| What the Sandbox Is | Annexure A — Self-Assessment |
| Legal Basis: VAO 2025 §§ 42-45 | Annexure B — The Undertaking |
| Who Should Apply (Eligibility) | Application Submission |
| End-to-End Application Pathway | 60-Day Assessment Timeline |
| Form I — Section A to F | Key Evaluation Criteria |
| Innovation / VASP Proposition | Testing Phase Obligations |
| Readiness for Testing | Exit Stage — Three Outcomes |
| Exit Strategy & Scaling | No-Action Relief Explained |
| Applicant Background & Particulars | Common Rejection Mistakes |
| Evaluation Criteria | Sandbox vs NOC vs Full License |
| Working With CoinConnect | FAQ |
1. What the PVARA Sandbox Actually Is
The PVARA Regulatory Sandbox is a controlled, supervised environment operated by the Pakistan Virtual Assets Regulatory Authority where approved participants can test innovative virtual asset products and services with live users — under direct regulatory oversight and within defined limits — before committing to a full Virtual Asset Service Provider (VASP) license.
In plain terms: it is a learning permit for crypto exchanges, Web3 startups, custodians, token issuers, stablecoin operators, and remittance platforms that want to operate in Pakistan but are not yet ready — or do not yet need — to apply for full licensure. PVARA observes; you operate; both sides learn what works and what needs fixing before scale.
The framework was formally launched by PVARA in February 2026 and the Sandbox Guidelines 2026 (the source for this article) define every requirement an applicant must meet. Per PVARA's announcement, the Sandbox covers real-world use cases including tokenization, stablecoins, remittances, and on- and off-ramp infrastructure under regulatory oversight.
Key takeaway
The Sandbox is not a workaround for licensing. It is a structured pathway toward licensing. Successful Sandbox graduates are expected to apply for a full VASP license; unsuccessful ones must wind down. Either way, the destination is the same regulator.
2. The Legal Basis: Sections 42-45 of the Virtual Assets Ordinance 2025
The Sandbox is not an informal pilot. It is a statutory framework operationalised under four specific sections of the Virtual Assets Ordinance 2025:
Section 42 — establishes and authorises the Authority to operate the Sandbox as a controlled environment for fostering responsible innovation in Virtual Asset products and services.
Section 43 — governs the Application process. Any person seeking to participate in the Sandbox must apply under this section using the format prescribed by PVARA (Form I).
Section 44 — governs Exit. At the conclusion of testing, Section 44(3) directs the participant to either transition to full licensing, discontinue the service, or take other steps as the Authority may direct.
Section 45 — authorises the Authority to issue a No-Action Letter, indicating that PVARA does not intend to take enforcement action in respect of specified conduct for a defined period.
These four sections are the entire legal architecture of the Sandbox. Every requirement in the Guidelines, every box in Form I, every line of the undertaking traces back to one of them. Founders preparing an application should read the Sandbox Guidelines side by side with these four sections of the Ordinance — not separately.
3. Who Should Apply — Eligibility Criteria
PVARA's eligibility test for the Sandbox has four distinct gates. Failing any one gate is grounds for rejection at the screening stage, before the substantive evaluation even begins.
Gate 1 — Fit and Proper
The Applicant — and every director, sponsor shareholder, controller, and key management person within it — must be fit and proper. The Guidelines define fit and proper negatively: you fail this gate if any of the listed individuals has been found liable for any of the following:
— Fraud, financial crime, or misconduct.
— Prior regulatory or licensing breaches, including any status as a proscribed or designated person.
— Bankruptcy or insolvency proceedings, unless adequately resolved.
This is screened against every named person in the application. A single director with an unresolved regulatory issue in another jurisdiction is enough to disqualify the entire applicant. Source-of-funds documentation, regulatory history disclosures, and personal background details should be assembled before Form I is drafted, not after.
Gate 2 — Operational Readiness
The Applicant must demonstrate operational readiness across five distinct dimensions. Per the Guidelines, this means:
— A clearly defined testing plan — with stated objectives, duration, KPIs, and target users.
— Risk management and consumer protection measures — including data security, dispute resolution, and safeguarding consumer assets.
— A complete governance structure with a clearly identifiable Ultimate Beneficial Owner (UBO), along with documented risk assessment and internal control mechanisms covering: enterprise risk assessment; identity verification (detailed KYC and screening) for both originator and beneficiary; complaint handling; client money and virtual asset segregation; liability management and fraud safeguards; suspicious transaction flagging and reporting; technology risk including system controls, cybersecurity, and protection of private keys; complete risk disclosure to clients; and compliance with cross-border supervision and information-sharing protocols where applicable.
— A Sandbox exit plan — specifying either transition to full authorisation or orderly wind-down.
— Readiness for scalability — technical, financial, and human.
Gate 3 — Regulatory and Risk Assessment
The Applicant must conduct and submit a comprehensive regulatory and risk assessment that explicitly addresses:
— Cybersecurity, data privacy, and operational risks.
— Market risk and systemic risks.
This is not a generic risk register. PVARA expects an assessment that ties each identified risk to the specific product or service being tested, with proposed mitigants and trigger thresholds for escalation.
Gate 4 — Compliance and Purpose
The Applicant must ensure compliance with the applicable legal framework and confirm — on the record — that the product or service is not designed for speculation, anonymity, or illicit activity. This last clause is critical: products optimised primarily for anonymity (privacy coins with mixer-like features, fully anonymous wallets without KYC) face a structural disadvantage at this gate.
Practical filter
If you cannot truthfully answer 'yes' to all four gates today, do not file. Spend the prep weeks remediating the weak gate. Filing a Form I that fails screening costs you a resubmission slot — and you only get two.
4. End-to-End Application Pathway
| Stage | What Happens | Output |
|---|---|---|
| 1. Application | Applicant submits Form I, Annexure A self-assessment, and supporting attachments via the prescribed channel. PVARA screens for completeness; incomplete applications are returned with up to two resubmissions permitted. | Application accepted into Assessment Phase. |
| 2. Assessment | PVARA conducts comprehensive evaluation against the Key Evaluation Criteria. May seek input from other regulators if applicant is regulated elsewhere. May request additional information. | Letter of Approval (LoA) with terms and conditions. |
| 3. Onboarding | Approved Participant submits the undertaking (Annexure B) and agrees the reporting format and frequency with PVARA. Operational parameters — user caps, transaction limits, exposure ceilings — are confirmed. | Supervisory agreement in force; testing may commence. |
| 4. Testing / Experimentation | Participant operates within defined parameters and the agreed period. Submits periodic reports to PVARA. Notifies promptly of any unforeseen circumstances. May request a one-time extension. | Live operational data and progress reports. |
| 5. Completion & Exit | Within two weeks of close of testing, Participant submits the Completion Report. Authority analyses results and determines next steps under VAO §44(3): full licensing, discontinue, or other directed action. | Exit decision: license, wind-down, or further direction. |
5. Form I — Section A to F
Section A — Innovation / VASP Proposition
| Row | What to Describe | Format / Length |
|---|---|---|
| A1. Service to be offered (Innovation Summary) | Concise description of the innovation — what it does, who it serves, why it is novel, and how it operates inside the Pakistani market. | ~500-1,000 words + attachment |
| A2. Blockchain / Technology Stack | Distributed Ledger Technology used (public or permissioned), smart contract platform, wallet architecture, throughput, scalability characteristics. | Bullets / table + attachment |
| A3. Cybersecurity Strategy | Threat model, security controls (encryption, key management, secure coding, audits), incident response, disaster recovery, privacy and data protection. | Table + narrative + attachment |
| A4. Regulatory / Legal Environment | Applicable laws and regulations, ML/TF/PF obligations, consumer protection frameworks, intellectual property and data protection laws. | Bullets + attachment |
| A5. Risk Management | Financial, operational, cybersecurity, legal/regulatory, market, and reputational risks — each with named mitigants. | Table + attachment |
On A1 specifically: PVARA evaluates novelty through a multi-factor lens — novelty of model, harnessing of technology, differentiation, and inclusion impact. A 600-word summary that hits all four factors will outperform a 1,000-word summary that emphasises only one.
Section B — Readiness for Testing
| Row | What to Show | Format / Attachments |
|---|---|---|
| B1. Technical Readiness | Development status (smart contracts audited, infrastructure ready), internal testing or testnet results, system capacity. | Yes/No + short description; no attachment required |
| B2. Integration / Partnerships | List of partners (banks, exchanges, VASPs), integration points (APIs, oracles, custodians). | Table or bullets; no attachment required |
| B3. Operational and Financial Readiness | Budget, funding commitments, operational structures, safeguards, KPIs and KRIs. | Bullets or table; no attachment required |
| B4. Consumer / User Safety | Protection measures — risk disclosure, loss recovery, customer support, dispute resolution. | Narrative + key points; no attachment required |
| B5. Virtual Asset Product (if applicable) | Product details against Virtual Asset Standards. | Narrative + table + key points; attachment required |
Pure service offerings without a product wrapper may legitimately mark B5 as not applicable.
Section C — Exit Strategy & Scaling
| Row | What to Provide | Format / Length |
|---|---|---|
| C1. Exit / Termination Strategy | Conditions that would trigger stopping the test, the wind-down sequence, and how customer assets are returned safely. | Bullets, ~300 words + attachment |
| C2. Transition to Full Deployment / Scaling | Steps required for scaling, licensing pathway, technological and financial requirements for full operations. | Bullets, ~300 words + attachment |
| C3. Communication Plan | How participants and the public will be informed — disclosures, test duration, termination notices, public communications. | ~300-400 words + attachment |
Section D — Applicant Background
| Row | Required Information | Format |
|---|---|---|
| D1. Team Background | Key persons with product, blockchain, cybersecurity, finance, or technology experience; their qualifications. | Table |
| D2. Operational History and Achievements | Years in operation, past projects, incubator support received, awards or recognition. | Bullets, ~300 words + attachment |
| D3. Funding and Support | Sources of funding, grants, incubators, prior audits or certifications. | Documents and summary |
Section E — Applicant Particulars
| Row | Details to Provide | Format |
|---|---|---|
| E1. Company / Entity Information | Legal name, registration number, executives, current VASP status (if any). | Description + attachment |
| E2. Contact Details | Focal person, alternate contact, registered address. | Description + attachment |
| E3. Application Category | The activity category as per Schedule I of the Ordinance. | Select / describe + attachment |
Critical for foreign applicants
Section F — Evaluation Criteria
6. Annexure A — Self-Assessment
The Self-Assessment is mandatory and submitted alongside Form I. PVARA structures it as eight key questions, each with stated Positive Indicators and Negative Indicators. The Authority uses your self-assessment as a calibration check: applicants who score themselves as strong in areas where the Form I content is weak immediately lose credibility.
| Question | Positive Indicators | Negative Indicators |
|---|---|---|
| 1. Scope — Is the proposed model within PVARA's scope and beneficial to Pakistan? | Project involves virtual assets, virtual asset services, or related infrastructure relevant to Pakistan's financial system. | Not related to Virtual Asset Services or the surrounding ecosystem. |
| 2. Business Scalability — Is there clear, growing demand and scalability potential? | Target market identified with expansion potential — local, regional, or global. | Weak or stagnant user adoption; reliance on niche or unsustainable demand such as speculative hype only. |
| 3. Technology and Security — Is your technology secure and resilient? | Robust IT infrastructure, cybersecurity safeguards, smart contract audits, disaster recovery plans, independent third-party security testing performed. | Weak cybersecurity indicators, no audits, reliance on unverified smart contracts, lack of safeguards for consumer fund custody during cyber intrusions. |
| 4. Genuine Innovation — Does the project introduce something significantly new or solve an existing problem in a novel way? | Introduces a new use-case for virtual assets not yet tested locally; adapts proven international solutions to the Pakistani market with significant improvements. | Numerous similar models already exist in Pakistan; minor tweaks to an existing virtual-asset product, service, or business model. |
| 5. Consumer and Investor Benefit — How does the project benefit users, markets, the national exchequer, and financial inclusion? | Increases transparency, lowers costs, improves efficiency, enhances financial inclusion, identifies and proposes mitigation for ML/TF, volatility, fraud, and cyber risks. | Limited transparency, cost-inefficient, high risk of consumer loss or market instability, no clear risk mitigation strategies. |
| 6. Readiness — Are you ready to test under the Ordinance and Sandbox? | Understanding of applicable laws (cybersecurity, data protection, etc.), clear business model and technology architecture, compliance plan, testing plan with objectives and timelines, adequate financial and human resources. | No clarity on ML/TF, KYC, cybersecurity, or custody compliance; lack of technical or financial readiness; no consumer protection measures; concept only on paper. |
| 7. Genuine Need for Sandbox — Do you actually need regulatory flexibility to test this? | Requires regulatory flexibility to test novel mechanisms (token issuance, DeFi protocols, smart contracts, custodial services). | Live testing is not necessary to answer the regulatory or market questions you are raising. |
| 8. ML/TF and Compliance Preparedness — How will you meet ML/TF/PF and FATF obligations? | Strong KYC/AML processes integrated into platform design; alignment with FATF and Pakistan's AML laws. | Weak or no AML/KYC framework; high risk of misuse for money laundering, terrorism financing, or fraud. |
7. Annexure B — The Undertaking
On approval, the Participant submits a sworn undertaking in the format prescribed in Annexure B of the Guidelines. This is not generic boilerplate — it is a specific, irrevocable set of obligations that govern your conduct inside the Sandbox. Founders who view it as 'sign and forget' typically get caught out at the first compliance review.
The one-hour clause is the one to plan for now
The undertaking requires notification of any material incident, risk event, or compliance breach within ONE HOUR of identification. This is shorter than most jurisdictions globally. Your incident-response runbook, on-call rota, escalation tree, and PVARA contact protocol must all be production-ready before Day 1 of testing — not built reactively after the first incident.
8. Application Submission
PVARA operates the Sandbox on an Agile Approach: applicants may submit at any time during the year. There is no fixed application window. There is also no fixed cohort cycle — each application is processed on its own merits.
Per PVARA's communications, Sandbox applications are submitted directly to sandbox@pvara.gov.pk. Applicants are encouraged to engage early with the Authority before submission to refine their proposal and understand regulatory expectations. Founders should treat early-engagement contact as a meaningful step, not optional courtesy — it is one of the few opportunities to test scoping assumptions before committing them to the formal application.
9. The 60-Day Assessment Timeline — What Actually Happens
The Sandbox Guidelines specify the assessment timeline precisely:
"The comprehensive evaluation must be completed within sixty (60) working days from the conclusion of the initial screening unless the Authority determines that there is reasonable cause to extend timeline."
In practice, there are three things to know about the 60-day clock:
— It runs in working days, not calendar days. Sixty working days is approximately 12 weeks or roughly three calendar months once weekends and public holidays are excluded.
— The clock starts at 'conclusion of initial screening,' not at submission. Initial screening is the completeness check. Time spent in resubmission cycles does not count against the 60 days. Plan accordingly.
— PVARA may extend on reasonable cause. Where the Authority requests additional information, awaits input from another regulator, or escalates to specialised review, the timeline can extend. Treat 60 working days as a target, not a guarantee.
After detailed assessment and evaluation, the Authority issues a Letter of Approval (LoA) to successful applicants, subject to the terms and conditions approved. The LoA is what unlocks the Onboarding stage and the right to submit the undertaking and begin testing.
10. Key Evaluation Criteria — How PVARA Decides
PVARA's Key Evaluation Criteria, set out in the Guidelines, cover five domains. Each domain has multiple sub-factors. The Authority does not publish weights — but the structure tells you what reviewers are trained to look for.
Innovation and Market Impact
— Novelty of the model — a product, service, or business model not currently offered in the market.
— Harnessing technology — a new application of existing technology, or a completely new, ground-breaking technology.
— Differentiation — significant departure from or improvement on existing offerings, addressing real market inefficiencies.
— Inclusion — innovation that helps transition a largely informal, high-risk market into a formalised, regulated, safe ecosystem and an important pillar of the economy.
Risk Management and Compliance
— Review of systemic, operational, and ML/TF/PF risks.
— Evaluation of cybersecurity, data protection, and consumer protection frameworks.
— Consultation with Shariah advisors where applicable.
Feasibility and Exit Strategy
— Technical and operational readiness, including team expertise.
— Clear testing parameters.
— Exit plans — winding down if unsuccessful or transitioning to licensing if successful.
— The Authority may impose limits on transaction volumes, user numbers, or exposure on a case-by-case basis.
Financial Strength
Demonstration of financial capacity to undertake the proposed business model. The Guidelines do not prescribe a fixed paid-up capital figure for Sandbox entry — Financial Strength is assessed against the scope of the proposed test, not against a uniform threshold. Applicants proposing custody of customer assets or stablecoin issuance should expect heavier scrutiny than those proposing pure software-layer experiments.
Tax Law Compliance
If the applicant is based in Pakistan, demonstrated compliance with applicable tax laws is a criterion. Foreign applicants will, on approval, be required to incorporate locally and register with tax authorities — at which point this criterion attaches.
11. Testing Phase — Operating Inside the Sandbox
Approval is the start, not the finish. Once the LoA is issued and the undertaking is signed, you enter the Testing / Experimentation phase. The Guidelines set four governing rules for this phase:
— Operate in compliance. The approved Participant operates in the Sandbox environment for the approved period and in compliance with the Ordinance.
— Report on the agreed cadence. Reports are submitted in the content, format, and frequency mutually agreed between the Participant and the Authority before testing commences. Negotiate this carefully — over-broad reporting commitments are difficult to roll back later.
— Request extensions before they are needed. If the Participant encounters unexpected technical or business difficulty beyond their control, an extension request must be submitted at least two weeks prior to the expiry of the relevant time period — not after.
— Notify on impairment. If unforeseen circumstances impair the ability to commence or complete testing, the Authority must be informed promptly and will advise the appropriate course of action.
Operational caps — user numbers, transaction volumes, exposure limits — are imposed in the LoA on a case-by-case basis. Plan your test infrastructure to enforce these caps technically, not just procedurally. Reviewers will ask how the cap is enforced; 'we monitor it manually' is not a satisfactory answer.
12. Completion Report and Exit — Three Possible Outcomes
Within two weeks of the close of the testing period, the Participant must submit a Completion Report to the Authority. The Guidelines specify the report's required contents:
— The overall results and statistics of the testing.
— An objective assessment of the potential impact of the solution if scaled — including (a) a comparison of results with objectives defined at inception, (b) the scope of scaling out to a larger audience in case of success, and (c) how the Participant will fully comply with relevant legal and regulatory requirements.
The Authority then analyses the testing results and the Completion Report at the Exit Stage and determines the future course of action. Under VAO 2025 §44(3), three outcomes are possible:
| Outcome | Trigger | Next Step |
|---|---|---|
| 1. Transition to full licensing | Test results are successful; product/service meets requirements. | Apply for full VASP license; subject to license/approval by the Authority and compliance with regulatory requirements as issued from time to time. |
| 2. Discontinue the service | Test is unsuccessful or wind-down conditions are triggered. | Cease all Sandbox activities; execute exit plan; return user assets per Section C of Form I. |
| 3. Other steps as directed | Authority determines a hybrid path is appropriate. | Comply with the specific direction issued by the Authority — may include an extended observation period, scope reduction, or interim approval pending regulatory amendments. |
13. No-Action Relief — What It Is and What It Isn't
Under Section 45 of the Ordinance, the Authority may issue a no-action letter to a Participant, stating that PVARA does not intend to take enforcement action in respect of specified conduct for the duration of the test period.
Two qualifications matter:
— It is not legal immunity. The Guidelines are explicit: "the issuance of a no-action letter shall not constitute a legal immunity." Civil claims, third-party actions, and consumer disputes remain available against the Participant. The letter is a statement of regulatory intent, not a shield against private liability.
— It can be withdrawn. The Authority reserves the right to withdraw the letter at any time by providing written notice. A no-action letter is not a permanent allocation; it is a revocable accommodation.
Founders considering a Sandbox path partly because of the no-action shield should calibrate expectations accordingly. The letter is useful — it provides regulatory comfort to banking partners, investors, and counterparties — but it does not relieve operational risk.
14. Suspension and Revocation — When PVARA Pulls the Plug
At any stage, where the Authority has possible reasons to believe the Participant has failed to adhere to agreed details or imposed conditions, two enforcement mechanisms are available:
— Temporary suspension. The Authority can temporarily suspend the testing and approval until the matter is fully clarified. Operationally, this means a stop-work directive — testing halts, customers may need to be notified depending on scope, and remediation must be evidenced before resumption.
— Complete withdrawal with public notice. The Authority can completely withdraw the approval, accompanied by a public notice, where serious discrepancy has been observed related to consumer detriment or any other serious matter. Public notice is the reputational consequence — it is not redacted, and it travels.
In addition, the undertaking allows PVARA to terminate participation with 15 days' written notice for any reason, or immediately for breach of the testing plan, expected negative consequences to consumers or financial stability, failure to provide requested information, or public-interest grounds.
15. Common Mistakes That Get Sandbox Applications Rejected
Drawing strictly from the Guidelines' stated criteria, indicators, and required content, the seven most common failure modes for first-time Form I submissions are:
1. Treating the Sandbox as a soft-launch instead of a regulatory experiment
Applicants whose product is fully ready and raises no novel regulatory question are flagged at Annexure A Question 7. The Sandbox exists to resolve regulatory or market questions through live testing — not to provide a slower path to operations. If your product belongs in the NOC and full-license track, file there; the Sandbox slot is for a different category of applicant.
2. Generic or imported AML/KYC frameworks
Annexure A Question 8 and Section A4 both probe ML/TF preparedness specifically. Frameworks copied from another jurisdiction without adaptation to Pakistan's FATF context, the local AML laws, and PVARA's reporting expectations consistently score in the Negative Indicators column.
3. Vague cybersecurity narrative
Section A3 asks for a threat model, named security controls, key management approach, incident response playbook, and disaster recovery — backed by attachments. 'Industry-standard encryption' as the entire technical answer fails the gate. Reviewers expect named ciphers, named approaches, named auditors, and stated targets.
4. Weak or missing Exit / Wind-down plan
Section C is where reviewers most reliably find applicants under-prepared. A complete C1 should describe trigger conditions, the wind-down sequence (in days), the customer notification path, and the asset-return mechanism. C2 should map the bridge from Sandbox graduation to full license filing — not aspirations, sequence.
5. Fit-and-proper gaps in named individuals
A single director, sponsor shareholder, controller, or key management person with unresolved regulatory history fails the eligibility gate. Pre-flight every named individual against the three negative-history categories — fraud/financial crime/misconduct, prior regulatory breaches or designated-person status, unresolved bankruptcy or insolvency — before drafting Section D.
6. No genuine need-for-Sandbox argument
Annexure A Question 7 is binary in PVARA's eyes: either you require regulatory flexibility to test novel mechanisms, or you do not. Applicants who cannot articulate the specific regulatory or market question their test will answer should expect to be redirected — or rejected — at the substantive evaluation stage.
7. Misalignment between Self-Assessment and Form I content
PVARA reads Annexure A as a calibration document. If your self-assessment scores Strong on cybersecurity but Section A3 contains a one-paragraph narrative with no attachments, the contradiction is visible. Calibrate the self-assessment honestly against the actual content of Form I.
16. Sandbox vs NOC vs Full License — Which Path Is Right?
As of 2026, PVARA's licensing portal is accepting NOC applications. Per PVARA's official communications, full VASP licensing is forthcoming, and the Sandbox runs alongside as an alternative entry point for applicants whose value proposition rests on testing novel products or mechanisms.
In practice, the choice between paths is driven by three factors: novelty of your product, urgency of go-live, and the specific regulatory question you need answered.
| Path | Suits You If | Does Not Suit You If |
|---|---|---|
| Sandbox (Form I) | Your product is genuinely novel; you need regulatory flexibility to test a mechanism that current rules do not cleanly cover; you can operate within imposed user/volume caps; you accept 1-hour incident notification and intensive reporting. | Your product is conventional spot trading or established custody; you need to operate at scale immediately; you cannot accept user/volume caps. |
| NOC + Full License | You operate an established, conventional virtual asset business; you have global compliance precedent; you need to scale without operational caps after license grant; you have capital ready. | Your product is novel and the rulebook does not yet cover it; you want to validate market and regulatory fit before committing to full capital. |
| Both (Sandbox first, then full license) | You want regulator-relationship-building during a structured test phase; you accept 6-12 months of capped operations as a step toward full license; you value the no-action letter as interim regulatory comfort. | You have a 90-day go-live commitment to your board; you cannot afford the dual-track time investment. |
For most global exchanges entering Pakistan with a conventional product (spot trading, custody, transfer services), the NOC + Full License path is the default. For Web3 startups, stablecoin issuers, tokenisation platforms, novel custody arrangements, and remittance experiments — the categories PVARA explicitly named when launching the Sandbox in February 2026 — the Sandbox is the more natural fit.
For a deeper comparison and our recommendation framework, see our pillar guide: VASP License Pakistan — The Complete 2026 Guide to PVARA Licensing.
17. Working With CoinConnect on Your Sandbox Application
CoinConnect is Pakistan's PVARA licensing and market-entry consultancy. We work exclusively on virtual asset regulatory matters — every engagement we run is a NOC, a Sandbox application, or a full VASP license filing. We do not split attention across unrelated practice areas.
Three engagement options for Sandbox applicants:
— PVARA Readiness Diagnostic — 2 weeks. A 20-25 page written assessment of your product against every Sandbox eligibility gate, every Form I row, every Annexure A indicator, and the undertaking obligations. Tells you exactly where you stand and what to fix before submission. The cheapest insurance in the room before you commit to a full filing.
— Sandbox Application Sprint — fixed fee, 8-10 weeks. End-to-end drafting of Form I (all five content sections plus attachments), the Annexure A self-assessment, supporting policy manuals (AML, cybersecurity, exit), and submission support. We handle drafting; your team handles internal sign-off and named-individual evidence.
— Sandbox Compliance Retainer — monthly, post-approval. Operational support during the testing phase: PVARA reporting cadence, incident notification protocol implementation, periodic reviews against the undertaking, and Completion Report drafting at exit.
Ready to apply for the PVARA Sandbox?
Book a 30-minute scoping call
No deck, no pitch — nine questions about your product and a clear recommendation on whether the Sandbox is your right path, or whether the NOC route fits better.
calendly.com/abbasmalikmuntazir/30min
Read the PVARA Guide: coinconnect.site/pvara-guide
Read the VASP Licensing Guide: coinconnect.site/blog/coinconnect-insights-1/vasp-license-pakistan-3
Author
Malik Abbas, CEO, CoinConnect — Pakistan's PVARA Licensing & Market-Entry Consultancy. Advising global crypto exchanges and Web3 founders on Virtual Assets Ordinance 2025 compliance, NOC applications, Sandbox entry, and full VASP licensing.
Published: May 2026 · Last reviewed: May 2026
Sources
This article is sourced exclusively from:
PVARA Sandbox Guidelines 2026 — Incubation Guidelines for the Regulatory Sandbox, including Form I, Annexure A (Self-Assessment Checklist), and Annexure B (Format of Undertaking).
Virtual Assets Ordinance 2025 — Sections 6, 8, 42, 43, 44, and 45.
Pakistan Virtual Assets Regulatory Authority official website — pvara.gov.pk — including the Licensing portal page and Sandbox launch communications.
Frequently asked questions
Form I is the official application form for participation in PVARA's Regulatory Sandbox under Section 43 of the Virtual Assets Ordinance 2025. It contains six sections (A through F) covering the innovation proposition, readiness for testing, exit and scaling strategy, applicant background, applicant particulars, and PVARA's evaluation criteria. It is submitted alongside the Annexure A self-assessment.
Per PVARA's public communications, Sandbox applications are submitted to sandbox@pvara.gov.pk. PVARA encourages early engagement before formal submission to refine proposals and clarify regulatory expectations.
The Sandbox Guidelines specify that the comprehensive evaluation must be completed within sixty (60) working days from the conclusion of the initial screening, unless the Authority determines there is reasonable cause to extend. Time spent in resubmission cycles before screening completes does not count against the 60 working days.
The Guidelines provide that the Authority may prescribe an application fee as it may deem appropriate. Applicants should confirm the prevailing fee at the time of submission via the official PVARA channels.
The Guidelines permit up to two resubmissions. Applications returned a third time as incomplete have exhausted their resubmission allowance under the published framework.
Yes — Form I includes an explicit provision for non-local applicants. Where the applicant is not a local company, the applicant will be required to incorporate locally and provide evidence of tax registration with local tax authorities once Sandbox approval is granted.
A no-action letter, issued under Section 45 of the Ordinance, is a statement by PVARA that it does not intend to take enforcement action against specified conduct for the duration of the test. The Guidelines are explicit that this is not legal immunity and may be withdrawn at any time. A license, by contrast, is the formal authorisation to operate commercially after successful Sandbox conclusion or through the full-license track.
Within two weeks of the close of testing, the Participant submits a Completion Report covering overall results, statistics, comparison to inception objectives, scaling potential, and a regulatory compliance plan. The Authority then determines next steps under VAO §44(3): transition to full licensing, discontinue the service, or other directed action.
Per the undertaking in Annexure B, the Participant must notify PVARA within one hour of any material incident, risk event, or compliance breach. A detailed incident report must follow within 48 hours, covering nature and scope, containment and resolution steps, and prevention measures.
The Guidelines list Financial Strength as a Key Evaluation Criterion — "demonstration of financial capacity to undertake the proposed business model" — but do not prescribe a uniform paid-up capital figure for Sandbox entry. Capital adequacy is assessed against the scope of the proposed test. Applicants proposing custody of customer assets or token issuance should expect heavier scrutiny than software-layer experiments.
The undertaking requires Participants to retain all transaction records and maintain proper books of account for a period of seven years.
Yes — but the request must be submitted at least two weeks prior to the expiry of the relevant time period. Extensions may be granted where the Participant encounters unexpected technical or business difficulty beyond their control, and are at the Authority's discretion.