How PVARA’s New Crypto Sandbox Stacks Up Against International Frameworks

Pakistan’s Virtual Assets Regulatory Authority (PVARA) announced its sandbox framework on February 20, 2026, positioning it as a structured pathway from innovation to licensing. The framework’s four-stage design appears thoughtful on paper.

In practice, it reveals an authority attempting regulatory sophistication with a serious lapse in the institutional architecture needed to deliver it, and without even acknowledging the gap.

Putting On a Pedestal: Where Does the Pakistani Sandbox Stand?

The Absence of Published Standards

PVARA’s most prominent structural weakness is the complete absence of published criteria for what PVARA considers “in scope” versus “prohibited.” Stage 1 applicants must submit business descriptions and risk frameworks, then wait for PVARA’s subjective judgment on whether the proposal is “in scope, not prohibited, and worth closer look.” PVARA publishes no checklist, no model templates, no definition of prohibited activity, no guidance on what “scope” actually means.

The consequence is that teams cannot determine whether they qualify without burning resources on applications that may be rejected for reasons never articulated. Innovation becomes selection for compliance budgets rather than merit.

Compare this to Singapore’s MAS, which publishes explicit tiered licensing pathways with clear activity definitions. Even Hong Kong’s sandbox publishes transparent rejection reasons after reviewing applications. In comparison, PVARA offers nothing.

A startup cannot tell whether its product is prohibited, out of scope, or simply “not worth a closer look” according to unstated criteria. This creates what regulators call “regulatory uncertainty,” which directly translates into capital flight as firms simply won’t invest in testing environments where the entrance requirements are unknowable.

Pakistani teams with genuinely innovative ideas will apply to Dubai’s VARA or Singapore’s MAS instead, because they can actually understand the rules. PVARA will likely attract only teams with nowhere else to go, which is exactly the opposite of what a sandbox is supposed to do.

The following figure compares PVARA’s sandbox against the region’s best:

Committee Opacity in Stage 2

Stage 2 requires a supervisory committee review of “technical functionality, risk mitigations, and consumer protection.” PVARA publishes no committee composition, no decision criteria, no reasoning for approvals or rejections, no explicit definition of what “fit and proper” means, and no appeal mechanism.

This is the most dangerous stage as custody design, key management, and incident response evaluation require specialist capacity. If PVARA’s committee lacks crypto-specific technical expertise, decisions drift toward who looks credible rather than who is actually safe. And because evaluations are secret, neither the market nor independent experts can verify whether decisions are sound or arbitrary.

The risk of a committee rejecting a technically superior but poorly presented application in favor of a well-groomed but technically weaker competitor is ever-present. Without published reasoning, this bias becomes structural. Teams cannot prepare for what is actually being evaluated because the evaluation criteria themselves are hidden.

Singapore’s MAS addresses this through published policy papers on what constitutes acceptable risk management. Dubai’s VARA articulates specific technical standards for custody and cold storage.

PVARA offers opaque committee deliberation and an implicit threat that “fit and proper” is whatever the committee decides it is.

Stage 3’s Approved Provider List

Stage 3 restricts tested firms to “approved ramps and service providers only.” PVARA has published no list of approved providers, no criteria for what makes a provider approvable, and no process for a firm to challenge whether a necessary provider has been approved.

This creates a devastating bottleneck. Imagine a team building a stablecoin remittance product. They cannot test without on-ramps and off-ramps. If PVARA’s approved provider list consists of three banks with no appetite for crypto, the sandbox becomes impossible to use. Not because the product is bad, but because the infrastructure PVARA itself mandated is unavailable.

The sandbox is supposed to stress-test products under live conditions. Restricting firms to an artificially limited set of service providers means the product never gets tested under realistic conditions. The failure modes the sandbox is supposed to surface, such as operational scalability, custody reliability, and incident response at volume, never appear.

Moreover, the approved provider list, if narrow, inadvertently creates gatekeepers. If only three custodians are approved, those three become de facto gatekeepers controlling access to the sandbox itself. This reshapes the market by extracting rents from innovation rather than enabling it.

Supervision in Stage 3

PVARA claims to conduct “continuous monitoring” with power to “adjust limits or pull the plug.” These sound rigorous until one asks what they actually mean. What data must firms log? What incident reporting deadlines apply? What severity thresholds trigger intervention? When does a performance issue become cause for termination versus extension?

Without answers, “continuous monitoring” becomes periodic reporting, and periodic reporting is where risks hide. A quarterly report on user growth and transaction volume tells PVARA nothing about whether custody is actually secure, whether incident response protocols work, or whether the product is drifting toward uses it was not approved for.

A firm could test for 18 months, never surface a custody breach because volume remains low, graduate to full licensing, and then suffer a catastrophic loss at scale. The sandbox produces false confidence instead of genuine insight.

Dubai’s VARA addresses this through defined data submission requirements and incident reporting SLAs. Singapore’s MAS mandates real-time monitoring of trading activity. PVARA offers no such specificity. “Continuous” monitoring without defined data requirements and response thresholds is just hope with regulatory framing.

The 18-Month Test Window

PVARA permits testing for “up to 18 months,” with an extension of a further six months possible. This is long enough for a sandbox to quietly fail or simply exist in a regulatory grey area indefinitely.

This is a known sandbox pathology. Jurisdictions around the world have experienced pilot programs that outlived their purpose, created constituency expectations for permanence, and ultimately became regulatory status quo rather than actual testing. 18 months is long enough for that to happen, particularly when Stage 3 evaluation criteria are vague.

No-Action Relief Misunderstood as Approval

Stage 3 grants firms “conditional no-action relief,” which technically means tolerance for operating in a grey area, not regulatory endorsement. But consumers will read “sandbox participant” as “approved by PVARA,” conflating tolerance with safety. PVARA has published no guidance distinguishing these, and provides no mechanism for firms to clearly communicate sandbox participation without implying approval.

This is especially dangerous for remittance products and stablecoins, i.e., products that directly hold consumer funds. A remittance user might place $5,000 with a sandbox-stage firm believing PVARA has verified its safety. The firm could be technically sound or catastrophically vulnerable. PVARA’s lack of clarity on what “sandbox” actually signifies to consumers creates acute misrepresentation risk.

Where PVARA Deserves Credit: The Structural Decisions That Work

The Four-Stage Architecture

PVARA’s decision to create four distinct stages is actually a sound architecture. It forces decision-making at multiple gates, preventing either rubber-stamp approvals or arbitrary single-point rejections. Each stage has a different purpose, and the progression is sensible.

Most importantly, the Supervisory Agreement mechanism in Stage 2 converts theoretical obligations into enforceable constraints. User caps, transaction limits, and mandatory custody controls are contractual terms with consequences for breach.

Compare this to early-stage sandboxes in some jurisdictions that relied on honor systems. PVARA understood that sandbox testing requires teeth. The Supervisory Agreement is where that understanding is actually visible in the framework.

The Risk-Appropriate Staging of Limits

Stage 3’s caps (500 users, $1,000 daily transaction limits, 18-month windows) are conservative, but appropriately so for a first-generation sandbox. These limits are large enough to surface real operational challenges (500 users can stress test customer service and incident response), but small enough to contain losses if something goes catastrophically wrong.

An 18-month window with 500 users and $1,000 daily caps means a firm’s maximum exposure is roughly $180 million across the full test period (assuming full adoption and constant cap utilization). That is large enough to matter operationally but small enough that a catastrophic failure does not destabilize the broader ecosystem or exhaust PVARA’s resolution capacity.

Many jurisdictions began with caps that were either unrealistically low (10 users, $100 per transaction) or dangerously high (no real limits at all). PVARA’s staging is proportionate. It shows someone actually thought about what constitutes “stress testing” versus “full deployment.”

The Custody Mandate: Protecting Consumer Funds by Default

PVARA’s requirement that firms implement “mandatory custody controls” is explicitly non-negotiable. Firms cannot test custody-less or custodian-optional designs in the sandbox, which is the correct approach.

Custody is the single largest source of loss in crypto. A sandbox that allows teams to test without real custody would be testing under conditions that bore no resemblance to reality and would produce false confidence.

Many regulators have permitted “self-custody” testing or “governance token” alternatives; PVARA, however, said no.

Mandatory Shariah Compliance Option

PVARA explicitly permits Shariah compliance as part of Stage 1 submissions and acknowledges it as relevant to supervisory review. This is recognition that a significant portion of Pakistan’s population operates within Islamic finance frameworks, and that sandbox-tested products should be compatible with how actual customers operate.

Contrast this with jurisdictions that treat Islamic compliance as a niche or afterthought. PVARA built it into the framework itself. This is smart regulatory design because it reduces the risk that sandbox-tested products fail when deployed in actual market conditions due to customer dissatisfaction or community pushback.

It also signals that PVARA understands its own market. Dubai’s VARA faced similar considerations and integrated Shariah compatibility into its licensable asset categories, and PVARA has followed suit. This is one of the few places where PVARA shows evidence of having thought carefully about Pakistan-specific context rather than simply copying overseas models.

Staged Discontinuation as an Explicit Outcome

Stage 4 explicitly names “discontinuation” as a possible outcome, not just full licensing or extension. The implication is that some firms will fail. PVARA is not pretending all sandbox participants will succeed. It acknowledges that the point of testing is to identify what works and what doesn’t, and that “doesn’t work” is a valid, valuable outcome.

However, PVARA has published no criteria for what constitutes failure. So while discontinuation is theoretically possible, it remains unclear what actually triggers it. But the architectural choice to make discontinuation explicit and expected is still sound.

The Fundamental Problem with PVARA’s Sandbox

PVARA’s sandbox design is competent. It is not innovative, but it is not obviously broken. The catastrophic gap is between what the framework designs and what PVARA appears capable of delivering.

The framework requires:

  • Published criteria for scope and prohibited activity
  • Transparent committee decision-making with published reasoning
  • Real-time supervision with defined data requirements and response thresholds
  • Enforcement of hard deadlines and explicit milestone reviews
  • Clear consumer communication about what sandbox participation means

PVARA has announced none of these. The authority has not published a single document explaining how it will conduct supervision, how it will make decisions, what it expects from firms, or how consumers should understand sandbox participation.

PVARA appears to be counting on the framework itself to carry the authority, to somehow make good decisions without the infrastructure to make decisions systematically.

The Real Test Ahead

PVARA’s sandbox will be judged not by its design but by its execution. Can the authority actually supervise firms under conditions it has not publicly defined? Will it publish reasoning for decisions? Will it actually discontinue firms that fail? Will it move from sandbox to full licensing in a way that demonstrates the testing produced genuine insight? Questions like these remain unanswered as of yet.

The framework provides room for this to work, but PVARA’s silence on implementation details suggests the authority may not yet have answered these questions itself. If so, the sandbox will become what Pakistan’s crypto market currently is: an ecosystem operating alongside regulation, not within it.

The Pakistani sandbox has the structure. What it lacks is demonstrated commitment to making that structure actually govern.

Abdul Wasay

Abdul Wasay explores emerging trends across AI, cybersecurity, startups and social media platforms in a way anyone can easily follow.