Pakistan has enacted one of the most comprehensive virtual asset regulatory frameworks in South Asia. The Virtual Assets Act, 2026 establishes the Pakistan Virtual Assets Regulatory Authority (PVARA) — a dedicated, autonomous body empowered to license, regulate, and supervise all Virtual Asset Service Providers (VASPs) and token issuers operating in or from Pakistan.
Whether you run a crypto exchange, a stablecoin issuer, a DeFi lending protocol, or a virtual asset custody business, this Act directly affects you. This guide covers everything you need to know: what is regulated, how to get licensed, what compliance obligations apply, and what happens if you don’t comply.
What Is the Virtual Assets Act, 2026?
The Virtual Assets Act, 2026 is Pakistan’s primary legislation governing Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs). Passed by the National Assembly, the Act came into force immediately and replaces the Virtual Assets Ordinance, 2025.
The Act’s core objectives are:
- Investor protection — safeguarding customers and market integrity through enforceable conduct standards
- AML/CFT/CPF compliance — aligning Pakistan’s virtual asset sector with FATF Recommendations
- Innovation enablement — providing a regulatory sandbox and licensing framework that allows compliant businesses to operate
- Blockchain adoption — governing and promoting the use of Distributed Ledger Technology (DLT) across Pakistan
- Global competitiveness — attracting international virtual asset businesses to base operations in Pakistan
Key point for existing operators: Any business providing Virtual Asset Services before the Act’s commencement has six months to apply for a PVARA licence or must cease operations (Section 70).
What Is a Virtual Asset Under Pakistani Law?
Under Section 3(xxxi) of the Act, a Virtual Asset means:
A digital representation of value that can be digitally traded or transferred and used for payment or investment purposes.
Importantly, Virtual Assets are not legal tender in Pakistan.
The definition excludes digital representations of fiat currency, securities, or other financial assets regulated under existing laws — unless those assets are represented, issued, or transferred using DLT.
What Is NOT a Virtual Asset
The Act is careful to carve out assets that fall outside PVARA’s jurisdiction:
| Category | Condition for Exclusion |
|---|---|
| Closed-ecosystem tokens | Must be usable only within a restricted platform, non-transferable externally, and not exchangeable for fiat or tradeable on secondary markets |
| Securities and derivatives | Already regulated by SBP or SECP |
| Central bank digital currencies | Issued by any central bank or monetary authority |
| Pure NFTs | Not used for payment or investment; does not reference a regulated instrument |
| Digital collectibles | Where substance, function and economic effect confirm it is not a Virtual Asset |
The Substance-Over-Form Principle
PVARA classifies assets based on economic function and real-world effect — not labels. Calling your token a “utility token,” “collectible,” or “governance token” does not automatically exempt it from regulation. PVARA has explicit power under Section 9(f) to assess any asset, service, or offering based on its substantive features, irrespective of the name given to it.
This principle mirrors the approach taken by regulators in other leading jurisdictions. For context on how global virtual asset frameworks handle classification, see our Ultimate Guide to VASP Compliance: Global AML/CTF/PF Standards.
Who Does the Act Apply To?
The Act applies to two categories of person (Section 2):
- Virtual Asset Service Providers (VASPs) — any person who, as a business, provides one or more Virtual Asset Services to third parties on a professional basis, in or from Pakistan.
- Issuers — any legal person that offers, originates, or distributes, on its own behalf, a Virtual Asset in or from Pakistan.
Extraterritorial Reach
The Act has extraterritorial application. PVARA can exercise enforcement powers beyond Pakistan’s borders. It may enter international cooperation arrangements with foreign regulators and will prescribe — by Regulations — the conditions under which a Virtual Asset Service conducted outside Pakistan will be deemed to be offered or marketed to persons in Pakistan (Section 4).
If your business targets Pakistani users from abroad, you may fall within scope. Businesses already exploring virtual asset licensing in neighbouring jurisdictions should note that Pakistan’s regime now sits alongside the UAE’s crypto regulatory framework, DFSA licensing for fintech payment institutions, and the EU’s MiCA regulation as one of the more comprehensive dedicated VASP frameworks globally.
What Activities Require a PVARA Licence?
Section 18 and Schedule I of the Act define ten categories of regulated Virtual Asset Services. Any business carrying on these activities in or from Pakistan without a valid PVARA licence is committing a criminal offence.
The 10 Regulated Virtual Asset Services
1. Advisory Services Provision of personalised investment recommendations to specific customers relating to Virtual Asset transactions — taking into account that customer’s individual circumstances, objectives, risk profile, or financial situation. General market research, non-individualised commentary, or educational content does not qualify as advisory services.
2. Broker-Dealer Services Arranging or facilitating purchase and sale orders for Virtual Assets between parties; soliciting or accepting orders; proprietary trading using customer assets; market-making using Customer Assets; or providing placement or distribution services for Issuers acting as intermediaries.
Note: A person dealing solely on its own account, without executing orders for customers and without holding or controlling Customer Assets, is exempt from broker-dealer licensing.
3. Custody and Administration Services Safekeeping or administration of Virtual Assets — or of private cryptographic keys and other means of access — on behalf of customers and pursuant to their instructions. This does not include providers of mere software or hardware that enables customers to retain exclusive control of their own private keys (i.e., self-custody wallet providers are not caught).
4. Exchange Services Exchanging Virtual Assets for fiat currency; exchanging one type of Virtual Asset for another; matching buyers and sellers and executing conversions; or maintaining an order book for these purposes.
5. Lending and Borrowing Services Facilitation, arrangement, intermediation, or direct provision (as principal) of lending or borrowing arrangements involving Virtual Assets — where Virtual Assets are transferred to borrowers subject to a contractual obligation to return equivalent assets plus agreed interest or fees.
6. Virtual Asset Derivatives Services Offering, facilitating, executing, clearing, trading, or arranging transactions in derivatives — including futures, options, swaps, contracts for difference, or similar instruments — where the underlying reference asset is a Virtual Asset or basket of Virtual Assets.
7. Virtual Asset Management and Investment Services Acting in a fiduciary or agency capacity to manage or administer another person’s Virtual Assets — including discretionary portfolio management and discretionary staking on behalf of customers to earn validator or network rewards.
8. Virtual Asset Transfer and Settlement Services Transfer, transmission, or settlement of Virtual Assets between parties or between wallet addresses, on behalf of customers. This excludes exchange execution (which is captured under Exchange Services).
9. Virtual Asset Issuance Services Creation, issuance, initial offering, administration, and ongoing management of Virtual Assets — including supply control, reserve management, redemption, governance, and required disclosures.
10. Mining-Related Virtual Asset Services Mining activities that provide services to third parties involving customer virtual assets or funds. Pure mining for own account does not require a licence. Licensing obligations apply only where third-party customer assets or funds are involved.
The PVARA Licensing Process: Step by Step
Obtaining a PVARA licence is a two-stage process. No Virtual Asset Service may be carried on in or from Pakistan without completing both stages.
Stage 1: No-Objection Certificate (NOC)
Before incorporating a company to carry on Virtual Asset Services, you must first obtain a No-Objection Certificate (NOC) from PVARA (Section 19(1)).
How to apply:
- Submit an application to PVARA in the prescribed form
- Provide the prescribed information and pay the prescribed fee
- PVARA reviews the application against the Act’s objectives and market integrity requirements
Outcome: PVARA may grant the NOC (with or without conditions) or refuse, providing written reasons. You cannot incorporate your company until the NOC is granted.
Stage 2: Full Licence Application
Following successful incorporation, submit a full licence application to PVARA (Section 19(4)).
Required documents and information:
- The prescribed (non-refundable) application fee
- All information and documentation prescribed or required by PVARA — including corporate documents, business plan, ownership structure, AML/CFT framework, key personnel details, and IT/cybersecurity documentation
Outcome: PVARA may:
- Grant a full licence (with conditions)
- Grant a provisional or limited-scope licence on a case-by-case basis
- Refuse the application with written reasons
Provisional licensing: PVARA can grant provisional or limited-scope licences (Section 21(2)), which may be particularly relevant for sandbox participants or businesses launching novel products.
A strong application package will include a well-structured regulatory business plan demonstrating how your business model maps to the licensed activities and satisfies PVARA’s risk appetite. Applicants should also review our guide on how to get a virtual asset licence in Pakistan for additional guidance on the pre-application preparation process.
The Public Licensee Register
PVARA maintains a publicly accessible register of all licensees on its official website, showing name, licence number, permitted services, and current regulatory status (Section 21(4)). Checking this register before engaging with any VASP is advisable for customers and counterparties.
Fit-and-Proper Requirements
The fit-and-proper assessment is among the most significant aspects of the licensing process — and it is a continuing obligation, not a one-time check.
Who Is Assessed
PVARA directly assesses the following (Section 20(1)):
- Controllers — persons holding 20% or more of voting power, ownership interest, or share capital, or who otherwise exercise significant influence over management or policies
- Sponsors — contributors of initial capital or persons holding a controlling shareholding
- Chief Executive Officers
- Directors (executive and non-executive)
The licensee itself is responsible for assessing and maintaining the fitness and propriety of all other Key Individuals, which the Act defines to include:
| Role | Fit-and-Proper Applies |
|---|---|
| Managing Director | Yes |
| Chief Financial Officer | Yes |
| Chief Operating Officer | Yes |
| Head of Internal Audit | Yes |
| Head of Compliance | Yes |
| MLRO / AML/CFT/CPF Compliance Officer | Yes |
| Head of Risk Management | Yes |
| Head of Information Security / Cybersecurity | Yes |
| Any other position designated by PVARA | Yes |
Key Rules
- Continuing obligation — any person subject to fit-and-proper criteria must notify PVARA of any matter that may affect their fitness and propriety (Section 20(4))
- Pakistan-resident requirement — every licensee must ensure at least one Key Individual ordinarily resident in Pakistan holds operational and decision-making authority (Section 20(6))
- Corporate controllers — PVARA will assess the corporate behaviour, integrity, and track record of corporate controllers and their ultimate beneficial owners (Section 20(5))
- Consequence of failure — PVARA may refuse, suspend, or revoke a licence where any Controller, Sponsor, or Key Individual fails to meet fit-and-proper criteria (Section 20(3))
The MLRO role deserves particular attention here. The MLRO/AML Compliance Officer is designated as a Key Individual under the Act and must satisfy fit-and-proper criteria on a continuing basis. For businesses unfamiliar with structuring this function, our guide on AML compliance officer roles and responsibilities sets out what regulators expect. Many early-stage VASPs also consider outsourced MLRO services as a cost-effective path to meeting this requirement.
Ongoing Obligations for Licensees
Once licensed, VASPs must satisfy a comprehensive set of ongoing obligations under Chapter 4 and Section 22 of the Act.
Financial Requirements
- Maintain the prescribed minimum paid-up capital, liquid assets, and financial resources at all times
- PVARA may impose higher requirements based on category, size, complexity, or risk profile
- Additional liquidity, margin, risk-based capital, or reserve requirements may be set by Regulations
- Conditional or risk-based exemptions may be available for limited-scope or low-risk licensees
Customer Asset Segregation
This is one of the Act’s most critical provisions — and its protections are absolute:
- Customer Assets (both Virtual Assets and fiat balances) must be held in segregated accounts separate from the licensee’s own assets at all times (Section 24(1))
- Customer Assets are ring-fenced in insolvency — they do not form part of the licensee’s estate in any insolvency or liquidation (Section 24(2))
- Licensees owe a fiduciary duty to customers and must act honestly, fairly, and in customers’ best interests
- Licensees must not rehypothecate, lend, pledge, or encumber Customer Assets without the customer’s explicit, informed, and revocable written consent (Section 24(4))
Custody and Proof-of-Reserves
- Licensees providing custody services must ensure secure custody, protect against unauthorised access, and maintain robust disaster-recovery and business-continuity arrangements (Section 26)
- Cryptographic proof-of-reserves, reconciled against customer liabilities, must be furnished to PVARA at prescribed intervals (Section 27(1))
- Annual audit by a firm of Chartered Accountants approved by the Division concerned, including verification of customer asset segregation (Section 27(2))
Regulatory and Reporting Obligations
- Submit periodic returns, reports, and audited financial statements
- Obtain PVARA’s prior approval for any material change in control or business
- Maintain risk-management, compliance, and cybersecurity systems in accordance with all applicable requirements — including PVARA’s prescribed technical standards; our 2025 guide to building robust cybersecurity compliance plans is a useful framework reference
- Pay applicable supervision, renewal, and other prescribed fees
Building and maintaining the documentation infrastructure to support these obligations is non-trivial. For a broader view of what a well-structured compliance programme looks like end-to-end, see The Complete AML Programme Blueprint. The annual audit requirement also means VASPs should understand what an AML audit involves and how to prepare for independent review. Businesses should also assess whether their existing AML risk assessment adequately reflects the specific risks of their virtual asset activities.
AML, CFT and CPF Compliance for VASPs
Chapter 8 of the Act integrates Pakistan’s virtual asset sector into its broader anti-financial crime framework, directly tying it to the Anti-Money Laundering Act, 2010.
VASPs Are Financial Institutions
Under Section 46, all VASPs licensed under the Act are deemed to be financial institutions for the purposes of the AML Act. This means the full range of AML Act obligations applies directly, including customer due diligence (CDD), enhanced due diligence (EDD) for high-risk customers, and suspicious transaction reporting.
For a foundational understanding of what these obligations entail, see our comprehensive guide to understanding AML compliance.
Core AML/CFT/CPF Obligations
Every VASP and Issuer must:
- Report suspicious transactions to the Financial Monitoring Unit (FMU) in accordance with the AML Act and associated rules and guidelines
- Maintain comprehensive records of CDD, transactions, and all other relevant information for the period prescribed (no less than the AML Act minimum)
- Appoint an MLRO/AML Compliance Officer — an individual designated as the Money Laundering Reporting Officer or equivalent AML/CFT/CPF compliance officer (this is also a Key Individual for fit-and-proper purposes)
- Establish and maintain internal controls and compliance programmes to prevent money laundering, terrorist financing, and proliferation financing — aligned with international standards including 6AMLD where applicable to cross-border operations
The Travel Rule (Section 47)
The Act implements the FATF Travel Rule for Virtual Asset transfers. Licensees must obtain, hold, and transmit originator and beneficiary information for any Virtual Asset transfer at or above the threshold prescribed by PVARA — consistent with FATF Recommendations as updated from time to time.
Travel Rule obligations must comply with applicable data protection, cybersecurity, and governance laws to ensure the confidentiality, integrity, and security of the information transmitted. If you are unfamiliar with how the Travel Rule works in practice, our Crypto Travel Rules Made Simple: A 101 Guide is the right starting point.
FATF Alignment
PVARA is required to align its AML/CFT/CPF supervisory framework with FATF standards (Section 46(3)). This positions Pakistan’s VASP regime as directly tracking FATF Recommendation 15 (new technologies and VASPs) and Recommendation 16 (the Travel Rule) — critical for businesses operating across multiple FATF-member jurisdictions.
Understanding FATF’s financial crime indicators for virtual assets is also increasingly important for MLROs. Our guide on FATF financial indicators for online exploitation illustrates the kind of typologies-based thinking regulators now expect compliance functions to apply. For a broader view of current financial crime trends affecting VASPs, see the Europol SOCTA 2025 analysis on cryptocurrency money laundering and our guide on money laundering through the markets which covers the typologies most relevant to exchange and broker-dealer VASPs.
AML/CFT Best Practices for VASPs
Designing controls that satisfy PVARA’s expectations requires going beyond the minimum. Our dedicated guide on AML/CFT best practices for VASPs sets out the control frameworks, red flags, and common pitfalls that compliance teams at virtual asset businesses need to address. MLROs should also be familiar with cross-sector financial crime typologies — our guide on financial intelligence against human trafficking illustrates the layered approach to suspicious activity detection that modern regulators expect.
Stablecoin and Token Issuance Rules
The Act creates a detailed framework for token issuers, with specific rules for different token types.
Fiat-Referenced Tokens (Stablecoins)
A Fiat-Referenced Token (FRT) is a Virtual Asset that purports to maintain a stable value relative to a single official fiat currency and is redeemable at par by its Issuer.
Requirements under Section 31:
- 100% reserve backing with High-Quality Liquid Assets (HQLA) or other prescribed assets, held as a Segregated Reserve
- Par redemption mechanisms — redemption at par value must be available without undue delay
- Audited reserve disclosures as prescribed by PVARA
- Robust AML/CFT/CPF and sanctions compliance programmes
- Prioritised holder protections in insolvency
- Additional requirements as prescribed by PVARA
Asset-Referenced Tokens
An Asset-Referenced Token represents ownership rights, claims, or economic interests in one or more underlying assets — such as commodities, real estate, securities, or a combination of official currencies.
Key requirements under Section 32:
- Must be fully backed by the underlying assets at all times
- Assets may be tangible or intangible — commodities, real estate, real-world assets, securities, financial assets, or a combination of official currencies
- Cannot be backed by or derive value from other Virtual Assets
- Reserve of underlying assets held in custody in accordance with Regulations
- Audited reserve disclosures, AML/CFT/CPF programmes, insolvency protections
Prohibition on Algorithmic Tokens
Section 53 prohibits any person from issuing, offering, or marketing a Virtual Asset whose primary mechanism for maintaining value is algorithmic and not fully or adequately collateralised. A limited exception exists if specifically permitted by Regulations with prescribed safeguards.
This provision directly reflects global lessons from algorithmic stablecoin collapses and provides an explicit legislative prohibition in Pakistan.
Initial Virtual Asset Offerings (IVAOs)
Only legal entities registered in Pakistan meeting prescribed eligibility criteria may conduct an Initial Virtual Asset Offering (IVAO) (Section 30). Conducting an IVAO without authority is a criminal offence attracting imprisonment of up to three years and/or a fine of up to PKR 25 million.
PVARA will prescribe conditions, disclosure requirements, approval processes, and ongoing obligations for IVAOs by Regulations.
Token issuance requirements in Pakistan share structural similarities with those in the EU’s MiCA framework. For comparison, see our guides on MiCA regulation for 2026, country-specific MiCA implementation in Netherlands, Poland, and Lithuania, and the CLARITY and GENIUS Acts 2025 compliance guide for crypto businesses covering the US stablecoin and digital asset legislative landscape.
Market Conduct and Consumer Protection
Chapter 7 establishes conduct of business standards that all licensees must meet.
Duty of Integrity and Fair Dealing
Licensees must conduct their business honestly, fairly, and professionally, in accordance with the best interests of their customers and in a manner that upholds the integrity of the market (Section 41). PVARA may prescribe detailed market conduct requirements by Regulations.
Disclosure Obligations for Issuers
Any Issuer offering a Virtual Asset to the public must:
- Publish a whitepaper in the prescribed form and manner
- Make ongoing disclosures of material information — including reserve attestations — at the frequency prescribed by PVARA
- Comply with mandatory risk disclosures and periodic reporting requirements
Marketing Restrictions
No person may advertise or market a Virtual Asset unless the Issuer holds a valid licence or registration under the Act (Section 43). All marketing materials must contain prescribed risk disclosures and comply with PVARA’s standards and limitations. For businesses also active in the UAE, the VARA marketing regulations compliance guide provides a useful reference point for what a mature virtual asset marketing framework looks like in practice.
Conflict-of-Interest Management
Licensees must identify, manage, and disclose conflicts of interest and must not place their own interests above those of customers (Section 44). Detailed requirements — including policies, disclosure obligations, and management procedures — will be prescribed by PVARA.
Complaint Handling and Dispute Resolution
Licensees must establish and maintain internal complaint-handling procedures. PVARA may also establish or recognise an independent dispute-resolution scheme for claims below a prescribed monetary threshold (Section 45).
Penalties and Enforcement
Non-compliance with the Act carries serious consequences — ranging from administrative sanctions to criminal prosecution.
Criminal Offences and Penalties (Section 54)
| Offence | Maximum Penalty |
|---|---|
| Operating an unlicensed VASP | 5 years imprisonment and/or PKR 50 million fine |
| Conducting an unlicensed IVAO | 3 years imprisonment and/or PKR 25 million fine |
| Market manipulation / insider trading (natural person) | 3 years imprisonment and/or PKR 25 million fine |
| Market manipulation / insider trading (legal person) | Fine of 3x profits gained or losses avoided; or up to 15% of annual turnover |
| False or misleading statements to PVARA | 3 years imprisonment and/or PKR 20 million fine |
| Obstruction of a PVARA officer | 2 years imprisonment and/or PKR 10 million fine |
| Failure to comply with a PVARA order | 1 year imprisonment and/or PKR 25 million fine; plus administrative penalties |
All criminal prosecutions are conducted by a Special Public Prosecutor appointed by the Federal Government. Cases are heard by designated Special Courts.
The scale of potential liability should not be underestimated. Real-world enforcement actions in comparable jurisdictions illustrate what regulatory failure looks like — and the reputational and financial damage it causes. Our case studies on Monzo’s £21.1 million AML failures and Barclays’ £39.3 million AML enforcement are instructive reading for any compliance professional building controls under a new regulatory regime.
Corporate Liability
Where an offence is committed by a body corporate with the consent, connivance, or neglect of any director, manager, secretary, or similar officer, that individual is deemed to have committed the offence personally (Section 55).
Administrative Sanctions (Section 59)
PVARA may impose one or more of the following without resorting to criminal prosecution:
- Written reprimand or public censure
- Directive to cease or remedy the contravention
- Financial penalty — up to PKR 25 million per contravention
- Suspension or revocation of licence
- Disqualification from holding any office or position of responsibility in a licensee
Emergency Powers (Section 60)
In the event of a systemic threat, market manipulation, fraud, cybersecurity breach, or other serious risk to customers or market integrity, PVARA may issue an emergency order temporarily suspending specified Virtual Asset Services or freezing related assets for a period not exceeding 30 days.
Blocking of Unlicensed Services (Section 61)
PVARA may direct telecommunications authorities, hosting providers, app stores, search engines, advertising networks, payment providers, and other intermediaries to block or remove any online material — websites, apps, advertisements, payment links — that promotes or operates an unlicensed Virtual Asset service.
How to Appeal a PVARA Decision
The Virtual Assets Appellate Tribunal (VAAT)
Any VASP, licensee, or person aggrieved by a PVARA order may appeal to the Virtual Assets Appellate Tribunal (VAAT) within 30 days of the order being communicated (Section 63).
The VAAT comprises:
- A presiding officer — a retired High Court judge, or an advocate with at least ten years’ relevant experience
- A technical expert with at least ten years’ professional experience
- A financial expert with at least ten years’ professional experience
The VAAT must decide appeals within three months of presentation. Its decisions carry the force of civil court decrees.
Appeal to the Supreme Court
A further appeal from the VAAT lies to the Supreme Court of Pakistan, to be filed within 30 days of the VAAT’s order (Section 65).
Key Takeaways for Businesses
If you are a VASP already operating in Pakistan: You have six months from the Act’s commencement to apply for a PVARA licence or cease operations. If you submit a complete application within that window, you may continue providing existing services during the application period — provided you comply with interim PVARA directives and core AML/CFT obligations. ComplyFactor’s AML advisory services can help you assess your current compliance gaps and build a credible transition plan.
If you are planning to enter the Pakistani market: You must obtain a No-Objection Certificate from PVARA before incorporating your company, then apply for a full licence post-incorporation. Build your AML compliance programme, fit-and-proper documentation, and custody/capital structure before you approach PVARA. Understanding how to structure a comprehensive AML programme from the ground up will put you in the strongest possible position.
If you are a token issuer: Review your token’s economic function honestly. If your token can be used for payment or investment and is transferable — you likely fall within the definition of a Virtual Asset. Fiat-Referenced Tokens require 100% HQLA backing and a Segregated Reserve. Algorithmic tokens are prohibited outright unless specifically permitted by future Regulations. Issuers should also plan for the mandatory annual audit — see our AML audit services page for how we support regulated entities through this process.
If you are operating cross-border: Do not assume you fall outside scope simply because you are incorporated outside Pakistan. If your services are offered to Pakistani users, PVARA’s extraterritorial reach may apply to you. Businesses active across multiple jurisdictions should also review our guide on Pakistan crypto regulations and the PVARA NOC process and consider how it interacts with their obligations in other markets such as the UAE, the UK, or EU member states like Romania — currently the EU’s fastest crypto market entry via MiCA. Cross-border VASPs with complex ownership structures should also review our guide on circular ownership compliance for financial institutions.
Frequently Asked Questions
Does the Act apply to pure crypto mining? No. Pure mining for own account does not constitute a Virtual Asset Service requiring a PVARA licence. Licensing only applies to mining operations that provide services to third parties involving customer virtual assets or funds.
Are NFTs regulated under the Act? Not automatically. An NFT that is not used for payment or investment and does not represent a regulated instrument is excluded. However, if an NFT functions as an investment product or payment instrument in substance, PVARA may classify it as a Virtual Asset under the substance-over-form principle.
Does running a self-custody wallet app require a licence? No. The mere provision of software, hardware, or infrastructure that enables customers to retain exclusive control over their own private keys is excluded from the definition of Custody and Administration Services.
What happens to my existing PVARA NOC or licence from the 2025 Ordinance? Section 74 provides that all actions, appointments, licences, and obligations accrued under the Virtual Assets Ordinance, 2025 are deemed valid under the corresponding provisions of the new Act.
Is DeFi activity regulated? This depends on function. If a DeFi protocol provides lending, exchange, or asset management services to third parties on a professional basis, it may qualify as a VASP. PVARA will assess based on the protocol’s substantive economic function — not its decentralised architecture.
What are the AML obligations for a new VASP applicant? Before licensing, you should have a documented AML/CFT/CPF compliance programme in place, a designated MLRO (who will be assessed as a Key Individual), CDD policies, transaction monitoring procedures, Travel Rule implementation plans, and FMU reporting protocols. Our global MLRO services can help you put this infrastructure in place quickly and credibly. If your team needs upskilling, our AML training programmes are tailored to regulated financial businesses. Contact us to discuss your PVARA readiness.
How does the Act interact with Pakistan’s existing AML framework? VASPs are deemed financial institutions under the AML Act 2010, meaning they inherit all existing AML obligations. The Act additionally imposes VASP-specific requirements — the Travel Rule, proof-of-reserves, and PVARA’s own supervisory framework. For a grounding in how AML regulatory frameworks layer across financial services globally, see our top AML regulations and frameworks worldwide guide.
PVARA Licensing Requirements at a Glance
| Requirement | Detail |
|---|---|
| Regulator | Pakistan Virtual Assets Regulatory Authority (PVARA) |
| Licensing stages | NOC (pre-incorporation) → Full Licence (post-incorporation) |
| Fit-and-proper | Controllers, Sponsors, CEO, Directors, and all Key Individuals |
| Pakistan resident | At least one Key Individual must be ordinarily resident in Pakistan |
| Customer assets | Segregated at all times; ring-fenced in insolvency; no rehypothecation |
| Proof of reserves | Cryptographic proof-of-reserves at prescribed intervals |
| AML/CFT status | VASPs are deemed financial institutions under AML Act, 2010 |
| Travel Rule | Applies at PVARA-prescribed threshold; FATF-aligned |
| Stablecoins (FRT) | 100% HQLA backing; Segregated Reserve; par redemption |
| Algorithmic tokens | Prohibited unless specifically permitted by Regulations |
| Max criminal penalty | 5 years imprisonment + PKR 50 million fine (unlicensed VASP) |
| Max admin penalty | PKR 25 million per contravention |
| Appeals | Virtual Assets Appellate Tribunal → Supreme Court of Pakistan |
This article is for informational purposes only and does not constitute legal advice. The Virtual Assets Act, 2026 is subject to subsidiary Regulations, Rules, and guidance from PVARA that have not yet been issued at the time of publication. Businesses should seek independent legal counsel before taking any action in reliance on this article.