Nepal’s rapid transition toward a digital economy has transformed the financial landscape, delivering unprecedented efficiency through mobile banking, e-wallets and real-time payment systems. However, this post-Covid-19 digital surge has also exposed serious vulnerabilities, as the development of robust cybersecurity infrastructure has struggled to keep pace with increasingly sophisticated threats. From repeated fraudulent card transactions to high-profile system breaches, the financial sector now faces a critical juncture where technological convenience must be balanced with rigorous security protocols.
Addressing these escalating risks requires a multifaceted approach that includes stronger board-level governance, advanced technical safeguards and heightened client awareness. As cyberattacks grow more complex and increasingly AI-driven, banks and financial institutions are under mounting pressure to strengthen internal controls and comply with evolving regulatory standards.
Recently, a client of Himalayan Bank experienced repeated fraudulent transactions on a virtual dollar card. Despite 22 attempted transactions, the bank’s card department failed to detect the suspicious activity. Under normal circumstances, card transactions are blocked after three incorrect attempts; however, this safeguard did not activate even after the client lodged formal complaints via email and phone. The fraudulent transactions continued until the bank eventually blocked the card. This incident underscores the urgent need for a technology-enabled, risk-based and regulatory-driven system to protect clients from financial fraud.
Commenting on the incident, Bhaskar Dahal, Head of the Card Department at Himalayan Bank, stated that the hacker executed a high volume of small, repetitive transactions and that the bank initiated recovery efforts immediately once the issue came to its attention.
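As an added illustration of the control described above (not Himalayan Bank's system; the thresholds other than the three-attempt rule, the field names and the sample transactions are assumptions constructed here), a small Python monitor that applies the three-declines rule alongside a velocity rule for many small repeated charges, and counts how many charges were approved before each block decision:

```python
from collections import defaultdict
from dataclasses import dataclass
# Thresholds are assumptions for illustration: the article says only that a
# card is normally blocked after three incorrect attempts.
MAX_DECLINES = 3         # block on the third declined attempt
VELOCITY_COUNT = 5       # or on the fifth small approved charge ...
VELOCITY_WINDOW = 600    # ... within ten minutes (seconds)
SMALL_AMOUNT = 10.0      # "small" charge threshold in card currency

@dataclass
class Txn:
    card: str
    ts: int          # seconds since epoch (constructed)
    amount: float
    approved: bool

def evaluate(txns):
    """Run two rules over an ordered stream; return {card: (index, reason)}."""
    declines = defaultdict(int)
    recent = defaultdict(list)   # card -> timestamps of recent small approvals
    blocked = {}
    for i, t in enumerate(txns):
        if t.card in blocked:
            continue                 # already blocked; later attempts are ignored
        if not t.approved:
            declines[t.card] += 1
            if declines[t.card] >= MAX_DECLINES:
                blocked[t.card] = (i, "declines")
            continue
        if t.amount <= SMALL_AMOUNT:
            window = [x for x in recent[t.card] if t.ts - x <= VELOCITY_WINDOW]
            window.append(t.ts)
            recent[t.card] = window
            if len(window) >= VELOCITY_COUNT:
                blocked[t.card] = (i, "velocity")
    return blocked

def approved_before_block(txns, blocked):
    """Count approved charges per card up to and including the blocking decision."""
    counts = defaultdict(int)
    for i, t in enumerate(txns):
        if t.approved and i <= blocked.get(t.card, (len(txns),))[0]:
            counts[t.card] += 1
    return dict(counts)

# Constructed sample: card-A takes 22 small repeated charges, card-B three declines.
SAMPLE = [Txn("card-A", 1000 + 30 * k, 4.99, True) for k in range(22)] + [
    Txn("card-B", 2000, 50.0, False), Txn("card-B", 2100, 50.0, False),
    Txn("card-B", 2150, 50.0, False), Txn("card-B", 2200, 50.0, True)]
```

Running `approved_before_block(SAMPLE, {})` shows the no-rule outcome the article describes (all 22 charges approved), while the velocity rule stops card-A after the fifth.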
As risks evolve in both form and complexity, banks and financial institutions (BFIs) in Nepal have been strengthening risk mitigation measures, particularly against technology-driven threats. The expansion of digital banking, mobile wallets, online remittances and real-time payment systems has introduced new vulnerabilities. Bhuvan Kumar Dahal, former President of the Nepal Bankers’ Association (NBA), noted that BFIs remain cautious of such risks and have made substantial investments in technology to prevent cyber threats.
“However, client awareness is equally critical in preventing such scams,” Dahal added. “BFIs have been actively educating customers on safeguarding themselves without exposing confidential information.”
A recent incident at Sanima Bank further highlights the growing sophistication of cyber fraud. Bank employees identified an online survey form circulating under the bank’s name and logo, falsely offering participants a reward of Rs 10,000. The form contained suspicious links designed to steal sensitive client data and was widely shared across Instagram, Facebook and other social media platforms via unverified accounts. In response to this unauthorised use of its identity, Sanima Bank alerted the Cyber Bureau of Nepal Police for investigation and issued public notices and emails to raise customer awareness.
The bank has urged customers not to click on suspicious links or share sensitive information such as one-time passwords (OTPs), passwords, PINs, bank account details or card information.
Sujeet Dhakal, Assistant CEO and Chief Risk Officer of Sanima Bank, emphasised that banks never request confidential details through social media, phone calls or messages. He urged customers to remain vigilant and verify information only through official channels. BFIs continue to operate 24/7 customer help centres to support their clients.
Cyber threats targeting financial transactions in Nepal have intensified significantly, driven by the rapid post-Covid-19 shift toward digital banking services such as e-wallets and mobile banking, which has outpaced the development of robust cybersecurity infrastructure. Cyberattacks on financial institutions have increased sharply. In the fiscal year 2024/25 alone, reported online fraud cases amounted to Rs 835.9 million, according to Nepal Police.
Board governance and strategic risk mitigation in the digital era
Cyber risks now represent one of the most significant threats to the financial sector and have become a top priority for boards seeking to protect systems and safeguard clients. In boardrooms across financial institutions, discussions on system resilience, client awareness and fraud prevention have taken centre stage. According to Upendra Prasad Poudel, former Chairperson of Nabil Bank, “Banks and financial institutions have invested heavily in strengthening their systems and training human resources to mitigate the risks of fraudulent transactions.”
A notable example is the SWIFT-related hacking incident at NIC Asia Bank, which exposed critical vulnerabilities within the financial system. The case revealed serious internal control weaknesses, including reports that an employee associated with the SWIFT function had used a private email account. This highlighted significant gaps in cybersecurity discipline, staff awareness and system governance.
The 2017 SWIFT hack involved the unauthorised transfer of approximately Rs 460 million during the five-day Tihar holiday. A joint investigation by Nepal Rastra Bank (NRB) and KPMG identified major IT security lapses, including weak staff practices and poor IT management, such as allowing personal email use on secure systems. Despite these shortcomings, the bank was able to recover most of the funds by promptly alerting international correspondent banks.
Similar cyber heists have occurred internationally. In February 2016, hackers attempted to steal nearly $1 billion from Bangladesh Bank’s account at the Federal Reserve Bank of New York using fraudulent SWIFT messages. They succeeded in transferring $101 million, of which $81 million was laundered through Philippine casinos, while $20 million was recovered from a blocked transaction to Sri Lanka.
In Nepal, several board-level committees are mandated under the Banks and Financial Institutions Act (BAFIA), 2017 and the “Provisions related to corporate governance” outlined in Unified Directive-6 issued by NRB. These include the Audit Committee, Risk Management Committee, Remuneration Committee and the AML/CFT Committee.
The Risk Management Committee is chaired by a non-executive director, with the Chief Risk Officer serving as member secretary. The convenor of the Audit Committee acts as an ex officio member. As per NRB’s Unified Directive-6, the committee meets every three months.
Over time, financial transactions have become increasingly technology-dependent. Technological advancement has modernised payment systems and enhanced efficiency, and it has also enabled businesses to expand operations, scale services and improve competitiveness.
In this context, financial institutions have identified three major categories of risk: market risk, human resource risk and IT risk. IT risk includes cybersecurity threats such as phishing, ransomware, data breaches and malware; system failures due to hardware or software malfunctions; data management risks involving data loss or privacy non-compliance; and vendor-related risks.
Payment service providers and operators face similar challenges and are also working to enhance their security frameworks. The Cyber Bureau of Nepal Police has reported a growing number of complaints related to payment service providers (PSPs).
Data privacy concerns and regulatory challenges in an AI-driven ecosystem
Data privacy violations and unauthorised data sharing have emerged as major risks in the era of surveillance capitalism, which has become deeply embedded in the modern economy. Transactional cyber risks persist in Nepal’s increasingly digital ecosystem, further compounding these challenges. For instance, client data stored on e-commerce platforms, ride-hailing services and other digital applications is often used across multiple contexts without the users’ knowledge or consent.
Recently, Nepal Telecom came under scrutiny not only for providing gateway services for bulk messaging but also for allegedly allowing entities involved in these messages access to telecom data. This has raised serious concerns about data privacy, regulatory oversight and the potential misuse of sensitive subscriber information. Nepal Police recently arrested Nirdesh Sedhai for sending bulk messages containing sensitive content urging approximately five million people to join protests, using the Nepal Telecom gateway under the name “NT Alert.”
While regulated sectors have aligned their systems and processes with legal requirements, and possess comparatively stronger legal and technical frameworks to address cyber risks, rising threats - particularly AI-driven attacks - continue to pose serious challenges. According to Deepak Raj Awasthi, Superintendent of Police and spokesperson for the Nepal Police Cyber Bureau, these emerging risks are testing the resilience of even well-regulated systems.
Highlights
• Online fraud losses reached Rs 835.9 million in FY 2024/25, driven largely by digital banking and e-wallet scams (Nepal Police).
• Banks and payment service providers are prime targets, with phishing, fake links and impersonation scams most common.
• Low digital literacy and human error (OTP sharing, fake surveys) remain major vulnerabilities.
• Cyber threats are outpacing regulatory and technical capacity, despite IT risk directives from Nepal Rastra Bank.
• AI-enabled fraud is emerging, increasing the scale and sophistication of cybercrime in Nepal.
