Pakistan

A standing prohibition by the State Bank of Pakistan (SBP) for regulated financial institutions to deal in or facilitate virtual assets.

Ongoing discussions and proposed legislative efforts, primarily driven by the need to comply with Financial Action Task Force (FATF) recommendations, to eventually introduce a regulatory framework.

**SBP BPRD Circular No. 03 of 2018:** Issued on April 06, 2018, this circular explicitly prohibits all banks, Microfinance Banks (MFBs), and Payment System Operators (PSOs)/Payment Service Providers (PSPs) from:

Dealing in Virtual Currencies/Coins/Tokens (VCs/VCOs/VCTs).

Facilitating any transaction involving VCs/VCOs/VCTs.

Maintaining accounts of individuals/entities involved in VCs/VCOs/VCTs.

**Implication:** This circular effectively creates a de facto ban on any regulated financial institution in Pakistan from engaging with or facilitating cryptocurrency activities. This means that:

**Cryptocurrency exchanges, custody providers, and payment processors cannot legally operate with bank accounts in Pakistan or integrate with the traditional financial system.**

Any individual or entity involved in crypto transactions faces significant challenges in dealing with their funds through regulated financial channels.

**State Bank of Pakistan BPRD Circular No. 03 of 2018: "Caution against usage of Virtual Currencies/Coins/Tokens (VCs/VCOs/VCTs)"**

**Exchanges:** No license. Cannot lawfully connect to the banking system.

**Custody Providers:** No license. Cannot lawfully connect to the banking system.

**Payment Processors (Crypto-related):** If processing fiat for crypto, no license and prohibited for regulated entities. If purely crypto-to-crypto, it operates outside the formal financial system but still in a legally ambiguous and high-risk environment.

**FATF Recommendation 15:** Which requires countries to regulate and supervise Virtual Asset Service Providers (VASPs) for Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) purposes. Pakistan's compliance with FATF recommendations is critical for its international financial standing.

**Proposed Drafts:** Various draft bills and frameworks have been reported in the media, suggesting that a future regime might include:

**Registration:** Likely for smaller or lower-risk VASP activities.

**Licensing:** For higher-risk activities, larger entities, or specific types of virtual assets (e.g., security tokens, if classified as securities).

**SECP (Securities and Exchange Commission of Pakistan):** Likely to regulate VAs, especially those that may fall under the definition of securities. https://www.secp.gov.pk/

**SBP (State Bank of Pakistan):** Would likely maintain oversight for payment systems and potentially for stablecoins or central bank digital currencies (CBDCs) if introduced.

VASPs would likely need to maintain a minimum paid-up capital to ensure financial stability and solvency. The exact amounts would vary based on the type and scope of services (e.g., higher for exchanges vs. simple transfer services).

**AML/KYC (Anti-Money Laundering / Know Your Customer):** This will be the cornerstone of any future regulation, driven by FATF compliance.

**Customer Due Diligence (CDD):** Robust procedures for identifying and verifying customer identities (KYC).

**Enhanced Due Diligence (EDD):** For higher-risk customers or transactions.

**Transaction Monitoring:** Systems to detect unusual or suspicious transaction patterns.

**Record Keeping:** Maintenance of transaction and customer data for prescribed periods.

**Reporting Obligations:** Reporting of suspicious transactions (STRs) and potentially cash transaction reports (CTRs) to the Financial Monitoring Unit (FMU).

Likely requirement for a physical office and local management (e.g., CEO, AML Officer) to ensure local oversight and accountability.

Management, directors, and significant beneficial owners of the VASP would need to meet "fit and proper" criteria, including checks on their financial standing, reputation, and experience.

Robust cybersecurity frameworks, data protection measures, and secure storage solutions for virtual assets (e.g., hot/cold wallet management).

Business continuity and disaster recovery plans.

Clear organizational structure, risk management policies, and internal audit functions.

Requirements for transparent disclosures, fair trading practices, and mechanisms for handling customer complaints.

**Pre-Application Consultation:** Optional or mandatory meetings with the regulator (e.g., SECP) to discuss the proposed business model.

**Submission of Application Package:** A comprehensive submission including:

Detailed business plan and financial projections.

Shareholding structure and beneficial ownership information.

Profiles of key personnel (management, directors, compliance officers).

Comprehensive AML/CFT manual and policies.

Technology architecture and security frameworks.

**Due Diligence by Regulator:** The regulator would conduct thorough background checks on the applicant entity, its management, and beneficial owners.

**Interviews:** Potential interviews with key personnel.

**Review and Approval/Rejection:** The regulator would review the application and, if satisfied, grant the license/registration, subject to ongoing compliance.

**Post-Licensing Obligations:** Continuous reporting, audits, and adherence to all regulatory requirements.

**Investment Contract / Collective Investment Scheme:** If a digital asset represents an investment contract, it is likely to be considered a security. This generally involves:

**Investment of money/value:** Funds or assets are committed.

**Common enterprise:** The investment is pooled with others.

**Expectation of profit:** The investor anticipates financial gain.

**Reliance on the efforts of others:** The profit is derived from the managerial or entrepreneurial efforts of the issuer or a third party, rather than the investor's own efforts.

**Other Defined Securities:** The Securities Act, 2015, defines "security" broadly to include:

Shares, scrips, stocks, bonds, debentures, debenture stock.

Modaraba certificates, sukuk, and other instruments creating or acknowledging indebtedness.

Any certificate of interest or participation in profit sharing, whether or not redeemable.

Any transferable share, script, stock, bond, debenture, debenture stock, or other marketable security of a like nature.

Any instrument declared by the SECP to be a security.

**Security Tokens:** These are digital assets that represent traditional securities like equity, debt, or funds. Examples include:

**Tokenized Shares:** Representing ownership in a company.

**Tokenized Bonds/Sukuk:** Representing a debt instrument.

**Revenue-Sharing Tokens:** Giving holders a right to a portion of an entity's future revenues or profits.

**Investment Fund Tokens:** Representing an interest in a collective investment scheme.

**Tokens providing voting rights or dividends:** Indicating corporate governance or profit distribution.

**Utility Tokens (with investment characteristics):** While intrinsically designed to provide access to a product or service, if a utility token is marketed, sold, or structured with a prominent expectation of future profit based on the issuer's efforts (especially during an initial offering), it may be reclassified as a security. The "substance over form" analysis is critical here.

**Certain types of Stablecoins (depending on structure):** While stablecoins are generally intended to maintain a stable value, if they are structured in a way that provides an expectation of profit from their management (e.g., through lending or staking of underlying reserves beyond simple stability mechanisms), or if they represent an interest in a pooled fund, they *could* potentially be deemed securities. However, the SBP's primary concern with stablecoins is their potential use as currency or e-money, and their AML/CFT implications.

**Non-Fungible Tokens (NFTs):** While most NFTs are considered unique digital collectibles, if an NFT is offered as part of an investment scheme with an expectation of profit from the efforts of others (e.g., fractionalized NFTs managed by a central entity, or NFTs linked to future revenue streams), it could potentially fall under the definition of a security.

**Pure Payment/Currency Tokens (e.g., Bitcoin, Ethereum):** Unless part of a specific investment scheme, widely decentralized cryptocurrencies are generally not considered securities by the SECP, but rather digital assets with no legal tender status by the SBP.

**Public Offerings:** Any public offer of a security token would require mandatory registration with the SECP. This involves filing a detailed prospectus, comprehensive disclosures about the issuer, the token, the underlying project, risks, financial statements, and other material information.

**Licensing:** Issuers or intermediaries involved in the offering (e.g., investment banks, brokers) must be appropriately licensed by the SECP.

The Securities Act, 2015, provides for certain exemptions from prospectus requirements, such as:

**Private placements:** Offerings to a limited number of sophisticated investors or institutional investors.

**Small offerings:** Offerings below a certain threshold (if defined by SECP rules).

**Offers to existing security holders:** Under specific conditions.

However, specific exemptions tailored for digital asset security offerings are yet to be fully developed and operationalized.

**Licensed Exchanges:** Trading would need to occur on a licensed stock exchange (e.g., Pakistan Stock Exchange) or a specifically authorized "Digital Asset Exchange" if such an entity were to be licensed by the SECP in the future. No such dedicated "Digital Asset Exchange" for security tokens currently exists.

**Regulatory Oversight:** All trading activities would be under the direct oversight of the SECP, ensuring market integrity, transparency, and fairness.

**Market Conduct Rules:** Adherence to rules against insider trading, market manipulation, and other unfair trading practices.

**AML/CFT & KYC:** Strict compliance with Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) regulations, including Know-Your-Customer (KYC) procedures for all participants.

**Central Depository:** Security tokens, like other securities, might be required to be dematerialized and held in a central depository system (e.g., Central Depository Company of Pakistan Limited).

**State Bank of Pakistan (SBP) Warnings:** The SBP has repeatedly issued circulars and public warnings, advising financial institutions and the public against engaging in transactions involving virtual currencies, stating they are not legal tender and carry significant risks. Financial institutions are prohibited from processing transactions related to virtual currencies.

**Federal Investigation Agency (FIA) Actions:** The FIA, Pakistan's premier investigation agency, has taken action against individuals and entities involved in operating unauthorized cryptocurrency exchanges or alleged crypto scams. These actions are primarily based on unauthorized foreign exchange dealings, fraud, or money laundering, rather than specifically *securities violations* related to tokens.

**Example:** The FIA has investigated and arrested individuals involved in operating peer-to-peer crypto exchanges or alleged investment schemes promising high returns through crypto, branding them as fraudulent or illegal money laundering operations. This demonstrates a willingness to act against *any* unauthorized crypto activity.

**SECP's Cautionary Stance:** While developing the regulatory framework, the SECP itself has issued investor alerts warning against the risks associated with investing in unregulated digital assets.

Accessible via the SECP website or various legal databases.

*Direct Link (SECP source usually reliable):* https://www.secp.gov.pk/laws/securities-laws/ (Look for "Securities Act, 2015")

**SECP's Digital Asset Regulatory Framework / Consultation Paper:**

The SECP issued a consultation paper titled "Proposed Regulatory Framework for Digital Asset Trading Platforms" and other related documents. While a final, fully implemented framework for security tokens is still evolving, these documents outline their approach.

*SECP's dedicated page for "Digital Assets":* https://www.secp.gov.pk/digital-assets/

**State Bank of Pakistan (SBP) Circulars/Press Releases:**

The SBP frequently issues warnings against virtual currencies.

*SBP's main page for press releases/circulars:* https://www.sbp.org.pk/press/index.asp

You would need to search their archives for specific circulars regarding virtual currencies, which have been issued over the years. A prominent one was PR.17/2018-SBP dated April 6, 2018, prohibiting financial institutions from dealing in virtual currencies.

**Anti-Money Laundering Act, 2010 (AMLA 2010):** This is the overarching legislation that criminalizes money laundering and provides the legal basis for AML/CFT measures in Pakistan. It mandates reporting obligations for financial institutions and designated non-financial businesses and professions (DNFBPs).

AMLA 2010 Link (often found on FMU or Ministry of Law & Justice websites) (PDF link to FMU website)

**Anti-Money Laundering (AML) Regulations, 2015:** Issued by the State Bank of Pakistan under the AMLA 2010, these regulations provide detailed guidelines to financial institutions on implementing AML/CFT measures.

SBP AML Regulations 2015 Link (often found on SBP website) (PDF link to SBP website)

**SBP CDD / KYC Regulations, 2022 (BPRD Circular No. 04 of 2022):** This is a critical development. The State Bank of Pakistan, through its Banking Policy & Regulations Department (BPRD), issued comprehensive Customer Due Diligence (CDD) / Know Your Customer (KYC) Regulations, 2022. These regulations explicitly define and include "Virtual Asset Service Providers" (VASPs) as a type of entity that must comply with AML/CFT requirements, effectively bringing them under the regulatory ambit.

**Key Aspect:** These regulations define a VASP, consistent with FATF definitions, and mandate that they adhere to all the CDD/KYC obligations applicable to other financial institutions.

SBP BPRD Circular No. 04 of 2022 (CDD/KYC Regulations, 2022) (PDF link to SBP website)

**Identification and Verification of Customer Identity:**

**Individuals:** Obtain and verify full legal name, date of birth, national identity document (e.g., CNIC for Pakistani nationals, passport for foreigners), current address, contact details, and occupation/source of funds. Verification must be performed using reliable, independent source documents, data, or information.

**Legal Persons/Entities:** Obtain and verify legal name, principal place of business, registration number, articles of association, memorandum of understanding, board resolution, and identification of key management personnel.

**Beneficial Ownership:** Identify and take reasonable measures to verify the identity of the beneficial owner(s) of the customer, including for legal persons, trusts, and other legal arrangements.

**Purpose and Nature of Relationship:** Understand the purpose and intended nature of the business relationship or the specific transaction.

VASPs must adopt a risk-based approach to CDD. This means applying enhanced CDD measures for higher-risk customers, products, services, transactions, or geographic areas.

Factors determining risk include customer type, jurisdiction, type of virtual asset, transaction value/volume, and delivery channels.

Lower risk scenarios may allow for simplified CDD, but never complete exemption.

Regularly scrutinize transactions undertaken throughout the course of the relationship to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile, including, where necessary, the source of funds.

Keep customer identification data and beneficial ownership information up-to-date.

**Politically Exposed Persons (PEPs):** Implement enhanced CDD measures for PEPs, including obtaining senior management approval for establishing business relationships, taking reasonable measures to establish the source of wealth and funds, and conducting ongoing enhanced monitoring.

**Sanctions Screening:** Screen customers and transactions against national and international sanctions lists (e.g., UN Security Council sanctions lists).

**"Travel Rule" (FATF Recommendation 16):** While the SBP CDD/KYC Regulations 2022 implicitly align with FATF standards, explicit guidance on the "Travel Rule" for VASPs (requiring the collection and transmission of originator and beneficiary information for crypto transfers above a certain threshold) may still be developing or need further specific directives. However, as Pakistan adheres to FATF standards, VASPs should anticipate and prepare for full implementation of this rule.

**Trigger:** Any transaction (attempted or completed) that appears unusual, lacks a clear economic or lawful purpose, is inconsistent with the customer's known profile, or raises suspicion of money laundering or terrorist financing.

**Reporting Mechanism:** Reports are filed electronically through the FMU's secure reporting portal.

**"No Tipping Off":** VASPs and their employees are prohibited from disclosing to the customer or any third party that a STR has been or will be filed.

**Customer Records:** All records obtained through CDD procedures, including identity documents, account files, business correspondence, and analysis of transactions.

**Transaction Records:** Records of all transactions, including the amount, currency, date, and details of the parties involved (both originator and beneficiary, where applicable).

**Retention Period:** All records (customer identification data and transaction records) must generally be kept for a minimum period of **five (5) years** after the business relationship has ended or after the date of the transaction.

**State Bank of Pakistan (SBP):**

**Role:** As the central bank, the SBP is the primary regulator for financial institutions and, now explicitly, for VASPs concerning AML/CFT compliance. It issues regulations, guidelines, and directives, conducts off-site and on-site supervision, and enforces penalties for non-compliance.

**URL:** State Bank of Pakistan

**Role:** The FMU acts as Pakistan's Financial Intelligence Unit (FIU). It is responsible for receiving, analyzing, and disseminating suspicious transaction reports (STRs) and currency transaction reports (CTRs) to law enforcement agencies.

**URL:** Financial Monitoring Unit (FMU)

**SBP Circular (January 2018):** The State Bank of Pakistan issued Circular No. 03 of 2018, titled "Prohibition of Dealing in Virtual Currencies/Tokens (VCs/ICTs)." This circular explicitly stated that VCs/ICTs are not legal tender in Pakistan and prohibited all banks, financial institutions, and payment system providers from dealing in, processing, or facilitating transactions involving VCs/ICTs.

The State Bank of Pakistan Circular No. 03 of 2018's prohibition remains in effect, but the Pakistan Virtual Assets Regulatory Authority is actively considering its withdrawal, indicating the policy is no longer settled or dominant.

**Update (2022-2023):** While there have been ongoing discussions and government committees formed to evaluate the possibility of regulating cryptocurrencies, no formal change to the SBP's stance or new legislation has been enacted. Reports in local media suggest that committees involving the Ministry of Finance, Law Ministry, and the SBP have explored various options, including maintaining a ban or developing a regulatory framework, often influenced by FATF recommendations.

Pakistan has enacted the Virtual Assets Act, 2026, which requires all Virtual Asset Service Providers, including cryptocurrency custodians, to obtain a license from the Pakistan Virtual Assets Regulatory Authority (PVARA).

**Segregation of Client Assets Rules:**

No specific rules for the segregation of client digital assets exist. While traditional financial institutions (like banks or brokerages) have strict client asset segregation rules under the relevant banking and securities laws (e.g., Securities Act, 2015, Banking Companies Ordinance, 1962), these do not apply to unregulated digital assets.

There are no mandates for insurance or bonding requirements for digital asset custodians.

No specific mandates or best practices regarding cold storage (offline storage of private keys) for digital assets are prescribed by Pakistani regulators.

The concept of a "qualified custodian" for digital assets is not defined within Pakistan's regulatory framework. The term "qualified custodian" typically refers to institutions meeting specific criteria for safeguarding financial assets, and since cryptocurrencies are not recognized as such for regulatory purposes, no definition applies.

**Government Committees:** Various committees have been formed by the government (e.g., under the Ministry of Finance, sometimes involving the Law Ministry, FIA, SBP, and SECP) to study cryptocurrencies.

**Reports/Recommendations (circa 2022-2023):** Some reports indicated that certain government bodies (like the Law Ministry or SBP) might favor a continued ban, while others might suggest developing a regulatory framework, often to comply with **Financial Action Task Force (FATF)** recommendations concerning Virtual Asset Service Providers (VASPs). Pakistan is under pressure from FATF to strengthen its anti-money laundering and counter-terrorist financing (AML/CFT) regime, which includes regulating virtual assets.

**Reference:** News reports from reputable Pakistani financial media (e.g., Dawn, The News International, Business Recorder) frequently cover these committee meetings and their preliminary recommendations. For example:

**Dawn News (January 2022):** "Govt body wants to ban cryptocurrencies" - https://www.dawn.com/news/1669460 (This indicates the general sentiment, though discussions continue).

Pakistan opted not to buy urgent cargoes of LNG on the spot market, implementing a definitive policy shift rather than an unresolved regulatory consideration.