The legal landscape for fintech in Pakistan

Tuesday 18 July 2023

Sahar Iqbal
Akhund Forbes, Karachi

Creating a fintech company under the SBP Framework

The State Bank of Pakistan Act 1956 (‘the SBP Act’)[1] governs the financial sector of Pakistan. The SBP is empowered to issue rules, regulations and frameworks which govern all types of banking, including fintech. In January 2022, the SBP published a Licensing and Regulatory Framework for Digital Banks (‘the Framework’),[2] which delineates the complete process for setting up digital banks while complying with laws and regulations. Under the framework, licensing requirements for conventional and Islamic variants of digital banks are provided and must not be excluded unless inconsistent with the general framework. Digital Retail Banks are for retail customer segments, while Digital Full Banks are for corporate, commercial, as well as retail purposes. Traditional banks, international banks or digital financial services entities, electronic money institutions and other entities with relevant experience in financial services or technology can apply to form a digital bank. In fact, collaboration with established entities or investors is encouraged under the Framework. However, a group which already owns a traditional bank is not eligible to apply for a digital bank licence, except if the digital bank is proposed as a subsidiary of the traditional bank.

The application process involves multiple stages, including the pre-application stage, application stage, feasibility study and business plan submission, sponsors’ financial strength assessment, fit and proper test, and obtaining a No Objection Certificate (NOC) from the SBP. After receiving the NOC, the applicant can proceed with the incorporation of the proposed digital bank as a public limited company and apply for In-Principle Approval (IPA) from SBP. The IPA provides terms and conditions for pilot operations, which must be completed within a specified period. After successful pilot operations, the applicant is eligible to apply for a licence to commence commercial operations.

Our firm advised Kleiner Perkins and Sequoia Capital on their maiden venture capital investment in Pakistan in D-Bank, an innovative fintech services provider in Pakistan. We also advised Avanza Group on its multi-million dollar joint venture with Premier Systems to establish a local online payment gateway system in the growing e-commerce market of Pakistan.

Furthermore, the Securities and Exchange Commission of Pakistan (SECP), in 2019, introduced a regulatory sandbox[3] as part of its efforts to foster financial inclusion and innovation in the country’s financial sector, especially in the fintech industry. This framework provides guidelines for fintech startups interested in participating in the regulatory sandbox, outlining eligibility criteria, the application process and participation requirements. One of the key advantages of the sandbox is its ability to provide a controlled testing environment for startups to refine their products and services, ensuring consumer protection and minimising risks before their market launch, ultimately time and resources.

In 2023, QistBazaar,[4] a prominent Pakistan-based Buy Now Pay Later (BNPL) fintech company, announced a significant partnership with Bank Alfalah, one of the country’s largest commercial banks. The partnership involves a PKR 500m (US$1.7m) equity investment by Bank Alfalah, representing a 7.2% stake in QistBazaar, as well as becoming the company’s embedded lending partner. This collaboration is a significant milestone for Pakistan’s fintech sector as it marks the first time a commercial bank has taken an equity stake in a BNPL fintech company. Our law firm advised QistBazaar.

Other laws and regulations applicable to fintech companies

Besides the primary SBP framework, fintech companies in Pakistan are subject to multiple other laws and regulations. The Electronic Transactions Ordinance 2002 (ETO)[5] regulates the security of electronic transactions which are central to the fintech industry. A significant challenge lies in the lack of awareness among individuals regarding their rights and the extent of coverage under these protection acts when conducting online transactions. To address this, the Electronic Certification Accreditation Council (ECAC), an autonomous body operating under the Federal Government’s Ministry of Information Technology & Telecom, is established. As a Public Key Infrastructure (PKI) Accreditation Authority, ECAC provides certification to private sector entities involved in electronic transactions through accredited certificate service providers. The issuance of PKI-based digital certificates enhances the security, reliability and global acceptance of electronic transactions. In addition to the ETO, the Payment Systems and Electronic Fund Transfers Act 2007[6] also applies to fintech companies and essentially regulates payments and other banking transactions.

Furthermore, fintech companies in Pakistan are also subject to the Anti-Money Laundering and Counter-Terrorism Financing Regulations (‘the AML/CTF Regulations’).[7] These Regulations include customer identification and verification procedures, ongoing monitoring of customer transactions and reporting of suspicious transactions to the relevant authorities.

Significantly, consumer protection is of utmost importance in today’s times where data breaches expose companies and individuals to significant risk. The Ministry of Information, Technology and Telecommunication finalised the Personal Data Protection Bill 2023,[8] which aims to regulate the collection, processing, use, disclosure and transfer of personal data, providing a mechanism for data protection and addressing offences related to data privacy rights. It establishes the National Commission for Personal Data Protection of Pakistan and sets out guidelines for the lawful and fair collection and processing of personal data. The bill aims to foster trust in online transactions and information sharing. Compliance with international standards, notification of data breaches and restrictions on cross-border data transfers are also included. Non-compliance may result in fines, registration suspension or termination and penalties for legal entities. Once enacted, this bill will be directly applicable to fintech companies and will provide a significant level of security to electronic transactions.


The fintech sector in Pakistan has witnessed rapid growth and innovation, bringing significant advancements to the country’s financial services landscape, which is particularly important considering the large unbanked population. In addition to benefiting from digitisation, fintech services, such as QistBazaar, play a crucial role in promoting financial inclusion through their BNPL offerings, providing valuable financial relief to society. The SBP’s Framework and the SECP’s regulatory sandbox are instrumental in encouraging fintech startups and fostering financial inclusion and innovation. Moreover, the ETO and the AML/CTF Regulations, along with the forthcoming Personal Data Protection Bill offer sufficient protection to both customers and fintech companies. Overall, the regulatory framework in Pakistan continues to evolve to support the growth and security of the fintech industry, and there remains untapped potential.


[1] State Bank of Pakistan 1956 https://www.sbp.org.pk/about/act/sbp-act.pdf accessed 12 July 2023.

[2] State Bank of Pakistan, Licensing and Regulatory Framework for Digital Banks (January 2022) https://www.sbp.org.pk/bprd/2022/C1-Annex.pdf accessed 12 July 2023.

[3] Securities and Exchange Commission of Pakistan https://www.secp.gov.pk/regulatory-sandbox/what-is-regulatory-sandbox/ accessed 12 July 2023.

[4] See https://www.bankalfalah.com/press-releases/bank-alfalah-marks-breakthrough-with-equity-investment-and-embedded-finance-partnership-with-qistbazaar/ accessed 12 July 2023 for more details.

[5] Electronic Transactions Ordinance 2002 https://www.sbp.org.pk/about/act/ETC202.pdf accessed 12 July 2023.

[6] Payment Systems and Electronic Fund Transfers Act 2007 https://www.sbp.org.pk/psd/2007/EFT_Act_2007.pdf accessed 12 July 2023.

[7] Anti-Money Laundering, Combating the Financing  of Terrorism & Countering Proliferation Financing (AML/CFT/CPF) Regulations for State Bank of Pakistan’s Regulated Entities (SBP-Res)  https://www.sbp.org.pk/bprd/2022/CL33-Annex-B.pdf accessed 12 July 2023.

[8] Personal Data Protection Bill 2023 https://senate.gov.pk/uploads/documents/1676274056_117.pdf accessed 12 July 2023.