The First Counsel

The Advisory Hub

Internal Policies Architecture

Which internal policies Pakistani law actually requires, which ones auditors and investors expect, and how to build a policy stack your people will follow rather than sign and forget.

Every growing company reaches the moment when rules that lived in the founder's head need to live on paper. Usually the trigger is external — an investor's diligence list, an auditor's letter, an enterprise customer's vendor questionnaire, or a complaint no one is equipped to handle. The company then buys a stack of templates, adopts them in a single resolution, and files them away. That is not a policy architecture. It is a liability generator with a table of contents.

The useful exercise is different: work out which policies Pakistani law actually mandates for your category of company, which ones your counterparties will demand, and which ones your operations genuinely need — then build that set, small enough to enforce, and evidence its adoption properly. This page sets out that architecture.

Three tiers: mandated, expected, useful

Tier one is what statute requires of you specifically. For every employer in Pakistan the anti-harassment framework is mandatory. For companies with director or shareholder dealings, related-party records are mandatory. For AML reporting entities, compliance programmes are mandatory. For listed companies, the Listed Companies (Code of Corporate Governance) Regulations 2019 drive a further set, including a whistle-blowing mechanism [SPECIFIC CODE REQUIREMENTS — TO BE VERIFIED BY REVIEWING LAWYER].

Tier two is what your counterparties require by contract or diligence: data-handling and security policies for enterprise customers, anti-bribery undertakings for foreign partners, HR policies for institutional investors. These are not legal mandates, but the deal does not close without them.

Tier three is what your operations need to run without improvisation: who signs what, who approves spending, what happens when someone leaves. Companies overinvest in tier three prose and underinvest in tiers one and two. Reverse that.

The mandatory core: the anti-harassment framework

The Protection Against Harassment of Women at the Workplace Act 2010 is the one statute that imposes policy obligations on effectively every employer. It requires the employer to adopt the code of conduct, display it prominently at the workplace, and constitute a standing inquiry committee of three members, at least one of whom must be a woman. The 2022 amendments widened who counts as an employee and what counts as a workplace, so a policy written before them is likely too narrow [SCOPE OF 2022 AMENDMENTS AS APPLIED — TO BE VERIFIED BY REVIEWING LAWYER].

Two features make this framework different from every other policy on the list. Non-compliance is itself sanctionable — you do not need a complaint to be in breach — and the committee is a live tribunal, not a formality: it conducts inquiries on statutory timelines, and its handling can end up before the federal or provincial Ombudsperson. Constitute it with people who can actually run a fair inquiry, and train them before they are needed.

The employment set

The handbook is the second document most companies get wrong, usually by copying one written for another country's law. Employment in Pakistan is largely a provincial subject, and for establishments above certain headcounts the standing-orders framework — the Industrial and Commercial Employment (Standing Orders) Ordinance 1968 as adapted in each province — prescribes terms and disciplinary procedure that a handbook cannot contradict [APPLICABILITY THRESHOLDS BY PROVINCE — TO BE VERIFIED BY REVIEWING LAWYER].

Within that frame, the handbook should do a small number of things well: leave policy that matches provincial law, a disciplinary procedure you will actually follow (because the procedure you publish is the one a labour forum will hold you to), and clear rules on exit — notice, final settlement, return of property. Keep pay, notice periods and restrictive covenants in the contract itself, and have the handbook incorporate by reference so it can evolve without renegotiating every contract.

The data set

Pakistan has no general data protection statute in force as of mid-2026; the Personal Data Protection Bill has been pending in successive drafts [STATUS — TO BE VERIFIED BY REVIEWING LAWYER]. That is a reason to draft carefully, not a reason to skip the policy. PECA 2016 reaches unauthorised access and misuse; SBP and PTA rules bind their sectors; and constitutional privacy jurisprudence counsels restraint with employee and customer data. Meanwhile every enterprise customer and foreign investor will measure you against GDPR-shaped expectations regardless of what local law requires.

Build the data policy from an inventory, not a template: list the systems that hold personal data, who can access each, and why the data is collected. Then write the policy to describe that reality — collection limited to need, defined access, retention periods, and a named owner for breach response. Draft it so that when a statute of the pending Bill's general shape arrives, compliance is an adjustment rather than a rebuild.

The money set

Three policies govern how money moves and who can move it. The delegation-of-authority matrix is the most valuable document in the stack for a CFO: one table stating what management can approve alone, what needs two signatures, and what is reserved to the board. Adopt it by resolution and let nothing outside it bind the company.

The conflicts-of-interest and gifts policy exists because Pakistan's anti-corruption statutes — the Prevention of Corruption Act 1947 and the bribery offences of the Penal Code among them — attach to conduct your staff may not recognise as risky, and because foreign partners will impose FCPA- and UK Bribery Act-style standards by contract even where local law is narrower. A disclosure register that is genuinely maintained matters more than elegant drafting.

AML procedures are mandatory only for reporting entities under the Anti-Money Laundering Act 2010 — financial institutions and certain designated non-financial businesses and professions. If you are in scope, the customer due diligence, record-keeping and suspicious-transaction reporting procedures are a regulatory obligation with an examiner attached, not an internal nicety. If you are not sure whether you are in scope, that question comes first.

The governance set

The related-party transaction policy deserves its own mention because it is where internal policy meets statutory duty. The Companies (Related Party Transactions and Maintenance of Related Records) Regulations 2018 prescribe approvals and records for dealings with directors, officers, major shareholders and associated companies. A short policy — who counts as related, who discloses, what the board must see before approving — turns a recurring statutory trap into a routine.

A whistle-blowing channel completes the set. Listed companies build one under the 2019 code framework; private companies build one because the alternative is that the first report of fraud goes to the person committing it. The design rule is placement: the recipient must sit outside the reporting line most complaints would travel.

Design rules that decide whether any of it works

Four rules separate policy stacks that function from those that decorate a shared drive. Keep each policy short enough to read in one sitting; a policy nobody has read protects nobody. Never promise a procedure you do not operate — an unstaffed hotline or a review cycle that never runs is documented negligence. Version and date everything, and adopt each policy by a dated resolution, because in any dispute the first question is what was in force when. And give every policy one named owner with a review date, because a policy owned by everyone is owned by no one.

Rollout is evidence too. Circulate against acknowledgment, train on the high-exposure policies — harassment, related parties, AML where applicable — and keep the attendance records. When a regulator, court or investor later asks whether the policy was real, the acknowledgments and training logs are the answer.

Requirements described here are stated as of mid-2026 and several sit in frameworks that move — the pending data statute above all. Have the stack reviewed against current law for your province, sector and company category before adopting it.

The Checklist

Policy stack build checklist

Sixteen steps to adopt, evidence and maintain the internal policies a Pakistani company needs.

  • Adopt the anti-harassment code of conduct required by the Protection Against Harassment of Women at the Workplace Act 2010 and display it as the Act prescribes.
  • Constitute the standing inquiry committee — three members, at least one of them a woman — and record the appointments in writing.
  • Train the inquiry committee before it receives its first complaint, not after.
  • Check whether the standing-orders framework in your province applies at your headcount, and align the handbook to it.
  • Audit the employment handbook against your actual contracts and remove every contradiction between them.
  • Adopt a related-party transaction policy tracking the Companies (Related Party Transactions and Maintenance of Related Records) Regulations 2018.
  • Approve a delegation-of-authority matrix by board resolution and make it the only source of signing power.
  • Adopt a conflicts-of-interest and gifts policy with a disclosure register someone actually maintains.
  • Map every system that holds personal data before drafting the data-handling policy, not after.
  • Publish a privacy and data-handling policy stating what you collect, why, who can access it, and how long you keep it.
  • Open a whistle-blowing channel with a named recipient who sits outside the reporting line most complaints would travel.
  • If you are a reporting entity under the Anti-Money Laundering Act 2010, adopt the customer due diligence and reporting procedures it requires.
  • Set an IT and acceptable-use policy covering devices, access rights, and same-day revocation for leavers.
  • Date every adoption resolution, version every policy, and archive superseded versions.
  • Assign each policy a named owner and a review date within the next twelve months.
  • Run training on the three highest-exposure policies — harassment, related parties, AML where applicable — and keep attendance records.

Questions, Answered

What clients ask most.

The clearest mandate is the anti-harassment framework: the Protection Against Harassment of Women at the Workplace Act 2010 requires every employer to adopt the code of conduct, display it, and constitute an inquiry committee — non-compliance is sanctionable even without a complaint. Beyond that, mandates attach by category: related-party records under the 2018 regulations for companies, AML procedures for reporting entities, and code-driven policies for listed companies. Most of the rest is expected rather than mandated — which stops mattering the day an investor or auditor asks for it.

Yes, for three reasons. First, as of mid-2026 the pending Personal Data Protection Bill [STATUS — TO BE VERIFIED BY REVIEWING LAWYER] is expected to arrive during the life of whatever you build, and a company with a working policy adjusts while a company without one rebuilds. Second, PECA 2016 and sectoral rules already reach specific misuse of data. Third, your contracts almost certainly promise confidentiality you currently have no documented means of keeping.

Templates fail in predictable ways: they cite foreign statutes, they contradict your employment contracts, and they promise procedures — committees, hotlines, review cycles — that do not exist in your company. A policy that promises what you do not do is worse than no policy, because it is evidence of the standard you set and missed. Start from your actual operations and keep the stack short.

A contract is bilateral and hard to change; a policy is unilateral and easy to change — and where they conflict, the employee will rely on whichever favours them, with real prospects of success. Draft contracts to incorporate policies as amended from time to time, keep terms like pay and notice in the contract only, and audit the two against each other whenever either changes.

Fewer than a template vendor will sell you. At that size: the mandatory anti-harassment code and committee, an employment handbook, a data-handling policy, a conflicts and gifts policy, a delegation-of-authority matrix, and an IT and leaver policy. Six documents, each a few pages, each owned and trained. Add the related-party policy the day directors or shareholders start transacting with the company.

The full FAQ Center

Prepared by The First Counsel · As of 2026-07-12 · Pending professional review — statements flagged in the text are being verified

This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.

Every matter begins with a first conversation.

Contact the Firm