Compliance Framework
Compliance Framework Document
Project / Organization: ALAI Holding AS — Drop Payment App
Policy Number: POL-COMP-FW-001
Version: 1.0
Date: 2026-02-23
Author: Security Architect
Status: Draft
Reviewers: DPO, Legal Counsel, CEO
Classification: Confidential
Document History
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | 2026-02-23 | Security Architect | Initial draft — Drop payment app multi-jurisdiction compliance mapping |
1. Applicable Regulations
Compliance Owner: Security Architect / DPO ([email protected])
Company: ALAI Holding AS (org.nr 932 516 136), incorporated in Norway
Domain: getdrop.no
Business Model: PSD2 pass-through payment app — NEVER holds customer money; AISP reads bank balances, PISP initiates payments from the user's bank account.
Service: Remittance to 30+ countries + QR payments in Norway
Users: All residents of Norway, 18+ years, with Norwegian BankID
Primary Jurisdiction: Norway
Drop is incorporated in Norway under Norwegian law. All primary regulatory obligations flow from Norwegian legislation and Finanstilsynet supervision.
| Regulation | Norwegian Law | Relevance |
|---|---|---|
| PSD2 (Payment Services) | Betalingstjenesteloven (LOV-2018-11-23-85) | Core — legal basis for payment operations |
| AML/CFT | Hvitvaskingsloven (LOV-2018-06-01-23) + Hvitvaskingsforskriften (FOR-2018-09-14-1324) | Core — anti-money laundering obligations |
| GDPR | Personopplysningsloven (LOV-2018-06-15-38) | Core — personal data protection |
| Financial Enterprises | Finansforetaksloven (LOV-2015-04-10-17) | Licensing, governance, capital requirements |
| ICT Security | IKT-forskriften (FOR-2003-05-21-630) | ICT security for financial enterprises |
| Digital Operational Resilience | DORA (EU) 2022/2554 | Norway incorporation expected ~2026 H2 |
| Currency Registry | Valutaregisterloven (LOV-2003-06-06-39) | Cross-border payment reporting to SSB |
| Consumer Protection | Finansavtaleloven (LOV-2020-11-13-125) | Payment terms, user rights, fee transparency |
| Electronic Signatures | eIDAS / LOV-2001-06-15-81 | BankID as qualified electronic identification |
Remittance Corridor Jurisdictions
Drop sends remittances to 30+ countries. Regulatory obligations in these corridors:
| Destination Region | Key Regulations | Drop Obligations |
|---|---|---|
| EU/EEA (Eurozone, Croatia, etc.) | GDPR (free data flow), EU AML | Standard KYC; no SCCs needed for data |
| Serbia | ZZPL (Zakon o zaštiti podataka, LOV RS 87/2018) | Standard KYC; SCC + TIA for data transfers |
| Bosnia & Herzegovina | ZZLP (Zakon o zaštiti ličnih podataka, SG BiH 49/06) | Standard KYC; SCC + TIA for data transfers |
| Turkey | Turkish Personal Data Protection Law (KVKK 6698/2016) | FATF monitoring list — enhanced KYC |
| Pakistan | Pakistan Personal Data Protection Act | FATF monitoring — enhanced due diligence |
Note: Drop's obligations in corridor jurisdictions are primarily fulfilled by the receiving payment institution. Drop's direct obligations are Norwegian-law based, supplemented by GDPR requirements for cross-border data transfers.
2. Licensing
Current Status
Drop is an MVP-stage application. No Finanstilsynet license has been obtained. Live transactions with real money are NOT permitted until a license is in place.
Licensing Pathway
Recommended path: Agent model (Option C) for initial launch, then full license (Option B) for scale.
Option A: Begrenset betalingsforetak (Limited Payment Institution)
Law: Betalingstjenesteloven § 2-10c
| Requirement | Detail |
|---|---|
| Monthly transaction volume | Max 6 million NOK/month (12-month average) |
| Capital requirement | None |
| Application timeline | 3-6 months |
| EEA passporting | NO — Norway only |
| Fit & proper | Directors and beneficial owners |
| AML | Full compliance required |
Drop fit: Initial launch — allows ~3,000 remittances of 2,000 NOK average/month.
Option B: Ordinært betalingsforetak (Full Payment Institution)
Law: Betalingstjenesteloven §§ 2-3 to 2-10
| Requirement | Detail |
|---|---|
| Initial capital | 125,000 EUR (~1.4M NOK) for remittance services |
| Application timeline | 6-12 months |
| EEA passporting | YES — enables Sweden/Denmark |
| Governance | Board, compliance officer, internal audit |
| Safeguarding | Client funds in segregated account or guarantee |
Drop fit: Target license for Scandinavian scale.
Option C: Agent Model (recommended for Phase 1)
Law: Betalingstjenesteloven § 2-12
| Requirement | Detail |
|---|---|
| Structure | Drop operates as agent of licensed payment institution |
| Capital | None required from Drop |
| Timeline | 1-3 months |
| Liability | Principal (licensed PSP) is responsible |
Target partners: Licensed Norwegian PSPs or BaaS providers (Swan, Modulr, Banking Circle).
3. PSD2 / Betalingstjenesteloven
Strong Customer Authentication (SCA)
Law: Betalingstjenesteloven §§ 4-28, 4-29; Delegated Regulation (EU) 2018/389
| Requirement | Section | Status |
|---|---|---|
| Two-factor authentication | § 4-28 | Phase 2: BankID (possession + knowledge) |
| Dynamic linking | Art. 5 (Del. Reg.) | Phase 2: amount + payee tied to BankID signing |
| 90-day re-authentication | Art. 10 (Del. Reg.) | Phase 2 |
| Low-value exemption (<500 NOK) | Art. 10-18 | Phase 2 |
Current state: Email + password only. SCA required for production launch.
Required implementation (Phase 2):
- BankID OIDC for initial login (Level 4 eID)
- Transaction signing with BankID for all payment initiation
- Dynamic linking: display amount + payee in BankID signing dialog
- Session timeout and re-authentication after 5 minutes inactivity
Open Banking (AISP/PISP)
Law: Betalingstjenesteloven §§ 4-40 to 4-46
| Service | Law | Requirement |
|---|---|---|
| AISP (read bank balances) | § 4-41 | AISP license or agent arrangement; explicit user consent |
| PISP (initiate payments) | § 4-44 | PISP license or agent arrangement; no storing bank credentials |
| Dedicated interface | § 4-40 | Use banks' PSD2 APIs (Bits, Tink, or direct bank APIs) |
Consumer Information Requirements
Law: Betalingstjenesteloven kapittel 3 and 4; Finansavtaleloven
| Requirement | Section | Document |
|---|---|---|
| Pre-contractual information | §§ 3-1 to 3-8 | Framework agreement (rammeavtale) |
| Per-transaction information | §§ 3-22 to 3-26 | Transaction receipts |
| Fee transparency before authorization | § 3-23 | Pre-auth disclosure screen |
| Exchange rate disclosure | § 3-24 | FX rate + reference rate shown before confirmation |
| Execution time (non-EEA) | § 4-15 | Max D+4 business days |
| Complaint handling | § 3-60 | Klagebehandling procedure |
4. AML/KYC — Hvitvaskingsloven
Customer Due Diligence (CDD)
Law: Hvitvaskingsloven §§ 10-18
| Requirement | Section | Drop Implementation |
|---|---|---|
| Identity verification | § 12 | BankID (covers name + fødselsnummer + DOB) |
| Electronic verification | § 12(3) | BankID is approved electronic method |
| Source of funds (large amounts) | § 15 | Trigger above thresholds |
| Purpose of relationship | § 12(1)d | Registration questionnaire |
| Ongoing monitoring | § 24 | Transaction monitoring system |
| Record retention | § 30 | 5 years after relationship ends |
KYC Tiers
| Tier | Limit | Requirements | Corridor Risk |
|---|---|---|---|
| Basic | Up to 1,000 NOK/transaction, 5,000 NOK/month | BankID verification only | Lav (Low) — EU/EEA |
| Standard | Up to 10,000 NOK/transaction, 30,000 NOK/month | BankID + address verification | Middels (Medium) — Serbia, BiH |
| Enhanced | Above 10,000 NOK/transaction | Full EDD: source of funds + senior management approval | Høy (High) — Pakistan, Turkey (FATF) |
| Blocked | Any amount | Sanctioned countries/individuals | Blokkert — OFAC/UN/EU sanctioned |
Transaction Monitoring Rules
Law: Hvitvaskingsloven §§ 24, 25
Transactions that must trigger investigation:
- Structuring — multiple transactions just below reporting thresholds
- Rapid movement — large in/out within same day
- Unusual corridors — sudden change in destination country
- Volume spikes — significantly above customer's historical pattern
- FATF jurisdiction — any transaction to FATF grey/black list countries
- PEP match — customer or recipient on PEP list
Reporting: Suspicious Transaction Reports (STR) filed with EFE (Enheten for finansiell etterretning) via altinn.no. Tipping off the customer is prohibited (§ 28).
AML Risk Classification — Corridor Risk
| Corridor | Risk Level | Rationale |
|---|---|---|
| EU/EEA countries | Lav (Low) | Strong AML frameworks, FATF compliant |
| Croatia (HR) | Lav (Low) | EU member state |
| Serbia (RS) | Middels (Medium) | FATF member, not EU; targeted remittance risk |
| Bosnia & Herzegovina (BA) | Middels (Medium) | Enhanced monitoring; cash economy |
| Turkey (TR) | Høy (High) | FATF grey list (monitoring); elevated corridor risk |
| Pakistan (PK) | Høy (High) | FATF monitoring; common remittance corridor |
| OFAC/UN sanctioned countries | Blokkert | Transactions blocked entirely |
Source: ~/ALAI/products/Drop/legal/hvitvaskingsrutiner.md
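As an added illustration (not Drop's own code or that of any vendor), the KYC tiers, corridor risk table and transaction monitoring rules above expressed as a single screening function; the count and ratio thresholds marked as assumptions and the sample history are constructed for the example:

```javascript
// Added example (not Drop's own code): screens a remittance against the KYC
// tiers, corridor risk table and monitoring rules of section 4. Numeric
// thresholds marked "assumption" and the sample history are constructed.

// Corridor risk from section 4 (ISO codes as used in the table).
const CORRIDOR_RISK = { HR: 'Lav', RS: 'Middels', BA: 'Middels', TR: 'Høy', PK: 'Høy' };
const EDD_LIMIT_NOK = 10000;      // above this per transaction: Enhanced tier
const NEAR_LIMIT_RATIO = 0.9;     // assumption: "just below" = 90%..100% of limit
const NEAR_LIMIT_COUNT = 3;       // assumption: 3+ near-limit sends in a month
const SPIKE_FACTOR = 3;           // assumption: > 3x historical average amount
const MIN_HISTORY = 3;            // assumption: pattern rules need 3 prior txs

// KYC tier from the limits table; exceeding the Standard monthly cap is treated
// as Enhanced (assumption: no tier between Standard and Enhanced).
function kycTier(amountNok, monthTotalNok) {
  if (amountNok > EDD_LIMIT_NOK || monthTotalNok > 30000) return 'Enhanced';
  if (amountNok > 1000 || monthTotalNok > 5000) return 'Standard';
  return 'Basic';
}

// tx / history entries: { amount (NOK), country (ISO-2), date: 'YYYY-MM-DD' }.
// Returns the tier, corridor risk and the monitoring alerts that fired.
function screen(tx, history, pepHit = false) {
  const alerts = [];
  const risk = CORRIDOR_RISK[tx.country] ?? 'Høy'; // unknown corridor: treat as high
  if (risk === 'Høy') alerts.push('FATF_JURISDICTION');
  if (pepHit) alerts.push('PEP_MATCH');
  if (tx.amount > EDD_LIMIT_NOK) alerts.push('EDD_REQUIRED');
  const month = tx.date.slice(0, 7);
  const thisMonth = [...history, tx].filter(h => h.date.slice(0, 7) === month);
  const monthTotal = thisMonth.reduce((s, h) => s + h.amount, 0);
  // Structuring: repeated amounts just under the EDD limit within the month.
  const nearLimit = thisMonth.filter(
    h => h.amount >= NEAR_LIMIT_RATIO * EDD_LIMIT_NOK && h.amount <= EDD_LIMIT_NOK);
  if (nearLimit.length >= NEAR_LIMIT_COUNT) alerts.push('STRUCTURING');

  if (history.length >= MIN_HISTORY) {
    // Unusual corridor: a destination the customer has never sent to before.
    if (!history.some(h => h.country === tx.country)) alerts.push('UNUSUAL_CORRIDOR');
    // Volume spike: amount far above the customer's historical average.
    const avg = history.reduce((s, h) => s + h.amount, 0) / history.length;
    if (tx.amount > SPIKE_FACTOR * avg) alerts.push('VOLUME_SPIKE');
  }
  return { tier: kycTier(tx.amount, monthTotal), corridorRisk: risk,
           alerts, investigate: alerts.length > 0 };
}

// Constructed sample: three 9,500 NOK sends to Serbia in one month.
const SAMPLE_HISTORY = [
  { amount: 1800, country: 'RS', date: '2026-02-10' },
  { amount: 9500, country: 'RS', date: '2026-03-02' },
  { amount: 9500, country: 'RS', date: '2026-03-09' },
];
const SAMPLE_TX = { amount: 9500, country: 'RS', date: '2026-03-16' };
console.log(screen(SAMPLE_TX, SAMPLE_HISTORY));
```

The sample stays in the Standard tier by amount yet fires the structuring rule, which is the point of that rule: tier limits alone do not catch it.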
5. GDPR / Personopplysningsloven
Legal Bases for Processing
Law: GDPR Art. 6; Personopplysningsloven (LOV-2018-06-15-38)
| Processing Activity | Legal Basis | Norwegian Law Reference |
|---|---|---|
| User registration | Contract performance | Personopplysningsloven § 5, GDPR Art. 6(1)(b) |
| KYC identity verification | Legal obligation | Personopplysningsloven § 6, GDPR Art. 6(1)(c) + Hvitvaskingsloven § 12 |
| Payment processing | Contract performance | Personopplysningsloven § 5, GDPR Art. 6(1)(b) |
| Transaction monitoring (AML) | Legal obligation | Personopplysningsloven § 6, GDPR Art. 6(1)(c) + Hvitvaskingsloven § 24 |
| Fødselsnummer processing | Special legal basis | Personopplysningsloven § 12 (requires specific legal basis) |
| Error monitoring (Sentry) | Legitimate interest | GDPR Art. 6(1)(f) |
| Marketing | Consent | GDPR Art. 6(1)(a) |
Data Subject Rights
| Right | GDPR Article | Drop Implementation |
|---|---|---|
| Right to access | Art. 15 | Profile page + data export endpoint |
| Right to rectification | Art. 16 | Profile edit |
| Right to erasure | Art. 17 | Account deletion — 30-day retention for AML override |
| Right to restriction | Art. 18 | Manual processing by DPO |
| Right to portability | Art. 20 | JSON export |
| Right to object | Art. 21 | Opt-out for marketing |
| Right to withdraw consent | Art. 7(3) | Consent management UI |
Retention conflict: GDPR Art. 17 (erasure) vs. Hvitvaskingsloven § 30 (5-year AML retention). AML retention takes precedence — user data anonymized after account close, transaction records retained 5 years.
Data Classification
| Level | Label | Examples | Encryption Required |
|---|---|---|---|
| L1 | Public | Exchange rates, fee schedule, getdrop.no content | No |
| L2 | Internal | System logs, performance metrics, error traces | No (TLS) |
| L3 | Confidential | Names, email, phone, transaction history, bank balances | TLS + AES-256 at rest |
| L4 | Restricted | Fødselsnummer (national ID), KYC documents, BankID sub | TLS + AES-256-GCM field encryption (separate key) |
Data Inventory
| Data Category | Classification | Retention | Legal Basis |
|---|---|---|---|
| Name | L3 Confidential | Life of account + 5 years (AML) | Contract |
| Email | L3 Confidential | Life of account | Contract |
| Phone number | L3 Confidential | Life of account | Contract |
| Fødselsnummer | L4 Restricted | 5 years (AML) | Legal obligation |
| BankID sub | L4 Restricted | 5 years (AML) | Legal obligation |
| KYC documents | L4 Restricted | 5 years (AML) | Legal obligation |
| Transaction records | L3 Confidential | 5 years (AML) + accounting | Legal obligation |
| Bank account balances | L3 Confidential | Session only — not persisted | Contract |
| IP addresses / logs | L2 Internal | 90 days | Legitimate interest |
DPIA
A Data Protection Impact Assessment (DPIA) has been conducted. Document: data-protection-impact-assessment.md
DPIA trigger: Processing of fødselsnummer at scale, BankID integration, cross-border transfers to Serbia/BiH.
Cross-Border Data Transfers
| Destination | Transfer Mechanism | Safeguards |
|---|---|---|
| EU/EEA (AWS Frankfurt, Cloudflare EU) | Free flow (EEA to EEA) | Standard GDPR protections |
| Croatia (HR) | Free flow (EEA → EU) | Standard GDPR protections |
| Serbia (RS) | No adequacy decision | SCCs (Standard Contractual Clauses) + Transfer Impact Assessment (TIA) |
| Bosnia & Herzegovina (BA) | No adequacy decision | SCCs + Transfer Impact Assessment (TIA) |
| USA (AWS, Sentry, BetterStack) | No adequacy decision | SCCs + DPA signed |
Note: Serbia and Bosnia & Herzegovina do not have EU adequacy decisions. All data transfers involving these countries require SCCs and a documented TIA before data flows.
6. ICT Security — IKT-forskriften / DORA
IKT-forskriften (FOR-2003-05-21-630)
Currently applicable to financial enterprises in Norway.
| Requirement | Sections | Status |
|---|---|---|
| ICT security policy | §§ 5-6 | Document: ikt-sikkerhetspolicy.md — Draft |
| Incident handling | § 8 | Document: hendelseshaandtering.md — Draft |
| Business continuity | § 9 | Document: beredskapsplan.md — Draft |
| Outsourcing policy | § 10 | Document: utkontraktering-policy.md — Draft |
| Access control | § 5 | Implemented: RBAC, session revocation, JWT |
| Encryption | § 6 | Implemented: TLS 1.3, AES-256, bcrypt(12) |
DORA (EU) 2022/2554
DORA is expected to be incorporated into Norwegian law approximately 2026 H2 (via EEA Agreement).
| DORA Requirement | Article | Drop Plan |
|---|---|---|
| ICT risk management framework | Art. 6 | Mapped to IKT-forskriften currently |
| ICT incident classification | Art. 18 | Breach response plan covers this |
| Major incident reporting | Art. 19 | Finanstilsynet + Datatilsynet within 72h |
| Digital operational resilience testing | Art. 24-25 | Annual pentest planned (Phase 3) |
| ICT third-party risk management | Art. 28-44 | Outsourcing policy + DPAs |
| Encryption standards | Art. 9(4)(d) | AES-256-GCM, TLS 1.3 |
7. Valutaregisterloven
Law: Valutaregisterloven (LOV-2003-06-06-39)
All cross-border payment service providers must report transactions to Statistisk sentralbyrå (SSB) and Norges Bank.
| Requirement | Threshold | Reporting Recipient |
|---|---|---|
| Cross-border transactions | All (> 0 NOK) | SSB via Valutaregisteret |
| Aggregate statistics | Monthly | Norges Bank |
| Format | XML via SSB API | Valutaregisteret |
Implementation: Phase 2 — automated reporting pipeline to Valutaregisteret for all completed remittances.
8. Compliance Gap Summary
Overall compliance readiness: 8/100 (MVP stage — expected)
| Area | Readiness | Gap |
|---|---|---|
| Licensing (Finanstilsynet) | 0% | No license — no live transactions permitted |
| PSD2 / SCA | 10% | BankID not implemented; SCA not in place |
| AML/KYC | 5% | Mock KYC only; no real identity verification |
| GDPR | 15% | Privacy notice + DPIA drafted; no DPO appointed |
| ICT Security | 25% | Security hardened (post 2026-02-13); pentest pending |
| Valutaregisterloven | 0% | No SSB reporting pipeline |
| Consumer Protection | 20% | Terms drafted; no formal complaints process |
Phase 2 completion target: 60% (licensing + BankID + real KYC + GDPR implementation)
Phase 3 completion target: 85% (pentest + Valutaregisteret + full GDPR + DPO)
9. Compliance Monitoring Plan
Monthly Checks
- npm audit — dependency vulnerability check
- Review Sentry errors for security-relevant issues
- BetterStack uptime + alert review
- Transaction volume check against license threshold (after licensing)
Quarterly Checks
- KYC data retention audit (5-year AML retention compliance)
- GDPR data subject rights fulfillment review
- JWT_SECRET rotation (quarterly per key management policy)
- Review of AML transaction monitoring rules effectiveness
- Security exceptions review
Annual Checks
- External security penetration test (required before Phase 3 launch)
- AML risk assessment review (Hvitvaskingsloven § 6)
- DPIA review (GDPR Art. 35 — when processing changes materially)
- All encryption keys rotation audit
- Regulatory change review — Finanstilsynet circulars
- DPAs review (AWS, Cloudflare, Sentry, BetterStack, Sumsub, BankID Norge AS)
10. Third-Party Compliance
All third-party processors of personal data require a signed Data Processing Agreement (DPA).
| Vendor | Role | DPA Status | Data Transferred |
|---|---|---|---|
| AWS (Frankfurt, Ireland) | Infrastructure + hosting | Required | All data |
| Cloudflare (EU edge) | CDN, WAF, DDoS | Required | Request metadata, IPs |
| Sentry | Error monitoring | Required | Error data, stack traces |
| BetterStack | Uptime + logs | Required | Log data |
| Sumsub | KYC verification (Phase 2) | Required | Name, photo ID, fødselsnummer |
| BankID Norge AS | eID authentication (Phase 2) | Required | Name, fødselsnummer, DOB |
| Marqeta / Lithic | Card issuance (Phase 3) | Required | Payment data (PCI-DSS) |
DPA requirement source: GDPR Art. 28; Personopplysningsloven § 5
11. Document Register
| Document | File | Status | Owner |
|---|---|---|---|
| Privacy notice | personvernerklaering.md | Draft | DPO |
| DPIA | dpia-vurdering.md | Draft | DPO |
| Terms of service | brukervilkar.md | Draft | Legal |
| AML procedures | hvitvaskingsrutiner.md | Draft | Compliance |
| AML risk assessment | risikovurdering-hvitvasking.md | Draft | Compliance |
| ICT security policy | ikt-sikkerhetspolicy.md | Draft | Security |
| Incident handling | hendelseshaandtering.md | Draft | Security |
| Business continuity | beredskapsplan.md | Draft | Operations |
| Outsourcing policy | utkontraktering-policy.md | Draft | Legal |
| Internal control | internkontroll.md | Draft | Compliance |
| Suitability assessment | egnethetsvurdering.md | Draft | Legal |
| Complaint handling | klagebehandling.md | Draft | Operations |
| Licensing preparation | konsesjonssoknad-forberedelse.md | Draft | Legal |
| Gap analysis | drop-gap-analysis-v2.md | Complete | Compliance |
| Regulatory map | drop-regulatory-map-v2.md | Complete | Legal |
| Security architecture | security-architecture.md | Draft | Security |
| Encryption policy | data-encryption-policy.md | Draft | Security |
| Key management policy | key-management-policy.md | Draft | Security |
| Breach response plan | data-breach-response-plan.md | Draft | Security |
| Security testing policy | security-testing-policy.md | Draft | Security |
Approval
| Role | Name | Date | Signature |
|---|---|---|---|
| Author | Security Architect | 2026-02-23 | |
| DPO | | | |
| Legal Counsel | | | |
| CEO | | | |