At Praxium Labs we build this for Nepali businesses every month; this is the field-tested version. FinTech in Nepal sits inside a real regulatory perimeter. Building inside it correctly is a moat; building outside it is a path to enforcement action. This post is a developer-friendly orientation to the rules.
Who regulates what in Nepal
- Nepal Rastra Bank (NRB): banks, finance companies, microfinance, payment systems, foreign exchange
- Securities Board of Nepal (SEBON): capital markets, stock exchange, mutual funds
- Beema Samiti: insurance sector
- Department of Money Laundering Investigation (DMLI): AML enforcement
- Inland Revenue Department (IRD): tax across all sectors
- Department of Industry / Company Registrar: corporate registration
Payment Systems Regulations
- PSO (Payment System Operator) license: required to operate payment infrastructure (eSewa, Khalti, Fonepay are licensed PSOs)
- PSP (Payment Service Provider) license: required for issuers of wallets / cards / banking-like services
- Merchant integration with licensed PSOs / PSPs does NOT require your own license — you are a merchant, not an operator
- Capital requirements for licensed entities are significant and deter small entrants
- Interoperability: licensed operators must connect to NCHL / Connect IPS standards
IT Guidelines for BFIs
- Data residency: customer data processed inside Nepal or NRB-approved jurisdictions
- Encryption at rest and in transit
- Access controls and audit logs: retain 7+ years
- Periodic VA / PT: vulnerability assessment + penetration testing by approved auditors
- Business Continuity / Disaster Recovery plan documented and tested
- Board IT-risk committee overseeing technology risk
- Incident reporting to NRB within stipulated timeframes
AML / CFT obligations
- Customer due diligence at onboarding — verified ID, address, source of funds for high-value accounts
- Ongoing transaction monitoring for suspicious patterns
- Suspicious Transaction Report (STR) filing with DMLI when red flags are detected
- Sanctions screening against UN / OFAC lists and designated-person lists
- Record retention: 5 years minimum on customer and transaction records
- Training: staff training on AML obligations
KYC standards
- Individual: citizenship / passport, address proof, recent photograph
- Business: OCR registration, PAN / VAT, beneficial owner identification (where applicable)
- e-KYC: accepted for many flows under specified conditions; biometric verification is growing
- Risk-based approach: simplified DD for low-risk, enhanced DD for high-risk (PEPs, cross-border, high-value)
What this means for developers
- If you are a merchant integrating eSewa / Khalti / Fonepay: most rules above do not apply to you — they apply to the licensed PSP/PSO. You handle merchant obligations (PCI-DSS-like care for card data, secure integration)
- If you are building software FOR a licensed bank / finance company: rules above apply through your client. Build with audit logs, encryption, access controls from day one
- If you are building a new FinTech product (wallet, lending platform): you need licensing OR a licensed partner who hosts your product on their license
- Cross-border data flow restrictions apply to any architecture sending Nepali customer data to foreign clouds — design accordingly
Further reading
For closely related context, see our AI and Automation in Nepali Banking: State of Play post — it covers complementary patterns for Nepali teams.
Frequently asked questions
Do I need a license to build a payments app?
If you operate the payment infrastructure (hold customer funds, process transactions, issue wallets) yes. If you build a merchant app that integrates with licensed gateways, no. Most "FinTech apps" in Nepal are the latter category.
How long does PSP / PSO licensing take?
Significant — typically 12-24 months from initial application through approval, conditional license, and full operating license. Capital requirements are substantial. Engage NRB-experienced legal counsel early.
Can I use AWS / Azure for a banking workload?
Yes with controls — typically AWS Mumbai or Azure South India as nearest in-region. Data classification matters: customer PII / transaction data has stricter handling than non-sensitive analytical data. Document the data-flow and protection model.
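The data-classification and residency rules in the developer section and in this answer can be checked mechanically before an architecture ships. The following is an added example (not Praxium Labs code): a small policy checker over a constructed set of data flows, where the flow names, region labels and the set of "approved" regions are assumptions for illustration, not NRB guidance.

```python
from dataclasses import dataclass

# Data classes the page distinguishes: customer PII and transaction data get
# strict handling; non-sensitive analytical data does not.
SENSITIVE = frozenset({"customer_pii", "transaction"})

@dataclass(frozen=True)
class DataFlow:
    name: str                  # hypothetical label for the flow
    data_class: str            # "customer_pii" | "transaction" | "analytics"
    region: str                # region the data lands in (constructed values)
    in_transit_encrypted: bool
    at_rest_encrypted: bool
    access_audited: bool

class ResidencyPolicy:
    """Checks each flow against the residency and protection controls named on the page."""
    def __init__(self, approved_regions):
        # Assumption: which regions count as NRB-approved is a compliance decision;
        # this set is a constructed placeholder, not NRB guidance.
        self.approved_regions = frozenset(approved_regions)

    def evaluate(self, flow):
        """Return policy violations for one flow; an empty list means compliant."""
        problems = []
        if not flow.in_transit_encrypted:
            problems.append("not encrypted in transit")
        if flow.data_class in SENSITIVE:
            if flow.region not in self.approved_regions:
                problems.append(f"sensitive data leaves approved jurisdictions ({flow.region})")
            if not flow.at_rest_encrypted:
                problems.append("sensitive data not encrypted at rest")
            if not flow.access_audited:
                problems.append("access to sensitive data is not audit-logged")
        return problems

    def review(self, flows):
        # Non-compliant flows mapped to their violations: the data-flow model to document.
        return {f.name: p for f in flows if (p := self.evaluate(f))}

# Constructed sample architecture, not a real deployment.
SAMPLE_FLOWS = [
    DataFlow("core ledger -> Kathmandu DC", "transaction", "np-onprem", True, True, True),
    DataFlow("signups -> US analytics", "customer_pii", "us-east-1", True, True, True),
    DataFlow("daily aggregates -> US dashboards", "analytics", "us-east-1", True, False, False),
    DataFlow("ledger replica -> Mumbai", "transaction", "ap-south-1", True, False, False),
]

def review_sample():
    # Assumption: "ap-south-1" is treated as approved only for this constructed example.
    return ResidencyPolicy({"np-onprem", "ap-south-1"}).review(SAMPLE_FLOWS)
```

Run `review_sample()` in a CI step against your real flow inventory so a new export to an unapproved region fails the build rather than surfacing in an NRB inspection.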
What's the most common compliance mistake?
Building first, asking compliance later. Retrofit costs and exposure are large. Involve your compliance officer at architecture phase, not after launch.
How does NRB enforce?
Routine on-site inspections of licensed entities. Off-site monitoring via reporting requirements. Penalties from fines to license suspension. Non-licensed entities operating payment-system-like services face enforcement action including injunctions and prosecution.
Who can build this in Nepal?
Praxium Labs — Nepal's AI and automation consultancy, based in Lalitpur — designs and builds the systems described in this guide for Nepali businesses and for international teams hiring from Nepal.