Regulatory Framework for Fintechs in Pakistan

USAID Small and Medium Enterprise Activity

Regulatory Framework for Fintechs in Pakistan

01, 02, 2020 This publication was made possible by the support of the American people through the United States Agency for International Development (USAID). This publication was produced for review by the USAID. It was prepared by Dr. Leon Perlman for an assigment commissioned by Chemonics International under the USAID Small and Medium Enterprise Activity.

USAID Small and Medium Enterprise Activity

Regulatory Framework for Fintechs in Pakistan

DISCLAIMER The author’s views expressed in this publication do not necessarily reflect the views of the United States Agency for International Development (USAID), the United States Government, or Chemonics International Inc.

USAID Small and Medium Enterprise Activity (SMEA) Page. i

Data Page Project Data Sheet

Donor United States Agency for International Development (USAID)

Reporting Office USAID Economic Growth and Agriculture (EGA) Office

Country Pakistan

Project Name USAID Small and Medium Enterprise Activity (SMEA)

Prime Managing Contractor

Chemonics International Inc.

Contract Number Contract No. AID-391-C-17-00003

Name of the Component

Business Enabling Environment (BEE)

Date of Report February 01, 2020

Document Title Regulatory Framework for Fintechs in Pakistan Final Report

Author’s Name Dr. Leon Perlman and contributed by Talha Leghari Study Design and Methodology

Dr. Leon Perlman, Talha Leghari, Suleman Ghani, Kaiyan Yousaf, Sonia Seth

Photo Credits SMEA Team Editing Sonia Seth, Kaiyan Yousaf SOW Title and number

SOW Development of Framework for Fintech Regulations SOW # C1BEE-07 Business Enabling Environment

Geographic Focus Nationwide Pakistan Key Words Fintech, access to finance, State Bank of Pakistan, SME,

Financial Inclusion, Regulation, Sandbox, Innovation

USAID Small and Medium Enterprise Activity (SMEA) Page. ii

USAID Small and Medium Enterprise Activity (SMEA) Page. iii

EXECUTIVE SUMMARY This Report addresses methods to catalyze and bootstrap the development of the growing, but still nascent financial technology (‘fintech’) ecosystem in Pakistan. The Report is based on interactions with industry participants and regulators in Pakistan and a site visit by the Consultant and workshop in July 2019. It addresses the regulatory trilogy of who, what, and how of regulation and includes recommendations on new policy frameworks and approaches in line with evolving best practices worldwide. The prudential regulator, the State Bank of Pakistan (SBP) – perceived internationally as a ‘can-do’ regulator - is the lead regulator on financial matters. The Securities and Exchange Commission of Pakistan (SECP) regulates other financial components as well as company registrations. The Report finds that while the provision of financial services is dominated by banks in Pakistan, there is a low use of accounts and non-cash payments. This presents a huge opportunity for new entities known as ‘fintechs’ to provide fintech and related innovations, to introduce business models, and to provide services currently not addressed by the banks and other large incumbents. These new entrants and new technologies invariably catalyze a country’s financial and technology ecosystem, creating network effects of increased competition, more choice, higher overall efficiencies, and in a developing world context, improving financial inclusion. Their innovations may include consumer-facing service verticals such as mobile payment technologies; crypto-assets; wealth management tools and Robo-advisors; and lending. Back-end products provision could include use of distributed ledger technologies (DLTs), centralized and intelligent anti-money laundering (AML) and know your customer (KYC) systems; cloud computing storage and application platforms; artificial intelligence (AI); machine learning (ML) applications, and predictive data analytics. New data-driven open banking and open finance models may improve competition and enhance offerings for consumers. The Report finds though that for Pakistan, there are currently identifiable issues constraining this potential, inter alia, lack of a predictable, competitive and enabling commercial environment and regulatory framework for fintechs, fintech and its ancillary components. Based on these observations and on trends in regulation of fintech and fintechs worldwide, a number of Recommendations are provided in this Report, which are categorized by suggested regulatory framework and policies; market conditions, innovation and conduct; and regulatory capacity and coordination. The contours of an appropriate regulatory strategy that balances such approaches is outlined below. Primary findings from the mission include the following observations and associated recommendations: 1.Lack of Direct Regulatory Framework for Enabling Fintechs And Fintech In Pakistan: At a regulatory design level, the use in Pakistan of what is known as a rules-based, institutional approach has manifested one-size fits all regulatory regime. These approaches do not however easily adapt to the emergence of new technologies, entities and business models. Instead, they favor well-funded entities since startups are handicapped by high licensing costs that, in all, stymie their ability to launch new products or fully introduce innovations. The consequential regulatory issues are the lack of definitive regulatory categorization of ‘fintechs,’ or only tangential reference to their activities by the SBP and SECP.

Recommendations: Many developed and developing countries have in large measure embraced more modern regulatory approaches, particularly the more flexible and ‘fintech-enabling’

USAID Small and Medium Enterprise Activity (SMEA) Page. iv

principles and functional approaches that replace or augment the current rules and institutional approaches respectively. The principles-based approach is usually technologically neutral, risk-based, and sets a number of principles or guidelines for entities to follow to achieve desired regulatory outcomes. It also allows regulators (and entities) to adapt to changing market conditions and the emergence of new technologies, whilst still addressing systemic, AML and consumer protection risks and concerns. The paired functional approach provides a framework for who and what is being regulated, categorizing entities broadly through their functional activity (vertical) rather than by the type of entity. The product-based regulatory approach is a sub-set of the functional approach, regulating specific products that may pose consumer, AML and systemic issues.

2. Lack of Ancillary Regulations for Providing Certainty to Critical Fintech Usage Components: Secondary, ancillary regulations may also be needed to address regulatory gaps for brining certainty to the use technologies and processes that fintechs (and others) will invariably need in pursuing their innovations. This is the how component of the regulatory trilogy and includes regulations addressing cloud computing use; contractual and evidential certainty in the use of distributed ledger technologies (DLT); increased access to data in ‘data lakes’ held (often exclusively) by large incumbents; ability to share and use KYC data in a centralized manner; data protection requirements for all entities; and use of AI and ML to replace or augment human decision making.

Recommendations: Applying a data-centric approach to regulation may catalyze and complement a number of domains, including open banking, open finance, regtech, suptech, increased consumer choice, financial inclusion, open APIs, moves towards a more flexible principle-based regulation, and regulatory coordination. Required however are a number of regulatory innovations, including clearer and more permissive cloud computing and data-localization rules, initiating policies towards principle-based regulations based on functional criteria, and an implementation of open banking and finance policies. Pairing the how with the who and what of regulation would necessarily involve increased amount of regulatory coordination between regulators - usually a very glacial process.

But regulatory coordination is crucial here, given that many of these primary and ancillary regulatory issues may fall within the remit of one or more regulators. Similarly, access by regulators to accurate and contemporaneous data is necessary not only for their internal ‘regtech’ use, but also for supervisory purposes to determine the degree of adherence of supervised entities to any rules or principles as the front end of desired regulatory policy ‘outcomes.’ Modern analytical tools can help make sense of this data by employing quantitative analysis to clarify enforcement priorities and the potential costs of non-compliance.

Approaches To The Report’s Primary Recommendations: Noting the broad scope of the recommendations above, the consensus view of fintechs as Small and Medium Enterprises (SMEs) and some of the regulators in attendance at the USAID fintech workshop held on July 25th 2019 in Karachi was for regulators to transition from the current, strict rules-based, institutional approaches towards development of a new primary regulatory regime for fintechs. This would entail embracing a data-centric, technologically neutral functional approach based on

USAID Small and Medium Enterprise Activity (SMEA) Page. v

principle-based regulations, and which may include secondary laws and regulations supporting ancillary services for fintechs.

Notably though, and to avoid ‘big bang’ regulatory changes that may unsettle markets and policy makers, regulators could use a (transitionary) hybrid, evolutionary approach that includes elements of institutional, principles, functional and product approaches.

Regulators also should be able to exercise discretion to determine which rulesets should apply to any entity, and if any should be temporarily waived or fully exempted. Thereto, a regulatory sandbox operated by SBP or a combination of SBP, SECP and Pakistan Telecommunications Authority (PTA) or an outside entity authorized by these regulators should be implemented as soon as possible. This would complement the sandbox announced by the SECP in December 2019. It would also facilitate a ‘transition period’ that avoids the touted ‘big bang’ approach which the SBP indicated they would not be in favor of, given their need to retain some elements – particularly for the banking and lending sectors – of the rules-based, institutional approach.

In all, these approaches, it is submitted, could satisfy the following constituencies:

● Regulators: A transitionary, hybrid regulatory regime means that there is no ‘bang-bang’ move from a familiar and tested institutional/product/rules-based approach towards a potentially unfamiliar principles/functional/product approach that may raise public-policy and concerns and potentially even legal challenges. It also allows regulators to act in the interests of customers, protecting them in a changing environment that can pose new, unanticipated risks that may also raise systemic stability and AML concerns. It also allows multiple regulators to have oversight on sectors implementing specific functions/products, without significantly impacting their respective remits and creating regulatory arbitrage.

● Fintechs (as SMEs): It provides an opening to introduce innovations with less burdensome regulatory requirements.

● Plans for Sandboxes: A glacial approach fits within a risk-based approach that cultivates innovative classes or services and products whilst limiting the potential of open-ended regulation to exposure money laundering and consumer harm.

● Investors: Noting the relative lack of foreign investors in Pakistan compared to its peers, regulatory certainty is a very attractive proposition for investors, improving ROI times.

USAID Small and Medium Enterprise Activity (SMEA) Page. vi

USAID Small and Medium Enterprise Activity (SMEA) Page. vii

ACRONYMS AI Artificial Intelligence AML Anti-Money Laundering API Application Programming Interface AWS Amazon Web Services B2B Business-to-Business B2C BMR CAR

Business-to-Consumer Balancing, Modernization and Replacement of SMEs Capital Adequacy Ratio

CB CGS

Central Bank Credit Guarantee Scheme

CCP CEER

Competition Commission of Pakistan Companies Easy Exit Regulations

CIV CSR

Customer Identification and Verification Companies Regularization Scheme

CSP DFI DFID

Cloud Service Provider Development Finance Institutions Department for International Development UK

DLT Distributed Ledger Technology eKYC Electronic Know Your Customer EMIs Electronic Money Institutions EU European Union FATF Financial Action Task Force FBR Functional Based Regulation Fintech Financial Technology Fintechs Financial Technology Companies FSB Financial Stability Board G2P Government-to-Person GOP IBI

Government of Pakistan Islamic Banking Institutions

IBR IOT

Institutional-based Regulation Internet of Things

USAID Small and Medium Enterprise Activity (SMEA) Page. viii

IPR IRDAI

Intellectual Property Rights Insurance Regulatory and Development Authority of India

KYC Know Your Customer MAS ME

Monetary Authority of Singapore Medium Enterprise

MFIs Micro Finance Institutions ML Machine Learning MNO Mobile Network Operator MoITT Ministry of Information Technology and Telecommunication MOU Memorandum of Understanding NADRA National Database and Registration Authority NBFCs Non-Bank Finance Companies NBFIs Non-Bank Finance Institutions NCCPL NFAS

National Clearing Company of Pakistan Limited Non-Financial Advisory Services

NFIS National Financial Inclusion Strategy P2P Peer to Peer (P2P) PBR Principles-based regulation PII Personally Identifiable Information PRISM Pakistan Real Time Interbank Settlement Mechanism PSD2 EU Second Payment Services Directive PSO Payment System Operator PSP RBI

Payment System Provider Reserve Bank of India

RBR SE SEDI SEDF

Rules-based regulation Small Enterprise Securities and Exchange Board of India Sindh Enterprise Development Fund

SBP State Bank of Pakistan SECP Securities and Exchange Commission of Pakistan SME SMEDA STR

Small and Medium Enterprise Small Medium Enterprise Development Authority Secured Transaction Registry

TPSP Third Party Service Provider

USAID Small and Medium Enterprise Activity (SMEA) Page. ix

UIDAI Unique Identification Authority of India UK United Kingdom USAID United States Agency for International Development USD US Dollar VC Venture Capital

USAID Small and Medium Enterprise Activity (SMEA) Page. x

Table of Contents EXECUTIVE SUMMARY iii

ACRONYMS vii

1. INTRODUCTION 1

1.1. SCOPE OF THIS REPORT 1

1.2. APPROACHES TO THIS REPORT 2

2. ‘FINTECH’ AND ‘FINTECHS’ 3

2.1. OVERVIEW 3

2.2. THE ‘FINTECH’ AND PAYMENTS ECOSYSTEM IN PAKISTAN 4

2.2.1. Overview 4

2.2.2. Regulatory Environment Summary 6

2.2.3. Collaborative Challenges for Financial Ecosystem Participants 7

2.2.4. Additional Challenges 8

3. SME SECTOR 9

3.1. POLICY & REGULATORY INITIATIVES FOR SMES 10

3.1.1. Policy Initiatives 10

3.1.2. Regulatory Initiatives: 14

3.2. SME FINANCING PRODUCTS: 16

3.3. CURRENT STATE OF SMALL & MEDIUM ENTERPRISES IN PAKISTAN: 17

4. GLOBAL APPROACHES TO REGULATION OF FINTECH AND FINTECHS 20

4.1. GENERAL OVERVIEW 20

4.2. REGULATORY APPROACHES 21

4.2.1. Principles-based Regulation (PBR) Approach: 23

4.2.2. Functional-based Regulation (FBR) Approach: 23

4.2.3. Rules-based Regulation (RBR) Approach: 23

4.2.4. Institutional-based Regulation (IBR) Approach: 24

4.2.5. Product-based Regulation Approach: 24

4.2.6. Comparing Application of the Regulatory Approaches 25

4.3. SUPRANATIONAL APPROACHES TO FINTECH INNOVATION AND REGULATION: THE BALI FINTECH AGENDA 27

USAID Small and Medium Enterprise Activity (SMEA) Page. xi

4.4. PRACTICAL IMPLEMENTATION OF THE REGULATORY APPROACHES 30

4.4.1. Overview 30

4.4.2. Hybrid Regulatory Approaches 30

4.5. COUNTRY APPROACHES TO FINTECH INNOVATION AND REGULATION 30

5. ANCILLARY REGULATIONS IMPACTING FINTECH AND FINTECHS 37

5.1. OVERVIEW: 37

5.2. DISTRIBUTED LEDGER/BLOCKCHAIN TECHNOLOGIES (DLTS): 38

5.3. CLOUD COMPUTING AND DATA LOCALIZATION RULES 38

5.4. DATA PROTECTION AND PRIVACY: 39

5.5. ARTIFICIAL INTELLIGENCE (AI) AND MACHINE LEARNING (ML) 40

5.6. OPEN BANKING: 41

5.7. OPEN FINANCE 43

5.7.1. Overview: 43

5.7.3. Risk of Open Finance 45

5.8. REGULATORY SUPPORT FOR FINTECH INNOVATION 45

5.8.1. Regulatory Sandboxes 45

5.9. CENTRALIZED KYC UTILITIES FOR AML/CFT COMPLIANCE: 47

5.10. TECHNOLOGY OUTSOURCING: 47

6. LEGAL, POLICY AND REGULATORY ENVIRONMENT FOR FINTECHS AND FINTECH IN PAKISTAN 48

6.1. THE LEGAL SYSTEM IN PAKISTAN: 48

6.2. ‘RELEVANT’ FINTECH REGULATORS AND POLICY MAKERS 48

6.2.1. State Bank of Pakistan 49

6.2.2. Security Exchange Commission of Pakistan 50

6.2.3. Pakistan Telecommunication Authority: 51

6.2.4. Ministry of Information Technology and Telecommunication 51

6.2.5. The National Database and Registration Authority: 51

6.2.6. Competition Commission of Pakistan (CCP) 51

6.3. GOVERNMENTAL INITIATIVES ON FINTECHS AND FINANCIAL INCLUSION 52

6.4. REGULATORY COORDINATION AND INTERACTIONS BETWEEN REGULATORS, AND WITH POLICY MAKERS 53

6.5. PREVALENCE OF RULE-BASED, INSTITUTIONAL LICENSING FRAMEWORK 54

USAID Small and Medium Enterprise Activity (SMEA) Page. xii

6.6. LIMITATIONS IN ACQUIRING ENABLEMENT 58

6.7. LIMITATIONS IN ACQUIRING CUSTOMER INFORMATION FOR KYC 58

6.8. ANCILLARY LAWS, REGULATIONS AND POLICIES IN PAKISTAN RELEVANT TO FINTECH 59

7. RECOMMENDED APPROACHES FOR FINTECH REGULATION IN PAKISTAN 62

7.1. OVERVIEW 62

7.2. IMPLEMENTING A RISK-BASED APPROACH TO REGULATION OF FINTECH AND FINTECHS 62

7.3. ANCILLARY LAWS AND REGULATIONS FOR ENSURING DATA-CENTRICITY AND REGULATORY CERTAINTY 63

7.3.1. Overall Approaches 63

7.3.2. Implementation of Open Banking and Open Finance Regimes for Pakistan 65

7.3.3. Artificial Intelligence and Machine Learning 67

7.3.4. Enhancing Data Protection and Data Privacy 67

7.3.5. Clarification of Cloud Computing Use 68

7.3.6. Clarification of Technology Outsourcing Perimeters 68

7.3.7. Improving Protections for the Intellectual Property Rights of Fintechs 69

7.3.8. Use of KYC Utilities for Collaborative Compliance 69

7.4. FACILITATE COORDINATION OF ANCILLARY REGULATION AND POLICIES 70

7.5. FACILITATE COORDINATION ON SANDBOXES AND INNOVATION OFFICES 70

8. CONCLUSIONS AND RECOMMENDATIONS 72

9. ANNEXURE/ APPENDICES 82

USAID Small and Medium Enterprise Activity (SMEA) Page. xiii

List of Tables Exhibit 1: Fintech Service Verticals. .......................................................................................... 4 Exhibit 2: Fintech applications and companies in Pakistan. ...................................................... 5 Exhibit 3: State Bank of Pakistan definition of SMEs. ................................................................ 9 Exhibit 4: State Bank of Pakistan SME financing products. ......................................................17 Exhibit 5 : Conceptual differences between principles- and rule-based regulatory approaches.

..........................................................................................................................................21 Exhibit 6: Practical examples of differences between principle- and rule-based regulatory

approaches. ......................................................................................................................22 Exhibit 7: The Degree of Regulatory Supervision For Each Functional Activity Using A FBR

Approach. ..........................................................................................................................24 Exhibit 8: Relative Advantages and Disadvantages of Principles-Based Regulatory Approach

Versus A Rules-Based Regulatory Approach. ...................................................................27 Exhibit 9: The Bali fintech principles and their potential applicability to Pakistan. .....................29 Exhibit 10: Examples of hybrid regulatory approaches using either principles or rules as the

primary focus. ....................................................................................................................30 Exhibit 11: Comparative country approaches to fintech regulation. ..........................................31 Exhibit 12: Some key highlights on Fintech Development in India ............................................33 Exhibit 13: Intersection of Financial Regulations with Ancillary Laws and Regulations .............37 Exhibit 14: Cloud Computing Storage and Personally Identifiable Information (PII) .................39 Exhibit 15: Stylized Use of Open Banking ................................................................................42 Exhibit 16: Potential Open Finance Schemes for Pakistan ......................................................44 Exhibit 17: Risks that open finance could pose to customers and competition in the financial

sector. ...............................................................................................................................45 Exhibit 18: International Regulatory Environment Assessment of Pakistan. .............................48 Exhibit 19: Payment System snapshot - State bank of Pakistan .............................................49 Exhibit 20: Government entities and regulators involved in authorizing or regulating

components that encapsulate fintech activities. .................................................................54 Exhibit 21: SBP’s Onboarding Process for SMEs In Payments ................................................56 Exhibit 22: Limitations of a One-Size-Fits-All Regulatory Approach to Financial Ecosystem

Regulation in Pakistan .......................................................................................................57 Exhibit 23: Status of Ancillary Laws, Regulations and Policies in Pakistan relevant to Fintech 60 Exhibit 24: Regulatory Innovations Needed in Pakistan For Fintech-related Enablement.........64 Exhibit 25: Data that could be shared in an API-driven open finance ecosystem, with

appropriate regulatory endorsement by the SBP and SECP. .............................................66 Exhibit 26: Summary of Issues, Effects And Recommendations For Development Of The

Fintech Ecosystem In Pakistan. .........................................................................................74

List of Figures

USAID Small and Medium Enterprise Activity (SMEA) Page. xiv

Figure 1: Historical trend of the average sales revenue 7 Figure 2: Classification of Sample Hotels 8

Exchange Rate (only if used) 1 USD = 104.659 PKR

Regulatory Framework for Fintechs in Pakistan <Final>

USAID Small and Medium Enterprise Activity (SMEA) Page. 1

1. INTRODUCTION 1.1. SCOPE OF THIS REPORT Financial technology (‘fintech’)1 and digital innovations in the financial sector have emerged as a potentially transformative force in a country’s development. Potential benefits include efficiency improvements, risk reduction and greater financial inclusion.

This innovation potential has become a focal point of attention from supra-national bodies, investors, financial technology companies (‘fintechs’), policy makers, lawmakers, and regulators. In many cases, fintech is a key component of national financial inclusion strategies.

Regulatory and policy reaction globally to the emergence of fintechs and fintech though has been mixed. Some jurisdictions have reworked laws and regulations to be more flexible for adaptation to new fintechs, their ‘fintech’ innovations and other technologies, business models and use cases. Some have passed eponymous ‘fintech’ laws to create a framework that encompasses a blended set of pro-competition, data-centric policy and regulatory frameworks, while others have put in place a variety of regulatory and supervisory initiatives such as regulatory sandboxes, innovation hubs or teams, tech sprints, innovation incubators and accelerators.

Not all jurisdictions though have moved that quickly or adapted at all. This is in part because of public policy considerations; regulatory arbitrage due to, inter alia, overlapping regulatory remits; insufficient regulatory capacity, and regulator and law-maker inertia. There are also challenges involved in regulating evolving technologies; monitoring activity outside regulated sectors; identifying and monitoring new risks arising from the technologies, new entrants, new business models, and new service verticals. In many cases, perceived risks around anti-money laundering (AML), consumer protection and systemic considerations have quenched a potential regulatory and policy renaissance for enabling and nurturing fintech and fintechs.

This overall inertia invariably stymies investment in the sector, resulting in missed opportunities, reduced competition and loss of expertise. In jurisdictions where this inertia exists, new framing for identifying, managing and supervising potential risks arising from fintech and fintechs are much needed. Pakistan stands at a similar junction, with the potential for the implementation of swathes of innovation and investment awaiting regulatory catalyzation of fintechs and new technologies through new enabling policy frameworks and improved regulatory coordination.

This Report addresses potential regulatory strategies to catalyze and bootstrap the development of the growing, but still nascent fintech ecosystem in Pakistan, including recommendations in line with evolving best practices worldwide on new data-centric, technologically-neutral, risk-based policy frameworks and approaches that could be used by

1 The term ‘Fintech’ is a contraction of the words ‘finance’ and ‘technology’ and refers to the technological start-ups that are emerging to challenge traditional banking and financial players and covers an array of services, from crowd funding platforms and mobile payment solutions to online portfolio management tools and international money transfers.



the primary fintech regulators in Pakistan, the State Bank of Pakistan (SBP) and the Securities and Exchange Commission of Pakistan (SECP).

The issues and findings are based on desktop research, collaboration with consultant Mr. Talha Leghari; a mission to Pakistan from July 22 to 31 2019 to meet with fintechs in Pakistan and regulators, and the outcomes of a fintech workshop held on July 25 2019 in Karachi with fintech and banking ecosystem participants and some regulators.

Due to logistical constraints, the consultant was unable to meet with the SECP.

Portions of this Report are adapted from previous reports on the fintech ecosystem in Pakistan by Mr. Talha Leghari.

1.2. APPROACHES TO THIS REPORT Section 1 is the introduction to the Report, and these approaches. Sections 2-5 provide the context-setting for later recommendations in this Report on how regulators in Pakistan could catalyze and grow the fintech ecosystem.

Specifically:

Section 2 outlines the global fintech ecosystem and the fintech market in Pakistan

Section 3 outlines the theoretical aspects of fintech-focused regulation, encompassing a number of legal and regulatory principles, and their relative strengths and disadvantages. These theoretical and practical expositions are meant to underpin the later recommendations for their use in Pakistani fintech context.

Section 4 deals with ancillary regulations and their importance in complementing fintech regulation by filling in any regulatory gaps.

Section 5 outlines the legal, policy and regulatory environment for fintechs and fintech in Pakistan.

Sections 6 outlines proposed approaches for fintech regulation in Pakistan.

Section 7 summarizes the findings in the Report and proposes a number of recommendations categorized by regulatory framework and policies; market conditions, innovation and conduct; and regulatory capacity and coordination. A color-coded priority scale is also provided per recommendation, reflecting the consultant’s view of relative timeframes needed (or possible) for the adoption of the recommendations to catalyze fintech adoption in Pakistan.



2. ‘FINTECH’ AND ‘FINTECHS’ 2.1. OVERVIEW The Financial Stability Board (FSB) defines ‘fintech’ as:

‘[T]echnologically enabled financial innovation that could result in new business models, applications, processes, or products with an associated material effect on financial markets and institutions and the provision of financial services.’2

This definition encompasses the wide variety of innovations in financial services enabled by technologies, regardless of the type, size and regulatory status of the innovators. The broadness of the FSB definition is useful when assessing and anticipating the rapid development and innovations in the financial system and financial institutions, and the associated risks and opportunities.3

Although ‘fintech’ is an umbrella term, we bifurcate it for the purposes of this Report as ‘fintech’ and ‘fintechs,’ the former being the technology catalyst and enabler, and the latter being the set of actors implementing fintech. This bifurcation assists in the Report’s later proposal on methods than could be employed to catalyze and regulate, as needed, ‘fintechs’ as well as ancillary regulations needed to fill regulatory gaps.4

Fintech innovations have the potential to deliver a range of benefits, in particular efficiency improvements and cost reductions. Technological developments are also fundamentally changing the way people access financial services and increasing financial inclusion. Recognizing the huge potential of the sector, there have been large investments by venture capital (VC) funds, with the value of fintech deals worldwide during 1H19 at USD 22 billion, and with the number of global deals increasing by 2% to 1,561 compared to 2018.5 Licensed financial institutions and others clearly not only use ‘fintech’ products developed by external fintech companies, but may use their own internally-developed ‘fintech’ solutions.

Ultimately though, consumer choice and market efficiency can be catalyzed by the introduction of new sets of classes of product types – also called ‘verticals’ - using fintechs that service a particular market function or vertical.

2 FSB (2019) fintech and market structure in financial services: Market developments and potential financial stability implications, available at https://bit.ly/2t9OBWu. Portions of this report are based on Perlman, (2019) Fintech and Regtech: Data as the New Regulatory Honeypot, available at www.ssrn.com; and Perlman, L, Wechsler, M & Gurung, N (2018) The State of Regulatory Sandboxes in Developing Countries, available at www.dfsobservatory.com; 3 Basel Committee on Banking Supervision (2013) Principles for Effective Risk Data Aggregation and Risk Reporting, available at https://www.bis.org/publ/bcbs239.pdf 4 Zetzsche, D; Buckley, R; Arner, D and Weber, R (2019) The Future of Data-Driven Finance and Regtech: Lessons from EU Big Bang II, available at https://ssrn.com/abstract=3359399; Weber, R (2017) Regtech as A New Legal Challenge, available at: https://ssrn.com/abstract=3359399 5 The ongoing trade war between the US and China led global fintech investments to fall by 29% during 1H19 according to Accenture. During 2014 around USD 12 billion was invested in Fintech companies, and in 2015 USD 20 billion. TechRadar (2019) Global fintech investment plummets worldwide, available at https://bit.ly/2SwrmRe

https://bit.ly/2t9OBWu

https://ssrn.com/abstract=3359399



Some of the major fintech products and services (as verticals) currently used in the market place include peer to-peer (P2P) lending and crowd-funding platforms; distributed ledger technology (DLT), crypto-asset and blockchain-based solutions; big data generators and analytics; financial information and access aggregators and providers; and Robo-advisors and wealth management.

Exhibit 1 shows a number of verticals that are part of a number of fintech ecosystems worldwide.

Exhibit 1: Fintech Service Verticals.

These vertical could form the basis of a principles-based functional approach to fintech regulation in Pakistan.

2.2. THE ‘FINTECH’ AND PAYMENTS ECOSYSTEM IN PAKISTAN 2.2.1. Overview Startup activity is thriving in the software and services sector of Pakistan, with some 360,000 software developers and over 10,000 IT graduates.6 What is lacking however is a coordinated national effort to convert this potential into a thriving fintech sector:7

The sluggish growth8 mirrors the absence of a sufficiently engaged and primed VC industry to raise capital. This lack of liquidity further hampers the development and growth of these fintech startups, who usually raise pre-seed or seed capital through family and

6 GSMA(2018) A deep dive into Pakistan’s start-up ecosystem, available at https://bit.ly/2rxxuxt 7 Report on fintechs in Pakistan for Chemonics by Mr. Talha Leghari, July 2019. 8 Rizvi, S; Naqvi, B; and Tanveer, F (2018) Is Pakistan Ready to Embrace Fintech Innovation?, available at https://bit.ly/2PR1e1X



friends - often done only to develop prototypes. There is also a low contribution of financial services towards GDP, with a narrow focus on top of the proverbial pyramid.9

Unlike many of its regional peers then, Pakistan’s fintech ecosystem is still nascent, with only a few fintechs operating. Exhibit 2 categorizes identified companies in Pakistan by fintech applications/vertical. Most are located in Lahore, Islamabad, Peshawar and Karachi.10

In all, and alongside the uncertain regulatory environment and support, these challenges reportedly discourage11 entrepreneurs from venturing into the fintech environment with startups, SMEs and entrepreneurs focusing their development efforts in areas other than fintech.

Exhibit 2: Fintech applications and companies in Pakistan.

The primary fintech-type verticals in Pakistan appear to be payment application, payment platform applications, financial information comparison engines, payment gateways, digital lenders using alternative credit scoring, and investing tools. These are offered by banks, microfinance banks, non-bank financial companies (NBFCs) and startups. These would all, to some degree, benefit from a regularized data-sharing open financial framework. Very few of these entities share customer data, a silo’d approach that may change if open banking and open finance is embraced by regulators in Pakistan, described in Section 4.

9 Karandaaz (2019) Seeding Innovation, available at https://karandaaz.com.pk/karandaaz-publication/ 10 According to the GSMA Ecosystem Accelerator program’s tech hub landscaping research, Pakistan saw a 30% growth in the number of active tech hubs between 2018 (36 tech hubs) and 2016 (26 tech hubs), positioning itself as the largest tech ecosystem in South Asia after India. Most of these organizations are spread around the country’s three biggest cities – Islamabad, Karachi and Lahore. Partly accounting for this growth is the rise in private and public-led initiatives mainly focused on providing incubation support to early-stage start-ups. Academic institutions such as Bahria University, National University of Science and Technology (NUST), Institute of Business Administration (IBA) and Lahore University of Management Sciences (LUMS). GSMA (2018) A deep dive into Pakistan’s start-up ecosystem, available at https://bit.ly/2rfYaCK 11 Rizvi, S; Naqvi, B; and Tanveer, F (2018) Is Pakistan Ready to Embrace Fintech Innovation?, available at https://bit.ly/2PR1e1X



Data and Image Source: Nadeem Hussein.12

2.2.2. Regulatory Environment Summary While still nascent, there is relatively speaking a rapid growth in the fintech and ancillary sectors. This flurry of innovation raises questions on how to regulate it.13 Regulators in Pakistan – and other countries faced with similar innovations - have found it difficult to craft regulation that accommodate firms of various sizes, technology use, and business verticals.14

As things currently stand however, the benefits of fintech innovation cannot be fully realized. The regulatory environment in Pakistan, spread as it is across multiple regulators with remit directly or indirectly over fintechs, is viewed by fintechs and other non-bank ecosystem participants in Pakistan as being too restrictive due to the use of what is seen as a non-risk based, non-proportional ‘one-size-fits-all’ model. This regulatory environment is seen as favoring only larger institutions who can afford the one-size-fits-all license fees and who are able to satisfy initial and ongoing regulatory scrutiny. More strategically though, and a major existential challenge for fintech firms, is that there is no specific category or sets of (licensing) categories at the SECP and SBP levels that reflect their ‘non-standard’ and evolving business models.

12 https://www.tezfinancialservices.pk/tfs/fintech.php 13 Zetzsche, D; Buckley, R; Arner, D and Weber, R (2019) The Future of Data-Driven Finance and Regtech: Lessons from EU Big Bang II, available at https://ssrn.com/abstract=3359399 14 Rizvi, S; Naqvi, B; and Tanveer, F (2018) Is Pakistan Ready to Embrace Fintech Innovation?, available at https://bit.ly/2PR1e1X



In the current Pakistani financial regulatory regime, there are a set of licensed entities that include payment service providers (PSPs); payment system operators (PSOs); third party service providers (TPSPs); electronic money institutions (EMIs); non-bank financial institutions (NBFIs) party; and non-bank financial companies (NBFCs).

A there is no ‘fintech’ category per se in either of the SBP or SECP regulatory classification regimes, fintech-type services are thus mostly offered only by this closed group range of institutions authorized to do so within the perimeter of existing regulations. It has also meant that the financial industry that is mostly dominated by banks, although some of their (internal) innovations are provided by independent Pakistani or foreign fintechs.

A (more) accommodative framework – including category recognition - for ‘fintechs’ in Pakistan – is discussed in greater detail in Section 6, and would engender a number of potential gains, including:

● Enabling market participants to provide financial services at lower cost through disruption of traditional value chains; disintermediation; further automation resulting in more efficient processes.

● Enabling market participants to develop a broader range of products and services, thereby widening consumers’ and businesses’ choice and potentially providing them with better financing opportunities, new and better products and services such as crypto-assets, crowdfunding and business-to-business (B2B) lending.

● Enhancing financial inclusion by opening certain products or services to consumers or businesses that were previously excluded due to non-enabling regulation or policies, through a higher degree of personalization, broader product offerings, better pricing through lower marginal cost and improved accuracy of credit scoring.

● Achieving more effective regulation and compliance via automated reporting, data analysis, transactions monitoring.

2.2.3. Collaborative Challenges for Financial Ecosystem Participants

Fintechs to a large degree cannot independently provide services to customers. Anecdotal evidence suggests that banks see fintechs as threats or engendering reputational harm by absconding with customer funds. Where banks have partnered with fintechs, fintechs have shifted partnership dynamics from licensing to profit sharing.15 These however have been on a limited scale with only a few banks opening up their application programming interfaces (APIs) to fintechs to allow bank accounts or wallets to be used as payment methods on third party websites.

Further, most microfinance banks (MFBs) do not have access to the National Institutional Facilitation Technologies (NIFT)-operated Cheque Clearing House, and Pakistan Real Time Interbank Settlement Mechanism (PRISM) systems, which means that they are unable to provide the same level of payment services as banks.

15 Karandaaz (2019) Seeding Innovation, available at https://karandaaz.com.pk/karandaaz-publication/



The need in many cases to partner with banks and identity providers to satisfy AML/CFT requirements for Business-to-Consumer (B2C) services has meant that the scope and addressable market for independent provision of B2C services by fintechs has been quenched.

There is also a need for neutral fintech incubators that curate the innovation potential. According to startups and banks canvassed, there is a lack of collaboration platforms in Pakistan where fintechs and incumbents can collaborate.16 The incubators see very few entrepreneurs interested in financial services products because of the perceived regulatory uncertainty around this space and recommend the same to incubated startups.17

2.2.4. Additional Challenges The nascent fintech ecosystem in Pakistan is also subject to several other endemic and systemic challenges, including:

● Threats to data security and intellectual property. ● A limited card acceptance network, with no concerted efforts to expand it. ● Attracting the right talent and customer base. ● No deferred settlement system and real-time funds transfer system for interbank

low value credit and debit transfers. This has resulted in the predominance of cheques for all forms of corporate, financial service and Government of Pakistan (GOP) payments.

16 ibid 17 ibid



3. SME SECTOR Small and Medium Enterprises are the missing middle18 and economic backbone of almost every economy in the world19. According to the World Bank, ‘’Small and Medium Enterprises (SMEs) play a major role in most economies, particularly in developing countries. SMEs account for the majority of businesses worldwide and are important contributors to job creation and global economic development. They represent about 90% of businesses and more than 50% of employment worldwide’’.20

In Pakistan, there are more than 3.8 million21 Small and Medium Enterprises and providing 80%22 employment to the non-agriculture labor and contributing 40% in the Gross Domestic Product (GDP) of the country.23 Almost every country has a different definition for SMEs. State Bank of Pakistan Prudential Regulations for Small and Medium Enterprises Financing – Dec 201724, defines SMEs as business entities meeting the following parameters mentioned in Exhibit 3.

Exhibit 3: State Bank of Pakistan definition of SMEs.

Type *Number of Employees Annual Sales Turnover Small Enterprise

Up to 50 employees Up to Rs. 150 million

Medium Enterprise

51-250 employees (Manufacturing & Services MEs)

51-100 employees (Trading MEs)

Above Rs. 150 million and up

to Rs. 800 million (All types of Medium

Enterprises) *including contractual employees

Small and Medium Enterprises are operating in various sectors in Pakistan including Manufacturing, Textile, Light Engineering, Construction material, Leather Industry, Food items and other sectors.

Manufacturing: Textiles, leather, wooden furniture, light engineering, construction material, gems and jewelry, footwear, rice and wheat milling, metallic and non-metallic products, and sports goods.

18 https://nextbillion.net/the-missing-middle/ 19 https://www.worldbank.org/en/topic/financialsector/publication/whats-happening-in-the-missing-middle-lessons-from-financing-smes 20 https://www.worldbank.org/en/topic/smefinance. 21 https://fp.brecorder.com/2019/08/20190810505818/ 22 https://fp.brecorder.com/2019/08/20190810505818/ 23 https://fp.brecorder.com/2019/08/20190810505818/ 24 http://www.sbp.org.pk/smefd/2017/SME-PRs-Updtd-Dec-2017.pdf



Textile: Cotton-ginning, cotton-spinning, semi-finished and finished garments, bed-wear, bedlinen & table-linen, towel & terry products, curtain & furnishing, blanket, canvas and carpets.

Light Engineering: Manufacturing of bicycles, electric fans, home appliances, cutlery, surgical instruments, foundries, steel fabrication, automobile parts, agricultural implements and general workshops.

Construction Material: Ceramic, marble, granite and other mineral processing.

Leather Industry: Units for production of finished leather, leather garments, gloves and other goods. Food Items: Dairy, meat and poultry, bakery products, agriculture produces (such as vegetables, fruits and horticulture), fisheries, cold storage, pottery, tobacco and cigarettes. Others: Plastics, chemicals, paper and paperboard, information technology and hospitality

3.1. POLICY & REGULATORY INITIATIVES FOR SMES 3.1.1. Policy Initiatives In October 1998, the Government of Pakistan under Ministry of Industries & Production established Small and Medium Enterprises Development Authority (SMEDA)25. The institution is responsible to provide an enabling environment and business development services to small and medium enterprises in Pakistan. Following are the main objectives of SMEDA:

• Formulate Policy to encourage the growth of SMEs in the country and to advise the Government on fiscal and monetary issues related to SMEs.26

• Facilitation of Business Development Services to SMEs.27 • Facilitate the development and strengthening of SME representative bodies

associations/chambers.28 • Set up and manage a service provider’s database including machinery and

supplier for SMEs.29 • Conducting sector studies and analysis for sector development strategies.30 • Facilitation of SMEs in securing financing.31 • Strengthening of SMEs by conducting and facilitating seminars, workshops and

training programs.32

25 https://smeda.org/index.php?option=com_content&view=article&id=58:smepolicy-development&catid=2&Itemid=101 26 https://smeda.org/index.php?option=com_content&view=article&id=2&Itemid=689 27 https://smeda.org/index.php?option=com_content&view=article&id=2&Itemid=689 28 https://smeda.org/index.php?option=com_content&view=article&id=2&Itemid=689 29 https://smeda.org/index.php?option=com_content&view=article&id=2&Itemid=689 30 https://smeda.org/index.php?option=com_content&view=article&id=2&Itemid=689 31 https://smeda.org/index.php?option=com_content&view=article&id=2&Itemid=689 32 https://smeda.org/index.php?option=com_content&view=article&id=2&Itemid=689



• Donor assistances for SME development through programs and projects.33 • Assist SMEs in getting international certifications (such as UL, CE, DIN, JIS,

ASME, KS, etc.) for their products and processes.34 • Identification of service opportunities on the basis of supply/demand gap.35

Since its inception, SMEDA has executed various projects for small and medium enterprises development including Prime Minister’s ‘Kamyab Jawan – Youth Entrepreneurship Scheme’, for young entrepreneurs between the age group of 21 - 45 years36, Economic Revitalization of Khyber Pakhtunkhwa and FATA (ERKF)37 and Public Sector Development Projects including Dyeing , Washing & Pressing CFC for Silk Cluster - Mingora Swat38, Establishment of Spinning CFC - Islampur Swat39, Foundry Service Centre – Lahore40, Honey Processing & Packaging Common Facility Center - Mingora Swat41, Sialkot Business and Commerce Centre – SBCC42, SME Business Facilitation Center (SMEBFC) – Multan43, Sports Industries Development Centre (SIDC) – Sialkot44 and Women Business Development Centre (WBDC) - Mingora, Swat45.

To further promote SME financing in Pakistan, SMEDA collaborated with SBP and SECP and initiated various coordinated initiatives for SME sector development and facilitate SME borrowers46.

SBP: SBP has taken various initiatives to develop the SME banking in Pakistan and introduced various facilities ranging from short term to long term while providing incentives like markup subsidy, risk sharing and mix of both. SBP initiatives includes Targets for SME Financing for Banks and DFIs47, Compendium of SME financing products48, Prime Minister’s Youth Business Loans Scheme49, Credit Guarantee Scheme for Small and Rural Enterprises50, Credit Guarantee and Risk Sharing Scheme for Rice and Husking Mills in Sindh51, Refinance Facility for Modernization of SMEs52, Scheme for Financing

33 https://smeda.org/index.php?option=com_content&view=article&id=2&Itemid=689 34 https://smeda.org/index.php?option=com_content&view=article&id=2&Itemid=689 35 https://smeda.org/index.php?option=com_content&view=article&id=2&Itemid=689 36 https://smeda.org/index.php?option=com_content&view=article&id=568&Itemid=974 37 https://smeda.org/index.php?option=com_content&view=article&id=224:economic-revitalization-of-khyber-pakhtunkhwa-and-fata-erkf&catid=72&Itemid=578 38 https://smeda.org/index.php?option=com_content&view=category&id=34&Itemid=164 39 https://smeda.org/index.php?option=com_content&view=category&id=34&Itemid=164 40 https://smeda.org/index.php?option=com_content&view=category&id=34&Itemid=164 41 https://smeda.org/index.php?option=com_content&view=category&id=34&Itemid=164 42 https://smeda.org/index.php?option=com_content&view=category&id=34&Itemid=164 43 https://smeda.org/index.php?option=com_content&view=category&id=34&Itemid=164 44 https://smeda.org/index.php?option=com_content&view=category&id=34&Itemid=164 45 https://smeda.org/index.php?option=com_content&view=category&id=34&Itemid=164 46 https://smeda.org/index.php?option=com_content&view=article&id=494&Itemid=970 47 https://smeda.org/index.php?option=com_content&view=article&id=494&Itemid=970 48 https://smeda.org/index.php?option=com_content&view=article&id=494&Itemid=970 49 https://smeda.org/index.php?option=com_content&view=article&id=494&Itemid=970 50 https://smeda.org/index.php?option=com_content&view=article&id=494&Itemid=970 51 https://smeda.org/index.php?option=com_content&view=article&id=494&Itemid=970 52 https://smeda.org/index.php?option=com_content&view=article&id=494&Itemid=970

https://smeda.org/index.php?option=com_content&view=article&id=494&Itemid=970



Power Plants using Renewable Energy53 and Financing Facility for Storage of Agricultural Produce54.

To further smooth the SME financing in the country, SBP Policy for Promotion of SME Finance was launched by the Prime Minister of Pakistan on December 22nd 201755. A holistic exercise was undertaken in collaboration with relevant stakeholders to eliminate gaps in the SME financing and introduced following nine pillars/amendments in SME policy and regulations allowing rapid growth of SME financing in the country.

• Pillar 1: Improvement in Regulatory Framework56

o Revisions / Amendments in Prudential Regulations o Relaxation in Credit Risk Weights to calculate Capital Adequacy Ratio

(CAR) o Targets for SME Financing o Refinance Facility for SMEs

• Pillar 2: Upscaling through Microfinance Banks57 • Pillar 3: Risk Mitigation Strategy58

o Inclusion of low-end medium enterprises in Credit Guarantee Scheme (CGS)

o Establishing Credit Guarantee Company o Supporting Provincial Risk Sharing Schemes o Setting up of E-Registry

• Pillar 4: Simplified Procedures for SME Financing59 o Simplification of Loan Application for SMEs o Small Enterprise Loan Documentation Manual

• Pillar 5: Program based Lending & Value Chain Financing60 • Pillar 6: Capacity Building & Awareness Creation61 • Pillar 7: Handholding of SMEs – Non Financial Advisory Service (NFAS)62 • Pillar 8: Leveraging Technology to Promote SME Financing63 • Pillar 9: Simplifying Taxation Regime for SMEs64

o Tax rate reduction on banks’ income derived from SME financing o Tax holiday on income of eligible start-ups and women SE borrowers

(eligibility criteria and tenure for holiday to be finalized in consultation with Ministry of Commerce and Federal Bureau of Revenue)

o Reduction in sales tax on service sector SEs & MEs

53 https://smeda.org/index.php?option=com_content&view=article&id=494&Itemid=970 54 https://smeda.org/index.php?option=com_content&view=article&id=494&Itemid=970 55 http://www.sbp.org.pk/press/2017/Pr1-22-Dec-17.pdf 56 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 57 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 58 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 59 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 60 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 61 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 62 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 63 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 64 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf



SMEDA: SMEDA is supporting SME sector development in Pakistan while providing business development services through development and implementation of programs in core areas of access to finance and legal services. SMEDA initiatives includes Financial Analysis, Prefeasibility Studies, Business Plans, SMEDA Accounting Package, Banking Products and Services, Loan Facilitation Helpdesk and Financial Literacy Programs for Small and Medium Enterprises65.

SECP: SECP with its integrated role in the corporate and financial sector has taken various initiatives to promote SME sector development. SECP initiatives includes Regulatory Framework for Non-Bank Finance Companies engaged in Lending Services, Facilitation of SME sector through Private Equity and Venture Capital Funds, Introduction of SME Board, Promulgation of Single Member Companies Rule (SMC 2003), Companies Regularization Scheme (CRS), Introduction of Companies Easy Exit Regulations (CEER) and Setting up Facilitation Counters at Chamber of Commerce and Industry66. Recently, the federal government has entrusted the function of Secured Transaction Registry (STR) for unincorporated entities to the Securities and Exchange Commission of Pakistan (SECP). The registry will record charges/security interests created by entities on their movable assets. It is likely that the establishment of STR will improve Pakistan’s ranking in “getting credit” indicator of the World Bank’s Ease of Doing Business index that requires establishment of an integrated or unified collateral registry to register security interests in movable assets by incorporated and unincorporated entities67.

In 2018, The Planning Commission of Pakistan Ministry of Planning, Development & Reform Government of Pakistan introduced a policy framework68 to address cross cutting issues and gaps that are weakening the small and medium enterprise sector in Pakistan including an over-regulated business environment, complex human resource development environment, lack of updated technological framework, market constraints and complicated financial facilities etc. The policy framework addressed the above issues and gaps by summarizing the recommendations for Legislative Environment, Sectors Development Approach, Institutional Frameworks, Access to Finance, which suggests steps in the form of Credit Guarantee Schemes and Equity Participation Fund, Women Entrepreneurship Development, Technical and Vocational Skills Development and E-Enablement of Ease of Doing Business69.

65 https://smeda.org/index.php?option=com_content&view=article&id=494&Itemid=970 66 https://smeda.org/index.php?option=com_content&view=article&id=494&Itemid=970 67 https://www.secp.gov.pk/wp-content/uploads/2019/05/Press-Release-May-13-Secured-transactions-registry-established-in-SECP.pdf 68 https://www.pc.gov.pk/uploads/pub/FIRST_05_PAGES_of_SMEs_Sector_(1)1.pdf 69 https://www.pc.gov.pk/uploads/pub/FIRST_05_PAGES_of_SMEs_Sector_(1)1.pdf



3.1.2. Regulatory Initiatives: The State Bank of Pakistan while responding to certain market changes directed towards Small and Medium Enterprises, updated their Prudential Regulations in 201770 and defined a separate definition for small and medium sized enterprises mentioned above in Exhibit 3) in order to direct focus of Banks and DFIs separately towards them. Following key changes were made in the SME Prudential Regulations:

• Regulation SME R-1: SME Specific Credit Policy71 • Regulation SME R-2: e-CIB Report72 • Regulation SME R-9: General Measures73 • Regulation SE R-7: General Reserve against Small Enterprise Finance74 • Regulation SE R-10: Turn-Around-Time75 • Regulation ME R-6: Turn-Around-Time (newly introduced)76

SMEs are the pillars for economic development in a country, given the importance of SME Financing in Pakistan, SBP has also taken below initiatives to enhance SME financing in the country:

• Facilitated approval of “The Financial Institutions (Secured Transactions) Act, 2016” from the Parliament to facilitate SMEs and Agri borrowers to access credit from banking sector by using their movable assets as collateral.77

• Assigned SME financing targets to banks and DFIs for the first time in 2016 in order to enhance access to credit to this sector. To cater to Islamic financing needs of SMEs, SBP is persuading Islamic Banking Institutions (IBIs) to extend financing by assigning them SME financing targets. SBP has also advised banks and DFIs to put in place proper structures with regards to SME financing.78

• SBP is offering different risk coverage and refinance schemes for SMEs. A brief of these schemes is given below:79

o Launched ‘Credit Guarantee Scheme (CGS) for Small and Rural Enterprises’ in March 2010 in collaboration with UK’s Department for International Development (DFID). Under this scheme, risk coverage of up to 60 percent is provided against credit losses of participating financial institutions on their lending to micro, small and rural enterprises.80

o To improve access to finance for women entrepreneurs in underserved areas of the country, ‘Refinance and Credit Guarantee Scheme for Women Entrepreneurs in Underserved Areas’ has been offered by SBP under which financing at subsidized rate (up to 5 percent) along with risk

70 http://www.sbp.org.pk/smefd/2017/SME-PRs-Updtd-Dec-2017.pdf 71 http://www.sbp.org.pk/smefd/2017/SME-PRs-Updtd-Dec-2017.pdf 72 http://www.sbp.org.pk/smefd/2017/SME-PRs-Updtd-Dec-2017.pdf 73 http://www.sbp.org.pk/smefd/2017/SME-PRs-Updtd-Dec-2017.pdf 74 http://www.sbp.org.pk/smefd/2017/SME-PRs-Updtd-Dec-2017.pdf 75 http://www.sbp.org.pk/smefd/2017/SME-PRs-Updtd-Dec-2017.pdf 76 http://www.sbp.org.pk/smefd/2017/SME-PRs-Updtd-Dec-2017.pdf 77 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 78 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 79 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 80 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf



coverage is available for setting up of new businesses or expansion of existing ones.81

o Introduced SME-related refinance facilities for purchase of new imported/ local plant/ machinery and new generators, for adopting renewable energy projects using solar, wind, biogas and other renewable energy sources and for storage of agricultural produce.82

o Facilitating federal government to promote SME financing in the country through mark-up subsidy and risk coverage schemes. Prime Minister Youth Business Loan Scheme is one of such schemes.83

o Collaborating with provincial governments to facilitate in developing customized refinance and credit guarantee schemes in their respective provinces. SBP, in collaboration with Sindh Enterprise Development Fund (SEDF), has launched a ‘Mark-up Subsidy and Guarantee Facility for Rice Husking Mills’ in Sindh under which SBP provides the refinancing facility and SEDF provides markup subsidy and risk coverage. SBP is supporting Government of Punjab in designing subsidized refinance scheme for Balancing, Modernization and Replacement (BMR) of SMEs in Punjab and credit guarantee scheme for small enterprises in Punjab.84

Being a progressive regulator, the State Bank of Pakistan has also introduced a handbook for Islamic SME financing85, same is also applicable for Conventional SME financing. High level details of the prudential regulations are mentioned below:

• R-1 “Source and Capacity of Repayment and Cash flow -Backed Lending”86 • R-2 “Personal Guarantees”87 • R-3 “Limit on Clean Facilities”88 • R-4 “Securities”89 • R-5 “Margin Requirement”90 • R-6 “Per Party Exposure Limit”91 • R-7 “Aggregate Exposure of a Bank on SME Sector”92 • R-8 “Minimum Conditions for taking Exposure”93 • R-9 “Proper Utilization of Financing”94 • R-10 “Restriction on Facilities to Related Parties95

81 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 82 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 83 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 84 http://www.sbp.org.pk/smefd/PolicyPromotionSME-Finance.pdf 85 http://www.sbp.org.pk/ibd/pdf/Handbook-%28iSME%29.pdf 86 http://www.sbp.org.pk/ibd/pdf/Handbook-%28iSME%29.pdf 87 http://www.sbp.org.pk/ibd/pdf/Handbook-%28iSME%29.pdf 88 http://www.sbp.org.pk/ibd/pdf/Handbook-%28iSME%29.pdf 89 http://www.sbp.org.pk/ibd/pdf/Handbook-%28iSME%29.pdf 90 http://www.sbp.org.pk/ibd/pdf/Handbook-%28iSME%29.pdf 91 http://www.sbp.org.pk/ibd/pdf/Handbook-%28iSME%29.pdf 92 http://www.sbp.org.pk/ibd/pdf/Handbook-%28iSME%29.pdf 93 http://www.sbp.org.pk/ibd/pdf/Handbook-%28iSME%29.pdf 94 http://www.sbp.org.pk/ibd/pdf/Handbook-%28iSME%29.pdf 95 http://www.sbp.org.pk/ibd/pdf/Handbook-%28iSME%29.pdf



• R-11 “Classification and Provisioning for Assets96

State Bank of Pakistan is also empowered to grant license and supervise the affairs of credit bureaus under Credit Bureaus Act, 201597 in Pakistan. Credit Bureaus plays an integral role to credit risk management and advancement of a sound credit culture and decisions in the financial system. Lack of credit information is a major constraint faced by SMEs in assessing their creditworthiness. This initiative will certainly improve access to finance opportunities for SMEs in the country through improved credit reporting.

3.2. SME FINANCING PRODUCTS: The core SME financing products for Conventional and Islamic Financing allowed by the State Bank of Pakistan are mentioned below in Exhibit 4. Financial Institutions have adopted these financing products according to their business requirements.

96 http://www.sbp.org.pk/ibd/pdf/Handbook-%28iSME%29.pdf 97 http://www.sbp.org.pk/about/act/CreditBureauAct-2015.pdf



Exhibit 4: State Bank of Pakistan SME financing products.

SME Financing Type SME Financing Products Islamic SME Financing98

Murabaha Salam Istisna Tijarah Diminishing Musharakah Ijarah Mudarabah Musharakah

Conventional SME Financing99

Working Capital Financing Needs o Running Finance o Demand Finance o Cash Finance o Factoring

Asset Acquisition / Business Expansion

o Term Loan o Leasing

Trade Financing o Letter of Credit o Export Credit Financing o Bank Guarantee o Bills of Exchange Purchased o Trust Receipts

3.3. CURRENT STATE OF SMALL & MEDIUM ENTERPRISES IN PAKISTAN:

Despite of various policy, regulatory and other initiatives, SME landscape in Pakistan faces substantial challenges in securing credit lines, from financial institutions mainly because of collateral requirements, poor governance structure and documentation practices and reluctance of financial institutions to extend credit to SMEs. According to a study commissioned by Karandaaz, as of 2018, the demand for SME financing ranges between PKR 3.2 – PKR 4.6 trillion, more than half of which is working capital needs. The NFIS 100 days agenda also states promotion of SME finance i.e. Extend finance to 700,000 SMEs; 17% of the private sector credit).100 To further develop the SME landscape in Pakistan, following issues needs to be addressed.

98http://www.sbp.org.pk/departments/ihfd/SMEFP/Exploring%20Islamic%20Banking%20Solutions%20for%20SMEs.pdf 99 http://www.sbp.org.pk/sme/pdf/smebooklet-05-jul-08.pdf 100 http://www.finance.gov.pk/NFIS.pdf



Demand Side Issues & Constraints:

• Access to Finance issues • Lack of collaterals to meet banks’ requirements • Absence of proper accounts management, business planning, and missing formal

management • Low level of awareness about different financing options • Absence of reliable and credit worthy data

Supply Side Issues & Constraints:

• Current SME Financing products are not suitable to the need and requirements of SMEs

• Shortage of credit evaluation, product, marketing skills and non- innovative products • SMEs are perceived to be high risk projects by banks • Absence of credit scoring and reliable and responsible algorithms, cash flow based

lending, program based lending and downscaling • Absence of SME research and development in banks

Firm-Level Capabilities:

• Firm level training & skills development • Management capacity building • Acceleration and incubation support • Innovation and upgrading technology

Access to Markets:

• SME supply chain development • Innovative investment policy • Trade logistics and infrastructure

Enhancing access to finance for Small and Medium Enterprises is the most critical impediment in the underdeveloped countries. The current SME financing products offered by incumbents in Pakistan are mostly collateral based. Out of the total 3.8 million101 SMEs operating in the country, only a handful of SMEs – big sized SMEs are eligible for the existing financing products hence leaving behind majority of the SMEs and their future growth uncertainties. Following technology driven changes to business models can also expand access to finance with growth for SMEs.

- Peer to Peer Lending - Modernizing inefficient processes and reduce the role of costly intermediaries and invoice

financing - Process automation makes lending to SMEs viable - Using alternate data to expand credit scoring and models - Leveraging online commerce to expand invoice financing also called factoring - Use of blockchain can expand SMEs collateral for borrowing - Open Banking can support SMEs access to finance

101 https://fp.brecorder.com/2019/08/20190810505818/



- Artificial Intelligence can be used to provide new financing opportunities for SMEs - Open finance can be used to provide financing opportunities to SMEs through third parties - Account aggregation services can be used to expand SMEs access to finance. All of the above are various verticals of financial technology and can be tested in a close loop environment in the regulatory sandbox. The financial regulator can learn from the testing outcomes which will further help them to regularize these financial technology verticals and further support the improvement of SME access to finance and strengthening of the SME landscape in Pakistan.



4. GLOBAL APPROACHES TO REGULATION OF FINTECH AND FINTECHS 4.1. GENERAL OVERVIEW While fintechs can play an outsize role in the evolution of a country’s financial ecosystem, the breadth of the sector and its offerings can make it difficult to talk about ‘fintech regulation’ per se. The multiplicity of entities, a mosaic of business models and innovative technologies have generally complicated the classification of the various types of activities, products and transactions covered under the fintech spectrum.102

Simply put, if it’s difficult to define it and its scope, it’s usually also difficult to regulate it.

The challenge become even more pronounced with technology leaps – such as digital financial services, DLTs, crowd-funding platforms and AI – which with their breadth of application, invariably challenge the perimeters of many regulatory remits and scope of laws and regulations. That is, multiple laws, regulations and regulators may be impacted by the emergence of new technology beyond its obvious initial use, reflecting that evolving technology is often just an enabler of a particular activity or function.

There is clearly a need to update regulatory frameworks to leverage the benefits of fintech, whilst maintaining high standards of consumer protection, market integrity and the stability of financial systems.

The current main concerns of policymakers and industry arise not from the technology itself but from the question of who is applying technology to finance along with the speed of development. Lack of proper understanding and appreciation by regulators may lead to onerous conditions being imposed and/or delays in obtaining approvals.

While fintechs can play an outsize role in the evolution of a country’s financial ecosystem, the breadth of the sector and its offerings can make it difficult to talk about ‘fintech regulation’ per se. The multiplicity of entities, a mosaic of business models and innovative technologies have generally complicated the classification of the various types of activities, products and transactions covered under the fintech spectrum.103

Faced with the profound changes that fintech is bringing to the banking and financial sectors, regulatory uncertainty surrounding the fintech sector can severely hamper its development.104 Regulatory decisions have both a direct and indirect impact on competition between incumbent firms and newcomers.105 That is, they need to avoid over-protecting incumbents by erecting barriers to entry for newcomers as this would discourage financial

102 RBI (2018) Report of the Working Group on fintech and Digital Banking, available at https://bit.ly/2Zs91q6 103 RBI (2018) Report of the Working Group on fintech and Digital Banking, available at https://bit.ly/2Zs91q6 104 WEF (2016) The Complex Regulatory Landscape for fintech An Uncertain Future for Small and Medium-Sized Enterprise Lending, available at https://bit.ly/35Wa2sX 105 Nicoletti, B (2017) The Future of fintech: Integrating Finance and Technology in Financial Services, available at https://www.amazon.com/s?k=9783319514154&i=stripbooks&linkCode=qs

https://www.amazon.com/s?k=9783319514154&i=stripbooks&linkCode=qs



innovation and stifle competition in the financial sector. Similarly, they would not want to unduly favor newcomers by regulating them less stringently than incumbents simply in the name of fostering competition.106

4.2. REGULATORY APPROACHES A number of general regulatory approaches are in use by financial regulators around the world. At one end is the institutional-based regulatory (IBR) approach that reflects who is providing services. It is mostly anchored in predictable, but relatively inflexible ruled-based regulation (RBR).107 Here, an entity’s ability to fully comply with enumerated rules is the metric for regulatory compliance.

On the other end there is a product-like approach anchored in flexible, principle-based regulation (PBR) comprised of a functional approach which together reflect which services are being provided.108 Here, an entity’s ability to fully fulfill and embrace regulatory goals or outcomes is the metric for regulatory compliance. Exhibit 5 shows conceptual differences between pure PBR and RBR,109 while Exhibit 6 shows practical examples of differences between the approaches. Exhibit 7 shows functional activities and the type of regulatory approaches that can be used.

Exhibit 5 : Conceptual differences between principles- and rule-based regulatory approaches.110

Factor Principles-based regulation Rules-based regulation

Degree of precision

Directives are generally imprecise and open-textured, leaving scope for interpretation

Specific and precise rules for behavior and actions

Who decides on content?

Firms interpret the goal and make judgments as to how best to comply with the goal

Those drafting the rule, such as a regulator

When is content determined?

At the time the firm interprets the goal and takes action

At the time of the drafting of the rule

106 IMF (2017) Fintech and Financial Services: Initial Considerations, available at https://bit.ly/2ZuIUhY 107 UK Department for Business, Energy and Industrial Strategy (2018) Goals-Based And Rules-Based Approaches To Regulation, available at https://bit.ly/2ZdS16R; Black, J ( 2008) Forms and Paradoxes of Principles Based Regulation, available at https://ssrn.com/abstract=1267722; Pearson, J (2014) Rules- or Principles-Based Regulation - Factors for Choosing the Best Language Strategy 108 RBI (2018) Report of the Working Group on fintech and Digital Banking, available at https://bit.ly/395YYew 109 Adapted from UK Department for Business, Energy and Industrial Strategy (2018) Goals-Based And Rules-Based Approaches To Regulation, available at https://bit.ly/2ZdS16R; Black, J ( 2008) Forms and Paradoxes of Principles Based Regulation, available at https://ssrn.com/abstract=1267722; Allen, J (2013) Securities Regulation of Ontario Venture Issuers: Rules or Principles?, available at https://bit.ly/2ESIqc5; Pearson, J (2014) Rules- or Principles-Based Regulation - Factors for Choosing the Best Language Strategy 110 ibid

https://bit.ly/2ZdS16R




http://digitalcommons.osgoode.yorku.ca/phd/4



Fits in with a regulatory objective

Encourages firms to take actions and exercise judgments directly consistent with the regulatory objective

Assumed that the rule fits in with the objective, so that if firms comply with the rule, then the objective will be achieved

Enforcement approaches

Investigate whether the firm’s actions are consistent with the goal

Regulators investigate whether the firm has complied with the rule

It is trite that regulators diverting their resources to understand every new technological innovation could result in inefficient outcomes for regulators and their regulated industries. The rapid pace of technological innovation and the need to provide a cogent, flexible and technology-neutral wrapper to satisfy imperatives around financial integrity, financial inclusion, competition and consumer protection has meant a gradual move towards embracing some or all of the principle-based, functional-type of regulation.

Some jurisdictions which use one or other of these approaches also include a product-based approach that address specific product types, rather than product segments. Here, and depending on the risk implications, regulatory actions may vary from disclosure, to light-touch regulation and supervision, to fully-fledged regulation and supervision.

A tiered regulatory approach could be used through gradually increasing oversight and supervision of an entity as it grows and so its risk profile increases. In many jurisdictions, a move from a traditional institutional, rules-based regime to principles-based functional regulatory approaches is glacial, necessitating a transitional ‘hybrid’ regulatory arrangement which combined both approaches, but anchored in one set as the binding approach.

Exhibit 6: Practical examples of differences between principle- and rule-based regulatory approaches.

In the case of complex rules, there are multiple components to the rule. Principles-based Rules-based Complex Rule-based A company must hire sufficient and competent staff to manage all as aspects of cybersecurity

A company must employ a Chief Information Security Officer to manage all aspects of cybersecurity

A company must employ a Chief Information Security Officer to manage all as aspects of cybersecurity who has a Master’s Degree in Computer Science and has 10 years’ experience

All mobile money customers must provide some form of identity to sign up for services

All mobile money customers must provide a valid national identity document to sign up for services

All mobile money customers must provide a national identity, 3 utility bills for the past 3 months to sign up for services



4.2.1. Principles-based Regulation (PBR) Approach: • Description: Rather than specific rules, regulators provide principles fintechs

need to abide by. These principles provide the framework in which firms can organize their own (internal) system of management and control to achieve the outcome the regulator seeks. Here, outcomes and principles are set and the controls, measures, procedures on how to achieve those outcomes are left for each organization to determine. An entity may need to describe to the regulator why it chose a particular path to reach those outcomes.

● Advantages: Using a tiered approach, it allows fintech startups to provide services without onerous licensing requirements that apply to larger institutions. As the fintech start-up matures, it grows in its capacity to so does its compliance culture, with increasing access to sufficient financial resources.

● Disadvantages: The flexibility of a principle-based approach allocates sufficient discretionary power to the regulator to potentially create a level of uncertainty as to what exactly is expected in terms of compliance. That is, whilst a PBR approach may provide a start-up with the benefit of flexibility at an early stage, this may create limitations in terms of scalability of its business.

4.2.2. Functional-based Regulation (FBR) Approach: • Description: Entities, no matter who they are that fit a functional description of a

service or vertical can provide services. • Advantages: Allows classes of entities performing certain general activities (and

verticals) as specified generally to be authorized or licensed by the regulator (if at all needed), and is usually not based on any particular technology, class of or on the size of entity. Entities that fit within a certain level can simply gain authorization to operate. It also suits regulating in the era of rapid pace of technological innovation.

• Disadvantages: Requires that the regulator undertake continuous market studies to determine potential functions that can be included in a (functional) regulation. A number of regulators may be impacted by the broad functionality, which may induce regulatory arbitrage if regulators do not coordinate on which regulators have specific oversight.

4.2.3. Rules-based Regulation (RBR) Approach: • Description: Prescribes in detail or gives a set of rules. Regulators issue largely

inflexible rules as to who can provide services, if at all. • Advantages: Creates certainty as to what a fintech must do to comply as the

regulator must forward-engineer the implications of compliance for the intended regulatory outcomes, usually via a regulatory impact assessment. For fintechs, the legal predictability (and thus) higher compliance costs associated with a rule-based model may be balanced with the certainty of being more attractive to investors. This approach is more likely to create a barrier to entry for subsequent new competitors to existing fintechs.

• Disadvantages: Compliance obligations can limit the incentive of the supervised entity to do more because the obligations are perceived as sufficiently



comprehensive. Compliance costs can be very high as the regulatory regime may encompass a one-size-fits all approach.

4.2.4. Institutional-based Regulation (IBR) Approach: • Description: Only specified entities can provide specified services, using a one

size fits all approach. • Advantages: Regulators can tailor their regulatory capacity needs according to a

set number of entities that they may need to regulate based on finite descriptions of entity types and functions. For larger institutions, it keeps out competition as there is usually a high barrier to entry.

• Disadvantages: Entities that do not fit within the finite number of entity types may not be authorized or licensed. A one-size-fit all required collateral and/or license fee will exclude most startups who do not have the funds for this purpose, and who may not be able to undertake a rigorous due diligence process.

4.2.5. Product-based Regulation Approach: • Description: Regulation is based on the exact product or services rather than a

class of activities. • Advantages: Allows classes specific products to be authorized or licensed by the

regulator (if at all needed), and is usually not based on any particular technology, class of or on the size of entity. Entities that provide the product type within a certain level can simply gain authorization or simply undertake disclosure of their activities to consumers.

• Disadvantages: Requires that the regulator undertake continuous market studies to determine product portfolios. A number of regulators could be impacted by the product, which will induce regulatory arbitrage if regulators do not coordinate on which regulator has specific oversight. Requires that there be a specific rule for each specific product type.

Exhibit 7: The Degree of Regulatory Supervision For Each Functional Activity Using A FBR Approach.

Disclosure has the least compliance (and supervision) burden. Light touch has some supervision but may be deferred to self-regulation of periodic reporting. Rule-based fully-fledged reporting has the highest compliance, reporting and supervision components.

Function/activity Disclosure

Light Touch

Full-fledged

Mobile wallet e-commerce platform PSO Payment bank/EMI Recharge



Bill payments Online marketplace providing customized rate quotes on loans & insurance products Online lending Financial inclusion technology provider Multi-purpose prepaid cash card PoS terminal for accepting card payments Payment device maker Payment gateway Payment services through retail outlets Loyalty relationship management company Real-time market data & financial news Online investment platform for mutual funds Insurance aggregator & selling platform Analytics, Risk compliance solutions for banking Small business lending Online platform that provides working capital for SMEs Multi-brand gift card store B2B backend technology provider Web mobile based personal finance management platform Cloud based management platforms for lending institutions Smartphone application for P2P money transactions Virtual marketplace for money borrowers & lenders Managed subscription billing service for SaaS Branchless mobile banking Alternative payments solution for e-commerce companies to allow users to buy & pay later Online retail brokerage firm Care coordination solutions for healthcare organizations Fraud customer experience management solutions for financial, retail & telecom industry Cloud based compliance platform Market intelligence platform for private market investing Free income tax preparation & e-filling portal Web based deal origination tool for Private Equity firms & investment banks Financial planning & management tool Credit management services Online selling & comparison platform for insurance

4.2.6. Comparing Application of the Regulatory Approaches

Given rapid technology evolution, shifting business models, and often-limited regulatory capacity, it is often difficult for regulators to fully anticipate the types of innovations that may emerge in the market and their impact on the broader market and institutions.



In many regulatory regimes then, the RBR and IBR approaches are paired. In newer regimes geared towards enabling and nurturing technology innovations and new business models, the PBR and FBR approaches are embraced, with some product-based regulation used. Implementation of the set of rules within an RBR approach requires less interpretation and skills: the regulator provides rules and an organization must adopt and implement control measures to ensure compliance with the rules. A narrow focus though on rigid rules and compliance reporting has often led to the letter of the law being followed while the spirit of the law is missed.111 Exhibit 8 shows the relative advantages and disadvantages of principles-based regulatory approach versus a rules-based regulatory approach.112

A PBR approach seeks to set principles that specify the intention of regulation, rather than set rules detailing requirements of a financial institution. Implementation of a set of principles and outcomes requires interpretation and understanding of how an organization has to conduct itself to meet the outcome and then adopt and implement controls and measures to ensure that the organization complies with the outcomes and principles. It is not a ‘one-size fit all’ or ‘tick-box’ manner of implementation and it will differ for each organization. A change in focus to PBR should see a shift in both industry and the regulator toward ensuring that their actions and processes are geared toward driving the attainment of certain desired outcomes in the financial sector, not only on technical compliance with the law.’

Even so, there are ‘hybrid’ variants within the general types in Exhibit 10. Where a hybrid PBR approach is applied, firms may be required to justify why they deviated from any non-binding guidance. They may also need to show the regulator that their compliance approach was consistent with the regulatory goal/outcome.

The FBR approach though, aspirationally, creates a broad anticipation of which product types may emerge (the what); while the companion PBR-approach may address how these as yet unknown functional activities may be regulated. Any risk may be apportioned (tiered) based on the size and activity of the entity, of which its risk profile may change as the entity evolves.

It should be noted that while a product-based approach allows for some innovation, it is limiting since it requires constant updates to regulations and is thus more suited to long-standing product groups such as credit or debit card rules where there is a set, and predictable set of circumstances and harms/outcomes that could occur. The product approach could however be incorporated into an RBR-approach as a (non-exclusive) example of functions anticipated by this approach.

111 Allen, J (2013) Securities Regulation of Ontario Venture Issuers: Rules or Principles?, available at https://bit.ly/2ESIqc5; UK Department for Business, Energy and Industrial Strategy (2018) Goals-Based And Rules-Based Approaches To Regulation, available at https://bit.ly/2ZdS16R; 112 Adapted from UK Department for Business, Energy and Industrial Strategy (2018) Goals-Based And Rules-Based Approaches To Regulation, available at https://bit.ly/2ZdS16R; Black, J ( 2008) Forms and Paradoxes of Principles Based Regulation, available at https://ssrn.com/abstract=1267722; Allen, J (2013) Securities Regulation of Ontario Venture Issuers: Rules or Principles?, available at https://bit.ly/2ESIqc5; Pearson, J (2014) Rules- or Principles-Based Regulation - Factors for Choosing the Best Language Strategy








Exhibit 8: Relative Advantages and Disadvantages of Principles-Based Regulatory Approach Versus A Rules-Based Regulatory Approach.113

Factor Principles-based regulation Rules-based regulation

Flexibility Seen as more flexible Less flexible Predictability and certainty

More imprecise, and potentially less certain

More precise and therefore potentially more certain

Promotion of innovation

Seen to encourage experimentation and alternative approaches to compliance

Limited incentives to innovate in compliance

Equality Seen to promote substantive equality

Seen to promote formal equality

Impact on approach and mindset of firm

Requires firm to be forward- looking and think through consequences of actions

Can result in a tick-box mentality developing

Uniform or differential treatment of firm

Can allow for differential treatment of firm based on compliance history or other characteristics

Formally treats all firm the same

Ability to adapt to changes in environment market

More open-textured and therefore can be more adaptive to changes in the environment

Less adaptive to changes, rules can tend towards obsolescence, and require more rules to be introduced

Scope for exercise of regulatory discretion

Potentially significant scope for the exercise of regulatory discretion

Typically constrains the discretion of the regulator

Accountability Devolves some responsibility to firms, and can create an accountability gap

Regulator is ultimately accountable for failures

Incentives for compliance

Can lead to over- or under-compliance depending on level of precision of regulation, and the risk profile of regulates

Can create incentives to 'game the rules' and engage in creative compliance

4.3. SUPRANATIONAL APPROACHES TO FINTECH INNOVATION AND REGULATION: THE BALI FINTECH AGENDA

Recognizing the importance of fintechs in the development of financial ecosystems and their role in fostering innovations and competition, in October 2018 the International Monetary Fund

113 ibid



and the World Bank Group launched the Bali Fintech Agenda,114 a set of 12 policy elements aimed at helping member countries to harness the benefits and opportunities of rapid advances in financial technology that are transforming the provision of banking services, while at the same time managing the inherent risks

The Agenda’s 12 high-level issues are for countries to consider in their own domestic policy. They cover topics relating broadly to enabling fintech; ensuring financial sector resilience; addressing risks; and promoting international cooperation.

The Bali fintech principles and their potential applicability to Pakistan are outlined in Exhibit 9.

114 World bank (2018) The Bali Fintech Agenda: A Blueprint for Successfully Harnessing Fintech’s Opportunities, available at https://bit.ly/2MkdKoo



Exhibit 9: The Bali fintech principles and their potential applicability to Pakistan.

Bali Fintech Principle Potential Applicability To Pakistan Embrace the promise of fintech Use of regulatory sandboxes, innovation hubs,

innovation offices. Embrace function and PBR regulation.

Enable new technologies to enhance financial service provision

Allow new technologies to be tested in sandboxes

Reinforce competition and commitment to open, free, and contestable markets

Differential pricing for access to utility-type services like ID.

Foster fintech to promote financial inclusion and develop financial markets

Loosen capital requirements for fintechs licensing to allow more companies to provide digital financial services

Monitor developments closely to deepen understanding of evolving financial systems

Regulator meetings with fintech groups; regulatory sandbox; A common forum between industry participants, regulators and policy makers through should be instituted, with regulator meetings scheduled.

Adapt regulatory framework and supervisory practices for orderly development and stability of the financial system

Investigate using a hybrid approach to regulation by moving away from current strict institutional and rules-based supervision to combine with principles and functional-type regulation

Safeguard the integrity of financial systems

Use of KYC Utility for collaborative KYC/CIV purposes

Modernize legal frameworks to provide an enabling legal landscape

Investigate using a hybrid approach to regulation by moving away from current strict institutional and rules-based supervision to combine with principles and functional-type regulation; enable blockchain via new enabling laws and regulations

Ensure the stability of domestic monetary and financial systems

Embrace fully and execute on FATF AML recommendation; Facilitate a KYC Utility; Improve cooperation amongst regulators in Pakistan.

Develop robust financial and data infrastructure to sustain fintech benefits

Allow use of cloud computing in some form, and move away from strict data localization requirements

Encourage international cooperation and information-sharing

Move away from strict data localization requirements

Enhance collective surveillance of the international monetary and financial system

Embrace fully and execute on FATF AML recommendation; Facilitate a KYC Utility; Improve cooperation amongst regulators in Pakistan.



4.4. PRACTICAL IMPLEMENTATION OF THE REGULATORY APPROACHES 4.4.1. Overview While sharp distinctions are often made between the PBR and RBR in practice, the distinctions are less clear cut, and various forms of `hybrid' approaches are adopted which combine elements of each approach to regulation. For this reason, it is better to think of approaches as being either more PBR-like or more RBR¬ like, rather than in terms of pure versions of PBR and RBR.115

4.4.2. Hybrid Regulatory Approaches It is also possible to observe variants within the general PBR or RBR-typology. For example, where a hybrid PBR approach is applied which has binding goals and non-binding guidance, regulated entities may be required to justify why it is that they deviate from any non-binding guidance and/or bear the onus of demonstrating that their compliance approach is consistent with a regulatory goal. Exhibit 10 outlines these hybrid approaches.

Exhibit 10: Examples of hybrid regulatory approaches using either principles or rules as the primary focus.116

These regulatory approaches have binding and non-binding elements. In either case, the binding element determines the type of approach.

Approach Binding elements Non-Binding elements Hybrid PBR approach Principles,

outcomes & goals Guidance, safe-harbors, prior decisions, best practice requirements.

Hybrid RBR approach Rules Regulatory goals statement, exceptions, qualifications

4.5. COUNTRY APPROACHES TO FINTECH INNOVATION AND REGULATION

Often the benefits of PBR versus RBR approaches are not clear from the perspective of start-ups and large financial institutions. At an international level, beyond the model regulatory silos above, the newer ‘hybrid’ regulatory combinations are evolving that recognize and enable

115 Black, J ( 2008) Forms and Paradoxes of Principles Based Regulation, available at https://ssrn.com/abstract=1267722; Allen, J (2013) Securities Regulation of Ontario Venture Issuers: Rules or Principles?, available at https://bit.ly/2ESIqc5 116 ibid





technical and business model innovations and new, omnibus product-type verticals generated by fintechs and banks.

These, to a large degree, maintain a technologically neutral approach such that policies and regulations foster healthy competition between ecosystem participants, regardless of whether they offer conventional approaches or offer or use new technological solutions.117

Exhibit 11 shows comparative country approaches to fintech regulation. The trend is towards PBR, functional regulation of fintechs and fintech technology. Mexico, China and Bahrain have specific fintech laws that act as a framework law for fintech development and enabling of fintechs.118

Exhibit 11: Comparative country approaches to fintech regulation.

The global trend regulation of fintechs and fintech technology is towards principle-based regulations using a functional approach. In most cases there is a regulatory sandbox in the country, while regulators may coordinate on ancillary regulations impact fintech and fintechs.

Country Regulatory Approach(es)

Top Fintech Vertical(s)

Sandbox/Innovation Office/Techsprint

Fintech Law Fintech Ancillary/Regs

PAKISTAN

IBR, RBR Payments Sandbox, via SECP

No No

Australia FBR, PBR Payments, WealthTech, Blockchain, crypto-assets and Regtech open banking

Sandbox No Yes

Bahrain FBR, PBR Payments, crowdfunding, crypto-assets, forex, open banking, and digital banking, Big Data Analytics and Intelligence

Sandbox; Innovation Office

Yes Yes

Brazil IBR, RBR, FBR, PBR

Payments, crypto-assets, insurance, Forex, and digital banking

Sandbox No Yes

Brunei IBR, RBR Payments Sandbox No No China IBR, RBR,

PBR Payments Sandbox Yes Yes

117 RBI (2018) Report of the Working Group on fintech and Digital Banking, available at https://bit.ly/395YYew 118 Many of the Arab regional fintech models in effect import international early-stage start-ups to fill accelerator programs, rather than necessarily cultivating indigenous fintech start-ups. Financial Times (2019) Bahrain fintech model offers blueprint for rest of the region, available at https://on.ft.com/376MUb3



India IBR, PBR, FBR

Payments, alternative lending, eKYC

Sandbox No Yes

Indonesia IBR, RBR Payments Sandbox; Innovation Office

No No

Malaysia IBR, RBR Payments Sandbox; Innovation Office

Malta FBR, PBR Payments, WealthTech, Blockchain, crypto-assets

Sandbox No Yes

Mexico FBR, PBR WealthTech, Payments, and Blockchain

Sandbox Yes Yes

Nigeria IBR, RBR Payments, WealthTech, Blockchain, crypto-assets

Sandbox No No

Saudi Arabia

FBR, PBR [Planned]

Payments, blockchain, open banking [planned]

[Sandbox Planned]

No Yes [Planned]

Singapore

FBR, PBR WealthTech, Payments, open banking, and Blockchain

Sandbox No Yes

South Africa

FBR, PBR Payments, WealthTech, Blockchain, crypto-assets

Sandbox No Yes

Thailand IBR, RBR Payments, WealthTech, crypto-assets

Sandbox No Yes

UAE FBR, PBR Payments, alternative lending, WealthTech

Sandbox, Innovation Office

No Yes

Uganda IBR, RBR Payments No No No UK Functional,

Principal Payments, InsurTech, WealthTech, open banking, Big Data Analytics and Intelligenc

Yes No Yes

US Federal

IBR, PBRs, Product, Functional

Payments, Alternative Lending, and WealthTech

Some/Planned No No



Exhibit 12: Some key highlights on Fintech Development in India119

Regulatory Bodies120 • Reserve Bank of India (RBI) • Ombudsman Scheme for Digital transactions • Unique Identification Authority of India (UIDAI) • Securities and Exchange Board of India (SEBI) • Insurance Regulatory and Development Authority of India (IRDAI)

Regulatory Approaches

• IBR, PBR and FBR Fintech Law:

• No Fintech Ancillary Regulations

• Yes Sandbox/Innovation Office/Techsprints

• Yes Key Regulations governing Fintech in India121

• Payment System Act 2007 • Master Direction on Issuance and Operations of Prepaid Payment Instruments 2017 • NPCI Guidelines governing UPI Payments • NBFC license 2016 • Guidelines regulating P2P lending platforms 2017 • Guidelines governing payment aggregators / intermediaries 2009 • RBI guidelines of Payment Banks

o License for Payment Banks 2014 o Operating guidelines for Payment Banks 2016

State Level Policies122 Fintech policy issued by only one Indian state so far, the Government of Maharashtra in 2018.

• Aims to set up a global fintech hub in Mumbai.

Peer 2 Peer Lending123 Non-banking Financial Company – Peer-to-Peer (P2P) Lending Platform (Reserve Bank) Directions, 2017 issued by the RBI.

• These directions provide a framework for the registration and operation of NBFC-P2Ps in India.

Cryptocurrency and Blockchain technology124 1. Circular on ‘Prohibition on dealing in

Virtual Currencies’ dated April 6, 2018 issued by the Reserve Bank of India (RBI).

2. High-level committee Department of Economic Affairs, Ministry of Finance, Government of India), set up in 2017 and reformulated in 2018.

1. Prohibits entities regulated by the RBI from dealing in virtual currencies or providing services for facilitating any person or entity in dealing with or settling virtual currencies

2. To devise an appropriate legal framework to ban use of private cryptocurrencies in India and encourage the use of Distributed Ledger

119 https://www.gatewayhouse.in/indias-fintech-laws/ 120 https://www.globallegalinsights.com/practice-areas/fintech-laws-and-regulations/india 121 https://www.globallegalinsights.com/practice-areas/fintech-laws-and-regulations/india 122 https://www.gatewayhouse.in/wp-content/uploads/2019/03/Infographic-Fintech_Finalw_logo.pdf 123 https://www.gatewayhouse.in/wp-content/uploads/2019/03/Infographic-Fintech_Finalw_logo.pdf 124 https://www.gatewayhouse.in/wp-content/uploads/2019/03/Infographic-Fintech_Finalw_logo.pdf



Technology with blockchain which eliminates the need for intermediaries.

Cloud Computing125 1. Maharashtra Cloud Computing Policy,

2018, issued by the state government of Maharashtra.

2. Integrated Goods and Services Tax Act, 2017, issued by GST Council

3. National Digital Communications Policy, 2018, issued by Department of Telecommunications.

1. To ensure that all state government organizations use cloud services.

2. The term ‘cloud services’ has been included in the definition under Section 2(17) of ‘online information and database access or retrieval services’ as an electronic service.

3. Envisions inter-alia the establishment of India as a global hub for cloud computing by enabling regulation for the proliferation of cloud- based systems and facilitating cloud service providers to establish captive fiber network

Artificial Intelligence (AI) and Robotics126 1. Discussion paper on ‘National Strategy for

AI’ by NITI Aayog in June 20-18. 2. Multi-stakeholder task force set up in

February 2018, with representation from the government, defense services, academia, industry professionals and startups, under the chairmanship of N Chandrasekharan, Chairman, Tata Sons.

3. Report on ‘India’s Trillion Digital Opportunity’ by Ministry of Electronics and Information Technology on 20 February 2019.

1. The paper highlights the five sectors that will best use AI for solving societal needs: a) healthcare b) agriculture c) education d) smart Cities and infrastructure e) smart mobility and transportation

2. Task force formed to study the strategic implications of AI in national security and in the global context. Final report published in June 2018.

3. To unlock the potential and productivity of the digital economy in India

Internet of Things (IOT)127 1. Draft policy on Internet of Things, 2015,

issued by Ministry of Electronics and Information Technology

2. National Digital Communications Policy, 2018, issued by Department of Telecommunications

3. Report on ‘India’s Trillion Digital Opportunity’ by Ministry of Electronics and Information Technology on 20 February 2019.

1. Envisions development of a cross sectoral connected, secure, smart IoT based system.

2. It envisages harnessing the power of emerging digital technologies, including IoT, to enable the provision of future-ready products and services.

3. To unlock the potential and productivity of the digital economy in India.

Payment Systems128 1. Payment and Settlement Systems Act,

2007 • Payment and Settlement Systems Bill,

2018. 2. Notification on ‘Storage of Payment

System Data’, issued by the RBI, 6 April 2018.

1. The act provides for authorization, regulation and supervision of payments systems by the RBI. Amendments have been proposed through the 2018 bill. Key proposals are: • Establishment of a Payments Regulatory

Board • Regulatory sandbox for a period of six months • Puts banks and non-banks on a par with each

other by making authorization criteria to operate payment and settlement systems ownership-neutral

125 https://www.gatewayhouse.in/wp-content/uploads/2019/03/Infographic-Fintech_Finalw_logo.pdf 126 https://www.gatewayhouse.in/wp-content/uploads/2019/03/Infographic-Fintech_Finalw_logo.pdf 127 https://www.gatewayhouse.in/wp-content/uploads/2019/03/Infographic-Fintech_Finalw_logo.pdf 128 https://www.gatewayhouse.in/wp-content/uploads/2019/03/Infographic-Fintech_Finalw_logo.pdf



• A dissent note (19 October 2018) was issued by the RBI, opposing the establishment of any entity for payment systems that will not be governed by RBI

2. Issued under the Payment and Settlement Systems Act, 2007.

Drones129 1. Requirements for Operation of Civil

Remotely Piloted Aircraft System (also known as Drone Regulations 1.0), issued by Ministry of Civil Aviation (effective 1 December 2018). a. Ministry of Civil Aviation released a Drone Ecosystem Policy Roadmap (also known as Drone Policy 2.0) in January 2019

1. Lays down the basic framework for regulating drones

Policies and Regulations Across Fintech Data protection regime130

1. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

2. Personal Data Protection Bill, 2018 issued by Ministry of Electronics and Information Technology

3. Draft National E-commerce Policy issued by Department of Promotion of Industry and Internal Trade

4. Telecom Regulatory Authority of India recommendations

5. Draft Digital Information Security in Healthcare Act (DISHA), issued by the Ministry of Health and Family Welfare

6. Constitution of India Right to privacy is: fundamental right, September 2018

1. Ministry of Electronics and Information Technology is in the process of replacing these rules with the Information Technology (Intermediary Guidelines) Rules, 2018.

2. Objective of the Bill is inter-alia to protect the autonomy of individuals in relation with their personal data, to create a framework for the use and flow of personal data and to establish a Data Protection Authority.

3. Policy encapsulates all e-commerce activities; awaiting public comments till 29 March 2019.

4. Provides for data localization 5. Provides for data localization. 6. Judgment passed by the Supreme Court of India

in Justice K.S Puttaswamy & Anr. v. Union of India & Ors (3) which upheld the right to privacy as a fundamental right.

Cyber Security131 1. Information Technology Act, 2000 2. National Cyber Security Policy, 2013 3. Cyber Security Framework in Banks, 2016,

issued by Reserve Bank of India 4. Basic Cyber Security Framework for

Primary (Urban) Cooperative Banks, 2018, issued by RBI

5. Reserve Bank Information Technology Pvt. Ltd.

1. To provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication.

2. An umbrella framework for defining and guiding security of the cyberspace.

3. To enhance the resilience of the banking system against cyber risk by enhancing current defenses.

4. To put in place a robust cyber security/resilience framework in urban cooperative banks to ensure adequate security.

5. An entity under the RBI solely to improve cyber resilience

National Policy on Electronics132

129 https://www.gatewayhouse.in/wp-content/uploads/2019/03/Infographic-Fintech_Finalw_logo.pdf 130 https://www.gatewayhouse.in/wp-content/uploads/2019/03/Infographic-Fintech_Finalw_logo.pdf 131 https://www.gatewayhouse.in/wp-content/uploads/2019/03/Infographic-Fintech_Finalw_logo.pdf 132 https://www.gatewayhouse.in/wp-content/uploads/2019/03/Infographic-Fintech_Finalw_logo.pdf



1. National Policy on Electronics, 2019, issued by Ministry of Electronics and Information Technology.

1. To provide support to the start-up ecosystem and skill development for emerging technologies, such as AI, IoT, drones etc. across sectors like defense, agriculture, health, smart cities, automation.

National Policy on Software Products133 1. National Policy on Software Products,

2019, issued by Ministry of Electronics and Information Technology

1. To develop India as the global software product hub, driven by innovation, improved commercialization, sustainable intellectual property, promoting technology start-ups and specialized skill sets, for development of the sector, based on ICT (information and communication technology).

133 https://www.gatewayhouse.in/wp-content/uploads/2019/03/Infographic-Fintech_Finalw_logo.pdf



5. ANCILLARY REGULATIONS IMPACTING FINTECH AND FINTECHS 5.1. OVERVIEW: To avoid regulatory ambiguity, gaps and arbitrage in fintech regulation, there is usually also a need to develop regulations - or for existing regulations to be clarified - for ancillary-type services and functions buttressing fintech ecosystem. That is, where fintech licensing deals broadly with the ‘who and ‘what,’ ancillary regulations deal with the ‘how.’ They could for example deal with new technologies as a whole, and/or their impact generally.

The ancillary regulations include those relating to innovations such as open banking; open finance; use of DLTs and crypto-assets; regtech; cloud computing; data localization; privacy and data protection rules relating to proper use of stored and accumulated data; AI/ML; and cyber-security.134 What they all in large measure have in common is a data-centric approach where these technologies interact with pools of ‘big data’ (data lakes). Exhibit 13 shows the intersection of financial regulations with ancillary laws and regulations pivoting around these data lakes.

The ancillary regulations are best supportive of (and complementary to) a functional, PBR approach to fintech regulation and should not deviate from the need for a technologically neutral approach to regulation, noted earlier. Generally, though, the presence of these ancillary regulations may lessen the friction in allowing authorized/licensed fintechs to employ technologies, business models and other functional activities in furtherance of their activities and verticals. And as many of these regulations may be the domain of a number of regulators or based on a number of regulations such that a measure of regulatory coordination is needed.

Exhibit 13: Intersection of Financial Regulations with Ancillary Laws and Regulations

Recognizing that data-centricity is increasing a key foundational pivot for both fintechs, large incumbents (through AI/ML, open finance, and open banking) and regulators (through regtech and suptech), there is a fundamental need by regulators to understand the overall and granular impact of these data-centric innovations on their regulatory remits.

134 Enriques, L (2017) Financial Supervisors and Regtech: Four Roles and Four Challenges, available at https://ssrn.com/abstract=3087292



5.2. DISTRIBUTED LEDGER/BLOCKCHAIN TECHNOLOGIES (DLTS):

The singularity of DLT is that of the emergence of distributed ledgers and the protocols that empower them and operating in a decentralized manner is that (ostensibly) often no single entity controls a distributed ledger.135

A sample of the legal and regulatory issues that would appear to be most pertinent to DLTs include the legality and enforceability of smart contracts; evidential weight of DLT-derived data; property rights in crypto-assets; time and place of contracting using a blockchain and smart contracts; the ‘chain’ of legal liabilities in the sector; competition issues in a decentralized environment; criminal use and liability; and which court may have jurisdiction over a matter involving DLTs and their applications in a ‘distributed’ multi-national nodes environment. Distributed record keeping or transaction processing may also blur regulatory and legal responsibilities that were traditionally based on bilateral principal-agent relationships.

As DLT-related regulations may be the domain of many regulators – for example a central bank, telecommunications regulator, and privacy regulator - a measure of regulatory coordination is needed.

5.3. CLOUD COMPUTING AND DATA LOCALIZATION RULES

Many regulators have some rules around data localization. That is, whether data should be stored on servers of an entity in its country of primary jurisdiction, and what data can be stored.

135 The emergence thought of permissioned, controlled ‘consortia’ DLTs for use in banking and other verticals has altered this ‘totally decentralized’ paradigm.



The emergence of cloud computing changes this paradigm, both at a localization level and what data is stored and used. Because data is placed in a technology ‘cloud,’ there can be no single point of failure, which is nirvana for especially developing countries given many instances where there is a lack of reliable power.

Exhibit 14: Cloud Computing Storage and Personally Identifiable Information (PII)

Type Managed by Infrastructure Owner

Dedicated hardware

Data Type Stored PII Exposure

Public CSP CSP No Customer, internal Probably Not

Private, external CSP CSP Yes Customer,

internal Probably Not

Private, internal Internal Internal Yes Customer,

internal No

Hybrid Mixed Mixed Depends on CSP contract

Customer, internal Probably Not

As with DLTs, cloud computing-related regulations may be the domain of many regulators such that a measure of regulatory coordination is needed. The trend however globally is towards use of cloud computing and removal of data-localization-based restrictions, specifically bifurcating rules around storage and use of PII versus non-PII data. Complicating policies on cloud computing though are the differing types of cloud services available:

● IaaS - Infrastructure as a Service ● PaaS - Platform as a Service ● SaaS - Software as a Service ● BaaS - Backend as a Service

Many fintechs though want to use cloud service providers (CSPs) simply as an extension of their own servers, storing data in an encrypted form that does not expose PII customer data to the cloud provider. Even where there are regulations allowing cloud computing of some form, fintechs see any potential requirement to keep data in a local CSP as impractical and would rather have the option to use major international CSPs such as Amazon, Microsoft or IBM.

5.4. DATA PROTECTION AND PRIVACY: Where vast amounts of personal data are shared and transferred around the globe instantaneously, it becomes increasingly difficult for people to maintain control of their personal information.136 This is the role of ‘data protection’ as the consort of practices,

136 Sightline Innovation (2019) Why we need data protection laws, available at https://www.sightlineinnovation.com/news-sightline/why-we-need-data-protection



safeguards, and binding rules put in place to protect personal information. It also ensures that individuals remain in control of it by being able to decide whether or not they want to share some information, who has access to it, for how long, for what reason, and be able to modify some of this information.137

By the end of 2019, almost 100 jurisdictions had some sort of data protection laws. Often though, there are gaps in data protection laws when faced with technological innovations often expose gaps in data protection laws, or contradictions with especially financial sector laws. These may or may be cured by ancillary laws and regulations that are sector-specific or principles-based. In their absence, two motifs may inform schemes for data protection: data protection by design and data protection by default.138 The former employs pseudonymization to replace personally identifiable material with artificial identifiers, as well as encryption to encoding data so that only those authorized can have access to read the data.

5.5. ARTIFICIAL INTELLIGENCE (AI) AND MACHINE LEARNING (ML)

While AI and ML are seen as some of the most innovative forms of fintech, at the algorithmic level.139 As AI and ML have both been around for decades. The new monikers ‘AI’ and ‘ML’ simply reflect use of more (big) data to model and train algorithms used in AI/ML. That is, where it has found a renaissance is in the amount of data available for analyzing, coincident with exponential increases in storage and computer processing power, both significantly improved with the emergence of cloud computing power and ‘data lake’ storage offered by cloud computing providers. This makes AI/ML more practical to operationalize and use.

Their use in fintech applications may also create entirely new risks, for instance, where decisions are taken, or functions are performed by AI-powered ‘black box’ algorithms without human intervention or which are not comprehensible to customers or supervisors. AI and ML’s resurgence has thus led to increased regulatory scrutiny, especially on the nature of (automated) credit decisions, potential ‘red-lining’ of classes of persons, and the privacy of user data through de-anonymization of user data that may, and usually is, an artifact of the process of using data derived140 from multiple data sets when ‘training’ AI systems through ML.141

137 Access Now (2018) Data protection: why it matters and how to protect it, available at https://www.accessnow.org/data-protection-matters-protect/ 138 EU (2019) What does data protection ‘by design’ and ‘by default’ mean?, available at https://bit.ly/34D9XcZ 139 What makes AI systems so powerful is that it is a different logic to that of humans who will always ask ‘why’ and seek correlation with data sets. With AI, correlation between data sets is the conclusion it derives at. The AI dilemma for entities is whether to use the (output) data knowing humans may not necessarily understand the methodology – including ML - used to create it. 140 This training is used to produce the models for AI that are used for making automated decisions and forecasts 141 A modern AI/ML methodology is to ingest data, clean label and transform in centralized data hub, explore data, train the data using ML, and then create inference and correlation in the virtual world.



Hereto, the need for increased ‘explainability’ – a term of art the AI/ML industry use for internal and regulatory reporting - from entities to regulators142 has correspondingly increased.143

Regulatory frameworks may thus be needed to ensure the ethical application of AI solutions, particularly in the context of credit scoring and Robo-advisors/wealth management, the core elements of which rest on explainability or interpretability of automated decisions and the ethical use of data. The need to disclose to consumers that they may be interacting with an AI-powered ‘bot’ – such as a chatbot for consumer inquiries on web sites - is also an emerging regulatory focus.144

5.6. OPEN BANKING: Open banking is a new data-sharing paradigm that enables customers to consent to third-party providers (fintechs) accessing their payment account information and or making payments on their behalf. In many jurisdictions where it is available, it allows fintechs to access data usually held in a proprietary and exclusive manner by large financial institutions such as banks. Fintechs access this data through open (standardized) APIs. Exhibit 15 shows a stylized implementation of open banking.145

142 Invariably, the industry undertakes ‘model management’ of AI as part of a risk management processes. Calibration takes place against recent historical data, and not using data that may have been subject to different (and now redundant) regulatory regimes. 143 To facilitate ‘explainability,’ a privacy layer is usually inserted in the AI software stack by an entity being supervised to ensure conformity with privacy and anti-algorithmic bias rules and to allow their regulator to see data rather than that regulator having to subpoena all data. 144 A state law in California requires that consumers be informed if they are interacting with an AI-powered chatbot. Other laws may codify the need for fairness and privacy in AI use and decision-making. The law, with certain exceptions, makes it unlawful for any person to use a ‘bot’ to ‘communicate or interact with another person in California online with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.’ See Natlawreview (2019) California Social Media Bot Disclosure Law Coming Soon, available at https://bit.ly/2EUfzUI 145 IBM (2019) Open banking APIs are open for business, available at https://ibm.co/2tQLcwk



Exhibit 15: Stylized Use of Open Banking146

Open banking services which have developed in a number of jurisdictions include:147

• Account aggregation • Automatic product switching • Account data access to inform lending decision • Balance transfer management (credit cards) • Personal financial management • High balance sweeping • SME financial management • Cashflow optimization • Account-to-account money transfer • Interest maximization • Merchant payments

Open banking is the first data sharing and data access initiative of this scale to be underpinned by legislation requiring industry institutions to provide access to other providers. In Australia and Singapore for example, banks are adopting open banking to make data available for

146 ibid 147 UK Department for Business, Energy and Industrial Strategy (2018) Goals-Based And Rules-Based Approaches To Regulation, available at https://bit.ly/2ZdS16R; Black, J ( 2008) Forms and Paradoxes of Principles Based Regulation, available at https://ssrn.com/abstract=1267722; Allen, J (2013) Securities Regulation of Ontario Venture Issuers: Rules or Principles?, available at https://bit.ly/2ESIqc5






consumers on credit/debit card, deposits, and transaction accounts, mortgage accounts of consumers, and recommended products.148

The UK has created an ‘Open Banking Standard’ that allows consumers to access their financial data more easily and securely, with one utility of this being that they can manage their wealth easier and transfer banking services in a simpler manner than before. It also gives developers more latitude in creating new services and tools for banking consumers to manage their finances. In mainland China, open banking is not mandated by legislation.

5.7. OPEN FINANCE 5.7.1. Overview: Open finance builds on the principles of open banking through the sharing of data which provides new ways for customers and businesses to make the most of their money. Open finance would extend those principles to a wider range of products. It offers potentially significant benefits to financial service providers through increased efficiency, new service offerings and new ways of making decisions.149 It is based on the principle that the data supplied by and created on behalf of financial services customers are owned and controlled by those customers and any re-use of this data by fintechs takes place in a safe and ethical environment with informed consumer consent. In most cases this would mean fintechs could access the same information and perform the same functions as those available digitally to the customer. That is:

• Collect a customer’s financial data to present to them (‘read’ access). • Undertake or initiate transactions on the customer’s behalf - for example initiating

payments, switching accounts, making an investment, applying for credit - and presenting the data back to customers (‘write’ access) as well as receiving any necessary permissions.

However, it requires extensive digitalization and efficient storage of data, giving fintechs capabilities in terms of understanding and servicing their customers and would allow them to offer new products to current customers and identify new ones. Whether and to what extent they do is likely to have a significant impact on how open finance develops in a particular sector. Access for fintechs could be provided through APIs or through a modified customer interface to connect directly to a bank’s website with a customer’s consent. Access would be provided by that customer’s current financial services provider under a clear framework of consent. Exhibit 16 shows the potential open finance scheme for Pakistan.150

148 This is part of the Customer Data Right regulations granting greater access to consumer data. . In Singapore, open banking is regulated by a non-mandatory governance framework. See also Bahrain fintech Bay (2019) fintech Regulations Report 2019, available at https://bit.ly/2SwkUtB 149 UK FCA (2019) Call for Input: Open finance, available at https://bit.ly/2QozEYF 150 https://www.tezfinancialservices.pk/tfs/fintech.php

https://www.tezfinancialservices.pk/tfs/fintech.php



Exhibit 16: Potential Open Finance Schemes for Pakistan151

As data and technology are increasingly driving changes in financial markets, regulators need to understand how this change will shape markets and shape regulation in the future and how open finance can develop to best meet consumers’ needs and enhance competition in the interests of consumers. The ability of fintechs to share data through an API would require ‘read/write’ regulatory approval for each scheme and sharing between fintechs of a customer’s data would require customer consent for each scheme. Ideally, the sharing would be cloud-computing based.

Open finance could facilitate financial management applications that look across all products held by an individual or business, giving them a holistic view of their financial circumstances. 5.7.2. Advantages of Open Finance152 By making it easier for consumers and businesses to compare price and product features and switch product or provider, open finance could be beneficial in the general insurance, cash savings and home mortgage markets. This would mean that a financial services customer who consents to a fintech accessing their financial data could be offered tailored products and services as a result. This could help widen access to advice and support, boost efficiencies for businesses and access to credit, and spur innovation. It could also allow fintechs to develop services that benefit consumers and businesses, improve

151 https://www.tezfinancialservices.pk/tfs/fintech.php 152 UK FCA (2019) Call for Input: Open finance, available at https://www.fca.org.uk/publications/calls-input/call-input-open-finance

https://www.tezfinancialservices.pk/tfs/fintech.php

https://www.fca.org.uk/publications/calls-input/call-input-open-finance




competition, financial capability and inclusion. Using aggregated (collected) data to offer advice and services, and execute transactions on behalf of their customers, fintechs can make it easier for their customers to act on this information. Examples include automating switching and renewals that remove friction and encourage shopping around. This could help consumers get a better deal and increase competition. Access to data could give customers more competitively priced quotations based on the product features they are most interested in.

5.7.3. Risk of Open Finance153 While open finance is a laudably aspirational goal to democratize access to data that may increase consumer financial access and health, as well as increasing competition, it may also engender some risks if not properly planned. Some of these risks are outlined in Exhibit 17.

Exhibit 17: Risks that open finance could pose to customers and competition in the financial sector.

Risk Potential Outcome

Exclusion Greater sharing of data could lead to customers with certain characteristics being excluded from certain markets or exclusion of consumers who opt out of data sharing

Misuse of Data

Consumers may provide consent to share their data but not be aware of how their data is ultimately used; Increased risks of fraud if data is held by fintechs with poor system security and governance.

Poor Consumer Outcomes

Auto-switching could lead to consumers becoming focused solely on price over other factors affecting suitability.

Competition If certain firms chose not to participate in open finance this could lead to the exclusion of specific products and reduced choice for consumers. This could hurt (rather than enhance) competition.

Operational Operational resiliency may be affected by significant changes to IT systems to support open finance.

5.8. REGULATORY SUPPORT FOR FINTECH INNOVATION 5.8.1. Regulatory Sandboxes Regulatory sandboxes are flexible frameworks to facilitate beneficial innovation in the financial sector while still managing risks such as consumer protection and stability of the marketplace.154 They are controlled, safeguarded environments for both regulated and

153 UK FCA (2019) Call for Input: Open finance, available at https://www.fca.org.uk/publications/calls-input/call-input-open-finance 154 FCA (2015) Regulatory Sandbox, available at https://bit.ly/2EG5Lez





unregulated institutions, including fintech participants to live test innovations for a limited duration, a process which would ordinarily be stifled by regulatory uncertainty or incompatibility under the regulator’s supervision.155 Some regulatory requirements may be required to be relaxed to establish a regulatory sandbox and allow participants to operate where regulatory uncertainty or incompatibility exists.

As of 4Q 2019, over 50 countries had operational or proposed regulatory sandboxes.156 They were originally established in developed countries to inter alia promote competition, innovation, consumer benefits and financial inclusion and are structured in a variety of ways with regards to eligibility, criteria, costs, timing and exit processes.157 Complementary regulatory innovations such as innovation offices or hubs, are designed to enhance and increase knowledge sharing and promote a collaboration between Fintech ecosystem participants.

Specifically, regulatory sandboxes can address regulators’ challenges in understanding existing and emerging innovations, as well as a fintech’s challenges in understanding complex regulations and regulatory expectations.158 Experimentation with sandboxes and then dialogue with sandbox participants, whether the technologies used ultimately fail or succeed, also allows regulators to better understand technologies and the risks associated with them. It may also be under the supervisory scope of another regulator.159

Collaboration between different authorities to initiate sandbox initiatives may thus be necessary. This usually manifests as a memorandum of understanding (MOU) between regulators.

5.8.2. Innovation Offices Another fintech innovation-enabling strategy employed by some regulators is what is variously called an ‘innovation office. Ultimately, these will in some form engage with, and provide regulatory clarification and even technical assistance in the form of certification to fintechs that may not have the resources and initial capability to pursue their innovation to the application stage. Innovation office activities may also be augmented by financial assistance in the form of state innovation or ‘challenge’ funds.160

155 MAS (2017) Financial Regulation – The Forward Agenda, available at https://bit.ly/2kL4RZx; Toronto Center (2017) Regulatory Sandboxes, available at https://bit.ly/2Hx0EAg; Electronic Money (2017) Regulators and Fintech: Influence Is Mutual?, available at https://bit.ly/2HsUJw8 156 Perlman, L, Wechsler, M & Gurung, N (2018) The State of Regulatory Sandboxes in Developing Countries, available at www.dfsobservatory.com; CGAP (2017) Regulatory Sandboxes and Financial Inclusion, available at https://goo.gl/XMAA2m; Buckley, R (2017) Regtech & Financial Inclusion, available at https://dfsobservatory.com/event/regtech-financial-inclusion 157 ibid. 158 Toronto Center (2017) Regulatory Sandboxes, available at https://bit.ly/2Hx0EAg 159 Banking Stakeholders Group (2017) Regulatory Sandboxes, available at https://bit.ly/2qtolRZ 160 See also University of Cambridge (2019) Early Lessons on Regulatory Innovations to Enable Inclusive fintech: Innovation Offices, Regulatory Sandboxes, and RegTech, available at https://bit.ly/2PL7eZM



As Exhibit 11 above shows however, in most developing world jurisdictions, sandboxes are the preferred innovation vehicle for financial regulators though. Pipelines to these sandboxes may be from innovation offices, some run by NGOs.161

5.9. CENTRALIZED KYC UTILITIES FOR AML/CFT COMPLIANCE:

For AML purposes, there is a general need to access government and (competitor) private data to support KYC processes. This could be to compare suspicious transactions and persons, as well as the general need for improving the compliance management expertise of non-bank service providers so as to avoid de-risking of financial ecosystem and attracting sanctions.

Thereto, a centralized function that supports KYC is preferable, and similarly, establishing a compliance officer’s forum to improve capacity building and collegial information sharing.162

5.10. TECHNOLOGY OUTSOURCING: Technology outsourcing is the practice of hiring resources outside of an organization to handle certain information technology functions. Companies often outsource data storage because it is cheaper to contract a third party than to buy and maintain their own data storage devices and facilities.

Increasingly, banks and other financial institutions are using third party service providers, including group companies to carry out various activities, functions and processes. A large constituent part of this outsourcing is the use of cloud computing, described earlier.

161 For example in Mozambique, where fintech competitions run by NGOs will qualify fintechs for the regulatory sandboxes run by the central bank. 162 The SECP appears to be spearheading this initiative in Pakistan, although it appears to have stalled.



6. LEGAL, POLICY AND REGULATORY ENVIRONMENT FOR FINTECHS AND FINTECH IN PAKISTAN

A The Legal System in Pakistan

6.1. THE LEGAL SYSTEM IN PAKISTAN: The legal system in Pakistan is derived from the English common law through the adoption of the laws and structures of British India, itself a codified legal system based on nineteenth century English law.

An important component of common law legal system is that it is flexible and evolutionary, adapting to changed circumstances whilst maintaining precedent to the degree needed and possible. This flexibility is favorable for fintechs if any legal dispute arises.

6.2. ‘RELEVANT’ FINTECH REGULATORS AND POLICY MAKERS

There are a number of regulators who are most proximate to fintechs operating in Pakistan as well as enabling uses of fintech and related technologies:

These include, but are not limited to the:

● State Bank of Pakistan ● Securities Exchange Commission of Pakistan ● Pakistan Telecommunications Authority ● National Database and Registration Authority ● Ministry of Information Technology and Telecommunications

Exhibit 18: International Regulatory Environment Assessment of Pakistan.

The Economist’s Global Microscope 2018 report163 ranked Pakistan at 21st out of 55 countries surveyed for an enabling regulatory environment for financial inclusion and rapid growth of mobile financial transactions. The report cited low specialized regulatory capacity for fostering innovation, lack of incentives for digital technologies, limited supervisory capacity of regulators – but excluding SBP - and inadequate oversight over informal financial sector.

163 Economist (2018) The Global Microscope 2018 on Financial Inclusion, available at https://bit.ly/2Su0mSt



B Regulators with Primary Remit Over Fintech and Fintechs

6.2.1. State Bank of Pakistan Pakistan’s central bank, the State Bank of Pakistan (SBP) is the prudential and payments regulator that controls the financial system in the country. Exhibit 19 shows snapshot of the payment system including entities regulated by SBP and some other entities like International Payment Schemes, NCCPL and NADRA playing a role in the payment system of the country but falling under the purview of SECP and Ministry of Interior.

Exhibit 19: Payment System Snapshot - State bank of Pakistan164

SBP has oversight inter alia over what it terms ‘branchless banking,’ electronic money and any new services that touch on its remit. It issued rules for PSO and PSPs in October 2014 for e-payment gateways and payment system providers and operators. With the ‘branchless sector’ relatively stagnant, SBP moved to catalyze it by issuing EMI regulations in 2019 in the forms of corresponding mandatory interoperability regulations. All of these could act as platforms for carefully controlled and regulated fintech-led growth.

164 Report on fintechs in Pakistan for Chemonics by Mr. Talha Leghari, July 2019.



6.2.2. Security Exchange Commission of Pakistan The Securities and Exchange Commission of Pakistan (SECP) is the financial and corporate registration regulatory agency. It executes on industry requirements, which are passed on to them through the Ministry of Commerce or the SBP in the form of written requests.

Due to its omnibus remit though, SECP - has more regulatory leeway than SBP although on cross-border payments, regulatory remits are not clear.

SECP also maintains a self-onboarding online registration portal, with the back end of this system is maintained by Companies Registration Office. Registrations are undertaken under Section 42 of the Companies Act, supporting five types of businesses: leasing, housing finance, discounting, investment finance and microfinance. While it issues licenses for capital market services, non-bank finance companies (NBFCs), it currently has no defined licensing categories per se for fintechs and relies on the SBP to provide it with registration parameters for classes of potential company registrants.

Many fintech apply for the Investment Finance license – at a cost of PKR 550,000 - allowing a company to issue guarantees. A few lending and nano-lending entities operate under the NBFI/NBFC license category.

While the Consultant was unable to meet the SECP, previous interactions by Chemonics staff revealed that the SECP was concerned with establishing a separate framework for fintechs, ostensibly because of lack of awareness of the various fintech types nor of the capacities of the businesses involved in the space. They expressed though a specific need to have a consultant or a technical expert who understands the businesses to help draft and pin down the requirements of the fintechs.

Further, while the SECP regularly conducts outreach sessions to allow SMEs to understand the registration process, limited interest is reportedly shown by businesses in these events as SMEs are reportedly reluctant to come under the tax umbrella. Crowd-funding and similar angel investments have reportedly never approached the SECP for a separate entity because of a lack of both demand and supply.

In November 2019, the SECP launched a startup portal to encourage technology innovation in Pakistan. The portal features list of startups, simplified user experience for registration, access to mentors and incubation centers, online guides and video tutorials for startup companies.165 It is reportedly also reviewing the Companies Act to facilitate startups and provide a conducive environment to young innovative entrepreneurs. Similar reforms are planned for Private Equity and Venture Capital Regulations, as well as draft Equity Crowd-funding Regulations, setting up facilitation desks at Company Registration Offices.166

165 Crowd-funding services are currently not authorized by the SECP. Business Recorder (2017) On crowd-funding in Pakistan, available at https://bit.ly/2ZnUSdd/. It is however creating draft Equity Crowd-funding Regulations. Daily Times (2019) SECP launches startup portal to encourage tech innovation, available at https://bit.ly/2ZthIQI 166 ibid

https://www.brecorder.com/2017/04/03/341210/on-crowd-funding-in-pakistan/



In December 2019, it released draft guidelines for its planned regulatory sandbox, the first regulatory sandbox in Pakistan.167

6.2.3. Pakistan Telecommunication Authority: Pakistan Telecommunication Authority (PTA) is the primary regulator for the telecommunications industry in Pakistan. It regulates the establishment, operation and maintenance of telecommunication systems and the provision of telecommunications services.

The PTA issued Regulations for Technical Implementation of Mobile Banking in 2016 and worked with SBP for its Regulations for Mobile Banking Interoperability in 2016.168 For TPSP/mobile banking interoperability, an entity must first get a license from PTA and then approval from SBP.169

6.2.4. Ministry of Information Technology and Telecommunication

The Ministry of Information Technology and Telecommunication (MOITT) is a Cabinet-level ministry of the Government of Pakistan (GOP) concerned with Information Technology and Telecommunications. MOITT runs 5 incubation centers, including the Ignite National Technology Fund to support research and development projects proposed by industry and academia.

6.2.5. The National Database and Registration Authority:

Pakistan’s National Identification Authority (NADRA) provides customer verification services to a select class of industry participants, charging a fee per inquiry on commercial basis. In April 2018, it reduced the verification cost per enquiry to PKR 10 for each mobile wallet account opening at industry level.170

6.2.6. Competition Commission of Pakistan (CCP) The Competition Commission of Pakistan (CCP) is an independent agency of the Government of Pakistan for the enforcement of economic competition laws in Pakistan. It was created in 2007 through the promulgation of the Competition Ordinance, 2007.

167 Securities and Exchange Commission of Pakistan Draft Regulatory Sandbox Guidelines, available at https://propakistani.pk/wp-content/uploads/2019/12/SEC-Regulatory-Sandbox-Guidelines-2019.pdf 168 https://www.pta.gov.pk/en/history 169 See Annex 1 170 NADRA charges a flat fee for incumbents, but charges different fees with non-banking participants. This asymmetry exists despite the fact that both types use NADRA APIs for same purpose.

https://www.pta.gov.pk/en/history



6.3. GOVERNMENTAL INITIATIVES ON FINTECHS AND FINANCIAL INCLUSION

The Government of Pakistan (GOP) has over time attempted to improve aspects of fintech and SMEs especially where it impacts financial inclusion. The recognition is part of the National Financial Inclusion Strategy (NFIS),171 formulated in 2015 – and updated in 2018 - to address many issues hampering financial inclusion.

This includes the need to:

• Promote digital transactional accounts through digitization and increased number of access points to achieve scale / viability.

• Lowering verification and revalidation cost of digital accounts to facilitate account acquisition on massive scale

• Fostering innovation to develop client centric products and services so as to facilitate account usage through need-based products and services

• Expanding the ATM network and connect Pakistan Post to National Payment System so as to enhance access points

• Adopting automated land records for speedy disbursement of Agri-loans: provision of online access of land record to banks

• Digitizing microfinance by linking microfinance industry with digital platform • Creation of electronic collateral registry by facilitating financing to un-incorporated

SMEs especially small enterprises • Developing credit scoring models for micro and small enterprises –and enhancing

usage through instant credit decision • Developing Sharia-compatible frameworks for banking and non-banking MFIs by

providing Islamic financial services to low income segment population; and • Developing programs for women entrepreneurship

The NFIS provides clearly defined targets and incentives to strengthen the effort towards the utilization and promotion of fintech in the country, intended to be reached by 2025. Fintechs are seen as an enabler to achieve these goals, provided proper direction is provided to them through policies and regulations.

Following the implementation of the NFIS, the business environment for SMEs and fintech companies in Pakistan improved slightly according to the World Bank’s Doing Business Report 2017.172 Pakistan was one of the global top 10 improvers in this report, which followed from three substantial reforms in cross-border trade; through updating electronic customs platforms in Lahore and Karachi; and improving access to credit information by legally guaranteeing borrowers’ rights to inspect their own data.

The report though says that more work needs to be done to help translate the benefits of these three reform areas for the businesses, especially the SMEs, for example legal acceptance of land titles issued through the digitization system needs to be confirmed. And while Pakistan’s recent improvements are encouraging, the report finds that local

171 http://www.sbp.org.pk/ACMFD/National-Financial-Inclusion-Strategy-Pakistan.pdf 172 World bank (2017) Doing Business 2017, available at https://www.doingbusiness.org/en/reports/global-reports/doing-business-2017



entrepreneurs still face difficulties in many areas such reliable electricity as both Karachi and Lahore experience power outages on a daily basis. Enforcing contracts is also a challenge as it takes almost three years to settle a commercial dispute in Pakistan, compared to the global average of 637 days.

C Regulatory Coordination

6.4. REGULATORY COORDINATION AND INTERACTIONS BETWEEN REGULATORS, AND WITH POLICY MAKERS

Key to catalyzing any new sector is cooperation between regulators to carve out in explicit details which regulator has remit over which components of a particular ecosystem. This cooperation is critical where there is potential for cross-jurisdictional components which if not addressed, could potentially cause regulatory arbitrage.

We are aware of the following inter-regulator MOUs, which are largely general in nature:

● An MOU was signed between SBP and PTA in January 2012 and renewed in 2016 to cooperate on ‘branchless banking’ and mobile financial services, which includes enabling interoperability and USSD access and pricing.

● MoITT issued Policy Directive to Support Technical Implementation of Mobile Banking including Mobile Money Transfers and Remittances in 2008 to the PTA.173

● The SECP and SBP signed a MOU in March 2009 for collaboration, coordination and sharing knowledge in mutual domains. SBP has indicated that they are willing to sign an MOU with SECP for ‘fintech.’ They are also willing to establish a joint coordination committee and joint working group on ‘fintech’ between SBP and SECP.

● The SBP signed a MOU with NADRA in November 2014.174 ● The CCP signed a MOU with the SBP in June 2017 for establishing arrangements

between the two institutions for cooperation, collaboration and sharing of information.175

Key though is a (missing) ‘national’ definition of fintech since once this baseline is achieved, it will enumerate operationally and functionally what fintechs can do. Given the ancillary regulations that are required to catalyze fintech and fintechs, regulatory coordination can then be undertaken with greater measure of confidence. SBP indicate though that it is interacting with the MOITT on cloud computing and data protection laws and regulations.

173 SBP signed a MoU with NADRA15 on November 17, 2014 reducing the variation cost to PKR.10 for each m-wallet account opening at industry level, This was implemented in April 2018 by NADRA. Karandaaz (2019) Policy & Regulatory Bottlenecks For Digital Financial Services In Pakistan, available at https://bit.ly/39cnhHS 174 ibid 175 Karandaaz (2019) Policy & Regulatory Bottlenecks For Digital Financial Services In Pakistan, Available at https://bit.ly/39cnhHS



D CURRENT REGULATORY SCHEMES IMPACTING FINTECHS IN PAKISTAN

6.5. PREVALENCE OF RULE-BASED, INSTITUTIONAL LICENSING FRAMEWORK

As noted above, there are several government entities and regulators involved in authorizing or regulating components that – functionally – encapsulate fintech activities. These are shown in Exhibit 20 below. The regulations fastening on these functions are however institutional, in the form of one-size-fits-all licenses that mirror the capacity of large incumbents, not startups. These requirements are not startup friendly.

Annex 1 for example indicates the type of licensing structure and requirements for TPSPs.

Exhibit 20: Government entities and regulators involved in authorizing or regulating components that encapsulate fintech activities.

Type Government Entity Currently Available Cloud Computing SBP; MoITT Yes Data Protection MoITT Policy Guidelines Yes Digital ID MoITT; NADRA176 Yes Equity Crowd funding SECP No, not allowed177 Insurance SECP Yes Intellectual Property Rights IPO-Pakistan Yes Investing SECP Yes IT Outsourcing SECP; SBP Yes, but very restricted KYC Utility SECP, SBP No, not live Lending SECP; SBP Yes P2P Lending SECP; SBP No, not allowed178 P2P Payments SBP Yes Payments SBP Yes

While SBP in particular has made efforts to promote and outline regulations for the fintech sector, from the perspective of fintechs and other ecosystem participants in Pakistan, what is clearly still required is a cogent pathway for embracing new entrants as well as recognizing new and evolving product categories and verticals, and evolving technologies. The most important and direct step taken by SBP to promote and facilitate fintechs was the drafting and enacting of laws pertaining to PSOs and PSPs in 2014. Until then there had been no detailed

176 NADRA falls under the Ministry of Interior, which is in the process of developing a data policy. 177 Crowdfunding services are currently not authorized by the SECP. Business Recorder (2017) On crowd-funding in Pakistan, available at https://bit.ly/2ZnUSdd/. It is however creating draft Equity Crowdfunding Regulations. Daily Times (2019) SECP launches startup portal to encourage tech innovation, available at https://bit.ly/2suLk4j 178 Both SECP and SBP perform this function in their own capacity and has clear guidelines for supervised entities.

https://www.brecorder.com/2017/04/03/341210/on-crowd-funding-in-pakistan/



regulatory framework for payment systems, which impeded the entry of new payment systems and services.

PSPs and PSOs are subject to the full supervision and oversight of the SBP, and can also make agreements with banks, financial institutions, merchants, other PSOs and PSPs, or any other company for the provision of services.

There are however significant limitations related to this type of licensing regime:

● Industry participants are prohibited from handling customer or participant funds or conducting any banking activity. That is, they are limited to B2B-only interactions, and no B2C activity.

● The effectiveness of the new regulation is limited by the lack of delineation of the roles of PSPs and PSOs.

● There is only one license fee, no matter the size of the entity.

So far, only two institutions have been granted PSO/PSP status: 1Link (for switching) and NIFT (for cheque processing). Exhibit 21 shows SBP’s onboarding process for SMEs in payments



Exhibit 21: SBP’s Onboarding Process for SMEs In Payments

SBP has developed an onboarding process for fintechs who wish to apply for PSP/PSO licenses which it terms a ‘sandbox-lite’ process. From the SBP perspective, this process gives SBP an opportunity to not only assess the viability of an entity and its proposed offering, but also provides a level of capacity building for SBP staff. SBP indicate that they often assist PSPs in how to submit proposals that are strong enough and practical. The entity should only approach SBP with an idea that is practical. It can take on average up to a year to fine tune their business model and approach. Those who are eligible include those with a bare minimum infrastructure that indicates that their solution is workable, compliant with AML and consumer protection perspectives. There are three phases to the SBP’s ‘sandbox-lite’ process:

● Phase 1 – In Principle: The first phase is the in-principle phase in which the entity come with in-principle approvals. SBP will then discuss proposals and amend as needed, and then go to SECP and became incorporated.

● Phase 2 – Pilot Phase: This is the go-to-market phase where the SBP works with

entities on a business proposal. Once they are confident the proposal is sound, the entity will come to the Central Bank who will send an Information Security team for an audit and then certify it.

● Phase 3 - Authorization: After certification, the entity will get authorization and begin

operations.

In May 2016, the SBP introduced Regulations for Mobile Banking Interoperability to facilitate transactional interoperability that would allow users to transfer funds between mobile accounts from one service provider to another.

These regulations included clear guidelines in relation to Third Party Service Providers (TPSPs) to execute transactional interoperability.179 In one realm, a TPSP provides technical support for mobile banking services as it is licensed by PTA and authorized by SBP to provide technical services for channeling, routing and switching transactions for branchless/mobile banking only.

In another realm, PSOs/PSPs can provide prepaid card and mobile money solutions; white label ATM and POS operators and agent networks; as well as inter-bank direct-debit products.

SBPs frameworks for Electronic Money Institution (EMI) licenses allows non-banks to issue and maintain stores of value, although they must partner with banks for storage of consumer funds.

179 See Annex 1



Exhibit 22: Limitations of a One-Size-Fits-All Regulatory Approach to Financial Ecosystem Regulation in Pakistan

The SBP has a one-size-fits all approach to licensing for PSP/PSOs and EMIs, which is does not appear to be fintech startup-friendly. As a result, a ROI takes a very long time and discourages investors.

Specifically, the license fees are unaffordable for startups and appears to be focused on those entities that are (already) well-funded. Startups however can only raise money from investors if they show traction, but it is self-evident that they will not gain any traction without (an expensive) approval, which – after due diligences SBP – can take up to a year. 180

For example, the 2019 EMI licenses that allow non-banks to issue and maintain stores of value for consumers, require that the EMI pay a large license fee similar to the PSP/PSO licenses as well as partner with a bank to store pooled consumer value. For fintechs, this one-size-fits-all license fee that does not reflect a risk-based approach to service provision and entity size and disrupts the economics of obtaining an EMI license. It is again self-evident that startups need to defer expenses as much as possible to focus on building viable products with business potential and that relatively high licensing costs removes capital for development. This will limit activities to entities with the institutional capacity and framework to qualify.

A better approach may be for SBP (and SECP) to institute a tiered license fee - as needed - that reflects the relative risks of entities as they grow in size whereby any license fee would increase according to specified tier levels as the entities grow in size and potential risks to the financial ecosystem, financial integrity and to consumers increase.

Overall, entities who in the FSB definition could be classed as ‘independent’ fintechs feel that there is first, a general inability or reluctance to recognize fintechs in terms of current regulatory frameworks, and second that there is a lack of urgency and progress in allowing them to operate independently – especially with B2C services - without the need for their activities to be tethered to a currently licensed or authorized financial institution such as a bank. Specifically, there appears to be a chicken-and-egg situation between the services and entities the SBP (currently) license or authorize, and whether the SECP will allow registration to operate specific service where those services are not necessarily allowed or even specified within the SECP’s own licensing or authorization regime.

Using the lending domain as an example of this situation, while SECP do allow loans if the entity has a NBFC license for housing finance, investment finance, and leasing, if a fintech wants to provide non-traditional lending services to consumers using new technology platforms, then SECP will not license these innovations.181 It will instead indicate to the fintech

180 According to SBP, the extended time often relates to lack of follow-up PSPs/PSOs post their in-principle approval or pilot. While SBP assign resources for this activity, there is a time limit for both SBP and an applicant. 181 Tez Financial, a Karachi -based digital Non-Bank Microfinance Company (NBMFC) offers nano-loans based on mobile data usage patterns. It has integrated with EasyPaisa, UBL Omni, and SimSim as its branchless banking partners. It has also partnered with two of the largest insurance companies in Pakistan—EFU Life and Jubilee General—to provide life and health coverage. They were required to obtain a NBFC/I license. SECP allowed a category of nano-lending in 2016-17. FinSMEs (2018) Tez Financial Services Raises $1.1M in Seed Funding, available at https://bit.ly/378fDMH



that authorization/licensing from SBP is required. However, there may not be category at SBP to authorize/license the service/activity or entity, leaving the potential service/activity in a regulatory gap and so unable to independently provide services. That is, any service such as such as P2P lending and crowd-funding platforms and deposit ostensibly serving a similar market segment to banks requires a NBFI license – if at all possible - from the SBP.

Use of a rule-based, institutional approach to regulation of the financial ecosystem means that many innovations cannot be easily introduced into the Pakistani market. The net result is that if licensed banks provide equivalent or similar services/activities to those contemplated by fintech, the banks will not face competition.

A similar constriction of service provision based on rule-based, institutional approach is that current PSP/PSO regulations addresses specific activities such as white-labelled ATMs, e-commerce gateways, and remittances.

However if a fintech wants to provide services - such as use of DLTs or crypt-assets - that are ostensibly outside the perimeter of the current PSP/PSO regulations, then there is no provision within the inflexible SBP rule-scheme that would allow then to be authorized by the SBP. Similarly, a constriction applies to what the SECP and/or PTA will license or authorize.

6.6. LIMITATIONS IN ACQUIRING ENABLEMENT If a fintech wants to undertake (card) acquiring services through provision of a dongle or similar payment instrument capture device or facility, regulations do not allow them to offer this independently: they need to go through an existing PSP and bank and utilize their authorization for acquiring.182

6.7. LIMITATIONS IN ACQUIRING CUSTOMER INFORMATION FOR KYC

A constriction for fintechs relates to KYC, and the requirement by SBP for biometric authentication for consumer onboarding and transaction authentication. The issue here is that for EMIs and other fintechs who have a B2C model is that they cannot get direct access to NADRA but have to incur additional per-lookup fees through indirect third-party access.

182 Indonesia, the US and the EU for example allow acquiring to some degree that is independent from banks. For banks who acquire cards in Pakistan, they have to go for an acquiring license from a payment scheme.



6.8. ANCILLARY LAWS, REGULATIONS AND POLICIES IN PAKISTAN RELEVANT TO FINTECH

Ancillary regulations may also be needed to address regulatory gaps for technologies and processes that fintechs (and others) will invariably need in pursuing their innovations. Exhibit 23 shows the status of ancillary laws, regulations and policies in Pakistan relevant to fintech.

These include those increased access to data held in data lakes held (often exclusively) by large incumbents; using open finance and open banking schemes; addressing cloud computing use; contractual and evidential certainty in the use of DLTs; ability to share and use KYC data in a centralized manner; data protection requirements for all entities; and use of AI and ML to replace or augment human decision making.



Exhibit 23: Status of Ancillary Laws, Regulations and Policies in Pakistan relevant to Fintech

Focus Area Relevance Status In Pakistan AI/ML ● Allows use of data

mining ● Delineates perimeter/s

for AI/ML in decision making

● No national AI/ML policy

Centralized eKYC Utility

● Provides full spectrum of CIV

● Facilitates smaller fintechs access to all databases

● SECP-driven process, through NCCPL ● EMIs and other fintechs who have a B2C

model cannot get direct access to NADRA and need 3rd party access.

Cloud Computing

● Allows startup and fintechs to use CSPs for save on server costs and to reach scale quickly.

● Section 32 of Banking Act appears to disallow cloud computing for banks.

● SBP indicates that it is interacting with the MoITT on cloud computing and data protection laws and regulations.

Crypto-Assets ● Brings certainty to growing global crypto economy

● Crypto assets not allowed in Pakistan ● No framework planned as yet

Data Protection/Privacy

● Brings certainty to use of data for non-traditional use cases

● Protects consumers

● Section 32a of Banking Act appears to disallow cloud computing for banks.

● Data protection law being discussed by cabinet

DLT/blockchain

● Brings certainty to growing global crypto economy eg evidentiary, notarization

● Use of smart contracts

● No national DLT policy ● Crypto-currency exchanges not allowed

by SBP

Open APIs ● Allows full interoperability with data from all fintech and banks

● Only a few bank and non-banks have opened up their APIs for developer community183

● Regulations are not available. Open Banking ● Allows full

interoperability with data from all fintech and banks

● Only a few banks have opened up their APIs for developer community

● Regulations are not available. Regulatory Sandbox

● Allows startups to test use cases on a temporary basis

● Full sandbox program not available, but planned

● SBP has ‘sandbox-lite’ for PSO/PSP applicants.

Technology Outsourcing

● Allows banks, financial institutions, startups and fintechs to contract with 3rd party entities

● SBP in December 2019 released new guidelines, requiring outsourcing arrangement outside Pakistan, excluding group outsourcing, to require their prior approval,



183 ProPakistani (2017) Telenor Pakistan Opens its APIs to Developers, available at https://propakistani.pk/2017/04/25/telenor-pakistan-opens-apis-developers/ ProPakistani (2017) HBL Launches Open Payments API in Pakistan, available at https://bit.ly/2MsrTj8

https://propakistani.pk/2017/04/25/telenor-pakistan-opens-apis-developers/



7. RECOMMENDED APPROACHES FOR FINTECH REGULATION IN PAKISTAN 7.1. OVERVIEW Noting the high barriers for many fintechs in Pakistan to fulfill initial licensing requirements, there is a need to reassess the ability of the inflexible rules-based, institutional approach to not only regulating fintechs, but also in being able to catalyze innovation in that sector.

It is proposed here that regulators transition to a risk-based approach whereby regulation of the fintech and financial sector follows a principle of ‘same activity creating the same risks being regulated by the same rules.’ Practically this manifest in the pairing a risk-based principle-based approach with functional implementation, based on a modern regulatory ethos of technology neutrality. Based on the risk profile of an entity, regulations may however be tiered.

A Overall Implementation Methodologies

7.2. IMPLEMENTING A RISK-BASED APPROACH TO REGULATION OF FINTECH AND FINTECHS

Use of a risk-based approach departs from the traditional institutional-based framework in place in Pakistan such that the same regulations should apply regardless of whether the activities are led by an incumbent financial institution or fintech start-ups.184 This principle should apply to all types of rules, including prudential rules, organizational requirements or conduct rules.

This means that market participants offering the same service or product should be regulated by rules or principles, or a hybrid of both, that are truly activity-based and conceived according to the risks that the specific activities produce – in particular for customers.

This policy approach should apply to all types of rules, including prudential rules, organizational requirements or conduct rules. The corollary therefore is that where there is reduced risk, entities should be subject to fewer sets of regulations and requirements. This approach should also embrace the concept of technological neutrality of financial regulation and supervision, whereby regulation and supervision should not prefer or prejudice a specific provider or technology.

Using a tiered approach, if a fintech startup poses less risk to the financial ecosystem or consumers, then for example, its license fees should be proportional to the risk. In a principles-based (versus a rules-based) approach, where the risk assessment – based on enumerated functional activities - in both instances is less, then the fintech could simply notify the regulator

184 Whether or not the fintech is controlled by a financial institution or housed in its own sandbox.



of its activities. As the risks increase based on risk metrics in the PBR motif, then the entity’s activities would require authorization from the regulator, followed then by licensing should it trigger the next metric in overall risk.

The similarity of the relevant activity should be considered by taking a functional view not just of its activities, but also of its effect, for example for consumer risk and thus standards of protection needed. The same activities can still be subject to differing regulatory obligations where they do not entail the same risks, whether individually or in combination.185

B Use of Data-Centric Regulatory Approaches

7.3. ANCILLARY LAWS AND REGULATIONS FOR ENSURING DATA-CENTRICITY AND REGULATORY CERTAINTY 7.3.1. Overall Approaches As noted above in Section 4, ancillary laws and regulations are the (necessary) how component of fintech regulation. They are critical to providing a true enabling environment for fintech and fintechs by clarifying use of systems and technologies fintechs in Pakistan may create or use.

These include those focusing on cloud computing; data protection and general sharing of data; open use of standardized APIs; AML/KYC; as well as legal certainty around use of DLTs - including smart contracts and crypto-assets.

Pairing the how with the who and what of regulation would necessarily involve increased amount of regulatory coordination between regulators - usually a very glacial process.

There is also a need – but only as required - then to strengthen frameworks for access to, processing and sharing of data, in order to promote innovation and competition and establish a level playing field amongst market participants.

For regulators, this involves access to accurate and contemporaneous data necessary not only for their internal ‘regtech’ use, but also for supervisory purposes for determination the degree of adherence of supervised entities to any rules or principles (as desired regulatory policy ‘outcomes’). Modern analytical tools can help make sense of this data to employ

185 Describing the risk that an activity creates is more complex, as this requires an assessment of all consequences of that activity in its broader context. If activities, albeit the same, entail different risks, they can be subject to different rules.



quantitative analysis to clarify enforcement priorities and the potential costs of non-compliance.

There are some risks though: for example, on availability of data where some consumers may or may not be able to provide certain forms of data and may be (unfairly) excluded from access to services. These consumers should not be disadvantaged in their access to financial services and therefore policymakers will need to make difficult choices taking account of new types of available data.186

Overall, a data-centric regulatory approach catalyzes and complements a number a domain required to catalyze fintech development in Pakistan. Measures should be developed to provide legal certainty on the access to and processing of non-personal data by different stakeholders.

Some of these measures are outlined in Exhibit 15 and relate to the need for a swathe of new and/or updated ancillary regulations needed as part of regulatory innovation. Exhibit 24 indicates the requirements for ancillary laws, regulations and policies in Pakistan relevant to certainty in fintech.

Exhibit 24: Regulatory Innovations Needed in Pakistan For Fintech-related Enablement.

Most of the regulatory innovations required to catalyze fintech innovation in Pakistan – particularly PBR approaches - are data-centric and may require ancillary regulations from non-financial regulators. Regulatory capacity-building and coordination will be required to facilitate this.

186 For example whether the use of a fitness tracking device can be considered to be a permissible pre-condition for access to health insurance UK FCA (2019) Call for Input: Open finance, available at https://bit.ly/2QozEYF



7.3.2. Implementation of Open Banking and Open Finance Regimes for Pakistan

Access by fintechs to established payment systems or banks is not mandated, nor is there an open API regime, nor a well-defined access regime for fintechs. That is, the only method whereby an independent fintech can (fully) access the full suite of developed APIs that could give them a competitive edge is to partner with a bank or regulated institution.187

Exhibit 25 shows examples of data that could be shared in an API-driven open finance ecosystem.

Because data access – especially with its national security, data localization, data protection and privacy implications – is a sensitive and complex issue, financial and non-financial regulators should meet to coordinate on a national strategy. Given though that this may coordination may take a while to organize and implement and given the befits of sharing of even relatively small data sets, SECP and SBP as the primary financial regulators should coordinate on implementing an open banking and/or open finance regime on a limited scale.

Given also that most banks have been reluctant to share data with fintechs unless it is on their terms, a prescriptive open banking/open finance regime would be recommended to advantage fintechs and catalyze new business models.

The CCP may need to be involved in this process if there are any concerns about anti-competitive behavior by incumbents in implementing these new regimes. Similarly, the MoITT may need to be involved in setting or mediating on any required API standards.

187 ibid



Exhibit 25: Data that could be shared in an API-driven open finance ecosystem, with appropriate regulatory endorsement by the SBP and SECP.

These examples demonstrate how a range of data could be shared by providers as part of open finance.

Financial Sector

Example of Open Finance Data Sharing

Savings ● Product information (features, terms including fees or charges) ● Balance and transaction information

Mortgages ● Product information (features, terms including fees or charges) ● Balance (size of the loan) and property value ● Payment history

Consumer Credit

● Product information (features, terms including fees or charges) ● Credit amounts, limits and balances ● Payment and usage history

Investments ● Product information (features, terms including fees or charges) ● Balance and transaction information ● Investment history and historical risk exposure

Pensions

● Product information ● Fund value and projection ● Contribution history ● Fees and charges for invested assets ● Current contribution rate

Insurance ● Product information (policy features, terms including fees or charges,

exclusions) ● Basic customer data (name, address, claims history data) ● Additional customer information

Open finance would require a range of common and agreed standards, including:188

● Technology architecture (e.g. open APIs) ● Operating principles, processes and practice ● Security protocols ● Certain areas of user experience design ● Service level agreements for performance ● Liability models ● Dispute resolution ● Consent management and data rights

188 UK Department for Business, Energy and Industrial Strategy (2018) Goals-Based And Rules-Based Approaches To Regulation, available at https://bit.ly/2ZdS16R




● Authentication and identity management

7.3.3. Artificial Intelligence and Machine Learning Rules from SBP and PTA on the use of customer data by fintechs using AI analysis of ‘big data’ sets to for example, create alternative credit scoring data sets have led to confusion about how data can be used. This issue should be settled in terms of a new data privacy law and similarly, rules that prevent algorithmic bias in decision making.

Rules from SBP and PTA189 on the use of customer data by fintechs using AI analysis of ‘big data’ sets to for example, create alternative credit scoring data sets have led to confusion about how data can be used. This issue should be settled in terms of a new data privacy law and similarly, rules that prevent algorithmic bias in decision making.

7.3.4. Enhancing Data Protection and Data Privacy Overall, a data-centric regulatory approach catalyzes and complements a number a domain required to catalyze fintech development in Pakistan. Measures should be developed to provide legal certainty on the access to and processing of non-personal data by different stakeholders. However, companies should be encouraged to implement technical and organizational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start. In the latter, companies/organizations should by default ensure that personal data is processed with the highest privacy protection so that by default personal data isn’t made accessible to an indefinite number of persons. This may curtail data for processing, storage and accessibility. In a social media context for example, users’ profile settings should by default be set in the most privacy-friendly manner. 190

The regulatory lodestar on data privacy and protection should be data protection by default,191 and not data protection by design unless circumstances require it.

New regulations on cloud computing should address the regulatory confusion - identified by fintechs in Pakistan - precipitated by Section 32a of the Banking Act which relates to a generic prohibition on ‘sharing’ of customer data–with others without customer consent. As a cloud computing policy – discussed below - is notably often a multi-jurisdictional issue, impacted regulators in Pakistan would need to coordinate on determining the boundaries between PII and non-PII data that can be stored on cloud systems, if any at all. For the same overall reasons, privacy regulations generally and within current regulations or laws should be updated, clarified or developed as required.192

189 PTA relates to customer data for TPSP services, whole for AI/ML and over all data policy, the Interior Ministry is the relevant regulator. 190 ibid 191 EU (2019) What does data protection ‘by design’ and ‘by default’ mean?, available at https://bit.ly/34D9XcZ 192 Zetzsche, D; Buckley, R; Arner, D & Barberis, J (2017) Regulating a Revolution: From Regulatory Sandboxes to Smart Regulation, available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3018534

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3018534



7.3.5. Clarification of Cloud Computing Use While SBP have some evolving rules around cloud computing for data storage, there appears to be a disconnect in the interpretation of Section 32a of the Banking Act on customer data:

● For SBP, the section means customer data must be stored only on the data controllers’ own premises and servers and thus does not allow data to be stored in a third-party cloud environment.

● For fintechs, they see cloud computing providers simply as being extension of their own servers, storing data in an encrypted form that does not expose customer data to the cloud provider. Given the lack of reliable power in many instances, fintechs also see any potential requirement to keep data in a local cloud provider as impractical and would rather have the option to use non-Pakistani providers such as Amazon, Microsoft or IBM.

● There are significant cost savings to cloud services versus purchase and maintenance of physical infrastructure implementation of IaaS for example can save 30–60% of IT infrastructure costs.193

The MOITT indicates in its 2018 Digital Pakistan Policy that it wants to promote cloud infrastructure and associated delivery models such as PaaS, SaaS, and IaaS for offering internally to attract local and international markets through special incentives programs.

SBP indicates that it is considering new cloud computing regulations in line with what other central banks feel is best practice. The nature of the interaction between the MoITT and PTA on these issues is unclear.

As noted earlier, the new regulations should address the regulatory confusion - identified by fintechs in Pakistan - precipitated by Section 32a of the Banking Act which relates to a generic prohibition on ‘sharing’ of customer data–with others without customer consent. Any changes to the Act, or an incorporation by reference to any new national cloud computing laws, should differentiate between storage of data in an encrypted form that the Cloud Service Provider (CSP) cannot view, effectively acting only as a ’dumb’ storage medium for a fintech even though, potentially, encrypted PII may be placed on a CSP server.

7.3.6. Clarification of Technology Outsourcing Perimeters

The SBP in December 2019 revised some sections of its Framework for Risk Management in Outsourcing Arrangements by Financial Institutions to facilitate banks outsourcing with third parties and, ostensibly, manage potential risks.

Specifically, its increased risk profile – in the view of SBP - of financial institutions due to their increasing dependence on third parties and group companies. In the new rules, any

193 As KMPMG notes, because of the complexity involved, making the complete business case for cloud adoption requires detailed information about the expected ongoing benefits (lower operations costs), the one-time up-front migration costs, the write-off or depreciation run-off costs for the legacy assets, and the financial benefits for the investment. KPMG (2015) Cloud Economics: Making the Business Case for Cloud, available at https://assets.kpmg/content/dam/kpmg/pdf/2015/11/cloud-economics.pdf



outsourcing arrangement outside Pakistan, excluding group outsourcing, requires SBP’s prior approval. All such requests must be signed by the head of compliance and include details of the functions to be outsourced, rationale for the outsourcing, details relating to the proposed service provider, agreement with the service provider, business continuity plan, disaster recovery arrangements and a legal opinion that the arrangement does not violate any relevant local law.194

In case where outsourcing arrangement involves confidential customer information, supervised entities must seek specific consent of the customer or encrypt or anonymize any PII of customers so that their identities cannot be readily inferred. They must also retain information of all such cases, which will be reviewed by SBP team during on-site inspection.

IT outsourcing is also not allowed for critical IT systems/functions and applications of the supervised entity, such as core banking applications including branchless banking, mobile wallets of branchless banking, databases relating to information of customers, information security and primary and disaster recovery functions.

7.3.7. Improving Protections for the Intellectual Property Rights of Fintechs

A major concern of fintechs in Pakistan is the fear that their intellectual property could be appropriated and intellectual property rights (IPR) are ignored. The Intellectual Property Organization of Pakistan (IPO-Pakistan) controls patent, trademark issuance, but enforcement of IPR by the courts is seen to be lacking and ineffective given the length of time it takes to resolve commercial disputes in Pakistan in the context of startups with limited funds to challenge misuse of their IPR. These need to be addressed, particularly to safeguard the interests of local and foreign investors in the fintech ecosystem.

7.3.8. Use of KYC Utilities for Collaborative Compliance

AML/KYC – especially in the context of Pakistan having recently being grey listed by FATF195 – is an important component of fintech development. NADRA’s CNIC and identification data is the primary source of verification in Pakistan and is accessible to all ecosystem participants on commercial terms. However, financial ecosystem participants have different levels of access to prospective customers’ information for Customer Identification and Verification (CIV) purposes. That’s is, current regulations allow remote account opening for ‘Level 0’ customers, but for those not pursuing a mobile approach they cannot access this data in the absence of access to a centralized validation service.

A centralized facility can be used to integrate data from multiple sources, allowing for lower Customer Due Diligence (CDD) costs for all participants. Under the Centralized Know Your Customer (KYC) Organization Rules, 2017 in terms of the Securities Act, 2015, the

194 Framework for Risk Management in Outsourcing Arrangements by Financial Institutions, available at http://www.sbp.org.pk/bprd/2019/C6.htm 195 Pakistan has until February 2020 to improve its counter-terror financing operations in line with an internationally agreed plan or face actions against it. DW (2019) Pakistan avoids FATF ′black list,′ gets stern warning, available at https://www.dw.com/en/pakistan-avoids-fatf-black-list-gets-stern-warning/a-50870561



National Clearing Company of Pakistan Limited (NCCPL) was designated by the SECP as a Centralized Know Your Customer ‘KYC’ Organization (CKO). It commenced services in June 2019.

Mobile-based ecosystem participants are also limited in ability to verify and ensuring sustained ownership of the SIM cards of competing mobile operator customers, with some of the view that a functionality needs to be put in place to resolve this limitation. This will not only provide functionality for compliance but will also help in the prevention of fraudulent BB activities through exchange of timely information between participants, resulting in enhanced consumer trust in the long-term.

C Regulatory Coordination Mechanisms

7.4. FACILITATE COORDINATION OF ANCILLARY REGULATION AND POLICIES

As described above in Section 6.3, ancillary regulations are those which is required to enable critical functionality for fintech development, primarily in enabling use of technologies and access to data not held by a fintech, but which may be critical to its operations and business model.

Noting the scope of ancillary laws and regulations that may impact fintech and fintechs the status of these laws and regulations in Pakistan is detailed below in Exhibit 26.

7.5. FACILITATE COORDINATION ON SANDBOXES AND INNOVATION OFFICES

Since SECP in December 2019 announced its regulatory sandboxes, a system of sandboxes as each regulator launches them should be further harmonized so that every regulator follows common principles and standards, while the rules and procedures are as streamlined and transparent as possible. A similar coordination mechanism should apply to any innovation offices whether it from regulators or GOP ministries.

SBP indicate that they have a ‘sandbox-lite-type’ onboarding process to assist prospective PSO/PSP applicants, described in Exhibit 21.

Here, applicants must convince SBP of the practicality of their proposal. SBP indicate that the biggest risk of a sandbox is reputational risk. SBP do not favor a physical sandbox in a lab at SBP (or jointly, with SECP) as, they indicate, there is no capacity at SBP and SECP for physical sandbox as a lab. Instead they favor a logical sandbox approach.



There is as yet no implementation of an EU-like international pass-porting of ‘sandbox’ authorizations. SBP indicate that this has been discussed in the South Asian Association for Regional Cooperation (SAARC) forum with a view to collaborating on system-specific regulation and implementation of sandboxes.

These initiatives could ensure a level playing field in terms of access to sandbox and innovation schemes, as firms would be have to conform to a common testing framework, thereby enhancing confidence in, and portability of, test outcomes, and network effects by better and more formalized coordination between regulatory sandboxes. Further, all market participants should be treated equally: irrespective of the size or degree of establishment on the market, innovators of all kinds should be able to apply without discrimination.



8. CONCLUSIONS AND RECOMMENDATIONS

This Report encapsulates observations on the evolving, but still nascent ‘fintech’ sector in Pakistan and methods to catalyze and regulate it.

Based on these observations, and trends in fintech regulation worldwide, a number of recommendations are provided in this Report, categorized by regulatory framework and policies; market conditions, innovation and conduct; and regulatory capacity and coordination. The recommendations are summarized in Exhibit 26. A color-coded priority scale is also provided per recommendation, reflecting the consultant’s view of relative timeframes for the adoption of the recommendations so as to catalyze fintech adoption in Pakistan.

Overall, while digital financial services (mobile money) innovation has been shown to reduce financial exclusion through the application of innovative ‘fintech’ technologies and business models, the opportunities (and potential risks) of fintech are constantly under review by regulators. Faced with the challenges of these new technologies and business model, financial sector regulators are rethinking their regulatory approaches, often transitioning away from the traditional - but increasingly inflexible and thus often ineffective - institutional and rules-based approaches.

Increasing numbers are adopting variants of the more flexible, and technologically neutral principles- and functional-based approaches, particularly suited to the emerging focus on data-centricity. They address the who and what components of financial regulation. These models are largely unconstrained by a need to revisit regulatory policy with the emergence of every new generation of technology or business model. The concept of technological neutrality of financial regulation and supervision typically means that regulation and supervision should not prefer or prejudice a specific provider or technology.

Based on these approaches, the outcomes are important. That is, provided that the (fintech) innovator can demonstrate how it intends to mitigate the risks to the public and the risk of its innovation being used for money laundering or the financing of illicit activities, regulators could allow their innovation to proceed to market and transition into a regulated environment.196

Complementary to the use of functional, principles-based regulation to address the rapid pace of innovation and business models, ancillary regulations address the how, completing the trilogy of regulatory foci. Thereto, and to avoid regulatory ambiguity, gaps and arbitrage, laws and regulations for ancillary-type functions and services would need to be developed, or existing regulations clarified to allow authorized/licensed fintechs to use them in furtherance of their activities and verticals. Use of regulatory sandboxes to facilitate transition towards the principles-based approach rather than a ‘big bang’ approach.

In the context of increasing data-centricity, these regulations could cover inter alia the use of ‘big data’ sets; requirements for cloud computing and data localization/safe harbor rules; sharing of data for anti-money laundering purposes. And in the DLT realm, address changes to contract law for smart contracts use, and how or whether to recognize data stored for evidential and other

196 European Banking Authority (2018) Risks And Opportunities Arising From Fintech, available at: https://ssrn.com/abstract=3359399



purposes. Similarly, they could also curate the growing use of artificial intelligence and machine learning to analyze data in a manner that does not create or perpetuate algorithmic biases and unintended red lining of classes of people for access to financial services and products. For the same overall reasons, privacy regulations generally and within current regulations or laws should be updated, clarified or developed as required such that restrictive regulations do not handicap technological innovation and market use.

The approach can also catalyze emerging models of ‘open finance’ and ‘open banking’ that are interoperable and cohesive that would maximize competition and efficiency, drive up rates of adoption and inclusion, and minimize friction and confusion for the end customer. It would ensure the whole system is based around the customer and their journey. Given that many of these primary and ancillary issues may fall within the remit of one or more regulators, pairing the how with the who and what of regulation would necessarily involve increased amount of regulatory coordination between regulators and government departments - usually a very glacial process. Coordination is also important so as to avoid introduction of anti-innovation artefacts into policy-making techniques via ‘regulatory policy development by enforcement.’ The current coordination mechanism in Pakistan is insufficient though for an omnibus mechanism for understanding and integrating ancillary regulations.



Exhibit 26: Summary of Issues, Effects And Recommendations For Development Of The Fintech Ecosystem In Pakistan.

Category Issue Effect on Fintech

In Pakistan Report Recommendation(s) Effects

A] Regulatory Framework and Policies

Limitation of current, rules-based, institutional frameworks [A1]

Limits fintech development in Pakistan

Investigate implementation of a functional. PBR approach to fintech-related regulation [A1a]

SECP, SBP

Investigate implementation of a risk-based approach to fintech-related regulation [A1b]

SECP, SBP

Investigate use of a technologically-neutral approach in development of new, or adaptation of existing, laws or regulations impacting fintech and fintechs [A1c]

SECP, SBP

High Barriers to Entry for Startups & fintechs

Startups, and fintech investors in particular are dis-incentivized to develop fintech products

Implementation of a Transitional Regulatory Regime using hybrid RBR and PBR approaches For Enabling Fintechs [A2a]

SECP, SBP

Coordination between Regulators for implementation of Regulatory Sandboxes [A2b]

SECP, SBP

Lack or Unclear Ancillary Laws & Regulations Causing Regulatory Ambiguity & Gaps

Regulatory ambiguity and gaps

Coordination needed on ancillary laws and regulations affecting financial ecosystem participants [A3a]

SECP, SBP; PTA; MoITT, MoJ, CCP;

NADRA The regulatory lodestar on data privacy and protection should be data protection by default,197 and not data protection by design unless circumstances require it [A3b]

SECP, SBP; PTA; MoITT, MoJ, CCP;

NADRA

B] Market Conditions, Innovation & Conduct

Data ownership is too concentrated in Pakistan & should be shared using mandated standards

There is a general inability to obtain data sets, or freely use external resources. This hampers fintech development and financial integrity, and stifles consumer choice. This is largely due a lack of, or clarity of ancillary laws and regulations.

Implement Open Banking, Open Finance and Open APIs policies.[B1a]

SECP, SBP; MoITT, CCP;

NADRA Clarify rules on use of Artificial Intelligence use in financial services to prevent algorithmic biases and data-exclusion [B1b]


NADRA

Clarify and/or implement less restrictive rules on cloud computing use and data localization [B1c]


NADRA Clarify rules on data privacy and data protection for the use and storage of non-PII and PII [B1d]


NADRA Improve the ability of fintechs to undertake Technology Outsourcing [B1e]

SECP, SBP; MoITT, NADRA

C]- Regulatory Capacity & Coordination

Moves towards implementation of sandbox approach, & functional/PBR approach may be stymied by lack of

Fintechs could face regulatory uncertainties and compliance burdens

Improve capacity-building for industry participants, regulators and policy makers through common forums [C1a]

SECP, SBP; MoITT, MoJ,

CCP; NADRA; financial

ecosystem participants; Incubators



regulatory capacity

Priority Scale For Regulatory Fintech Catalyzation in Pakistan

Near Term Medium term Long Term

197 EU (2019) What does data protection ‘by design’ and ‘by default’ mean?, available at https://bit.ly/34D9XcZ



CATEGORY A REGULATORY FRAMEWORKS AND POLICIES IN PAKISTAN

Issue A1

Limitations of Current Rules-based, Institutional Framework

Effect on Fintech Development

It is clear that the current institutional, rules-based approach requiring a designated company to fit within an institutional framework and specific set of activities as offered by SBP and SECP severely limits entities from operationalizing new innovations, products and technologies and competing with larger entities on a level-playing field. The absence of a vibrant, competitive fintech ecosystem and influx of venture capital in Pakistan reflects this. In particular, this reflect the fact that the current regulatory framework(s) lacks the following: ● A variety in institutional classifications employed by SECP and SBP that

can accommodate fintechs ● Flexible product verticals and categorizations that recognize and adapt to

evolving technologies and services ● License fees affordable for startups and SMEs

Recommendation A1a

Investigate use of a data-centric. functional, principles-based regulatory approach to fintech-related regulation

● SBP, SECP, PTA and MoITT should meet to discuss the implementation

of a PBR functional approach to fintech regulation. Any perimeter should be designed widely.

● The latter pair in particular suit the emerging focus on data-centric

regulation and fintech innovation discussed earlier but not being constrained by needing to revisit regulatory policy with the emergence of every new generation of technology or business model.

● From these regulatory priorities, what may manifest and which may be

appropriate for the Pakistani context is a hybrid regime using elements of institutional, principle, product and functional approaches that combines the certainty expected by regulators with the flexibility and enablement (and to some degree, also certainty) desired by fintech SMEs.

● Any new regulations should strive for a harmonized set of rules, inter-

operability and platform utilization security protocols, covering a given functional activity across all players simultaneously, rather than treating players differently according to their characteristics to avoid artificially segmenting the market and limiting competition.

● A transitional regime should be used to help current regulated entities and

newly regulated entities to transition smoothly to the new requirements.



Issue A2 High Barriers to Entry For Startups, And Fintechs In Particular

Effect on Fintech

Development

Startups, and fintech investors in particular are dis-incentivized to develop fintech products. However, evolving international best-practice for fintech-relevant and/or focused198 regulation is that regulatory and compliance obligations of an entity should be dynamic, adapting to its size, activity portfolio, and risk as it evolves and grows.

ecommendation A2a

Implementation of a Transitional Regulatory Regime using hybrid RBR and PBR approaches For Enabling Fintechs

● Relevant regulators should appropriately categorize and

understand the benefits and applicability of a technology or vertical. Regulators should have the ability to create a less onerous regime for small entities falling below certain thresholds. This would mean using a risk-based approach to regulation, ideally using a tiered approach that reflects higher requirements fastening on an entity

198 For example a specific fintech law.

This means implementing a (aspirational) combination of a PBR functional approach which allows for more flexibility for SMEs to firstly, enter into a market through an authorization or a license using a PBR approach, and then secondly, not be constrained a rules-based approach that reflects a one-size-fits-all approach to what services can be offered.

Recommendation A1b

Investigate implementation of a risk-based approach to fintech-related regulation. A risk-based approach to fintech-related regulation approach may include using high-level approaches (e.g. risk- or function-based) to deal with challenges brought about by new technologies, and complement them with a sub-set of specific regulations that are directed at an identified activity or function – such as payments, AML/KYC. If needed, these could then be further broken down into product-specific regulation that is still anchored in principle-based regulation, for example with specific consumer protection guidelines or rules.

Recommendation

A1c

Investigate use of a technologically-neutral approach in development of new, or adaptation of existing, laws or regulations impacting fintech and fintechs. A technologically-neutral approach should be used where possible in development of new, or adaptation of existing, laws or regulations such that policies and regulations should foster healthy competition between players, regardless of whether they offer conventional approaches or use new technological solutions.



potentially greater risk to the systems and consumers as it grows in size and reach. This should start with entry-level regulation (disclosure), with the tiered increases in oversight, as needed, as the entities grow.

● In line with the PBR, functional approach to regulation, tiered based

license fees should be introduced that are reflective of the risk levels of entities. Startups enter a market through an authorization should ideally not attract any license fees, although this may be dependent on the type of functional vertical the startup fits into.

● This transition also avoids a ‘big bang’ approach which some

regulators would find too overwhelming, given their need to retain elements – particularly for the banking and lending sector – of the rules-based, institutional approach.

Recommendation A2b

Coordination between Regulators for implementation of Regulatory Sandboxes

● A transitional regulatory regime may also require implementation of varieties of regulatory sandboxes to act as a buffer – in a codified ‘transition period’ - if regulators wish to move from the strict rules-based, institutional approach to the more flexible and encompassing regime.

● This may mean creating a regulatory sandbox environment that allows innovations to be tested within defined criteria including time and product restrictions. It would also allow the regulator the opportunity to measure the impact of the new services and/or technologies, whilst crafting appropriate regulations or authorization criteria for post-sandbox – ‘playbox’ – implementations.

● The SBP should coordinate with the SECP in relation to the SECPs sandbox approach.

Issue A3

Lack of, or Unclear Ancillary Laws and Regulations Affecting Fintech And Fintechs

Effect on Fintech

Development

Regulatory ambiguity and gaps

Recommendation A3a

Coordination between Regulators Is Needed on Ancillary Laws and Regulations Affecting Financial Ecosystem Participants

● Where required, ancillary laws and regulations – for example for

cloud computing, big data/data privacy implication, and algorithmic trading and decision making - should be simultaneously altered to such that restrictive regulations do not handicap technological innovation and market use.

● These may include new or updated laws and regulations on DLT/blockchain; crypto-assets; crowdfunding; P2P transfers; AI explainability; cloud computing, as well as on technical and cybersecurity standards.

● Coordination is needed between SECP, SBP; MoITT, MoJ, CCP and NADRA.

Recommendation A3b

The regulatory lodestar on data privacy and protection should be data protection by default,199 and not data protection by design unless circumstances require it.

199 ibid

CATEGORY B MARKET CONDITIONS. INNOVATION AND CONDUCT

Issue B1 Data Ownership Is Too Concentrated in Pakistan and Should Be Shared Using Mandated Standards


There is a general inability to obtain data sets, or freely use external resources. This hampers fintech development and financial integrity, and stifles consumer choice. This is largely due a lack of, or clarity of ancillary laws and regulations.

Recommendation B1a

Implement Data-sharing polies such as Open Banking, Open Finance and Open APIs

● Concentration of data in the hands of large institutions may be ameliorated though through use of open APIs where there is either mandated access to data by fintechs for both fintech and regtech use, the latter in the form of centralized KYC Utility solutions.

● There is a need to strengthen frameworks for access to, processing and sharing of data, in order to promote innovation and competition and establish a level playing field amongst market participants.

● Data that could be shared include those relating to savings; mortgages; consumer credit; investments; pensions; and insurance. Data sets and lakes can also be used for compliance and suptech purposes.

● Investigate with other regulators and MoITT a common and agreed technical standards, especially those for common APIs.

Recommendation B1b

Clarify and/or implement less restrictive rules on cloud computing use and data localization

● Given that SMEs globally are using cloud services to scale servers and to save costs on internal infrastructure, of urgent need is regulatory clarification on the use of cloud computing servers:

o For data storage either of company data, and/or o For data storage of some customer data o Housed within Pakistan; and/or o Provided by international providers with server farms housed

outside Pakistan, and/or o As a platform and infrastructure services.

● Restrictions on data localization should be loosened given that most fintechs use (or will use) cloud services.

● Loosen restrictions as far as possible on use of cloud storage mechanisms for data storage and applications

Recommendation B1c

Clarify rules on use of Artificial Intelligence use in financial services to prevent algorithmic biases and data-exclusion.

Recommendation B1d

Clarify rules on data privacy and data protection for the use and storage of non-PII and PII

Recommendation B1e

Improve the ability of fintechs to undertake Technology Outsourcing Restrictions on technology outsourcing should be loosened given that most fintech startups will be unable to implement a number of in-house systems. Portions of SBP’s December 2019 rule set that revised some sections of its Framework for ‘Risk Management in Outsourcing Arrangements by Financial Institutions’ could be applied to fintechs.

CATEGORY C REGULATORY CAPACITY AND COORDINATION

Issue C1 Regulatory Capacity Building and Coordination Challenges


Regulators globally often lack capacity to engage in fintech (and regtech) environments with a full understanding of the scope and implication of technologies and products being proposed or introduced. Fintechs could face regulatory uncertainties and compliance burdens as central banks try to balance innovation and stability so they are more likely to impose stricter regulations to deal with the new and unknown risks posed by the changing financial landscape. Pakistan is no exception to this challenge.

Recommendation C1a

Improve Capacity-Building for Industry Participants, Regulators and Policy Makers Through Common Forums ● While regulators usually have their own systems – internal and

external – for undertaking capacity-building, collegial forums between industry participations, regulators, and policy makers represent an effective and contemporaneous method to outline new technologies and their regulatory implications.

● A common forum between industry participants, regulators and policy makers through should be instituted, with regulator meetings scheduled.

9. ANNEXURE/ APPENDICES ANNEX - 1: JULY 25, 2019 FINTECH WORKSHOP REPORT200 A workshop was organized by USAID SMEA on Regulatory Framework for Fintechs with the participation from State Bank of Pakistan, NADRA, Fintech Firms, Banks, Karandaaz and Fintech Association of Pakistan. Chief of Party USAID SMEA, Mr. Farrukh Mehboob Khan began the workshop and illustrated the agenda and aims of the SMEA project. The first session was conducted by International Consultant, Dr. Leon Perlman. International Context for Fintech Regulatory initiatives were explained to the participants taken by USA, UK, Bahrain, UAE, Singapore and Australia and Regulatory Sandboxes utilized enabling Open Banking, Crypto Assets, Distributed Ledger Technology, Robo Advisory, Artificial Intelligence, Payment Services, e-KYC, Cloud Computing, Alternate Lending and Crowd Funding. To enable new fintech products and services, general and newer models for regulatory approaches for regulators were discussed at length. Dr. Perlman further explained the working of sand boxes for onboarding fintech firms, rules to be applied, potential risks, implementation challenges and perceived benefits to be derived from the sand boxes. The session ended with Regulatory Sandboxes experience and the public private partnerships approach adopted by Australia, Bahrain, Jordan, Singapore, UAE and UK resulted in cross border collaboration for fintech services. The second session was conducted by local consultant, Mr. Talha Leghari. The session looked at more diverse set of issues pertaining to the local fintech ecosystem. He started off by explaining working of an efficient fintech ecosystem and the roles and responsibilities of governments, banks and the entrepreneurs, major participants of a fintech ecosystem. The participants were informed about the working of the local fintech industry, mostly dominated by banks and how the regulatory and licensing regimes hampering the growth of fintech firms. The session was ended with NFIS key targets set for 2023 and how fintech firms are assumed to cover the grey areas left by incumbent banks in Pakistan. The workshop participants were divided into 4 groups for a 30-minute breakout session. Each group was assigned a topic for discussion pertaining to Ecosystem Development, Regulatory Framework for Fintechs in Pakistan, Sandbox and Business Aspects. After the breakout session, participants’ feedback was recorded for further working and reporting. Key takeaways for the workshop include:

● Company definition at the SECP level ● Sandbox approach required for inter-governmental collaboration for regulating fintech

firms with unique business model and services ● Tax incentives for fintech firms

200 Adapted from the report on the workshop for Chemonics by Mr. Talha Leghari

● Need of a Technical Sandbox to test new emerging technologies ● Public Private Partnerships to expand the ecosystem ● Data Protection Act to be made available by government ● There should be a hybrid regulatory approach including institutional and functional for

fintechs as a new framework. ● Fintech startups should be regulated with a tiered approach and capital requirements

based on level of scalability and not from the very start ● There should be a cushion for fintech firms in the working capital to cover losses.

ANNEX - 2: SALIENT FEATURES OF THE THIRD-PARTY SERVICE PROVIDER LICENSE IN PAKISTAN201

201 Rizvi, S; Naqvi, B; and Tanveer, F (2018) Is Pakistan Ready to Embrace Fintech Innovation?, available at https://bit.ly/2PR1e1X

Back

USAID Small and Medium Enterprise Activity [email protected]

mailto:[email protected]

Regulatory Framework for Fintechs in Pakistan

Documents

Transcript of Regulatory Framework for Fintechs in Pakistan