Loading...
Banking Regulations, Foreign Exchange, Digital Payments & FinTech Licensing
| Rate/Scheme | Current Value | Effective Date | Notes | Reference |
|---|---|---|---|---|
| Policy Rate | 10.50% | Apr 2026 | BPRD Circular C1/2026 | |
| Export Finance Scheme (EFS) | Variable | Ongoing | Refinance at subsidized rate for exporters | |
| Long-Term Financing Facility (LTFF) | Variable | Ongoing | Long-term loans for export-oriented sectors | |
| 180-Day Repatriation | Mandatory | Ongoing | Export proceeds must be repatriated within 180 days | |
| Raast (Instant Payments) | Real-time | 2023+ | Free person-to-person; B2B via bank integration | |
| Digital Banking License | Regulated | 2022+ | BPRD C2/2022 framework for DSP licensing |
| Indicator | Value | As Of | Notes | Reference |
|---|---|---|---|---|
| Policy Rate | 10.50% | Mar 2026 | Unchanged from Feb 2026 | |
| KIBOR 12M | 11.51% | Apr 2026 | Inter-bank rate | |
| Foreign Reserves (Total) | $21,789.6M | Apr 2026 | SBP + banks | |
| PKR/USD | ~279.10 | Apr 2026 | Interbank rate | |
| Inflation (CPI) | 7.3% | Mar 2026 | 17-month high | |
| ICT Exports H1 FY25 | $1.86B | H1 FY25 | +28% YoY |
| Reference | Title | Year | Department | Key Requirement | |
|---|---|---|---|---|---|
| CRMD CL01/2026 | Cyber Shield - Cyber Resilience Strategy 2025-2030 | 2026 | CRMD | Mandatory cyber resilience program for all regulated entities | |
| BPRD C1/2026 | Teenager Account/Wallet Framework | 2026 | BPRD | Digital wallet for 13-17 year olds with guardian oversight | |
| PSD C4/2025 | Technology Risk Management Framework for Payment Institutions | 2025 | PSD | IT governance, cybersecurity, BCP. Compliance by Mar 2026 | |
| PSD C1/2025 | Raast Participation Criteria | 2025 | PSD | Updated rules for Raast instant payment participation | |
| PSD C3/2025 | Raast P2M QR Payment Subsidy (PKR 3.5B) | 2025 | PSD | Government subsidy to expand QR merchant acceptance | |
| BPRD C1/2025 | Consolidated Customer Onboarding Framework | 2025 | BPRD | Digital KYC/CDD standards, e-Sign, biometric verification | |
| BPRD CL7/2025 | VPN for SBP Hosted Portals | 2025 | BPRD | IT connectivity transition to VPN for Service Desk/RAS | — |
| PSD C1/2024 | Customer Notifications for Digital Payments | 2024 | PSD | Push/in-app notifications replacing SMS | — |
| PSD C1/2023 | Guidelines for Downtime of Digital Channels | 2023 | PSD | 99.5% uptime SLA, incident reporting | — |
| PSD C2/2023 | No Services to Unauthorized Digital Lending Apps | 2023 | PSD | Banks/EMIs must not serve unlicensed apps | — |
| PSD C3/2023 | Regulations for Electronic Money Institutions | 2023 | PSD | Updated EMI regulatory framework | — |
| PSD C4/2023 | Launch of Raast Person-to-Merchant (P2M) | 2023 | PSD | P2M payments operational | — |
| PSD CL6/2022 | Mobile Applications Security Guidelines | 2022 | PSD | Secure coding, VAPT, certificate pinning | — |
Choose a bank with international banking services (14 banks offer RDA)
SBP has implemented the electronic Proceeds Realization Certificate (ePRC) system to streamline export documentation. All IT exporters must register for ePRC to obtain realization certificates electronically. This replaces the manual PRC process.
Source: SBP Official Website | FE Circular Letter 05/2026
The State Bank of Pakistan (SBP) issues Foreign Exchange (FE) Circulars that govern all foreign exchange transactions, including IT export remittances. These circulars are the primary regulatory instrument through which SBP directs banks on forex procedures, export repatriation timelines, and reporting requirements.
Key circulars affecting IT exporters:
Reference: SBP BPRD Circulars
IT exporters must comply with SBP's export repatriation requirements. The key rules under FECL 05/2026:
| Requirement | Rule | Reference |
|---|---|---|
| Repatriation Window | 180 days from date of shipment/invoice | FECL 05/2026 |
| Designated Bank Branches | PSEB-identified branches for IT sector facilitation | PSEB IT Policy |
| ePRC Registration | Mandatory for all exporters | SBP ePRC Portal |
| Export Proceeds Form | Form M (for goods), SBP declaration for services | SBP FECL |
| RDA Accounts | Non-resident accounts at preferential exchange rates | SBP RDA Framework |
| Reporting | Quarterly reports to PSEB on export remittances | PSEB Guidelines |
Important: Export proceeds must come through official banking channels (SWIFT). Crypto payments do not qualify for 0.25% WHT under Section 152A ITO 2001.
| Scheme | Rate | Eligibility | Max Amount |
|---|---|---|---|
| LTFF (Long-Term Financing Facility) | 6-month KIBOR + 2% (as of April 2026) | IT exporters with PSEB reg. | Rs. 400M |
| EFS (Export Finance Scheme) | SBP refinance rate + 1.5% | All exporters | Based on export value |
| PM Kamyab Jawan | 3-5% (tier-based) | Startups & SMEs | Rs. 5M |
SBP's Banking Policy & Regulations Department (BPRD) issues circulars that IT companies must comply with when handling financial transactions:
IT companies opening bank accounts for export remittances must comply with:
IT exporters need to be familiar with key SBP forms and declarations:
| Form | Purpose | When Required |
|---|---|---|
| Form M | Import declaration | When importing IT equipment |
| ePRC | Export proceeds realization | For every export remittance |
| SBP Declaration | IT service export declaration | With each remittance |
| WeBOC GD | Goods declaration | Only for hardware imports (not software exports) |
| FBR Withholding Statement | Monthly tax deduction report | Monthly (Section 165 ITO 2001) |
Failure to comply with SBP foreign exchange regulations carries severe penalties:
Reference: SBP FECL 05/2026
| Reference | Title | Year | Key Points |
|---|---|---|---|
| CRMD CL01/2026 | Cyber Shield — Cyber Resilience Strategy 2025-2030 | 2026 | First CRMD circular. Mandates cyber resilience program for all regulated entities |
| BPRD C1/2026 | Teenager Account/Wallet Framework | 2026 | New digital wallet category for 13-17 year olds |
| DRB License | Raqami Islamic Digital Bank — Digital Retail Bank License | 2026 | Third DRB license issued under new digital banking framework |
| PSD C4/2025 | Technology Risk Management Framework for Payment Institutions | 2025 | Compliance deadline: March 2026. Covers IT governance, cybersecurity, BCP |
| BPRD C1/2025 | Consolidated Customer Onboarding Framework | 2025 | Digital KYC/CDD standards including e-Sign, biometric verification |
| BPRD CL7/2025 | VPN for SBP Hosted Portals Connectivity | 2025 | Transition to VPN for Service Desk and RAS access |
| PSD C1/2024 | Customer Notifications for Digital Payments | 2024 | Push/in-app notification replacing SMS for payment alerts |
| PSD C2/2023 | Digital Payment Services to Unauthorized Digital Lending Apps | 2023 | Banks/EMIs must not provide services to unlicensed lending apps |
| PSD C1/2023 | Guidelines for Downtime of Digital Channels | 2023 | Uptime SLAs: 99.5% for digital channels, incident reporting requirements |
| PSD CL6/2022 | Mobile Applications Security Guidelines | 2022 | Secure coding, VAPT, certificate pinning requirements |
SBP has created a Digital Retail Bank (DRB) category — fully digital banks with no physical branches. Three licenses issued:
| Bank | Year | Type | Significance |
|---|---|---|---|
| Easypaisa Bank (SBP DRB licenses, as of April 2026) | 2025 | Conventional DRB | First DRB license — largest mobile wallet operator in Pakistan |
| Mashreq Bank Pakistan (SBP DRB licenses, as of April 2026) | 2025 | Conventional DRB | International bank entering Pakistan as digital-only |
| Raqami Islamic Digital Bank (SBP DRB licenses, as of April 2026) | 2026 | Islamic DRB | First Islamic digital bank — Shariah-compliant digital banking |
Per BPRD C1/2026, SBP has introduced a Teenager Account/Wallet category for 13-17 year olds with digital onboarding and guardian oversight. This creates new product requirements for:
Per BPRD C1/2025, SBP consolidated all previous account opening instructions into a single framework. Key IT impacts:
As of January 2026, SBP authorizes 6 EMIs for commercial operations, 4 in pilot/IPA:
| EMI | App | Status | Products |
|---|---|---|---|
| NayaPay | NayaPay | Commercial | Consumer/Merchant Wallets, Agent, Gateway, Acquiring |
| Finja | OPay | Commercial | Consumer/Merchant Wallets, Agent, Gateway |
| SadaPay | SadaPay | Commercial | Consumer Wallets |
| Akhtar Fuiou | Digitt+ | Commercial | Consumer Wallets |
| E-Processing | OneZapp | Commercial | Consumer Wallets |
| Wemsol | Keenu | Commercial | Consumer Wallets |
| Pilot: HubPay, YAP Pakistan, Cerisma, Toko Lab | |||
| Revoked: TAG Innovation, Careem Payment Solutions, Checkout, CMPECC | |||
Per CRMD CL01/2026, the Cyber Shield strategy goes beyond the four priorities initially summarized. The PDF reveals five priorities with specific action items: (Federal (SBP))
| Priority | Action Items | Key Outcome |
|---|---|---|
| 1. Strengthen | Cyber-testing framework for controlled attack simulations; tiered cybersecurity regulations; maturity assessment mechanism; Zero Trust Architecture roadmap; 2-hour RTO for FMIs; designate systemically important payment systems | Improved cyber resilience; risk-based investment |
| 2. Mature | Formalize CISO/CIO-CTO role expectations; enhance BoD cyber risk literacy; mandatory board deliberations on cyber risk | Effective cyber governance at all levels |
| 3. Enhance | Threat intelligence & info-sharing platform; standardized IT/cyber incident reporting; FinCERT establishment; multi-year cyber exercising program | faster incident response; cross-entity collaboration |
| 4. Develop | Cyber skills gap survey; competency roadmap & training programs for banking sector | Reduced cyber workforce gap |
| 5. Evolve | Regular strategy review; emerging tech advisories (AI, quantum); strengthen third-party risk oversight; annual cyber threat landscape report | Adaptive, future-proof cyber programs |
Per BPRD C1/2025, the consolidated framework provides detailed digital onboarding provisions: (Federal (SBP))
SBP REs may open accounts/wallets remotely via:
Digital onboarding limited to: CNIC/NICOP/POC/POR/ARC holders
| Category | Required Information |
|---|---|
| Basic Info | Full name, mother's maiden name, DOB, place of birth, father/spouse name, gender |
| ID Document | ID number, issue/expiry date, passport (foreign nationals) |
| Contact | Current mailing address, permanent address, cell number, email, emergency contact |
| FATCA/CRS | Resident/non-resident status, tax residencies, nationalities |
| Source of Income | Profession, purpose of account, beneficial owner details |
For corporate/business accounts, SBP requires: entity registration details, tax registration, list of persons associated (authorized signatories, beneficial owners with 20%+ ownership, or 10%+ for EDD cases), board members, nature of business, and purpose of account.
SBP mandates specific TAT for account opening — digital channels must process within defined SLAs. Smart Computerized Account Opening Interface at branches must automate the onboarding process.
SBP’s BPRD C4/2025 (BCFRF) establishes consumer protection standards with specific data protection provisions: (Federal (SBP))
| Pillar | Key IT-Relevant Provisions |
|---|---|
| Pillar 4: Data Protection & Privacy | General rules for data collection/processing; customer consent management; confidentiality & anonymization of customer data; security of customer data under third-party arrangements; data breach notification requirements |
| Pillar 5: Dispute Resolution | Complaint handling mechanism with defined TAT; FIs must resolve digital banking fraud complaints within stipulated time; call center management standards; digital fraud information collection |
| Pillar 2: Disclosure & Transparency | Key Facts Statement (KFS) mandatory; credit card summary box; standardized terms & conditions; advertising standards |
Per PSD C4/2025 (TRM Framework), SBP has established clear fraud liability rules for payment institutions: (Federal (SBP))
| Scenario | Liability |
|---|---|
| Dispute not lodged within 30 min of customer complaint | Originating PI liable for all customer losses |
| Customer unable to lodge dispute (channel unavailable) | Originating PI fully liable |
| Disputed funds not blocked in beneficiary account within 30 min | Beneficiary PI liable for all customer loss |
| False customer registration (controls absent/improper) | Responsible PI bears full liability |
| PI cannot prove transaction from registered device | PI liable to compensate customer |
| Delayed transaction alerts | PI fully liable for resulting customer losses |
| Data breach causes financial loss | Bank/PI must compensate within 2 business days (PSD C9/2018) |
SBP is transitioning government security auctions and open market operations to PRISM+ (upgraded Real-Time Gross Settlement system): (Federal (SBP))
For: Non-Resident Pakistanis & IT freelancers abroad
Benefits: 1% better exchange rate, digital account opening, PSX/NPC investment, property purchase
Banks: HBL, UBL, MCB, Bank Alfalah, Meezan, etc.
For: All individuals and businesses
Benefits: Real-time P2P payments (free), P2M payments, QR-based invoicing
Integration: API access for business platforms
Launched: March 19, 2026 (BPRD CRMD CL 01/2026)
Scope: Banking sector cybersecurity framework
IT Impact: Vendors to banks need SOC 2/ISO 27001, third-party risk assessments mandatory
Per PSD C3/2025: (Federal (SBP))
| Wallet Type | Monthly Credit | Max Balance |
|---|---|---|
| Basic E-Money Wallet | PKR 40,000 | PKR 20,000 |
| Enhanced E-Money Wallet | PKR 400,000 | PKR 200,000 |
| Basic Minor Wallet (under 18) | PKR 37,000 | PKR 10,000 |
| Enhanced Minor Wallet (under 18) | PKR 100,000 | PKR 50,000 |
| Regulation | Key Point |
|---|---|
| PSD C9/2018 | 3rd-party VAPT mandatory; free SMS+email transaction alerts; biometric for internet banking activation; data breach notification within 48hrs; compensation within 2 business days (Federal (SBP)) |
| PSD C5/2016 | Payment card security framework; EMV compliance; fraud & dispute resolution management (Federal (SBP)) |
| PSD C3/2015 | Internet banking security; 2FA; IDS/IPS; breach response (Federal (SBP)) |
| Metric | Value | Source |
|---|---|---|
| Policy Rate | 10.50% (Federal SBP) (as of April 2026) | SBP |
| KIBOR 12M | 11.51% (as of April 2026) | SBP |
| PIB 5Y Yield | 12.50% | SBP |
| Foreign Reserves | $21.79B (SBP $16.38B + Banks $5.41B) | SBP |
| PKR/USD | ~279.10 | SBP |
| SBP Liquidity Injection | Rs. 13.68T (Apr 4, 2026) | SBP |
| Adult Bank Account Ownership | 67% | SBP |
| Teen Population (13-18) | 26 million | SBP |
| Document | Year | Key Points (from PDF) |
|---|---|---|
| Digital Banks Framework | 2022 | DRB (PKR 1.5B → 2B → 4B MCR phased), DFB (PKR 6.5B → 10B), 4-stage licensing (NOC → IPA → Pilot → Commercial), 3-year transition, EMI conversion to DRB pathway |
| EMI Regulations (Revised 2023) | 2023 | PKR 200M min capital, tiered ongoing capital by OEB, enhanced wallets up to PKR 1M, minor wallets (basic PKR 50K / enhanced PKR 400K for freelancer minors), escrow services, 2FA mandatory, trust account at A+ rated bank |
| PSO/PSP Rules 2014 | 2014 | Foundation for payment system licensing — PSO/PSP definitions, capital requirements, governance, agent management, interoperability, and SBP oversight framework |
| SBP Regulatory Sandbox Guidelines | 2019 | Thematic cohorts, open to non-licensed entities (fintechs, telcos, startups), 4-stage lifecycle (Application → Evaluation → Testing → Exit), Innovation Hub as front door, Sandbox Committee (Deputy Governor-chaired) |
| EFT Regulations 2018 | 2018 | Electronic fund transfer rules — IBFT, instant payments, transaction monitoring, dispute resolution, security requirements |
| SBP Forex Retention PR (Oct 2023) | 2023 | IT exporter forex retention 35% → 50%; Freelancer framework: USD 5,000/mo retention; Debit cards on ESFCAs; No SBP approval needed for ESFCA payments |
| Bank Type | MCR at Pilot License | MCR at Commercial Launch | MCR Year 1 | MCR Year 2 | MCR Year 3 |
|---|---|---|---|---|---|
| Digital Retail Bank (DRB) | PKR 1.5 Billion | PKR 2 Billion | PKR 2.5 Billion | PKR 3 Billion | PKR 4 Billion |
| Digital Full Bank (DFB) | PKR 6.5 Billion | N/A (must meet DFB MCR) | PKR 8 Billion | PKR 10 Billion | — |
Licensing Stages: Pre-Application → Application (PKR 1M fee) → NOC → SECP Incorporation → IPA (12-month validity) → Operational Readiness → Pilot (3-9 months, restricted license) → Commercial Operations → 3-Year Transition Phase
EMI to DRB Conversion: EMIs with 1+ year DFS experience may apply to transform into DRBs. Pilot phase operation period counts toward experience requirement.
Source: Licensing & Regulatory Framework for Digital Banks (PDF) (Federal (SBP))
| Average Daily Outstanding E-Money Balance (OEB) | Minimum Ongoing Capital |
|---|---|
| Up to PKR 4 Billion | PKR 200 million |
| PKR 4B – PKR 10B | PKR 200M + 5% of OEB exceeding PKR 4B |
| PKR 10B – PKR 20B | PKR 500M + 7.5% of OEB exceeding PKR 10B |
| Above PKR 20 Billion | PKR 1.25B + 10% of OEB exceeding PKR 20B |
Security Deposit: 10% of required capital at SBP BSC (5% non-remunerative current account + 5% government securities under lien).
Source: Regulations for EMIs (Revised June 2023, PDF) (Federal (SBP))
| Wallet Type | Monthly Load Limit | Cash Withdrawal | Verification Required |
|---|---|---|---|
| Pilot Operations | PKR 50,000 (CNIC) / PKR 200,000 (Biometric) | PKR 10,000/day | NADRA VeriSys or Biometric |
| Commercial Operations | PKR 50,000 (CNIC) / PKR 400,000 (Biometric) | PKR 10,000/day (CNIC); Risk-based (Biometric) | NADRA VeriSys or Biometric |
| Enhanced Wallet | Up to PKR 1,000,000 | Risk-based | Income proof, CNIC/SIM pairing, TMS, detailed risk profiling |
| Basic Minor Wallet (under 18) | PKR 50,000 | PKR 10,000/day | Linked to parent/guardian wallet |
| Enhanced Minor Wallet (Freelancers under 18) | PKR 400,000 | PKR 10,000/day | Biometric, parent/guardian undertaking |
Wallet Limit Exclusions: Fully licensed EMIs with proven track record may apply to exclude: employer salary credits, inward remittances up to PKR 1.5M, and utility bill payments from wallet limits.
Source: Regulations for EMIs (Revised June 2023, PDF) (Federal (SBP))