Data Privacy Practices in Nepal’s Mobile Wallet Ecosystem: An Analysis

Nepal’s digital payment landscape has undergone rapid transformation with significant financial inclusion. Mobile wallets like eSewa, Khalti, IME Pay, Moru, and PrabhuPay are now widely used for everyday transactions. These platforms benefits millions of users making them vital to Nepal’s digital economy. However, this growth has outpaced the development of strong data privacy and protection safeguards.

This policy paper examines the data privacy practices of the existing major mobile wallets within the existing constitutional, legal, and regulatory framework. The study is based on the desk review of publicly available policies of major wallet service providers and key regulatory instruments issued by Nepal Rastra Bank and is analyzed based on the six key core areas: data collection and purpose limitation; consent and transparency; data storage and retention; third-party data sharing and cross-border transfers; security safeguards and breach response; and user rights and grievance redress mechanisms.

The findings shows that the mobile wallet providers though mostly comply with NRB’s licensing, operational, and consumer-protection requirements the substantive data privacy protections remain weak. Most often, data collection is done more than what is required, consent mechanisms are bundled and non-granular, and transparency regarding data retention, third-party processing, and cross-border data flows is limited. Security commitments are generally expressed in broad terms without clear breach-notification obligations, and users lack meaningful rights to access, delete, or control their personal data. As a result, privacy is treated primarily as a compliance and risk-management issue rather than as an enforceable user right. These gaps, in additional to consumer protection risks, also invites a longer-term threat to trust, regulatory credibility, and the sustainability of Nepal’s digital payments ecosystem.

The analysis highlights the limitations of relying solely on sector-specific financial regulation to effectively manage current data protection challenges. To strengthen privacy governance in Nepal’s digital payment ecosystem, coordinated action is required. This includes robust regulatory directives from the Nepal Rastra Bank (NRB), the implementation of a comprehensive personal data protection law, the establishment of clearer institutional accountability, and the adoption of improved privacy practices by mobile wallet providers. In the absence of such measures, the consumers will be continually exposed to the increasing data related risks which may have unforeseen consequences.

Click here to read.