Compliance Overview

Drop Compliance Status

Last updated: 2026-03-10
Source: legal/ (16 regulatory docs), docs/SECURITY-COMPLIANCE/ (8 detailed framework docs), legal/drop-gap-analysis-v2.md

Detailed compliance documentation: see docs/SECURITY-COMPLIANCE/ for the full regulatory framework, the DORA self-assessment, the data encryption policy, and the other documents required for the Finanstilsynet PI licence application.


Overall Compliance Readiness: ~30/100

Drop is an MVP-stage application using a PSD2 pass-through model: in the AISP role it reads bank balances via Open Banking, and in the PISP role it initiates payments from the user's own bank account, so Drop never holds customer money.

Completed since February 2026: BankID OIDC integration (SCA), Sumsub KYC live in production, DORA documentation, security hardening (0 Critical/High findings remaining), CSRF and rate-limiting middleware, and the SCA audit trail.


Regulatory Framework

Applicable Regulations

| Regulation | Norwegian Law | Relevance | Status |
|---|---|---|---|
| PSD2 | Betalingstjenesteloven (LOV-2018-11-23-85) | Core — payment services | ~35% ready |
| AML/KYC | Hvitvaskingsloven (LOV-2018-06-01-23) | Core — anti-money laundering | ~35% ready |
| GDPR | Personopplysningsloven (LOV-2018-06-15-38) | Core — personal data | ~25% ready |
| ICT Security | IKT-forskriften / DORA (EU) 2022/2554 | Required for financial entities | ~30% ready |
| Financial Enterprise | Finansforetaksloven (LOV-2015-04-10-17) | Licensing and governance | 0% ready |
| Currency Registry | Valutaregisterloven (LOV-2004-12-17-109) | Cross-border reporting | 0% ready |
| Consumer Protection | Finansavtaleloven (LOV-2020-12-18-146) | User rights | Partial |

Source: legal/drop-regulatory-map-v2.md, docs/SECURITY-COMPLIANCE/compliance-framework.md §1


Compliance Readiness by Area

1. Licensing (~15% ready)

| Requirement | Status | Notes |
|---|---|---|
| Finanstilsynet PI licence | Not applied | PATH A (aggregator) + PATH B (own licence) planned |
| Client fund safeguarding | N/A — pass-through model | No wallet, no float held |
| Initial capital | Not secured | €50–125K needed for PATH B |
| Business plan | Draft complete | legal/virksomhetsplan.md |
| DORA self-assessment | Complete | docs/SECURITY-COMPLIANCE/dora-self-assessment.md |

2. PSD2 / SCA (~35% ready)

| Requirement | Status | Code / Document |
|---|---|---|
| Strong Customer Authentication (BankID OIDC) | Implemented | src/drop-api/src/lib/bankid.ts, src/drop-api/src/routes/auth.ts |
| Dynamic linking (amount + payee tied to auth) | Partial | Consent model in place; PISP flow pending live partner |
| Open Banking AISP/PISP | Architecture complete | Awaiting aggregator partner (Tink/Aiia) |
| Framework agreement | Draft | legal/brukervilkar.md |
| Fee transparency pre-authorisation | Partial | Shown in payment confirmation screen |
| Session management | Implemented | src/drop-api/src/lib/auth.ts, httpOnly JWT |
| SCA audit trail | Implemented | Migration 010 — sca_events table |

3. AML/KYC (~35% ready)

| Requirement | Status | Notes |
|---|---|---|
| Customer identification (eIDAS High via BankID) | Implemented | BankID national ID verified |
| KYC verification (Sumsub) | Production | src/drop-api/src/lib/services/ — Sumsub adapter live |
| Transaction monitoring | Partial | Consent and audit logging in place; automated alerts TBD |
| Suspicious activity reporting | Not implemented | SAR procedures documented (legal/hvitvaskingsrutiner.md); tooling Phase 2 |
| AML risk assessment | Document exists | legal/risikovurdering-hvitvasking.md |

4. GDPR (~25% ready)

| Requirement | Status | Document |
|---|---|---|
| Privacy notice (Norwegian) | Draft | legal/personvernerklaering.md |
| DPIA | Draft | legal/dpia-vurdering.md, docs/SECURITY-COMPLIANCE/data-protection-impact-assessment.md |
| Terms of service | Draft | legal/brukervilkar.md |
| Data retention — cron job | Implemented | src/drop-app/src/app/api/cron/retention/route.ts |
| PII encryption at rest | Implemented | src/shared/crypto/pii-encryption.ts, KMS-backed |
| Processing register | Not created | legal/behandlingsprotokoll.md — Phase 2 |
| DPO appointment | Not done | Required before live |
| Consent management | Partial | Consent model in DB (consents table) |
| Right to erasure / portability | Not built | Phase 2 |

5. ICT Security / DORA (~30% ready)

Full assessment: docs/SECURITY-COMPLIANCE/dora-self-assessment.md — overall maturity 1.1/3

| Requirement | Status | Evidence |
|---|---|---|
| Security policy (IKT-sikkerhetspolicy) | Draft | legal/ikt-sikkerhetspolicy.md |
| BCP + BIA (DORA Art. 11) | Draft | legal/beredskapsplan.md §2 |
| Incident handling procedures | Draft | legal/hendelseshaandtering.md |
| DORA annual self-assessment | Complete | docs/SECURITY-COMPLIANCE/dora-self-assessment.md |
| DORA follow-up procedures (FP-01 to FP-T09) | Documented | docs/SECURITY-COMPLIANCE/compliance-framework.md §11.5 |
| Encryption policy | Complete | docs/SECURITY-COMPLIANCE/data-encryption-policy.md |
| Security hardening | Complete | 0 Critical/High findings remaining |
| CSRF protection | Implemented | src/drop-api/src/middleware/csrf.ts |
| Rate limiting | Implemented | src/drop-api/src/middleware/rate-limit.ts |
| Penetration test | Not done | Required before licence submission (GAP-DORA-01) |
| SIEM / security monitoring | Planned | CloudWatch + Sentry — Phase 2 |
| DR environment + BCP drill | Not done | Phase 2 (GAP-DORA-02) |

Security Audit Summary

Initial audit (2026-02-12): 4 Critical, 5 High, 6 Medium, 4 Low
Post-hardening (2026-02-13): 0 Critical, 0 High, 2 Medium, 4 Low
Latest hardening review: docs/security/audits/security-hardening-implementation.md

Key remediations completed:

  • Card data: only last_four + token_ref stored (no PAN/CVV)
  • Demo credentials gated behind NODE_ENV !== 'production'
  • SHA-256 passwords removed; bcrypt only
  • Session revocation implemented
  • Input sanitization applied to all text fields
  • CSRF tokens enforced on state-mutating routes
  • httpOnly + Secure + SameSite cookies on JWT
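The cookie, CSRF and card-data remediations listed above, shown as an added illustrative example in TypeScript. This is not code from the Drop repository (src/drop-api/src/middleware/csrf.ts is not reproduced here); it assumes a double-submit token pattern with the token held in the session and echoed in a request header, a cookie named `session`, and a configurable SameSite mode, none of which the page specifies.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// HTTP methods treated as safe (must not change state); the CSRF check applies to all others.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

type SameSiteMode = "Strict" | "Lax";

interface CookieOptions {
  maxAgeSeconds: number;
  sameSite: SameSiteMode;
  domain?: string; // assumed optional attribute; omit for a host-only cookie
}

// Build the Set-Cookie value for the session JWT with the attributes the audit
// required: HttpOnly (no document.cookie access), Secure (TLS only) and SameSite.
// The cookie name "session" is an assumption; the page does not give the real one.
function sessionCookie(jwt: string, opts: CookieOptions): string {
  // A base64url-encoded JWT never contains these characters, so reject anything
  // that does rather than let a stray ';' smuggle in extra cookie attributes.
  if (/[;,\s]/.test(jwt)) throw new Error("cookie value contains separator characters");
  const parts = [
    `session=${jwt}`,
    "Path=/",
    `Max-Age=${opts.maxAgeSeconds}`,
    "HttpOnly",
    "Secure",
    `SameSite=${opts.sameSite}`,
  ];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  return parts.join("; ");
}

// Lower-cased attribute names of a Set-Cookie line, so a test can assert the flags are present.
function cookieAttributes(setCookie: string): Set<string> {
  return new Set(
    setCookie.split(";").slice(1).map((p) => p.trim().split("=")[0].toLowerCase()),
  );
}

// 256-bit random CSRF token: stored server-side in the session and handed to the
// client, which echoes it back in a request header on state-mutating calls.
function issueCsrfToken(): string {
  return randomBytes(32).toString("hex");
}

type CsrfVerdict = "allowed" | "missing-token" | "token-mismatch";

// Enforce the token on every non-safe method. The comparison is constant-time so
// the check cannot be used to recover the token one byte at a time.
function csrfCheck(method: string, sessionToken?: string, headerToken?: string): CsrfVerdict {
  if (SAFE_METHODS.has(method.toUpperCase())) return "allowed";
  if (!sessionToken || !headerToken) return "missing-token";
  const expected = Buffer.from(sessionToken, "utf8");
  const presented = Buffer.from(headerToken, "utf8");
  if (expected.length !== presented.length) return "token-mismatch";
  return timingSafeEqual(expected, presented) ? "allowed" : "token-mismatch";
}

// Card-data minimisation: the stored record carries only the last four digits and
// the tokenisation provider's reference. The PAN is read once to derive last_four
// and is never returned; a CVV is never accepted by this function at all.
interface StoredCard {
  last_four: string;
  token_ref: string;
}

function toStoredCard(pan: string, tokenRef: string): StoredCard {
  const digits = pan.replace(/\D/g, "");
  if (digits.length < 12 || digits.length > 19) throw new Error("PAN length out of range");
  if (!/^[A-Za-z0-9_-]+$/.test(tokenRef)) throw new Error("unexpected token_ref format");
  return { last_four: digits.slice(-4), token_ref: tokenRef };
}
```

One caveat when choosing the SameSite mode: a `Strict` cookie is not sent on the top-level redirect back from an external identity provider such as BankID, so a session cookie set before the OIDC round trip would be missing on the callback request. `Lax` is the usual choice for that flow, with the CSRF token above carrying the cross-site protection for state-mutating requests.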

DORA Significant Gaps (for Finanstilsynet disclosure)

| Gap | DORA Reference | Severity | Target |
|---|---|---|---|
| No live pen test or VA completed | Art. 24(2) | High | Before launch |
| DR environment not built; BCP drill not conducted | Art. 11(6) | High | Phase 2 |
| ICT risk register tooling not operational | Art. 6(1) | Medium | Phase 2 |
| Third-party risk assessments incomplete (BankID, OB partner) | Art. 28(4) | Medium | Before launch |
| SIEM not live | Art. 10(1) | Medium | Phase 2 |

Full gap list: docs/SECURITY-COMPLIANCE/dora-self-assessment.md §5


Legal Documents

Location: legal/

| Document | File | Status |
|---|---|---|
| Privacy notice | personvernerklaering.md | Draft |
| DPIA assessment | dpia-vurdering.md | Draft |
| Terms of service | brukervilkar.md | Draft |
| AML procedures | hvitvaskingsrutiner.md | Draft |
| AML risk assessment | risikovurdering-hvitvasking.md | Draft |
| ICT security policy | ikt-sikkerhetspolicy.md | Draft |
| Incident handling | hendelseshaandtering.md | Draft |
| Business continuity + BIA | beredskapsplan.md | Draft |
| Outsourcing policy | utkontraktering-policy.md | Draft |
| Internal control | internkontroll.md | Draft |
| Suitability assessment | egnethetsvurdering.md | Draft |
| Complaint handling | klagebehandling.md | Draft |
| Licensing preparation | konsesjonssoknad-forberedelse.md | Draft |
| Business plan | virksomhetsplan.md | Draft |
| Gap analysis v2 | drop-gap-analysis-v2.md | Complete |
| Regulatory map v2 | drop-regulatory-map-v2.md | Complete |

Remediation Phases

Phase 1 — Before PI Licence Submission

  • External penetration test (full scope)
  • Vulnerability assessment
  • Incident response tabletop exercise
  • Vendor risk assessments (BankID + Open Banking partner)
  • Audit rights in all critical vendor contracts
  • DPO appointment
  • Board ICT risk review

Phase 2 — Within 6 Months of Licence Grant

  • DR environment build and test
  • BCP/DR drill
  • ICT risk register tooling
  • Production SIEM (CloudWatch + Sentry)
  • Per-vendor exit strategies (6 critical vendors)
  • Automated patch management

Phase 3 — Ongoing (post-licence)

  • Annual ICT risk self-assessment (DORA Art. 6(8))
  • Annual penetration test
  • Quarterly vulnerability assessments
  • TLPT within 3 years of licence grant

Source: docs/SECURITY-COMPLIANCE/dora-self-assessment.md §6