Pakistan -- AML/CFT Compliance Regulatory Overview

Pakistan has been progressively strengthening its anti-money laundering (AML) and combating the financing of terrorism (CFT) framework, largely driven by its commitment to meet the Financial Action Task Force (FATF) recommendations. While the regulatory landscape for cryptocurrencies (virtual assets) has evolved from an initial outright ban to a more structured, albeit cautious, approach, Virtual Asset Service Providers (VASPs) are now explicitly brought under AML/CFT obligations.

The State Bank of Pakistan (SBP) has been instrumental in this shift, particularly with its issuance of detailed Customer Due Diligence (CDD) regulations that include VASPs.

Here's a breakdown of the AML/KYC requirements for VASPs in Pakistan:

AML/CFT Legislation Governing VASPs in Pakistan

The primary legal and regulatory instruments that apply to AML/CFT for VASPs (now recognized as reporting entities) in Pakistan include:

1. Anti-Money Laundering Act, 2010 (AMLA 2010): This is the overarching legislation that criminalizes money laundering and provides the legal basis for AML/CFT measures in Pakistan. It mandates reporting obligations for financial institutions and designated non-financial businesses and professions (DNFBPs).

   • AMLA 2010 Link (often found on FMU or Ministry of Law & Justice websites) (PDF link to FMU website)

2. Anti-Money Laundering (AML) Regulations, 2015: Issued by the State Bank of Pakistan under the AMLA 2010, these regulations provide detailed guidelines to financial institutions on implementing AML/CFT measures.

   • SBP AML Regulations 2015 Link (often found on SBP website) (PDF link to SBP website)

3. SBP CDD / KYC Regulations, 2022 (BPRD Circular No. 04 of 2022): This is a critical development. The State Bank of Pakistan, through its Banking Policy & Regulations Department (BPRD), issued comprehensive Customer Due Diligence (CDD) / Know Your Customer (KYC) Regulations, 2022. These regulations explicitly define and include "Virtual Asset Service Providers" (VASPs) as a type of entity that must comply with AML/CFT requirements, effectively bringing them under the regulatory ambit.

   • Key Aspect: These regulations define a VASP, consistent with FATF definitions, and mandate that they adhere to all the CDD/KYC obligations applicable to other financial institutions.
   • SBP BPRD Circular No. 04 of 2022 (CDD/KYC Regulations, 2022) (PDF link to SBP website)

Customer Due Diligence (CDD) Requirements for VASPs

Based on the AMLA 2010, AML Regulations 2015, and most importantly, the SBP CDD/KYC Regulations, 2022, VASPs are required to implement robust CDD measures, which include:

1. Identification and Verification of Customer Identity:

   • Individuals: Obtain and verify full legal name, date of birth, national identity document (e.g., CNIC for Pakistani nationals, passport for foreigners), current address, contact details, and occupation/source of funds. Verification must be performed using reliable, independent source documents, data, or information.
   • Legal Persons/Entities: Obtain and verify legal name, principal place of business, registration number, articles of association, memorandum of understanding, board resolution, and identification of key management personnel.
   • Beneficial Ownership: Identify and take reasonable measures to verify the identity of the beneficial owner(s) of the customer, including for legal persons, trusts, and other legal arrangements.

2. Purpose and Nature of Relationship: Understand the purpose and intended nature of the business relationship or the specific transaction.

3. Risk-Based Approach:

   • VASPs must adopt a risk-based approach to CDD. This means applying enhanced CDD measures for higher-risk customers, products, services, transactions, or geographic areas.
   • Factors determining risk include customer type, jurisdiction, type of virtual asset, transaction value/volume, and delivery channels.
   • Lower risk scenarios may allow for simplified CDD, but never complete exemption.

4. Ongoing Monitoring:

   • Regularly scrutinize transactions undertaken throughout the course of the relationship to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile, including, where necessary, the source of funds.
   • Keep customer identification data and beneficial ownership information up-to-date.

5. Politically Exposed Persons (PEPs): Implement enhanced CDD measures for PEPs, including obtaining senior management approval for establishing business relationships, taking reasonable measures to establish the source of wealth and funds, and conducting ongoing enhanced monitoring.

6. Sanctions Screening: Screen customers and transactions against national and international sanctions lists (e.g., UN Security Council sanctions lists).

7. "Travel Rule" (FATF Recommendation 16): While the SBP CDD/KYC Regulations 2022 implicitly align with FATF standards, explicit guidance on the "Travel Rule" for VASPs (requiring the collection and transmission of originator and beneficiary information for crypto transfers above a certain threshold) may still be developing or need further specific directives. However, as Pakistan adheres to FATF standards, VASPs should anticipate and prepare for full implementation of this rule.

Suspicious Transaction Reporting (STR)

VASPs, as reporting entities, are legally obligated to report suspicious transactions to the Financial Monitoring Unit (FMU) if they suspect or have reasonable grounds to suspect that funds are the proceeds of a criminal activity or are linked to terrorist financing.

• Trigger: Any transaction (attempted or completed) that appears unusual, lacks a clear economic or lawful purpose, is inconsistent with the customer's known profile, or raises suspicion of money laundering or terrorist financing.
• Reporting Mechanism: Reports are filed electronically through the FMU's secure reporting portal.
• "No Tipping Off": VASPs and their employees are prohibited from disclosing to the customer or any third party that a STR has been or will be filed.

Record-Keeping Obligations

VASPs are required to maintain records for a specified period to assist in investigations and prosecutions of money laundering and terrorist financing.

• Customer Records: All records obtained through CDD procedures, including identity documents, account files, business correspondence, and analysis of transactions.
• Transaction Records: Records of all transactions, including the amount, currency, date, and details of the parties involved (both originator and beneficiary, where applicable).
• Retention Period: All records (customer identification data and transaction records) must generally be kept for a minimum period of five (5) years after the business relationship has ended or after the date of the transaction.

Overseeing Authority for Compliance

The primary authorities overseeing AML/CFT compliance for VASPs in Pakistan are:

1. State Bank of Pakistan (SBP):

   • Role: As the central bank, the SBP is the primary regulator for financial institutions and, now explicitly, for VASPs concerning AML/CFT compliance. It issues regulations, guidelines, and directives, conducts off-site and on-site supervision, and enforces penalties for non-compliance.
   • URL: State Bank of Pakistan

2. Financial Monitoring Unit (FMU):

   • Role: The FMU acts as Pakistan's Financial Intelligence Unit (FIU). It is responsible for receiving, analyzing, and disseminating suspicious transaction reports (STRs) and currency transaction reports (CTRs) to law enforcement agencies.
   • URL: Financial Monitoring Unit (FMU)

Important Note: The regulatory landscape for virtual assets is rapidly evolving globally and in Pakistan. VASPs operating in Pakistan must stay updated with the latest circulars, directives, and legislative amendments issued by the SBP, FMU, and other relevant government bodies. It is highly recommended that VASPs seek independent legal and compliance advice to ensure full adherence to all applicable laws and regulations.