The Complete System Walkthrough

How Nabdx Actually Works
— Every Layer Explained

No jargon. No assumptions. From what an API is, to where investor data lives, to how a CNIC becomes a verified investment account in under 3 minutes.

Chapter 01

The Big Picture

Before diving into mechanics, you need a mental model. Think of Nabdx as a translation layer — governments speak one language, banks speak another, investors don't speak any of them. Nabdx is the interpreter, the record-keeper, and the compliance officer all in one.

🏛 Government Databases
NADRA: Every Pakistani's CNIC identity record, biometric fingerprints, photo
SECP Registry: All registered companies, AMC licenses, investor blacklists
SBP / Banks: Bank accounts, existing KYC done by Scheduled Banks & EMIs
NCCPL / PSX: Stock trading accounts, CDC investor numbers, portfolio data
↓ Encrypted API calls ↓
⚡ NABDX (You)
Orchestration Engine: Routes every request to the right government API automatically
Compliance Layer: AML/CFT screening, risk scoring, PEP checks, CTR/STR alerts
Audit Vault: Permanent, tamper-proof record of every single verification ever done
Deduplication: Investor verified once → used by all AMCs. No repeat NADRA calls.
↓ API responses + webhooks ↓
🏢 Your Clients (AMCs)
Asset Management Companies: Sehl Account fund investors — onboarded in minutes not days
Stockbrokers (TREC): PSX trading account + KYC done via Nabdx
Banks: Investment products, mutual funds sold by bank branches / apps
Fintechs / Apps: JazzCash, Nayapay, etc. embed your SDK in their app
💡

The key insight: Nabdx doesn't replace anything the government does. Governments already have the data. AMCs already need the data. Nobody had built a clean, compliant, fast pipe between them. That's the gap Nabdx fills — and why SECP Circular 03/2026 just opened the legal door for you to exist.

Chapter 02

What is an API — and Who Builds What?

This is the most important concept to understand. An API is simply a door that one computer opens so another computer can walk through and ask for data. Here's how it works in your world.

🤔 What exactly is an API in plain English?
Imagine NADRA has a massive database of every Pakistani's CNIC details. Normally to access it, you'd send a human, fill a form, wait weeks. An API (Application Programming Interface) is like a special intercom button on the wall of that database building. You press the button, speak a specific request in a specific format, and within seconds the database talks back with the answer — all automatically, computer to computer, with no human involved. That's the entire concept.
Your app → sends request → NADRA's intercom → NADRA's computer processes it → sends answer back → your app receives it. All in < 2 seconds.
🏛 Does the government build the API, or do you?
This is the critical question. The government (NADRA, SECP) builds and hosts their own APIs. They are the ones who open that intercom door. Your job — Nabdx — is to connect to that door, authenticate, and use it. Think of it this way: WhatsApp didn't build the internet or phone networks. They just built an app that uses those existing networks cleverly. Nabdx doesn't build NADRA's database. You build the system that talks to it on behalf of your clients.
NADRA builds & maintains: their API (the door) + their database (the building)
Nabdx builds & maintains: the API connector + compliance logic + client-facing API + dashboards
AMCs build: their app/website that calls Nabdx's API
🔑 How do you get permission to use government APIs?
You don't just walk up and knock. Governments give access through a formal process: an MoU (Memorandum of Understanding) or a formal API agreement. You apply, they review your security practices, legal standing, and use case, then they give you a special key called an API key or credentials. Every time you call their API, you present this key — like showing a badge at a security checkpoint. They verify it, then grant access. No key = no access. Your SECP notification approval is basically proof to NADRA that you're legitimate enough to receive a key.
Process: Apply → Legal review → MoU signed → NADRA issues API credentials → You integrate → Go live
🔌 What API does Nabdx expose to AMCs?
Nabdx builds its own API on top of government APIs. Your clients (AMCs, banks, fintechs) don't directly call NADRA — they call Nabdx's API. This is where you add value: one clean, simple, standardized API that handles all the complexity behind the scenes. An AMC submits investor details through a single API call — and Nabdx handles whether to call NADRA, or use a cached verification, runs the AML check, logs everything, and returns a structured compliance result. The AMC never needs to understand how NADRA works.
AMC submits → Nabdx orchestrates → verification result + risk classification + audit reference returned. One call. Under 3 minutes.
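The "badge at a security checkpoint" idea above is what the front door of Nabdx's own API has to implement before any request reaches NADRA. The following is an added example, not Nabdx's code: it shows an API key being verified against a store that holds only key digests (so a leaked table cannot be replayed), compared in constant time, and then rate-limited per tenant. The key format ("nbx_..."), the header name, the tenant names and the tiny limit are all assumptions made for the example.

```python
"""API-key checks at the front door, in the style of the gateway described in
Chapter 02. Added example, not Nabdx's own code: the key format ("nbx_..."),
the header name, the tenants and the limit are all illustrative assumptions."""
import hashlib
import hmac
import time

# Constructed tenants and keys. Only digests are kept server-side, so a leaked
# key table cannot be replayed against the API.
_ISSUED = {
    "nbx_live_amc01_3f9a": "amc-alpha",
    "nbx_live_bank02_7c1d": "bank-beta",
}
KEY_DIGESTS = {hashlib.sha256(k.encode()).hexdigest(): t for k, t in _ISSUED.items()}
RATE_LIMIT_PER_MINUTE = 3  # tiny on purpose so the example trips the limit


class Gateway:
    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so a test can move time forward
        self._windows = {}           # tenant -> (window_start, calls_in_window)

    def authenticate(self, presented):
        """Return the tenant that owns the presented key, or None."""
        if not presented or not presented.startswith("nbx_"):
            return None
        digest = hashlib.sha256(presented.encode()).hexdigest()
        for stored, tenant in KEY_DIGESTS.items():
            # constant-time compare: no early exit on a partial match
            if hmac.compare_digest(stored, digest):
                return tenant
        return None

    def allow(self, tenant):
        """Fixed-window limiter; True if this call fits in the current window."""
        now = self._clock()
        start, count = self._windows.get(tenant, (now, 0))
        if now - start >= 60:
            start, count = now, 0
        if count >= RATE_LIMIT_PER_MINUTE:
            self._windows[tenant] = (start, count)
            return False
        self._windows[tenant] = (start, count + 1)
        return True

    def handle(self, headers):
        """Gateway decision for one inbound request (before any routing)."""
        tenant = self.authenticate(headers.get("X-Api-Key"))
        if tenant is None:
            return {"status": 401, "error": "invalid or missing API key"}
        if not self.allow(tenant):
            return {"status": 429, "error": "rate limit exceeded", "tenant": tenant}
        return {"status": 200, "tenant": tenant}


if __name__ == "__main__":
    gw = Gateway()
    for hdr in [{}, {"X-Api-Key": "nbx_live_amc01_3f9a"}]:
        print(gw.handle(hdr))
```

The tenant returned by `authenticate` is what ties every downstream call to one AMC for billing and for the audit record; an unauthenticated request never reaches the orchestration layer at all.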
Chapter 03

Government Databases — What Exists, What You Connect To

Pakistan's government databases are more mature than most people realize. Here's exactly what each one holds, what API access looks like, and what Nabdx does with it.

🏛 NADRA Verisys
What it holds: Every Pakistani's CNIC record, photo, fingerprints, date of birth, address, family tree. Pakistan's most complete identity database — 230M+ records.

API Access: NADRA Verisys is an existing commercial API service. Banks and telecoms already use it. Access requires a formal MoU and is subject to per-query usage fees negotiated directly with NADRA.

What Nabdx does: Calls Verisys with CNIC number → gets identity confirmation → stores reference number in Audit Vault.
🔑 MoU Required · Existing API
💻 NADRA Biometric
What it holds: Fingerprint templates and facial recognition data for all registered citizens.

API Access: More restricted than Verisys. Available through NADRA's e-Sahulat network or direct biometric device integration. Mobile liveness check APIs are emerging.

What Nabdx does: For higher-risk investors, triggers biometric liveness verification. Sends selfie → NADRA matches against CNIC photo → returns match score.
🔑 Special Permission · Device Integration
📋 SECP Registry API
What it holds: All SECP-registered entities, AMC licenses, blacklisted investors, beneficial ownership records, company directors.

API Access: SECP has publicly available data portals. Direct API access requires formal registration as a regulated entity. Your SECP notification gives you leverage here.

What Nabdx does: Cross-checks investor CNIC against SECP watchlists. Validates AMC license status. Confirms circular compliance requirements are met.
🔑 Regulatory Entity Access
🏦 SBP / FI KYC Relay
What it holds: KYC already done by Scheduled Banks, Microfinance Banks, EMIs (JazzCash, EasyPaisa, Nayapay).

API Access: No single SBP API. Instead, Nabdx signs data-sharing agreements with individual financial institutions. Where a customer has already been KYC'd at a partner institution, that institution confirms it to Nabdx — which relays the status to the AMC. No re-verification needed.

What Nabdx does: Checks if investor is already verified at a partner FI. Uses that existing KYC instead of re-doing NADRA — faster, cheaper.
🔑 Bilateral FI Agreements
⚠️

Reality check: NADRA Verisys already works commercially — banks use it today. The SECP and SBP pieces require relationship-building and formal agreements. This is why your regulatory approval path runs in parallel with the technical build. You can't code your way into government databases — you have to negotiate your way in.


What Nabdx Also Integrates
📊 NCCPL / CDC — Investor Account Linkage
The National Clearing Company of Pakistan (NCCPL) and Central Depository Company (CDC) maintain all stock investor accounts. When Nabdx onboards an investor for a stockbroker, it checks NCCPL to see if this CNIC already has a trading account. If yes, link it — no new CDC account needed. If no, trigger CDC account creation. This is a crucial data source for the stockbroker side of the business.
Existing CDC accounts are automatically identified and linked — no duplicate account creation needed.
🌐 AML / Sanctions Databases
Beyond Pakistan's government sources, Nabdx must screen against international sanctions lists: UN Security Council sanctions, OFAC (US Treasury), EU sanctions, and Pakistan's own NACTA terrorism watchlist. These are maintained as downloadable databases that you update regularly (daily/weekly). You don't call an API for these — you download the lists, store them locally, and run every investor CNIC against them in milliseconds. Commercial AML platforms like Refinitiv, Dow Jones Risk, or ComplyAdvantage offer real-time API versions.
Check: investor name + CNIC → screen against UN + OFAC + EU + NACTA → flag or clear
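The screening step just described (lists held locally, every investor checked in milliseconds, a flag-or-clear result) is shown below as an added example; it is not Nabdx's AML engine. It also covers the transliteration variance that names like Mohammad/Muhammad or Hussain/Hussein introduce, and it records which list version was used so a screening can be re-proven later. The watchlist entries, CNICs, the variant table and the 0.85 similarity threshold are all constructed for the example.

```python
"""Local watchlist screening of the kind Chapter 03 describes: lists are held
in-process, names are normalized for transliteration variance, and a risk tier
comes back in milliseconds. Added example, not Nabdx's AML engine; the watchlist
entries, CNICs, the variant table and the 0.85 threshold are constructed."""
import difflib
import re
from dataclasses import dataclass, field

LIST_VERSION = "constructed-2026-01-01"   # recorded so a screening can be re-proven later

# Transliteration variants folded to one spelling (illustrative, deliberately small).
VARIANTS = {
    "mohammad": "muhammad", "mohammed": "muhammad", "mohd": "muhammad",
    "hussein": "hussain", "husain": "hussain",
    "sayed": "syed", "saiyed": "syed",
}
MATCH_THRESHOLD = 0.85


def normalize(name):
    """Lowercase, drop punctuation, fold variants, sort tokens (order-insensitive)."""
    tokens = re.sub(r"[^a-z\s]", " ", name.lower()).split()
    return " ".join(sorted(VARIANTS.get(t, t) for t in tokens))


@dataclass
class Entry:
    source: str                      # UN, OFAC, EU, NACTA or PEP
    name: str
    dob: str = None                  # YYYY-MM-DD, when the list carries one
    cnic: str = None                 # present only on domestic lists
    aliases: list = field(default_factory=list)


# Constructed watchlist; a real deployment loads the downloaded lists here.
WATCHLIST = [
    Entry("OFAC", "Muhammad Hussain Khan", dob="1975-03-12", aliases=["Mohd Hussein Khan"]),
    Entry("NACTA", "Abdul Rahman Siddiqui", cnic="4210112345671"),
    Entry("PEP", "Tariq Mehmood", dob="1962-08-01"),
]


def screen(name, cnic, dob):
    """Return hits against every list plus a LOW / MEDIUM / HIGH tier."""
    hits = []
    probe = normalize(name)
    for e in WATCHLIST:
        if e.cnic and e.cnic == cnic:
            hits.append({"source": e.source, "name": e.name, "reason": "cnic-exact", "score": 1.0})
            continue
        score = max(difflib.SequenceMatcher(None, probe, normalize(a)).ratio()
                    for a in [e.name, *e.aliases])
        if score < MATCH_THRESHOLD:
            continue
        # A name hit whose date of birth disagrees with the list is kept, but
        # marked so a compliance officer reviews it instead of an automatic block.
        reason = "name-match-dob-mismatch" if (e.dob and dob and e.dob != dob) else "name-match"
        hits.append({"source": e.source, "name": e.name, "reason": reason, "score": round(score, 3)})
    return {"list_version": LIST_VERSION, "hits": hits, "risk_tier": risk_tier(hits)}


def risk_tier(hits):
    strong = [h for h in hits if h["reason"] in ("cnic-exact", "name-match") and h["source"] != "PEP"]
    if strong:
        return "HIGH"          # sanctions/terror list match with consistent identifiers
    if hits:
        return "MEDIUM"        # PEP, or a name-only match that needs human review
    return "LOW"


if __name__ == "__main__":
    print(screen("Mohammad Hussain Khan", "3520212345678", "1975-03-12"))
    print(screen("Sara Ahmed", "3520212345678", "1991-05-05"))
```

Two design points worth noticing: token sorting makes "Khan, Mohd Hussein" and "Muhammad Hussain Khan" compare equal, and a CNIC match on a domestic list is treated as decisive regardless of how the name was spelled, because the identifier is far harder to vary than the transliteration.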
Chapter 04

The Investor Journey — Step by Step

Here is exactly what happens, at every layer of the system, from the moment an investor taps "Open Account" to the moment their Sehl Account is active. This is the core product flow.

1
Investor opens AMC app and taps "Create Investment Account"
The investor is using the AMC's own app (e.g., Meezan Bank's app, an AMC's investor portal, or a fintech like JazzCash). They never see "Nabdx" — it's invisible infrastructure. The AMC's front-end collects basic info: CNIC number, phone number, email, selfie photo. This is the AMC's UI, their design, their brand — Nabdx is running silently behind it.
AMC App / Website · User Interface Layer · No Nabdx Branding
2
AMC's backend calls Nabdx API with investor data
The AMC's server (their backend code) takes the data and sends it to Nabdx via an API call. It's like the AMC pressing a button that says "Nabdx, please verify this person for me." The call goes over the internet, encrypted (HTTPS), to Nabdx's servers. The AMC authenticates using their unique Nabdx API key — so Nabdx knows which AMC is calling and bills them accordingly.
HTTPS POST Request · API Key Authentication · AMC → Nabdx
3
Nabdx checks: Has this CNIC been verified before?
Before calling NADRA (which costs money and takes time), Nabdx checks its own database: has this investor ever been verified by any Nabdx client? If YES — Nabdx returns the cached verified status immediately. No NADRA call. No delay. This is the deduplication capability enabled by Circular 03/2026 condition (4). If an investor already opened a Sehl Account at one AMC, then when they later approach another AMC, Nabdx skips the NADRA call entirely.
Deduplication Check · Nabdx Internal Database · < 100ms
4
If new investor: Nabdx calls NADRA Verisys API
Nabdx sends the CNIC number to NADRA's Verisys API. NADRA responds with: name, father's name, date of birth, gender, alive/deceased status — confirmed from their national registry. If biometric is needed (higher risk tier), Nabdx also sends the investor's selfie to NADRA's facial matching service, which compares it against their CNIC photo. NADRA sends back a match score. This entire exchange takes 1–3 seconds.
NADRA Verisys API Call · Encrypted TLS 1.3 · 1–3 seconds · Per-query fee to NADRA
5
AML / Sanctions Screening runs simultaneously
In parallel with the NADRA call, Nabdx's compliance engine screens the investor's name, CNIC, and date of birth against: Pakistan's NACTA terrorist watchlist, UN Security Council sanctions list, OFAC (US Treasury), EU sanctions, and any SECP blacklists. It also checks whether the investor is a Politically Exposed Person (PEP) — a government official, their family, or associates. A risk score (LOW / MEDIUM / HIGH) is generated. This takes milliseconds since the lists are stored locally in Nabdx's own database.
AML Screening · PEP Check · Risk Tier Assignment · Runs in Parallel
6
Everything is logged in the Audit Vault — permanently
Before sending any response, Nabdx writes an immutable record to its Audit Vault: timestamp, CNIC hash, NADRA reference number, verification method used, AML result, risk score, which AMC requested it, and a cryptographic hash of the entire record (so it can't be altered later). This record is what SECP can inspect at any time per condition (3) of the Circular. The AMC also receives a copy of the reference number to store in their own system.
Immutable Record · SECP-Inspectable · Cryptographic Hash · WORM Storage
7
Nabdx sends response back to AMC — account activated
Nabdx sends a structured JSON response to the AMC: verification status (APPROVED / FLAGGED / REJECTED), risk tier, Nabdx reference number, and verified investor details. The AMC's system receives this, creates the Sehl Account record in their own database, and shows the investor: "Your account is ready." Total time from investor pressing submit to account being active: under 3 minutes for a new investor, under 30 seconds for a returning one.
JSON Response · AMC Creates Account · Investor Notified · < 3 min total
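Steps 3 to 7 above, run end to end, as an added example that is not Nabdx's code: a deduplication lookup keyed by a hashed CNIC, the NADRA call and the AML screen running in parallel, an audit record sealed with a content hash, and the JSON result the AMC receives. NADRA Verisys, the sanctions list, the AMC names and the hashing pepper are all constructed stand-ins so the flow runs offline. One detail goes a little beyond the text: the CNIC is hashed with a keyed HMAC rather than a bare SHA-256, because a 13-digit CNIC has only about 10^13 possible values and an unkeyed digest of it could be reversed by enumeration if the cache ever leaked.

```python
"""The onboarding flow of Chapter 04 in one place: deduplication by keyed CNIC
hash, a (stubbed) NADRA Verisys call and a local AML screen run in parallel, an
audit record with a content hash, and the JSON result for the AMC.
Added example, not Nabdx's code. The registry, sanctions set, pepper and AMC
names are constructed; production keeps the pepper in a key management service."""
import hashlib
import hmac
import json
import time
from concurrent.futures import ThreadPoolExecutor

# Keyed hash rather than bare SHA-256: a 13-digit CNIC has only ~10^13 values,
# so an unkeyed digest could be reversed by enumeration if the cache leaked.
CNIC_PEPPER = b"constructed-pepper-rotate-via-kms"

# Constructed stand-ins for NADRA's registry and for the locally held sanctions list.
FAKE_NADRA = {
    "3520212345678": {"name": "Sara Ahmed", "father_name": "Ahmed Ali",
                      "dob": "1991-05-05", "gender": "F", "status": "alive"},
    "4210112345671": {"name": "Abdul Rahman", "father_name": "Rahman Siddiqui",
                      "dob": "1970-01-01", "gender": "M", "status": "alive"},
    "6110187654321": {"name": "Kamran Iqbal", "father_name": "Iqbal Hussain",
                      "dob": "1950-07-07", "gender": "M", "status": "deceased"},
}
SANCTIONED_CNICS = {"4210112345671"}


def cnic_token(cnic):
    """Pseudonym under which a CNIC is cached and audited; the raw value is never stored."""
    return hmac.new(CNIC_PEPPER, cnic.encode(), hashlib.sha256).hexdigest()


class Nabdx:
    def __init__(self):
        self.cache = {}         # cnic token -> {nadra_ref, verified_at, risk_tier, last_aml_at}
        self.audit_vault = []   # append-only; a real deployment writes to WORM storage
        self.nadra_calls = 0    # each one costs a per-query fee, so the test counts them

    def _nadra_verisys(self, cnic):
        """Step 4: stub for the Verisys round-trip (1–3 s in reality)."""
        self.nadra_calls += 1
        time.sleep(0.01)
        rec = FAKE_NADRA.get(cnic)
        if rec is None:
            return {"found": False}
        return {"found": True, "ref": "NADRA-" + hashlib.sha256(cnic.encode()).hexdigest()[:10], **rec}

    def _aml_screen(self, cnic):
        """Step 5: local list lookup (fuzzy name matching left out for brevity)."""
        return "HIGH" if cnic in SANCTIONED_CNICS else "LOW"

    def verify(self, amc_id, cnic):
        token = cnic_token(cnic)
        cached = self.cache.get(token)                      # step 3
        with ThreadPoolExecutor(max_workers=2) as pool:     # steps 4 and 5 in parallel
            aml = pool.submit(self._aml_screen, cnic)
            lookup = None if cached else pool.submit(self._nadra_verisys, cnic)
            risk = aml.result()
            identity = {"found": True, "status": "alive", "ref": cached["nadra_ref"]} if cached else lookup.result()
        if not identity["found"] or identity["status"] != "alive":
            status = "REJECTED"
        elif risk == "HIGH":
            status = "FLAGGED"
        else:
            status = "APPROVED"
        record = {                                           # step 6
            "ts": time.time(), "amc": amc_id, "cnic_token": token,
            "method": "cache" if cached else "nadra_verisys",
            "nadra_ref": identity.get("ref"), "risk_tier": risk, "status": status,
        }
        record["record_hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
        self.audit_vault.append(record)
        if status == "APPROVED" and not cached:
            self.cache[token] = {"nadra_ref": identity["ref"], "verified_at": record["ts"],
                                 "risk_tier": risk, "last_aml_at": record["ts"]}
        response = {                                         # step 7
            "status": status, "risk_tier": risk, "cache_hit": cached is not None,
            "reference": "NBX-" + record["record_hash"][:12],
        }
        if not cached and status != "REJECTED":
            response["verified"] = {k: identity[k] for k in ("name", "father_name", "dob", "gender")}
        return response


if __name__ == "__main__":
    nabdx = Nabdx()
    print(nabdx.verify("amc-alpha", "3520212345678"))   # fresh: NADRA call made
    print(nabdx.verify("bank-beta", "3520212345678"))   # returning: served from cache
```

Two choices in the example are assumptions rather than statements from the page: the AML screen is re-run even on a cache hit, because the lists may have changed since the first verification and the check is local and cheap; and the cache holds only the fields the Chapter 05 cache description lists (reference, dates, risk tier), so a returning investor's response carries the status and reference but not the identity details.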
Chapter 05

Data & Storage — What Lives Where

This is one of the most important architectural decisions you'll make. Where does investor data live? Who stores what? How is it protected? Here's the answer — layer by layer.

⚠️

Critical principle: Nabdx is NOT a data warehouse for investor financial records. You are a verification middleware. The AMC stores the full investor account and transaction data in their own systems. Nabdx only stores what's needed for compliance proof and deduplication. Less data held = less liability.

Verification Cache
Nabdx — Primary DB
Encrypted relational database · Managed cloud hosting · Pakistan-adjacent region
Stores verified investor identity records for deduplication. When the same CNIC comes in from any AMC, Nabdx checks here first before calling NADRA. Contains: CNIC hash (never the raw CNIC), verification date, NADRA reference, risk tier, last AML check date.
CNIC hash · Verified ✓ · Risk tier · NADRA ref# · Date verified
Audit Vault
Nabdx — WORM Storage
WORM-compliant object storage + cryptographic hash anchoring · Immutable by design
Write-Once-Read-Many storage. Every single API transaction is logged here permanently. SECP can request inspection access at any time. Records are cryptographically signed — any tampering is detectable. This is what satisfies Circular condition (3). This data is never changed and never deleted.
Full transaction log · Cryptographic hash · NADRA raw response · AML result · AMC identity · Timestamp
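"Any tampering is detectable" is a property that has to be engineered, not just declared. As an added example (not Nabdx's vault code), the block below chains each audit record to the hash of the one before it and seals it with its own content hash, then shows a verifier catching an edited record, a removed record, and a truncated log. The record fields are constructed; the "anchor" stands for whatever head hash Nabdx would publish or hand to SECP out of band.

```python
"""Hash-chained audit records with tamper detection, illustrating the Audit
Vault property that any altered, removed or truncated record is detectable.
Added example, not Nabdx's vault code. The record fields are constructed; the
"anchor" is whatever hash Nabdx would publish or hand to SECP out of band."""
import hashlib
import json

GENESIS = "0" * 64


def canonical(record):
    """Stable byte form so the same content always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditVault:
    def __init__(self):
        self._records = []

    def append(self, **fields):
        """Link the new record to the previous hash, then seal it with its own."""
        prev = self._records[-1]["hash"] if self._records else GENESIS
        body = {"seq": len(self._records), "prev_hash": prev, **fields}
        body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
        self._records.append(body)
        return body["hash"]

    def export(self):
        return [dict(r) for r in self._records]   # copies; the vault itself is append-only

    def anchor(self):
        """Head hash to publish externally; it commits to every record so far."""
        return self._records[-1]["hash"] if self._records else GENESIS


def verify_chain(records, anchor=None):
    """Return (ok, problem). Checks sequence, links, content hashes and the anchor."""
    prev = GENESIS
    for i, r in enumerate(records):
        body = {k: v for k, v in r.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return False, f"link broken at seq {i}"
        if hashlib.sha256(canonical(body)).hexdigest() != r.get("hash"):
            return False, f"content altered at seq {i}"
        prev = r["hash"]
    if anchor is not None and prev != anchor:
        return False, "chain truncated or diverges from published anchor"
    return True, None


def build_sample_vault():
    """Three constructed verification records like those of one onboarding day."""
    v = AuditVault()
    v.append(ts="2026-01-05T09:00:00Z", amc="amc-alpha", cnic_token="a1" * 32,
             nadra_ref="NADRA-0001", aml="CLEAR", risk_tier="LOW", status="APPROVED")
    v.append(ts="2026-01-05T09:01:10Z", amc="bank-beta", cnic_token="b2" * 32,
             nadra_ref="NADRA-0002", aml="HIT:OFAC", risk_tier="HIGH", status="FLAGGED")
    v.append(ts="2026-01-05T09:02:45Z", amc="amc-alpha", cnic_token="a1" * 32,
             nadra_ref="NADRA-0001", aml="CLEAR", risk_tier="LOW", status="APPROVED")
    return v


if __name__ == "__main__":
    vault = build_sample_vault()
    print(verify_chain(vault.export(), vault.anchor()))
```

The last case is the one a plain per-record hash misses: deleting the newest records leaves a chain that still verifies internally, so the head hash has to be anchored somewhere the operator cannot quietly rewrite, which is the role the page's "cryptographic hash anchoring" plays alongside WORM storage.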
AML Watchlists
Nabdx — Local Cache
In-memory screening layer + daily refresh from OFAC, UN, EU, NACTA sources
Sanctions lists downloaded daily from global sources and stored locally for fast screening. Never calls an external API during an onboarding event — all screening happens in-house at millisecond speed. Lists are versioned so you can prove which version was used when screening any investor.
UN Sanctions · OFAC SDN · EU Sanctions · NACTA Watchlist · PEP Database
AMC Account Data
AMC's Own Servers
AMC's own database (their responsibility) · Nabdx never stores this
The full investor profile — name, address, bank account, investment portfolio, transaction history, contact details — all of this lives in the AMC's own systems. Nabdx sends them the verification confirmation + risk score. They store the rest. This is crucial: Nabdx is not liable for financial data breaches at the AMC level.
Full investor profile · Bank account · Portfolio · Transactions · Not Nabdx's problem
Nabdx API Logs
Nabdx — Operational
Centralized log management platform · 90-day rolling operational window
Every API call made by every AMC is logged: timestamp, AMC identity, endpoint called, response time, success/failure, HTTP status code. Used for billing (per-verification), SLA monitoring, debugging, and security anomaly detection. This is separate from the Audit Vault — these are operational logs, not legal compliance records.
API call logs · Response times · Error rates · AMC usage metrics

What data does Nabdx NEVER store?

❌ Nabdx Never Stores
Raw CNIC number: only a one-way hash · PII Risk
Biometric images: sent to NADRA, never retained · PII Risk
Investor bank details: AMC's responsibility · PII Risk
Investment portfolios: never touches Nabdx · PII Risk
Transaction history: AMC's own system · PII Risk

✅ Nabdx Does Store
CNIC hash (SHA-256): for deduplication only · Encrypted
NADRA reference #: proof of verification · Ref Only
Verification timestamp: audit trail · Encrypted
Risk tier (LOW/MED/HIGH): AML output · Classification
AML screening result: compliance record · Encrypted
Chapter 06

Full Technology Stack

Every technology Nabdx needs to build — from the server that handles API calls, to the database that stores audit records, to the dashboard your AMC clients use. You don't need to understand every tool, but you need to know they exist and why.

API Layer
API Gateway
Secure API Management Layer
The front door. Every API call from every client hits here first. Validates credentials, enforces rate limits, routes requests to the appropriate internal service.
Orchestration
Verification Engine
Proprietary Orchestration Service
The brain. Decides: cached verification or live check? Which data source? Routes the request, aggregates results, triggers the compliance layer.
Government Integration
NADRA Connector
Dedicated Integration Module
A dedicated service that speaks NADRA's protocol. Handles authentication, retries, error handling, and response normalization — fully isolated from the rest of the system.
Compliance
AML Engine
Proprietary Screening Service
Screens every name against watchlists using advanced name-matching logic. Handles transliteration variance. Assigns risk tier in real time.
Primary Database
Verification Store
Enterprise Relational Database · Encrypted
Stores hashed identity records for deduplication. Encrypted at rest and in transit. Fully managed, high-availability configuration.
Audit & Compliance
Audit Vault
WORM-Compliant Object Storage
Write-once, read-many. Legally immutable. Every transaction permanently recorded. SECP-accessible. Cannot be altered or deleted.
Speed Layer
Cache & Watchlists
In-Memory Data Layer
Ultra-fast in-memory storage for AML screening lists and frequently accessed deduplication results. Dramatically reduces average response time.
Messaging
Event Queue
Durable Message Queue
When the system is under load, requests queue instead of failing. Ensures no verification is lost during traffic spikes.
Client Portal
Compliance Dashboard
Web Application
Dashboard for client compliance teams. View onboarding stats, AML alerts, audit logs, generate reports, manage API credentials.
Observability
Monitoring & Logs
Real-Time Observability Stack
Real-time alerts if anything breaks. API response time tracking. Error rate dashboards. SLA reporting for clients.
Security
Encryption & Auth
TLS · Token Auth · Key Management
All data in transit encrypted. API credentials managed securely. Encryption keys handled by a dedicated key management service. Zero plaintext secrets.
Infrastructure
Cloud Hosting
Managed Cloud · Pakistan-Adjacent Region
Multi-availability zone for 99.9% uptime. Data residency in or near Pakistan for regulatory compliance. Auto-scaling handles demand spikes.
💡

Every layer is independent. The architecture is modular by design — each component can be upgraded, replaced, or scaled without touching the rest of the system. This means Nabdx can start lean and grow without rebuilding from scratch.

Chapter 07

Who Owns What — Liability & Responsibility Map

This is the legal and operational question you must have crystal clear — because AMCs will ask it, SECP will ask it, and investors' lawyers will ask it if something ever goes wrong. Here is the definitive answer.

Area · Who's Responsible · What That Means Practically

Conducting identity verification · Nabdx
Nabdx calls NADRA, receives result, stores reference. AMC doesn't need to verify identity independently per Circular condition (4).

AML / CTR / STR generation · Nabdx assists, AMC owns
Nabdx flags transactions and provides AML alerts. But per condition (7), the AMC cannot delegate this obligation away — they must act on alerts and file CTR/STRs themselves. Nabdx is the early warning system, not the compliance officer.

Ongoing investor monitoring · Nabdx provides feed, AMC acts
Nabdx provides a continuous AML monitoring feed (daily re-screening of existing investors against updated watchlists). The AMC receives alerts and takes action. Responsibility for action is the AMC's.

Storing investor financial records · AMC only
Portfolio, transactions, bank accounts, correspondence — all AMC's database. Nabdx never touches this. AMC is fully liable for their own data security here.

Storing verification audit records · Nabdx
NADRA reference numbers, verification logs, AML results — Nabdx's Audit Vault. SECP inspects Nabdx for these, not the AMC directly. Nabdx provides AMC access to their own records too.

SECP regulatory compliance for onboarding · Nabdx ensures, AMC is legally liable
Nabdx builds the compliant system. But the legal obligation under the Securities and Companies ordinance rests with the AMC — they are licensed. Nabdx is their tool. Contracts must clearly define this boundary.

NADRA API relationship · Nabdx
Nabdx holds the NADRA MoU, pays the per-query fees, manages the API credentials. AMCs don't need their own NADRA relationship — that's Nabdx's entire value proposition.

Focal person & SECP contact availability · AMC, and Nabdx (for its institution)
Per condition (5): AMCs must maintain up-to-date focal persons available to SECP. Nabdx's compliance console helps AMCs manage this, but it's the AMC's obligation. Nabdx also maintains its own focal persons as a notified 3rd party.

Data encryption in transit · Nabdx
Nabdx ensures all data between AMC ↔ Nabdx ↔ NADRA is TLS 1.3 encrypted. AMC must also secure their own internal data handling — Nabdx's contract specifies this requirement.

If a fraudster gets onboarded · Depends on where the failure was
If NADRA confirmed identity correctly and AML came back clean: liability rests with NADRA's data quality and/or the fraudster. If Nabdx's AML screening missed a flagged name: Nabdx may share liability. This is why errors & omissions insurance is essential for Nabdx from day one.
⚠️

Most important legal protection for Nabdx: Every client that integrates must sign a detailed Service Agreement that defines exactly where Nabdx's obligation ends and the client's begins. The boundary around AML duties — particularly the non-abdication principle under condition (7) of the Circular — must be clearly defined and legally stress-tested. Professional liability coverage is essential from day one.

🏆

Nabdx's strategic position is designed deliberately: Nabdx provides the infrastructure but holds a compliance assistance role — not a compliance guarantee role. That's exactly where a profitable middleware company should sit: generating revenue on every onboarding event, while regulatory accountability for financial crime prevention appropriately rests with the licensed institution.