KYC for Fintech in Pakistan (SBP, SECP and NADRA)

Comprehensive guide to KYC, NADRA biometrics and AML/CFT/CPF compliance for fintechs in Pakistan under SBP, SECP, AMLA 2010 and the Virtual Asset Act 2026.

Regulatory Framework for KYC in Pakistan

Pakistan has built one of the most robust biometric identity systems in the world through NADRA (National Database and Registration Authority). This national register, combined with a strengthened AML/CFT/CPF framework after the country's exit from the FATF grey list, has positioned Pakistan as a market with fully functional digital onboarding for fintechs, digital banks and EMIs (Electronic Money Institutions).

The regulatory ecosystem is distributed across four key authorities:

  • State Bank of Pakistan (SBP): Central bank. Regulates banks, MFBs (Microfinance Banks), EMIs, exchange companies and payment service providers.
  • Securities and Exchange Commission of Pakistan (SECP): Regulates brokers, NBFCs, insurers, investment funds and corporations.
  • Financial Monitoring Unit (FMU): Financial intelligence unit, receives STRs/CTRs.
  • NADRA: National identity authority, manages the biometric register and verification APIs.

The framework rests on the following legal instruments:

  • Anti-Money Laundering Act (AMLA), 2010 and regulations: Section 7A defines the Customer Due Diligence (CDD) obligation.
  • AML/CFT/CPF Regulations issued by SBP (revised) and SECP (amended via SRO 669(I)/2026).
  • NADRA Ordinance, 2000 and NIC Rules amended in 2025-2026 to recognise multimodal biometrics.
  • Virtual Asset Act, 2026: Framework subjecting virtual assets to a reinforced KYC regime.

NADRA and Biometric Verification

The CNIC (Computerized National Identity Card) and SNIC (Smart National Identity Card), issued by NADRA, are mandatory for every Pakistani customer. Without a valid CNIC it is not possible to open a bank account or contract financial services.

NADRA Verification Methods

Reporting entities (banks and MFBs) must verify the customer via one of the following mechanisms:

  • NADRA Verisys: Direct query against the NADRA database. Validates name, photograph, date of birth and document status.
  • Biometric Verification (BV): Biometric check with liveness detection via NADRA terminals or authorised APIs.
  • Multi-biometrics (2025-2026): Amendments to the National Identity Card Rules expand the definition of biometrics to legally recognise fingerprint + facial recognition + iris, aligned with NADRA systems. Previously only fingerprint was recognised.

Contactless Facial Verification

Since January 2026, NADRA issues biometric verification certificates based on facial recognition at all its registration centres, expanding options for individuals who cannot complete fingerprint verification (elderly, manual workers). SBP has authorised banks to deploy contactless biometric verification through mobile apps, capturing and verifying customer biometrics from home.

SBP KYC Requirements for Fintechs

Mandatory Customer Identification

SBP-regulated entities must collect:

  • Scanned copy or photograph of the valid original CNIC/SNIC issued by NADRA.
  • NADRA Verisys or Biometric Verification with liveness.
  • Socio-economic data: occupation, source of funds, monthly income.
  • Account purpose and expected transactional pattern.
  • For foreign residents: valid passport, POC (Pakistan Origin Card) or NICOP where applicable.

Mandatory Risk-Based Approach

SBP requires each reporting entity to produce an Internal Risk Assessment Report (IRAR) identifying and assessing ML/TF/PF risks at:

  • Customer level.
  • Product level.
  • Distribution channel.
  • Technology.
  • Employees.

The IRAR must be updated periodically and tailored to the entity's risk profile.

Diligence Levels

  • Simplified Due Diligence (SDD): Allowed only for low-risk products explicitly identified by SBP.
  • Standard CDD: Applied to most customers.
  • Enhanced Due Diligence (EDD): Mandatory for PEPs (domestic and foreign), family members and close associates, high-risk jurisdictions, correspondent banking and complex transactions.

SECP KYC Requirements for Fintechs

SECP regulates brokers, NBFCs, insurers and funds. Its 2020 AML/CFT/CPF regulations, amended by SRO 669(I)/2026, have strengthened digital onboarding:

Digital Investor Onboarding

In 2025-2026, SECP proposed a framework for digital investor onboarding that would include:

  • Mandatory biometric verification via NADRA.
  • Investor IBAN verification to ensure traceability of source of funds.
  • Validation of consistency between customer data and the originating bank account.
  • AML/CFT screening against international and domestic proscribed lists.

For corporate clients, fintechs must collect:

  • Certificate of Incorporation and NTN (National Tax Number).
  • Memorandum and Articles of Association.
  • Board resolutions authorising account opening and signatories.
  • CNIC of each director, significant shareholder and signatory.
  • Identification of the Ultimate Beneficial Owner (UBO) with ownership above 25%.
  • For listed companies, disclosure under the Companies Act 2017.

Virtual Assets: Virtual Asset Act 2026

The Virtual Asset Act 2026, approved by the Senate of Pakistan, subjects Virtual Asset Service Providers (VASPs) to a formal licensing regime and requires:

  • Reinforced KYC with mandatory NADRA biometrics.
  • Beneficiary identification and source of funds for each transaction.
  • Implementation of the FATF Travel Rule for transfers between VASPs.
  • Mandatory reporting to FMU.
  • Compliance with international sanctions and on-chain transaction monitoring.

This legislation opens the first legal pathway for exchanges, custodians and crypto services in Pakistan, aligned with MiCA-equivalent standards.

Sanctions Lists and Screening

Reporting entities must screen against:

  • UNSC Consolidated List (United Nations sanctions).
  • Schedule IV of the Anti-Terrorism Act, 1997 (domestic proscribed list).
  • NACTA Watch List (National Counter Terrorism Authority).
  • OFAC, EU and other international lists as applicable.

Reporting and Recordkeeping

  • STRs (Suspicious Transaction Reports) and CTRs (Currency Transaction Reports) are filed with FMU.
  • Cash transactions and transfers above regulatory thresholds must be reported.
  • Minimum 5-year retention of all KYC and transactional documentation from the end of the relationship.

Sanctions for Non-Compliance

  • Significant administrative fines imposed by SBP or SECP.
  • Custodial sentences and fines under AMLA 2010.
  • Suspension or revocation of licences.
  • Inclusion in supervised-entity lists with restrictions.
  • Personal liability for directors and the designated CAMLCO.

Opportunities for Fintechs

Pakistan has emerged as one of the most attractive fintech markets in South Asia:

  • Mature biometric verification: NADRA enables end-to-end remote onboarding with low fraud rates.
  • FATF grey-list exit: Restored the country's appeal for investment and cross-border services.
  • Full digital banking: SBP issues Digital Bank and Digital Retail Bank licences.
  • Formalised crypto market: Virtual Asset Act 2026 paves the way for licensed VASPs.

Joinble integrates with NADRA Verisys and Biometric Verification to offer fintechs, EMIs, NBFCs and VASPs in Pakistan digital onboarding with face-match, liveness, CNIC validation, IBAN check and AML/CFT/CPF screening aligned with SBP, SECP and AMLA 2010. Our AI Agents automate continuous risk grading and IRAR generation, removing friction without sacrificing compliance.

Frequently Asked Questions

What is NADRA and why is it central to Pakistani KYC?

NADRA is the National Database and Registration Authority, the body that manages the national biometric register and issues the CNIC/SNIC. Every financial relationship in Pakistan requires verification against NADRA via Verisys or Biometric Verification, making this register the cornerstone of the country's KYC system.

What types of biometrics are legally recognised in Pakistan?

Following the 2025-2026 amendments to the NIC Rules, the following are legally recognised: fingerprint, facial recognition and iris, all aligned with NADRA systems. Before the reform, only fingerprint had legal validity.

Is 100% remote onboarding possible in Pakistan?

Yes. SBP authorises contactless biometric verification through mobile apps. Since January 2026, NADRA issues facial verification certificates at all its centres, allowing banks and fintechs to complete end-to-end digital onboarding without physical presence.

What does the Virtual Asset Act 2026 cover?

The Virtual Asset Act 2026 establishes the framework for licensing VASPs in Pakistan. It requires reinforced KYC with NADRA biometrics, UBO identification, implementation of the FATF Travel Rule and reporting to FMU. It is the first formal regulation of the crypto sector in the country.

What is the difference between SBP and SECP regulations?

SBP regulates banks, MFBs, EMIs, exchange companies and payments. SECP regulates brokers, NBFCs, insurers and funds. Both apply the AMLA 2010 framework but issue parallel operational regulations. A fintech may be subject to one or the other depending on its licence, or to both in mixed business models.

How does Joinble support Pakistani fintechs?

Joinble integrates NADRA Verisys and Biometric Verification, offering face-match, liveness, CNIC validation and IBAN check, together with AI-Agent-driven automated risk grading and AML/CFT/CPF screening aligned with SBP, SECP and AMLA 2010, including support for the Virtual Asset Act 2026.
