Navigating SMS Regulations in Nepal: KYC, Privacy, and Anti-Spam Laws

SMS still runs quietly under a lot of things in Nepal.

Bank OTPs. E-wallet logins. Hospital reminders. Government notices. Delivery updates. Even that one local store that keeps texting “offer offer offer” like it is 2012.

And because it is so common, people assume it is unregulated. Or lightly regulated. Or like, it is just telecom stuff, so only the telcos need to worry.

Not really.

If you are sending SMS in Nepal as a business, a fintech, an NGO, a school, a ride app, a clinic, a marketplace, anyone, you are walking through three overlapping zones:

  1. KYC and identity rules that shape who can send messages and through which channels.
  2. Privacy and data protection expectations around phone numbers, consent, purpose limitation, and retention.
  3. Anti spam rules and consumer protection norms that can get you blocked, reported, or pulled into a regulator complaint.

This post is not legal advice, obviously. But it is a practical map. The kind you wish you had before you shipped a “marketing blast” feature and then spent two weeks wondering why delivery fell off a cliff.

SMS in Nepal: Who regulates what (roughly)

Nepal is not a single law, single regulator environment. SMS touches different systems.

Here are the main actors you keep hearing about:

  • Nepal Telecommunications Authority (NTA): the telecom regulator. Think licensing, service quality, numbering, telecom compliance, and oversight of operators. If your SMS activity looks like telecom service misuse or harms consumers at scale, NTA is the obvious place.
  • Telecom operators: Ncell, Nepal Telecom, and others. A lot of rules become real through operator policies, filters, short code approvals, header approvals, and KYC checks.
  • Government agencies and sector regulators: Nepal Rastra Bank for banks and PSPs, Insurance Board, health regulators, etc. Sector rules can effectively force “secure messaging” behavior.
  • Courts and general law: consumer protection concepts, cyber related offenses, contract disputes, defamation and harassment complaints. Yes, an SMS campaign can drag you into these in weird ways.

So you might do everything “right” with your SMS vendor, but still get hit because your data collection flow was sloppy. Or because your message content was misleading. Or because you used a random SIM bank.

The ultimate guide to bulk SMS in Nepal offers more insights into these regulations and how to navigate them effectively for your business needs.

The big distinction: P2P, A2P, and “random SIM blasting”

Before we go into KYC and privacy, it helps to name the lanes.

Person to Person (P2P)

Normal human texting from a mobile number. It is not meant for business messaging at scale.

Application to Person (A2P)

This is what most businesses actually need. An application sends messages to users, usually via an SMS gateway, a shortcode, or an approved sender ID or header.

A2P is where compliance starts to matter a lot, because it is trackable, filterable, and it can be controlled.

SIM based bulk sending (the “gray” method)

Sometimes businesses try to send bulk SMS by rotating SIMs, using GSM modems, SIM boxes, cheap Android apps, whatever. It can look cheaper at first, until it does not. Delivery is unstable, numbers get blocked, and it can trigger operator action because it resembles spam operations and bypasses normal A2P controls.

If you are serious, stay in A2P.

KYC in the SMS world, what it really means

KYC in Nepal is a familiar term from banking. But in telecom, KYC usually means: identity verification for SIM registration, and then layered verification for business messaging channels.

And the practical point is simple:

If a sender is not identifiable, the system is easier to abuse. So regulators and operators push traceability.

1. SIM registration is KYC’d

Mobile SIMs are issued under KYC requirements through telecom operators. That is not new. It matters because if you are doing SMS via SIMs (especially bulk), you are tying your messaging operation to consumer SIM rules. Which is already a mismatch.

Also, if complaints come in, the identity trail is right there.

2. Business sender verification for A2P

When you use a legitimate SMS gateway or operator integrated route, you’re typically required to undergo some form of business verification. While it may not be explicitly labeled as “KYC” in the documentation, it serves a similar purpose.

Be prepared to provide several documents depending on your vendor and route, such as:

  • Company registration documents
  • PAN or VAT registration
  • Authorized signatory ID
  • Letterhead request for sender ID or shortcode
  • Contact person details
  • Message use case details (OTP, alerts, promotions, etc)
  • Sample templates

This process isn’t merely bureaucratic red tape. It’s a necessary measure to prevent fraud, such as a random entity impersonating “YourBank” and sending phishing links.

3. Template and header controls (soft KYC)

In many regions, operators are shifting towards template registration and sender ID registration, along with implementing content filters. For instance, Nepal has its own set of operator level controls that are continuously evolving. Even in cases where formal “template registration” isn’t mandated by law, vendors often enforce template usage to ensure stable deliverability.

If your vendor advises you to adhere to approved templates for OTP messages, it’s crucial to heed their advice. They aren’t being difficult; they’re simply trying to maintain the viability of your messaging route.

4. Special sensitivity sectors get stricter

Sectors dealing with banking, wallets, remittance, and other financial services will encounter more stringent expectations from both their regulators and internal audits.

You may be asked questions such as:

  • Are OTP messages strictly transactional?
  • Are marketing messages separated?
  • Are there logs for message requests?
  • Are you storing OTPs?
  • Do you have vendor agreements and controls?

KYC goes beyond just identifying who you are. It also involves demonstrating that you’re not engaging in dubious messaging practices.

For example, if you’re looking to register an alphanumeric sender ID in Ireland, specific documents will be required.

Privacy in Nepal, the reality vs the ideal

Nepal’s privacy and data protection environment has been evolving. Even if you feel the law is “not that clear”, users and regulators still expect basic privacy behavior.

And phone numbers are personal data. In practice, they are one of the most sensitive identifiers in Nepal because phone numbers connect to banking, e-wallets, social accounts, and SIM registration.

So if your system is careless with phone numbers, you are basically careless with identity.

What “privacy compliant” SMS looks like in practice

You do not need to overcomplicate this. Start with a few principles.

You should be able to answer:

  • Why do we collect this number?
  • What messages will we send?
  • Is it necessary for the service?

Transactional messages like OTPs, receipts, service alerts are usually sent under “service necessity”. Marketing is not.

Marketing should be opt-in. Or at minimum, it should be clearly disclosed and easy to opt out.

And yes, people in Nepal often share numbers casually. That does not mean you have consent to message them forever.

2. Clear notice at collection time

Where do you collect the phone number?

Signup page. Checkout form. Lead form. Clinic registration desk. Offline spreadsheet. WhatsApp chat. Facebook lead ads.

Every one of these should have a small, clear notice like:

  • “We will use your number to send order updates and support messages.”
  • “By signing up, you agree to receive OTP and account alerts.”
  • “You can opt out of promotional SMS anytime.”

This is boring copy. But it saves you later.

3. Data minimization

Do you need alternate numbers, family numbers, office numbers?

Be careful. Every extra number is another person you might message accidentally or another privacy complaint.

Collect only what you actually use, following the principle of data minimization.

4. Retention and deletion

Most teams never think about this with SMS. They store contact lists forever, export CSVs, keep old campaign sheets, move them between laptops.

At some point, you need a retention rule.

  • Leads that did not convert after X months, delete or anonymize.
  • Users who closed accounts, delete numbers unless legally required to retain some records.
  • Campaign exports, restrict access and expire them.

If you cannot delete, at least restrict and log access, following best practices for personal data deletion.

5. Vendor and cross border data handling

If you use an SMS gateway, you are sharing phone numbers, message content, timestamps, and sometimes IPs.

Ask your vendor:

  • Where is data stored?
  • How long are logs kept?
  • Who has access?
  • Do they resell data? They should not.
  • Do they have breach processes?

And sign an agreement that covers confidentiality, use limitation, and incident reporting.

Even if enforcement is imperfect, you want a paper trail that you acted responsibly.

6. Do not put sensitive data in SMS

This is a big one.

SMS is not end-to-end encrypted. It can be seen on lock screens. It can be forwarded.

Anti spam rules, and why you get blocked even without a “law”

There is the formal side and the practical side.

Formally, Nepal has telecom regulation and consumer protection concepts that can apply, plus cyber related offenses if harassment or fraud happens. But day to day, what most businesses feel first is the practical enforcement:

  • Operator spam filters
  • Vendor compliance requirements
  • User complaints
  • Delivery collapse
  • Sender ID blocking
  • Content level filtering (URLs, certain keywords, repetitive patterns)

So even if you never read a single act or directive, you can still get punished by the system.

What counts as spam in the real world

Spam is not just “unsolicited marketing”. In telecom terms, spam is anything that looks abusive, deceptive, or excessive.

Common triggers:

  • Messaging people who never opted in
  • High frequency sends, especially to the same number set
  • Sudden volume spikes
  • Repeated identical messages with links
  • URL shorteners or suspicious domains
  • Misleading sender identity, like pretending to be a bank
  • Messages that cause user complaints like “STOP texting me”
  • Sending at weird hours, late night blasts
  • Content that resembles scams: “You won prize”, “claim cash”, “urgent verify now”

Sometimes even legitimate messages get caught because your pattern matches known spam campaigns.

Transactional vs promotional, keep them separated

This is more important than teams think.

If you send OTPs and marketing from the same sender identity or same channel, you create two risks:

  1. Your OTP deliverability becomes dependent on your marketing behavior.
  2. Users start distrusting your OTPs because they associate the sender with spam.

So separate:

  • Transactional route for OTPs, security alerts, receipts, essential service updates.
  • Promotional route for offers, newsletters, engagement pushes.

Even better, separate sender IDs too, if available.

Always include a way to opt out (for promotions)

For promotional SMS, you should provide opt out instructions.

In Nepal, not every system supports true SMS keyword based unsubscribe (like texting STOP). But you can still do practical opt out:

  • “To opt out, reply STOP” if your setup supports inbound SMS.
  • “To opt out, call 01xxxxxxx” (not ideal but better than nothing).
  • “To opt out, update preferences in the app.”
  • “To opt out, message us on WhatsApp/Viber.”

And then actually honor it. Fast. Not in two weeks.

Also, do not make opt out conditional on logging in. That is how you annoy people.

Timing and frequency, be a human for a second

If you send 6 promotional SMS in a week, people will report you. Even if you have consent.

A simple internal policy helps:

  • Quiet hours: no promos after 8 pm, no promos before 9 am
  • Max frequency: 2 to 4 promos per month unless user explicitly asked for more
  • Cap per campaign: do not resend to non responders multiple times

Your metrics might look “lower” at first. But deliverability and brand trust will be higher. Which is the real metric.
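The opt out, quiet hours and frequency rules above, combined into one pre-send gate. This is an added example, not code from any vendor or from the original post; the `Contact` record, the function names and the choice of 4 as the monthly cap are assumptions. Quiet hours are evaluated in Nepal Time (UTC+05:45), which a server running on UTC would otherwise get wrong.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone
from typing import Optional

NPT = timezone(timedelta(hours=5, minutes=45))   # Nepal Time, fixed offset, no DST
QUIET_START = time(20, 0)     # no promos after 8 pm
QUIET_END = time(9, 0)        # no promos before 9 am
MAX_PROMOS_PER_MONTH = 4      # assumed: upper end of the 2 to 4 per month policy


@dataclass
class Contact:                # hypothetical record, one per phone number
    number: str
    consented_purposes: set   # e.g. {"transactional", "promotional"}
    opted_out_at: Optional[datetime] = None
    promo_sends: list = field(default_factory=list)   # UTC datetimes of past promos


def promo_decision(contact: Contact, now_utc: datetime) -> str:
    """Return "send" or the reason a promotional SMS is held back."""
    if contact.opted_out_at is not None:
        return "blocked: opted out"
    if "promotional" not in contact.consented_purposes:
        return "blocked: no promotional consent"   # delivery consent is not promo consent
    local = now_utc.astimezone(NPT)
    if local.time() >= QUIET_START or local.time() < QUIET_END:
        return "deferred: quiet hours"
    this_month = [s for s in contact.promo_sends
                  if (s.astimezone(NPT).year, s.astimezone(NPT).month)
                  == (local.year, local.month)]
    if len(this_month) >= MAX_PROMOS_PER_MONTH:
        return "blocked: monthly cap reached"
    return "send"


def next_window_open(now_utc: datetime) -> datetime:
    """UTC time at which quiet hours end, for rescheduling a deferred message."""
    local = now_utc.astimezone(NPT)
    opens = local.replace(hour=9, minute=0, second=0, microsecond=0)
    if local.time() >= QUIET_START:
        opens += timedelta(days=1)     # evening: the window reopens tomorrow
    return opens.astimezone(timezone.utc)


def record_opt_out(contact: Contact, now_utc: datetime) -> None:
    # Recorded with a timestamp and effective on the very next decision.
    contact.opted_out_at = now_utc
```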

SMS is short, which makes people careless. But misleading marketing in a 160 character message is still misleading marketing.

Be careful with:

  • Prices without taxes or conditions
  • “Free” when it is not truly free
  • Lottery, prize, and giveaway language
  • Financial promises, “guaranteed return”
  • Medical claims
  • Impersonation and brand confusion

Also be careful with links.

If you must include a link, use your own domain, not a random shortener. And make sure the landing page matches the message.
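A template check for the link and wording rules above, plus the page's rule that OTP messages carry no link or offer. This is an added example, not part of the original post; `example.com.np` stands in for the sender's own domain, and the phrase list is built from the scam-like wording the page names. The URL pattern also catches links written without a scheme and errs on the side of flagging.

```python
import re
from urllib.parse import urlsplit

OWN_DOMAINS = {"example.com.np"}   # assumption: placeholder for your own domain
BAIT_PHRASES = ("you won", "claim cash", "urgent verify", "guaranteed return")
# Matches "https://host/path" as well as bare "host.tld/path".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?",
                    re.IGNORECASE)


def link_hosts(body: str) -> list:
    """Hostnames of every link-like token in the message body."""
    hosts = []
    for raw in URL_RE.findall(body):
        url = raw if "://" in raw else "http://" + raw
        hosts.append((urlsplit(url).hostname or "").lower())
    return hosts


def on_own_domain(host: str) -> bool:
    # Exact match or a true subdomain; "example.com.np.evil.test" does not pass.
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def lint_message(body: str, msg_type: str) -> list:
    """Return findings for one outbound template; an empty list means it passes."""
    findings = []
    hosts = link_hosts(body)
    for host in hosts:
        if not on_own_domain(host):
            findings.append(f"link host not on own domain: {host or 'unparseable'}")
    lowered = body.lower()
    for phrase in BAIT_PHRASES:
        if phrase in lowered:
            findings.append(f"scam-like phrase: {phrase}")
    if msg_type == "otp" and (hosts or "offer" in lowered):
        findings.append("OTP message mixes in a link or offer")
    return findings
```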

OTP and authentication SMS, high trust, high scrutiny

OTP messaging feels purely technical, but it is one of the most regulated and audited categories because it is tied to fraud.

A few practical rules:

  • OTP should be time limited, ideally 2 to 10 minutes.
  • Do not reuse OTPs.
  • Rate limit OTP requests per number and per IP.
  • Provide user facing language: “Do not share.”
  • Log OTP send events, but do not store OTP in plain text.
  • If possible, separate OTP sender identity from marketing.

Also, do not ever send OTP + login link + “special offer” in one message. That is how phishing patterns happen.
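The OTP rules above as a small service: a time-limited, single-use code, rate limits per number and per IP, and a send log that never contains the code. This is an added example, not code from the original post; the class name, the in-memory storage and the specific limits (3 sends per 10 minutes, 5 verification attempts) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300        # 5 minutes, inside the 2 to 10 minute window
MAX_SENDS_PER_WINDOW = 3     # assumed limit, applied per number and per IP
RATE_WINDOW_SECONDS = 600    # assumed rate-limit window
MAX_VERIFY_ATTEMPTS = 5      # assumed cap on guesses per issued code


class OtpService:
    """In-memory sketch; production would use a shared store such as a database."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock
        self._pending = {}    # number -> [digest, expires_at, attempts_left]
        self._sends = {}      # rate-limit key -> timestamps of recent sends
        self.send_log = []    # send events only; the code is never logged

    def _digest(self, number: str, code: str) -> bytes:
        # Keyed HMAC: a bare hash of 6 digits could be brute-forced offline.
        return hmac.new(self._key, f"{number}:{code}".encode(), hashlib.sha256).digest()

    def _allow(self, key: str, now: float) -> bool:
        recent = [t for t in self._sends.get(key, []) if now - t < RATE_WINDOW_SECONDS]
        self._sends[key] = recent
        return len(recent) < MAX_SENDS_PER_WINDOW

    def _log(self, number: str, ip: str, now: float, event: str) -> None:
        self.send_log.append({"number": number, "ip": ip, "ts": now, "event": event})

    def issue(self, number: str, ip: str):
        """Return a fresh 6-digit code for the SMS gateway, or None if rate limited."""
        now = self._clock()
        keys = (f"num:{number}", f"ip:{ip}")
        if not all([self._allow(k, now) for k in keys]):   # list: check both keys
            self._log(number, ip, now, "otp_rate_limited")
            return None
        for k in keys:
            self._sends[k].append(now)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[number] = [self._digest(number, code),
                                 now + OTP_TTL_SECONDS, MAX_VERIFY_ATTEMPTS]
        self._log(number, ip, now, "otp_sent")
        return code

    def verify(self, number: str, code: str) -> bool:
        entry = self._pending.get(number)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[number]      # expired or guessed too often
            return False
        entry[2] -= 1
        if hmac.compare_digest(digest, self._digest(number, code)):
            del self._pending[number]      # single use: replaying the code fails
            return True
        return False
```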

Working with SMS vendors and aggregators in Nepal

Most companies will not connect directly to an operator. They will use an aggregator.

Pick carefully. The vendor relationship becomes part of your compliance posture.

What to ask a vendor before you sign

  • Are messages sent via approved A2P routes?
  • Can we have a dedicated sender ID or shortcode?
  • How do you handle spam complaints and filtering?
  • What is your policy on URL shorteners?
  • Do you support DND or unsubscribe management?
  • Do you provide delivery reports and logs? How long do you keep them?
  • What are your uptime and failover practices?
  • Do you have an account manager who can actually fix routing issues?

And ask a blunt one:

If our message is blocked, can you tell us why?

Some vendors can. Some will say “operator issue” forever. Avoid that.

Keep an internal SMS log

Even if your vendor has logs, keep your own:

  • who triggered the message
  • which template
  • what number
  • timestamp
  • message type: OTP, transactional, promotional
  • vendor response ID
  • delivery status if available

This helps with audits, customer support, and disputes.

If a user says, “I never received OTP,” you can check. If a user says, “you spammed me,” you can verify consent and history.

Common mistakes that get teams in trouble

1. Buying a phone number list

Just do not.

It is the fastest way to get complaints and to get your sender reputation trashed. Also, it is a privacy nightmare because you cannot prove consent.

You got a number from an offline event. Or a referral. Or a delivery partner. And you assume you can market to them.

No.

If the consent was for “delivery updates”, do not convert it into “weekly promos”.

Purpose matters.

3. Using SMS for sensitive disclosures

Banks sometimes do it right. Many others do not.

Do not send sensitive personal or medical results over SMS. Use secure portals or ask the person to call in.

4. Not having a complaint path

When someone gets annoyed, they will do one of three things:

  • report spam to the operator
  • complain publicly on social
  • complain to your support

If you make support hard to reach, they pick the first two.

Add a simple support line in promotional messages. Even occasionally. It reduces escalation.

5. Blasting on festivals, then blaming “operator congestion”

Yes, congestion happens during big festivals and emergencies. But most failures are self caused: too much volume, too little planning, and no throttling.

If you know Dashain is coming, plan throttling and fallback channels like push notifications, email, WhatsApp, in app inbox.

A simple compliance checklist you can actually use

Here is a practical list. Not perfect, but solid.

For all SMS

  • Phone numbers collected with clear notice of intended use
  • Vendor contract includes confidentiality and purpose limitation
  • Internal logs for sends and templates
  • No sensitive personal data in message body
  • Links, if used, are on your domain and match the content
  • Rate limits and throttling configured

For OTP and transactional

  • Separate sender ID or route from promotions
  • Templates fixed and reviewed
  • OTP validity window and “do not share” warning
  • OTP stored hashed or not stored, never plain text
  • Abuse protection: retry limits, anomaly detection

For promotional

  • Explicit opt in (preferred) or strong disclosure and easy opt out
  • Opt out is honored quickly and recorded
  • Frequency caps and quiet hours
  • Honest pricing and conditions
  • No deceptive urgency or prize bait language

So what should you do next, if you are starting today

If you are a small business and you just want to send basic alerts, do this:

  • Use a reputable A2P SMS gateway in Nepal.
  • Keep messages transactional until you have a proper consent and opt out system.
  • Write down your policy in one page. Seriously. What you send, to whom, and how they stop it.
  • Separate OTP and promotions early. It is painful later.

If you are a fintech or any regulated product, do a bit more:

  • Align SMS content with your security policy.
  • Get vendor due diligence done.
  • Prepare for audits: message logs, template approvals, incident response.

And if you are already sending SMS and things are messy, the fastest fix is usually not “change vendor”. It is cleaning up consent, reducing frequency, removing shady links, and separating transactional from promotional.

Wrap up

SMS in Nepal is still one of the highest trust channels. Which is exactly why regulators, operators, and users react quickly when it gets abused.

The good news is you do not need to be a lawyer to do the basics right.

Know who you are as a sender, keep your identity and routes clean. Treat phone numbers like personal data, because they are. And do not spam people and then act surprised when delivery tanks.

Do that, and SMS becomes boring again.

Boring is good.

FAQs (Frequently Asked Questions)

What are the main uses of SMS in Nepal today?

SMS in Nepal is widely used for bank OTPs, e-wallet logins, hospital reminders, government notices, delivery updates, and even local store promotions. It remains a common communication channel across various sectors.

Who regulates SMS messaging activities in Nepal?

SMS messaging in Nepal is regulated by multiple actors including the Nepal Telecommunications Authority (NTA), telecom operators like Ncell and Nepal Telecom, sector-specific government agencies such as Nepal Rastra Bank and health regulators, as well as courts under general laws related to consumer protection and cyber offenses.

What are the different types of SMS messaging lanes in Nepal?

There are three primary types: Person to Person (P2P) which is normal human texting; Application to Person (A2P) where businesses send messages via SMS gateways or approved sender IDs; and SIM-based bulk sending using rotating SIMs or GSM modems, which is considered a ‘gray’ method with unstable delivery and regulatory risks.

What does KYC mean in the context of SMS messaging in Nepal?

KYC in SMS involves identity verification at two levels: first, SIM registration requiring customer identification through telecom operators; second, business sender verification for A2P messaging where companies must submit documents like registration certificates and message templates to ensure traceability and prevent fraud.

Why is template registration important for business SMS messages?

Template registration helps operators control message content and sender IDs to prevent spam and phishing. Although not always legally mandated in Nepal, adhering to approved templates ensures better deliverability and compliance with evolving operator-level controls.

What risks do businesses face if they use unauthorized bulk SMS methods like random SIM blasting?

Using unauthorized bulk SMS methods such as rotating SIMs or GSM modems can lead to unstable message delivery, number blocking by operators, regulatory complaints, and damage to brand reputation. These methods bypass standard A2P controls and are often flagged as spam operations.