For every virtual asset transfer of more than Rs. 1 million, Virtual Asset Service Providers (VASPs) in Pakistan will be required to obtain, verify, and maintain detailed information on the originator and the beneficiary, and provide the information to the authorities upon request.
The increased verification requirement is the government’s newly drafted Virtual Asset Service Provider Governance & Operations Regulations 2025, the most far-reaching attempt so far by the country to regulate digital assets.
The rule indicates a definitive inclination toward better tracking of large-value crypto transactions as Pakistan attempts to align its financial controls with international anti-money-laundering and counter-terror-financing norms.
Authorities have also made full adherence to the FATF Travel Rule mandatory, making transparency a requirement in the country’s growing digital asset space.
The regulations also introduce an expansive framework that regulates nearly every conceivable activity in virtual assets: brokerage, custody, exchange operations, lending, derivatives, asset management, the issuance of tokens, and settlement services.
Such organizations must put in place rigorous mechanisms to avoid market manipulation, coordinated attacks, and other forms of system abuses, the rules stated.
This will involve the use of blockchain analytics and tracking tools for firms to monitor all incoming and outgoing transactions, which will enable them to detect suspicious patterns and flag activity linked to criminal behavior, said the regulations.
The government has made it clear that due diligence on foreign counterparties, management of unhosted wallets, and scrutiny regarding anonymity-enhanced transactions are no longer optional. Much of the rulebook is taken up with corporate governance.
VASPs should be fully transparent about their ownership and be able to provide regulators with an unmistakable chain of control through the identification of all ultimate beneficial owners. Any significant change to ownership, control, or governance is subject to prior approval by the Authority. Members of the boards must meet strict “Fit and Proper Person” standards, the rules added.
All boards must conduct annual performance evaluations of their work and that of their committees.
The government has also stressed the imperative of stronger conflict-of-interest controls by making sure companies maintain formal conflict registers, disclose conflicts, and have board members recuse themselves whenever necessary.
The statutory information has to be made available to shareholders and the public, including through company websites.
Financial resilience forms another core element of the reforms. VASPs are to maintain paid-up capital for each licensed business activity, and 30 percent of that will be deposited as security with the State Bank of Pakistan. This will only be refunded once a business closes operations and confirms that all liabilities have been cleared.
Cross-border outsourcing remains permissible, but regulators insist that it must not obstruct access to data or impede supervisory oversight. Firms are to maintain contingency plans ensuring that critical functions can be brought back in-house or shifted to alternate providers without disruption.
“Arguably, cybersecurity becomes the most heavily regulated domain under the new framework. Each VASP must have an Authority-approved Cybersecurity Policy that shall be reviewed and updated annually. Such a policy shall cover everything from access controls and employee vetting to smart-contract auditing, client authentication, system monitoring, incident response, vendor risk assessment, and physical and digital safeguards against ransomware and other forms of cyber threats. The continuous testing and auditing of IT systems, including external integrations, will be compulsory for resiliency against evolving cyber risks,” the regulations stated.
