Compliance Framework Document
Project: Drop — Fintech Payment App (ALAI Holding AS)
Version: 1.0
Date: 2026-02-23
Author: ALAI Compliance Team
Status: Draft
Reviewers: DPO, Legal Counsel, CEO
Classification: Confidential
Document History
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | 2026-02-12 | Compliance Agent (ALAI) | Initial gap analysis and regulatory mapping |
| 1.0 | 2026-02-23 | Security Architect (ALAI) | Framework document |
1. Applicable Regulations
Overall Compliance Readiness (MVP stage, 2026-02-13): 8/100 — Pre-production MVP. No live transactions.
| Regulation | Norwegian Law | Applicability | Status |
|---|---|---|---|
| PSD2 | Betalingstjenesteloven (LOV-2018-11-23-85) | Core — payment services regulation | 10% ready |
| AML/KYC | Hvitvaskingsloven (LOV-2018-06-01-23) | Core — anti-money laundering | 5% ready |
| GDPR | Personopplysningsloven (LOV-2018-06-15-38) | Core — personal data protection | 15% ready |
| ICT Security | IKT-forskriften / DORA (EU) 2022/2554 | Required for financial enterprises | 25% ready |
| Financial Enterprise | Finansforetaksloven (LOV-2015-04-10-17) | Licensing and governance | 0% ready |
| Currency Registry | Valutaregisterloven (LOV-2004-12-17-109) | Cross-border payment reporting | 0% ready |
| Consumer Protection | Finansavtaleloven (LOV-2020-12-18-146) | User rights | Partial |
Source: legal/drop-regulatory-map-v2.md, legal/drop-gap-analysis-v2.md
Compliance Owner: Alem Bašić, CEO/CISO — ALAI Holding AS ([email protected])
External Auditor: TBD — requires appointment before license application
Last Audit: 2026-02-12 (internal security audit)
Next Audit: TBD (prior to license application)
2. GDPR Compliance
Source: legal/personvernerklaering.md, legal/dpia-vurdering.md, legal/drop-regulatory-map-v2.md §4
2.1 Requirements Summary
| Article | Requirement | Our Implementation | Status |
|---|---|---|---|
| Art. 5 | Data minimization, purpose limitation | Only collect necessary fields; DPIA documents necessity | Partial |
| Art. 6 | Lawful basis for processing | See §2.2 | Partial |
| Art. 7 | Consent — specific, informed, unambiguous | Consent management TBD | Not implemented |
| Art. 13/14 | Privacy notice at collection | legal/personvernerklaering.md (draft, Norwegian) | Draft exists |
| Art. 17 | Right to erasure | TBD — account deletion flow not built | Planned Phase 2 |
| Art. 20 | Right to data portability | TBD — data export feature planned | Planned Phase 2 |
| Art. 25 | Privacy by design and default | Pass-through model minimizes data held | Architectural |
| Art. 30 | Records of processing activities | legal/behandlingsprotokoll.md — TBD | Not created |
| Art. 32 | Appropriate security measures | See security-architecture.md | Partial |
| Art. 33 | 72-hour breach notification | See data-breach-response-plan.md | Documented |
| Art. 35 | DPIA for high-risk processing | legal/dpia-vurdering.md | Draft exists |
| Art. 37 | DPO designation | TBD — not yet appointed | Not done |
| Art. 44 | Cross-border transfers | SCCs required — see §2.4 | Planned |
2.2 Lawful Basis Inventory
| Processing Activity | Lawful Basis | Legal Basis Document | Retention |
|---|---|---|---|
| Account creation and management | Contract (Art. 6.1.b) | legal/brukervilkar.md (Terms) | Duration + 2 years |
| Payment initiation (PISP) | Contract (Art. 6.1.b) | legal/brukervilkar.md | 5 years (Bokføringsloven) |
| Account info reading (AISP) | Consent (Art. 6.1.a) | Consent at onboarding | Until consent withdrawn |
| AML/KYC identity verification | Legal obligation (Art. 6.1.c) | Hvitvaskingsloven §§ 10-18 | 5 years (hvvl. §30) |
| Transaction monitoring | Legal obligation (Art. 6.1.c) | Hvitvaskingsloven §§ 24-25 | 5 years (hvvl. §30) |
| Fraud detection | Legitimate interest (Art. 6.1.f) | LIA documented in DPIA | 2 years |
| Security logging | Legitimate interest (Art. 6.1.f) | IKT-sikkerhetspolicy | 12-24 months |
| Marketing emails | Consent (Art. 6.1.a) | Consent record | Until consent withdrawn |
2.3 Controls Mapping
| Control | Requirement | Status | Evidence |
|---|---|---|---|
| Privacy notice (Norwegian) | Art. 13/14 | Draft | legal/personvernerklaering.md |
| DPIA | Art. 35 | Draft | legal/dpia-vurdering.md |
| DPO contact | Art. 37 | Not done | TBD — DPO appointment needed |
| Data breach response plan | Art. 33 | Documented | docs/SECURITY-COMPLIANCE/data-breach-response-plan.md |
| Data processing agreements | Art. 28 | Partial | legal/dpa-sumsub.md, dpa-swan.md, dpa-sentry.md |
| SCCs for non-EEA transfers | Art. 46 | Planned | Required for remittance corridors |
| Register of processing activities | Art. 30 | Not created | legal/behandlingsprotokoll.md to be completed |
2.4 Data Subject Rights — Implementation
| Right | Status | Target Implementation |
|---|---|---|
| Access (Subject Access Request) | Not built | GET /api/users/me/data-export — Phase 2 |
| Rectification | Partial | PATCH /api/users/me — settings update exists |
| Erasure | Not built | Account deletion + anonymization — Phase 2 |
| Portability | Not built | JSON export endpoint — Phase 2 |
| Restriction of processing | Not built | Phase 2 |
| Objection to processing | Not built | Support flow — Phase 2 |
SLA target: 30 days per GDPR requirement.
2.5 Cross-Border Transfer Compliance
Drop remittance to 30+ countries triggers GDPR Chapter V requirements:
| Transfer | Mechanism | Status |
|---|---|---|
| Drop → EEA countries (PLN, EUR) | Free flow — no restriction | Compliant |
| Drop → UK | Adequacy decision | Compliant |
| Drop → Serbia (RSD) | SCCs + Transfer Impact Assessment | Planned |
| Drop → Bosnia-Herzegovina (BAM) | SCCs + TIA | Planned |
| Drop → Turkey (TRY) | SCCs + TIA | Planned |
| Drop → Pakistan (PKR) | SCCs + TIA + supplementary measures | Planned — high risk |
Data minimized in transfer: Only sender name, recipient name/account, amount, currency, reference. Fødselsnummer NEVER transferred cross-border.
Source: legal/dpia-vurdering.md §7
3. PSD2 / SCA Compliance
Source: legal/drop-regulatory-map-v2.md §2, legal/drop-gap-analysis-v2.md §2
3.1 Strong Customer Authentication (SCA)
Current state: NOT compliant — email + password only (single factor). No BankID integration. Required: BankID integration for SCA (Phase 2, BLOCKING for live transactions).
| SCA Requirement | Law | Status |
|---|---|---|
| Two of three factors (knowledge/possession/inherence) | Betalingstjenesteloven §§ 4-28, 4-29 | NOT IMPLEMENTED |
| Dynamic linking (amount + payee bound to auth code) | Delegated Reg. (EU) 2018/389 Art. 5 | NOT IMPLEMENTED |
| 90-day re-authentication | Delegated Reg. Art. 10 | NOT IMPLEMENTED |
| BankID integration (covers possession + knowledge) | Required for Norwegian residents | PLANNED Phase 2 |
3.2 Open Banking (AISP/PISP)
| Requirement | Status |
|---|---|
| AISP license or agent arrangement | NOT OBTAINED |
| PISP license or agent arrangement | NOT OBTAINED |
| PSD2 API integration (Neonomics) | PLANNED Phase 2 |
| No storing of bank credentials | Architectural (pass-through model) |
| PSU explicit consent before account access | PLANNED Phase 2 |
Licensing path: Agent model under licensed PSP (1-3 months) while preparing full license (6-12 months). See §4.
3.3 Consumer Protection (PSD2)
| Requirement | Status | Document |
|---|---|---|
| Framework agreement | Draft | legal/brukervilkar.md |
| Fee transparency pre-authorization | Partial | Fee shown post-submission in API |
| Transaction receipts | Not built | Phase 2 |
| Execution time disclosure | Not built | Phase 2 |
4. Finanstilsynet Licensing
Source: legal/drop-regulatory-map-v2.md §1, legal/konsesjonssoknad-forberedelse.md
4.1 License Options
| Option | Timeline | Capital | Scope |
|---|---|---|---|
| Agent model (under existing licensee) | 1-3 months | None from Drop | Fastest to market |
| Begrenset betalingsforetak | 3-6 months | None (simplified) | Max 6M NOK/month volume |
| Ordinært betalingsforetak | 6-12 months | 125,000 EUR | Full EEA passporting |
Recommended path: Agent model first → Begrenset betalingsforetak for initial launch → Ordinært betalingsforetak for Scandinavian expansion.
4.2 Licensing Readiness
| Requirement | Status | Gap |
|---|---|---|
| Business plan with 3-year projections | Draft | Partial |
| AML policy and procedures | Draft | legal/hvitvaskingsrutiner.md |
| Fit & proper documentation | Not done | Board/management CVs + police certs needed |
| Compliance officer designated | Not done | Appointment required |
| Client fund safeguarding | N/A (pass-through) | N/A — Drop never holds funds |
| IT security policy | Draft | legal/ikt-sikkerhetspolicy.md |
| Incident handling plan | Draft | legal/hendelseshaandtering.md |
| Outsourcing policy | Draft | legal/utkontraktering-policy.md |
5. AML/KYC Compliance
Source: legal/hvitvaskingsrutiner.md, legal/risikovurdering-hvitvasking.md
5.1 AML Program Status
| Requirement | Status | Document |
|---|---|---|
| Enterprise-wide risk assessment | Draft | legal/risikovurdering-hvitvasking.md |
| AML policy and procedures | Draft | legal/hvitvaskingsrutiner.md |
| AML Compliance Officer appointed | NOT DONE | Appointment required |
| KYC procedures (CDD) | Mock only | Real KYC via BankID + Sumsub — Phase 2 |
| Transaction monitoring system | NOT IMPLEMENTED | Phase 2 |
| PEP screening | NOT IMPLEMENTED | Phase 2 (ComplyAdvantage / Refinitiv) |
| Sanctions screening | NOT IMPLEMENTED | Phase 2 |
| STR reporting to EFE (Altinn) | NOT IMPLEMENTED | Phase 2 |
| Staff AML training | NOT DONE | Required |
| 5-year record retention | NOT IMPLEMENTED | Phase 2 |
5.2 Transaction Monitoring Thresholds (Planned)
| Rule | Threshold | Action |
|---|---|---|
| Single transaction | > NOK 50,000 | Manual review |
| Daily cumulative | > NOK 100,000 | Manual review |
| Monthly cumulative | > NOK 500,000 | EDD assessment |
| High-risk corridor transactions | > 5/week same corridor | Manual review |
| Structuring detection | Multiple just-under-threshold | Automatic flag |
Source: legal/hvitvaskingsrutiner.md §5.2
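The five rules in the table above are easy to read individually but interact once a batch of transactions is evaluated (a large transfer can trip both the single-transaction and the daily-cumulative rule; a series of near-threshold transfers trips none of the amount rules and only the structuring rule). The following is an added example, not code from the Drop project, that applies the table's thresholds to a constructed batch. The "just under threshold" band (90-100% of the single-transaction limit), the minimum count of three such transfers, the rolling seven-day window used for the corridor and structuring rules, and the PKR corridor being the only high-risk corridor are assumptions made for the example; the planned rules leave those parameters open.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds taken from the planned rule table (section 5.2).
SINGLE_TXN_NOK = 50_000
DAILY_CUMULATIVE_NOK = 100_000
MONTHLY_CUMULATIVE_NOK = 500_000
HIGH_RISK_WEEKLY_COUNT = 5
HIGH_RISK_CORRIDORS = {"PKR"}          # high-risk corridor from section 5.3

# Parameters the table leaves open; all three are assumptions for this example.
STRUCTURING_BAND = 0.90                # "just under" = 90-100% of SINGLE_TXN_NOK
STRUCTURING_MIN_COUNT = 3              # this many near-threshold transfers in a window
WINDOW = timedelta(days=7)             # rolling week for the corridor and structuring rules


@dataclass(frozen=True)
class Txn:
    user_id: str
    amount_nok: float
    corridor: str      # destination currency, e.g. "EUR" or "PKR"
    ts: datetime


def evaluate(transactions):
    """Apply the planned rules to a batch of transactions.

    Returns {user_id: [(rule, action), ...]}; each rule is reported at most
    once per user, in the order it first fired.
    """
    by_user = defaultdict(list)
    for t in sorted(transactions, key=lambda x: x.ts):
        by_user[t.user_id].append(t)

    results = {}
    for user, txns in by_user.items():
        hits = {}                      # rule -> action, insertion-ordered
        daily = defaultdict(float)     # calendar-day running totals
        monthly = defaultdict(float)   # calendar-month running totals
        for i, t in enumerate(txns):
            if t.amount_nok > SINGLE_TXN_NOK:
                hits["single_transaction"] = "manual_review"

            daily[t.ts.date()] += t.amount_nok
            if daily[t.ts.date()] > DAILY_CUMULATIVE_NOK:
                hits["daily_cumulative"] = "manual_review"

            monthly[(t.ts.year, t.ts.month)] += t.amount_nok
            if monthly[(t.ts.year, t.ts.month)] > MONTHLY_CUMULATIVE_NOK:
                hits["monthly_cumulative"] = "edd_assessment"

            # Look back over this user's transactions inside the rolling window.
            window = [p for p in txns[: i + 1] if t.ts - p.ts <= WINDOW]

            if t.corridor in HIGH_RISK_CORRIDORS:
                same_corridor = sum(1 for p in window if p.corridor == t.corridor)
                if same_corridor > HIGH_RISK_WEEKLY_COUNT:
                    hits["high_risk_corridor_velocity"] = "manual_review"

            low = STRUCTURING_BAND * SINGLE_TXN_NOK
            if low <= t.amount_nok <= SINGLE_TXN_NOK:
                near = sum(1 for p in window if low <= p.amount_nok <= SINGLE_TXN_NOK)
                if near >= STRUCTURING_MIN_COUNT:
                    hits["structuring"] = "automatic_flag"

        results[user] = list(hits.items())
    return results


# Constructed sample batch for the example; none of it is real transaction data.
T0 = datetime(2026, 3, 2, 9, 0)
SAMPLE = [
    Txn("u1", 60_000, "EUR", T0),                               # one transfer above 50k
    Txn("u2", 49_000, "PLN", T0),                               # three transfers just under 50k
    Txn("u2", 48_500, "PLN", T0 + timedelta(days=1)),
    Txn("u2", 49_900, "PLN", T0 + timedelta(days=2)),
    *[Txn("u3", 5_000, "PKR", T0 + timedelta(days=d)) for d in range(6)],  # 6 PKR transfers in 6 days
    Txn("u4", 30_000, "EUR", T0),                               # benign
    Txn("u5", 60_000, "EUR", T0),                               # above 50k, and 115k on one day
    Txn("u5", 55_000, "EUR", T0),
]

if __name__ == "__main__":
    for user, flags in evaluate(SAMPLE).items():
        print(user, flags or "no flags")
```

Note that user u2 never exceeds any amount threshold and is caught only by the structuring rule, while u5 is reported under two rules for the same pair of transfers; a reviewer queue should de-duplicate on the transaction, not on the rule.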
5.3 Corridor Risk Classification
| Risk Level | Corridors | Actions |
|---|---|---|
| Low | EU/EEA (PLN, EUR), UK | Standard CDD |
| Medium | Serbia (RSD), Bosnia (BAM), Turkey (TRY) | Standard CDD + lower thresholds |
| High | Pakistan (PKR) | Mandatory EDD, source of funds required |
| Blocked | FATF blacklist / EU high-risk / UN sanctions | System-level block |
6. Data Classification Scheme
| Level | Label | Description | Examples | Controls |
|---|---|---|---|---|
| L1 | Public | Public-facing content | Landing page, marketing | None |
| L2 | Internal | Internal, low sensitivity | Internal wikis, non-PII analytics | Access control |
| L3 | Confidential | Sensitive personal or business data | User PII (name, email, phone), transaction data | Encryption + access control + logging |
| L4 | Restricted | Highest sensitivity, regulatory implications | Fødselsnummer, AML reports, JWT secrets | Field-level encryption + MFA + strict access + audit + HSM keys |
7. Consent Management
7.1 Consent Types Required
| Consent Type | Purpose | Status |
|---|---|---|
| Open Banking (AISP) | Reading bank account balances | Planned Phase 2 — PSD2 explicit consent required |
| Marketing emails | Email campaigns | Not implemented |
| Analytics | Product improvement | Not implemented |
| Cookie consent | Website cookies | Not implemented |
7.2 PSD2 Open Banking Consent Requirements
Per Betalingstjenesteloven §§ 4-41 to 4-46:
- Explicit user consent before any AISP access to bank accounts
- Consent scoped per bank account
- Re-consent required every 90 days for AISP
- Consent revocable at any time (immediate effect)
- Consent stored with timestamp, IP, and scope in the user_consents table (planned)
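The list above fixes four properties a consent record must satisfy before any AISP call is made: explicit grant, per-account scope, 90-day expiry, and immediate revocation. The following is an added example, not code from the Drop project, of a check that enforces all four against an in-memory store. The column layout of the record (user, type, scope, grant timestamp, client IP, revocation timestamp), the treatment of the 90th day as already expired, and the rule that the most recent grant for a given account wins are assumptions; the planned user_consents table may differ.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Re-consent interval for AISP access from the requirements list (section 7.2).
AISP_CONSENT_VALIDITY = timedelta(days=90)


@dataclass
class ConsentRecord:
    # Assumed shape of a row in the planned user_consents table.
    user_id: str
    consent_type: str            # "aisp", "marketing", ...
    scope: str                   # the single bank account the consent covers
    granted_at: datetime
    client_ip: str               # recorded at grant time, as the list requires
    revoked_at: Optional[datetime] = None


class ConsentStore:
    """In-memory stand-in for the planned user_consents table."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def grant(self, user_id: str, consent_type: str, scope: str,
              at: datetime, client_ip: str) -> ConsentRecord:
        rec = ConsentRecord(user_id, consent_type, scope, at, client_ip)
        self._records.append(rec)
        return rec

    def revoke(self, user_id: str, consent_type: str, scope: str, at: datetime) -> int:
        """Revoke every live consent for this account; returns how many were revoked."""
        count = 0
        for r in self._records:
            if (r.user_id, r.consent_type, r.scope) == (user_id, consent_type, scope) \
                    and r.revoked_at is None:
                r.revoked_at = at
                count += 1
        return count

    def is_permitted(self, user_id: str, consent_type: str, scope: str,
                     at: datetime) -> Tuple[bool, str]:
        """Decide whether access under (user, type, scope) is allowed at time `at`.

        Returns (allowed, reason) so the caller can log why a call was refused.
        """
        matches = [r for r in self._records
                   if (r.user_id, r.consent_type, r.scope) == (user_id, consent_type, scope)]
        if not matches:
            return False, "no_consent"          # consent is scoped per account
        latest = max(matches, key=lambda r: r.granted_at)
        if latest.revoked_at is not None and latest.revoked_at <= at:
            return False, "revoked"             # revocation takes immediate effect
        if consent_type == "aisp" and at - latest.granted_at >= AISP_CONSENT_VALIDITY:
            return False, "expired"             # 90-day re-consent required
        return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through; the IP is from the documentation range.
    store = ConsentStore()
    t0 = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)
    store.grant("u1", "aisp", "acct-A", t0, "203.0.113.10")
    print(store.is_permitted("u1", "aisp", "acct-A", t0 + timedelta(days=1)))
    print(store.is_permitted("u1", "aisp", "acct-B", t0 + timedelta(days=1)))
    print(store.is_permitted("u1", "aisp", "acct-A", t0 + timedelta(days=90)))
```

The store keeps revoked and expired records rather than deleting them, so the consent history itself is available as evidence for the PSD2 and GDPR reviews listed in section 8.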
8. Audit Schedule & Methodology
| Audit Type | Frequency | Scope | Owner | Last Done | Status |
|---|---|---|---|---|---|
| Internal security review | Quarterly | Application + infrastructure | Security team | 2026-02-12 | Completed |
| Penetration test | Annual | Full scope | External firm (TBD) | Not done | Planned pre-launch |
| AML/compliance review | Annual | All AML procedures | AML Compliance Officer | Not done | Planned Phase 2 |
| GDPR compliance review | Annual | All processing activities | DPO | Not done | Planned Phase 2 |
| Vulnerability assessment | Quarterly | External attack surface | Security team | 2026-02-12 | Completed |
| Business continuity drill | Annual | DR/BCP scenarios | Operations | Not done | Planned Phase 2 |
9. Compliance Training Requirements
| Training | Audience | Frequency | Status |
|---|---|---|---|
| AML fundamentals (hvvl.) | All staff | Annual + onboarding | Not done — required |
| GDPR fundamentals | All staff handling personal data | Annual | Not done |
| Secure coding (OWASP) | Engineering | Annual | Not done |
| Incident response tabletop | Engineering + Management | Quarterly | Not done |
| PEP/sanctions screening procedures | Compliance + customer-facing | Annual | Not done |
Source: legal/hvitvaskingsrutiner.md §10
10. Third-Party Compliance Requirements
10.1 Critical Vendor Register
| Vendor | Service | Tier | Certifications | DPA Signed | Status |
|---|---|---|---|---|---|
| BankID Norge AS | SCA / Identity | Critical | eIDAS Level High | Required | Planned |
| Sumsub | KYC/AML | Critical | SOC 2, ISO 27001 | Yes — legal/dpa-sumsub.md | Signed |
| Swan | Banking / payment rails | Critical | PCI-DSS, SOC 2 | Yes — legal/dpa-swan.md | Signed |
| Neonomics | PSD2 AISP/PISP | Critical | PSD2 license (EU) | Required | Planned |
| AWS | Infrastructure | Critical | SOC 2 Type II, ISO 27001, PCI-DSS | AWS DPA | Standard |
| Sentry | Error monitoring | High | SOC 2 | Yes — legal/dpa-sentry.md | Signed |
10.2 Outsourcing Policy
Source: legal/utkontraktering-policy.md
All material outsourcing relationships must:
- Have a written contract with DPA if processing personal data
- Include right to audit clause
- Include sub-processor approval requirements
- Have an exit strategy documented
- Be notified to Finanstilsynet if material (Finansforetaksloven § 13-7)
11. Compliance Monitoring
Current state: Manual tracking only. No automated compliance dashboard.
Target metrics (Phase 2):
| Metric | Target | Alert Threshold |
|---|---|---|
| Open Critical compliance issues | 0 | > 0 |
| KYC approval backlog | < 24h | > 48h |
| AML flagged transactions unreviewed | 0 after 24h | > 0 after 48h |
| Data subject requests overdue | 0 | > 25 days |
| License application milestones | On schedule | Any delay |
| Vendor certifications expired | 0 | > 0 |
| AML training completion | 100% | < 100% |
Approval
| Role | Name | Date | Signature |
|---|---|---|---|
| Author | ALAI Compliance Team | 2026-02-23 | |
| DPO | TBD — appointment required | | |
| CISO | TBD — appointment required | | |
| Legal Counsel | TBD — engagement required | | |
| CEO | Alem Bašić | | |