The First Counsel

Client Alert

SBP prudential update: digital banking and payments

Pakistan's payments perimeter now has several doors — digital bank, EMI, PSO/PSP, bank partnership — and the licence a business model needs is the first legal question, not the last.


20 May 2026 · 3 min read · The First Counsel

Draft — for lawyer review before publication

Payments regulation in Pakistan rests on the Payment Systems and Electronic Fund Transfers Act 2007. On that base the State Bank has built a layered perimeter: rules for payment system operators and providers, the Electronic Money Institutions Regulations 2019, a licensing framework for digital banks issued in 2022, and Raast, the central instant-payment rail. As of mid-2026 the digital-bank cohort licensed under the 2022 framework is moving from authorisation into operations, and SBP continues to adjust the surrounding rulebook by circular [STATUS OF EACH LICENSEE AND ALL 2026 INSTRUMENTS TO BE VERIFIED BY REVIEWING LAWYER]. This alert maps the perimeter and the questions it puts to anyone building or investing in a payments business.

What changed

The recurring themes in SBP's recent output are these. Digital onboarding — frameworks for remote customer identification and verification, which determine how far a product can go without a branch [CURRENT E-KYC REQUIREMENTS TO BE VERIFIED]. Outsourcing and cloud — SBP's framework for banks' and regulated entities' use of outsourced and cloud services, including where data may sit and what must be approved in advance [CURRENT FRAMEWORK AND APPROVAL TRIGGERS TO BE VERIFIED]. Safeguarding — the requirement that an EMI hold customer e-money floats segregated in the prescribed manner, which is the provision that decides whether customers are protected when a fintech fails. Interoperability — the progressive mandating of Raast connectivity across use cases, from person-to-person to merchant and bulk payments. And consumer protection — complaint handling, disclosure and liability for unauthorised transactions, where supervisory attention has visibly increased. Alongside all of it, the Anti-Money Laundering Act 2010 applies to every licensed actor from the first customer, with SBP as sectoral supervisor.

What it means

The first legal question for any payments or digital-finance model is which door it enters by. A digital bank licence permits deposit-taking and lending but carries bank-grade capital and governance obligations. An EMI licence permits issuing e-money and wallets but not intermediation of funds. PSO/PSP authorisation covers switching, gateway and processing activity without holding customer money. And a partnership model — riding on a licensed bank's balance sheet — trades regulatory burden for dependence on the partner's compliance appetite. Choosing wrongly is expensive in both directions: an over-licensed business carries capital it does not need, and an under-licensed one is conducting unauthorised banking business, which is an offence, not a footnote [PENALTY PROVISIONS TO BE VERIFIED]. For investors, the licence also shapes the deal: changes of control in regulated entities require SBP clearance, fit-and-proper tests reach major shareholders and directors, and the condition-precedent list should say so.

What this means for you

Write down the business model in one paragraph — who holds customer money, who bears credit risk, who touches the payment message — and map each function to a licence category before any build. If the model has drifted since licensing, as live products do, re-run the mapping; the perimeter is judged on what you do, not what you applied to do. Confirm the safeguarding arrangements match the current regulations exactly — segregation, permitted investments, reconciliation frequency — because this is the first thing an inspection tests. Review outsourcing and cloud arrangements against SBP's framework and obtain the approvals it requires before migration, not after. For acquirers and investors, put SBP change-of-control clearance and fit-and-proper approvals in the conditions precedent and give the timetable room for them. And treat AML capability as a launch requirement: transaction monitoring tuned to the product, screening, and a compliance officer with real authority. In this sector, the regulator's confidence is the asset; everything else can be rebuilt.

This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.

The position stated is as of 20 May 2026 and must be verified against current law.

Every matter begins with a first conversation.

Contact the Firm