Compliance Overview

Drop Compliance Status

Last updated: 2026-~~03-10~~02-13 Source: legal/ directory (16 regulatory ~~docs)~~documents), docs/SECURITY-COMPLIANCE/security/ directory (85 ~~detailed~~security ~~framework docs)~~documents), legal/drop-gap-analysis-v2.md

~~Detailed compliance documentation:~~ ~~See~~, docs/SECURITY-COMPLIANCE/legal/drop-regulatory-map-v2.md ~~for the full regulatory framework, DORA self-assessment, data encryption policy, and other documents required for Finanstilsynet PI licence application.~~

Overall Compliance Readiness: ~30/8/100

Drop is an MVP-stage application using a PSD2 pass-through model (AISP reads bank ~~balances via Open Banking,~~balances, PISP initiates payments ~~from user's bank~~ — Drop never holds customer money).

~~Since~~Regulatory ~~Feb~~compliance ~~2026:~~is ~~BankID~~not ~~OIDC~~expected ~~integrated~~at ~~(SCA),~~this ~~Sumsub~~stage, ~~KYC live, DORA~~but documentation ~~completed,~~is ~~security~~being ~~hardening~~prepared. ~~completed~~Cards (0are ~~Critical/High~~a ~~remaining),~~FUTURE ~~CSRF~~feature, ~~and~~gated ~~rate-limiting~~behind ~~middleware~~feature ~~added, SCA audit trail deployed.~~flags.

Regulatory Framework

Applicable Regulations

Regulation	Norwegian Law	Relevance	~~Status~~
PSD2	Betalingstjenesteloven (LOV-2018-11-23-85)	Core —-- payment services	~~~35% ready~~regulation
AML/KYC	Hvitvaskingsloven (LOV-2018-06-01-23)	Core —-- anti-money laundering	~~~35% ready~~
GDPR	Personopplysningsloven (LOV-2018-06-15-38)	Core —-- personal data	~~~25% ready~~protection
ICT Security	IKT-forskriften / DORA ~~(EU) 2022/2554~~	Required for financial ~~entities~~	~~~30% ready~~enterprises
Financial Enterprise	Finansforetaksloven (LOV-2015-04-10-17)	Licensing and governance	~~0% ready~~
Currency Registry	Valutaregisterloven ~~(LOV-2004-12-17-109)~~	Cross-border payment reporting	~~0% ready~~
Consumer Protection	Finansavtaleloven ~~(LOV-2020-12-18-146)~~	~~User~~Terms and user rights	~~Partial~~

Source: legal/drop-regulatory-map-v2.md, docs/SECURITY-COMPLIANCE/compliance-framework.md §1md:1-80

Compliance Readiness by Area

1. Licensing (~15%0% ready)

Source: legal/drop-gap-analysis-v2.md:31-50

Requirement	Status	~~Notes~~Gap
Finanstilsynet ~~PI licence~~license	Not applied	~~PATH~~FULL ~~A (aggregator) + PATH B (own licence) planned~~GAP
Client fund safeguarding	~~N/A~~Not —applicable ~~pass-through model~~(demo)	NoFULL ~~wallet, no float held~~GAP
Initial capital (20K-125K EUR)	Not secured	~~€50–125K~~FULL ~~needed for PATH B~~GAP
Business plan	~~Draft~~Exists ~~complete~~as draft	`legal/virksomhetsplan.md`PARTIAL
~~DORA~~Agent ~~self-assessment~~arrangement	~~Complete~~None	`docs/SECURITY-COMPLIANCE/dora-self-assessment.md`FULL GAP

Recommended path: Agent model under ~~Tink/Aiia~~licensed ~~licence~~PSP (~~4–8~~1-3 ~~weeks)~~months) +while ~~own~~preparing PIfull ~~licence~~license inapplication ~~parallel.~~(6-12 ~~See~~ project/FASTEST-PATH-TO-PRODUCTION.mdmonths).

2. PSD2 / SCA (~35%10% ready)

Source: legal/drop-gap-analysis-v2.md:53-78

Requirement	Status	Code Reference
Strong Customer Authentication	NOT IMPLEMENTED	No BankID, email+password only
BankID integration	NOT IMPLEMENTED	Mentioned in architecture, not in code
Dynamic linking	NOT IMPLEMENTED	No amount+payee tied to auth
Open Banking AISP/PISP	NOT IMPLEMENTED	Balance is local, not from bank
Framework agreement	PARTIAL	Landing page has `vilkar.html`
Fee transparency pre-auth	PARTIAL	Fee shown in API after submission
Session management	IMPLEMENTED	`lib/auth.ts`, `lib/middleware.ts`

3. AML/KYC (5% ready)

Requirement	Status	~~Code / Document~~
~~Strong Customer Authentication (BankID OIDC)~~	~~Implemented~~	`src/drop-api/src/lib/bankid.ts`, `src/drop-api/src/routes/auth.ts`
~~Dynamic linking (amount + payee tied to auth)~~	~~Partial~~	~~Consent model in place; PISP flow pending live partner~~
~~Open Banking AISP/PISP~~	~~Architecture complete~~	~~Awaiting aggregator partner (Tink/Aiia)~~
~~Framework agreement~~	~~Draft~~	`legal/brukervilkar.md`
~~Fee transparency pre-authorisation~~	~~Partial~~	~~Shown in payment confirmation screen~~
~~Session management~~	~~Implemented~~	`src/drop-api/src/lib/auth.ts`~~, httpOnly JWT~~
~~SCA audit trail~~	~~Implemented~~	~~Migration 010 —~~ `sca_events` ~~table~~

~~3. AML/KYC (~35% ready)~~

~~Requirement~~	~~Status~~	~~Notes~~Gap
Customer identification ~~(eIDAS High via BankID)~~	~~Implemented~~Mock only	~~BankID~~Auto-approve ~~national ID verified~~
KYC ~~verification (Sumsub)~~	~~Production~~	`src/drop-api/src/lib/services/` ~~— Sumsub adapter live~~
Transaction monitoring	~~Partial~~NOT IMPLEMENTED	~~Consent~~No ~~and~~monitoring ~~audit logging in place; automated alerts TBD~~system
Suspicious activity reporting	~~Not~~NOT ~~implemented~~IMPLEMENTED	No SAR ~~procedures documented (~~`legal/hvitvaskingsrutiner.md`~~), tooling Phase 2~~capability
~~AML risk~~Risk assessment	Document exists	`legal/risikovurdering-hvitvasking.md`
AML procedures	Document exists	`legal/hvitvaskingsrutiner.md`

~~beforelive~~

Requirement	Status	Document
Privacy notice ~~(Norwegian)~~	~~Draft~~EXISTS (draft)	`legal/personvernerklaering.md`
DPIA	~~Draft~~EXISTS (draft)	`legal/dpia-vurdering.md`, `docs/SECURITY-COMPLIANCE/data-protection-impact-assessment.md`
Terms of service	~~Draft~~EXISTS (draft)	`legal/brukervilkar.md`
~~Data retention — cron job~~	~~Implemented~~	`src/drop-app/src/app/api/cron/retention/route.ts`
~~PII encryption at rest~~	~~Implemented~~	`src/shared/crypto/pii-encryption.ts`~~, KMS-backed~~
Processing register	~~Not~~NOT ~~created~~CREATED	`legal/behandlingsprotokoll.md` ~~— Phase 2~~--
DPO appointment	~~Not~~NOT ~~done~~DONE	~~Required~~--
Data retention policy	NOT DEFINED	--
Consent management	~~Partial~~NOT IMPLEMENTED	~~Consent model in DB (~~`consents` ~~table)~~
~~Right to erasure / portability~~	~~Not built~~	~~Phase 2~~--

5. ICT Security / DORA (~30%25% ready)

~~Full assessment:~~Source: docs/SECURITY-COMPLIANCE/dora-self-assessment.mdsecurity/security-rapport-2026-02-12.md:187-188 ~~— overall maturity 1.1/3~~

EXISTS IN

Requirement	Status	~~Evidence~~Document/Code
Security policy ~~(IKT-sikkerhetspolicy)~~	~~Draft~~EXISTS (draft)	`legal/ikt-sikkerhetspolicy.md`
~~BCP~~Incident ~~+ BIA (DORA Art. 11)~~handling	~~Draft~~	`legal/beredskapsplan.md §2`
~~Incident handling procedures~~	~~Draft~~(draft)	`legal/hendelseshaandtering.md`
~~DORA~~Business ~~annual self-assessment~~continuity	~~Complete~~EXISTS (draft)	`docs/SECURITY-COMPLIANCE/dora-self-assessment.legal/beredskapsplan.md`
~~DORA~~Outsourcing ~~follow-up procedures (FP-01 to FP-T09)~~policy	~~Documented~~EXISTS (draft)	`docs/SECURITY-COMPLIANCE/compliance-framework.legal/utkontraktering-policy.md §11.5`
~~Encryption~~Security ~~policy~~audit	~~Complete~~COMPLETED	`docs/SECURITY-COMPLIANCE/data-encryption-policy.security/drop-security-rapport.md`
Penetration testing	NOT DONE	--
Security hardening	~~Complete~~	~~0 Critical/High findings remaining~~
~~CSRF protection~~	~~Implemented~~PROGRESS	`src/drop-api/src/middleware/csrf.tssecurity/security-hardening-implementation.md`
~~Rate limiting~~	~~Implemented~~	`src/drop-api/src/middleware/rate-limit.ts`
~~Penetration test~~	~~Not done~~	~~Required before licence submission (GAP-DORA-01)~~
~~SIEM / security monitoring~~	~~Planned~~	~~CloudWatch + Sentry — Phase 2~~
~~DR environment + BCP drill~~	~~Not done~~	~~Phase 2 (GAP-DORA-02)~~

Security Audit Summary

~~Initial audit:~~Date: 2026-02-12 —Source: security/drop-security-rapport.md

Before Hardening

4 CRITICAL, 5 HIGH, 6 MEDIUM, 4 ~~Critical,~~LOW 5findings

~~High,~~

After Medium, 4 Low Post-hardeningHardening (2026-02-13):

~~0 Critical, 0 High, 2 Medium, 4 Low~~

~~Latest hardening review:~~Source: docs/security/audits/security-hardening-implementation.md

~~Key remediations completed:~~

0 CRITICAL (all resolved)

0 HIGH (all resolved)

2 MEDIUM remaining (CSP tightening, proxy config)

4 LOW (acknowledged, out of scope)

Key Remediations Completed

C1 -- Card data: Schema now stores only last_four +and token_ref ~~stored~~ (no PAN/CVV)
C2 -- Demo ~~credentials~~credentials: ~~gated~~Gated behind NODE_ENV !== 'production'
C4 -- SHA-256 ~~passwords~~passwords: ~~removed;~~Removed entirely, bcrypt only
C6/H1 -- Session ~~revocation~~revocation: ~~implemented~~Implemented and active
H4 -- Input ~~sanitization~~sanitization: ~~applied~~Applied to all text fields
~~CSRF~~M5 ~~tokens~~-- ~~enforced~~Notification onIDs: ~~state-mutating~~Validated ~~routes~~(max 100, format check)
~~httpOnly~~M6 +-- ~~Secure~~Settings: +Currency/language ~~SameSite~~validated ~~cookies~~against ~~on JWT~~whitelists

DORA Significant Gaps (for Finanstilsynet disclosure)

~~Gap~~	~~DORA Reference~~	~~Severity~~	~~Target~~
~~No live pen test or VA completed~~	~~Art. 24(2)~~	~~High~~	~~Before launch~~
~~DR environment not built; BCP drill not conducted~~	~~Art. 11(6)~~	~~High~~	~~Phase 2~~
~~ICT risk register tooling not operational~~	~~Art. 6(1)~~	~~Medium~~	~~Phase 2~~
~~Third-party risk assessments incomplete (BankID, OB partner)~~	~~Art. 28(4)~~	~~Medium~~	~~Before launch~~
~~SIEM not live~~	~~Art. 10(1)~~	~~Medium~~	~~Phase 2~~

~~Full gap list:~~ docs/SECURITY-COMPLIANCE/dora-self-assessment.md §5

Legal Documents Inventory

Location: ~/ALAI/products/Drop/legal/

Document	File	Status
Privacy notice	`personvernerklaering.md`	Draft
DPIA assessment	`dpia-vurdering.md`	Draft
Terms of service	`brukervilkar.md`	Draft
AML procedures	`hvitvaskingsrutiner.md`	Draft
AML risk assessment	`risikovurdering-hvitvasking.md`	Draft
ICT security policy	`ikt-sikkerhetspolicy.md`	Draft
Incident handling	`hendelseshaandtering.md`	Draft
Business continuity ~~+ BIA~~	`beredskapsplan.md`	Draft
Outsourcing policy	`utkontraktering-policy.md`	Draft
Internal control	`internkontroll.md`	Draft
Suitability assessment	`egnethetsvurdering.md`	Draft
Complaint handling	`klagebehandling.md`	Draft
Licensing preparation	`konsesjonssoknad-forberedelse.md`	Draft
Business plan	`virksomhetsplan.md`	Draft
Gap analysis v2	`drop-gap-analysis-v2.md`	Complete
Regulatory map v2	`drop-regulatory-map-v2.md`	Complete

Security Documents Inventory

Location: ~/ALAI/products/Drop/security/

Document	File	Status
Security audit rapport	`drop-security-rapport.md`	Complete (2026-02-12)
Gap analysis	`gap-analysis.md`	Complete (2026-02-12)
Hardening checklist	`hardening-checklist.md`	In progress
Hardening implementation	`security-hardening-implementation.md`	Complete (2026-02-13)
Formal assessment	`security-rapport-2026-02-12.md`	Complete (2026-02-12)

Remediation Phases

Phase 1 —-- BeforeCurrent PISprint Licence(in Submissionprogress)

Security

fixes, ~~External~~architecture ~~penetration~~cleanup, test ~~(full~~suite, ~~scope)~~

~~Vulnerability assessment~~

~~Incident response tabletop exercise~~

~~Vendor risk assessments (BankID + Open Banking partner)~~

~~Audit rights in all critical vendor contracts~~

~~DPO appointment~~

~~Board ICT risk review~~

CI/CD.

Phase 2 —-- WithinBanking 6Integration Months(pending ofpartner Licence Grantselection)

BankID,

Open DRBanking ~~environment~~AISP/PISP, ~~build~~real ~~and~~KYC, ~~test~~

PostgreSQL

~~BCP/DR drill~~

~~ICT risk register tooling~~

~~Production SIEM (CloudWatch + Sentry)~~

~~Per-vendor exit strategies (6 critical vendors)~~

~~Automated patch management~~

migration.

Phase 3 —-- OngoingProduction Launch (post-licence)after Phase 2 + follow-up audit)

Audit

~~Annual~~logging, ~~ICT~~error ~~risk~~handling, ~~self-assessment~~monitoring, ~~(DORA~~staging ~~Art.~~environment, ~~6(8))~~

load

~~Annual~~testing, external penetration ~~test~~

~~Quarterly vulnerability assessments~~

~~TLPT within 3 years of licence grant~~

test.

Source: docs/SECURITY-COMPLIANCE/dora-self-assessment.md §6security/security-rapport-2026-02-12.md:196-220