
Compliance Framework

Compliance Framework Document

Project: Bilko Balkan Accounting SaaS / Drop Fintech Payment App (ALAI Holding AS)
Version: 1.0
Date: 2026-02-23
Author: ALAI Compliance Architect / ALAI Compliance Team
Status: Draft
Reviewers: DPO, Legal Counsel, CEO
Classification: Confidential

Document History

Version | Date | Author | Changes
0.1 | 2026-02-12 | Compliance Agent (ALAI) | Initial gap analysis and regulatory mapping
0.1 | 2026-02-23 | Compliance Architect (ALAI) | Initial draft RS/BA/HR three-country compliance mapping
1.0 | 2026-02-23 | Security Architect (ALAI) | Framework document

1. Applicable Regulations

Compliance Owner: Compliance Architect ([email protected])
Last Review: 2026-02-23 | Next Review: 2026-08-23

Overall Compliance Readiness (MVP stage, 13): 8/100 — Pre-production MVP. No live transactions.

Norwegian regulations (Drop):

Regulation | Norwegian Law | Applicability | Status
PSD2 | Betalingstjenesteloven (LOV-2018-11-23-85) | Core payment services regulation | 10% ready
AML/KYC | Hvitvaskingsloven (LOV-2018-06-01-23) | Core — anti-money laundering | 5% ready
GDPR | Personopplysningsloven (LOV-2018-06-15-38) | Core — personal data protection | 15% ready
ICT Security | IKT-forskriften / DORA (EU) 2022/2554 | Required for financial enterprises | 25% ready
Financial Enterprise | Finansforetaksloven (LOV-2015-04-10-17) | Licensing and governance | 0% ready
Currency Registry | Valutaregisterloven (LOV-2004-12-17-109) | Cross-border payment reporting | 0% ready
Consumer Protection | Finansavtaleloven (LOV-2020-12-18-146) | User rights | Partial

Balkan regulations (Bilko):

Regulation | Country | Phase
GDPR Regulation (EU) 2016/679 | HR | Phase 1
Zakon o zaštiti podataka o ličnosti (ZZPL, Sl. glasnik RS 87/2018) | RS

Source: legal/drop-regulatory-map-v2.md, legal/drop-gap-analysis-v2.md

Compliance Owner: Alem Bašić, CEO/CISO — ALAI Holding AS ([email protected])
External Auditor: TBD — requires appointment before license application
Last Audit: 2026-02-12 (internal security audit) | Next Audit: TBD (prior to license application)


2. GDPR Compliance

Source: legal/personvernerklaering.md, legal/dpia-vurdering.md, legal/drop-regulatory-map-v2.md §4

2.1 Requirements Summary

Article | Requirement | Our Implementation | Status
Art. 5 | Data minimization, purpose limitation | Only collect necessary fields; DPIA documents necessity | Partial
Art. 6 | Lawful basis for processing | See §2.2 | Partial
Art. 7 | Consent — specific, informed, unambiguous | Consent management TBD | Not implemented
Art. 13/14 | Privacy notice at collection | legal/personvernerklaering.md (draft, Norwegian) | Draft exists
Art. 17 | Right to erasure | TBD — account deletion flow not built | Planned Phase 2
Art. 20 | Right to data portability | TBD — data export feature planned | Planned Phase 2
Art. 25 | Privacy by design and default | Pass-through model minimizes data held | Architectural
Art. 30 | Records of processing activities | legal/behandlingsprotokoll.md — TBD | Not created
Art. 32 | Appropriate security measures | See security-architecture.md | Partial
Art. 33 | 72-hour breach notification | See data-breach-response-plan.md | Documented
Art. 35 | DPIA for high-risk processing | legal/dpia-vurdering.md | Draft exists
Art. 37 | DPO designation | TBD — not yet appointed | Not done
Art. 44 | Cross-border transfers | SCCs required — see §2.4 | Planned

2.2 Lawful Basis Inventory

Processing Activity | Lawful Basis | Legal Basis Document | Retention
Account creation and management | Contract (Art. 6.1.b) | legal/brukervilkar.md (Terms) | Duration + 2 years
Payment initiation (PISP) | Contract (Art. 6.1.b) | legal/brukervilkar.md | 5 years (Bokføringsloven)
Account info reading (AISP) | Consent (Art. 6.1.a) | Consent at onboarding | Until consent withdrawn
AML/KYC identity verification | Legal obligation (Art. 6.1.c) | Hvitvaskingsloven §§ 10-18 | 5 years (hvvl. §30)
Transaction monitoring | Legal obligation (Art. 6.1.c) | Hvitvaskingsloven §§ 24-25 | 5 years (hvvl. §30)
Fraud detection | Legitimate interest (Art. 6.1.f) | LIA documented in DPIA | 2 years
Security logging | Legitimate interest (Art. 6.1.f) | IKT-sikkerhetspolicy | 12-24 months
Marketing emails | Consent (Art. 6.1.a) | Consent record | Until consent withdrawn

2.3 Controls Mapping

Control | Requirement | Status | Evidence
Privacy notice (Norwegian) | Art. 13/14 | Draft | legal/personvernerklaering.md
DPIA | Art. 35 | Draft | legal/dpia-vurdering.md
DPO contact | Art. 37 | Not done | TBD — DPO appointment needed
Data breach response plan | Art. 33 | Documented | docs/SECURITY-COMPLIANCE/data-breach-response-plan.md
Data processing agreements | Art. 28 | Partial | legal/dpa-sumsub.md, dpa-swan.md, dpa-sentry.md
SCCs for non-EEA transfers | Art. 46 | Planned | Required for remittance corridors
Register of processing activities | Art. 30 | Not created | legal/behandlingsprotokoll.md to be completed

2.4 Data Subject Rights — Implementation

Right | Status | Target Implementation
Access (Subject Access Request) | Not built | GET /api/users/me/data-export — Phase 2
Rectification | Partial | PATCH /api/users/me — settings update exists
Erasure | Not built | Account deletion + anonymization — Phase 2
Portability | Not built | JSON export endpoint — Phase 2
Restriction of processing | Not built | Phase 2
Objection to processing | Not built | Support flow — Phase 2

Bilko regulation register (Regulation | Country | Phase):
Zakon o zaštiti ličnih podataka BiH (ZZLP, Sl. glasnik BiH 49/2006) | BA | Phase 3

SLA target: 30 days per GDPR requirement.

2.5 Cross-Border Transfer Compliance

Drop remittance to 30+ countries triggers GDPR Chapter V requirements:

Transfer | Mechanism | Status
Drop → EEA countries (PLN, EUR) | Free flow — no restriction | Compliant
Drop → UK | Adequacy decision | Compliant
Drop → Serbia (RSD) | SCCs + Transfer Impact Assessment | Planned
Drop → Bosnia-Herzegovina (BAM) | SCCs + TIA | Planned
Drop → Turkey (TRY) | SCCs + TIA | Planned
Drop → Pakistan (PKR) | SCCs + TIA + supplementary measures | Planned — high risk

Bilko regulation register (Regulation | Country):
Zakon o računovodstvu (Sl. glasnik RS 73/2019) | RS

Data minimized in transfer: Only sender name, recipient name/account, amount, currency, reference. Fødselsnummer NEVER transferred cross-border.

Source: legal/dpia-vurdering.md §7


3. PSD2 / SCA Compliance

Source: legal/drop-regulatory-map-v2.md §2, legal/drop-gap-analysis-v2.md §2

3.1 Strong Customer Authentication (SCA)

Current state: NOT compliant — email + password only (single factor). No BankID integration. Required: BankID integration for SCA (Phase 2, BLOCKING for live transactions).

SCA Requirement | Law | Status
Two of three factors (knowledge/possession/inherence) | Betalingstjenesteloven §§ 4-28, 4-29 | NOT IMPLEMENTED
Dynamic linking (amount + payee bound to auth code) | Delegated Reg. (EU) 2018/389 Art. 5 | NOT IMPLEMENTED
90-day re-authentication | Delegated Reg. Art. 10 | NOT IMPLEMENTED
BankID integration (covers possession + knowledge) | Required for Norwegian residents | PLANNED Phase 2

3.2 Open Banking (AISP/PISP)

Requirement | Status
AISP license or agent arrangement | NOT OBTAINED
PISP license or agent arrangement | NOT OBTAINED
PSD2 API integration (Neonomics) | PLANNED Phase 2
No storing of bank credentials | Architectural (pass-through model)
PSU explicit consent before account access | PLANNED Phase 2

Licensing path: Agent model under licensed PSP (1-3 months) while preparing full license (6-12 months). See §4.

3.3 Consumer Protection (PSD2)

Requirement | Status | Document
Framework agreement | Draft | legal/brukervilkar.md
Fee transparency pre-authorization | Partial | Fee shown post-submission in API
Transaction receipts | Not built | Phase 2
Execution time disclosure | Not built

Bilko regulation register (Regulation | Country | Phase):
Zakon o računovodstvu i reviziji FBiH (Sl. novine FBiH 83/2009) | BA (FBiH) | Phase 3
Zakon o računovodstvu i reviziji RS BiH (Sl. glasnik RS BiH 96/2005) | BA (RS entity) | Phase 3
Zakon o računovodstvu HR (NN 78/15, 120/16, 116/18) | HR | Phase 2
Zakon o PDV RS (Sl. glasnik RS 84/2004 et al.) | RS | Phase 2
Zakon o PDV BiH (Sl. glasnik BiH 9/2005 et al.) | BA | Phase 3
Zakon o porezu na dodanu vrijednost HR (NN 73/13 et al.) | HR | Phase 2
Zakon o elektronskom dokumentu RS (Sl. glasnik RS 51/2009) | RS | Phase 2
Opći porezni zakon HR (NN 115/16 et al.) | HR | Phase 2
Pravilnik o kontnom okviru RS (2021) | RS | Phase 2
FBiH Pravilnik o kontnom okviru (2022) | BA (FBiH) | Phase 3
RRiF Kontni plan HR | HR | Phase 2

2. Serbia (RS) — Regulatory Compliance

2.1 Data Protection — Zakon o zaštiti podataka o ličnosti (ZZPL)

Full name: Zakon o zaštiti podataka o ličnosti (November 21, 2018)
Description: Serbia's GDPR-aligned personal data protection law.
Supervisory authority: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti
Website: https://www.poverenik.rs

Requirement | ZZPL Article | Bilko Implementation | Gap
Lawful basis for processing | Art. 12 | Contract (Art. 12 st. 1 tač. 2) — accounting service | Partial
Data minimization | Art. 5 st. 1 tač. 3 | Email, name, PIB/JMBG only
Data subject rights | Art. 26-41 | GET /account/data, DELETE /account, GET /account/export
Processing register | Art. 50 | Internal processing register required
Security of processing | Art. 50 | TLS 1.3, AES-256, bcrypt, RBAC
Breach notification to Poverenik | Art. 56 | Within 72 hours of awareness

4. Finanstilsynet Licensing

Source: legal/drop-regulatory-map-v2.md §1, legal/konsesjonssoknad-forberedelse.md

4.1 License Options

Option | Timeline | Capital | Scope
Agent model (under existing licensee) | 1-3 months | None from Drop | Fastest to market
Begrenset betalingsforetak | 3-6 months | None (simplified) | Max 6M NOK/month volume
Ordinaert betalingsforetak | 6-12 months | 125,000 EUR | EEA passporting

4.2 Licensing Readiness

Requirement | Status | Evidence
Business plan with 3-year projections | Draft
AML policy and procedures | Draft | legal/hvitvaskingsrutiner.md
Fit & proper documentation | Not done | Board/management CVs + police certs needed
Compliance officer designated | Not done | Appointment required
Client fund safeguarding | N/A (pass-through) | Drop never holds funds
IT security policy | Draft | legal/ikt-sikkerhetspolicy.md
Incident handling plan | Draft | legal/hendelseshaandtering.md
Outsourcing policy | Draft | legal/utkontraktering-policy.md

Breach notification: [email protected] | Bulevar kralja Aleksandra 15, 11000 Belgrade

2.2 Accounting Law — Zakon o računovodstvu

Full name: Zakon o računovodstvu
Citation: Sl. glasnik RS br. 73/2019, 44/2021

Requirement | Bilko Implementation
Double-entry bookkeeping | Schema enforces debitAccountId + creditAccountId
Chart of accounts: Pravilnik o kontnom okviru (2021) — 10 class (0-9) | Serbian CoA seed data
Bilans stanja (Balance Sheet) + Bilans uspeha (Income Statement) | reports
Filing: APR (https://www.apr.gov.rs), deadline June 30 | PDF export, reminders
Document retention: 10 years | Soft delete, never hard delete financial data

5. AML/KYC Compliance

Source: legal/hvitvaskingsrutiner.md, legal/risikovurdering-hvitvasking.md

5.1 AML Program Status

Requirement | Status | Document
Enterprise-wide risk assessment | Draft | legal/risikovurdering-hvitvasking.md
AML policy and procedures | Draft | legal/hvitvaskingsrutiner.md
AML Compliance Officer appointed | NOT DONE | Appointment required
KYC procedures (CDD) | Mock only | Real KYC via BankID + Sumsub Phase 2
Transaction monitoring system | NOT IMPLEMENTED | Phase 2
PEP screening | NOT IMPLEMENTED | Phase 2 (ComplyAdvantage / Refinitiv)
Sanctions screening | NOT IMPLEMENTED | Phase 2
STR reporting to EFE (Altinn) | NOT IMPLEMENTED | Phase 2
Staff AML training | NOT DONE | Required
5-year record retention | NOT IMPLEMENTED | Phase 2

5.2 Transaction Monitoring

Thresholds:

Rule | Threshold | Action
Single transaction | > NOK 50,000 | Manual review
Daily cumulative | > NOK 100,000 | Manual review
Monthly cumulative | > NOK 500,000 | EDD assessment
High-risk corridor transactions | > 5/week same corridor | Manual review
Structuring detection | Multiple just-under-threshold | Automatic flag

Source: legal/hvitvaskingsrutiner.md §5.2

2.3 VAT — Zakon o PDV

Citation: Sl. glasnik RS br. 84/2004 (consolidated)

Rate | Description
20% (opšta stopa) | Standard — general goods and services
10% (snižena stopa) | Reduced — food, medicines, utilities
0% | Exports, international transport

VAT threshold: 8,000,000 RSD | Return: Monthly (>50M RSD) or Quarterly | Deadline: 15th of next month

2.4 E-Invoice — SEF (Sistem e-Faktura)

Platform: https://efaktura.gov.rs | Mandatory: B2B since January 2023
Format: UBL 2.1 XML | Penalties: 50,000–2,000,000 RSD for non-compliance
Integration: @bilko/country-rs package (Phase 2)

2.5 APR Filing

Serbian entities file annual financial reports with APR (Agencija za privredne registre). Deadline: June 30. Bilko generates APR-compatible PDF/XML exports.


3. Bosnia & Herzegovina (BA) — Regulatory Compliance

Complexity: BiH has two entities (FBiH and Republika Srpska). VAT unified at state level via UIO. Direct taxes separate per entity.

3.1 Data Protection — Zakon o zaštiti ličnih podataka BiH (ZZLP)

Full name: Zakon o zaštiti ličnih podataka Bosne i Hercegovine
Citation: Sl. glasnik BiH br. 49/2006, 76/2011, 89/2011
Supervisory authority: AZLP — Agencija za zaštitu ličnih podataka Bosne i Hercegovine
Website: https://www.azlp.ba

Requirement | ZZLP Article | Bilko Implementation
Lawful basis | Art. 4 | Contract + legal obligation
Security measures | Art. 14 | TLS 1.3, AES-256, bcrypt, RBAC
Cross-border transfer | Art. 18 | Railway EU West + SCCs mechanism
Breach notification to AZLP | Art. 14 / GDPR practice | 72 hours

5.3 Corridor Risk Classification

Risk Level | Corridors | Actions
Low | EU/EEA (PLN, EUR), UK | Standard CDD
Medium | Serbia (RSD), Bosnia (BAM), Turkey (TRY) | Standard CDD + lower thresholds
High | Pakistan (PKR) | Mandatory EDD, source of funds required
Blocked | FATF blacklist / EU high-risk / UN sanctions | System-level block
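As an added example (not code from the Drop project or its legal documents), the following TypeScript applies the §5.2 monitoring thresholds and the §5.3 corridor classes to a constructed batch of transfers. The currency-code mapping, the 50% factor for "lower thresholds", the 90% structuring band, the three-hit structuring count and the placeholder blocked code XXX are assumptions; the NOK thresholds and actions are the document's.

```typescript
// Added example, not code from the Drop project: applies the §5.2 monitoring
// thresholds and the §5.3 corridor classes to a constructed batch of transfers.
type RiskLevel = "Low" | "Medium" | "High" | "Blocked";
type Action = "Manual review" | "EDD assessment" | "Automatic flag" | "System-level block";
export interface Transfer { id: string; userId: string; corridor: string; amountNok: number; at: string; }
export interface Finding { transferId: string; rule: string; action: Action; }

// Corridor classes from §5.3, keyed by destination currency as in §2.5.
const CORRIDOR_RISK: Record<string, RiskLevel> = {
  EUR: "Low", PLN: "Low", GBP: "Low",
  RSD: "Medium", BAM: "Medium", TRY: "Medium",
  PKR: "High",
};
// §5.3 blocks FATF blacklist / EU high-risk / UN sanctions corridors. "XXX"
// (ISO "no currency") is a constructed placeholder, not a real list entry.
const BLOCKED = new Set<string>(["XXX"]);

// §5.2 thresholds in NOK. MEDIUM_FACTOR and the structuring band/count are
// assumptions: the page says "lower thresholds" and "just-under-threshold"
// without giving numbers.
const SINGLE = 50_000, DAILY = 100_000, MONTHLY = 500_000, PER_WEEK = 5;
const MEDIUM_FACTOR = 0.5, STRUCTURING_BAND = 0.9, STRUCTURING_COUNT = 3;

export function riskOf(corridor: string): RiskLevel {
  if (BLOCKED.has(corridor)) return "Blocked";
  return CORRIDOR_RISK[corridor] ?? "High"; // unknown corridor: treat as High
}

// Running counter per aggregation key; returns the new total.
function bump(m: Map<string, number>, key: string, by: number): number {
  const v = (m.get(key) ?? 0) + by;
  m.set(key, v);
  return v;
}

export function monitor(batch: Transfer[]): Finding[] {
  const out: Finding[] = [];
  const daily = new Map<string, number>(), monthly = new Map<string, number>();
  const weekly = new Map<string, number>(), nearLimit = new Map<string, number>();
  const flag = (t: Transfer, rule: string, action: Action) => { out.push({ transferId: t.id, rule, action }); };
  // Process in time order so cumulative rules fire on the transfer that crosses the line.
  for (const t of [...batch].sort((a, b) => a.at.localeCompare(b.at))) {
    const risk = riskOf(t.corridor);
    if (risk === "Blocked") { flag(t, "Blocked corridor", "System-level block"); continue; }
    const f = risk === "Medium" ? MEDIUM_FACTOR : 1;       // lower thresholds for Medium corridors
    const day = t.at.slice(0, 10), month = t.at.slice(0, 7);
    const week = Math.floor(Date.parse(day) / (7 * 86_400_000)); // coarse UTC 7-day bucket
    if (risk === "High") flag(t, "High-risk corridor: EDD + source of funds", "EDD assessment");
    if (t.amountNok > SINGLE * f) flag(t, "Single transaction", "Manual review");
    if (bump(daily, `${t.userId}|${day}`, t.amountNok) > DAILY * f) flag(t, "Daily cumulative", "Manual review");
    if (bump(monthly, `${t.userId}|${month}`, t.amountNok) > MONTHLY * f) flag(t, "Monthly cumulative", "EDD assessment");
    if (risk === "High" && bump(weekly, `${t.userId}|${t.corridor}|${week}`, 1) > PER_WEEK)
      flag(t, "High-risk corridor frequency", "Manual review");
    // Structuring: repeated amounts just under the single-transaction limit on one day.
    const justUnder = t.amountNok <= SINGLE * f && t.amountNok >= SINGLE * f * STRUCTURING_BAND;
    if (justUnder && bump(nearLimit, `${t.userId}|${day}`, 1) >= STRUCTURING_COUNT) flag(t, "Structuring", "Automatic flag");
  }
  return out;
}

// Constructed sample: three just-under-limit transfers to Serbia on one day
// (Medium corridor, so the single limit is NOK 25,000), one to Pakistan, one blocked.
export const SAMPLE: Transfer[] = [
  { id: "t1", userId: "u1", corridor: "RSD", amountNok: 24_000, at: "2026-03-02T09:00:00Z" },
  { id: "t2", userId: "u1", corridor: "RSD", amountNok: 23_500, at: "2026-03-02T12:00:00Z" },
  { id: "t3", userId: "u1", corridor: "RSD", amountNok: 24_900, at: "2026-03-02T18:00:00Z" },
  { id: "t4", userId: "u2", corridor: "PKR", amountNok: 60_000, at: "2026-03-03T10:00:00Z" },
  { id: "t5", userId: "u3", corridor: "XXX", amountNok: 100, at: "2026-03-03T11:00:00Z" },
];
```

On the sample, the third Serbian transfer trips both the halved daily limit and the structuring rule, the Pakistan transfer gets EDD plus a single-transaction review, and the blocked corridor is stopped before any aggregation.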

Breach notification: [email protected] | Hamdije Čemerlića 2/VI, 71000 Sarajevo

3.2 FBiH — Accounting Law

Full name: Zakon o računovodstvu i reviziji Federacije Bosne i Hercegovine
Citation: Sl. novine FBiH br. 83/2009, 56/2023

Requirement | Bilko Implementation
Double-entry bookkeeping | Schema enforced
Chart of accounts: FBiH Pravilnik (2022) | BiH CoA seed data
Filing: Agency of Financial Information (FBiH), deadline March 31 | PDF export
Document retention: 10 years | Immutable storage

3.3 Republika Srpska (BA Entity)

Citation: Sl. glasnik RS BiH br. 96/2005, 74/2016
Filing: Tax Administration of RS (BiH entity), March 31
Retention: 11 years — maximum applied across BA entities

3.4 VAT — Zakon o PDV BiH

Citation: Sl. glasnik BiH br. 9/2005 (consolidated)
Authority: UIO — Uprava za indirektno oporezivanje | https://www.uino.gov.ba

Rate | Description
17% (opća stopa) | Standard — all goods and services
0% | Exports

Threshold: 100,000 BAM | Return: Monthly | No reduced rates

3.5 E-Invoice — CPF (Central Platform for Fiscalisation)

Status: PENDING — technical specifications not published
Law adopted: January 2026 (FBiH only)
Expected: ~2027

Bilko decision: DO NOT implement CPF until specs published. BiH is Phase 3 launch.

3.6 Corporate Income Tax

Entity | Rate | Deadline
FBiH | 10% | March 31
RS (BiH entity) | 10% | March 31

4. Croatia (HR) — Regulatory Compliance

Note: Croatia is EU member state. GDPR applies directly.

4.1 Data Protection — GDPR

Applicable: GDPR Regulation (EU) 2016/679 (directly applicable)
National implementing act: Zakon o provedbi Opće uredbe (NN 42/2018)
Supervisory authority: AZOP — Agencija za zaštitu osobnih podataka | https://azop.hr

Requirement | GDPR Article | Bilko Implementation
Lawful basis | Art. 6 | Contract (6.1.b) for service; legal obligation (6.1.c) for tax
Data minimization | Art. 5(1)(c) | OIB, name, email only
Right to access | Art. 15 | GET /api/v1/account/data
Right to erasure | Art. 17 | DELETE /api/v1/account
Right to portability | Art. 20 | GET /api/v1/account/export
Security of processing | Art. 32 | TLS 1.3, AES-256, bcrypt, RBAC
Breach notification to AZOP | Art. 33 | Within 72 hours
DPA with processors | Art. 28 | Railway, Vercel, Cloudflare, SendGrid

Breach notification: [email protected] | https://azop.hr/prijavapovrede | Selska cesta 136, 10000 Zagreb

4.2 Accounting Law — Zakon o računovodstvu HR

Citation: NN 78/15, 120/16, 116/18, 42/20

Requirement | Bilko Implementation
Double-entry bookkeeping | Schema enfor
ced
Chart of accounts: RRiF standard | HR CoA seed data
Accounting standards: CFRS (SMEs) or IFRS (PIEs) | CFRS-compliant reports
Bilanca + Račun dobiti i gubitka | Report generation Phase 2
Filing: FINA RGFI (https://www.fina.hr), deadline April 30 | FINA-compatible export
Document retention: 11 years | Immutable storage

4.3 General Tax Law — Opći porezni zakon HR

Citation: NN 115/16, 106/18, 121/19, 32/20
Document retention 11 years, electronic record acceptance, digital accounting system obligations.

4.4 VAT — Zakon o PDV HR

Citation: NN 73/13 et al. | Portal: ePorezna — https://www.porezna-uprava.hr

Rate | Description
25% (opća stopa) | Standard — general goods and services
13% (srednja stopa) | Intermediate — foods, water, accommodation
5% (snižena stopa) | Reduced — books, baby food, medicines
0% | Exports, intra-EU supply

Threshold: 60,000 EUR | Return: Monthly | Deadline: Last day of next month

4.5 E-Invoice — HR-FISK / eRačun

Platform: https://hr-fisk.fina.hr | Operator: FINA — Financijska agencija
Mandatory since: January 1, 2026 (all B2B, B2G, B2C)
Format: UBL 2.1 XML with HR-CIUS | Protocol: AS4 (Peppol-compatible)
Certificate: FINA qualified certificate required
Penalties: Up to EUR 500,000 for non-compliance
Archive: 11 years

Integration: @bilko/country-hr — FINA certificate + API (Phase 2)

4.6 Corporate Income Tax — Croatia

  • Standard rate: 18% | Reduced: 10% (revenue <1M EUR) | Deadline: April 30

5. Cross-Country Compliance Matrix

Requirement | Serbia (RS) | Bosnia & Herzegovina (BA) | Croatia (HR)
Data protection law | ZZPL (GDPR-aligned, 2018) | ZZLP BiH (2006) | GDPR (directly applicable)
Supervisory authority | Poverenik | AZLP | AZOP
Breach notification deadline | 72 hours (ZZPL Art. 56) | 72 hours (best practice) | 72 hours (GDPR Art. 33)
VAT standard rate | 20% | 17% | 25%
VAT reduced rate | 10% | None | 13% / 5%
E-invoice platform | SEF (mandatory Jan 2023) | CPF (pending ~2027) | HR-FISK (mandatory Jan 2026)
E-invoice format | UBL 2.1 XML | TBD | UBL 2.1 XML (HR-CIUS)
Annual report filing | APR — June 30 | Agency Fin. Info / Tax Admin — March 31 | FINA RGFI — April 30
Chart of accounts | Pravilnik (2021) | FBiH Pravilnik (2022) | RRiF standard
Document retention | 10 years | 10 (FBiH) / 11 (RS entity) | 11 years
Currency | RSD | BAM | EUR
CIT rate | 15% | 10% | 18% (10% <1M EUR)

Bilko retention policy: Apply maximum across all markets — 11 years for all financial records. Never hard delete.


6. Data Classification Scheme

Drop classification:

Level | Label | Description | Examples | Controls
L1 | Public | Public-facing content | Landing page, marketing | None
L2 | Internal | Internal, low sensitivity | Internal wikis, non-PII logs | Access control
L3 | Confidential | Sensitive personal or business data | User PII (name, email, phone), transaction data | Encryption + access control + audit logging
L4 | Restricted | Highest sensitivity, regulatory implications | Fødselsnummer, AML reports, JWT secrets | Field-level encryption + MFA + strict access + audit + HSM keys

Bilko classification:

Level | Examples | Controls
L1 Public | Exchange rates, fee schedule, privacy policy | None
L2 Internal | Aggregated analytics
L3 Confidential | Email, organization data, invoice amounts
L4 Restricted | PIB/JMBG/OIB/JIB (tax IDs), IBAN, TOTP secrets, password hashes | Encryption + RBAC + 11-year retention

Tax ID types by country:

  • Serbia: PIB (9 digits), JMBG (13 digits)
  • BiH: JIB (13 digits)
  • Croatia: OIB (11 digits)

Rights

Erasure exception: Invoices, expenses, transactions retained 10-11 years (accounting law). Only PII (email, name, password hash) anonymized.


8. Third-Party Data Processors

Processor | Service | Region | DPA Status
Railway | PostgreSQL hosting | EU West (Frankfurt/Paris) | Required

Consent Types Required

Consent Type | Purpose | Status
Open Banking (AISP) | Reading bank account balances | Planned Phase 2 — PSD2 explicit consent required
Marketing emails | Email campaigns | Not implemented
Analytics | Product improvement | Not implemented
Cookie consent | Website cookies | Not implemented

7.2 PSD2 Open Banking Consent Requirements

Per Betalingstjenesteloven §§ 4-41 to 4-46:

  • Explicit user consent before any AISP access to bank accounts
  • Consent scoped per bank account
  • Re-consent required every 90 days for AISP
  • Consent revocable at any time (immediate effect)
  • Consent stored with timestamp, IP, and scope in user_consents table (planned)

8. Audit Schedule & Methodology

Audit Type | Frequency | Scope | Owner | Last Done | Status
Internal security review | Quarterly | Application + infrastructure | Security team | 2026-02-12 | Completed
Penetration test | Annual | Full scope | External firm (TBD) | Not done | Planned pre-launch
AML/compliance review | Annual | All AML procedures | AML Compliance Officer | Not done | Planned Phase 2
GDPR compliance review | Annual | All processing activities | DPO | Not done | Planned Phase 2
Vulnerability assessment | Quarterly | External attack surface | Security team | 2026-02-12 | Completed
Business continuity drill | Annual | DR/BCP scenarios | Operations | Not done | Planned Phase 2

Bilko third-party processors (Processor | Service | Region | DPA Status):
Vercel | Frontend hosting | EU edge | Required
Cloudflare | CDN, WAF, R2 storage | EU region | Required
SendGrid | Transactional email | EU | Required

9. Compliance Roadmap

Phase 1 — Pre-Launch (GDPR baseline)

  •  Privacy policy published
  •  Terms of Service published
  •  User consent mechanism at registration
  •  Data deletion + anonymization workflow
  •  Data export endpoint
  •  DPAs signed: Railway, Vercel, Cloudflare, SendGrid
  •  Railway EU West region confirmed
  •  Breach notification process ready

Phase 2 — Serbia Launch + Croatia Launch

Serbia:

Croatia:

Phase 3 — BiH Launch


10. Risk Assessment

Risk | Likelihood | Impact | Mitigation
GDPR/ZZPL breach fine | Low (if compliant) | High (GDPR €20M / ZZPL RSD 2M) | Full implementation before first customer required
SEF non-compliance (RS) | Medium | High (RSD 2M) | Phase 2 SEF integration
HR-FISK non-compliance (HR) | High (if not integrated) | Critical (EUR 500K) | Phase 2 mandatory
Financial data loss | Low | Critical | 30-day Railway backups, immutable audit
Tax calculation error | Low | High | Configurable rates, NUMERIC precision, Zod
BiH CPF delay | Medium | Low | Phase 3 planned, not blocking RS/HR

Training Requirements

Training | Audience | Frequency | Status
AML fundamentals (hvvl.) | All staff | Annual + onboarding | Not done
GDPR fundamentals | All staff handling personal data | Annual | Not done
Secure coding (OWASP) | Engineering | Annual | Not done
Incident response tabletop | Engineering + Management | Quarterly | Not done
PEP/sanctions screening procedures | Compliance + customer-facing | Annual | Not done

Source: legal/hvitvaskingsrutiner.md §10


Related Documents

10. Third-Party Compliance Requirements

10.1 Critical Vendor Register

Vendor | Service | Tier | Certifications | DPA Signed | Status
BankID Norge AS | SCA / Identity | Critical | eIDAS Level High | Required | Planned
Sumsub | KYC/AML | Critical | SOC 2, ISO 27001 | Yes — legal/dpa-sumsub.md | Signed
Swan | Banking / payment rails | Critical | PCI-DSS, SOC 2 | Yes — legal/dpa-swan.md | Signed
Neonomics | PSD2 AISP/PISP | Critical | PSD2 license (EU) | Required | Planned
AWS | Infrastructure | Critical | SOC 2 Type II, ISO 27001, PCI-DSS | AWS DPA | Standard
Sentry | Error monitoring | High | SOC 2 | Yes — legal/dpa-sentry.md | Signed

10.2 Outsourcing Policy

Source: legal/utkontraktering-policy.md

All material outsourcing relationships must:


11. Compliance Monitoring

Current state: Manual tracking only. No automated compliance dashboard.

Target metrics (Phase 2):

Metric | Target | Alert Threshold
Open Critical compliance issues | 0 | > 0
KYC approval backlog | < 24h | > 48h
AML flagged transactions unreviewed | 0 after 24h | > 0 after 48h
Data subject requests overdue | 0 | > 25 days
License application milestones | On schedule | Any delay
Vendor certifications expired | 0 | > 0
AML training completion | 100% | < 100%

Approval

Role | Name | Date | Signature
Author | ALAI Compliance Architect / Compliance Team | 2026-02-23
DPO | TBD — appointment required
CISO | TBD — appointment required
Legal Counsel | TBD — engagement required
CEO | Alem Bašić