The government has introduced a comprehensive framework aimed at tightening oversight of digital assets and aligning Pakistan’s financial system with international anti-money laundering and counter-terror financing standards.
According to reports, under the Virtual Asset Service Provider Governance & Operations Regulations 2025, Virtual Asset Service Providers (VASPs) will be required to obtain, verify and maintain detailed information of both the originator and beneficiary for every transaction exceeding Rs1 million.
This data must be made available to authorities upon request. Full compliance with the Financial Action Task Force (FATF) Travel Rule has also been made mandatory, reinforcing transparency in the country’s growing crypto sector.
The regulations cover nearly all aspects of virtual asset activity, including brokerage, custody, exchange operations, lending, derivatives, asset management, token issuance and settlement services. VASPs must deploy blockchain analytics and monitoring tools to detect suspicious patterns, prevent market manipulation and flag activity linked to criminal behavior.
Corporate governance is a central focus of the framework. VASPs must disclose ultimate beneficial ownership, seek prior approval for changes in control and ensure board members meet strict “Fit and Proper Person” standards.
Boards will be required to conduct annual performance evaluations, maintain conflict-of-interest registers and make statutory information publicly accessible.
Financial resilience measures include maintaining paid-up capital for each licensed activity, with 30 percent deposited as security with the State Bank of Pakistan. This deposit will only be refunded once operations cease and liabilities are cleared. Cross-border outsourcing remains permissible, but firms must ensure regulators retain access to data and oversight.
Cybersecurity has emerged as one of the most heavily regulated domains under the new framework. Each VASP must adopt an Authority-approved cybersecurity policy, reviewed annually, covering access controls, employee vetting, smart-contract auditing, client authentication, system monitoring, incident response, vendor risk assessment and safeguards against ransomware. Continuous testing and auditing of IT systems, including external integrations, will be compulsory to ensure resilience against evolving threats.
The regulations mark Pakistan’s most ambitious attempt yet to regulate digital assets, signaling a decisive move toward stricter compliance and transparency in the sector.