Operating under the highest regulatory standards across multiple jurisdictions in Europe and Asia.
Compliance is not an afterthought at NML — it is the foundation upon which every service, process, and client engagement is built. Since our founding in 2015, we have operated with the conviction that sustainable business growth in regulated industries requires a proactive, compliance-first approach. This principle guides our organizational structure, technology investments, and day-to-day operations across every jurisdiction in which we operate.
NML maintains active regulatory registrations and licenses across eight regulatory bodies spanning four countries. Our compliance team works continuously to monitor regulatory developments, update internal policies, and ensure that our operations remain aligned with evolving requirements. We conduct regular internal audits, engage independent third-party assessors, and maintain comprehensive documentation of all compliance activities.
For our clients — particularly payment service providers, financial institutions, and telecommunications operators — this means working with a partner whose compliance posture has been independently validated and is subject to ongoing regulatory oversight. We provide full transparency into our compliance framework upon request and actively support client due diligence processes.
NML is registered with and regulated by the following authorities. Each registration reflects our commitment to operating within the legal frameworks of every market we serve.
Federal Network Agency, Germany
Germany's federal regulatory authority for electricity, gas, telecommunications, post, and railway markets. NML holds telecommunications licenses issued by the Bundesnetzagentur, authorizing the provision of voice and data services within the German market.
Federal Financial Supervisory Authority, Germany
Germany's integrated financial services regulator overseeing banks, insurance companies, and securities trading. NML's payment processing and financial services operations in Germany are conducted in compliance with BaFin regulatory requirements.
Accounting and Corporate Regulatory Authority, Singapore
Singapore's national regulator for business entities, public accountants, and corporate service providers. NML — New Media License PTE LTD is incorporated and registered with ACRA under UEN 201540896K, maintaining full compliance with Singapore corporate governance requirements.
Infocomm Media Development Authority, Singapore
Singapore's statutory board responsible for the regulation and development of the infocomm and media sectors. NML is registered with IMDA for the provision of telecommunications and media-related services within Singapore.
Monetary Authority of Singapore
Singapore's central bank and integrated financial regulator. MAS oversees all financial institutions in Singapore, including payment service providers. NML's payment processing activities in Singapore are conducted in accordance with MAS regulatory guidelines and the Payment Services Act.
Austrian Regulatory Authority for Broadcasting and Telecommunications
Austria's regulatory authority for broadcasting and telecommunications. NML is registered with RTR for the provision of telecommunications services in the Austrian market, ensuring compliance with Austrian telecommunications law and EU regulatory frameworks.
Office of Electronic Communications, Poland
Poland's national regulatory authority for the telecommunications and postal markets. NML holds registrations with UKE authorizing telecommunications operations in Poland, including voice services and data transmission.
National Broadcasting and Telecommunications Commission, Thailand
Thailand's independent regulatory body for broadcasting and telecommunications. NML operates in the Thai market under NBTC oversight, providing telecommunications and payment aggregation services in compliance with Thai regulatory requirements.
ISO 27001 is the international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company and customer information, encompassing people, processes, and technology. NML maintains ISO 27001 certification, independently audited by accredited certification bodies.
Our ISMS covers the full scope of NML operations, including data processing centers, telecommunications infrastructure, payment systems, and client-facing services. The certification requires ongoing risk assessments, implementation of security controls across 14 domains, regular internal audits, and annual surveillance audits by external assessors. Our information security policies are reviewed and updated at least annually, with all employees completing mandatory security awareness training.
PCI DSS is the global security standard for organizations that handle branded credit and debit card data. NML maintains PCI DSS Level 1 compliance — the highest level of certification — which applies to entities processing over six million card transactions annually. Compliance is validated through annual on-site assessments conducted by a Qualified Security Assessor (QSA).
Our PCI DSS compliance covers all twelve requirements of the standard, including the maintenance of a secure network, protection of cardholder data through encryption and tokenization, vulnerability management programs, strong access control measures, regular monitoring and testing of networks, and comprehensive information security policies. Cardholder data is encrypted at rest using AES-256 and in transit using TLS 1.3. We maintain network segmentation to isolate cardholder data environments, and all access is subject to multi-factor authentication and least-privilege principles.
The GDPR is the European Union's comprehensive data protection regulation that governs the processing of personal data of individuals within the EU and EEA. NML operates as both a data controller and data processor, depending on the nature of the engagement, and maintains full compliance with GDPR requirements across all European operations.
Our GDPR compliance program includes the appointment of a Data Protection Officer (DPO), maintenance of detailed Records of Processing Activities (ROPA), implementation of Data Protection Impact Assessments (DPIAs) for high-risk processing, and established procedures for responding to data subject access requests within statutory timeframes. We execute Data Processing Agreements (DPAs) with all clients for whom we process personal data, clearly defining the scope, purpose, and duration of processing. Standard Contractual Clauses (SCCs) are implemented for any transfers of personal data outside the EEA to ensure adequate protection.
All data at rest is encrypted using AES-256. Data in transit is protected using TLS 1.3 across all internal and external communications. Encryption keys are managed through dedicated key management systems with regular key rotation schedules. Database-level encryption is applied to all production systems storing personal or financial data.
All systems operate on the principle of least privilege. Access to production environments, client data, and sensitive infrastructure requires multi-factor authentication (MFA). Role-based access control (RBAC) is enforced across all platforms, with access reviews conducted quarterly. Privileged access is logged and monitored in real time.
NML engages independent third-party firms to conduct annual penetration tests and vulnerability assessments across all externally facing systems and critical internal infrastructure. Internal audits are performed quarterly against ISO 27001 control objectives. Findings are tracked through a centralized remediation workflow with defined SLAs for resolution.
Our incident response plan follows a structured process: identification, containment, eradication, recovery, and post-incident review. Suspected security incidents are escalated within 30 minutes of detection. Clients and relevant regulatory authorities are notified within the timeframes required by GDPR (72 hours) and applicable financial regulations. Incident response procedures are tested through tabletop exercises at least twice annually.
Data retention periods are defined per data category and contractual obligation, in accordance with applicable legal requirements. Personal data is retained only for as long as necessary for the purpose for which it was collected. Upon expiration of the retention period or termination of a client engagement, data is securely deleted using methods that comply with NIST 800-88 guidelines for media sanitization.
NML's operational facilities are secured with access control systems, CCTV surveillance, and visitor management procedures. Data processing areas operate as restricted zones with additional access controls. Clean desk policies are enforced across all operational environments, and removable media usage is controlled and logged.
NML maintains a comprehensive Anti-Money Laundering (AML) and Know Your Customer (KYC) program in line with the requirements of the jurisdictions in which we operate, including the German Money Laundering Act (GwG), Singapore's Corruption, Drug Trafficking and Other Serious Crimes Act (CDSA), and applicable EU Anti-Money Laundering Directives.
Our AML program includes customer due diligence (CDD) and enhanced due diligence (EDD) procedures, ongoing transaction monitoring, sanctions screening against relevant lists (EU, UN, OFAC), suspicious activity reporting, and regular AML training for all employees involved in financial services operations. The program is overseen by a designated Money Laundering Reporting Officer (MLRO) and is subject to annual independent review.
Read our full AML Policy
European Telecommunications Network Operators' Association
The principal trade association representing Europe's major telecommunications network operators, advocating for a regulatory environment that supports innovation and investment.
European Fintech Association
An industry body representing fintech companies across Europe, promoting dialogue between financial technology innovators and regulators to shape the future of financial services.
European Data Protection Industries Association
A trade association representing companies in the data protection and privacy technology sector, contributing to policy discussions on data protection standards and best practices across Europe.
Computer & Communications Industry Association
An international nonprofit membership organization for companies in the computer, internet, information technology, and telecommunications industries, promoting open markets and innovation.
Telecommunications Industry Association
A leading trade association representing manufacturers, suppliers, and providers of information and communications technology, setting standards and advocating for policies that drive industry growth.
For compliance documentation, due diligence inquiries, or questions regarding our regulatory framework and certifications, please contact our compliance team directly.
compliance@nml.world