Industry
Fintech
Counsel for companies that touch money in Pakistan — where the licence category decides the product, the State Bank decides the timeline, and the AML file decides whether either survives inspection.
Fintech is the one technology sector in Pakistan where the regulatory architecture arrived before the industry matured, and it shapes everything. The State Bank built its framework deliberately: EMI regulations issued in 2019 under the Payment Systems and Electronic Fund Transfers Act 2007, PSO/PSP rules for the infrastructure layer, a digital bank licensing framework introduced in 2022, and Raast — the instant payment system rolled out in phases and now central to how money moves domestically. On the other side of the street, SECP licenses the NBFCs through which app-based lending runs and has imposed conduct requirements on digital lenders after a period of genuine abuse in that market [CURRENT REQUIREMENTS — TO BE VERIFIED BY REVIEWING LAWYER]. A fintech founder in Pakistan is therefore never asking whether the business is regulated. The question is which regime, at which stage, and on whose licence.
The perimeter is the product decision
We push clients to answer the licence question before the architecture question, because in this sector the two are the same decision. Stored value makes you an EMI candidate. Routing and switching make you a PSO/PSP question. Bearing credit risk makes you an NBFC question. Each category carries its own capital, governance, and systems requirements, and each has a partner-model alternative — riding on a bank's or licensed entity's authorization — that trades margin and control for speed. The wrong sequencing is expensive in a specific way: features get built that the eventual licence category does not permit, and the pilot stage becomes a renegotiation with the regulator instead of a demonstration. As of mid-2026 the State Bank's approach rewards applicants who arrive with the perimeter analysis already done and punishes, with time, those who make the regulator do it for them. The newer product categories test the perimeter hardest. Buy-now-pay-later sits between SBP and SECP depending on who funds and who bears the credit risk; embedded finance puts a non-financial brand in front of a licensed balance sheet; and the digital bank framework of 2022 created a category whose economics only work for the well-capitalized few. Each of these is a structuring question before it is a licensing question.
Life under the AML Act
The Anti-Money Laundering Act 2010 is the statute fintech founders underestimate most. Its obligations — customer due diligence, ongoing monitoring, record-keeping, and suspicious transaction reporting to the Financial Monitoring Unit — attach to the activity, not to the company's size, and the State Bank examines payments businesses against its AML/CFT regulations with the seriousness Pakistan's international commitments require. For a young company the practical stakes are twofold. First, examination findings are cumulative: the record built in year one is the lens for year three. Second, AML failures are the fastest route from supervision to enforcement, and enforcement in this sector reaches individuals — compliance officers and directors — not just the licence. We build proportionate, written, actually-operating programs: risk assessment, CDD tiers matched to product limits, screening, an STR decision process with a record, and the training file an examiner asks for first.
The paper between the players
Almost no Pakistani fintech operates alone. There is a sponsor bank, an EMI partner, a processor, an agent network, a Raast connection through somebody's participation — and a stack of agreements allocating the risks that make payments businesses fail: fraud losses, settlement failure, chargebacks, data incidents, regulatory penalties triggered by the other party's conduct, and what happens to customers when the partnership ends. These agreements are negotiated once, under time pressure, and then govern years of operations. We treat them as the core asset they are. Raast deserves specific mention: as the rails move from a launch achievement to ordinary infrastructure, the questions shift to operational ones — settlement finality, dispute and reversal handling, liability for downtime, and what a participant owes the customers of a partner riding on its connection. Those answers live in the participation and partnership documents, and the time to read them is before volume arrives. The same discipline applies to fundraising: investment into a licensed or licence-track fintech carries regulatory approval mechanics — shareholding thresholds, fit-and-proper clearance of incoming controllers, sometimes prior no-objection — that belong in the conditions precedent, priced and time-tabled, rather than discovered between signing and closing.
How we serve fintech companies
We take fintechs through the full arc: perimeter analysis and licensing strategy, the application and pilot stages before the State Bank or SECP, the AML program, the partnership and infrastructure contracts, and the rounds that fund it all — with the regulatory approvals sequenced into the deal rather than bolted on. When supervision hardens into an inspection finding or show-cause notice, we answer it with the care of litigation, because in this sector the first answer becomes the permanent record. The frameworks named here are stated as of mid-2026 and move quickly — circulars amend without ceremony — and we confirm the current instrument at the start of every engagement.
The Five Recurring Problems
The problems this sector keeps producing.
- 01
Building the product before answering the perimeter question
Wallets, payment gateways, lending apps, and BNPL each sit in a different licence category — EMI, PSO/PSP, NBFC, or a bank partnership — and taking deposits or intermediating payments without the right authorization is an offence, not a formality. Teams that design the product first and ask the licence question second usually discover their flagship feature belongs to a category they did not apply for.
- 02
Treating EMI authorization as a filing rather than a program
The State Bank's EMI framework under the Payment Systems and Electronic Fund Transfers Act 2007 runs in stages — in-principle approval, pilot operations, then commercial launch — each with its own conditions, capital requirements [AMOUNTS — TO BE VERIFIED BY REVIEWING LAWYER], and systems scrutiny. Founders who budget for a licence application rather than a multi-stage regulatory program run out of runway inside the pilot.
- 03
AML obligations arriving before the compliance team does
The Anti-Money Laundering Act 2010 imposes customer due diligence, record-keeping, and suspicious transaction reporting to the Financial Monitoring Unit from the day the product handles funds — headcount notwithstanding. The State Bank examines against its AML/CFT regulations without regard to company age, and early findings shape every later interaction with the regulator.
- 04
Digital lending under two regulators at once
App-based lending runs through SECP-licensed NBFCs and, as of mid-2026, is subject to SECP's digital lending requirements on disclosure, pricing transparency, and app conduct [CIRCULAR AND CURRENT REQUIREMENTS — TO BE VERIFIED BY REVIEWING LAWYER], while the payment leg sits with SBP-regulated entities. Products structured without mapping both regimes end up compliant with one regulator and exposed to the other.
- 05
Partnership paper that collapses under a fraud loss
Most Pakistani fintechs operate on top of a bank or EMI partner — sponsor arrangements, agent networks, Raast connectivity — documented in agreements written when everyone was optimistic. The first significant fraud or settlement failure reveals that loss allocation, chargeback mechanics, and termination transition were never really negotiated, and the fintech holds the weak end.
The Regulators That Matter
Who you answer to — and for what.
- State Bank of Pakistan
- Licenses and supervises EMIs, PSOs/PSPs, and digital banks under the Payment Systems and Electronic Fund Transfers Act 2007 and its frameworks; operates Raast; examines AML/CFT compliance in the payments sector.
- SECP
- Licenses NBFCs and regulates digital lending conduct; also the corporate regulator every fintech answers to for its company-law life.
- Financial Monitoring Unit
- Receives suspicious transaction and currency transaction reports under the Anti-Money Laundering Act 2010; the quality of a fintech's reporting history is part of its regulatory reputation.
- PTA
- A secondary but real presence — app distribution, SIM-linked verification, and content-blocking powers that can reach a fintech's customer-facing channels.
Mapped Services
The practices this industry draws on.
- Compliance The AML/CFT program, licence-condition tracking, and inspection responses that keep the authorization alive.
- Technology Law The regulatory analysis of what the product legally is — before the State Bank performs its own.
- Commercial Contracts Sponsor bank, agent, merchant, and processor agreements with loss allocation actually negotiated.
- Fundraising & Investment Rounds where regulatory approvals for shareholding changes are a closing condition, not an afterthought.
- Corporate Governance Fit-and-proper requirements, board composition, and the governance record the licence conditions assume.
- Risk Advisory Fraud-loss allocation, outsourcing risk, and the scenario planning regulators expect to see documented.
Questions, Answered
What clients in this industry ask.
If customers store value with you, yes — that is the EMI category under the State Bank's framework, as of mid-2026. Alternatives exist: operating as an agent or technology provider on a licensed partner's authorization, with the product legally anchored in their licence. Which path fits depends on the economics you need and the control you can give up; we map both before you commit engineering time.
Plan in years, not months. The framework runs through in-principle approval, a supervised pilot, and commercial launch approval, and the State Bank's questions between stages are substantive — systems, capital, governance, and AML arrangements. The companies that move fastest are the ones whose applications anticipate the second-round questions in the first filing.
No. Lending as a business requires an SECP NBFC licence, and app-based lending additionally carries SECP's digital lending requirements on disclosure and conduct [TO BE VERIFIED BY REVIEWING LAWYER]. Structures that route lending through partners have to be genuine — the regulator looks at who bears credit risk and who faces the borrower, not at labels.
The same ones as a large institution, scaled by risk rather than headcount: customer due diligence, screening, record-keeping, and suspicious transaction reports to the FMU under the Anti-Money Laundering Act 2010. A proportionate written program, actually followed, is the minimum credible position at first inspection. We build these programs for pre-launch fintechs routinely.
Raast participation runs through the State Bank's arrangements for banks, EMIs, and other approved participants; a fintech without its own authorization typically connects through a licensed partner. The connectivity agreement matters — settlement timing, dispute handling, and outage responsibility should be negotiated, not accepted as boilerplate.
Yes, subject to the exchange-control mechanics that apply to any foreign investment into Pakistan and, for licensed entities, the regulator's approval requirements for significant shareholding changes and fit-and-proper clearance of controllers. Rounds in licensed fintechs are sequenced around those approvals, and the term sheet should say who bears the delay.
Related Insights
Prepared by The First Counsel · As of 2026-07-12 · Pending professional review — statements flagged in the text are being verified
This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.
