# Compliance Framework Document

> **Project:** Drop — Fintech Payment App (ALAI Holding AS)
> **Version:** 1.0
> **Date:** 2026-02-23
> **Author:** ALAI Compliance Team
> **Status:** Draft
> **Reviewers:** DPO, Legal Counsel, CEO
> **Classification:** Confidential

## Document History

| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 0.1     | 2026-02-12 | Compliance Agent (ALAI) | Initial gap analysis and regulatory mapping |
| 1.0     | 2026-02-23 | Security Architect (ALAI) | Framework document |

---

## 1. Applicable Regulations

**Overall Compliance Readiness (MVP stage, 2026-02-13):** 8/100 — Pre-production MVP. No live transactions.

| Regulation | Norwegian Law | Applicability | Status |
|-----------|--------------|--------------|--------|
| PSD2 | Betalingstjenesteloven (LOV-2018-11-23-85) | Core — payment services regulation | 10% ready |
| AML/KYC | Hvitvaskingsloven (LOV-2018-06-01-23) | Core — anti-money laundering | 5% ready |
| GDPR | Personopplysningsloven (LOV-2018-06-15-38) | Core — personal data protection | 15% ready |
| ICT Security | IKT-forskriften / DORA (EU) 2022/2554 | Required for financial enterprises | 25% ready |
| Financial Enterprise | Finansforetaksloven (LOV-2015-04-10-17) | Licensing and governance | 0% ready |
| Currency Registry | Valutaregisterloven (LOV-2004-12-17-109) | Cross-border payment reporting | 0% ready |
| Consumer Protection | Finansavtaleloven (LOV-2020-12-18-146) | User rights | Partial |

**Source:** `legal/drop-regulatory-map-v2.md`, `legal/drop-gap-analysis-v2.md`

**Compliance Owner:** Alem Bašić, CEO/CISO — ALAI Holding AS (alem@alai.no)
**External Auditor:** TBD — requires appointment before license application
**Last Audit:** 2026-02-12 (internal security audit) | **Next Audit:** TBD (prior to license application)

---

## 2. GDPR Compliance

**Source:** `legal/personvernerklaering.md`, `legal/dpia-vurdering.md`, `legal/drop-regulatory-map-v2.md §4`

### 2.1 Requirements Summary

| Article | Requirement | Our Implementation | Status |
|---------|------------|-------------------|--------|
| Art. 5 | Data minimization, purpose limitation | Only collect necessary fields; DPIA documents necessity | Partial |
| Art. 6 | Lawful basis for processing | See §2.2 | Partial |
| Art. 7 | Consent — specific, informed, unambiguous | Consent management TBD | Not implemented |
| Art. 13/14 | Privacy notice at collection | `legal/personvernerklaering.md` (draft, Norwegian) | Draft exists |
| Art. 17 | Right to erasure | TBD — account deletion flow not built | Planned Phase 2 |
| Art. 20 | Right to data portability | TBD — data export feature planned | Planned Phase 2 |
| Art. 25 | Privacy by design and default | Pass-through model minimizes data held | Architectural |
| Art. 30 | Records of processing activities | `legal/behandlingsprotokoll.md` — TBD | Not created |
| Art. 32 | Appropriate security measures | See security-architecture.md | Partial |
| Art. 33 | 72-hour breach notification | See data-breach-response-plan.md | Documented |
| Art. 35 | DPIA for high-risk processing | `legal/dpia-vurdering.md` | Draft exists |
| Art. 37 | DPO designation | TBD — not yet appointed | Not done |
| Art. 44 | Cross-border transfers | SCCs required — see §2.4 | Planned |

### 2.2 Lawful Basis Inventory

| Processing Activity | Lawful Basis | Legal Basis Document | Retention |
|--------------------|-----------|--------------------|---------|
| Account creation and management | Contract (Art. 6.1.b) | `legal/brukervilkar.md` (Terms) | Duration + 2 years |
| Payment initiation (PISP) | Contract (Art. 6.1.b) | `legal/brukervilkar.md` | 5 years (Bokføringsloven) |
| Account info reading (AISP) | Consent (Art. 6.1.a) | Consent at onboarding | Until consent withdrawn |
| AML/KYC identity verification | Legal obligation (Art. 6.1.c) | Hvitvaskingsloven §§ 10-18 | 5 years (hvvl. §30) |
| Transaction monitoring | Legal obligation (Art. 6.1.c) | Hvitvaskingsloven §§ 24-25 | 5 years (hvvl. §30) |
| Fraud detection | Legitimate interest (Art. 6.1.f) | LIA documented in DPIA | 2 years |
| Security logging | Legitimate interest (Art. 6.1.f) | IKT-sikkerhetspolicy | 12-24 months |
| Marketing emails | Consent (Art. 6.1.a) | Consent record | Until consent withdrawn |

### 2.3 Controls Mapping

| Control | Requirement | Status | Evidence |
|---------|------------|--------|---------|
| Privacy notice (Norwegian) | Art. 13/14 | Draft | `legal/personvernerklaering.md` |
| DPIA | Art. 35 | Draft | `legal/dpia-vurdering.md` |
| DPO contact | Art. 37 | Not done | TBD — DPO appointment needed |
| Data breach response plan | Art. 33 | Documented | `docs/SECURITY-COMPLIANCE/data-breach-response-plan.md` |
| Data processing agreements | Art. 28 | Partial | `legal/dpa-sumsub.md`, `dpa-swan.md`, `dpa-sentry.md` |
| SCCs for non-EEA transfers | Art. 46 | Planned | Required for remittance corridors |
| Register of processing activities | Art. 30 | Not created | `legal/behandlingsprotokoll.md` to be completed |

### 2.4 Data Subject Rights — Implementation

| Right | Status | Target Implementation |
|-------|--------|----------------------|
| Access (Subject Access Request) | Not built | `GET /api/users/me/data-export` — Phase 2 |
| Rectification | Partial | `PATCH /api/users/me` — settings update exists |
| Erasure | Not built | Account deletion + anonymization — Phase 2 |
| Portability | Not built | JSON export endpoint — Phase 2 |
| Restriction of processing | Not built | Phase 2 |
| Objection to processing | Not built | Support flow — Phase 2 |

**SLA target:** 30 days per GDPR requirement.

### 2.5 Cross-Border Transfer Compliance

Drop remittance to 30+ countries triggers GDPR Chapter V requirements:

| Transfer | Mechanism | Status |
|---------|-----------|--------|
| Drop → EEA countries (PLN, EUR) | Free flow — no restriction | Compliant |
| Drop → UK | Adequacy decision | Compliant |
| Drop → Serbia (RSD) | SCCs + Transfer Impact Assessment | Planned |
| Drop → Bosnia-Herzegovina (BAM) | SCCs + TIA | Planned |
| Drop → Turkey (TRY) | SCCs + TIA | Planned |
| Drop → Pakistan (PKR) | SCCs + TIA + supplementary measures | Planned — high risk |

**Data minimized in transfer:** Only sender name, recipient name/account, amount, currency, reference. Fødselsnummer NEVER transferred cross-border.

**Source:** `legal/dpia-vurdering.md §7`

---

## 3. PSD2 / SCA Compliance

**Source:** `legal/drop-regulatory-map-v2.md §2`, `legal/drop-gap-analysis-v2.md §2`

### 3.1 Strong Customer Authentication (SCA)

**Current state:** NOT compliant — email + password only (single factor). No BankID integration.
**Required:** BankID integration for SCA (Phase 2, BLOCKING for live transactions).

| SCA Requirement | Law | Status |
|----------------|-----|--------|
| Two of three factors (knowledge/possession/inherence) | Betalingstjenesteloven §§ 4-28, 4-29 | NOT IMPLEMENTED |
| Dynamic linking (amount + payee bound to auth code) | Delegated Reg. (EU) 2018/389 Art. 5 | NOT IMPLEMENTED |
| 90-day re-authentication | Delegated Reg. Art. 10 | NOT IMPLEMENTED |
| BankID integration (covers possession + knowledge) | Required for Norwegian residents | PLANNED Phase 2 |

### 3.2 Open Banking (AISP/PISP)

| Requirement | Status |
|------------|--------|
| AISP license or agent arrangement | NOT OBTAINED |
| PISP license or agent arrangement | NOT OBTAINED |
| PSD2 API integration (Neonomics) | PLANNED Phase 2 |
| No storing of bank credentials | Architectural (pass-through model) |
| PSU explicit consent before account access | PLANNED Phase 2 |

**Licensing path:** Agent model under licensed PSP (1-3 months) while preparing full license (6-12 months). See §4.

### 3.3 Consumer Protection (PSD2)

| Requirement | Status | Document |
|------------|--------|---------|
| Framework agreement | Draft | `legal/brukervilkar.md` |
| Fee transparency pre-authorization | Partial | Fee shown post-submission in API |
| Transaction receipts | Not built | Phase 2 |
| Execution time disclosure | Not built | Phase 2 |

---

## 4. Finanstilsynet Licensing

**Source:** `legal/drop-regulatory-map-v2.md §1`, `legal/konsesjonssoknad-forberedelse.md`

### 4.1 License Options

| Option | Timeline | Capital | Scope |
|--------|---------|---------|-------|
| Agent model (under existing licensee) | 1-3 months | None from Drop | Fastest to market |
| Begrenset betalingsforetak (limited payment institution) | 3-6 months | None (simplified) | Max 6M NOK/month volume |
| Ordinært betalingsforetak (ordinary payment institution) | 6-12 months | 125,000 EUR | Full EEA passporting |

**Recommended path:** Agent model first → Begrenset betalingsforetak for initial launch → Ordinært betalingsforetak for Scandinavian expansion.

### 4.2 Licensing Readiness

| Requirement | Status | Gap |
|-------------|--------|-----|
| Business plan with 3-year projections | Draft | Partial |
| AML policy and procedures | Draft | `legal/hvitvaskingsrutiner.md` |
| Fit & proper documentation | Not done | Board/management CVs + police certs needed |
| Compliance officer designated | Not done | Appointment required |
| Client fund safeguarding | N/A (pass-through) | N/A — Drop never holds funds |
| IT security policy | Draft | `legal/ikt-sikkerhetspolicy.md` |
| Incident handling plan | Draft | `legal/hendelseshaandtering.md` |
| Outsourcing policy | Draft | `legal/utkontraktering-policy.md` |

---

## 5. AML/KYC Compliance

**Source:** `legal/hvitvaskingsrutiner.md`, `legal/risikovurdering-hvitvasking.md`

### 5.1 AML Program Status

| Requirement | Status | Document |
|------------|--------|---------|
| Enterprise-wide risk assessment | Draft | `legal/risikovurdering-hvitvasking.md` |
| AML policy and procedures | Draft | `legal/hvitvaskingsrutiner.md` |
| AML Compliance Officer appointed | NOT DONE | Appointment required |
| KYC procedures (CDD) | Mock only | Real KYC via BankID + Sumsub — Phase 2 |
| Transaction monitoring system | NOT IMPLEMENTED | Phase 2 |
| PEP screening | NOT IMPLEMENTED | Phase 2 (ComplyAdvantage / Refinitiv) |
| Sanctions screening | NOT IMPLEMENTED | Phase 2 |
| STR reporting to EFE (Altinn) | NOT IMPLEMENTED | Phase 2 |
| Staff AML training | NOT DONE | Required |
| 5-year record retention | NOT IMPLEMENTED | Phase 2 |

### 5.2 Transaction Monitoring Thresholds (Planned)

| Rule | Threshold | Action |
|------|---------|--------|
| Single transaction | > NOK 50,000 | Manual review |
| Daily cumulative | > NOK 100,000 | Manual review |
| Monthly cumulative | > NOK 500,000 | EDD assessment |
| High-risk corridor transactions | > 5/week same corridor | Manual review |
| Structuring detection | Multiple just-under-threshold | Automatic flag |

**Source:** `legal/hvitvaskingsrutiner.md §5.2`
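
As an added example (not code from the Drop project) of how the §5.2 thresholds and the §5.3 corridor classification become detection logic, the Python below evaluates one user's transactions against every planned rule and returns the action each rule prescribes. Two details the page leaves undefined are assumptions here: "just under threshold" means an amount within 10% below the single-transaction limit, and three such transfers in one day count as structuring; the high-risk corridor set follows §5.3, where Pakistan (PKR) is the only High entry.

```python
from collections import defaultdict
from datetime import date

# Thresholds from section 5.2 (NOK) and the high-risk corridor from section 5.3.
SINGLE_TX_LIMIT = 50_000
DAILY_LIMIT = 100_000
MONTHLY_LIMIT = 500_000
CORRIDOR_WEEKLY_LIMIT = 5
HIGH_RISK_CORRIDORS = {"PKR"}
# Assumptions (the page does not define them): "just under threshold" means within
# 10% below SINGLE_TX_LIMIT, and three such transfers in one day count as structuring.
STRUCTURING_BAND = 0.9
STRUCTURING_MIN_COUNT = 3

def tx(year, month, day, amount, corridor):
    return {"day": date(year, month, day), "amount": amount, "corridor": corridor}

def evaluate(transactions):
    """Apply the section 5.2 rules to one user's transactions and return a sorted
    list of unique (rule, action) pairs for routing to review or the STR workflow."""
    flags = set()
    daily, monthly, corridor_week, near_limit = (defaultdict(int) for _ in range(4))
    for t in transactions:
        day, amount, corridor = t["day"], t["amount"], t["corridor"]
        if amount > SINGLE_TX_LIMIT:
            flags.add(("single_transaction", "manual_review"))
        daily[day] += amount
        monthly[(day.year, day.month)] += amount
        if corridor in HIGH_RISK_CORRIDORS:           # count per corridor per ISO week
            corridor_week[(corridor, day.isocalendar()[:2])] += 1
        if STRUCTURING_BAND * SINGLE_TX_LIMIT <= amount <= SINGLE_TX_LIMIT:
            near_limit[day] += 1
    if any(v > DAILY_LIMIT for v in daily.values()):
        flags.add(("daily_cumulative", "manual_review"))
    if any(v > MONTHLY_LIMIT for v in monthly.values()):
        flags.add(("monthly_cumulative", "edd_assessment"))
    if any(v > CORRIDOR_WEEKLY_LIMIT for v in corridor_week.values()):
        flags.add(("high_risk_corridor", "manual_review"))
    if any(v >= STRUCTURING_MIN_COUNT for v in near_limit.values()):
        flags.add(("structuring", "automatic_flag"))
    return sorted(flags)

# Constructed sample: one user, one week in March 2026 (not real data).
SAMPLE = ([tx(2026, 3, 2, 60_000, "EUR")] + [tx(2026, 3, 3, 48_000, "PKR")] * 3
          + [tx(2026, 3, 4, 10_000, "PKR")] * 3)

if __name__ == "__main__":
    for rule, action in evaluate(SAMPLE):
        print(f"{rule:<20} -> {action}")
```

The sample trips four of the five rules (the month stays under NOK 500,000), which is the kind of layered hit a reviewer should see on one screen rather than as separate alerts.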

### 5.3 Corridor Risk Classification

| Risk Level | Corridors | Actions |
|-----------|---------|---------|
| Low | EU/EEA (PLN, EUR), UK | Standard CDD |
| Medium | Serbia (RSD), Bosnia (BAM), Turkey (TRY) | Standard CDD + lower thresholds |
| High | Pakistan (PKR) | Mandatory EDD, source of funds required |
| Blocked | FATF blacklist / EU high-risk / UN sanctions | System-level block |

---

## 6. Data Classification Scheme

| Level | Label | Description | Examples | Controls |
|-------|-------|------------|---------|---------|
| L1 | Public | Public-facing content | Landing page, marketing | None |
| L2 | Internal | Internal, low sensitivity | Internal wikis, non-PII analytics | Access control |
| L3 | Confidential | Sensitive personal or business data | User PII (name, email, phone), transaction data | Encryption + access control + logging |
| L4 | Restricted | Highest sensitivity, regulatory implications | Fødselsnummer, AML reports, JWT secrets | Field-level encryption + MFA + strict access + audit + HSM keys |

---

## 7. Consent Management

### 7.1 Consent Types Required

| Consent Type | Purpose | Status |
|-------------|---------|--------|
| Open Banking (AISP) | Reading bank account balances | Planned Phase 2 — PSD2 explicit consent required |
| Marketing emails | Email campaigns | Not implemented |
| Analytics | Product improvement | Not implemented |
| Cookie consent | Website cookies | Not implemented |

### 7.2 PSD2 Open Banking Consent Requirements

Per Betalingstjenesteloven §§ 4-41 to 4-46:
- Explicit user consent before any AISP access to bank accounts
- Consent scoped per bank account
- Re-consent required every 90 days for AISP
- Consent revocable at any time (immediate effect)
- Consent stored with timestamp, IP, and scope in `user_consents` table (planned)
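
The consent check these rules imply, as an added example that is not the project's own code: a consent record is valid only for the exact account it was scoped to, is void the moment it is revoked, and lapses after 90 days. The `Consent` fields stand in for the planned `user_consents` columns and are assumptions, as are the sample rows.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RECONSENT_PERIOD = timedelta(days=90)  # section 7.2: AISP re-consent every 90 days

@dataclass
class Consent:
    """One row of the planned user_consents table (column names are assumptions)."""
    user_id: str
    account_id: str        # consent is scoped per bank account
    scope: frozenset       # e.g. frozenset({"balances"})
    granted_at: datetime
    source_ip: str         # kept for the audit record; not part of the decision
    revoked_at: Optional[datetime] = None

def consent_allows(consents, user_id, account_id, scope, now):
    """Permit AISP access only if an unrevoked, unexpired consent for this exact
    account covers every requested scope element."""
    for c in consents:
        if c.user_id != user_id or c.account_id != account_id:
            continue
        if c.revoked_at is not None and c.revoked_at <= now:
            continue                   # revocation takes immediate effect
        if now - c.granted_at >= RECONSENT_PERIOD:
            continue                   # 90 days elapsed: user must re-consent
        if set(scope) <= c.scope:
            return True
    return False

def revoke(consents, user_id, account_id, now):
    """Revoke every live consent for the account at `now`; returns how many were revoked."""
    revoked = 0
    for c in consents:
        if c.user_id == user_id and c.account_id == account_id and c.revoked_at is None:
            c.revoked_at = now
            revoked += 1
    return revoked

# Constructed sample rows (not real users or addresses); acct-B is past the 90-day window.
UTC = timezone.utc
NOW = datetime(2026, 3, 15, 12, 0, tzinfo=UTC)
CONSENTS = [
    Consent("u1", "acct-A", frozenset({"balances"}), datetime(2026, 3, 1, tzinfo=UTC), "192.0.2.10"),
    Consent("u1", "acct-B", frozenset({"balances"}), datetime(2025, 11, 1, tzinfo=UTC), "192.0.2.10"),
]
if __name__ == "__main__":
    print("acct-A:", consent_allows(CONSENTS, "u1", "acct-A", {"balances"}, NOW))
    print("acct-B:", consent_allows(CONSENTS, "u1", "acct-B", {"balances"}, NOW))
```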

---

## 8. Audit Schedule & Methodology

| Audit Type | Frequency | Scope | Owner | Last Done | Status |
|-----------|-----------|-------|-------|----------|--------|
| Internal security review | Quarterly | Application + infrastructure | Security team | 2026-02-12 | Completed |
| Penetration test | Annual | Full scope | External firm (TBD) | Not done | Planned pre-launch |
| AML/compliance review | Annual | All AML procedures | AML Compliance Officer | Not done | Planned Phase 2 |
| GDPR compliance review | Annual | All processing activities | DPO | Not done | Planned Phase 2 |
| Vulnerability assessment | Quarterly | External attack surface | Security team | 2026-02-12 | Completed |
| Business continuity drill | Annual | DR/BCP scenarios | Operations | Not done | Planned Phase 2 |

---

## 9. Compliance Training Requirements

| Training | Audience | Frequency | Status |
|---------|---------|-----------|--------|
| AML fundamentals (hvvl.) | All staff | Annual + onboarding | Not done — required |
| GDPR fundamentals | All staff handling personal data | Annual | Not done |
| Secure coding (OWASP) | Engineering | Annual | Not done |
| Incident response tabletop | Engineering + Management | Quarterly | Not done |
| PEP/sanctions screening procedures | Compliance + customer-facing | Annual | Not done |

**Source:** `legal/hvitvaskingsrutiner.md §10`

---

## 10. Third-Party Compliance Requirements

### 10.1 Critical Vendor Register

| Vendor | Service | Tier | Certifications | DPA Signed | Status |
|--------|---------|------|---------------|----------|--------|
| BankID Norge AS | SCA / Identity | Critical | eIDAS Level High | Required | Planned |
| Sumsub | KYC/AML | Critical | SOC 2, ISO 27001 | Yes — `legal/dpa-sumsub.md` | Signed |
| Swan | Banking / payment rails | Critical | PCI-DSS, SOC 2 | Yes — `legal/dpa-swan.md` | Signed |
| Neonomics | PSD2 AISP/PISP | Critical | PSD2 license (EU) | Required | Planned |
| AWS | Infrastructure | Critical | SOC 2 Type II, ISO 27001, PCI-DSS | AWS DPA | Standard |
| Sentry | Error monitoring | High | SOC 2 | Yes — `legal/dpa-sentry.md` | Signed |

### 10.2 Outsourcing Policy

**Source:** `legal/utkontraktering-policy.md`

All material outsourcing relationships must:
- Have a written contract with DPA if processing personal data
- Include right to audit clause
- Include sub-processor approval requirements
- Have an exit strategy documented
- Be notified to Finanstilsynet if material (Finansforetaksloven § 13-7)

---

## 11. Compliance Monitoring

**Current state:** Manual tracking only. No automated compliance dashboard.

**Target metrics (Phase 2):**

| Metric | Target | Alert Threshold |
|--------|--------|----------------|
| Open Critical compliance issues | 0 | > 0 |
| KYC approval backlog | < 24h | > 48h |
| AML flagged transactions unreviewed | 0 after 24h | > 0 after 48h |
| Data subject requests overdue | 0 | > 25 days |
| License application milestones | On schedule | Any delay |
| Vendor certifications expired | 0 | > 0 |
| AML training completion | 100% | < 100% |

---

## Approval

| Role | Name | Date | Signature |
|------|------|------|-----------|
| Author | ALAI Compliance Team | 2026-02-23 | |
| DPO | TBD — appointment required | | |
| CISO | TBD — appointment required | | |
| Legal Counsel | TBD — engagement required | | |
| CEO | Alem Bašić | | |