# Regulatory Playbook: Nepal
| Field | Value |
|---|---|
| Market | Nepal (NP) |
| Regulator | Nepal Rastra Bank (NRB) |
| Status | Draft — requires local compliance review |
| Owner | Country Manager NP / CDO |
| Created | 2026-04-05 |
| Review | Semi-annually |
| Reference | Cross-Border Compliance Framework |
## Purpose
This is the operational playbook for Simpaisa's Nepal operations. The Cross-Border Compliance Framework defines what the law requires. This playbook defines what we actually do: who is responsible, what processes run, what reporting is due, and what happens when something goes wrong.
Nepal has the most prescriptive infrastructure requirements of all Simpaisa markets. NRB mandates government-approved data centres only, and the Payment and Settlement Act 2075 (2019) prohibits operating as a PSO/PSP without prior NRB approval. Minimum paid-up capital is NPR 150 million for domestic PSPs (NPR 250 million with foreign investment).
## Regulatory Landscape
| Dimension | Requirement | Source |
|---|---|---|
| Primary licence | PSP Licence under Payment and Settlement Act 2075 (2019). Section 5 prohibits operating without prior NRB approval. Licence categories and requirements defined in Licensing Policy for Payment Institutions 2079 (2023). | Payment and Settlement Act 2075, Licensing Policy 2079 |
| AML/KYC | Full CDD for merchants. EDD for high-risk transactions. PEP and sanctions screening. | Asset (Money) Laundering Prevention Act 2064 (2008), NRB KYC directives |
| Data localisation | Mandatory. PSP infrastructure must be located in Nepal. Government-approved data centres only. NRB has authority to specify infrastructure requirements. | Payment and Settlement Act 2075, NRB directives |
| Encryption | Data at rest and in transit must be encrypted per NRB cybersecurity requirements. | NRB circulars on technology risk management |
| PII handling | Individual Privacy Act 2018 provides limited data protection. Cross-border transfer restricted by data localisation mandate. | Individual Privacy Act 2018 |
| Transaction limits | Per NRB directives. Additional capital requirements based on transaction volume. | Licensing Policy 2079, NRB Unified Directives |
| Reporting | STR filing with FIU. Monthly reporting to NRB Payment Systems Department per Section 27 of the Act. | Payment and Settlement Act 2075, AML Act 2064 |
| Audit | Annual external audit (NRB-approved auditor). NRB supervision, monitoring, and inspection per Section 42 of the Act. NRB may issue regulatory directions per Section 45. | Payment and Settlement Act 2075 |
| Incident reporting | Significant incidents to NRB within 24 hours. NRB Payment Systems Department to be notified of any disruption to payment services. | NRB directives |
## Current Compliance Status
| Requirement | Status | Gap | Risk |
|---|---|---|---|
| PSP Licence | Active | None | — |
| Minimum paid-up capital (NPR 150M / 250M) | Unknown | Capital adequacy status not documented. | HIGH |
| AML/KYC processes | Partially compliant | CDD processes undocumented. KYC workflow exists but not aligned to latest NRB KYC directives. | HIGH |
| Data localisation | Partially compliant | Transaction data on AWS RDS (region unconfirmed). NRB requires government-approved data centres only — AWS may not qualify. | CRITICAL |
| Encryption at rest | Non-compliant | PII stored in plain text (SECURITY-ARCHITECTURE.md, Finding R2). | CRITICAL |
| Encryption in transit | Compliant | TLS 1.2+ for all external communications. | — |
| Transaction monitoring | Partially compliant | Rule-based monitoring exists. No automated STR generation. | MEDIUM |
| Incident reporting to NRB | Unknown | No documented process for NRB notification within 24 hours. | HIGH |
| Annual audit | Unknown | Audit history not documented in Architecture repo. Must use NRB-approved auditor. | MEDIUM |
| Request signing | Non-compliant | Pay-Ins has no request signing (SECURITY-ARCHITECTURE.md, Finding 1). | CRITICAL |
| Rate limiting | Non-compliant | No documented rate limiting (SECURITY-ARCHITECTURE.md, Finding 5). | HIGH |
| Government-approved data centre | Unknown | Current infrastructure may not meet NRB requirement for government-approved data centres. | CRITICAL |
## Operational Processes
### 1. Merchant Onboarding (Nepal)
Merchant onboarding flow (NP), stages run in sequence:

| Stage | Activities | Owner | SLA |
|---|---|---|---|
| Application | Merchant applies | Commercial (NP) | 2 business days |
| CDD/KYC | Identity verified, documents checked | Compliance (NP) | 5 business days |
| Technical | API key issued, sandbox testing, webhook configuration | Engineering | 3 business days |
| Go-Live | Live traffic | Operations (NP) | 1 business day |

Total: 11 business days target
Required documents for CDD (Nepal):
- Company registration certificate (Office of the Company Registrar)
- PAN (Permanent Account Number) certificate
- Citizenship certificate of directors
- Bank account verification letter
- Business address verification
- Beneficial ownership declaration (>25% shareholders)
- Board resolution authorising payment services engagement

Enhanced Due Diligence triggers:
- Monthly volume exceeding NRB-prescribed thresholds
- High-risk merchant category (gambling, crypto, precious metals)
- PEP (Politically Exposed Person) as beneficial owner
- Adverse media screening hit
- Foreign-owned or foreign-invested entities
### 2. Transaction Monitoring
| Check | Frequency | Threshold | Action |
|---|---|---|---|
| Velocity check | Real-time | > 100 transactions/minute per merchant | Alert + temporary hold |
| Amount anomaly | Real-time | > 3x average daily volume | Alert + manual review |
| New merchant spike | Daily | > 10x first-day average within first 30 days | Manual review |
| Dormant reactivation | On event | No transactions > 90 days, then sudden high volume | Manual review + re-KYC |
| STR screening | Daily batch | Rule-based pattern matching against NRB/FIU typologies | STR filed with FIU within 3 business days if confirmed |
STR filing process:
1. Alert generated by monitoring system or flagged by operations staff.
2. Compliance Officer (NP) reviews within 24 hours.
3. If suspicious: STR prepared using FIU prescribed format.
4. STR filed with Financial Information Unit (FIU) within 3 business days.
5. Internal record retained for 5 years minimum.
6. No tipping-off: merchant not informed of STR filing.
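The velocity and amount-anomaly rules from the monitoring table above, as an added example (not Simpaisa's own monitoring code). It assumes each transaction is a dict with `merchant`, `ts` (datetime) and `amount` (NPR), and that "average daily volume" is the mean over days with activity in a 30-day lookback; the sample data is constructed.

```python
# Rule-based checks from the transaction monitoring table (added example, not Simpaisa code).
# A transaction is a dict: {"merchant": str, "ts": datetime, "amount": float (NPR)}.
from collections import defaultdict
from datetime import date, datetime, timedelta

VELOCITY_LIMIT = 100      # > 100 transactions/minute per merchant -> Alert + temporary hold
ANOMALY_MULTIPLIER = 3.0  # > 3x average daily volume -> Alert + manual review

def velocity_check(txns, limit=VELOCITY_LIMIT):
    """Merchants with more than `limit` transactions inside any single calendar minute."""
    per_minute = defaultdict(int)
    for t in txns:
        per_minute[(t["merchant"], t["ts"].replace(second=0, microsecond=0))] += 1
    return sorted({m for (m, _), n in per_minute.items() if n > limit})

def amount_anomaly_check(txns, day, lookback_days=30, multiplier=ANOMALY_MULTIPLIER):
    """Merchants whose volume on `day` exceeds `multiplier` x their average daily volume over
    the preceding `lookback_days` (days with activity). No history in the window: no baseline."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t["merchant"], t["ts"].date())] += t["amount"]
    history = defaultdict(list)
    for (m, d), v in totals.items():
        if day - timedelta(days=lookback_days) <= d < day:
            history[m].append(v)
    return sorted(m for (m, d), v in totals.items() if d == day and history[m]
                  and v > multiplier * sum(history[m]) / len(history[m]))

def run_checks(txns, day):
    """Map every flagged merchant to the action prescribed by the monitoring table."""
    actions = {m: "Alert + temporary hold" for m in velocity_check(txns)}
    actions.update({m: "Alert + manual review" for m in amount_anomaly_check(txns, day)})
    return actions

SPIKE_DAY = date(2026, 4, 11)  # day under review in the constructed sample below

def sample_transactions():
    """Constructed data: M-ALPHA settles 50,000 NPR/day for ten days, then 200,000 NPR on
    SPIKE_DAY (4x baseline); M-BETA fires 101 transactions inside one minute on SPIKE_DAY."""
    day0 = datetime(2026, 4, 1, 12, 0)
    spike = datetime.combine(SPIKE_DAY, day0.time())
    txns = [{"merchant": "M-ALPHA", "ts": day0 + timedelta(days=i), "amount": 50_000.0}
            for i in range(10)]
    txns.append({"merchant": "M-ALPHA", "ts": spike, "amount": 200_000.0})
    txns += [{"merchant": "M-BETA", "ts": spike + timedelta(seconds=s % 60), "amount": 10.0}
             for s in range(101)]
    return txns
```

A merchant with no history in the lookback window gets no baseline from this rule; that case is what the separate "new merchant spike" check in the table is for.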
### 3. Incident Response (Nepal-Specific)
In addition to the global Incident Response Playbook (Standards/INCIDENT-RESPONSE-PLAYBOOK.md):
| Requirement | SLA | Owner |
|---|---|---|
| NRB notification for significant incidents affecting payment systems | Within 24 hours of detection | Country Manager NP + CDO |
| NRB notification for any disruption to payment services | Immediate notification | Country Manager NP + CDO |
| NRB ad-hoc inspection response (per Section 42) | Immediate cooperation | Country Manager NP |
| NRB regulatory directions (per Section 45) | Compliance within specified timeline | Country Manager NP + CDO |
NRB notification template:

```text
TO: Payment Systems Department, Nepal Rastra Bank
FROM: Simpaisa Nepal — PSP Licence No: [XXXX]
DATE: [YYYY-MM-DD]
SUBJECT: Security Incident Notification — [Brief Description]

1. Nature of incident: [description]
2. Date/time detected: [timestamp]
3. Systems affected: [list]
4. Customer impact: [number affected, data exposed if any]
5. Containment actions taken: [list]
6. Root cause (preliminary): [if known]
7. Estimated resolution: [timeline]
8. Contact for follow-up: [name, phone, email]
```
### 4. Data Localisation
Current architecture (non-compliant):
- Single AWS RDS instance. Region not documented as Nepal-local.
- Transaction data may traverse UAE or other regions.
- NRB mandates government-approved data centres only — AWS is unlikely to qualify.

Target architecture (per Data Architecture, DA-06):
- Primary transaction data resides in-country in a government-approved data centre.
- Only aggregated/anonymised data flows to UAE for group reporting.
- Cross-border transfer prohibited for raw transaction data.
- PSP infrastructure must be located within Nepal.

Action items:
1. Confirm current RDS region. If not Nepal-local, initiate migration plan.
2. Identify NRB-approved / government-approved data centre providers in Nepal.
3. Document all cross-border data flows with data classification.
4. Implement column-level encryption for PII before any data leaves Nepal.
5. Assess whether current AWS infrastructure can meet NRB government-approved DC requirement.
### 5. Reporting Calendar
| Report | Frequency | Due Date | Recipient | Owner |
|---|---|---|---|---|
| Monthly transaction summary | Monthly | Per Section 27, date as specified by NRB | NRB Payment Systems Dept | Operations NP |
| Suspicious Transaction Reports | As needed | Within 3 business days of confirmation | FIU | Compliance NP |
| Annual compliance report | Annually | Q1 of following year | NRB | Compliance NP + CDO |
| External audit report (NRB-approved auditor) | Annually | Per NRB-specified timeline | NRB | Finance + CDO |
| AML/KYC programme review | Annually | Per AML Act requirements | Internal + NRB on request | Compliance NP |
| Capital adequacy reporting | Per NRB schedule | Per NRB directives | NRB | Finance |
### 6. Key Contacts
| Role | Responsibility | Name |
|---|---|---|
| Country Manager NP | Overall Nepal operations, NRB relationship | TBD |
| Compliance Officer NP | AML/KYC, STR filing, regulatory reporting, FIU liaison | TBD |
| Operations Lead NP | Transaction monitoring, merchant support | TBD |
| CDO | Technology, security, data architecture decisions | Daniel O'Reilly |
## Remediation Priorities
Based on the compliance status assessment above:
| Priority | Item | Risk | Owner | Target |
|---|---|---|---|---|
| 1 | PII encryption at rest | CRITICAL | CDO | Q2 2026 |
| 2 | Pay-In request signing | CRITICAL | CDO | Q2 2026 |
| 3 | Government-approved data centre assessment and migration | CRITICAL | CDO + Country Mgr NP | Q2 2026 |
| 4 | Data localisation — confirm region and migrate to approved DC | HIGH | CDO + Country Mgr NP | Q2 2026 |
| 5 | NRB incident notification process | HIGH | Country Mgr NP | Q2 2026 |
| 6 | Rate limiting implementation | HIGH | CDO | Q3 2026 |
| 7 | CDD process documentation aligned to NRB KYC directives | HIGH | Compliance NP | Q2 2026 |
| 8 | Capital adequacy verification (NPR 150M/250M) | HIGH | Finance + Country Mgr NP | Q2 2026 |
| 9 | Automated STR generation | MEDIUM | CDO + Compliance NP | Q3 2026 |
## Connection to Strategy
This playbook directly supports:
- SG1 (Operational Excellence): documented processes, incident response SLAs.
- SG4 (Market Expansion): Nepal's government-approved data centre requirement is the most restrictive infrastructure mandate across all Simpaisa markets. Resolution is a prerequisite for continued operations.
- Foundational Support #5 (Standardised global network): Nepal follows the Pakistan playbook template for consistency across the group.