Pakistan PVARA vs India VDA: The Custody Checklist for Fintech Operators Running Gulf-to-South-Asia Corridors

India and Pakistan together processed over $173 billion in remittances in FY2025. India received $135.4 billion, Pakistan a record $38.3 billion. By volume, this two-country corridor cluster is the largest in the world.

A significant share of those flows already moves through stablecoins and crypto rails, outside formal banking, outside any regulatory perimeter, and without a custody framework that could survive scrutiny.

That is changing. But not uniformly.

Pakistan built a crypto regulator, a licensing portal, and bank access for VASPs in under 18 months. India built a 30% tax. Two neighbors, two opposite directions, and both arriving at the same operational question for any operator touching their markets: do you have custody infrastructure that holds up when a regulator looks at it?

(TL;DR)

• Pakistan's PVARA is live. Bank access for VASPs is now conditional on an NOC. If you move money in or out of Pakistan via crypto rails, the clock is running.
• India has no comprehensive crypto law, but the PMLA already likely covers custodial activity under enforcement practice, including assets held only temporarily during settlement. FIU-IND registration is mandatory now. Enhanced Due Diligence requirements went live in January 2026.
• Both markets are converging on the same custody requirement: key management with no single point of failure, asset segregation at the technical layer, and audit trails that regulators can access on demand.
• The operator who builds to FATF standards now - the floor both PVARA and India's eventual bill are building toward - is positioned to adapt rather than rebuild from scratch. If India's framework diverges significantly from FATF baselines, adjustments will be needed. But the structural work does not repeat.

Who Is in Scope, and Why It Matters Differently in Each Market

Regulation is abstract until it affects your banking access or your ability to onboard users. Here is where each operator type is exposed today.

The compliance question is not whether regulation will eventually affect you. It is which regulatory obligation you are already inside, and whether you know it.

Pakistan: What PVARA Actually Requires, and What It Means for Operators

In 2023, Pakistan's Finance Ministry stated that cryptocurrency would "never be legalized." Banks refused to serve crypto firms. An estimated 25 to 40 million Pakistanis were using crypto in a legal gray zone. Much of the $38B in annual remittances flowed through hawala networks and unregulated P2P platforms.

What followed was one of the fastest regulatory pivots in any emerging market.

The timeline:

• July 2025: Pakistan Virtual Assets Ordinance promulgated. PVARA established as an autonomous regulator.
• December 2025: PVARA issues NOCs to Binance and HTX, allowing them to establish local entities and begin full license applications.
• December 2025: Pakistan and Binance sign an MOU to explore tokenizing up to $2 billion in government bonds, treasury bills, and commodity reserves.
• April 14, 2026: State Bank of Pakistan issues Circular No. 10. The seven-year banking ban is lifted. SBP-regulated banks may now open accounts for PVARA-licensed VASPs.
• 2026: Virtual Assets Act moves through parliamentary process. Confirm current status directly at pvara.gov.pk before relying on this for compliance filings, as the parliamentary process was still ongoing at time of publication.

The SBP Circular is the consequence that matters most right now. Before April 2026, no Pakistani bank could legally serve a crypto firm. Now they can, but only if that firm holds a PVARA NOC or license. If you are a remittance operator moving funds through Pakistani banking infrastructure and you have not started the NOC process, your banking relationships are operating on borrowed time.

The three-phase PVARA licensing process

PVARA licenses VASPs across eight categories: advisory services, broker-dealers, exchanges, custodians, wallet providers, token issuers, and others. The process runs in three phases.

• Phase 1 is the NOC: ownership disclosure and an AML policy document. The portal is live at pvara.gov.pk. This is the step you should be doing today.
• Phase 2 is SECP registration: a registered office in Pakistan and local incorporation. Budget for Pakistani counsel and allow four to eight weeks.
• Phase 3 is the full license review: cybersecurity framework, capital adequacy, risk management systems, and ongoing reporting commitments. This is where your custody architecture will be assessed.

PVARA has not yet published detailed technical custody standards. Phase 3 signals direction, cybersecurity, key management controls, risk management, and points toward FATF-aligned requirements. The specific technical rules are still being defined. Operators who wait for the detailed standards before building will be building during their review, not before it.

PVARA includes something no other crypto regulator in the world has: a Shariah Advisory Committee.

This is not a formality. Over 44% of Pakistan's remittance inflows come from Saudi Arabia and UAE, markets where Islamic finance is not an option but a baseline expectation. The banks, payment partners, and in some cases regulators in those corridors will ask whether your product is Shariah-compliant, even if you never positioned it that way.

MPC architecture does not inherently conflict with Islamic finance principles, but how a product is structured, including fee mechanisms, yield components, and custody arrangements, can. If your corridors run through the Gulf, confirm Shariah compatibility with Islamic finance counsel before entering the PVARA licensing process, not after.

India: No Crypto Law, But the Custody Obligation Is Already Here

India's situation is the inverse of Pakistan's. The market is massive, 107 million crypto users depending on methodology (Chainalysis, 2024), but the regulatory framework is incomplete. The temptation for operators is to read "no comprehensive law" as "no obligation." That reading is wrong, and it is costing operators.

What actually exists today

Since 2022, cryptocurrencies are classified as Virtual Digital Assets under the Income Tax Act, legal to hold and trade, not legal tender. The Finance Bill 2025 expanded the VDA definition from April 2026 to cover any crypto-asset on a distributed ledger. (Chambers and Partners, Blockchain 2025).

Your product is operating inside a recognized legal category, which means regulators already have a clear peg to attach obligations to.

Since March 2023, all VDA service providers, including exchanges, wallet providers, and custodians, must register with FIU-IND under the Prevention of Money Laundering Act. This applies to foreign companies with any nexus to India, including serving Indian customers - though the precise nexus threshold for foreign operators has not been formally codified. Under current FIU-IND enforcement posture, serving Indian users without registration carries meaningful regulatory risk. Binance and Kraken were blocked from Indian markets for AML lapses.

Binance and Kraken were blocked from Indian markets for AML lapses.

Since April 2025, SEBI has signaled authority over tokens that generate returns based on someone else's efforts, though no formal crypto-specific regulation has been published. This reflects current enforcement posture, not codified law. Operators should treat it as a live risk, not a confirmed obligation. The self-check for your product is one question: do your users earn a return, and does that return depend on what you or a third party does with their assets? If yes, SEBI may classify your product as a collective investment scheme, which triggers registration, reporting, and securities disclosure obligations. Not engaging with SEBI does not mean you are outside scope. It means you have not been seen yet. To make it concrete:

• Staking pool where you manage the validator: likely in scope
• Yield account funded by lending activity: likely in scope
• Tokenized real estate with rental yield distribution: in scope
• Simple spot exchange with no yield component: generally outside scope

Since January 2026, FIU-IND requires geo-tagging of all users initiating trades and AI-assisted liveness KYC. Liveness KYC means users must complete a real-time action during onboarding, turning their head, blinking, following an on-screen prompt, rather than uploading a static selfie. Geo-tagging means logging the user's location at the moment they initiate a transaction. Both require changes at the technical layer of your onboarding flow, not just a policy update.

What does not exist yet: No comprehensive crypto law, no codified custody requirements, no licensing regime. A bill has been discussed since June 2025 but no public draft has been released. The paradox of India's current situation is that operating without a clear law is harder than operating with one. When there is a law, you have a checklist. When there is only enforcement practice, you find out you interpreted it wrong through an enforcement action. The practical response is to build to FATF standards now, since that is the direction India's eventual bill will take, and to document every compliance decision you make so that if FIU-IND comes asking, you can demonstrate a good-faith effort.

Same Region, Opposite Approaches, Both Pointing to the Same Infrastructure Question

Pakistan tells you what to build and gives you a licensing process to build toward. India tells you that obligations exist now and will tell you more specifically later. The custody infrastructure that satisfies PVARA's Phase 3 signals is the same infrastructure that would satisfy India's eventual VDA framework, because both are building toward FATF standards.

The operator who builds that infrastructure once does not have to rebuild it twice.

What "Building Once for Both Markets" Actually Means

You are building a platform that moves money from Dubai to Karachi. At some point in that flow, you are holding your users' funds, even if only for seconds. Maybe it sits in a hot wallet while you route it. Maybe your system can pause a withdrawal. Maybe you control the address the funds land in before the user can touch them.

That moment, however brief, is what regulators in both Pakistan and India are looking at.

Pakistan's PVARA will ask: show us how your keys are managed. Show us that no single person or server can move funds unilaterally. Show us that client money is technically separated from your own. India's PMLA enforcement already asks the same thing, just without a published rulebook telling you exactly how to answer it.

The operators who build this infrastructure once, covering both markets and every chain they use, are the ones who do not get a surprise audit question they cannot answer. The ones who delay are the ones building their answer while the regulator is already in the room.

And practically: South Asia remittances run on multiple chains. USDT on Tron for speed and low fees. USDC on Solana for B2B. ETH-based stablecoins for larger institutional flows. If you build custody separately per chain, you are maintaining three compliance setups instead of one. Every new requirement from PVARA or FIU-IND hits all three at the same time.

Where This Thesis Could Break

This analysis points in a clear direction, but operators should understand where it could be wrong.

• Pakistan's banking access may remain selective in practice. SBP Circular No. 10 opened the door, but individual banks move at their own pace and with their own risk appetite. Getting your NOC does not guarantee a bank account next month. Run your banking conversations in parallel with your licensing process, not after it.
• India's bill could go stricter than expected. The pending VDA framework could impose requirements more restrictive than FATF standards, higher capital thresholds, tighter stablecoin rules, or restrictions on foreign operators. Building to FATF standards now is the right floor, but monitor the bill's development closely when a draft eventually surfaces.
• PVARA enforcement could be slower than the framework implies. A new regulator building institutional capacity is not the same as a mature enforcement body. Phase 3 custody reviews may be less technically rigorous in the near term than the framework signals. That is not a reason to underbuild. Enforcement bodies mature faster than operators expect, and the cost of being caught underprepared is higher than the cost of building correctly now.
• Pakistan's banking rollback risk is not zero. The current regulatory pivot is driven by economic pragmatism. If that calculus shifts, due to FATF grey-listing pressure, domestic political change, or financial stability concerns, the framework could tighten again. Operators entering the Pakistani market should treat this as a real scenario, not a tail risk.

How Fystack Addresses the Custody Gap in Both Markets

The infrastructure requirements signaled by PVARA Phase 3 and active under India's PMLA enforcement practice describe a set of problems with a clear solution profile.

You need custody infrastructure that satisfies a regulator's assessment of your key management and asset segregation, in Pakistan now, and in India when the bill drops. You need it to work across the chains your remittance corridors actually use. And you need to control it yourself, because delegating custody to a third party does not transfer the regulatory accountability. It adds a vendor dependency to your compliance surface.

One important nuance: regulators do not approve infrastructure architectures. They assess whether an operator's controls, governance, and operational practices meet the required standard. Fystack's infrastructure is designed to make those controls demonstrable, but the compliance outcome still depends on the operator's governance, licensing entity, audit relationships, and banking relationships. Infrastructure is a necessary condition, not a sufficient one.

Contact the Fystack team here for a technical assessment of your current custody setup against PVARA Phase 3 signals and India's PMLA enforcement posture.

What to Do Next

If you operate in Pakistan: Apply for your PVARA NOC now at pvara.gov.pk. The portal is live and Phase 1 only requires ownership disclosure and an AML policy. Do not wait until you have everything perfect. Being inside the process is what keeps your banking relationships intact while you build toward Phase 3. Start SECP incorporation in parallel because the registered office requirement takes longer than most operators expect.

If you operate in India: Register with FIU-IND if you have not done so. That is the only non-negotiable step right now. Then audit your KYC stack against the January 2026 EDD requirements: geo-tagging and liveness verification, not static selfies. After that, treat the PMLA functional control test as your current compliance standard and document how your custody setup answers it. You will need that documentation when the VDA bill arrives.

For both markets: Segregate client assets at the key-management layer, not just in accounting. Cover USDT/Tron, USDC/Solana, and ETH-based stablecoin corridors in your custody architecture. Make sure your audit logs are accessible to regulators without exposing private keys.

FAQ

Share with us what you are building: contact Fystack here

Follow architecture updates and product discussions on Telegram: t.me/+9AtC0z8sS79iZjFl