Pakistan is building its first full rulebook for virtual assets. The Pakistan Virtual Assets Regulatory Authority (PVARA) recently invited public feedback on the draft Pakistan Virtual Asset Services Regulations 2026 and the accompanying Activity-Specific Handbooks, issued under the Virtual Assets Act 2026. Esquare Legal submitted a detailed response, and below we walk through each of our twenty-nine recommendations in plain terms.
The Act sets the overall architecture. The detail that actually decides whether the market is safe and credible sits in these regulations, so our submission benchmarks the draft against the leading global regimes, including the European Union’s Markets in Crypto-Assets Regulation (MiCA), Dubai’s Virtual Assets Regulatory Authority (VARA), Singapore, the Abu Dhabi Global Market, Hong Kong, New York, and the standards of the Financial Action Task Force (FATF). Our response is in three parts: fourteen points sharpening the draft framework, fifteen further recommendations on gaps, and a set of technical drafting fixes.
Part A: Sharpening the Draft Framework
These fourteen points address places where the draft leaves a gap, an ambiguity, or a standard set below international practice.
1. A proper rupee stablecoin regime
The Act does not fix how quickly a fiat-referenced token must be redeemable, how often its reserves are checked, how those reserves are held, or how much capital the issuer needs. We recommended a fixed redemption window, monthly independent reserve attestations, segregated bankruptcy-remote custody of the backing assets, and a defined issuer capital floor.
2. A clear boundary with the State Bank on rupee tokens
Because a rupee-pegged token touches monetary policy, we recommended that issuing one require the prior written concurrence of the State Bank of Pakistan, supported by a published memorandum of understanding on monetary-stability limits.
3. A workable Travel Rule
The Act requires a travel rule but sets no threshold and no data format. We recommended PVARA to set a transfer threshold (around USD or EUR 1,000), adopt the international IVMS101 data standard, and require enhanced checks for transfers to or from unhosted (self-custodied) wallets, in line with FATF guidance.
4. Real rules against market manipulation
We recommended a detailed catalogue of prohibited conduct modelled on the EU market-abuse regime, liability that reaches blockchain-specific roles, and a duty on platforms to monitor and report suspicious trading.
5. Hard custody and proof-of-reserves standards
We recommended a minimum cold-storage ratio, mandatory insurance, multi-signature key management, daily reconciliation, and prior approval before any sub-custodian is used.
6. Guardrails for the pre-licence (NOC) stage
During the interim No Objection Certificate period before a full license, we recommended that firms be barred from holding or dealing in retail client assets, be subject to activity caps, and face a hard cut-off date.
7. Minimum capital set in the rules, not left to discretion
The Act leaves capital almost entirely to administrative discretion. We recommended activity-tiered capital floors written into the Regulations, and noted that the draft’s own flat figures should be made proportionate through a published, risk-based tiering matrix and a transitional glide-path, so startups are not priced out while systemic operators are properly funded.
8. Closing the definitional gaps
We recommended PVARA to define decentralised finance, staking and the limits of the algorithmic-token ban, bring payment and investment NFTs into scope, and draw a clear line between advisory and management services.
9. A guaranteed consumer compensation scheme
The Act only says PVARA may set up a compensation scheme. We recommended that may become shall, funded by industry contributions or insurance, for firms that hold client assets.
10. An independent, time-bound appeals tribunal
We recommended that the qualifications and tenure of tribunal members be fixed, and that appeals be decided within a statutory time limit.
11. A properly designed regulatory sandbox
We recommended clear eligibility criteria, defined cohort windows, a maximum test duration, consumer safeguards, and a clear exit pathway.
12. Resolving the data-localization conflict
The framework both defers to data-protection law and gives PVARA data-localization powers, which pull in opposite directions. We recommended a reconciliation clause that settles the conflict.
13. A single, coordinated anti-money-laundering structure
We recommended a published memorandum of understanding allocating lead supervision among PVARA, the Financial Monitoring Unit and the national authority, with one reporting channel.
14. Real Shariah governance
We recommended PVARA to fix the composition, powers and screening method of the Shariah Advisory Committee, and to require a Shariah audit for any product marketed as compliant.
Part B: Filling the Gaps
These fifteen recommendations address matters the draft either leaves out or leaves open.
15. Making sure your assets survive a platform failure
The strongest protection, that customer assets sit outside a failed platform’s estate, currently lives in a low-ranking handbook and cleanly protects only cash, not crypto. We recommended PVARA to move it into the Act or a regulation and extend it equally to client crypto and reserve assets, so it binds an insolvency court. The United Kingdom achieves this through a statutory trust, and under MiCA client crypto must be kept beyond the reach of the platform’s creditors.
16. A transition existing platforms can actually use
The six-month window to apply for a licence runs from the Act’s commencement, but the forms, fees and handbooks are still in draft, so firms cannot yet file a complete application. We recommended that the clock run from when the final rules are published, that the apply-or-cease cliff be replaced with a phased migration, and that it be paired with a capital glide-path.
17. Aligning client-money rules with the State Bank
The Regulations predate the State Bank’s Circular No. 10 of 2026, which now governs these accounts and limits them to rupee-only, non-remunerative accounts. We recommended PVARA to align the two regimes and, working with the State Bank, provide a route for foreign-currency and stablecoin client money, since remittances and freelancer earnings are mostly in foreign currency.
18. Rules for unclaimed and dormant assets
The framework says nothing about the assets of users who lose access or cannot be contacted when a platform is wound up. We recommended a dormancy period after which unclaimed assets move into a custody fund managed by PVARA or the State Bank, with a route for owners to reclaim them.
19. Honest cross-border and reverse-solicitation rules
The test for when a global platform is operating in Pakistan is vague, and there is no reverse-solicitation concept (a service a Pakistani user seeks out entirely on their own). We recommended an objective actively-markets-to test, a technology-neutral safe harbour covering apps as well as websites, a definition of persons in Pakistan, and a narrow reverse-solicitation exemption. MiCA codifies exactly such an exemption.
20. Real due diligence before a token is listed
Platforms must publish listing standards but need not actually vet a token. We recommended for minimum listing criteria, an orderly delisting process that protects customers, and a mandatory legal and technical due-diligence file, including a smart-contract audit, for every token before it goes live.
21. Protecting investors from crypto marketing and finfluencers
There is no dedicated regime for crypto advertising, which is dominated by social-media influencers. We recommended PVARA to require fair and clear promotions with risk warnings, ban incentives to invest, add a cooling-off period for first-time investors, and make platforms responsible for the influencers and key opinion leaders they engage. This mirrors the United Kingdom Financial Conduct Authority rules.
22. Certainty on tax
The rules are silent on how crypto gains, tokenised assets and staking or yield are taxed, even though the Federal Board of Revenue now requires reporting by service providers. We recommended clear, published tax treatment developed together with the Federal Board of Revenue.
23. Environmental and water standards
Beyond a single disclosure line, there is no environmental standard for the energy- and water-hungry activities being licensed. We recommended sustainability disclosure and real siting, energy and water conditions on mining and data centres, with tighter rules in water-stressed areas. MiCA requires similar environmental disclosure.
24. Security, chain surveillance and financial sovereignty
Sanctions screening does not reach local watch-lists, mining declarations bind only licensed operators, and incident reports go to PVARA alone. We recommended an active on-chain surveillance capability inside PVARA, a gatekeeping role for licensed platforms with a direct line to national agencies, geo-fencing of hostile jurisdictions, grid-level monitoring of mining, and an express statement that PVARA exists to protect Pakistan’s financial sovereignty, consistent with FATF expectations on intelligence-led supervision.
25. Keeping data in Pakistan and verifying identity safely
We recommended that customer and transaction data be stored within Pakistan and that identity be verified against the national database (NADRA) using privacy-preserving, zero-knowledge technology that confirms a person is verified without exposing their underlying data.
26. Operational resilience: disaster recovery and IP tracking
We recommended that every platform maintain and test a business-continuity and disaster-recovery plan, and capture and retain IP-address data for account access and transactions to help trace fraud and account takeovers.
27. Sensible on-ramp limits
We recommended tiered limits on how much a customer can move from rupees into crypto, keyed to their verification level and risk, coordinated with the State Bank’s foreign-exchange rules.
28. Building on proven SECP standards
Virtual asset businesses now perform bank-like functions, so we recommended PVARA not to reinvent the wheel: align the fit-and-proper test with the SECP’s non-bank criteria, add prudential exposure limits modelled on the SECP’s prudential regulations, and apply the SECP’s asset-management rules to asset-referenced tokens.
29. Shariah compliance that is real, not a label
We recommended PVARA to remove interest from the statutory lending definition, require Halal reserves for any token marketed as Shariah-compliant, restrict speculative conventional derivatives, and give the Shariah Advisory Committee binding authority over anything claiming to be Islamic.
Part C: The Technical Detail
Alongside these twenty-nine recommendations, our submission includes a set of clause-level drafting refinements: precise fixes to definitions, timelines, group-structure rules, custody mechanics and the application forms, so that the final rules are workable in practice.
How We Can Help
Esquare Legal advises exchanges, token issuers, custodians, banks and fintech businesses on virtual asset licensing, regulation and compliance in Pakistan, UAE, Europe, Hong Kong and LATAM. If you would like to understand how these rules affect you, we would be glad to help.
admin@esquarelegal.com · www.esquarelegal.com
Read the full submission
Our complete response to PVARA, including the clause-level drafting fixes summarised in Part C, is available as a single document.
Frequently Asked Questions
What redemption window should Pakistan set for rupee stablecoins?
We recommended a fixed redemption window, monthly independent reserve attestations, segregated bankruptcy-remote custody of backing assets, and a defined issuer capital floor for any rupee-referenced stablecoin. Read the full recommendation →
Should the State Bank of Pakistan approve rupee-pegged tokens before they launch?
Yes. We recommended that issuing a rupee-pegged token require the State Bank’s prior written concurrence, backed by a published memorandum of understanding on monetary-stability limits. Read the full recommendation →
What threshold and data standard should PVARA’s Travel Rule use?
We recommended a transfer threshold of around USD/EUR 1,000, adoption of the IVMS101 data standard, and enhanced checks on transfers involving unhosted wallets, in line with FATF guidance. Read the full recommendation →
How should PVARA police market manipulation in virtual asset trading?
We recommended a detailed catalogue of prohibited conduct modelled on the EU market-abuse regime, liability reaching blockchain-specific roles, and a platform duty to monitor and report suspicious trading. Read the full recommendation →
What custody and proof-of-reserves standards should licensed platforms meet?
We recommended a minimum cold-storage ratio, mandatory insurance, multi-signature key management, daily reconciliation, and prior approval before any sub-custodian is used. Read the full recommendation →
What should firms be allowed to do during the pre-licence NOC period?
During the interim NOC period, we recommended barring firms from holding or dealing in retail client assets, subjecting them to activity caps, and imposing a hard cut-off date. Read the full recommendation →
Should minimum capital requirements be fixed in the regulations or left to discretion?
We recommended activity-tiered capital floors written directly into the Regulations, with a published risk-based tiering matrix and a transitional glide-path so startups aren’t priced out while systemic operators remain properly funded. Read the full recommendation →
What key terms does the draft framework leave undefined?
We recommended PVARA define DeFi, staking, and the limits of the algorithmic-token ban, bring payment and investment NFTs into scope, and draw a clear line between advisory and management services. Read the full recommendation →
Should Pakistan guarantee a consumer compensation scheme for virtual asset platforms?
We recommended turning PVARA’s discretionary power to establish a compensation scheme into a mandatory duty, funded by industry contributions or insurance for firms holding client assets. Read the full recommendation →
How should PVARA’s appeals tribunal be structured?
We recommended fixing the qualifications and tenure of tribunal members and requiring appeals to be decided within a statutory time limit. Read the full recommendation →
What should PVARA’s regulatory sandbox include?
We recommended clear eligibility criteria, defined cohort windows, a maximum test duration, consumer safeguards, and a clear exit pathway for the sandbox. Read the full recommendation →
How should Pakistan resolve the conflict between data-protection law and PVARA’s data-localization powers?
We recommended a reconciliation clause that settles the conflict between the framework’s deference to data-protection law and PVARA’s separate data-localization powers. Read the full recommendation →
Who should lead AML supervision of virtual asset firms in Pakistan?
We recommended a published memorandum of understanding allocating lead AML supervision among PVARA, the Financial Monitoring Unit, and the national authority, with a single reporting channel. Read the full recommendation →
How should PVARA govern Shariah compliance claims?
We recommended PVARA fix the composition, powers, and screening method of the Shariah Advisory Committee, and require a Shariah audit for any product marketed as compliant. Read the full recommendation →
Are customer crypto assets protected if a platform becomes insolvent?
Not reliably yet. The strongest protection currently sits in a low-ranking handbook and covers only cash. We recommended elevating it into the Act or a regulation and extending it to client crypto and reserve assets so it binds an insolvency court, as MiCA and the UK’s statutory trust model do. Read the full recommendation →
When should the six-month licensing window actually start running?
We recommended the clock run from when the final rules are published rather than the Act’s commencement, replacing the apply-or-cease cliff with a phased migration paired with a capital glide-path. Read the full recommendation →
Do PVARA’s client-money rules conflict with the State Bank’s Circular No. 10 of 2026?
Yes. The Regulations predate the Circular, which limits client accounts to rupee-only, non-remunerative accounts. We recommended aligning the two regimes and creating a route for foreign-currency and stablecoin client money. Read the full recommendation →
What happens to unclaimed crypto assets when a platform winds up?
The framework is currently silent. We recommended a dormancy period after which unclaimed assets move into a custody fund managed by PVARA or the State Bank, with a clear route for owners to reclaim them. Read the full recommendation →
Does a foreign platform need a PVARA licence just because a Pakistani user signs up on their own?
The current test is vague. We recommended an objective actively-markets-to test, a technology-neutral safe harbour, a definition of persons in Pakistan, and a narrow reverse-solicitation exemption for services a user seeks out entirely on their own, as MiCA does. Read the full recommendation →
Are platforms required to actually vet a token before listing it?
Not under the current draft. Platforms must publish listing standards but aren’t required to vet tokens against them. We recommended minimum listing criteria, an orderly delisting process, and a mandatory due-diligence file including a smart-contract audit before any token goes live. Read the full recommendation →
How should PVARA regulate crypto marketing by social-media influencers?
We recommended requiring fair, clear promotions with risk warnings, banning incentives to invest, adding a cooling-off period for first-time investors, and making platforms responsible for the influencers they engage, mirroring UK FCA rules. Read the full recommendation →
How are crypto gains and staking income taxed in Pakistan?
The rules are currently silent, even though the FBR now requires reporting by service providers. We recommended clear, published tax treatment developed jointly with the Federal Board of Revenue. Read the full recommendation →
Does the draft framework set environmental standards for crypto mining?
Only a single disclosure line today. We recommended real siting, energy, and water conditions on mining and data centres, with tighter rules in water-stressed areas, similar to MiCA’s environmental disclosure requirements. Read the full recommendation →
Does PVARA have the tools to monitor on-chain activity and protect financial sovereignty?
Not yet fully. Sanctions screening doesn’t reach local watch-lists and incident reports go to PVARA alone. We recommended on-chain surveillance inside PVARA, a gatekeeping role for platforms with a direct line to national agencies, geo-fencing of hostile jurisdictions, and an express financial-sovereignty mandate, consistent with FATF expectations. Read the full recommendation →
How should platforms verify customer identity without exposing personal data?
We recommended storing customer and transaction data within Pakistan and verifying identity against NADRA using privacy-preserving, zero-knowledge technology that confirms verification without exposing the underlying data. Read the full recommendation →
Should licensed platforms be required to maintain disaster-recovery plans?
Yes. We recommended every platform maintain and test a business-continuity and disaster-recovery plan, and capture and retain IP-address data for account access and transactions to help trace fraud. Read the full recommendation →
Should there be limits on converting rupees into crypto?
We recommended tiered on-ramp limits keyed to a customer’s verification level and risk profile, coordinated with the State Bank’s foreign-exchange rules. Read the full recommendation →
Should PVARA build its own prudential standards from scratch?
No. We recommended PVARA build on proven SECP standards: align the fit-and-proper test with SECP’s non-bank criteria, adopt prudential exposure limits modelled on SECP’s regulations, and apply SECP’s asset-management rules to asset-referenced tokens. Read the full recommendation →
What makes a Shariah-compliant token claim credible under the draft rules?
We recommended removing interest from the statutory lending definition, requiring Halal reserves for any token marketed as Shariah-compliant, restricting speculative conventional derivatives, and giving the Shariah Advisory Committee binding authority over Islamic-labelled products. Read the full recommendation →
This note is a general summary published for information only and does not constitute legal advice. It reflects the position at the date of publication.
