Kenya has now joined jurisdictions with a formal legal framework for digital assets. The Virtual Asset Service Providers Act, 2025 fills a long-standing regulatory gap and mainstreams cryptocurrencies and digital assets under law.

Dual Oversight: CBK & CMA

The Act establishes a dual regulatory structure reflecting the hybrid nature of virtual assets:

• Central Bank of Kenya (CBK) – oversees payment-related assets, stablecoins, and custodial wallet services.
• Capital Markets Authority (CMA) – regulates investment-related activities, including token issuances, exchanges, brokers, and digital trading platforms.

Each regulator works within its technical expertise, aligning Kenya with global standards like the EU’s MiCA and Singapore’s Payment Services Act.

Scope and Applicability

The Act applies to all persons conducting virtual asset business in or from Kenya, including local and foreign entities. Certain exclusions exist, including loyalty tokens, CBDCs, and non-financial NFTs, which present minimal systemic risk.

Licensing Requirements

• No entity may operate as a VASP without a license.
• Applicants must meet capital adequacy, governance, compliance with the Data Protection Act, 2019, and maintain a local presence.
• Directors and senior officers must be fit and proper.
• Unlicensed operations are criminalized: penalties up to KSh 10 million and imprisonment.
• Licenses are annual, renewable upon maintained compliance.

Governance and Market Conduct

Licensees must comply with strict operational standards:

• Maintain segregated client accounts and protect client assets.
• Operate with integrity and prudence; mandatory annual audits.
• Report ownership changes, cyber incidents, or operational disruptions to regulators.
• Prohibition of anonymity-enhancing tools like mixers and tumblers.
• Regulators have real-time read-only access to transaction data.

Integration with AML/CFT Framework

The Act integrates with Kenya’s anti-money laundering and counter-terrorism laws, amending POCAMLA and the Prevention of Terrorism Act. VASPs are now reporting institutions, required to:

• Conduct customer due diligence and maintain records for seven years.
• File suspicious transaction reports with the Financial Reporting Centre.
• Provide access to regulators for inspection of shareholders, beneficial owners, and documents.

Enforcement and Accountability

• Regulators can issue warnings, directives, suspensions, and revoke licenses.
• Corporate fines: up to KSh 25 million; individual fines: up to KSh 3 million.
• Directors and senior officers may be held personally liable for violations.
• Compliance is now a board-level responsibility.

Transitional Provisions

Existing virtual asset providers have 12 months to comply. This window allows restructuring, localization, and system upgrades for regulatory compliance.

Market Implications

The Act moves crypto from a frontier market to a regulated industry. Compliance costs may rise, but it enhances investor confidence, banking integration, and governance standards.

Conclusion

The Virtual Asset Service Providers Act, 2025 anchors Kenya’s digital assets within a regulated financial framework, balancing innovation with governance, compliance, and investor protection.