KYC.IO

Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

KYC to onboard domestic persons

namepassportresidential addresssource of income

KYC to onboard international persons

nameidentification documentspassport numberresidential address telephone numberemaildate of birthsource of income

corporate requirements

full namepassportresidential addressbusiness addresscontact numbersemaildate of birthregistration nature of businesspurpose of accounttype of accountsource of earningsmonthly credit turnovermodes of transactions

National ID card name

Computerized National Identity Card

National ID Photo

back of national id photo back

Does the country have Esignature Laws?

E-COMMERCE LAW IN PAKISTAN

E-sig law files

What year did the relevant AML laws and regulations become effective?

2015

Further details on AML regime

The Anti-Money Laundering Act was enacted in Mar 2010 after its approval by the Parliament of Pakistan. In addition, local banking regulator, the State Bank of Pakistan (“SBP”), has issued detailed AML and CFT regulations, together with guidelines on a risk based approach in 2012; both of which have subsequently been amended, and revised regulations issued in 2015.

Who is the regulator for AML controls for Banking

The SBP is the regulator for AML controls for banking and related services while the Securities and Exchange Commission (“SECP”) is the regulator for all other entities

Link to site

http://www.sbp.org.pk/ http://www.secp.gov.pk/

Other financial Services

N/A

Website of Regulator

N/A

Financial Sector regulator

N/A

Practical Guidance for AML

The SBP has issued detailed guidelines on AML/CFT regulations, together with guidelines on risk based approach.

Practical guidance PDF's

Is there a requirement to verify the identity of customers retroactively?

Yes

Retroactive details

Yes

Has the country been the subject of FATF mutal evaluation in the last 3 years?

No. The latest Mutual Evaluation Report was performed by Asia Pacific Group on Money Laundering and is dated 09 Jul 2009

PDF of FATF review

pakistan-mutual-evaluation-report-anti-money-laundering-combating-financing-terrorism

FATF high risk or monitored jurisdiction

Monitored Jurisdiction

Are there minimum transaction thresholds (Y/N)

Yes

More details on minimum transaction thresholds.

The AML and CFT regulations of 2015 are available at the following link (http://www.sbp.org.pk/l_frame/Revised-AML-CFT-Regulations.pdf) which specifies monetary thresholds for transactions executed by occasional customers/ walk-in customers and online transactions. Organisations however, have defined their own internal monetary thresholds.

What are the requirements for customer identification information for individuals

As per SBP AML/CFT Regulations (para 3 of Regulation 1: Customer Due Diligence), for identity and due diligence purposes, at the minimum, the following information shall also be obtained, verified and recorded on KYC/CDD form or account opening form: a) full name as per identity document; b) CNIC/Passport/NICOP/POC/ARC number or where the customer is not a natural person, the registration/incorporation number or business registration number (as applicable); c) existing residential address, registered or business address (as necessary), contact telephone number(s) and e-mail (as applicable); d) date of birth, incorporation or registration (as applicable); e) nationality or place of birth, incorporation or registration (as applicable); f) nature of business, geographies involved and expected type of counter-parties (as applicable); g) purpose of account; h) type of account; i) source of earnings; j) expected monthly credit turnover (amount and no. of transactions); and k) normal or expected modes of transactions.

Details to be Collected on Corporates

What are the high level requirements around beneficial ownership (identification and verification)?

As per paragraphs 7 and 8 of Regulation 1 of SBP AML and CFT regulations Banks/DFIs shall take reasonable measures to obtain information to identify and verify the identities of the beneficial owner(s). Where the customer is not a natural person, the bank/DFI shall (i) take reasonable measures to understand the ownership and control structure of the customer for obtaining information required and (ii) determine the natural persons who ultimately own or control the customer. Verification of the identity of the beneficial owners shall be completed before business relations are established including verification from NADRA wherever required.

What circumstances are enhanced customer due diligence measures required?

Section ‘D’ of SBP’s AML/CFT Guidelines on Risk Based Approach (paragraph 4-6) available on the link (http://www.sbp.org.pk/l_frame/AML-CFT-Guidelines-RiskBasedApproach.pdf) provides specific high risk elements and recommendations for EDD such as NPOs, NGOs, charities, associations, house wife accounts, landlords, proprietorships, self-employed professionals, on-line transactions, cash, wire transfers etc. Paragraph 5 provides high risk elements/factors bifurcated into customers, products and delivery channels, geography or locations.

How should FI's deal with Politically exposed persons

Paragraph 29 of Regulation 1 of the SBP AML/CFT regulations available on the link (http://www.sbp.org.pk/l_frame/Revised-AML-CFT-Regulations.pdf) covers in detail the treatment for PEPs. In relation to PEPs and their close associates or family members, banks/DFIs shall: a) implement appropriate internal policies, procedures and controls to determine if a customer or beneficial owner is a PEP; b) obtain approval from the bank’s senior management to establish or continue business relations where the customer or a beneficial owner is a PEP or subsequently becomes a PEP; c) establish, by appropriate means, the sources of wealth or beneficial ownership of funds, as appropriate; including bank/ DFI’s own assessment to this effect; and d) conduct during the course of business relations, enhanced monitoring of business relations with the customer.

What enhanced due diligence must be performed for correspondent banking relationships?

Regulations 2 of SBP AML/CFT regulations available on the link (http://www.sbp.org.pk/l_frame/Revised-AML-CFT-Regulations.pdf) cover this topic in detail.

Are relationships with banks who might be considered a 'shell' and without substance permitted?

Yes. As per Regulation 2 of SBP AML/CFT regulations (paragraph 4) available on the link (http://www.sbp.org.pk/l_frame/Revised-AML-CFT-Regulations.pdf). No bank/DFI shall enter into or continue correspondent banking relations with a s

In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

In dealing with non-face-to-face transactions and/or relationships, adequate measures have been adopted by organizations. Additional due diligence may be required when: a) transactions do not make economic sense or are inconsistent with customer’s business or profile; b) transactions involving locations of concern & wire transfer; and c) transactions involving unidentified parties.

To whom are SAR's made? (suspicious activity reports)

State Bank of Pakistan

Link to website of SAR reporting

http://www.sbp.org.pk/, http://www.sbp.org.pk/l_frame/Revised-AML-CFT-Regulations.pdf

Other Suspicious or unusual transactions obligations.

As per paragraph 7 of Regulation – 4 of the AML/CFT, the regulations are available on the following link (http://www.sbp.org.pk/l_frame/Revised-AML-CFT-Regulations.pdf). Currency Transaction Reports (“CTRs”) should be reported for transactions of INR2m (approx. USD30,000) and above as per requirements of the AML Act. This is also stated in the SBPs BPRD Circular Letter No. 04 of 2015 available on the link (http://www.sbp.org.pk/bprd/2015/CL4.htm)

Are there any de-minimis thresholds below which transactions do not need to be reported?

As per paragraph 7 of Regulation - 4 of SBP AML/CFT regulations available on the link (http://www.sbp.org.pk/l_frame/Revised-AML-CFT-Regulations.pdf). Banks/DFIs should note that STRs, including attempted transactions, should be reported regardless of the amount of the transactions; and, the CTRs should be reported for transactions of INR2m (approx. USD30,000) and above as per requirements of the AML Act.

Are there any penalties for non compliance with reporting requirements e.g. tipping off?

Liability for failure to file a suspicious transaction report and for providing false information is provided in paragraph 33 of the AML Act, 2010 available on the link (http://www.sbp.org.pk/about/act/Anti-Act- 2010.pdf). Paragraph 34 of this Act lays out requirements with respect to non-disclosure of information and consequences of violation.

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

Yes by SBP. The following are extracts from SBP AML/CFT Regulation No. 4 (paragraph 5). Banks/DFIs are advised to make use of technology and upgrade their systems and procedures in accordance with the changing profile of various risks. Accordingly, all banks/DFIs are advised to implement automated Transaction Monitoring Systems (“TMS”) capable of producing meaningful alerts based on pre-defined parameters/thresholds and customer profile, for analysis and possible reporting of suspicious transactions. Further, banks/DFIs shall establish criteria in their AML/CFT Policies and/or Procedures for management of such alerts.

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

Does the local legislation allow transactions to be monitored outside the jurisdiction?

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

If an external report on the bank’s AML systems and controls is required: a) how frequently must the report be provided?

N/A

To whom should the report on AML systems be submitted?

N/A

Is an AML system part of the financial statement audit?

N/A

What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require: a) sample testing of KYC files? b) sample testing of SAR reports? c) examination of risk assessments?

N/A

Data Protection Laws And Personal Data

Data Protection for Corporate Data

Do any restrictions on the transfer of credit reports exist?

None except for those specified above.

Regulator Acronym

SBP, SECP

Year of last FATF mutual evaluation

2009

National ID card details

First made at the age of 18, not compulsory to carry all the time.

Compulsory?

National ID source

https://en.wikipedia.org/wiki/Computerised_National_Identity_Card

Passport Photo

practical Guidance yes / no

Is there a risk based approach

Legal Requirement

Requirement to proceed

requirement to use automated suspicious transaction tools

Yes

Who are SARS made to?

SBP

shell banks

Yes

EDD for correspondent banking

Yes

If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

The AML Ordinance was issued in 2007 followed by the Anti-Money Laundering Act in 2010. Subsequently AML and CFT regulations were issued in 2012 which were subject to amendments that have been incorporated in the revised regulations issued in 2015. The previous regulations required the following (which have now been stringently amended for inclusion in the revised regulations): a) verification of the identity of the customers shall be completed as soon as it is reasonably practicable but not later than five business days from the date of opening of the account; b) half yearly list is to be maintained by banks/DFIs highlighting all accounts/deposits where the business relationship needed to be closed on account of negative verification; c) obtain copy of CNIC from occasional customers/walk-in customers conducting cash transactions above INR1m (approx. USD15,000) whether carried out in a single operation or in multiple operations that appear to be linked; and d) currency Transaction Reports should be reported above the threshold of INR2.5m (approx. USD38,000).

Non financial sector (e.g. casinos, high value goods etc.)

N/A

Does the country have a risk based approach?

Yes. SBP has issued detailed guidelines on AML/CFT regulations, together with guidelines on the risk based approach

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

As per paragraph 4 of Regulation 1 of SBP AML and CFT regulations, the Bank/DFI shall verify identity documents of the customers from relevant authorities/document issuing bodies and where necessary using other reliable, independent sources and retain on record copies of all reference documents used for identification and verification. The particulars/CNIC of such persons must be verified from the National Database Registration Authority (“NADRA”) through VeriSys or bio-metric technology. Verification of the identity of the customers and beneficial owners shall be completed before business relations are established including verification of CNIC/NICOP/POC from NADRA wherever required for customers under these regulations.

Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

None except for those specified above.

List of case law, constitutional law or any other laws or regulations that may impact upon the transfer of information.

None except for those specified above.