Sagar Mahatara

Corporate Lawyer

FDI Lawyer

IP Lawyer


Payment Gateways, PSPs & Digital Payment Regulations in Nepal — A Compliance Guide (2025)

November 1, 2025

Introduction

If you operate or plan to launch payment gateways in Nepal, or provide digital payment services as a payment service provider (PSP), you must align with the Payment and Settlement Act (2019) and NRB’s licensing, bylaw and directive framework. NRB licences PSPs and PSOs, operates NepalQR standards, and now governs cross-border payment rules under the NPIx framework. Compliance involves corporate registration, capital and collateral requirements, technical standards, cybersecurity and KYC/AML controls, periodic reporting and adherence to NRB’s inspection regime. This guide explains the legal steps, operational requirements, and best practice compliance checklist.


1. Why this matters: the regulatory context for digital payments in Nepal

Digital payments are now central to Nepal’s financial infrastructure. The regulatory architecture is led by Nepal Rastra Bank (NRB) under the Payment and Settlement Act. NRB’s Payment Systems Department sets the licensing rules, issues bylaws and directives, supervises PSPs/PSOs, and enforces operational standards (including NepalQR and cross-border rules). NRB’s recent oversight reports and amendments show increasing supervision and higher technical, capital and AML expectations for PSPs. Any entity handling or routing electronic payments must therefore take a dual approach: (a) corporate and licensing compliance; and (b) operational, technical and AML/CFT compliance.

Key takeaway: Treat NRB requirements as foundational — non-compliance invites enforcement, fines and possible license revocation.


2. Who is regulated? Definitions and actors

Understanding the defined roles simplifies compliance.

  • Payment Service Provider (PSP): Entities licensed by NRB to provide payment services (wallets, mobile payments, merchant acquiring, switching). NRB distinguishes between PSPs and PSOs. Licensed PSPs can be banks, BFIs or non-bank payment service companies as permitted under licensing policy.
  • Payment System Operator (PSO): Entities that operate payment schemes/networks (e.g., NepalQR scheme operator, national clearing house). PSOs manage routing, settlement and switching infrastructure and are separately licensed by NRB.
  • Payment Gateway: A commercial product — typically provided by a licensed PSP or in partnership with banks — that accepts card/online payments from customers and routes them to acquirers. In Nepal, payment gateways conducting settlement must route through licensed BFIs or PSPs and comply with NRB technical and AML rules.
  • Merchant Acquirer & Issuer: Banks or PSPs that perform merchant acquiring and card issuing functions. Acquirers must be NRB-supervised institutions and comply with RTGS/IPS rules for settlement.

Practical counsel: If you plan to operate a payment gateway, you will either (a) obtain a PSP/PSO licence from NRB if eligible, or (b) partner with a licensed PSP/PSO and ensure contractual obligations cover NRB compliance and data protection.


3. Licensing: do you need a PSP or PSO licence?

3.1 Licensing policy & LOI step

NRB’s Licensing Policy for payment related institutions sets out eligibility, minimum capital/collateral requirements, scope of permitted activities and timeline for licensing. Key features include:

  • Entities must be registered in Nepal (Office of Company Registrar) before applying.
  • NRB may issue a Letter of Intent (LOI) followed by a full license. Applicants must demonstrate organization, governance, business plan, capital and technical infrastructure. Often NRB requires 1% of issued capital as collateral during licensing (subject to the policy).

3.2 Minimum capital, collateral & suitability

NRB evaluates financial strength, IT infrastructure, risk management, AML/CFT arrangements, and board/management competency. For certain licences NRB prescribes minimum paid-up capital and a collateral deposit equal to a percentage of capital (policy changes over time; check current NRB notice). Examples and lists of licensed PSPs/PSOs are published by NRB.

3.3 Time-frame & pre-approval steps

Once LOI is issued, developers must implement IT and security measures, finalize partnerships with BFIs for settlement, and submit for final licensing; NRB aims to decide within a statutory timeline (check current policy). Failure to satisfy technical or AML requirements leads to rejection or conditional licensing.

Practical checklist before applying:

  • Company registration (OCR) and corporate documents
  • KYC/AML program drafted and approved by board
  • IT architecture, disaster recovery and cyber resilience plan
  • Agreement with at least one acquiring bank for settlement
  • Business continuity and consumer redress mechanisms
  • Proof of paid-up capital and collateral deposit (as required)
  • Board & management CVs and fit-and-proper evidence

4. Technical, operational and cyber-resilience requirements

NRB’s oversight emphasizes operational safety and cyber resilience. NRB’s Payment Systems Department issues guidelines and onsite inspection manuals. Areas of focus:

4.1 Data localisation, PII & encryption

PSPs must store certain payment data securely. Protection of Personally Identifiable Information (PII), strong encryption for data in transit and at rest, and adherence to NRB guidance on data confidentiality are essential.

4.2 System availability, redundancy & disaster recovery

Payment systems require high availability; NRB will inspect disaster recovery (DR) sites, failover mechanisms, and business continuity plans. Testing and evidence of DR exercises are often requested during licensing and supervision.

4.3 Transaction limits, reconciliation & settlement

NRB sets rules around daily transaction limits (for wallets, e-money), settlements through RTGS or other clearing systems, and reconciliation procedures. PSPs must implement automated reconciliation and reporting to NRB as per Payment Systems rules.

4.4 Certification & testing

Interoperability testing (e.g., NepalQR compliance, NPIx API conformance) and security testing (penetration tests) are typically required before go-live. NRB or PSOs may maintain certification lists.


5. NepalQR & interoperability

NepalQR is NRB’s QR standard for open QR merchant payments. It standardizes QR data formats and routing, enables merchant interoperability, and reduces fragmentation. Licensed PSOs/PSPs can join NepalQR networks under NRB rules. If you operate a gateway that supports QR payments, compliance with NepalQR technical and scheme rules is mandatory.

Merchant onboarding & settlement with NepalQR:

  • PSPs that issue QR codes must ensure merchant KYC, fee disclosures, settlement timelines, and dispute resolution procedures per NRB and NepalQR rules.

6. Cross-border payments and NPIx (National Payments Interface cross-border rules)

NRB recently approved NPIx cross-border operating rules to facilitate cross-border person-to-person transfers and expand interoperability with foreign rails (e.g., India’s UPI). NPIx prescribes compliance on FX, KYC, transaction monitoring, and roles for International Payment Partners (IPP) and PSPs. For payment gateways enabling cross-border payments, NPIx rules define the required contracts, FX handling, customer disclosure, and AML controls.

Key legal points for cross-border:

  • NRB may require prior approval for cross-border payment products.
  • Foreign exchange and repatriation rules under NRB apply — integrate FX compliance and reporting.
  • Partner with NRB-approved IPPs or BFIs to route cross-border flows.

7. AML/CFT, KYC and targeted sanctions

PSPs/PSOs are subject to AML/CFT obligations. NRB issues targeted financial sanctions guidance for payment providers and banks. Requirements include:

  • Customer due diligence (CDD) and ongoing monitoring
  • Suspicious transaction reporting to FIU/NRB
  • Sanctions screening (domestic and international)
  • Record keeping for prescribed periods and cooperation with law enforcement.

Practical compliance steps:

  • Implement a risk-based KYC policy (tiered due diligence for low/high value).
  • Transaction monitoring systems tuned for local typologies.
  • Staff training and independent compliance testing.

8. Consumer protection, fees and dispute resolution

Consumer protection obligations are practical and reputational essentials:

  • Transparent disclosure of fees, chargebacks and settlement times.
  • Clear refund and complaint resolution channels with time limits.
  • Data privacy notices and consent for electronic receipts or notifications.

NRB audits customer complaint records; unresolved patterns can trigger supervisory action. Contractual terms with merchants must allocate responsibilities for refunds and chargebacks clearly.


9. Contracts & commercial considerations for gateways and PSPs

Key contracts to prepare and negotiate:

9.1 PSP – Bank (Acquirer) Agreement

Covers settlement, chargebacks, reserve mechanisms, fees, reconciliation, and termination clauses.

9.2 Merchant Agreement & T&Cs

Must include merchant KYC obligations, fee structure, refund and chargeback rules, and dispute resolution.

9.3 IT/Platform Provider Contracts

When you outsource gateway technology or cloud hosting, include SLAs, data protection clauses, indemnities, uptime commitments and right to audit.

9.4 Interoperability/Network Agreements

If participating in NepalQR or NPIx, sign scheme membership agreements and comply with scheme rules (technical and commercial).

Legal drafting tips: Add compliance warranties, NRB-law compliance covenants, and explicit termination triggers for regulatory breaches.


10. Supervision, reporting and inspections

NRB conducts onsite and offsite supervision of PSPs/PSOs. Typical supervisory obligations:

  • Periodic reports (operational, transaction volumes, AML/CFT metrics)
  • Annual audited financials and technical audit reports
  • Immediate notification of major incidents (cybersecurity breaches, major operational incidents)
  • Onsite inspections and audit access

Prepare for inspection by maintaining a regulatory pack: licenses, corporate documents, board minutes, incident logs, audit reports and reconciliations.


11. Enforcement, penalties and remedial measures

NRB uses graduated enforcement: directions, fines, operational restrictions, or license revocation for material violations. The Payment Systems Oversight Reports show NRB increasingly leverages corrective orders and supervisory directives — so remedial compliance and rapid remediation plans are important.

Practical mitigation: Have a documented remediation plan, insurance coverage (cyber & operational), and prompt regulatory reporting to reduce enforcement risk.


12. Step-by-step compliance checklist (practical)

  1. Corporate & registration: Register company; ensure shareholding and paid-up capital meet NRB policy.
  2. Pre-licensing readiness: Draft business plan, technical architecture, AML/CFT program, and DR/BCP.
  3. Banking partnership: Secure at least one acquiring bank or BFI for settlement.
  4. Apply for LOI & license: Submit complete application to NRB Payment Systems Department.
  5. Technical certification: Complete NepalQR/NPI testing and pen tests.
  6. Policies & procedures: Board approved KYC, AML, IT security, vendor management and consumer protection policies.
  7. Contracts & merchant onboarding: Draft merchant T&Cs and operational manuals.
  8. Go-live & reporting: Establish routine reconciliations and NRB reporting flows.
  9. Supervision readiness: Maintain regulatory pack, internal audit schedule, and incident response.

13. Practical commercial considerations (pricing, margins, reserves)

  • Fee models: subscription, per-transaction fee, or blended models (merchant discount rate).
  • Reserve requirements: NRB may require PSPs to maintain collateral or reserves to manage chargebacks — factor this into working capital.
  • Chargebacks and fraud: allocate reserves and insurance; set merchant underwriting criteria.

14. Working with NRB: best practice in regulatory engagement

  • Engage early — pre-application meetings and consultations reduce risk.
  • Maintain transparent communication during application and remediation.
  • Use experienced counsel to draft policies and license submissions.
  • Document compliance actions — NRB values documented evidence during inspections.

15. Future trends & what to watch

  • Interoperability with Indian UPI/other rails via NPIx — cross-border payment expansion.
  • Increased NRB supervision and targeted sanctions rules for PSPs — monitor NRB guideline updates.
  • Open finance & APIs — more data sharing and third-party fintech participation regulated under strict consent and security models.
  • Cyber resilience focus — expect higher penetration and disaster recovery testing requirements.

FAQs

Q1: Do I need an NRB license to operate a payment gateway in Nepal?
A1: If your gateway processes/settles payments and provides payment services, an NRB license (PSP or PSO) or a partnership with a licensed PSP/PSO is required. Check NRB’s licensing policy for precise eligibility and capital requirements.

Q2: What is NepalQR and do gateways have to comply?
A2: NepalQR is NRB’s QR standard for merchant payments. Gateways offering QR payments must comply with NepalQR scheme rules and technical specifications.

Q3: Can a foreign company provide payment services in Nepal?
A3: Payment firms must be registered in Nepal to obtain NRB licences; foreign entities typically establish a Nepalese subsidiary or partner with licensed local PSPs. NRB may also require local ownership/representation per licensing rules.

Q4: How strict is NRB on cyber security?
A4: NRB places high emphasis on cyber resilience and operational continuity; expect requirements for encryption, penetration testing, DR sites, and incident reporting. Non-compliance can result in enforcement.

Q5: What about cross-border transfers?
A5: NPIx cross-border rules govern cross-border transfers and require additional FX, KYC and partner-bank controls. Pre-approval or partnership with NRB-approved IPPs/BFIs is usually necessary.


16. Conclusion — legal counsel checklist

For any business planning to operate payment gateways in Nepal or offer payment services as a PSP, counsel’s role is essential: map corporate form, design AML and technical controls, draft robust merchant/acquirer contracts, lead the NRB application, and maintain an evidence-driven compliance program. The regulatory environment is maturing — act proactively and document everything.
