Sagar Mahatara

Corporate Lawyer

FDI Lawyer

IP Lawyer


AML Compliance for FinTechs and VASPs in Nepal: Legal Obligations & Best Practices

November 1, 2025

Introduction

In Nepal’s rapidly evolving digital payments and financial technology landscape, AML compliance has become a critical legal and regulatory requirement for fintech companies and virtual asset service providers (VASPs). Fintech companies, VASPs and digital payment platforms must maintain robust anti‑money‑laundering (AML) and counter‑terrorist‑financing (CFT) frameworks to stay compliant with the legal regime overseen by the Nepal Rastra Bank (NRB), the Financial Intelligence Unit – Nepal (FIU‑Nepal) and international standards such as those of the Financial Action Task Force (FATF).
This article provides a detailed guide to AML compliance for fintechs and VASPs in Nepal, covering legal obligations, the risk‑based approach, controls, enforcement trends and practical recommendations.

1. Why AML compliance matters for fintechs and VASPs in Nepal

Fintechs and VASPs present heightened money‑laundering and terrorist‑financing (ML/TF) risks: they offer digital, often cross‑border, fast payment or asset transfer services, which can be exploited for illicit flows. According to FATF’s interpretive guidance, a “virtual asset service provider” refers to any natural or legal person that conducts, on behalf of another, activities including exchange between virtual assets and fiat currencies, transfer of virtual assets, safekeeping or administration of virtual assets, or the provision of other financial services relating to virtual assets.

In Nepal, the NRB’s recently‐issued Suspicious Transaction Report (STR) / Suspicious Activity Report (SAR) Guidelines 2025 explicitly include fintechs, digital wallets and VASPs within the reporting perimeter.
Non‑compliance may lead to sanctions, loss of licence, reputational damage and regulatory intervention. For fintechs and VASPs operating in Nepal, avoiding these outcomes demands a structured AML compliance programme.

2. Legal & regulatory framework in Nepal for AML compliance

2.1 Key legislation

  • The Assets (Money) Laundering Prevention Act, 2008 (AML Act) remains the principal statute targeting money‑laundering in Nepal.
  • The NRB’s Money Laundering Prevention Supervision Division (MLPSD) oversees inspections, off‑site surveillance and enforcement across licensed financial institutions.
  • The 2025 STR/SAR Guidelines apply to fintechs, VASPs, payment service providers (PSPs) and other high‑risk sectors.

2.2 Scope of obligated entities

Fintechs and VASPs, as digital financial service providers, fall within the ambit of AML compliance. Payment processors, wallet companies and VASPs must implement customer due diligence (CDD), transaction monitoring, suspicious transaction reporting (STR) and maintain records.

2.3 International standard alignment

Nepal aligns with FATF Recommendation 15 which extends AML/CFT measures to virtual assets and VASPs.

2.4 Recent enforcement and regulatory developments

The 2025 STR/SAR Guidelines introduced real‐time alerting (24‑hour red flag reporting for terrorism‐linked or cyber laundering) and digital goAML reporting. A partnership between the Payment Service Providers Association of Nepal (PSPAN) and RegTech firm ZIGRAM underscores fintech‑sector regulatory focus.

3. Key obligations for fintechs and VASPs in Nepal

3.1 Customer due diligence (CDD) & KYC
Fintechs and VASPs must implement CDD and know‑your‑customer (KYC) procedures: verifying identity, beneficial ownership, understanding business purpose, risk profiling. For virtual asset service providers, FATF guidance emphasises enhanced due diligence for higher‑risk customers or transactions.
3.2 Monitoring & transaction screening
Continuous monitoring of transactions is required—particularly for high‑risk patterns, unusual volumes, cross‑border transfers, digital wallet layering. Fintechs should deploy RegTech tools integrated with local and global watchlists.
3.3 Suspicious Transaction Reporting (STR) / Suspicious Activity Reporting (SAR)
Fintechs and VASPs in Nepal must file STRs within the timeframe specified (24 hours for specified high‑risk cases) under the 2025 Guidelines.
3.4 Risk‑based approach (RBA)
Obliged entities must adopt a risk‑based approach: assess ML/TF risks, calibrate controls accordingly, maintain documented risk assessments. FATF guidance for VASPs provides detailed risk factors and red‑flag indicators.
3.5 Record‑keeping and audit trails
Maintain customer and transaction records for the statutory period (often 5‑7 years), ensure auditability of AML controls, and enable regulatory inspection.
3.6 Governance, compliance officer & training
Fintechs and VASPs must appoint a Money Laundering Reporting Officer (MLRO) or equivalent compliance lead; develop internal AML policies; conduct periodic audits and staff training.
3.7 Virtual assets / VASPs: Additional obligations
If an entity qualifies as a VASP under FATF/Nepal standards, it will face additional compliance strictures: registration/licensing, segregation of client assets, enhanced monitoring of virtual asset transfers, peer‐to‑peer wallet risk, and cross‑border flows.

4. Practical steps for fintechs and VASPs to build an AML compliance programme

4.1 Conduct an ML/TF risk assessment
Start by mapping your business model (payments, lending, virtual assets), customer profiles, geographies, and products; identify risks; classify customers/transactions; document findings.
4.2 Draft AML compliance policies and manuals
Create an AML policy tailored to Nepal context: include CDD/KYC, transaction monitoring, STR/SAR process, sanctions screening, digital wallet risk, crypto/VASP specific rules, staff responsibilities, internal audit process.
4.3 Implement CDD/KYC & onboarding controls
Use digital KYC (e‑KYC) where permitted; verify identity; screen PEPs (politically exposed persons) and sanctions; obtain beneficial ownership info; assign risk rating.
4.4 Transaction monitoring and alerting systems
Deploy systems to monitor transactions in real time, flag suspicious patterns (typologies such as layering, cross‑border transfers, wallet hopping). Use RegTech solutions tailored for Nepal’s context.
4.5 Suspicious activity reporting mechanism
Establish an internal escalation process: alerts → compliance officer review → decide STR/SAR → file with FIU‑Nepal. Fintechs must meet 24‑hour reporting for high‑risk cases.
4.6 Sanctions & embargo list screening
Screen customers and transactions against domestic and international sanctions lists, PEP lists, UN/EU lists.
4.7 Virtual assets / VASP specific controls
If you handle virtual assets or VASP‑type services: ensure wallet controls, segregation of client assets, monitoring of cross‑border virtual asset flows, enhanced due diligence on unknown wallet counter‑parties.
4.8 Training & audit
Provide regular training for staff on AML risks, red‑flags, typologies; conduct internal and external audits of compliance programme.
4.9 Governance oversight & culture
Board and senior management must own AML compliance; ensure independence of compliance function; promote a culture of “know your risk” and “report suspicious activities”.
4.10 Continuous review & improvement
Update your risk assessment, policies and controls at least annually or when there is a material change (new product, jurisdiction, virtual asset offering). FATF expects annual risk assessment for VASPs.

5. Challenges & common pitfalls for fintechs and VASPs in Nepal

  • Digital wallet layering and peer‑to‑peer transfers are harder to monitor than traditional bank transfers.
  • Identifying beneficial ownership in fintech/virtual asset contexts can be opaque.
  • Rapid innovation, new products and cross‑border flows require agile AML controls.
  • Regulatory ambiguity in virtual assets/VASPs: according to the FATF review, Nepal prohibits VASPs under certain statutes but enforcement and registration remain challenging.
  • Maintaining and justifying a risk‑based approach requires documented evidence and audit trails.
  • Integration of RegTech solutions may require investment and alignment with legacy systems. For example, Nepal’s fintech association’s partnership with ZIGRAM highlights the move toward sophisticated AML solutions.

6. Enforcement, penalties and regulatory risk in Nepal

The MLPSD under NRB has powers to inspect and impose sanctions for AML/CFT breaches. The 2025 STR/SAR Guidelines introduce administrative fines, targeted inspections and licence suspension for non‑filing or incomplete filing of STRs. For virtual assets/VASPs, Nepal’s legal amendments prohibit such operations without appropriate licensing — contravention may result in asset confiscation, fines and up to 5 years’ imprisonment. Thus fintechs and VASPs must treat AML compliance not as an optional operational cost but as a core regulatory obligation.

7. Best practices & roadmap for fintechs and VASPs

Short‑term (0‑6 months):

  • Conduct comprehensive risk assessment
  • Draft AML policy specific to your fintech/VASP model
  • Establish CDD/KYC and digital onboarding
  • Deploy sanctions/PEP screening and transaction monitoring
  • Train staff and appoint MLRO

Medium‑term (6‑18 months):

  • Integrate RegTech/AML software suitable for Nepal (e.g., SmartScan)
  • Enhance wallet monitoring, cross‑border flow detection, virtual asset tracking
  • Establish internal audit of AML programme
  • Build reporting mechanism and governance escalation

Long‑term (18–36 months):

  • Publish regular compliance reports for board/management
  • Conduct annual risk assessment and control review
  • Align with global best practices (FATF, APG) and build robust culture of compliance
  • If VASP‑eligible, seek registration/licence as required and manage ongoing supervision

8. How LawSagar can assist fintechs and VASPs in Nepal

As a specialized corporate law and FDI advisory firm in Nepal, LawSagar helps fintechs and VASPs with:

  • Legal review of fintech/VASP business models for AML/CFT risk
  • Drafting AML/CFT policy, KYC/EDD templates and compliance manuals
  • Assisting with registration/licensing processes and regulatory filings
  • Conducting compliance audits and training programmes for staff
  • Advising on virtual asset regulatory requirements and cross‑border payment risk
  • Representing clients before NRB and FIU‑Nepal on AML/CFT matters

Our deep experience in Nepal’s corporate and regulatory landscape ensures that fintechs and VASPs implement not just technically compliant systems, but commercially viable and investor‑friendly frameworks.

9. Conclusion

For fintechs and VASPs operating in Nepal, AML compliance is not merely a regulatory checkbox — it is a core operational discipline that protects your business, builds trust with investors and clients, and ensures regulatory sustainability. By adopting a risk‑based approach, implementing strong controls, leveraging RegTech tools and aligning with Nepal’s evolving AML/CFT‑regime, your fintech or virtual asset service provider can position itself as a trustworthy market player. LawSagar stands ready to guide you through this complex but essential compliance journey.


FAQs

Q1. What fintech companies in Nepal must comply with AML/CFT obligations?
Any fintech company, digital wallet provider or payment service provider (PSP) regulated by NRB or operating in digital payments must comply with AML/CFT obligations under Nepal’s AML regime. The 2025 STR/SAR Guidelines specifically include fintechs and VASPs.

Q2. Are virtual asset service providers (VASPs) regulated in Nepal for AML?
Yes. While Nepal’s regulatory framework is still developing, Nepal’s FATF Mutual Evaluation Report indicates that VASPs are prohibited under certain statutes but remain a risk‑area and subject to enforcement.

Q3. What is the time‑frame for filing a Suspicious Transaction Report (STR) in Nepal?
Under the 2025 STR/SAR Guidelines, fintechs and VASPs must file a high‑risk or terrorism‑linked transaction alert within 24 hours, replacing earlier longer time‑frames.

Q4. What penalties can fintechs or VASPs face for AML non‑compliance in Nepal?
Penalties include administrative fines, targeted inspections, licence suspension, confiscation of illicit assets and in some cases criminal liability of officials. Virtual asset activities without licensing may attract up to five years’ imprisonment.

Q5. How can fintechs implement a risk‑based approach to AML in Nepal?
A risk‑based approach involves identifying and assessing ML/TF risks in your business model, classifying customers/transactions, tailoring controls accordingly, periodically reviewing, and documenting everything to withstand regulatory scrutiny. FATF guidance confirms this is essential for VASPs.
