Are Consumers Protected in PVARA Crypto Exchange NOC and Virtual Assets Act 2025?

    PVARA has enabled the “NOC License Application Process”. The NOC submission form allows all crypto exchanges and businesses to obtain an NOC for operation in Pakistan. The same NOC form also lets us see what sort of data is being collected and what safeguards are being enforced for the safety and protection of ordinary Pakistani crypto users. A standard-practice comparison has been drawn with Dubai VARA, EU MiCA and FCA UK to understand how contemporary nations are addressing crypto regulation and consumer safety and protection.

    PVARA Pakistan Virtual Asset Regulatory Authority

    Two Part Analysis of PVARA Virtual Assets Act

    My analysis is personal opinion and omissions are expected; I would be glad to be corrected if I have made a mistake. My analysis of the NOC will be done in two parts:

    1. Part 1: Only the NOC application will be analyzed to find out what level of safeguards is being enforced and what the shortcomings are. The NOC application can adequately show us what PVARA's interests are and what protections it has in mind for citizens.
    2. Part 2: A cross-reference will be done with the Virtual Assets Act 2025 to see whether any aspect missed in the application form is already covered in the Act, thus improving consumer protection.

    PVARA NOC Application

    This document is the official PVARA No Objection Certificate Regulations 2025, which outlines the mandatory Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) registration and application process for Virtual Asset Service Providers (VASPs, i.e. crypto exchanges etc.) in Pakistan seeking a No Objection Certificate (NOC) from the Pakistan Virtual Asset Regulation Authority (PVARA). The NOC is a critical, phased regulatory step that grants a VASP:

    1. Approval for AML Registration on the Financial Monitoring Unit’s (FMU) goAML portal.
    2. Permission to proceed with the incorporation of a local entity in Pakistan.
    3. Permission to provide four specific “AML-Registered Services” (Exchange, Broker-Dealer, Custody, and Virtual Asset Derivative Services) prior to obtaining a full VASP license.

    While you can view the official NOC application on the PVARA website, let me highlight the important aspects that give us some insight into what may be allowed for exchanges and what is lacking.

    Scope and Shortcomings in NOC Application

    SALIENT FEATURES

    1. Legal Scope : Applies to all Virtual Asset Service Providers seeking NOC under the Virtual Assets Ordinance 2025.
      NOC enables AML registration and local incorporation.
    2. Phased Market Entry : Businesses can operate Exchange, Broker Dealer, Custody, and Derivative services after goAML registration and before full license approval. Other services require a full license. Futures trading will also be available to Pakistani crypto users.
    3. Strong Governance Structure : Mandatory board oversight of AML. Mandatory Key Individuals include CEO, CFO, Compliance Officer, MLRO, Internal Audit Head, Risk Head, and InfoSec Head.
    4. Fit and Proper Regime : All Key Individuals must pass integrity, competence, and financial soundness checks. Police clearance, regulatory history, and bankruptcy checks are mandatory.
    5. Ownership Transparency : Any person with 20 percent or more ownership or voting power is a Controller. Full Ultimate Beneficial Ownership disclosure is mandatory.
    6. Full AML CFT Framework : Mandatory policies include CDD, EDD, sanctions screening, transaction monitoring, STR and CTR reporting, ML TF risk assessment, training, and recordkeeping.
    7. goAML Integration : Mandatory real time STR and CTR filing through FMU goAML. Foreign entity registers first. Local entity takes over after licensing.
    8. Sanctions Enforcement : Mandatory screening against UN and local sanctions lists. Immediate asset freezing and reporting is required.
    9. Record Retention : All AML records must be retained for at least 7 years.
    10. Outsourcing Control : Core AML functions cannot be outsourced without strict oversight, audit rights, and enforceable cross border supervision.
    11. Detailed Application Process : Extremely detailed disclosure through Forms A1 to A8 of NOC application. Covers business model, crypto products, fiat rails, stablecoin exposure, technology stack, funding sources, and foreign licenses.
    12. Annual Compliance Reporting : Mandatory Annual AML Return with full customer risk metrics, transaction alerts, STR counts, and audit remediation status.
    13. Regulatory Enforcement : PVARA can revoke NOC for false data, AML breach, unfit management, or failure to progress to licensing.

    SHORTCOMINGS

    1. No Consumer Protection Layer : No rules on customer asset segregation, compensation fund, or dispute resolution framework. This exposes users to exchange insolvency risk.
    2. No Capital Adequacy Clarity : Minimum paid up capital is not defined. No liquidity buffer rules are defined, nor are any stress testing requirements mentioned.
    3. Cybersecurity Requirements Are Vague : Only general wording on InfoSec. No ISO standards. No penetration testing frequency. No breach disclosure timelines.
    4. Derivatives Risk Not Addressed : Virtual asset derivatives are allowed, but no margin limits, leverage caps, or liquidation control standards are mentioned.
    5. Missing Travel Rule : No explicit FATF Travel Rule enforcement for virtual assets. No guidance on VASP to VASP transfer data sharing.
    6. Data Localization : No requirement to store Pakistani user data inside Pakistan. Cross border cloud usage allowed without hard constraints.
    7. Banking Integration Risk : Fiat on ramp and off ramp is mentioned but no mandatory SBP approval pathway is defined. This can cause operational deadlocks.
    8. Timeline Uncertainty : NOC validity duration is not clearly defined. Delay risk exists if full licensing rules are not issued on time.
    9. Regulatory Overlap Risk : SBP, SECP, FMU, and PVARA roles can collide. No clear single window operational model exists.
    10. Market Abuse Framework : No explicit rules for wash trading, spoofing, insider trading, or price manipulation.
    11. Proof of Reserve Requirement : Exchanges are not required to publish cryptographic proof of reserves.
    12. No Token Listing Standards : No fitness criteria for coins or tokens listed on exchanges. No investor disclosure framework is defined.

    PVARA Virtual Assets Act 2025

    The Virtual Assets Act (VAA) 2025 addresses some of the shortcomings highlighted above. Let’s look at the aspects covered by VAA 2025, to what extent they are covered, and what the final status is once VAA 2025 is taken into account. Sections of the VAA 2025 are referenced throughout for easy cross-checking by the reader.

    • Customer Asset Protection
      The Act fixes this gap. Section 22 mandates segregation of customer assets. It prohibits mixing customer assets with company assets. It requires fiduciary duty. Section 23 mandates custody standards for private keys. Section 24 mandates proof of reserves and audit by an independent auditor.
      Status: Resolved.
    • Capital and Liquidity
      The Act fixes part of this gap. Section 17 and Section 22 mention minimum paid up capital and allow PVARA to impose higher capital based on risk. Section 28 requires prudential capital add-ons for significant issuers. Liquidity buffers are not defined, leaving some ambiguity and risk for the consumer.
      Status: Partially resolved.
    • Cybersecurity and Breach Controls
      Section 11 requires technical standards to be adhered to. Section 23 requires disaster recovery and business continuity. Cyber audit cycles and breach reporting timelines are not defined, nor have any ISO standards such as ISO 27001 been made mandatory.
      Status: Partially resolved.
    • Derivatives and Leverage Risk
      No section defines leverage caps or liquidation rules. No specific protection for retail derivative exposure exists. FCA UK has completely banned retail derivatives because of the associated risks, and only professional services can make use of derivative services. Such precautions are in the better interest of citizens, while exchanges prefer derivatives/leverage trading because it is more profitable for them.
      Status: Unresolved.
    • Travel Rule
      The Act does not mention the FATF Travel Rule. There is no requirement for VASP to VASP originator or beneficiary data exchange. This may make it difficult for LEAs and VASPs in their efforts to combat money laundering / ATF, although it does not pose any direct issue for consumers.
      Status: Unresolved.
    • Proof of Reserves
      The Act fully fixes this gap. Section 24 requires cryptographic proof of reserves. Section 24 also mandates periodic audit by independent auditors.
      Status: Resolved.
    • Token Listing Standards
      VAA 2025 partially addresses this. Section 31 to Section 33 introduce fair dealing, market integrity, and disclosure. Whitepaper requirements appear only for fiat referenced tokens in Section 26 and Section 27. No broad token listing governance for all crypto assets.
      Status: Partially resolved.
    • Market Abuse and Manipulation
      The Act fixes this gap strongly. Section 31, 32, and 33 define market abuse, insider trading, pump and dump schemes, and impose criminal penalties.
      Status: Resolved.
    • Data Localization
      The Act does not impose local storage requirements. Section 23 requires protection but allows foreign cloud. I do not expect them to have any regard for our data, so this was wishful thinking.
      Status: Unresolved.
    • Banking Integration
      No section establishes a formal coordination process or clarity with the State Bank of Pakistan for fiat on and off ramps.
      Status: Unresolved.
    • Consumer Protection and Dispute Resolution
      Section 36 mandates complaint handling and dispute resolution. Section 33 mandates disclosure of risks. There is no mention of a customer compensation fund, so by law exchanges will not be liable to compensate users in case of issues at the exchange. Dubai VARA, EU MiCA and FCA UK all have clearly defined user protections.
      Status: Partially resolved.
    • Ownership Transparency
      Section 16 defines fit and proper criteria for controllers. Section 15 mandates full disclosure for licensing.
      Status: Resolved.
    • Governance Requirements
      Section 7, Section 9, and Section 11 define governance, board structure, ethical duties, and conflict of interest controls.
      Status: Resolved.

    Conclusion

    Opening up to VASPs so they can process NOCs and register their businesses is a very positive step, and reading the NOC application alongside the Virtual Assets Act 2025 means Pakistan is going in the right direction with respect to crypto policy drafting. However, there is still no news about regulating crypto for retail users, and everyone is as confused about using crypto-related services as they were a decade ago, still facing bank blocks and FIA-related seizures. The only difference this time is that there is an official government department looking into the matter, which makes us hopeful that a thorough and consumer-friendly policy will be out soon. The NOC application hints at very strong AML enforcement and ownership transparency, but it is slightly weak on consumer protection, cybersecurity depth, derivatives risk control, and market integrity.

    Updated on February 27, 2026