Rastra Bank has introduced a new system for digital payment security

Falgun 23, 2081

Kantipur Reporter

Nepal Rastra Bank has amended the Integrated Directive on Payment System-2080 to reduce cyber risks in the digital financial system.

By adding sub-points (7) and (8) to point number 2 of Sabic's directive number 12/080, the National Bank has instructed financial institutions to adopt identification, protection, detection, response and recovery procedures for reducing cyber risks and to implement fraud detection systems based on AI and machine learning. 

In the directive, risks arising from non-compliance with international standards such as ISO 27001 and ISO 2022 messaging standards are defined as technology risks. In order to reduce such risks, financial institutions should give priority to the identification, monitoring and management of technology risk sources in order to reduce risks arising from cyber attacks, data privacy violations, system weaknesses, system disruptions and inter-connections.

According to the new arrangement, users will not be able to log into financial institutions' systems unless they have an official virtual private network (VPN). The National Bank has included this provision by adding point number 13 to point number 2 of the directive: "identifying whether or not the customer uses a VPN while operating or doing business with the mobile banking and internet banking system, an arrangement must be made to prevent logging into the app if the official VPN is not used." The provision is believed to prevent unauthorized access and reduce the risk of cyber attacks.

Similarly, payment service providers have now been mandated to store data only in data centers registered with the Department of Information Technology. The department has recently issued a notification asking data centers and cloud service providers across the country to be listed. It is stipulated that financial institutions should monitor the end-of-life status of their software and hardware and perform regular technical audits of the system.

Rastra Bank appears to have tightened the requirements on financial institutions to strengthen the identification, protection, detection, response and recovery process for cyber risk management. In addition, the directive clearly states that financial institutions should improve customer identification, transaction monitoring and risk management systems to prevent money laundering and terrorist financing.

Kantipur
