Practice Area
Compliance
We build and run compliance programs for Pakistani businesses — mapping which laws and regulators actually apply, closing the gaps, and answering the regulator's letter when it comes. Clients range from ten-person startups to licensed entities under SECP, SBP, PTA, and DRAP supervision.
Compliance in Pakistan is not one obligation but a stack of them, and the stack is different for every business. At the bottom sits the Companies Act 2017 — the filings, registers, and formalities every company owes SECP. Above it sit the regimes that attach by activity: the Anti-Money Laundering Act 2010 for financial institutions and designated non-financial businesses, the State Bank's framework for anything touching money, PTA and PECA for anything touching networks and platforms, DRAP for medicines and devices, the Competition Act 2010 for everyone who advertises or holds market power. Our compliance practice begins by drawing that stack accurately for a specific business, because most compliance failures start with a regime the company did not know applied to it.
The second failure mode is the opposite: programs on paper. Pakistani businesses do not usually lack policies — they lack policies that name Pakistani statutes, match what the business actually does, and have an owner. A borrowed manual citing foreign law protects no one in front of an SECP adjudicating officer or a State Bank inspection team. We draft short, statute-referenced frameworks, assign every recurring obligation an owner and a date, and put the whole thing on one calendar with board reporting, because a compliance program is a system for remembering, not a binder.
The regulator relationship is managed as deliberately as the obligations. Letters get answered properly the first time; inspections are prepared, coordinated, and recorded; past defaults are cured on the company's initiative rather than discovered on the regulator's. A business writes its file with each regulator one interaction at a time, and years later — in a licence application, an inspection, or an enforcement hearing — that file is read back. We write it accordingly.
There is also a commercial reason this work pays for itself. Every fundraise, credit facility, and exit now runs the same tests: condition-precedent lists, AML and beneficial-ownership checks, vendor questionnaires, diligence searches. Companies with a live compliance calendar pass those tests quickly and negotiate from strength; companies without one pay in time, price, and indemnities. Compliance, done properly, is transaction preparation performed early and cheaply.
The regimes described here move quickly — AML supervision, State Bank licensing categories, and the data-protection landscape have all changed materially in recent years. Everything on this page is stated as of mid-2026, and we confirm the current instruments, thresholds, and forms at the start of each engagement.
When Businesses Need This
The moments this practice exists for.
- 01An investor's condition-precedent list has arrived and the company cannot certify half of it — filings, registrations, policies, approvals.
- 02Your first regulated customer or foreign partner has sent a vendor questionnaire asking about AML controls, data handling, and licences, and there is no honest answer yet.
- 03The company has grown from five people to eighty and nobody owns the filing calendar, the licence renewals, or the board minute book.
- 04You operate in a licensed sector — payments, pharmaceuticals, telecom — and the licence conditions have never been mapped against what the business actually does today.
- 05A regulator has written to you — SECP, the State Bank, PTA, DRAP, or the tax authorities — and the response needs to be right the first time.
- 06You have been told the Anti-Money Laundering Act 2010 applies to your non-financial business and need to know whether that is true and what it requires.
- 07You are entering Pakistan and need a map of which regulators govern your model before launch, not after.
How It Works
The process, stage by stage.
1
Compliance map
We start from what the business actually does — products, money flows, data flows, customers — and map it to the regulators and instruments that govern each activity. Every Pakistani company carries the Companies Act 2017 baseline; the map shows what sits on top of it for this business in particular.
2
Gap assessment
The map is tested against reality: which filings exist, which licences are current, which policies are practiced rather than merely printed. Each gap is risk-rated by the sanction and the regulator behind it, because a missed SECP return and a breached SBP licence condition are not the same problem.
3
Remediation
Gaps are closed in sequence: backlogged filings cured, registrations obtained, licence variations applied for, and defective practices stopped. Where a past breach needs disclosure to a regulator, we manage that approach deliberately rather than waiting to be found.
4
Policies and training
We draft the written framework the business genuinely needs — AML program, sanctions screening, data handling, gifts and payments, whistleblowing — sized to the company, referenced to Pakistani statutes, and short enough that people read it. Training is done on the client's real scenarios, not slides.
5
Calendar and ownership
Every recurring obligation gets an owner, a deadline, and an escalation path, consolidated into one compliance calendar with periodic reporting to the board. Compliance fails at handover, so the calendar is built to survive the departure of the person who built it.
6
Regulator interface
When notices, inspections, and renewals come, we prepare the responses, attend alongside management, and keep the record of what was asked and produced. A company's file with its regulator is written one letter at a time, and we write those letters as if they will be read back in a hearing.
The Legal Framework
The law this work runs on.
- Companies Act, 2017
- The compliance baseline for every company: filings, registers, board and shareholder formalities, and the SECP penalty regime for defaults. Most compliance programs are built on this floor before anything sectoral is added.
- Anti-Money Laundering Act, 2010
- Imposes customer due diligence, record-keeping, and suspicious transaction reporting to the Financial Monitoring Unit on financial institutions and on designated non-financial businesses and professions — a category that includes real estate agents, dealers in precious metals and stones, and accountants and lawyers in defined transactions. Scope and supervisory rules have been revised repeatedly since 2020 and are stated here as of mid-2026.
- SECP and SBP AML/CFT regulations
- The sectoral rulebooks under the AML Act: SECP's regulations for the entities it supervises — brokers, NBFCs, insurers — and the State Bank's for banks, exchange companies, and payment providers. Each prescribes its own CDD, screening, and reporting detail [CURRENT VERSIONS — TO BE VERIFIED AT ENGAGEMENT].
- State Bank of Pakistan framework
- For anything touching money: the Banking Companies Ordinance 1962, the Payment Systems and Electronic Fund Transfers Act 2007 and the EMI regulations under it, and the Foreign Exchange Regulation Act 1947 for cross-border flows. Product features are tested against the licence category before launch, because the State Bank tests them after.
- Pakistan Telecommunication (Re-organization) Act, 1996 and Prevention of Electronic Crimes Act, 2016
- PTA's domain: telecom and class licensing, and the content-blocking and data-preservation powers under PECA and its rules. Relevant well beyond telecom companies — any platform with users in Pakistan feels this regime.
- DRAP Act, 2012, Drugs Act, 1976 and Medical Devices Rules, 2017
- The federal regime for pharmaceuticals and medical devices — manufacturing and import licensing, product registration, and advertising restrictions — administered by the Drug Regulatory Authority of Pakistan, with provincial healthcare commissions separately licensing healthcare establishments.
- Competition Act, 2010
- The conduct rules that apply to every business regardless of sector: prohibited agreements under section 4, abuse of dominance under section 3, and deceptive marketing under section 10 — the provision that catches ordinary advertising claims most often. Compliance programs that ignore competition law leave out the regulator with some of the largest fines.
- Income Tax Ordinance, 2001 and Sales Tax Act, 1990
- The obligations businesses hold as taxpayers and as withholding agents. We cover the legal architecture — registrations, notices, and the consequences of default — with quantification handled alongside the client's tax advisers.
Statutory references are stated as of the page’s as-of date and flagged where verification is pending; the law moves, and the current position should be confirmed before relying on it.
Common Mistakes
The errors we see most — and their price.
- Treating compliance as an annual audit event instead of a calendar someone owns every week.
- Adopting a foreign policy pack that cites GDPR and the UK Bribery Act but not a single Pakistani statute, and calling the program done.
- Assuming the Anti-Money Laundering Act 2010 is a banks-only problem, when the DNFBP categories reach real estate, dealers in precious metals, and professional firms.
- Launching a product feature that crosses a licence line — a wallet, a stored balance, a lending product — on the theory that the licence can follow the traction.
- Ignoring a regulator's first informal letter, and meeting the same question again as a show cause notice on a worse record.
- Holding board and shareholder approvals in fact but never minuting or filing them, so the statutory trail cannot prove decisions ever happened.
- Missing withholding obligations on vendor and salary payments, which accumulate quietly into one of the largest exposures on the balance sheet.
- Making marketing claims no one can substantiate, and meeting the Competition Commission's deceptive-marketing jurisdiction under section 10 for the first time by notice.
Representative Scenarios
The shape of the work.
Illustrative scenarios, not case reports — composites drawn to show how matters of this kind run.
- —A fintech preparing an EMI application maps every product feature against the State Bank's licence categories, re-sequences two features that crossed the line, and enters the application process with a clean design. Illustrative.Illustrative
- —A hospital group's review finds establishment licences current but pharmacy and device registrations lapsed; DRAP and provincial healthcare commission filings are cured, and a renewal calendar installed. Illustrative.Illustrative
- —An SME seeking bank financing cures three years of SECP filing backlog, minutes its undocumented decisions properly, and passes the lender's legal review at the second attempt. Illustrative.Illustrative
- —A securities broker rebuilds its AML program — customer risk-rating, screening, and STR escalation to the Financial Monitoring Unit — ahead of an SECP thematic inspection, and the inspection closes without adverse findings. Illustrative.Illustrative
Questions, Answered
What clients ask about compliance.
Three documents: a map of the regulators and instruments that apply to your specific business, a gap list risk-rated by sanction and likelihood, and a remediation plan with owners and dates. The point is decision-usefulness — a board should be able to read it in one sitting and know what to fix first and what it costs to fix.
By activity, not by label. Every company answers to SECP under the Companies Act 2017. Touch money and the State Bank enters; touch telecom, platforms, or online content and PTA and PECA enter; touch medicines or devices and DRAP enters; employ people and the labour and social security regimes enter; sell to consumers and the Competition Act 2010 conduct rules apply throughout. The map follows what the business does, which is why we start there.
Yes. The Anti-Money Laundering Act 2010 reaches designated non-financial businesses and professions — including real estate agents, dealers in precious metals and stones, and accountants and lawyers in defined transactions — as well as everything SECP and the State Bank supervise. As of mid-2026 the DNFBP regime carries registration, customer due diligence, and reporting obligations with active supervision behind them. Whether your business is in scope is a threshold question we answer early, in writing.
As of mid-2026 there is no general data-protection statute in force — a Personal Data Protection Bill has circulated in successive drafts [STATUS — TO BE VERIFIED]. Data obligations instead come from sectoral rules, PECA 2016, licence conditions, and contract. We build data-handling practices on those sources now, drafted so that a future statute is an adjustment rather than a rebuild.
Almost always, cure deliberately and on your own initiative — late filings with additional fees, regularization applications where the regime provides one, and a considered approach to the regulator where a breach requires disclosure. Waiting converts a filing problem into a credibility problem, and regulators sanction the concealment more heavily than the default. The sequencing matters, so it is planned before the first form is filed.
With preparation and a record. Before: know your file, brief the people who will speak, and identify privileged material. During: one coordinator, produce what is properly demanded, log everything asked and given. After: close out undertakings on time and in writing. Inspections go wrong through improvisation — an unbriefed manager's guess becomes the company's recorded position.
Regulated entities often have no choice — SBP and SECP frameworks require designated compliance functions for their licensees. Outside regulated sectors, the honest answer is proportionality: what every company needs is a named owner for the calendar, board-level reporting, and external counsel behind them; a dedicated hire follows headcount and risk. We structure both models and say plainly which one a client needs.
As the difference between a two-week diligence and a two-month one. Investors and buyers test compliance through condition-precedent lists, warranty schedules, and their own searches, and every unresolved gap is priced against you in the terms. Companies that run a calendar and keep the minute book current close faster and concede less — which is why we treat compliance as transaction preparation done early.
Who To Call
Related Insights
Prepared by The First Counsel · As of 2026-07-12 · Pending professional review — statements flagged in the text are being verified
This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.
