Compliance Framework Document

Project: Drop — PSD2 Pass-Through Payment App
Version: 1.0
Date: 2026-02-23
Author: Security Architect
Status: Draft
Reviewers: DPO, Legal Counsel, CEO
Classification: Confidential

Document History

| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | 2026-02-23 | Security Architect | Initial draft — multi-jurisdiction compliance mapping |

1. Applicable Regulations

Compliance Owner: CISO / Compliance Officer ([email protected])
External Auditor: To be engaged (Phase 2)
Last Audit: 2026-02-12 (internal security audit) | Next Audit: 2026-Q3 (external pentest)

| Regulation | Applicability | Effective Date | Status |
|---|---|---|---|
| PSD2 — Betalingstjenesteloven (LOV-2018-11-23-85) | YES — core: AISP/PISP payments | In force | 8% ready (BankID Phase 2) |
| GDPR — Personopplysningsloven (LOV-2018-06-15-38) | YES — processes personal data of all Norwegian users | May 25, 2018 | 15% ready (DPIA done, processing register pending) |
| AML — Hvitvaskingsloven (LOV-2018-06-01-23) | YES — payment service provider, remittance | In force | 5% ready (procedures done, real KYC Phase 2) |
| IKT-forskriften (FOR-2003-05-21-630) | YES — financial enterprise IT security | In force | 25% ready |
| DORA (EU) 2022/2554 | YES — payment institutions (Norway EEA incorporation expected 2026 H2) | Jan 17, 2025 (EU); ~2026 H2 (NO) | Preparing |
| Finansforetaksloven (LOV-2015-04-10-17) | YES — governance, licensing | In force | 0% licensed |
| Valutaregisterloven (LOV-2004-12-17-109) | YES — all cross-border remittance | In force | Not yet registered |
| Betalingssystemloven (LOV-1999-12-17-95) | YES — payment systems | In force | Monitoring |
| Finansavtaleloven (LOV-2020-12-18-146) | YES — consumer protection | 2023 | Draft terms (vilkår) exist |

Source: legal/drop-regulatory-map-v2.md, legal/drop-gap-analysis-v2.md


2. Norway — Finanstilsynet & Core Regulatory Compliance

2.1 Finanstilsynet Licensing

Applicable law: Betalingstjenesteloven (LOV-2018-11-23-85)

| License Option | Requirement | Status |
|---|---|---|
| Begrenset betalingsforetak (§ 2-10c) | Max 6M NOK/month, simplified application | Target for Phase 1 launch |
| Ordinært betalingsforetak (§ 2-3) | 125,000 EUR capital, EEA passport | Target for Scandinavia scaling |
| Agent model (§ 2-12) | Operate under licensed PSP — fastest route | Actively exploring partners |

Current status: Not licensed. No live transactions until license or agent arrangement secured.

2.2 PSD2 / Betalingstjenesteloven Requirements

| Requirement | Article/Section | Our Implementation |
|---|---|---|
| Strong Customer Authentication (SCA) | § 4-28, Del. Reg. (EU) 2018/389 | Phase 2: BankID OIDC (possession + knowledge) |
| Dynamic linking (amount + payee) | Del. Reg. Art. 5 | Phase 2: Shown in BankID signing dialog |
| AISP — account information | § 4-41 | Phase 2: Open Banking AISP integration |
| PISP — payment initiation | § 4-44 | Phase 2: Open Banking PISP integration |
| No storing user bank credentials | § 4-44(3) | ✓ — Drop never stores bank login credentials |
| Pre-transaction fee disclosure | § 3-23 | Partial: fee shown in API, not pre-auth |
| Transaction receipt | § 3-22 to § 3-26 | Phase 1 prerequisite |
| Framework agreement (rammeavtale) | § 3-1 to § 3-8 | Draft exists: legal/brukervilkar.md |
| Execution time D+1 (EEA) / D+4 (non-EEA) | § 4-15 | Dependent on PISP partner SLA |

2.3 AML — Hvitvaskingsloven

Full procedures: legal/hvitvaskingsrutiner.md

| Requirement | Section | Our Implementation |
|---|---|---|
| Enterprise risk assessment | § 6 | Document: legal/risikovurdering-hvitvasking.md |
| Written AML procedures | § 8 | Document: legal/hvitvaskingsrutiner.md |
| Customer identification (KYC) | § 12 | BankID: name + fødselsnummer (Phase 2) |
| Electronic verification | § 12(3) | BankID qualifies as electronic verification |
| PEP screening | § 18 | Integration: ComplyAdvantage / Refinitiv (Phase 2) |
| Sanctions screening | Sanksjonsforskrifter | Integration: EU/UN/Norwegian/OFAC lists (Phase 2) |
| Transaction monitoring | § 24 | Rules defined in hvitvaskingsrutiner.md |
| STR filing to EFE (Økokrim) | § 26 | Process documented; system Phase 2 |
| No tipping off | § 28 | Policy: never inform customer of STR |
| Record keeping — 5 years | § 30 | Policy defined; technical implementation Phase 2 |
| AML officer appointment | § 8(4) | Required before licensing |

Corridor risk classification:

| Risk level | Countries/corridors | Measures |
|---|---|---|
| Low (Lav) | EU/EEA countries, United Kingdom | Standard CDD |
| Medium (Middels) | Serbia (RSD), Bosnia and Herzegovina (BAM), Turkey (TRY) | Enhanced monitoring |
| High (Høy) | Pakistan (PKR) | EDD mandatory |
| Blocked (Sperret) | FATF/EU sanctions lists | Blocked in system |

2.4 GDPR — Personopplysningsloven

See dedicated DPIA: data-protection-impact-assessment.md. Full privacy notice: legal/personvernerklaering.md.

| Article | Requirement | Our Implementation |
|---|---|---|
| Art. 5 | Data minimization, purpose limitation | Collect only necessary fields; defined purposes |
| Art. 6(1)(b) | Contract basis — core service delivery | Remittance, QR payments, account management |
| Art. 6(1)(c) | Legal obligation basis — AML/KYC | Hvitvaskingsloven §§ 4, 10-18 |
| Art. 6(1)(a) | Consent basis — AISP balance access | User grants PSD2 consent for Open Banking |
| Art. 13 | Privacy notice | legal/personvernerklaering.md — Norwegian |
| Art. 28 | Data processor agreements | DPAs required with BankID, cloud provider, Sumsub |
| Art. 30 | Register of processing activities (behandlingsprotokoll) | Pending |
| Art. 32 | Appropriate technical/organisational measures | See security-architecture.md |
| Art. 33 | 72-hour breach notification to Datatilsynet | See data-breach-response-plan.md |
| Art. 35 | DPIA for high-risk processing | Document: legal/dpia-vurdering.md |
| Art. 37 | DPO designation | DPO contact: [email protected] |

2.5 Valutaregisterloven

| Requirement | Section | Our Implementation |
|---|---|---|
| Register with SSB as reporting entity | § 3 | To be completed before first cross-border transaction |
| Report all cross-border payments | § 4 | Monthly reporting to SSB |
| Transaction data: amount, currency, country, purpose code | § 5 | recipients.country in DB schema |
| Retention — 5 years | § 6 | Policy defined |

3. Serbia — Multi-Jurisdiction Compliance

3.1 Data Protection

Applicable law: Zakon o zaštiti podataka o ličnosti (ZZPL, Sl. glasnik RS br. 87/2018) (Law on Personal Data Protection — Serbia's GDPR-aligned legislation, in force November 21, 2018)

| Requirement | Law Article | Our Implementation |
|---|---|---|
| Lawful basis for processing | ZZPL Art. 12 | Contract performance for remittance; legal obligation for AML |
| Data subject rights (access, erasure, portability) | ZZPL Art. 26-41 | Via DPO process at [email protected] |
| Data transfer outside Serbia | ZZPL Art. 64-65 | Drop's servers in Norway/EEA — transfer covered by adequacy assessment |
| Notification to Poverenik | ZZPL Art. 56 | 72-hour breach notification to Commissioner for Information of Public Importance and Personal Data Protection |
| Register of processing activities | ZZPL Art. 50 | Pending |

Transfer mechanism — Norway → Serbia:

  • Norway is EEA but not EU; Serbia has no EU adequacy decision
  • Transfer basis: Standard Contractual Clauses (SCCs) per ZZPL Art. 65 + GDPR Art. 46(2)(c)
  • Transfer Impact Assessment (TIA): Required — assess Serbian law on government data access
  • Minimal data transferred: Only the sender's name (legally required) + recipient's name/IBAN + amount

3.2 AML

Applicable law: Zakon o sprečavanju pranja novca i finansiranja terorizma (ZoPNFT, Sl. glasnik RS br. 113/2017, 91/2019, 153/2020) (Law on Prevention of Money Laundering and Terrorism Financing)

| Requirement | Our Role |
|---|---|
| Correspondent bank in Serbia performs CDD on recipients | Correspondent bank responsibility |
| Drop provides complete sender information per FATF Recommendation 16 | ✓ — name, account, reference |
| Serbian NBS (Narodna banka Srbije) oversight of payment systems | Via correspondent bank |

3.3 Payment Services

Applicable law: Zakon o platnim uslugama (Sl. glasnik RS br. 139/2014, 44/2018) (Law on Payment Services — Serbia's PSD2-equivalent)

Drop operates as a foreign PSP transferring funds to Serbia via correspondent banking. Direct license from NBS not required for outbound remittance from Norway. Correspondent bank in Serbia holds required NBS license.


4. Bosnia and Herzegovina — Multi-Jurisdiction Compliance

4.1 Data Protection — Entity-Level Regulation

Bosnia and Herzegovina has two entities with separate data protection legislation:

Federation of BiH (FBiH):

  • Applicable law: Zakon o zaštiti ličnih podataka (ZZLP BiH, Sl. glasnik BiH br. 49/2006, 76/2011, 89/2011) (Personal Data Protection Law — state-level, administered by Agencija za zaštitu ličnih podataka — AZLP)

Republika Srpska:

  • Same state-level law applies across both entities for personal data protection
  • AZLP (Agency for Personal Data Protection of BiH) is the supervisory authority for the entire country

| Requirement | Law Article | Our Implementation |
|---|---|---|
| Lawful basis | ZZLP Art. 4 | Contract + legal obligation |
| Security measures | ZZLP Art. 14 | TLS 1.3, AES-256, bcrypt |
| Data transfer to third countries | ZZLP Art. 18 | Norway is not in EU — adequacy assessment per ZZLP + SCCs |
| Breach notification to AZLP | ZZLP + GDPR practice | 72-hour notification |

Transfer mechanism — Norway → BiH:

  • No adequacy decision for BiH from EU/Norway
  • Transfer basis: SCCs + TIA
  • Minimal data: sender name + recipient name/IBAN/BAM amount

4.2 AML

Applicable law: Zakon o sprečavanju pranja novca i finansiranja terorističkih aktivnosti (ZSPNFiTA BiH, Sl. glasnik BiH br. 47/2014, 46/2017) (Law on Prevention of Money Laundering and Financing of Terrorist Activities — BiH)

Supervisory authority: Ured za sprečavanje pranja novca (USPN) — FATF/MONEYVAL member

| Requirement | Our Role |
|---|---|
| Complete sender information on transfers | ✓ — FATF Rec. 16 compliant |
| Correspondent bank performs beneficiary CDD | Correspondent bank responsibility |
| BAM corridor classified as "Middels" (medium) risk | Higher monitoring thresholds apply |

4.3 Payment Services

Applicable law: Zakon o platnom prometu (FBiH); Zakon o platnim transakcijama (RS)
Regulator: Centralna banka Bosne i Hercegovine (CBBH)

Drop transfers to BiH via correspondent banking; no direct CBBH license required for Norwegian outbound remittance.


5. Croatia — Multi-Jurisdiction Compliance

5.1 Data Protection

Croatia is an EU member state — GDPR applies directly.

| Requirement | Our Implementation |
|---|---|
| GDPR (Regulation (EU) 2016/679) directly applicable | Full GDPR compliance required — see §2.4 |
| AZOP (Agencija za zaštitu osobnih podataka) as supervisory authority | Breach notification within 72h to AZOP |
| Zakon o provedbi Opće uredbe o zaštiti podataka (NN 42/2018) | Croatian implementing legislation — aligns with GDPR |

Transfer mechanism — Norway → Croatia:

  • Croatia is EU — no restriction on EEA→EU data transfer
  • Drop (Norway/EEA) → Croatia (EU): Free flow under GDPR Chapter V + EEA Agreement
  • No SCCs required; no TIA required

5.2 AML

Applicable law: Zakon o sprečavanju pranja novca i financiranja terorizma (ZSPMFT, NN 108/2017, 39/2019, 151/2022) (Law on Prevention of Money Laundering and Terrorist Financing — Croatia)

Supervisory authority: Ured za sprječavanje pranja novca (USPM) — FATF member as EU state

| Requirement | Our Role |
|---|---|
| Complete sender information — EU Wire Transfer Regulation (2015/847) applies | ✓ — name, IBAN, reference |
| Croatian bank performs beneficiary CDD | Correspondent bank (Croatian HNB-licensed institution) |
| Croatia corridor: EUR — EU/EEA — Low risk | Standard CDD thresholds |

5.3 Payment Services

Applicable law: Zakon o platnom prometu (NN 66/2018 — Croatian PSD2 implementation)
Regulator: Hrvatska narodna banka (HNB)

EU Wire Transfer Regulation (2015/847) applies directly. Drop must include complete originator information on all transfers to Croatia. No direct HNB license required for Norwegian outbound remittance via correspondent banking.


6. Cross-Border Data Transfer Summary

| From | To | Mechanism | TIA Required | DPA Required | Notes |
|---|---|---|---|---|---|
| Norway (EEA) | Serbia | SCCs (2021) + TIA | Yes | Yes | No adequacy decision |
| Norway (EEA) | BiH | SCCs (2021) + TIA | Yes | Yes | No adequacy decision |
| Norway (EEA) | Croatia | EEA→EU free flow | No | N/A | EU member state |
| Norway (EEA) | Turkey | SCCs (2021) + TIA | Yes | Yes | No adequacy decision; higher risk |
| Norway (EEA) | Pakistan | SCCs (2021) + TIA + supplementary measures | Yes | Yes | High-risk jurisdiction |
| Norway (EEA) | Poland | EEA→EU free flow | No | N/A | EU member state |

Data minimization for all transfers:

  • Sender: Full name only (lawfully required per FATF/EU 2015/847)
  • Recipient: Name + account/IBAN only
  • Never transferred: fødselsnummer, IP address, device ID, transaction history

7. Data Classification Scheme

| Level | Label | Description | Examples | Controls Required |
|---|---|---|---|---|
| L1 | Public | Intended for public access | Exchange rates, fee schedule, privacy policy | None |
| L2 | Internal | Internal use only | Internal wikis, non-PII analytics, logs (masked) | Access control |
| L3 | Confidential | Sensitive personal or business data | User names, phone, email, transaction history, KYC status | Encryption + access control + logging |
| L4 | Restricted | Highest sensitivity, regulatory implications | Fødselsnummer, bank account numbers, KYC documents, JWT_SECRET, BankID certificates | Field-level encryption + MFA + strict access + audit + 5-year retention |


9. Data Subject Rights — Implementation

| Right | Endpoint / Process | SLA | Automated? |
|---|---|---|---|
| Access (SAR) | [email protected] → data export | 30 days | Partial |
| Rectification | App Settings → Edit Profile | Immediate | Yes |
| Erasure | [email protected] → anonymize job | 30 days | Partial (AML retention exceptions) |
| Portability | Data export (JSON/CSV) | 30 days | Planned |
| Restriction | Support request → compliance flag | 30 days | No (manual) |
| Objection | [email protected] | 30 days | No (manual) |
| Automated decision opt-out | Fraud detection manual review request | 30 days | Partial |

Identity verification for rights requests: BankID verification (same as login).


10. Audit Schedule & Methodology

| Audit Type | Frequency | Scope | Owner | Last Done | Next Due |
|---|---|---|---|---|---|
| Internal access review | Quarterly | All user accounts + permissions | Security team | 2026-02-13 | 2026-05-13 |
| Vulnerability assessment | Quarterly | External attack surface | Security / external | 2026-02-12 | 2026-05-12 |
| Penetration test | Annual | Full scope | External firm (TBD) | Not yet done | 2026-Q3 |
| AML program review | Annual | Full AML program | Compliance + external | Draft only | Pre-launch |
| GDPR compliance review | Annual | All processing activities | DPO | 2026-02-12 (DPIA) | 2027-02-12 |
| DORA readiness review | Annual | ICT resilience | CISO + external | Not yet | 2026-Q4 |
| Third-party risk review | Annual | BankID, cloud provider, Sumsub | Compliance | Not yet | Pre-launch |

11. Compliance Training Requirements

| Training | Audience | Frequency | Format |
|---|---|---|---|
| Security awareness + phishing | All staff | Annual + onboarding | Online + simulation |
| GDPR / personopplysningsloven fundamentals | All staff handling personal data | Annual | Online |
| AML / hvitvaskingsloven — basic course | All staff | At employment + annual | Online |
| AML / hvitvaskingsloven — advanced | Compliance, operations | Annual | Workshop |
| PEP and sanctions | Compliance, operations | Annual | Online |
| Secure coding | Engineering | Annual | Workshop |
| Incident response tabletop | Engineering + Management | Annual | Tabletop exercise |

12. Critical Vendor Compliance Register

| Vendor | Service | Tier | Requirements | DPA Status |
|---|---|---|---|---|
| BankID Norge AS | Norwegian eID authentication | Critical | SOC 2, ISO 27001 | Required — data processor agreement (databehandleravtale) |
| AWS App Runner | Application hosting | Critical | SOC 2 Type II, ISO 27001, PCI-DSS | Standard AWS DPA |
| Cloudflare | WAF + DDoS + CDN | Critical | SOC 2 Type II, ISO 27001 | Cloudflare DPA |
| Sumsub | KYC/AML identity verification | Critical | SOC 2, ISO 27001, GDPR | Required — DPA |
| Sentry | Error monitoring | High | SOC 2 | Sentry DPA |
| BetterStack | Uptime + log monitoring | High | SOC 2 | BetterStack DPA |

Approval

| Role | Name | Date | Signature |
|---|---|---|---|
| Author | Security Architect | 2026-02-23 | |
| DPO | | | |
| CISO | | | |
| Legal Counsel | | | |
| CEO / Management | | | |