Kenya has now joined the ranks of jurisdictions with a formal legal framework for digital assets. With the enactment of the Virtual Asset Service Providers Act, 2025 (the Act), Parliament has filled a long-standing regulatory gap.
The Act introduces a structured regime for licensing, compliance, and enforcement. It applies to entities dealing in virtual assets, cryptocurrencies, stablecoins, tokenized investment products, and related services.
Importantly, the law signals a clear policy direction. Innovation will no longer operate outside the rule of law. Kenya is not banning crypto. Instead, it is mainstreaming it. As a result, digital assets are now anchored within the financial system and subject to prudential standards, market conduct rules, and regulatory oversight.
Dual Oversight: Shared Mandate Between CBK and CMA
The Act establishes a dual regulatory structure. This reflects the hybrid nature of virtual assets.
On one hand, the Central Bank of Kenya (CBK) will oversee assets used mainly for payments. These include stablecoins and custodial wallet services. On the other hand, the Capital Markets Authority (CMA) will regulate investment-related activities.
These include token issuances, exchanges, brokers, and digital trading platforms.
This division mirrors the traditional split between money markets and capital markets. Therefore, each regulator operates within its technical expertise. In addition, the framework aligns Kenya with global practices, such as the EU’s MiCA and Singapore’s Payment Services Act.
Scope and Applicability
The Act applies to all persons conducting virtual asset business in or from Kenya. This includes both local entities and foreign companies with a compliance certificate.
However, the law makes specific exclusions. These include closed-system tokens like loyalty points, Central Bank Digital Currencies (CBDCs), and non-financial NFTs. The rationale is clear. These categories do not present the same systemic or consumer risks.
Overall, the scope is deliberate. It balances inclusion with restraint. By focusing on financially relevant activities, the Act avoids overreach while ensuring meaningful regulation where risk and value intersect.
Licensing: The New Entry Threshold
Under the Act, no entity may operate as a Virtual Asset Service Provider (VASP) without a license.
To qualify, applicants must meet several requirements. These include capital adequacy, sound governance, and compliance with Kenya’s Data Protection Act, 2019. In addition, a physical presence in Kenya is mandatory. Applicants must also appoint fit-and-proper directors and senior officers.
Licenses remain valid until 31 December each year. They are renewable, but only if compliance is maintained. Notably, the Act criminalizes unlicensed operations. Penalties can include up to KSh 10 million and imprisonment. As a result, the industry is held to the same standard as banks, insurers, and capital market intermediaries. Participation is no longer informal; it is earned through compliance.
Governance and Market Conduct Obligations
Licensees must meet strict governance and operational standards. For example, they are required to maintain segregated client accounts. They must also protect client assets from third-party claims. Furthermore, businesses must operate with integrity and prudence. Annual audits are mandatory. Regulators must be notified of key developments, such as ownership changes, cyber incidents, or material operational disruptions.
The Act also prohibits anonymity-enhancing tools, including mixers and tumblers. Although controversial, this aligns with Kenya’s broader anti–money laundering and counter-terrorism strategy. In addition, regulators are granted real-time, read-only access to transaction data. This is a significant development. It enhances oversight while still allowing legitimate business operations to continue.
Integration into AML and CFT Frameworks
A defining feature of the Act is its integration with Kenya’s anti–money laundering framework. Specifically, it amends POCAMLA and the Prevention of Terrorism Act.
As a result, VASPs are now classified as reporting institutions. They must conduct customer due diligence and maintain transaction records for seven years. They are also required to file suspicious transaction reports with the Financial Reporting Centre (FRC).
Moreover, regulators have broad inspection powers. They can vet shareholders, identify beneficial owners, and compel the production of documents.
This integration closes a critical compliance gap. For the first time, virtual asset activities are subject to the same integrity standards as banks, insurers, and capital market players.
Enforcement and Accountability
The Act provides regulators with a comprehensive enforcement toolkit. Administrative actions include warnings, directives, suspensions, and license revocations.
In addition, monetary penalties are substantial. Corporate breaches may attract fines of up to KSh 25 million, while individuals may face penalties of up to KSh 3 million.
Importantly, the Act introduces personal liability for directors and senior officers. Those who knowingly permit violations can be held accountable. Consequently, compliance becomes a board-level responsibility, not a routine formality.
This approach aligns with global governance. However, this will be balanced by greater legitimacy, improved investor confidence, and better access to banking services.
For banks, the framework creates new opportunities. Licensed VASPs can now integrate into the financial system under defined risk controls. This opens doors for custodial, settlement, and advisory services.
For investors, the benefits are clear. The Act enhances trust through disclosure requirements, asset segregation, and mandatory audits.
Transitional Provisions
Existing virtual asset providers have 12 months to comply with the new law.
This transition period is critical. For regulators, it provides time to clarify ambiguities and strengthen supervisory capacity. For VASPs, it offers a limited window to restructure governance, localize operations, and implement compliant systems.
Market Implications
For crypto exchanges and fintech startups, the Act marks a major shift. The sector is moving from a frontier market to a regulated industry.
Admittedly, compliance costs will increase
Conclusion
The Virtual Asset Service Providers Act, 2025, is more than a financial regulation. It is a statement of governance maturity.
It reflects Kenya’s ambition to match fintech innovation with strong institutional frameworks.
Ultimately, success will depend on execution. Regulators must supervise effectively without stifling innovation. At the same time, the private sector must adapt with discipline and accountability.
Should you have any questions on this legal alert, please do not hesitate to contact us at mail@kitllp.com.