Pakistan is preparing to enforce a significant shift in its oversight of digital assets, introducing mandatory requirements for Virtual Asset Service Providers to collect, verify, and maintain detailed information about both the originator and the beneficiary for every virtual asset transfer exceeding Rs. 1 million. This provision forms part of the newly drafted Virtual Asset Service Provider Governance & Operations Regulations 2025, which represent the country’s most extensive attempt to regulate the crypto sector and align it with global compliance standards.
The new rules underline the state’s intent to bring stronger visibility and discipline to high-value crypto activity. According to the draft, the regulations are designed to strengthen Pakistan’s alignment with international anti-money-laundering and counter-terror-financing rules. As part of this framework, authorities have made compliance with the FATF Travel Rule mandatory for all VASPs, establishing transparency as a foundational requirement for digital asset operations in the country.
The regulatory package outlines a comprehensive framework covering almost every function linked to virtual assets. Activities such as brokerage, custody services, exchange operations, lending, digital asset derivatives, asset management, token issuance, and settlement services will now be subject to detailed operational requirements. The regulations state that digital asset firms must implement robust measures capable of identifying and preventing market manipulation, coordinated malicious activity, and other system risks.
To support these obligations, VASPs will be required to adopt blockchain analytics tools, transaction-monitoring systems, and tracking technologies that allow detailed scrutiny of all inflows and outflows. This level of monitoring is intended to help firms detect suspicious transactions and identify activity associated with criminal networks or financial misconduct.
The government has also emphasized that due diligence on foreign counterparties, oversight of unhosted wallets, and scrutiny of anonymity-enhanced transactions must no longer be treated as optional. A substantial part of the regulatory text focuses on corporate governance standards intended to reinforce transparency, accountability, and responsible management within the sector.
Under these rules, VASPs must disclose full ownership structures and provide regulators with a complete chain of control that clearly identifies all ultimate beneficial owners. Any significant alteration in ownership, governance, or managerial control will require prior regulatory approval. Board members must meet strict Fit and Proper Person criteria, and annual evaluations of board performance and committee functioning will become mandatory.
The regulations introduce stronger expectations around conflict-of-interest management as well. Firms will be required to maintain formal conflict registers, disclose any conflicts that arise, and ensure that board members step aside from decision-making processes when conflicts are identified. Additionally, statutory information must be made easily accessible to shareholders and the public, including through company websites.
Financial stability forms another central part of the new framework. VASPs must maintain paid-up capital for each licensed business activity, and 30 percent of this capital will be deposited with the State Bank of Pakistan as security. This deposit will be released only after a company shuts down operations and confirms that all outstanding obligations have been cleared. While cross-border outsourcing will remain permitted, regulators insist that it must not limit access to data or weaken supervisory control. Firms will also need contingency arrangements allowing them to shift critical services back in-house or to alternative providers without operational disruption.
Cybersecurity stands out as one of the most heavily regulated domains under the new system. Each VASP must adopt an Authority-approved Cybersecurity Policy that will undergo annual review and updates. The policy will need to address access controls, employee screening, smart-contract reviews, client authentication, network monitoring, incident response systems, vendor risk evaluation, and defenses against cyber threats including ransomware. Continuous testing and auditing of IT systems, including third-party integrations, will become compulsory to ensure resilience against evolving digital risks.
These reforms signal Pakistan’s move toward a tightly governed digital asset landscape, prioritizing transparency, security, and structural integrity as crypto adoption and activity continue to grow in the country.
Follow the PakBanker Whatsapp Channel for updates across Pakistan’s banking ecosystem.