Nepal’s central bank amends online payment system directives to curb fraud
Payment-related companies are encouraged to integrate artificial intelligence (AI) and machine learning into their risk management systems for fraud detection and management.
Post Report
Payment service providers must now implement measures to monitor transaction trends, focusing on transaction errors, processing delays, and other key risk indicators.
On Wednesday, Nepal Rastra Bank, the central bank, amended the payment system-related integrated directives.
The revised provisions require payment service providers to analyse past incidents and disruption patterns in payment systems and services. Officials said providers must maintain appropriate logs to prevent similar incidents in the future.
The updated directive mandates that payment-related service providers prepare a strategic business continuity and growth plan for at least three years to mitigate business risks.
This plan should be executed through a detailed work plan, with fixed deadlines and clear responsibilities assigned to relevant departments or staff.
“We amended the payment system directives based on risk assessment. Fraud activities have been increasing, and scammers are exploiting digital payment platforms, as reflected in the rising number of police cases,” said Kiran Pandit, executive director of the Payment Systems Department at the Nepal Rastra Bank.
“We discussed the surge in online payment fraud with payment system operators and service providers on Thursday. While transactions may appear straightforward initially, disputes often arise when payers report fraud after sending money,” Pandit added.
“There is no official data yet, but the growth rate of fraud using digital payment platforms is escalating.”
The central bank directed payment-related service providers to adopt settlement guarantee funds or similar mechanisms to manage credit risk.
The bank also introduced regular inspections to identify high-risk counterparties.
The amended provisions include technology risk management under the business risk category.
Technology risk encompasses cyberattacks, data confidentiality breaches, system vulnerabilities, operational failures, interoperability issues, and data integrity risks.
Payment companies must adopt appropriate strategies to minimise technology risk by identifying risk sources and assessing their potential impact on business.
They are required to conduct technology audits of software, hardware, and network infrastructure at regular intervals.
The directives emphasise continuous improvement in cyber risk identification, protection, detection, response, recovery, situational awareness, and system security.
Payment companies must follow the central bank's cyber resilience guidelines when developing policies and work procedures to secure online transactions through encrypted messaging standards.
The amended directive also introduces provisions for anti-money laundering (AML) and combating the financing of terrorism (CFT). It requires companies to identify, analyse, and manage risks related to these activities.
Recently, authorities have noted a rise in the use of digital payment services for illegal activities, such as online gaming platforms and hundi transactions.
Regarding cross-border retail payments in foreign currency via QR codes, 'A' and 'B' class national banks can now offer these services through payment service providers in collaboration with third parties, with prior approval from the central bank.
The directives stipulate that payment system operators must register as public limited companies by mid-July 2028.
Payment service providers are instructed to process transactions through payment system operators, except for internal company transactions.
The current transaction limit on e-wallets will not apply when making tax payments at government offices or paying revenue, fines, vehicle fees, registration charges, and other public service fees.
This also extends to electricity, telecommunications, and water charges, insurance premiums, social security fund contributions, and school fees.
A new provision allows customers to deactivate and reactivate services within payment apps or web portals. Service providers must comply with these customer requests.
Furthermore, payment companies must notify customers immediately via SMS after every transaction. Companies must also accommodate customers' requests for notifications through online platforms.
Payment companies may adopt geo-tagging or geo-fencing systems for domestic and international transactions to enhance transaction monitoring.
As of mid-July last year, there were 26 payment service providers (PSPs) and nine payment system operators (PSOs) in the country.