KATHMANDU: Nepal Rastra Bank’s Payment Systems Department has finalised the Guidelines on the Regulatory Sandbox, effective from 14 May 2026, giving Nepal its first formal mechanism for testing new financial technology under live market conditions.

The framework lets banks, payment companies, remittance firms, and fintech startups trial new products, services, or underlying technical solutions with temporary relief from certain regulatory requirements, while NRB watches closely.

The guidelines replace an earlier 2025 consultative draft and are issued under NRB’s own founding statute, the Nepal Rastra Bank Act 2002, as part of the central bank’s Fourth Strategic Plan running through 2026. They set out who can apply, what can be tested, how long testing lasts, and what happens when it ends.

What problem is the Regulatory Sandbox actually meant to solve?

Ordinarily, any company wanting to launch a new financial product in Nepal has to satisfy the full weight of licensing, capital, and compliance requirements before it can even begin operating, regardless of whether the product is genuinely new or simply an extension of an existing service.

This creates a real bottleneck for fintech innovation, because young companies experimenting with things like digital lending or smart contracts often cannot meet capital or track record requirements designed for established banks, even though their underlying technology may be sound.

The sandbox solves this by creating a temporary, supervised space where a company can test its actual product with real customers, under reduced but not absent regulatory requirements, for up to six months.

NRB watches the test closely, the company collects real evidence on how its technology performs, and only if the test succeeds does the company move toward the full licensing or approval process that would otherwise have been required from day one.

Guidelines on the Regulatory Sandbox

It is best understood as a regulatory trial period rather than a shortcut around regulation, since NRB retains full oversight throughout and nothing is exempted that involves customer money laundering risk, data security, or consumer harm.

Why is NRB introducing this now, and what conditions in Nepal made it relevant?

NRB cites three specific data points behind this push. According to the National Statistics Office’s 2023 figures referenced in the guidelines, 38 percent of Nepali households now have internet access, and nearly 73 percent of the population owns a smartphone. At the same time, the cost of mobile data has fallen sharply, dropping from roughly 2.25 dollars per gigabyte in 2019 to about 0.43 dollars by 2023, according to industry data the guidelines reference.

Taken together, these trends mean far more Nepalis are now reachable through digital financial channels than even five years ago, creating both opportunity and risk: opportunity because fintech products can now plausibly reach underserved populations including in remote areas, and risk because untested technology reaching millions of users quickly could cause harm before regulators even understand how it behaves.

The sandbox is NRB’s answer to managing that tension, allowing innovation to proceed without letting it run fully unsupervised. The initiative also fulfils a specific commitment NRB made in its Fourth Strategic Plan for 2022 to 2026, meaning this is not an improvised response but the execution of a multi-year regulatory roadmap.

Who exactly is allowed to apply, and does a company need to already be licensed?

Two broad groups can apply. The first is licensed entities already under NRB’s regulatory umbrella, including commercial banks and other classes of banks and financial institutions, licensed payment system operators, licensed payment service providers, and licensed remittance companies.

These entities can apply directly because NRB already supervises them in some capacity. The second group is new fintech companies that are not licensed by NRB but want to deliver products, services, or technical solutions that would eventually fall under NRB’s regulatory purview, or that support activities NRB regulates even if the company itself never becomes directly licensed.

Crucially, if such an unlicensed fintech company cannot obtain the approvals it needs on its own, it must first secure a partnership with an existing licensed financial institution before it is allowed to begin live testing, ensuring that an experienced, accountable partner is involved even when the underlying innovation comes from outside the regulated banking system.

Every applicant, regardless of category, must be incorporated in Nepal, ruling out testing by purely foreign entities without a local corporate presence.

What kind of scrutiny does NRB apply to the people actually running these companies, not just the products?

This is one of the more rigorous parts of the framework. Beyond evaluating the product itself, NRB conducts what it calls a fit and proper assessment of the applicant company along with its beneficial owners, board members, and senior management.

None of these individuals can appear on any blacklist or sanctions list issued by a competent regulatory, judicial, or government body, and if any of them were previously blacklisted, at least three years must have passed since they were removed from that list before the company can qualify. None of them may have a criminal record. If the company already holds any kind of license, it must show a clean compliance history with its existing regulator.

On top of this, NRB requires concrete proof of technical capacity: the company must employ at least two full-time technical staff such as software developers or cyber security specialists, and it must have a project manager with at least two years of relevant experience specifically in fintech or regulatory technology.

Finally, the company and its leadership must sign a formal self-disclosure declaring that everything submitted is accurate and complete, and accepting full legal liability if any of it later proves false or misleading.

What specific technologies and financial products are actually allowed to be tested?

NRB has published a defined list rather than leaving this open-ended. Eligible categories include application programming interfaces that let different financial systems talk to each other, mobile money services, retail payment products, money transfer and remittance-related services and  digital KYC tools that let customers be verified online rather than in person.

Governor Biswo Nath Poudel of NRB

Similarly, other eligible categories include digital identification services, digital lending products, smart contracts, products specifically aimed at expanding financial inclusion, cyber security products, embedded finance solutions that build financial services into non-financial apps or platforms and regulatory technology products that help institutions comply with rules more efficiently.

NRB also retains the right to approve any other innovation it considers worthwhile, even if it does not fit neatly into these categories. On the other side, four categories are explicitly barred from testing no matter how innovative the underlying technology: cryptocurrency, virtual assets more broadly, central bank digital currency, and online betting, gaming, and similar products. Anything else already prohibited under existing Nepali law is also automatically excluded.

This list signals where NRB sees genuine appetite for innovation, largely around payments, lending, identity verification, and inclusion, while drawing a hard line around speculative digital assets and gambling-adjacent products it is not prepared to legitimize even experimentally.

What regulatory burdens are actually lifted during the testing period, and what stays firmly in place?

For licensed institutions like banks and payment companies, NRB can temporarily ease requirements around minimum liquid assets, minimum paid-up capital, license fees, credit rating conditions, management experience thresholds, and escrow arrangements, along with asset maintenance or cash balance rules, provided the institution still keeps enough funds on hand to cover its obligations to customers during the test.

For new, unlicensed fintech companies, the relief covers similar ground: requirements around risk management frameworks, third-party outsourcing rules, minimum liquid assets, cash balance levels, management experience, and track record can all be eased for the duration of testing.

Both categories of participant may also get simplified reporting templates instead of full regulatory filings, lower-cost access to existing payment and banking infrastructure, some flexibility on customer support hours, freedom to use new and unproven technology without it being treated as automatically non-compliant, and more relaxed marketing rules as long as customers are clearly told they are part of an experimental test.

What does not get relaxed under any circumstance is customer data confidentiality, Know Your Customer verification, anti money laundering compliance, and counter-terrorism financing rules. NRB has been explicit that these protections apply at full strength throughout testing regardless of any other relief granted, because they consider these non-negotiable regardless of how early-stage or experimental the product is.

How long does the whole application process take from start to finish, and is there a hard deadline?

Yes, and this is one of the most concrete operational details in the final guidelines. Each cohort’s application window stays open for 45 working days, during which interested companies submit their applications. Once that window closes, NRB has 30 working days to complete an initial screening of every application received, filtering out those that clearly do not meet the basic eligibility bar.

Applications that pass this initial screening then move to a more detailed final evaluation, which must itself be wrapped up within another 30 working days. After that, NRB has just 3 working days to send written notice to every applicant telling them whether they have been accepted or rejected. Added together, this means the full journey from opening applications to knowing the outcome should generally take no more than 120 working days, or roughly six calendar months.

NRB does reserve the right to extend any of these internal deadlines if circumstances genuinely warrant it, for instance if it receives an unusually large or complex batch of applications, but such an extension does not automatically mean an application is approved or rejected, and applicants gain no special right or expectation from the delay itself.

Once approved, how long can a company actually run its live test, and can that be extended?

The core testing period is capped at six months from the point the company actually begins testing, which is distinct from the date it was approved, since testing only starts once the company tells NRB it is fully ready to begin. If a participant believes it needs more time, it must put that request in writing to NRB at least 30 calendar days before its current testing period is due to end.

Nepal Rastra Bank,Thapathali. File photo

NRB can grant or refuse this request entirely at its own discretion, but if it refuses, the guidelines now require NRB to give written reasons for that refusal rather than simply declining without explanation. Where an extension is granted, it cannot run longer than a further six months, meaning that even with one extension, a single sandbox cycle tops out at roughly twelve months of live testing in total.

Throughout this entire period, whether in the original six months or any extension, the participant must keep submitting periodic progress reports to NRB on whatever schedule NRB has set, so the regulator maintains continuous visibility into how the test is actually going rather than only checking in at the very end.

Under what circumstances can NRB pull the plug on a test before it finishes?

NRB can revoke a participant’s authorization for a fairly wide range of reasons. The most serious is causing significant harm to customers, which takes priority over almost any other consideration.

Beyond that, NRB can step in if a participant materially fails to follow the terms and conditions it originally agreed to, fails to put in place the consumer safeguards it promised, or breaches data security requirements.

A participant can also be removed if it fails to comply with anti money laundering or counter-terrorism financing rules, or if NRB observes it engaging in transactions that create a meaningful risk of either.

Submitting misleading information to NRB, going into liquidation, having its main operating license cancelled elsewhere, or simply failing to fix known technical bugs in its product can all trigger revocation as well.

A participant is also free to withdraw voluntarily if it decides the test is not working out, and NRB has also given itself a broader catch-all power to revoke authorization if a participant fails to meet any other condition NRB has separately specified for that particular cohort or test. This wide net suggests NRB wants flexibility to act quickly if something goes wrong, rather than being boxed into a narrow, predefined list of failure conditions.

What happens to customer data and unfinished business when a company leaves the sandbox?

Whether a company exits because its test succeeded, because it chose to withdraw, or because NRB revoked its authorization, the same set of closing obligations applies. The exiting company must present NRB with a clear plan for transitioning its existing test customers away from the product in a way and timeframe NRB finds acceptable, and it must actually stop operating the tested product in line with that plan.

It must hand over all data gathered during the test, including customer data, to NRB, and once that handover happens, NRB requires the company to permanently delete or purge any customer data it still holds on its own systems, so customer information used during an experimental test does not linger indefinitely in a startup’s database.

The company must also settle any outstanding obligations toward customers it onboarded, the payment or banking infrastructure it connected to, and any other licensed institutions it worked with during the test.

Finally, within 60 days of leaving the sandbox, it must submit a final evaluation report covering how the test actually went, regardless of whether the outcome was a success or a failure.

If a test succeeds, what does the company actually walk away with, and is it guaranteed a license?

This depends on both who the participant is and what exactly it tested. A licensed bank or financial institution that successfully tested a finished product or service can expect to receive the regulatory approval needed to roll that product out more broadly, since it is already inside NRB’s licensing system.

A new, previously unlicensed fintech company that tested a finished product instead moves toward both licensing and the relevant regulatory approval, since it needs to formally enter the regulated system before it can operate at scale. Where what was tested was not a finished customer product but rather an underlying technical solution, the outcome looks different.

A licensed entity that successfully tested such a solution may simply be permitted to deploy or integrate it into its existing licensed operations. An unlicensed entity that tested a solution, however, receives only what the guidelines call a sandbox completion acknowledgement, a document that confirms the company finished its testing process but explicitly does not amount to any kind of license, certification, or regulatory approval on its own.

Crucially, NRB states plainly that successfully graduating from the sandbox is never a guarantee of eventual licensing or approval; every outcome still depends on the company separately satisfying whatever legal and regulatory requirements apply once it leaves the testing environment.

Who actually runs the sandbox day to day, and who is ultimately accountable for how it’s managed?

Oversight sits at two levels. At the top is a dedicated, inter-departmental steering body called the Sandbox Governing Committee, which meets regularly to review how the sandbox is performing overall, approve major decisions such as changes in scope or how individual participants should exit, and ensure that supervision stays consistent across different cohorts and different types of participants.

Below that, the actual day-to-day administration, including calling for applications, evaluating them, and managing the testing and exit process, sits with the Payment Systems Department, which has set up its own Sandbox Committee under the direct supervision of the Department’s Director.

This Sandbox Committee reports upward to the Governing Committee, so there is a clear chain of accountability rather than the operational team acting fully independently.

For the specific task of evaluating applications, NRB has also created a dedicated Evaluation Team, drawn from the Sandbox Committee and other relevant departments as needed, whose job is to recommend which applicants should be admitted, with that recommendation then going up through both the Sandbox Committee and the Governing Committee before any final decision is made.

How does NRB check on itself to make sure the sandbox is actually working as intended?

Rather than relying on outside consultants, NRB has assigned this job internally to its own Internal Audit Department, which is required to carry out a full evaluation of how the sandbox has been functioning once every year and report its findings directly to the Sandbox Governing Committee.

This annual review is expected to look at how well the companies that participated actually performed, whether the regulatory flexibility NRB extended to them was appropriate or needs adjusting, and what real impact the tested products or solutions had once they were tried out with actual customers.

The findings are meant to feed directly into how future cohorts are designed, including any changes to eligibility rules, timelines, or the kinds of products NRB chooses to invite for testing next.

The areas the audit is expected to cover include whether the sandbox is meeting its original objectives, what feedback both participants and their customers gave during testing, what new regulatory insight NRB itself gained from watching the tests unfold, and concrete suggestions for how upcoming cohorts could be run better.

This creates a built-in feedback loop so the sandbox framework is not expected to remain static, but to evolve based on what NRB actually observes once real companies start using it.

Looking at the bigger picture, what does this guideline actually change about how fintech reaches the Nepali market?

Before these guidelines, a company building something like a digital lending product or an embedded finance tool generally had only two paths: either secure full banking-grade licensing and capital before launching anything, which is often unrealistic for an early-stage company, or operate informally outside any clear regulatory recognition, which carries its own risks for both the company and its customers.

The sandbox creates a credible middle path, allowing real-world testing with real customers under NRB’s direct watch, with clearly defined limits on how long that testing can run and exactly what protections must remain in place throughout.

For Nepal’s broader digital financial sector, this also signals where NRB sees the most promising near-term innovation, given that digital lending, embedded finance, and identity verification tools made the eligible list while cryptocurrency and virtual assets remain firmly excluded.

For ordinary consumers in remote or underserved parts of the country, the eventual effect NRB is aiming for is wider access to formal financial services through technology that has actually been tested locally before reaching the broader market, rather than products imported or scaled up without ever being checked against Nepal’s specific regulatory and consumer protection standards.