Compliance Overview

Drop Compliance Status

Last updated: 2026-~~02-13~~03-10 Source: legal/ ~~directory~~ (16 regulatory ~~documents)~~docs), security/docs/SECURITY-COMPLIANCE/ ~~directory~~(8 (5detailed ~~security~~framework ~~documents)~~docs), legal/drop-gap-analysis-v2.md,

Detailed compliance documentation: See legal/drop-regulatory-map-v2.mddocs/SECURITY-COMPLIANCE/ for the full regulatory framework, DORA self-assessment, data encryption policy, and other documents required for Finanstilsynet PI licence application.

Overall Compliance Readiness: 8/~30/100

Drop is an MVP-stage application using a PSD2 pass-through model (AISP reads bank ~~balances,~~balances via Open Banking, PISP initiates payments from user's bank — Drop never holds customer money).

~~Regulatory~~

Since ~~compliance~~Feb is2026: ~~not~~BankID ~~expected~~OIDC atintegrated ~~this~~(SCA), ~~stage,~~Sumsub ~~but~~KYC live, DORA documentation iscompleted, ~~being~~security ~~prepared.~~hardening ~~Cards~~completed ~~are~~(0 aCritical/High ~~FUTURE~~remaining), ~~feature,~~CSRF ~~gated~~and ~~behind~~rate-limiting ~~feature~~middleware ~~flags.~~added, SCA audit trail deployed.

Regulatory Framework

Applicable Regulations

~~regulation~~ ~~protection~~ ~~reporting~~

Regulation	Norwegian Law	Relevance	Status
PSD2	Betalingstjenesteloven (LOV-2018-11-23-85)	Core --— payment services	~35% ready
AML/KYC	Hvitvaskingsloven (LOV-2018-06-01-23)	Core --— anti-money laundering	~35% ready
GDPR	Personopplysningsloven (LOV-2018-06-15-38)	Core --— personal data	~25% ready
ICT Security	IKT-forskriften / DORA (EU) 2022/2554	Required for financial ~~enterprises~~entities	~30% ready
Financial Enterprise	Finansforetaksloven (LOV-2015-04-10-17)	Licensing and governance	0% ready
Currency Registry	Valutaregisterloven (LOV-2004-12-17-109)	Cross-border ~~payment~~reporting	0% ready
Consumer Protection	Finansavtaleloven (LOV-2020-12-18-146)	~~Terms and user~~User rights	Partial

Source: legal/drop-regulatory-map-v2.md:1-80md, docs/SECURITY-COMPLIANCE/compliance-framework.md §1

Compliance Readiness by Area

1. Licensing (0%~15% ready)

~~Source:~~ legal/drop-gap-analysis-v2.md:31-50

Requirement	Status	~~Gap~~Notes
Finanstilsynet ~~license~~PI licence	Not applied	~~FULL~~PATH ~~GAP~~A (aggregator) + PATH B (own licence) planned
Client fund safeguarding	~~Not~~N/A ~~applicable~~— ~~(demo)~~pass-through model	~~FULL~~No ~~GAP~~wallet, no float held
Initial capital ~~(20K-125K EUR)~~	Not secured	~~FULL~~€50–125K ~~GAP~~needed for PATH B
Business plan	~~Exists~~Draft ~~as draft~~complete	~~PARTIAL~~`legal/virksomhetsplan.md`
~~Agent~~DORA ~~arrangement~~self-assessment	~~None~~Complete	~~FULL GAP~~`docs/SECURITY-COMPLIANCE/dora-self-assessment.md`

Recommended path: Agent model under ~~licensed~~Tink/Aiia ~~PSP~~licence (~~1-3~~4–8 ~~months)~~weeks) ~~while~~+ ~~preparing~~own ~~full~~PI ~~license~~licence ~~application~~in ~~(6-12~~parallel. ~~months)~~See project/FASTEST-PATH-TO-PRODUCTION.md.

2. PSD2 / SCA (10% ready)

~~Source:~~ legal/drop-gap-analysis-v2.md:53-78

~~Requirement~~	~~Status~~	~~Code Reference~~
~~Strong Customer Authentication~~	~~NOT IMPLEMENTED~~	~~No BankID, email+password only~~
~~BankID integration~~	~~NOT IMPLEMENTED~~	~~Mentioned in architecture, not in code~~
~~Dynamic linking~~	~~NOT IMPLEMENTED~~	~~No amount+payee tied to auth~~
~~Open Banking AISP/PISP~~	~~NOT IMPLEMENTED~~	~~Balance is local, not from bank~~
~~Framework agreement~~	~~PARTIAL~~	~~Landing page has~~ `vilkar.html`
~~Fee transparency pre-auth~~	~~PARTIAL~~	~~Fee shown in API after submission~~
~~Session management~~	~~IMPLEMENTED~~	`lib/auth.ts`, `lib/middleware.ts`

3. AML/KYC (5%~35% ready)

Requirement	Status	~~Gap~~Code / Document
Strong Customer Authentication (BankID OIDC)	Implemented	`src/drop-api/src/lib/bankid.ts`, `src/drop-api/src/routes/auth.ts`
Dynamic linking (amount + payee tied to auth)	Partial	Consent model in place; PISP flow pending live partner
Open Banking AISP/PISP	Architecture complete	Awaiting aggregator partner (Tink/Aiia)
Framework agreement	Draft	`legal/brukervilkar.md`
Fee transparency pre-authorisation	Partial	Shown in payment confirmation screen
Session management	Implemented	`src/drop-api/src/lib/auth.ts`, httpOnly JWT
SCA audit trail	Implemented	Migration 010 — `sca_events` table

3. AML/KYC (~35% ready)

Requirement	Status	Notes
Customer identification (eIDAS High via BankID)	~~Mock only~~Implemented	~~Auto-approve~~BankID national ID verified
KYC verification (Sumsub)	Production	`src/drop-api/src/lib/services/` — Sumsub adapter live
Transaction monitoring	~~NOT IMPLEMENTED~~Partial	NoConsent ~~monitoring~~and ~~system~~audit logging in place; automated alerts TBD
Suspicious activity reporting	~~NOT~~Not ~~IMPLEMENTED~~implemented	No SAR ~~capability~~procedures documented (`legal/hvitvaskingsrutiner.md`), tooling Phase 2
~~Risk~~AML risk assessment	Document exists	`legal/risikovurdering-hvitvasking.md`
~~AML procedures~~	~~Document exists~~	`legal/hvitvaskingsrutiner.md`

Requiredbefore

Requirement	Status	Document
Privacy notice (Norwegian)	~~EXISTS (draft)~~Draft	`legal/personvernerklaering.md`
DPIA	~~EXISTS (draft)~~Draft	`legal/dpia-vurdering.md`, `docs/SECURITY-COMPLIANCE/data-protection-impact-assessment.md`
Terms of service	~~EXISTS (draft)~~Draft	`legal/brukervilkar.md`
Data retention — cron job	Implemented	`src/drop-app/src/app/api/cron/retention/route.ts`
PII encryption at rest	Implemented	`src/shared/crypto/pii-encryption.ts`, KMS-backed
Processing register	~~NOT~~Not ~~CREATED~~created	--`legal/behandlingsprotokoll.md` — Phase 2
DPO appointment	~~NOT~~Not ~~DONE~~done	--
~~Data retention policy~~	~~NOT DEFINED~~	--live
Consent management	~~NOT IMPLEMENTED~~Partial	--Consent model in DB (`consents` table)
Right to erasure / portability	Not built	Phase 2

5. ICT Security / DORA (25%~30% ready)

~~Source:~~Full assessment: security/security-rapport-2026-02-12.md:187-188docs/SECURITY-COMPLIANCE/dora-self-assessment.md — overall maturity 1.1/3

~~PROGRESS~~

Requirement	Status	~~Document/Code~~Evidence
Security policy (IKT-sikkerhetspolicy)	~~EXISTS (draft)~~Draft	`legal/ikt-sikkerhetspolicy.md`
BCP + BIA (DORA Art. 11)	Draft	`legal/beredskapsplan.md §2`
Incident handling procedures	~~EXISTS (draft)~~Draft	`legal/hendelseshaandtering.md`
~~Business~~DORA ~~continuity~~annual self-assessment	~~EXISTS (draft)~~Complete	`legal/beredskapsplan.docs/SECURITY-COMPLIANCE/dora-self-assessment.md`
~~Outsourcing~~DORA ~~policy~~follow-up procedures (FP-01 to FP-T09)	~~EXISTS (draft)~~Documented	`legal/utkontraktering-policy.docs/SECURITY-COMPLIANCE/compliance-framework.md §11.5`
~~Security~~Encryption ~~audit~~policy	~~COMPLETED~~Complete	`security/drop-security-rapport.docs/SECURITY-COMPLIANCE/data-encryption-policy.md`
~~Penetration testing~~	~~NOT DONE~~	--
Security hardening	INComplete	0 Critical/High findings remaining
CSRF protection	Implemented	`security/security-hardening-implementation.mdsrc/drop-api/src/middleware/csrf.ts`
Rate limiting	Implemented	`src/drop-api/src/middleware/rate-limit.ts`
Penetration test	Not done	Required before licence submission (GAP-DORA-01)
SIEM / security monitoring	Planned	CloudWatch + Sentry — Phase 2
DR environment + BCP drill	Not done	Phase 2 (GAP-DORA-02)

Security Audit Summary

~~Date:~~Initial audit: 2026-02-12 ~~Source:~~— security/drop-security-rapport.md

Before Hardening

4 ~~CRITICAL,~~Critical, 5 ~~HIGH,~~High, 6 ~~MEDIUM,~~Medium, 4 ~~LOW~~Low ~~findings~~

After HardeningPost-hardening (2026-02-13)

0 Critical, 0 High, 2 Medium, 4 Low ~~Source:~~Latest hardening review: docs/security/audits/security-hardening-implementation.md

Key remediations completed:

~~0 CRITICAL (all resolved)~~

~~0 HIGH (all resolved)~~

~~2 MEDIUM remaining (CSP tightening, proxy config)~~

~~4 LOW (acknowledged, out of scope)~~

Key Remediations Completed

C1 -- Card data: ~~Schema now stores~~ only last_four ~~and~~+ token_ref stored (no PAN/CVV)
C2 -- Demo ~~credentials:~~credentials ~~Gated~~gated behind NODE_ENV !== 'production'
C4 -- SHA-256 ~~passwords:~~passwords ~~Removed entirely,~~removed; bcrypt only
~~C6/H1~~ -- Session ~~revocation:~~revocation ~~Implemented and active~~implemented
H4 -- Input ~~sanitization:~~sanitization ~~Applied~~applied to all text fields
M5CSRF --tokens ~~Notification~~enforced ~~IDs:~~on ~~Validated~~state-mutating ~~(max 100, format check)~~routes
M6httpOnly --+ ~~Settings:~~Secure ~~Currency/language~~+ ~~validated~~SameSite ~~against~~cookies ~~whitelists~~on JWT

DORA Significant Gaps (for Finanstilsynet disclosure)

Gap	DORA Reference	Severity	Target
No live pen test or VA completed	Art. 24(2)	High	Before launch
DR environment not built; BCP drill not conducted	Art. 11(6)	High	Phase 2
ICT risk register tooling not operational	Art. 6(1)	Medium	Phase 2
Third-party risk assessments incomplete (BankID, OB partner)	Art. 28(4)	Medium	Before launch
SIEM not live	Art. 10(1)	Medium	Phase 2

Full gap list: docs/SECURITY-COMPLIANCE/dora-self-assessment.md §5

Legal Documents Inventory

Location: ~/ALAI/products/Drop/legal/

Document	File	Status
Privacy notice	`personvernerklaering.md`	Draft
DPIA assessment	`dpia-vurdering.md`	Draft
Terms of service	`brukervilkar.md`	Draft
AML procedures	`hvitvaskingsrutiner.md`	Draft
AML risk assessment	`risikovurdering-hvitvasking.md`	Draft
ICT security policy	`ikt-sikkerhetspolicy.md`	Draft
Incident handling	`hendelseshaandtering.md`	Draft
Business continuity + BIA	`beredskapsplan.md`	Draft
Outsourcing policy	`utkontraktering-policy.md`	Draft
Internal control	`internkontroll.md`	Draft
Suitability assessment	`egnethetsvurdering.md`	Draft
Complaint handling	`klagebehandling.md`	Draft
Licensing preparation	`konsesjonssoknad-forberedelse.md`	Draft
Business plan	`virksomhetsplan.md`	Draft
Gap analysis v2	`drop-gap-analysis-v2.md`	Complete
Regulatory map v2	`drop-regulatory-map-v2.md`	Complete

Security Documents Inventory

~~Location:~~ ~/ALAI/products/Drop/security/

~~Document~~	~~File~~	~~Status~~
~~Security audit rapport~~	`drop-security-rapport.md`	~~Complete (2026-02-12)~~
~~Gap analysis~~	`gap-analysis.md`	~~Complete (2026-02-12)~~
~~Hardening checklist~~	`hardening-checklist.md`	~~In progress~~
~~Hardening implementation~~	`security-hardening-implementation.md`	~~Complete (2026-02-13)~~
~~Formal assessment~~	`security-rapport-2026-02-12.md`	~~Complete (2026-02-12)~~

Remediation Phases

Phase 1 --— CurrentBefore SprintPI (inLicence progress)Submission

~~Security~~

~~fixes,~~

~~architecture~~External ~~cleanup,~~penetration test ~~suite,~~(full ~~CI/CD.~~
scope)

Vulnerability assessment

Incident response tabletop exercise

Vendor risk assessments (BankID + Open Banking partner)

Audit rights in all critical vendor contracts

DPO appointment

Board ICT risk review

Phase 2 --— BankingWithin Integration6 Months of Licence Grant

DR environment build and test

BCP/DR drill

ICT risk register tooling

Production SIEM (~~pending~~CloudWatch ~~partner~~+ ~~selection)~~Sentry)

~~BankID,~~

~~Open~~Per-vendor ~~Banking~~exit ~~AISP/PISP,~~strategies ~~real~~(6 ~~KYC,~~critical ~~PostgreSQL~~vendors)

~~migration.~~

Automated patch management

Phase 3 --— Production LaunchOngoing (after Phase 2 + follow-up audit)post-licence)

~~Audit~~

~~logging,~~

Annual ~~error~~ICT ~~handling,~~risk ~~monitoring,~~self-assessment ~~staging~~(DORA ~~environment,~~Art. ~~load~~6(8))

~~testing, external~~

Annual penetration ~~test.~~
test

Quarterly vulnerability assessments

TLPT within 3 years of licence grant

Source: security/security-rapport-2026-02-12.md:196-220docs/SECURITY-COMPLIANCE/dora-self-assessment.md §6