The New Reality of Nepalese Finance
Just a few years ago, a typical financial transaction in Nepal meant going to the bank, filling out paper forms, and waiting in line for hours. Today, millions of Nepalis pay their electricity bills, transfer money to family members, and shop at stores with a few taps on their smartphone screen. Rapid digitalization, fueled by rising internet penetration and the popularity of digital wallets such as eSewa and Khalti and the payment system Fonepay, has radically changed the country’s financial landscape. By early 2025, the number of mobile banking and digital wallet users was in the tens of millions, and the volume of QR payments was breaking all records.
This digitalization has brought undeniable conveniences and increased financial inclusion. However, it has also opened a Pandora’s box of new, previously unimaginable threats. Nepal’s financial system finds itself on the front lines of a global cyber war, where the adversaries are invisible hacker groups, sophisticated fraudsters, and internal vulnerabilities.
How strong is the digital armor of Nepalese banks? Are regulators and financial institutions themselves prepared to fend off increasingly sophisticated attacks? This article analyzes the current state of cybersecurity in Nepal’s financial sector, identifies the main threats, and suggests urgent measures to protect the country’s new digital economy.
Threat Landscape: From Global Attacks to Local Fraud

The threats facing Nepal’s financial sector can be broadly divided into two categories: high-tech global attacks and localized social fraud.
Global threats:
Nepalese banks are part of the global financial system, which means they are vulnerable to all “popular” types of cyber attacks:
- Ransomware: Hackers encrypt critical bank data and demand ransom for its recovery.
- Malware and Phishing: Attackers try to steal the credentials of bank employees or their clients through malicious links and fake websites.
- Supply chain attacks: Hacking third-party software vendors (such as banking software developers) could give hackers access to the systems of dozens of banks at once.
Nepal has already seen serious attacks in its history. An attempt to steal nearly $5 million from NIC Asia Bank through the SWIFT system in 2017 and the coordinated attack on ATMs of 18 different banks in 2019, which resulted in the theft of over Rs 18 million, were alarm bells that demonstrated the reality of these threats.
Local Front: “Digital Naivety” and Social Engineering

Ironically, the biggest threat to Nepalese financial security today is not sophisticated technical hacks, but users’ own gullibility. Nepal Police and cybersecurity experts unanimously state that the vast majority of financial fraud cases are carried out using social engineering techniques.
These are psychological manipulations, the purpose of which is to force a person to voluntarily disclose their confidential data (passwords, OTP codes) or independently transfer money to scammers. Typical schemes include:
- Vishing: Fraudsters call, posing as bank or digital wallet employees, and under the pretext of “updating the system” or “blocking the account,” trick the victim into giving up passwords and confirmation codes.
- Smishing: Similar fraudulent messages sent via SMS.
- Fake lotteries and prizes: Users receive messages about a large win and, in order to receive it, they must “pay a tax” or “commission” by transferring money to the scammers’ account.
The main reason for the success of these schemes is “digital naivety”. The population has mastered payment technologies much faster than it has learned the basics of digital hygiene and security.
Regulator’s response: NRB directives and “paper” security

Nepal Rastra Bank (NRB), the central bank of Nepal, recognizing the risks, has developed a fairly strict and comprehensive set of IT security rules and guidelines for banks and financial institutions (BFIs).
Key requirements of the NRB IT Policy/Guidelines:

On paper, this regulatory framework looks very solid and is in line with many international practices. However, the main challenge lies in its real execution and the ability of banks to meet these high requirements.
Banks’ response: from perimeter protection to proactive defense

Leading Nepalese banks are realizing that regulatory requirements alone are not enough. They are starting to build their own layered defense systems.
- Technological investments: Large banks, such as Nabil Bank, are investing in creating their own cybersecurity monitoring centers (Security Operations Center – SOC). These centers monitor suspicious activity in the bank’s networks 24/7 and allow the bank to respond to threats in real time. Artificial Intelligence (AI) is also being implemented for transaction analysis and for identifying fraudulent schemes.
- Transformation of departments: Simple transactions are moving online, and banks are starting to rethink the role of physical branches. NIC Asia Bank, for example, is actively implementing self-service kiosks to automate routine tasks and free up staff for more complex consultations, including on security issues.
- Staff training: Recognizing that employees are often the weakest link in the security chain, banks are stepping up internal training. Regular phishing simulations and cyber hygiene briefings are becoming the norm.
- Partnerships: Banks are entering into alliances to enhance security. An example is the cooperation of Global IME Bank with Nepal Police to conduct joint campaigns to raise public awareness about financial fraud.
Urgent Actions: A Roadmap for Banks and Regulators

Despite the efforts made, critical vulnerabilities remain that require immediate attention.
Recommendations for banks:
- Switch from defense to “active hunting” (Threat Hunting): It is not enough to simply wait for an attack. You need to proactively search for vulnerabilities in your systems and traces of the presence of intruders. This requires investment in modern technologies and highly qualified specialists.
- Make staff training continuous and practical: Annual training is not enough. Training must be ongoing, and phishing simulations must be regular and unexpected. Every employee, from the cashier to the top manager, must become part of the “human firewall.”
- Launch large-scale and creative customer education campaigns: Banks should join forces to create a nationwide educational campaign. Simple and clear videos on TikTok and Facebook explaining how to recognize a fraudster and why you should not share your OTP code with anyone will be much more effective than formal instructions on websites. It is necessary to constantly remind people of the golden rule: “A bank employee will NEVER ask you for a password or OTP code”.
- Strengthen third party controls: Conduct rigorous security audits of all fintech partners and IT suppliers. A partner’s vulnerability is your vulnerability.
Recommendations for regulators (NRB):
- From directives to effective supervision: It is necessary to strengthen supervision of the real execution of IT directives. This includes more frequent and in-depth audits, as well as strict penalties for non-compliance. Having a policy on paper does not guarantee security.
- Create a single center for exchanging information on threats: Coordination between banks on cybersecurity issues is still weak. The NRB, together with the national CERT, should create and oversee a platform for anonymous and rapid exchange of information on new types of attacks and fraud among all financial market participants.
- Speed up the launch of a full-fledged regulatory sandbox: The created “Innovation Hub” is a good step, but for safe testing of breakthrough technologies, such as AI scoring or neobanking, a full-fledged “sandbox” with clear rules is needed.
- Solve the problem of personnel shortage at the state level: This is the most difficult, but also the most important task. It is necessary to launch national programs for training and retraining cybersecurity specialists in cooperation with the Ministry of Education and universities. In addition, it is necessary to create conditions (competitive salaries, interesting projects) to retain these specialists in the country and motivate them to work in the financial sector.
Conclusion: The Battle for Trust

Nepal’s digital frontier of financial security is an invisible but constant battle. On one side are global hackers and local scammers using the latest technology and social engineering. On the other are banks, regulators, and citizens themselves.
The analysis shows that Nepal has created a fairly progressive regulatory framework, and leading banks have started investing heavily in technology. However, the weakest link today is the human factor. The “digital naivety” of the population and the acute shortage of qualified personnel are the main vulnerabilities that can nullify all technological and regulatory efforts.
Victory on this front depends not so much on buying a new expensive firewall as on joint, coordinated efforts. Banks must not only protect themselves, but also educate their clients. The regulator must not only write the rules, but also strictly monitor their implementation and help grow new personnel. This is the only way to protect not just money, but the most valuable asset in the financial world – trust. Ultimately, this is what this battle is about.
