● ~18 min read ● ~4,500 words ● Author: Malik Abbas, CEO CoinConnect
1. What FMU goAML Actually Is | 2. The Three Laws That Govern AML for Pakistani VASPs |
3. Why VASPs Are Reporting Entities Under AMLA 2010 | 4. The goAML Registration Process Step-by-Step |
5. STR Reporting --- Suspicious Transaction Reports | 6. CTR Reporting --- Cash Transaction Reports (PKR 2 Million Threshold) |
7. The FATF Travel Rule for VASPs | 8. PVARA's No-Outsourcing Rule for AML-Critical Functions |
9. Sanctions Screening --- The Pakistan TFS List Problem | 10. Record Retention --- The 10-Year Rule |
11. Five Common goAML Compliance Failures | 12. Frequently Asked Questions |
13. Sources Cited |
1. What FMU goAML Actually Is
Pakistan's Financial Monitoring Unit (FMU) is the country's Financial Intelligence Unit (FIU), established under the Anti-Money Laundering Act 2010 (AMLA). FMU receives, analyses, and disseminates Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs) filed by Reporting Entities --- banks, exchange companies, securities brokers, insurance companies, designated non-financial businesses and professions (DNFBPs), and now Virtual Asset Service Providers (VASPs). FMU sits under the State Bank of Pakistan organizationally but operates with independent decision-making authority on day-to-day operational matters.
goAML is the United Nations Office on Drugs and Crime's (UNODC) standardized software platform for FIU operations globally. Pakistan's FMU implemented goAML as its primary reporting and case-management system. For Pakistani Reporting Entities --- including every PVARA-licensed VASP --- goAML is the operational mechanism through which they submit STRs and CTRs, receive feedback from FMU analysts, and maintain the audit trail FMU regulators expect during examinations.
Registration on goAML is Stage 5 of the six-stage post-NOC operational gauntlet covered at Post-NOC-Pakistan-operational-playbook. Unlike SECP incorporation (Stage 1, procedural) or FBR registration (Stage 2, also procedural), goAML registration is an active commitment --- the moment a VASP completes goAML registration, the AMLA 2010 obligations crystallize: STR filing on suspicion without delay, CTR filing for any cash transaction at or above PKR 2 million, 10-year record retention, sanctions screening, and the prohibition on tipping off customers about reports filed. This article walks through every operational requirement that flows from goAML registration.
Key Takeaway |
FMU goAML registration is not a tickbox. It is the moment a Pakistani VASP becomes a Reporting Entity under AMLA 2010, with binding obligations on STR filing, sanctions screening, record retention, and FATF Travel Rule compliance. PVARA's Regulation 15.4 makes NOC the pre-AML-registration clearance --- meaning every NOC holder must complete goAML registration before AML obligations can begin running. The detailed Form A3 walkthrough at Fit-and-proper-test-pvara-form-a3 covers the MLRO Fit & Proper requirements that precede this stage. |
2. The Three Laws That Govern AML for Pakistani VASPs
Pakistan's AML framework for crypto VASPs rests on three legal layers operating together. Understanding which obligation comes from which law matters because the penalties, statutory timelines, and supervisor differ across layers.
Law / Framework | What It Governs | Issuing Authority |
Anti-Money Laundering Act 2010 (AMLA) | Definition of Reporting Entities; STR and CTR filing obligations; FMU's powers; record retention; penalties; tipping-off prohibition | Parliament of Pakistan; FMU is administrator |
PVARA NOC Regulations 2025 + Sandbox Guidelines 2026 | Specific AML/CFT framework for VASPs; MLRO and Compliance Officer requirements; no-outsourcing rule for AML-critical functions; entity-level Sharia compliance interactions | PVARA |
FATF Recommendations 15 and 16 | International standards for virtual assets (R15) and the Travel Rule for wire transfers including virtual asset transfers (R16); PKR 1 million threshold | Financial Action Task Force (FATF), implemented by FMU and PVARA |
Three additional layers are relevant: SBP's AML/CFT/CPF Regulations (covering bank-level AML obligations that flow downstream to bank relationships with VASPs), FMU's STR Guidelines and CTR Guidelines (procedural standards for filing format), and the United Nations (Security Council) Act 1948 read with SROs issued by the Ministry of Foreign Affairs (for sanctions implementation, including listing of designated persons under UN Security Council resolutions).
3. Why VASPs Are Reporting Entities Under AMLA 2010
AMLA 2010 defines Reporting Entities to include Financial Institutions (FIs) and Non-Financial Business and Professions (NFBPs). The Act was amended in 2020 via Gazette Notification F.22(50)/2020-Legis to expand the categories of Reporting Entities and strengthen the FMU's powers. By the time PVARA's NOC Regulations 2025 came into force, VASPs were already structurally within scope as Reporting Entities through the financial institutions framework, with additional VASP-specific requirements layered on by PVARA.
Why this matters operationally
Once registered with FMU and operating under a PVARA NOC, a Pakistani VASP carries the same AML obligations as a bank, with three structural specificities:
STR obligation triggers on suspicion --- the standard is reasonable grounds to suspect, not certainty of money laundering or terrorism financing
CTR obligation triggers at thresholds --- PKR 2 million in a single day in cash transactions, aggregated for the same customer
Travel Rule obligation triggers at PKR 1 million for virtual asset transfers --- different and lower than the CTR threshold, capturing routine retail transfers
Penalties for non-compliance
AMLA 2010 imposes substantial penalties on Reporting Entities that fail to comply with the framework:
Failure to file an STR within statutory timelines --- fines up to PKR 5 million per violation; severe cases attract criminal prosecution of the MLRO and senior management
Tipping off a customer about a filed STR --- criminal offence with imprisonment and significant fines
Failure to maintain records for the 10-year statutory period --- administrative penalties plus criminal exposure in cases of deliberate destruction
Failure to register on goAML before commencing operations --- operational suspension by FMU plus reputational damage with PVARA
4. The goAML Registration Process Step-by-Step
goAML registration is digital, through the FMU's web portal at goamlweb.fmu.gov.pk. The process has multiple steps that must be completed in order; skipping or out-of-order completion creates rejection cycles.
Pre-registration prerequisites
PVARA NOC already granted --- Regulation 15.4 of the NOC Regulations 2025 makes the NOC the pre-AML-registration clearance
SECP incorporation complete --- the Pakistani entity must exist as a registered company. SECP walkthrough at secp-crypto-company-registration-pakistan
FBR National Tax Number issued --- required for goAML organization registration
MLRO appointed and Fit & Proper sign-off complete --- covered in detail at Fit-and-proper-test-pvara-form-a3
AML/CFT policy documentation in final form --- uploaded as part of registration
Step 1 --- Person of Reporting Entity registration
The MLRO (or the designated goAML administrator on behalf of the VASP) registers as a Person of Reporting Entity on the goAML web portal. This is the individual user account that will be associated with the entity. The registration form captures contact details, role, identification, and the entity that the person represents.
Critical note: do not select Individual User during registration. The Individual User type is for personal AML reporting (rare) and does not create the Reporting Entity relationship. Select Person of Reporting Entity, which links to the organizational entity in the next step.
Step 2 --- Organization registration
The Reporting Entity itself is registered as an Organization in goAML. The Organization Business Type for a VASP is currently typically selected as Financial Institution with VASP / Virtual Asset Service Provider sub-classification where the goAML version supports it. Documentation uploaded during organization registration includes:
SECP Certificate of Incorporation
FBR NTN certificate
PVARA NOC certificate
AML/CFT policy documentation (typically 50--80 pages covering CDD, transaction monitoring, sanctions screening, STR escalation, Travel Rule implementation, PEP handling, record retention)
MLRO appointment documentation with Fit & Proper credentials
Authorised signatory documentation for goAML correspondence
Sanctions screening vendor confirmation (typically World-Check, Refinitiv, or equivalent) demonstrating coverage of OFAC, UN, EU, UK, and Pakistan TFS lists
Step 3 --- FMU verification and approval
FMU reviews submitted documentation. For PVARA-NOC VASPs, FMU coordinates with PVARA on the substantive review. Verification typically takes 2 to 6 weeks. Deficiencies result in resubmission requests on the goAML message board. Once approved, the goAML administrator account is activated and the Reporting Entity can begin filing STRs and CTRs.
Step 4 --- Ongoing maintenance
The MLRO maintains the goAML account, manages user additions or removals (deputy MLRO, additional compliance officers), updates organisation information as it changes, and responds to FMU communications through the goAML message board. The platform is the day-to-day operating system of the VASP's AML function --- not a quarterly reporting tool.
Total goAML registration timeline |
Realistic end-to-end goAML registration for a PVARA-NOC VASP is 30 to 60 days from first portal access to active Reporting Entity status. Faster than incorporation (60--90 days) and banking (90--180 days) but slower than NTN issuance (5--10 working days). Begin goAML registration immediately after MLRO Fit & Proper sign-off, not after. |
5. STR Reporting --- Suspicious Transaction Reports
STR is the most operationally critical reporting obligation. Section 7(1) of AMLA 2010 requires Reporting Entities to file an STR with FMU without delay once reasonable grounds to suspect have formed. Without delay is the statutory standard --- there is no fixed hour or day window, but FMU's expectation is that STRs are filed within hours of suspicion crystallising, not weeks.
When STR obligation triggers
The trigger is suspicion, not proof. AMLA 2010 specifically uses the language reasonable grounds to suspect, which is a lower threshold than reasonable grounds to believe. Examples of suspicion triggers that should result in STR filing for a VASP:
Customer transaction patterns inconsistent with declared profile --- a salaried-employee customer suddenly trading USD 50,000+ per month
Transactions structured to avoid the Travel Rule threshold --- multiple PKR 950,000 transfers in the same day
Origin or destination wallets associated with sanctioned addresses --- flagged by blockchain analytics vendors (Chainalysis, Elliptic, TRM Labs)
Behaviour inconsistent with KYC --- declared retail user transacting volumes more consistent with institutional flows
Geographic risk patterns --- concentrated activity from high-risk jurisdictions on FATF's grey list or black list
Customer refusal to provide source of funds when prompted by the VASP's risk-based KYC
Three STR types in goAML
STR-F (with Transaction) --- used when the suspicion relates to specific completed or attempted transactions. Captures From Party, To Party, and transaction details
STR-A (without Transaction) --- used when the suspicion is activity-based rather than transaction-based; for example, account activity patterns or suspected use of the platform for criminal purpose
Combined STR-F + STR-A --- used where both transactional and activity-based suspicions co-exist
Tipping-off prohibition
Section 8 of AMLA 2010 prohibits Reporting Entities and their staff from disclosing --- directly or indirectly --- to any person, including the customer, that an STR has been filed or is being considered. This is a criminal offence. The customer-service implication: when an STR is filed and FMU subsequently requests additional information, all communication with the customer about their account must proceed as though no report has been filed. The MLRO and compliance team must be trained to handle this dual reality.
STR rejection and resubmission
FMU reviews submitted STRs and rejects those that don't meet quality or completeness standards. Rejected STRs are treated as non-reported STRs under AMLA 2010 unless resubmitted. FMU's guidance is clear: rejected STRs must be reverted, corrected per the rejection reason, and resubmitted with the same goAML ID. Creating a new STR for resubmission is incorrect procedure.
6. CTR Reporting --- Cash Transaction Reports (PKR 2 Million Threshold)
Separately from STR, Reporting Entities file Cash Transaction Reports (CTRs) for any cash transaction or aggregate cash transactions of the same customer in a single day at or above PKR 2 million (approximately USD 7,000 at 2026 exchange rates). The CTR threshold is set by FMU under AMLA 2010 and is reviewed periodically.
Why CTR is largely irrelevant for crypto VASPs operationally
Under the SBP April 2026 banking framework, cash deposits and withdrawals are categorically not permitted in Client Money Accounts. Detailed in crypto-banking-pakistan-vasp. This means that direct cash flows into and out of customer-facing accounts at the VASP are structurally blocked at the banking layer. The CTR obligation remains technically applicable but practically rare for a properly-segregated VASP.
Where CTR can still apply
Operational account transactions --- large cash withdrawals from operational accounts for legitimate business purposes (rare but possible)
Cash deposits during the foreign parent's capital injection --- if any portion of the capital flow involves cash (typically not the case in modern transactions)
Cash payments to or from vendors and contractors --- for very large transactions where the counterparty insists on cash settlement
CTRs use the same goAML reporting infrastructure as STRs. The mechanical filing process is similar; the trigger is different (threshold-based rather than suspicion-based) and the cumulative volume is typically materially higher than STR volume.
7. The FATF Travel Rule for VASPs
FATF Recommendation 16 (the Travel Rule) requires that originator and beneficiary information be transmitted in wire transfers above prescribed thresholds. FATF extended R16 explicitly to virtual asset transfers in 2019 and updated the guidance in 2021 and 2023. Pakistan implements the Travel Rule for VASPs through PVARA's regulations and FMU's broader AML/CFT framework.
The PKR 1 million threshold
For virtual asset transfers, the Travel Rule applies at PKR 1 million (approximately USD 3,500 at 2026 exchange rates). Above this threshold, the originating VASP must transmit and the beneficiary VASP must receive:
Originator name
Originator account number (or unique transaction identifier where account-based identification doesn't apply)
Originator address, or national identity number, or customer identification number, or date and place of birth
Beneficiary name
Beneficiary account number (or unique identifier)
The threshold is materially lower than the CTR threshold. PKR 1 million translates to roughly USD 3,500 --- meaning a moderately active retail trader will cross this threshold weekly. Travel Rule data capture must be designed into the default transaction flow, not configured as an exception path for high-value transfers.
Travel Rule technology --- TRP, Notabene, Sumsub Travel Rule, Shyft
Travel Rule compliance requires interoperability with other VASPs globally. A Pakistani VASP transferring 1 BTC to a Singaporean exchange's customer must transmit the originator data to the Singaporean exchange before the transfer is completed; the Singaporean exchange must verify. The same flow runs in reverse when an inbound transfer arrives. This requires technology infrastructure that the major commercial vendors provide:
TRP (Travel Rule Protocol) --- the most widely adopted open protocol; CipherTrace-led consortium
Notabene --- popular commercial Travel Rule solution; broad VASP coverage
Sumsub Travel Rule --- bundled with Sumsub's KYC platform; integrated workflow advantage
Shyft Network --- privacy-preserving Travel Rule infrastructure
Implementation cost for Travel Rule infrastructure typically runs USD 20,000 to USD 60,000 annually in subscription and integration cost. The cost is significantly lower than building Travel Rule infrastructure custom, and the interoperability is materially better with a commercial vendor than with a bespoke implementation.
The data overlap with Section 285BAA tax reporting
The data captured for Travel Rule compliance --- originator name, beneficiary, transaction amount, PKR-equivalent value, asset type, timestamp --- overlaps significantly with the data required for Section 285BAA tax reporting to FBR. Detailed at tax-banking. Building well-structured Travel Rule infrastructure once means the Section 285BAA reporting comes essentially for free. Building them as separate systems doubles the cost and creates reconciliation problems.
The single design choice that compresses AML/tax cost |
Design the Travel Rule data capture as part of the default transaction flow, not as an exception path. Build Section 285BAA reporting infrastructure as a query against the same dataset, not as a separate capture. Foreign exchanges that treat AML and tax as separate systems typically pay 2x to 3x the AML/tax cost over a five-year operating window. The savings are visible from year one and compound. |
8. PVARA's No-Outsourcing Rule for AML-Critical Functions
Regulation 6 of the PVARA NOC Regulations 2025 prohibits outsourcing of AML-critical functions, with specific reference to MLRO responsibilities, transaction monitoring, and STR escalation. This rule has structural implications for how a Pakistani VASP staffs its AML function.
What cannot be outsourced
MLRO function --- the designated Money Laundering Reporting Officer must be in-house and Pakistan-resident. Cannot be a third-party consultant or shared across parent-group entities
Transaction monitoring --- the actual review of alerts generated by the monitoring system must be performed in-house, although the monitoring software itself can be vendor-provided (Chainalysis, Elliptic, TRM Labs)
STR escalation decisions --- the decision to file an STR is the MLRO's decision; cannot be delegated to a vendor
Sanctions screening decisions --- vendor-provided screening produces alerts; the decision to clear or escalate alerts must be in-house
What can be outsourced
KYC vendor systems --- biometric verification, document authentication, sanctions screening data feeds (Sumsub, Onfido, Jumio, Trulioo)
Blockchain analytics tools --- Chainalysis, Elliptic, TRM Labs subscriptions for wallet risk scoring
Transaction monitoring software --- rule engines from commercial vendors are permitted; the alert review and escalation is in-house
Travel Rule infrastructure --- TRP, Notabene, Sumsub, Shyft subscriptions
Legal advice on specific STRs --- outside counsel can advise on complex STR decisions; the decision and filing remain MLRO-owned
The implications for staffing
The no-outsourcing rule means that even small VASP operations require a Pakistan-resident MLRO with full-time commitment. Sharing an MLRO across the parent group's regional entities (a common cost-saving practice in early-stage crypto firms) is not permitted under Pakistan's framework. The MLRO function is a dedicated role, not a coverage role. Coverage of the role's competence and Fit & Proper expectations at Fit-and-proper-test-pvara-form-a3.
9. Sanctions Screening --- The Pakistan TFS List Problem
Pakistan-licensed VASPs must screen customers and transactions against multiple sanctions lists. Most major screening vendors (World-Check, Refinitiv, Dow Jones Risk and Compliance, Comply Advantage) cover the international lists comprehensively. The screen most commonly missed is Pakistan's domestic Targeted Financial Sanctions (TFS) list.
The five lists every Pakistani VASP must screen against
OFAC (US Treasury Specially Designated Nationals list) --- global standard; all vendors cover comprehensively
UN Security Council Consolidated Sanctions List --- international standard; all vendors cover comprehensively
EU Sanctions --- Common Foreign and Security Policy designations; covered by most vendors
UK Sanctions --- OFSI list post-Brexit separation from EU framework; covered by most vendors
Pakistan domestic TFS list (NACTA designations) --- the screen most likely to be missing from a default international vendor configuration
Pakistan's domestic TFS list is maintained by the National Counter Terrorism Authority (NACTA) and implements designations under various SROs issued by the Ministry of Foreign Affairs under the United Nations (Security Council) Act 1948. The list includes Pakistani-specific designations not always present in international vendor data.
Mitigation
VASPs onboarding any international screening vendor should explicitly confirm Pakistan TFS list coverage as part of the vendor selection process. Where the default vendor configuration does not include the Pakistan list, request a custom data feed or supplement the default with a manual screen against NACTA's published list. The mismatch typically costs nothing to fix if surfaced during onboarding, and is genuinely expensive to remediate post-launch.
10. Record Retention --- The 10-Year Rule
AMLA 2010 requires Reporting Entities to maintain records related to STRs, CTRs, customer due diligence, transaction history, sanctions screening, and supporting documentation for a minimum of ten (10) years. This is materially longer than many comparable jurisdictions and longer than the standard tax record retention period.
What must be retained
STR and CTR submissions with all supporting documentation including transaction records, KYC files, communications
Customer due diligence files for all customers --- identity documents, source of funds documentation, risk assessment records
Transaction history --- date, timestamp, amount, asset, PKR-equivalent value, counterparty information, wallet addresses where applicable
Sanctions screening results --- alert history, clear/escalate decisions, supporting documentation
Travel Rule data --- originator and beneficiary information transmitted and received
Internal compliance communications --- MLRO decisions, escalation correspondence, training records
Why 10 years matters operationally
Retention periods drive storage architecture, data sovereignty arrangements, and disaster recovery design. A VASP planning for typical 3 to 5 year data retention will under-provision storage and discover the gap at year 6, when older records become inaccessible just as FMU or PVARA requests historical data during an examination. Storage architecture for Pakistani VASPs should be designed for 10-year retention from day one.
The retention discrepancy in PVARA's Sandbox Undertaking |
PVARA's Sandbox Guidelines 2026 (Annexure B Undertaking) reference 7-year retention. AMLA 2010 requires 10 years. Where the two conflict, AMLA prevails as primary legislation. The conservative practice is to retain for 10 years, which satisfies both. The 7-year reference in the Sandbox is best understood as a Sandbox-period commitment, not as a derogation from AMLA. |
11. Five Common goAML Compliance Failures
MLRO function shared across parent-group entities. Violates PVARA's no-outsourcing rule under Regulation 6. The fix is dedicated Pakistan-resident MLRO appointment, which then triggers a fresh Fit & Proper assessment cycle of 60--90 days.
STR rejected and not resubmitted with the same goAML ID. Reporting Entities treating rejection as the end of the matter leave themselves with non-reported STR exposure under AMLA 2010. Always revert, correct, and resubmit using the original goAML ID.
Pakistan TFS list missing from sanctions screening configuration. Default international vendor configurations often miss the Pakistan-specific list. Surface during vendor onboarding, not after a NACTA-listed person attempts to onboard or transact.
Travel Rule data capture configured as an exception path above PKR 1 million. Active retail users cross the threshold weekly. Building Travel Rule capture as exception path produces broken capture rates of 30--50%. Build as default flow capturing originator/beneficiary data on every transaction; suppress at sub-threshold for display purposes but retain in records.
Record retention designed for 5--7 years instead of 10. Storage architecture under-provisioned, records become inaccessible at the wrong time. Design for 10 years from incorporation, even if the operating runway is shorter.
Frequently asked questions
Yes. Every PVARA-licensed or NOC-holding VASP is a Reporting Entity under AMLA 2010 and must register on the FMU's goAML portal. Registration follows PVARA NOC grant per Regulation 15.4 of the NOC Regulations 2025. Operating without goAML registration is a Reporting Entity compliance breach independent of the substantive AML obligations themselves.
No. PVARA's no-outsourcing rule under Regulation 6 effectively requires the MLRO to be Pakistan-resident and available for FMU follow-up within statutory timelines under AMLA 2010. The role cannot be shared across the parent group's regional entities. This is one of the structural reasons foreign exchanges entering Pakistan need a Pakistan-resident MLRO from day one --- covered at resident-director-pvara-pakistan.
Section 7(1) of AMLA 2010 requires STR filing without delay once reasonable grounds to suspect have formed. There is no fixed hour or day window, but FMU's operational expectation is that STRs are filed within hours of suspicion crystallising. Delays beyond a few business days are difficult to defend at FMU examination.
STR (Suspicious Transaction Report) is suspicion-based --- filed when reasonable grounds to suspect money laundering or terrorism financing have formed, regardless of amount. CTR (Cash Transaction Report) is threshold-based --- filed for any cash transaction or aggregated cash transactions of the same customer at or above PKR 2 million in a single day, regardless of suspicion.
Generally no, where the transfer is genuinely between accounts of the same person at the same VASP or between same-customer accounts at affiliated VASPs in the same group. The Travel Rule is designed to capture inter-customer transfers. However, the burden of demonstrating that transfers are genuinely intra-customer rather than masking inter-customer flows rests on the VASP, and FMU and PVARA both expect documented internal procedures.
Onboarding or transacting with a designated person is a categorical breach of sanctions obligations, with both administrative and criminal exposure under the United Nations (Security Council) Act 1948 and AMLA 2010. The expectation is freeze without delay once the match is identified, plus immediate reporting to FMU and the supervisor (PVARA). Genuine failure of screening (vendor data quality issues) is mitigation but not exoneration.
Blockchain analytics tools (Chainalysis, Elliptic, TRM Labs) supplement but do not replace traditional sanctions screening. Sanctions screening operates on customer identity (name, date of birth, identifiers) at onboarding and ongoing. Blockchain analytics operates on wallet addresses associated with sanctioned designations. Both are required; neither is sufficient alone.
goAML registration is required before the VASP can operationally function under its NOC. It is also required as part of the full VASP licensing application --- PVARA evaluates the VASP's AML/CFT maturity, including goAML registration status, STR filing history, and Travel Rule implementation, as part of the licensing review. Operating goAML well during the NOC period is the strongest positioning for the full licensing application.
Failure to file an STR within the statutory without delay timeline can result in fines up to PKR 5 million per violation under AMLA 2010, with severe cases attracting criminal prosecution of the MLRO and senior management. Tipping off a customer about a filed STR is separately a criminal offence with imprisonment and significant fines.
Failure to file an STR within the statutory without delay timeline can result in fines up to PKR 5 million per violation under AMLA 2010, with severe cases attracting criminal prosecution of the MLRO and senior management. Tipping off a customer about a filed STR is separately a criminal offence with imprisonment and significant fines.
Yes. FMU is Pakistan's Financial Intelligence Unit, established under AMLA 2010, focused on receiving and analysing STRs and CTRs across all Reporting Entity categories (banks, brokers, insurance, DNFBPs, VASPs). PVARA is the VASP-specific regulator established under the Virtual Assets Act 2026, focused on VASP licensing, supervision, and the regulatory framework. PVARA-licensed VASPs report to both --- FMU for AML reporting; PVARA for regulatory supervision.
[CTA BLOCK: Preparing Stage 5 of your post-NOC operational gauntlet --- FMU goAML registration, STR/CTR infrastructure, FATF Travel Rule implementation? CoinConnect coordinates goAML registration with MLRO Fit & Proper preparation, sanctions screening vendor selection (with Pakistan TFS list coverage), Travel Rule infrastructure procurement, and 10-year record retention architecture design. Visit services or reach out via contactus to discuss your AML compliance strategy.
13. Sources Cited
Anti-Money Laundering Act 2010 (as amended September 2020 via F.22(50)/2020-Legis; Sections 6, 7, 8, 25, and Schedules). fmu.gov.pk.
FMU goAML Registration User's Guide. fmu.gov.pk.
FMU STR Filing Guidelines for Reporting Entities. fmu.gov.pk.
PVARA No Objection Certificate Regulations 2025 (Regulations 5, 6, 15.4). pvara.gov.pk.
PVARA Sandbox Guidelines 2026. pvara.gov.pk.
Virtual Assets Ordinance 2025 / Virtual Assets Act 2026. pakistancode.gov.pk.
FATF Recommendations 15 and 16 (virtual assets and the Travel Rule). fatf-gafi.org.
United Nations (Security Council) Act 1948 and SROs issued by Ministry of Foreign Affairs. mofa.gov.pk.
NACTA Pakistan domestic Targeted Financial Sanctions list. nacta.gov.pk.
SBP AML/CFT/CPF Regulations. sbp.org.pk.
UNODC goAML platform documentation. unodc.org.
Article prepared by CoinConnect's regulatory advisory team. Last reviewed against published FMU, PVARA, AMLA 2010, and FATF sources as of 8 May 2026. This article is general analysis and not legal, regulatory, or AML compliance advice. AML obligations carry both administrative and criminal exposure; verify the current position of any specific obligation with the FMU, PVARA, or qualified counsel before relying on it for material decisions.