Pakistan is set to introduce some of its most comprehensive digital asset regulations to date, requiring Virtual Asset Service Providers to collect, verify, and maintain detailed information on both the originator and the beneficiary for every virtual asset transfer exceeding Rs. 1 million. Under the newly drafted Virtual Asset Service Provider Governance & Operations Regulations 2025, this information must be provided to the authorities whenever requested, marking a significant step toward stronger oversight of cryptocurrency transactions in the country.
The new regulations signal a clear government intent to tighten monitoring of large-value crypto activity as Pakistan works to align its financial framework with global anti-money-laundering and counter-terror-financing standards. Authorities have also mandated full implementation of the FATF Travel Rule, effectively making transparency an essential requirement for participation in the country’s growing digital asset space.
The framework introduced under the 2025 regulations is expansive, covering almost every type of virtual asset business. Brokerage services, custody operations, exchanges, lending platforms, derivatives, asset management, token issuance, and settlement services will now be subject to strict rules and oversight. According to the draft, organizations operating in the digital asset sector must adopt strong mechanisms to detect and prevent market manipulation, coordinated attacks, and system abuse.
To help enforce these protections, VASPs will be required to use blockchain analytics, monitoring tools, and other tracking technologies to analyze all incoming and outgoing transactions. This level of visibility will enable firms to detect suspicious behavior and highlight patterns linked to criminal activity, providing regulators with better safeguards across the digital ecosystem.
The government has emphasized that due diligence obligations are no longer optional. Pakistani and foreign counterparties dealing in virtual assets must undergo strict assessment, and additional scrutiny will apply to unhosted wallets and anonymity-enhanced transactions. A major portion of the new rulebook is dedicated to corporate governance, reflecting an effort to strengthen management transparency and accountability among VASPs.
Under the regulations, VASPs must maintain full transparency regarding ownership and provide regulators with a clear chain of control, including the identification of all ultimate beneficial owners. Any major change in ownership, control, or governance will require prior approval from authorities. Members of company boards will have to meet strict Fit and Proper Person standards, and boards will be required to conduct yearly performance evaluations of themselves and their committees.
Stronger conflict-of-interest controls are also being made mandatory. Companies must keep formal conflict registers, disclose conflicts openly, and ensure that board members recuse themselves whenever required. Additionally, statutory company information must be accessible to shareholders and the public, including through official websites.
Financial resilience forms a key pillar of the new framework. VASPs will need to maintain paid-up capital for each licensed activity, with 30 percent of that amount deposited as security with the State Bank of Pakistan. This security will only be refunded upon closure of business operations and complete settlement of liabilities. While cross-border outsourcing will still be allowed, regulators have clarified that it must not obstruct access to data or hinder supervisory oversight. Firms must also keep contingency plans to ensure that key functions can be brought back in-house or shifted to alternate vendors without operational disruption.
Cybersecurity emerges as one of the most heavily regulated sections in the new rules. Each VASP must adopt an Authority-approved Cybersecurity Policy that is updated annually. The policy must address access controls, employee vetting procedures, smart-contract auditing, authentication methods, system monitoring, incident response, vendor-related risks, and both physical and digital protections against cyber threats. Regular testing and auditing of IT systems, including externally integrated platforms, will be mandatory to keep up with evolving cyber risks.
Pakistan’s new regulatory approach marks a decisive shift in how the country governs digital assets, placing transparency, security, and accountability at the forefront of crypto operations as it prepares for a more structured and compliant digital financial future.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
