The State Bank of Pakistan (SBP) has permitted exchange companies to use Virtual Private Networks (VPNs) for conducting operations such as currency exchange, inward and outward remittances, utility bill payments, and other services. This decision is part of the updated Regulatory Framework for Exchange Companies, which outlines strict operational and security requirements for these entities.

According to the framework, exchange companies must establish redundant network connections to their primary and secondary sites through VPNs or dedicated links, with restricted internet access to ensure security. Additionally, both primary and secondary data centers must be located within Pakistan, and companies may outsource workloads to local Cloud Service Providers (CSPs) while adhering to stringent security protocols to protect operating systems, software, networks, and databases.

The SBP has also introduced a robust compliance mechanism for exchange companies, including high paid-up capital requirements, operational monitoring systems, and enhanced security controls. Companies are required to implement monitoring procedures to regulate access to sensitive data and systems for both users and vendors.

Public Services and Operations
Exchange companies are authorized to install ATMs for PKR at their outlets in collaboration with banks, without requiring prior approval from the SBP. They may also act as agents for banks and microfinance institutions to offer branchless banking services under the SBP’s Branchless Banking Regulations. Furthermore, exchange companies can enter agreements with utility providers such as WAPDA, KE, PTCL, and SSGC to collect utility bill payments in PKR on their behalf.

Business Continuity and Disaster Recovery
The framework mandates that exchange companies develop a comprehensive Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to minimize financial losses, ensure uninterrupted customer service, and mitigate the impact of disruptions on business operations.

Inward and Outward Remittances
For inward home remittances, exchange companies must seek prior approval from the SBP before commencing operations. All foreign currency (FCY) received as inward remittances must be surrendered in equivalent US Dollars to the interbank market on the same day. For outward remittances, companies are only authorized to process personal financial transactions for individuals and are prohibited from handling trade or commercial payments, including payments for services or commissions, on behalf of individuals or corporate clients.

Exchange companies are allowed to process outward remittances up to 75% of the inward remittances mobilized during the preceding month. They are required to retain copies of identification documents, such as CNICs, NICOPs, POCs, or passports with valid visas, after verifying the originals. Biometric verification of Pakistani nationals is mandatory for all transactions, with records maintained for compliance purposes.