estimated Integration Time: 1-2 weeks

Timeline

Application to Production:

NEEDS VERIFICATION: Specific timeline not documented
Process: Order product → Partner review → Credentials issued
Estimated: Likely 1-2 weeks based on industry standards

Recommendation: Contact Vipps developer support for exact onboarding timeline.

Sandbox/Test Environment

Test Environment: Merchant Test (MT) - Available to all API merchants

Access Details:

All partners/merchants with API access have test environment access
Test server: https://apitest.vipps.no
Portal access: portal.vippsmobilepay.com → "For developers" → "Test users"
Test app: iOS and Android apps that mirror production (connect to MT environment)

Test User Credentials:

Provided via email after partner review
Includes test phone number and national identity number
PIN for "Verify your number": 1236
PIN for "Enter your code": 1236

Limitations:

No SLA or uptime guarantee
No fixes outside Norwegian office hours
Completely separate from production (different API keys)

Suitable For: Websites, e-commerce, apps, loyalty programs

PSD2 Relevance

SCA Compliance: YES - Fully compliant

Vipps has implemented PSD2-compliant Strong Customer Authentication with regulatory-approved delegated SCA from card issuers.

Technical Details:

Two-factor authentication: PIN or biometrics + device possession
No additional 3D Secure required (Verified by Visa, Mastercard ID Check)
Security handled when user logs into Vipps/MobilePay app
Wallet-based payment method with built-in SCA layer

Use Cases for Drop:

User authentication/login
PSD2 payment authorization
Simplified payment flow (no separate 3DS step needed)

Advantage: Vipps SCA is transparent to users (already authenticated in app), creating smoother UX than traditional 3DS flows.

Alternative Providers

Same aggregators as BankID:

Idura (formerly Criipto)
- Bundles Vipps with BankID and other eIDs
- Single integration, multiple auth methods
- Transparent pricing model
Signicat
- Enterprise solution
- Combined authentication suite
- Contact for pricing

Recommendation: If implementing both BankID AND Vipps, use Idura aggregator to manage both via single integration point.

3. Aggregator Comparison

Why Use an Aggregator?

Benefits:

Single integration point for multiple eID providers
Simplified SDK/API (abstraction layer)
Unified billing and reporting
Faster time-to-market
Reduced maintenance burden
Future-proof (easy to add more eID methods)

Trade-offs:

Additional monthly platform fee (€65-€390)
Dependency on third-party service
Potential slight latency increase

Idura (Criipto) - Recommended

What is it: European eID verification platform (formerly Criipto, rebranded to Idura)

Supported eIDs:

Norwegian BankID (Traditional + Biometric)
Vipps Login
Swedish BankID
Danish MitID
Finnish eID
30+ other European eIDs

Pricing Structure:

Platform fee: €65/month (Small), €140/month (Medium), €390/month (Large)
Norwegian BankID: DKK 0.65 (biometric) or DKK 0.89 (traditional) per login
Vipps: DKK 0.00 (no SSN) or DKK 0.40 (with SSN) per login
Swedish BankID: DKK 0.10 per login

Technical:

OIDC/OAuth2 standard
SDKs available
Good documentation
Test environment included

Best For: Drop's use case - need both BankID + Vipps with potential Nordic expansion

Signicat - Enterprise Alternative

What is it: Europe's largest eID and signature provider (established 2007)

Position: Largest BankID provider in Norway

Pricing: Contact for quote (not publicly listed)

Best For: Large enterprises, complex compliance needs, high-volume applications

Direct Integration vs Aggregator

Reasoning:

Supports both BankID and Vipps through one integration
Transparent pricing (€140/month Medium tier likely sufficient)
Future-proof for Nordic expansion
Faster development (proven SDK)
Lower maintenance burden
Cost-effective at expected volume (<10,000 logins/month)

Break-even Analysis:

Idura Medium: €140/month + per-transaction fees
Direct BankID: NOK 8,300/month (€750) + NOK 100,000 setup (€9,000)
Conclusion: Idura cheaper until very high volumes (50,000+ logins/month)

4. Implementation Recommendations

Recommended Approach

Phase 1: Email + Password (MVP)

Implement JWT-based auth with jose (already planned)
Collect email, validate age/residency through form
Manual verification initially

Phase 2: Add BankID (Primary eID)

Integrate via Idura
Use BankID for identity verification (name, SSN, address)
Automatic age verification (18+)
Satisfies regulatory requirements
Serves as SCA for PSD2 payments

Phase 3: Add Vipps Login (Alternative)

Same Idura integration (minimal additional work)
Offer choice: BankID or Vipps
Vipps likely preferred by users (more familiar, used daily)
Free basic login reduces costs

Phase 4: Optimize Flow

Optional: Allow email/password for returning users
Require BankID/Vipps for first-time verification
Re-verify periodically (e.g., annually) via eID

Technical Architecture

Recommended Stack:

Next.js 16 App Router
├─ Auth.js (NextAuth v5) - OIDC client
├─ Idura Verify - eID aggregator
│  ├─ Norwegian BankID
│  └─ Vipps Login
├─ jose - JWT signing/verification
└─ PostgreSQL - user sessions

Flow:

User clicks "Log in with BankID" or "Log in with Vipps"
Next.js redirects to Idura OIDC endpoint
Idura redirects to BankID/Vipps
User authenticates
Idura returns to callback with ID token
Next.js validates token, extracts claims (name, SSN, email)
Create/update user in database
Issue JWT session token (jose)
User authenticated

Security Considerations:

Store Idura client credentials in environment variables
Validate ID token signature
Check acr claim for LOA=3
Verify age from birthdate/SSN
Log all authentication events
Implement rate limiting

Timeline Estimate

Development Timeline:

Week 1-2: Idura account setup, test environment configuration
Week 3-4: Next.js Auth.js integration, BankID flow
Week 5: Vipps Login integration
Week 6-7: Testing, edge cases, error handling
Week 8: Production deployment, monitoring

Total: 8 weeks to production-ready dual eID authentication

Cost Projection (First Year)

Assumptions:

1,000 users in year 1
50% use BankID, 50% use Vipps
Average 12 logins/user/year
Idura Medium tier: €140/month

Calculation:

Platform fee: €140 × 12 = €1,680
BankID logins: 500 users × 12 logins × DKK 0.65 = DKK 3,900 (€470)
Vipps logins: 500 users × 12 logins × DKK 0.40 = DKK 2,400 (€290)
Total Year 1: €2,440

At Scale (10,000 users):

Platform fee: €1,680
BankID: €4,700
Vipps: €2,900
Total: €9,280/year

Conclusion: Cost scales linearly with users, remains affordable for fintech startup.

5. Risks and Mitigations

BankID Migration Risk (Critical)

Risk: April 1, 2026 deadline for Digital Trust Platform migration

Impact: Service disruption if not migrated in time

Mitigation:

If integrating via Idura: Migration handled by aggregator
If direct integration: Prioritize migration work immediately
Test new platform in preprod before March 31
Recommendation: Use Idura to offload migration risk

Age Verification Accuracy

Risk: Users might bypass age check with email/password

Mitigation:

Require BankID/Vipps for account activation
Email/password only for returning users
Periodic re-verification (annual)
Flag accounts without eID verification

User Adoption

Risk: Users unfamiliar with eID login may abandon signup

Mitigation:

Clear onboarding instructions
Video tutorial for first-time users
Support contact readily available
Fallback to manual verification if needed

Service Availability

Risk: BankID/Vipps downtime prevents login

Mitigation:

Multiple authentication options (BankID + Vipps)
Cache authentication status (JWT sessions)
Monitor provider status pages
Implement graceful degradation

Regulatory Changes

Risk: PSD2/eIDAS requirements may change

Mitigation:

Use compliant providers (BankID/Vipps are regulated)
Stay informed via provider newsletters
Idura handles compliance updates
Legal review of authentication flow

6. Questions Needing Verification

The following points require direct contact with providers for confirmation:

BankID Direct Pricing: Current 2026 per-transaction costs (NOK 8,300/month model unclear on variable costs)
Vipps Timeline: Exact onboarding timeline from application to production
Vipps Active Users Model: Current 2026 pricing structure for active users billing
Idura Large Tier: Volume thresholds for Small/Medium/Large tiers
Minimum Requirements: Specific business registration requirements for Vipps merchant account
SCA Dual-Use: Confirm BankID/Vipps can be used for BOTH login and payment authorization in same session
April 2026 Migration: Detailed requirements if integrating direct BankID (not via aggregator)

7. Final Recommendation

Recommendation: Implement BOTH BankID and Vipps via Idura aggregator

Justification:

Regulatory Compliance: BankID satisfies identity verification (18+, Norwegian resident)
User Preference: Vipps more familiar, offers free login option
PSD2 Dual-Use: Both serve as authentication AND SCA for payments
Cost-Effective: Idura cheaper than direct integration until high volume
Risk Mitigation: Idura handles April 2026 BankID migration
Future-Proof: Easy to add Swedish/Danish eIDs for Nordic expansion
Development Speed: Faster implementation with proven SDK

Implementation Priority:

Phase 1: Email/Password (MVP launch)
Phase 2: BankID via Idura (compliance requirement)
Phase 3: Vipps via Idura (user convenience)

Next Steps:

Contact Idura sales for Medium tier quote and setup
Register test account and explore SDK documentation
Validate integration with Next.js 16 App Router
Architect user database schema (with eID verification fields)
Implement BankID flow first (higher priority for compliance)
Add Vipps as alternative option
Load test authentication flow
Production deployment with monitoring

Sources

BankID Sources

Vipps Sources

PSD2/SCA Sources

Aggregator Sources

Report Prepared By: John (AI Director) Last Updated: 2026-02-15 Status: Research complete, awaiting approval for implementation

Cloud Cost Analysis

Drop — Cloud Deployment Cost Analysis

Date: 2026-02-11 Author: John (AI Director) Status: Historical — superseded by ADR-014 (PostgreSQL-only) and ADR-012 (AWS App Runner)

NOTE (2026-03-03): This analysis was written before ADR-014 mandated PostgreSQL 16 in all environments. SQLite references below reflect the old architecture and are no longer valid. Current deployment: AWS App Runner + AWS RDS PostgreSQL 16. See ADR-012 and ADR-014.

Current Tech Stack

Layer	Tech	Production Note
App	Next.js 16 (App Router)	Monolith, ~7 pages + API
Frontend	React 19 + Tailwind v4	SSR/SSG
DB	SQLite (better-sqlite3)	Must migrate to PostgreSQL for production
Auth	JWT (jose) httpOnly cookie	OK for production
Dependencies	bcryptjs, radix-ui, lucide, sonner	Lightweight
Dev server	Port 3001 (configured in project.json)	Currently running locally

Key constraint: SQLite cannot handle concurrent writes (ADR-001). Must switch to PostgreSQL before launch.

Phase 1: MVP / Demo (now → 200 users)

Provider	Plan	Price/mo	Notes
Vercel Pro	Next.js native	$20 (~215 NOK)	No persistent FS — SQLite won't work without Turso/Neon
Railway Starter	Next.js + persistent disk	$5 + usage (~160 NOK)	SQLite works here
Fly.io Hobby	LiteFS support	$5 + usage (~160 NOK)	Great for SQLite
Hetzner VPS (shared)	On same CPX41	+~0 NOK	If already provisioned from system migration

Recommended Phase 1 Stack

Item	Provider	Cost/mo
App hosting	Hetzner VPS (shared) or Railway	0-160 NOK
DB	SQLite (local)	0
Domain	getdrop.no (one.com)	~100 NOK/yr
SSL	Let's Encrypt / Cloudflare	0
Total Phase 1		~10-170 NOK/mo

Phase 2: Launch (200-3,000 users)

SQLite → PostgreSQL migration required. Need transactional email and SMS for auth.

Item	Provider	Cost/mo
App hosting	Railway or Fly.io	$10-20 (~110-215 NOK)
PostgreSQL managed	Neon free→Pro $19 or Supabase free→$25	0-270 NOK
Transactional email	Resend (3,000 free/mo) → $20	0-215 NOK
SMS (OTP auth)	Twilio ~$0.05/SMS × 500/mo	~270 NOK
CDN	Cloudflare Free	0
Monitoring	Sentry free tier	0
BaaS (Wise API)	Per-transaction fee	Covered by tx fees
Total Phase 2		~400-1,000 NOK/mo

Phase 3: Scale (3,000-15,000 users)

Fintech = reliability, backups, WAF, logging required.

Item	Provider	Cost/mo
App hosting (2 instances)	Railway Pro or Fly.io	$30-50 (~325-540 NOK)
PostgreSQL managed (HA)	Neon Pro $69 or Supabase Pro $25+usage	270-750 NOK
Redis (caching/sessions)	Upstash free→$10	0-110 NOK
Transactional email	Resend Pro $20	215 NOK
SMS (OTP)	Twilio × 3,000/mo	~1,600 NOK
CDN + WAF	Cloudflare Pro $20	215 NOK
Monitoring	Sentry Team $26	280 NOK
Logging	Betterstack free→$25	0-270 NOK
Backup storage	Backblaze B2	55 NOK
BaaS APIs (Wise/Thunes/Swan)	Per-tx, variable	Covered by tx fees
Total Phase 3		~3,000-4,000 NOK/mo

Summary

Phase	Users	Infra cost/mo	MRR (from business case)	Margin
MVP	0-200	10-170 NOK	0-12,000 NOK	— (pre-revenue)
Launch	200-3,000	400-1,000 NOK	12,000-130,000 NOK	90%+
Scale	3,000-15,000	3,000-4,000 NOK	130,000-650,000 NOK	97%+

Infrastructure cost is negligible vs revenue. Fintech margins on infra are excellent — biggest costs are marketing (30-50K/mo) and compliance, not hosting.

Shared Hetzner VPS Option

Drop can run on the same Hetzner CPX41 (from system migration analysis) for +0 NOK incrementally:

Next.js production build → Docker container
PostgreSQL → share existing Docker Postgres or add new container
Cloudflare tunnel: add new hostname for Drop

Only at 3,000+ users should Drop move to dedicated infrastructure.

System cloud migration analysis: ~/ALAI/finance/cloud-migration-analysis.md (MC #524)
Drop business case: ~/ALAI/products/Drop/project/docs/zica-business-case-v2.md
Drop architecture: ~/ALAI/products/Drop/project/architecture/architecture-document.md

Market Research

Mobile Banking Research

Mobile Payment/Banking Application - Full Research Findings

Table of Contents

1. Regulatory Requirements

1.1 EU Payment Services Directive (PSD2/PSD3)

Current State (PSD2)

PSD3 Transition (2025-2028)

1.2 Licensing Requirements

Electronic Money Institution (EMI) License

Payment Institution (PI) License

1.3 KYC/AML Requirements

EU AML Package 2025

1.4 Data Protection (GDPR)

2. Technical Architecture

2.1 System Architecture Overview

2.2 Payment Processing Flow

2.3 Mobile Wallet Architecture

2.4 Core Banking Integration Options

2.5 API-First Design Principles

3. Security & Compliance

3.1 PCI DSS Compliance

3.2 Strong Customer Authentication (SCA)

3.3 Security Architecture

3.4 Fraud Prevention

4. Market Analysis

4.1 European Digital Banking Market

4.2 Competitive Landscape

4.3 Revenue Models

5. Key Success Factors

5.1 Time to Market

5.2 User Acquisition

5.3 Operational Excellence

Sources and References

Regulatory

Technical

Market

Banking Providers

Third-Party Providers Comparison

Table of Contents

1. Banking-as-a-Service (BaaS) Providers

Overview

Provider Comparison

Solarisbank (Solaris SE)

Swan

Treezor (Societe Generale)

Railsr (formerly Railsbank)

Other Notable Providers

BaaS Selection Criteria

2. Card Issuing Platforms

Provider Comparison

Marqeta

Stripe Issuing

Adyen Issuing

Other Card Issuers

3. Payment Processors

Adyen

Stripe

Stripe Treasury (Embedded Finance)

Other Payment Processors

4. KYC/Identity Verification Providers

Provider Comparison

Onfido

Sumsub

IDnow

Entrust

Comparison Matrix

5. Virtual IBAN Providers

Key Providers

OpenPayd

Banking Circle

Airwallex

Other Providers

IBAN Provider Selection Criteria

6. Recommendation Matrix

By Company Stage

By Use Case

By Budget

Sources

MVP Specification