Financial Strategy

Module 60 — Financial Regulation & Compliance

SECP jurisdiction and enforcement powers, SBP banking oversight, AML/CFT obligations under Pakistan's FATF commitments, OFAC and international sanctions screening, and building a compliance framework that protects the CFO personally.

Learning Objectives

  • Understand SECP's regulatory powers and enforcement tools
  • Navigate SBP's oversight of banking, treasury, and foreign exchange
  • Implement AML/CFT obligations required of all financial services firms
  • Screen for OFAC sanctions and understand international compliance obligations
  • Build a compliance framework that protects the company and the CFO personally

1. SECP — Securities and Exchange Commission of Pakistan

SECP's Jurisdiction

SECP regulates:

  • Capital markets: PSX, PMEX (commodity exchange), CDC (central depository), NCCPL (clearing)
  • Corporate entities: All companies registered under Companies Act 2017 (even non-listed)
  • Non-bank financial institutions (NBFIs): Leasing companies, investment banks, housing finance, modarabas
  • Insurance companies: Both life and non-life insurers
  • Private pension funds and provident funds
  • Real Estate Investment Trusts (REITs)

Not regulated by SECP: Commercial banks (SBP jurisdiction), microfinance banks (SBP), DFIs (specialized regulatory framework).

SECP's Enforcement Powers

PowerDescription
Show cause noticeFirst step: SECP issues notice requiring company to explain alleged violation
InspectionSECP may inspect books, accounts, and records of any company
InvestigationAppoint investigators to examine specific transactions
DirectionsIssue binding directives to companies and directors
PenaltiesImpose financial penalties (up to PKR 25M per violation)
DisqualificationBar directors from acting as directors
ProsecutionRefer to criminal courts for prosecutable offences
License suspensionSuspend or revoke NBFI or insurer license

SECP Reporting Obligations for Listed Companies

CFO must ensure timely filing of:

  • Quarterly financial statements (30 days after quarter end)
  • Annual financial statements (within 4 months of year end)
  • AGM notice and minutes
  • Related party transaction disclosures
  • Material information announcements
  • PSX filings (all material announcements)

2. SBP — State Bank of Pakistan

SBP's Regulatory Mandate

SBP is the central bank of Pakistan and the primary regulator for:

  • Commercial banks (both domestic and foreign bank branches)
  • Microfinance banks
  • Exchange companies (foreign exchange dealers)
  • Payment service providers and EMIs (Electronic Money Institutions)
  • Development Finance Institutions (DFIs)

Key SBP Regulations Affecting Corporate CFOs

Foreign Exchange Regulations:

  • All foreign currency transactions require compliance with the Foreign Exchange Manual (SBP)
  • Import payments: LC (Letter of Credit) or direct payment through authorized dealer bank
  • Export proceeds: must be repatriated within defined periods (typically 180 days for goods)
  • Outward remittances: capital account transactions require SBP approval above thresholds
  • Borrowing in foreign currency (EFS/FE-25): SBP approval required for offshore loans

Corporate Finance Transactions:

  • Offshore borrowings (foreign loans): SBP's FE-25 regulations specify permitted purposes, tenors, and conditions
  • Cross-border guarantees: SBP approval required
  • Investment abroad by Pakistani companies: capital account approval required

Key SBP Circulars for CFOs:

  • Prudential Regulations for Corporate / Commercial Banking — governs bank lending to corporates (single borrower limits, sector limits, collateral requirements)
  • SBP Circular No. 7 / 2017: export refinance scheme (EFS) regulations
  • SBP BPRD Circulars: banking policy and regulatory directives

SBP's Monetary Policy Impact on CFOs

SBP sets the Policy Rate (the rate at which SBP lends to commercial banks overnight). When SBP raises policy rate:

  • KIBOR (Karachi Interbank Offered Rate) rises
  • Variable rate loans (KIBOR + spread) become more expensive
  • CFO must model interest rate sensitivity in financial projections
  • CFO should consider hedging or fixing rates via interest rate swaps if available

3. AML/CFT — Anti-Money Laundering & Counter-Financing of Terrorism

Anti-Money Laundering Act 2010 (AMLA): Primary AML legislation. Requires financial institutions and DNFBPs (Designated Non-Financial Businesses and Professions) to have AML programs.

Anti-Terrorism Act 1997 (ATA): CFT (Counter Financing of Terrorism) obligations.

NACTA (National Counter Terrorism Authority): Coordinates CFT activities.

Regulatory oversight of AML/CFT:

  • Banks: SBP issues AML/CFT regulations under AMLA
  • NBFIs: SECP issues AML/CFT guidelines
  • Accountants, lawyers, real estate agents: SECP/professional bodies

Pakistan's FATF Journey

FATF (Financial Action Task Force) is the global standard-setter for AML/CFT. Pakistan was placed on the FATF Grey List in June 2018, requiring it to address 27 action items.

Pakistan was removed from the Grey List in October 2022 after completing the action plan.

Why this matters for CFOs:

  • During grey list period: international correspondent banks applied enhanced due diligence to Pakistani entities, causing delays and costs in international transactions
  • Pakistan continues to implement FATF standards to maintain "regular follow-up" status
  • International banks still apply heightened scrutiny to Pakistan-origin transactions
  • CFO must ensure the company's compliance program satisfies international bank requirements to maintain correspondent banking relationships

AML/CFT Program Requirements

For regulated entities (banks, NBFIs, insurance companies), a compliant AML/CFT program must include:

1. Know Your Customer (KYC):

  • Identify and verify customer identity (for individuals: CNIC; for companies: incorporation docs, UBO identification)
  • Ultimate Beneficial Owner (UBO): identify individuals who ultimately own or control >25% of a company
  • Enhanced Due Diligence (EDD): politically exposed persons (PEPs), high-risk countries, complex structures

2. Transaction Monitoring:

  • Real-time monitoring of transactions against rule-based thresholds
  • Unusual transaction detection: cash transactions > PKR 2.5M, structuring (multiple transactions below threshold)
  • Suspicious Transaction Reports (STRs) filed with Financial Monitoring Unit (FMU) within 7 days

3. Suspicious Transaction Reporting (STR):

  • File with FMU (Pakistan's financial intelligence unit under Ministry of Finance)
  • "Tipping off" prohibition: cannot tell the customer you have filed an STR

4. AML Officer:

  • Designated AML/CFT Compliance Officer (typically reports to CEO and board)
  • Not the same as the CFO (independence requirement)

5. Employee Training:

  • Annual AML/CFT training for all relevant staff
  • Board-level AML awareness

AML Risk for Corporate CFOs (Non-Financial Companies)

Even non-financial corporates face AML risk in specific scenarios:

  • Cash-intensive businesses: High cash turnover creates AML risk; banks will scrutinize large cash deposits
  • Real estate transactions: Large real estate deals are a known money laundering channel
  • Trade finance: Over/under invoicing to move money across borders
  • Related party transactions: Complex related party networks can be used to obscure beneficial ownership

4. OFAC Sanctions and International Compliance

What OFAC Is

The Office of Foreign Assets Control (OFAC) is a US Treasury department agency that administers and enforces economic and trade sanctions. Even non-US companies transacting in USD or through US banks can trigger OFAC compliance requirements.

Sanctions Programs Relevant to Pakistan

Iran sanctions: Pakistan's proximity to Iran creates risk — companies must not facilitate transactions with Iranian entities, especially if USD-denominated.

North Korea sanctions: Similar prohibition; any North Korea nexus is a red flag.

SDN List (Specially Designated Nationals and Blocked Persons): Any person or entity on the SDN list is banned from US financial system. Transacting with SDN-listed parties exposes the company (and CFO personally) to OFAC penalties.

Why Pakistani CFOs Must Care About OFAC

Even non-US companies processing USD transactions use US correspondent banking networks. If a payment touches a US bank and involves a sanctioned party or country, the US bank will block the transaction and potentially report to OFAC.

Consequences of OFAC violations:

  • Transaction rejected and frozen
  • Civil penalties: up to USD 1.3M per violation (or 2× the value of the transaction)
  • Criminal penalties: fines + imprisonment for willful violations
  • Loss of US banking access

OFAC Compliance Program for Pakistan Companies

For companies with significant international business:

  1. Screen counterparties against OFAC SDN list before transacting
  2. Screen countries of origin for all transactions (Iran, North Korea, Syria, Cuba — primary concern)
  3. Automated screening tools: Many international banks provide API-based screening
  4. Due diligence on UBOs: Ensure no SDN-listed individual ultimately controls a counterparty
  5. Record keeping: Document all screening results

5. Building a Compliance Framework

Three distinct functions that CFOs frequently confuse:

FunctionFocusReports To
LegalContracts, litigation, regulatory adviceCFO or CEO
ComplianceRegulatory adherence, policy enforcementCEO / Board
RiskEnterprise risk identification and managementCFO or CRO

CFO's role: Own financial compliance (SECP, SBP, tax); support legal and compliance teams; ensure resources are allocated.

The Compliance Framework Components

1. Policies and Procedures:

  • AML/CFT policy, insider trading policy, whistleblower policy, related party transactions policy
  • Must be board-approved, documented, and distributed

2. Training:

  • Annual compliance training for all employees (plus AML-specific training for relevant staff)
  • Board-level compliance training annually

3. Monitoring:

  • Regular internal audit of compliance program
  • Compliance monitoring calendar (all regulatory filings and their deadlines)

4. Reporting:

  • Compliance reports to audit committee quarterly
  • SECP/SBP/FBR filings on schedule

5. Incident Response:

  • Clear process for regulatory investigations: who speaks to regulators, how documents are preserved
  • Legal privilege protection: route inquiries through legal counsel

CFO's Self-Protection Checklist

When the CFO signs accounts, approves transactions, or makes regulatory filings, document:

  • The information you relied on
  • Who provided that information
  • Whether you raised concerns (and the board's response)
  • That you acted in good faith on the information available

This documentation is your defense if the business later suffers a compliance failure.


Self-Assessment

  1. BIQAI Group's treasury team wants to make a USD 5M payment to a supplier in Turkey. The bank's compliance team flags the transaction because one of the Turkish supplier's directors shares a name with an individual on the OFAC SDN list (though it appears to be a common name). As CFO: (a) what is your legal obligation before the payment proceeds, (b) what information do you need from the supplier to clear the flag, (c) what is the worst-case consequence if the payment goes through without proper screening and the name is indeed the same person?

  2. BIQAI Group's FMU receives an STR from the company's AML compliance officer about a series of cash transactions totaling PKR 8.5M over 10 days from a distributor (each transaction just under PKR 2.5M threshold). As CFO: (a) what does this transaction pattern suggest, (b) what is your obligation under the AML Act regarding the STR, (c) can you discuss this STR with the distributor to seek clarification, and (d) what commercial action should you take?

  3. BIQAI Group is planning to issue a USD 100M bond in international capital markets. The bond documentation requires the company to provide representations about sanctions compliance. Design a 5-point OFAC compliance screening process that you would implement before signing the representation, and identify the three highest-risk areas in BIQAI Group's current business that would require the most intensive screening.