Pakistan has introduced a comprehensive regulatory framework for Virtual Asset Service Providers under the newly drafted Virtual Asset Service Provider Governance & Operations Regulations 2025. The rules require VASPs to obtain, verify, and maintain detailed information on both originators and beneficiaries for any virtual asset transfer exceeding Rs. 1 million, and to provide the data to authorities upon request. This step represents the country’s most extensive effort yet to regulate digital assets and signals a clear commitment to improving oversight and monitoring of high-value crypto transactions, in line with international anti-money-laundering and counter-financing-of-terrorism standards. Full adherence to the FATF Travel Rule is now mandatory, making transparency a core requirement for Pakistan’s growing digital asset sector.
The regulations establish a broad governance framework covering nearly all virtual asset activities, including brokerage, custody, exchange operations, lending, derivatives, asset management, token issuance, and settlement services. VASPs must implement robust mechanisms to prevent market manipulation, coordinated attacks, and other abuses. This will involve leveraging blockchain analytics and monitoring tools to track all incoming and outgoing transactions, enabling the detection of suspicious patterns and potentially illicit activity. Due diligence on foreign counterparties, management of unhosted wallets, and careful scrutiny of anonymity-enhanced transactions are now compulsory, reflecting an uncompromising approach to risk management and regulatory compliance.
Corporate governance receives significant attention under the new rules. VASPs must maintain complete transparency regarding ownership and provide regulators with a clear chain of control through identification of all ultimate beneficial owners. Any material changes to ownership, control, or governance require prior approval from the Authority, and board members must meet strict Fit and Proper Person standards. Annual evaluations of board performance and committee work are mandatory, along with the establishment of formal conflict-of-interest registers, disclosure protocols, and procedures for board members to recuse themselves when conflicts arise. Statutory information must be accessible to shareholders and the public, including via company websites, reinforcing accountability and governance transparency.
Financial resilience and operational continuity are also central to the regulations. VASPs are required to maintain paid-up capital for each licensed business activity, with 30 percent deposited as security with State Bank of Pakistan, refundable only after closure and settlement of all liabilities. Cross-border outsourcing remains permitted, provided it does not obstruct access to data or regulatory oversight, and contingency plans must ensure critical functions can be restored internally or shifted to alternative providers without disruption. Cybersecurity is heavily regulated, with each VASP mandated to maintain an Authority-approved cybersecurity policy covering access controls, employee vetting, smart-contract audits, client authentication, system monitoring, incident response, vendor risk assessment, and safeguards against ransomware and other cyber threats. Continuous testing and auditing of IT systems, including external integrations, is compulsory to ensure resiliency against evolving cyber risks. This framework positions Pakistan among jurisdictions with detailed oversight and compliance requirements for digital asset service providers.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
