Pakistan Virtual Asset Regulatory Tracker

Pakistan's virtual asset regulatory landscape is moving quickly. The Virtual Assets Act 2026 established the Pakistan Virtual Asset Regulatory Authority (PVARA) as the country's dedicated regulator for virtual asset service providers, and a set of secondary rules, supervisory guidance and adjacent policy work continues to build the operating regime around it. For firms planning to enter the market — or already in it — keeping track of what has been issued, what is in draft, who is active in sandbox and where enforcement has landed is not a once-a-year exercise. This tracker consolidates the picture as at publication and will be refreshed quarterly.

Last refreshed: Q2 2026. Next scheduled refresh: Q3 2026.

This is a living document. If you spot a development we have missed, let us know.

Five authorities matter for a Pakistani virtual asset firm. Understanding the perimeter of each — and the seams between them — is the starting point for any compliance programme.

Pakistan Virtual Asset Regulatory Authority (PVARA). The primary regulator for Virtual Asset Service Providers under the Virtual Assets Act 2026. PVARA licences and supervises firms carrying on virtual asset activities as a primary business, including exchanges, custodians, brokers, transfer service providers and issuers. PVARA also operates a regulatory sandbox for products that benefit from supervised live testing. Our PVARA licensing guide walks through the authorisation architecture, and our PVARA sandbox guide covers the sandbox route.

State Bank of Pakistan (SBP). The central bank, monetary authority and payment systems regulator. The SBP regulates banks, Electronic Money Institutions, Payment System Operators and Providers and the Raast instant payment system. Its intersection with virtual asset activity is mostly at the fiat leg — the banking relationships, payment rails and foreign exchange framework that move PKR in and out of virtual asset platforms. Our State Bank digital payments piece covers the payments side.

Securities and Exchange Commission of Pakistan (SECP). The securities and non-bank financial sector regulator. SECP's interest in virtual assets is primarily where tokenised instruments fall on the securities side of the line — tokenised T-Bills, tokenised equity, tokenised funds — and where non-bank financial companies want to engage with virtual asset products. The PVARA-SECP perimeter is one of the more nuanced boundary questions in the regime.

Financial Monitoring Unit (FMU). Pakistan's financial intelligence unit, responsible for receiving, analysing and disseminating suspicious transaction reports. Licensed VASPs file suspicious transaction reports with the FMU, and the FMU's typologies and guidance shape monitoring expectations across the sector.

Federal Board of Revenue (FBR). The tax authority. The FBR's interest in virtual assets covers direct and indirect taxation on user gains, issuer revenues and cross-border flows. Tax treatment of virtual asset transactions continues to evolve, and firms should treat tax guidance as a moving target rather than settled law.

The seams between these authorities are where most boundary questions arise. Is a tokenised T-Bill a virtual asset (PVARA) or a security (SECP), or both? Is a PKR-denominated stablecoin a virtual asset (PVARA) or a payment instrument (SBP), or both? Is a wallet product that holds both PKR and virtual assets a single licensed entity or a two-regulator structure? The honest answer is that these seams are being worked out, and firms operating across them should maintain active dialogue with each relevant authority rather than assume a single point of contact will resolve cross-perimeter questions.

The Virtual Assets Act 2026 is the primary statutory basis for PVARA's existence and powers. At a high level, it:

• Establishes PVARA as an independent statutory authority
• Defines virtual assets and virtual asset service providers on a technology-neutral, activity-based basis
• Introduces a licensing requirement for VASPs carrying on activities in or targeting Pakistan
• Gives PVARA rule-making, supervisory, inspection and enforcement powers
• Establishes the sandbox framework as a structured route to market
• Integrates virtual asset activity into Pakistan's anti-money laundering and counter-terrorism financing regime

The Act is deliberately framework-level. The substantive operating rules — capital, governance, technology, conduct, reporting — come through PVARA's secondary rulebook, which continues to evolve. Firms should assume that the rulebook will iterate and should design compliance architecture to absorb changes without major rework.

PVARA's sandbox and authorisation pipelines are the most visible signals of where the market is heading.

Sandbox. Since opening, PVARA's sandbox has attracted interest across a predictable set of product categories: exchanges with fiat on-ramp, regulated custody, tokenisation platforms (notably for Pakistani government securities), stablecoin design work, and cross-border remittance products with a virtual asset leg. Admission to the sandbox is by application, with activity, volume and client caps defined per applicant. The transition path from sandbox to full authorisation is the intended arc for most admitted firms.

Full authorisation. The full-authorisation pipeline is concentrated among firms with mature operating histories elsewhere — regional or international exchanges, spinouts from licensed banks, and institutional custody providers. The substantive expectations (capital, governance, technology, conduct) are set at the full-regime standard, with credit given for operating history and evidenced controls.

Specific programmes. The Virtual Assets Act and subsequent government engagement have also signalled specific programmes of interest. The much-reported memorandum of understanding between Pakistan and Binance around tokenised government securities indicates official support for tokenisation of sovereign instruments; the specifics of any live issuance will be subject to the standard regulatory architecture.

Firms considering entry should treat the sandbox as a credible route rather than a detour. The operational discipline developed in-sandbox becomes the evidence base for full authorisation.

Cohort themes. Across both sandbox and full-authorisation pipelines, three themes are visible in the applicant mix. The first is an on-ramp and custody cluster: firms building regulated PKR on-ramp with spot virtual asset services and custody. The second is a tokenisation cluster: firms building platforms to issue or distribute tokenised Pakistani instruments, particularly sovereign debt. The third is a cross-border cluster: remittance and transfer products that use virtual asset infrastructure as a settlement layer between sending and receiving jurisdictions. Each cluster has its own compliance centre of gravity, and PVARA's supervisory posture is differentiating accordingly.

Virtual asset regulation in Pakistan layers onto a pre-existing AML framework rather than replacing it.

AML and CTF. VASPs are subject to the standard customer due diligence, transaction monitoring, sanctions screening and suspicious transaction reporting obligations. Risk-based CDD is the default, with enhanced due diligence for higher-risk clients, counterparties and products. The FMU is the filing destination for STRs.

Travel Rule. The Travel Rule applies to virtual asset transfers between VASPs. Originator and beneficiary information must be transmitted in a standardised format, with defined treatment for transfers to unhosted wallets and to counterparties in non-participating jurisdictions. Firms building virtual asset transfer infrastructure should treat Travel Rule as a technical build from day one. Our Travel Rule service covers the implementation.

Identity. NADRA, Pakistan's national identity database, provides the cryptographic identity backbone. Licensed VASPs can build KYC workflows that anchor on NADRA rather than on document-capture workflows, which raises control quality and reduces onboarding fraud. Our NADRA-backed KYC is designed for this integration.

Enforcement in Pakistan's virtual asset regime is at an early stage, as the regime itself is new. The enforcement themes that tend to matter in any emerging VASP regime — and that firms should expect to be salient — are unauthorised virtual asset activity directed at Pakistani residents, AML and Travel Rule failures, consumer protection failures (notably misleading promotion of virtual asset products to retail), operational incidents with client harm, and cross-border flows without adequate controls.

Firms should also pay attention to adjacent enforcement elsewhere in Pakistan's financial sector, because supervisory posture in banking, EMI and payments has a habit of carrying over into virtual assets. Decisions on AML failures in banks, consumer-protection failings in digital wallets and operational failings in payment systems give clues to how PVARA will calibrate its own enforcement.

We will track material PVARA enforcement decisions in future refreshes of this tracker.

Pakistan's regulatory architecture is being built in conscious dialogue with international standards rather than in isolation.

FATF. Pakistan is a Financial Action Task Force jurisdiction, and the FATF's standards on virtual assets — Recommendation 15, the Travel Rule, risk-based supervision — are the baseline that PVARA's AML architecture is built to. Firms with cross-border activity should assume FATF alignment as the default.

IOSCO and BIS. IOSCO principles on crypto and digital asset markets, and BIS commentary on stablecoins and tokenisation, provide the background standards that Pakistani regulators draw on when designing conduct and prudential rules. Firms that build to international best practice will find Pakistani compliance straightforward; firms that build to a local-minimum posture will find it harder.

Regional peers. The GCC region's regulatory frameworks — the UAE's VARA, Dubai's DFSA and ADGM's FSRA — are natural reference points for PVARA, both because of regulatory proximity and because of the remittance and commercial links between Pakistan and the GCC. Convergence rather than full alignment is the realistic expectation: Pakistani rules will resemble the best-developed regional regimes on the substantive questions, with local adjustments for Pakistani market structure.

Cross-border coordination. Memoranda of understanding between PVARA and foreign regulators are likely to expand over time, particularly for corridors where cross-border virtual asset activity is material. This matters for firms running products across Pakistan and another jurisdiction: the more cross-border regulatory coordination exists, the smoother the operating model.

For firms preparing to enter or already operating in the Pakistani virtual asset market, a short checklist captures the essentials. Regulatory mapping should be a live document that is reviewed quarterly rather than a one-off exercise at licensing. AML and Travel Rule controls should be operated and evidenced, not merely documented. Identity verification should be anchored on NADRA where the client is a Pakistani resident. Client asset segregation should be a property of the infrastructure, not a claim in a policy document. Reporting infrastructure should produce supervisory outputs from the system of record rather than from manual aggregation. Incident notification protocols should be rehearsed, not improvised. Finally, a designated senior person should own the relationship with each relevant authority, with internal escalation paths that work in practice.

Firms that operate to this standard will find Pakistani supervision manageable. Firms that do not will find it difficult, and the difficulty will show up at the worst possible moment — typically during a material incident, when the supervisor's tolerance for gaps is at its lowest.

Keeping up with a moving regulatory regime requires a dedicated internal process. The firms that manage this best tend to run a quarterly regulatory review led by the chief compliance officer, which takes each active regulatory development, maps it to the firm's activities and controls, and produces a small number of concrete change-requests with owners and deadlines. This review feeds into the firm's risk committee and is evidenced in meeting minutes that supervisors can sample.

A lighter-weight parallel process covers draft or consultation-stage developments — the guidance that has been trailed but not yet issued. Here the objective is not immediate change but preparedness: ensuring the firm is not caught by a final rule that moves in a direction it did not anticipate. Formal consultation responses, filed either directly or through industry associations, are a second-order benefit of this process: they make the firm visible to supervisors as a constructive participant in rule development.

For the Q3 2026 refresh, the developments we will be tracking include: finalisation of PVARA secondary rules on capital, technology and conduct; specific stablecoin guidance from PVARA and the SBP; early sandbox graduations to full authorisation; any live tokenisation issuance of Pakistani government securities; updates to the Travel Rule operational expectations; and material enforcement actions.

If you want this tracker in your inbox as it refreshes, or if you want to be flagged when a specific development lands, contact Bridge with your area of interest. See also our Pakistan hub and the PVARA licensing guide for deeper dives.