The Virtual Asset Service Providers (VASP) Act, 2025 is Now Law – A New Era for Crypto & Digital Finance in Kenya

Executive Summary

Following our previous alert on the Virtual Asset Service Providers Bill, 2025, we are pleased to confirm that the regulatory landscape for digital assets in Kenya has officially shifted. The Virtual Asset Service Providers Act, 2025, was assented to by His Excellency the President on October 15, 2025, and officially commenced operation on November 4, 2025.

The Act’s commencement makes compliance obligations immediately relevant to all existing and prospective VASPs serving Kenyan users. Its stated purpose is to license, regulate, and supervise the activities of VASPs in and from Kenya, including exchange, custody, transfer, issuance, and other virtual asset services, while integrating them into Kenya’s anti-money laundering and counter‑terrorist financing (AML/CFT) framework.

The Act applies to both local and foreign entities that offer virtual asset services in Kenya, with limited exclusions for closed-loop tokens, certain non-financial NFTs, and central bank digital currency, which remain subject to other sectoral laws.

Undoubtedly, the Act transforms Kenya from a “grey” regulatory zone into a fully regulated jurisdiction, aligning with FATF (Financial Action Task Force) standards and placing Kenya at the forefront of African digital finance innovation.

Key Provisions & Critical Changes

The Act solidifies the framework proposed in the Bill with several critical clarifications that existing and prospective crypto-asset operators, fintechs, and blockchain enterprises must note:

1. The Dual Regulatory Regime
   The Act settles on a dual‑regulator architecture by establishing a clear Twin-Peak Model:
   • Central Bank of Kenya (CBK): Retains primary jurisdiction over Virtual Asset Wallet Providers (custodial services), Virtual Asset Payment Processors, and issuers of Stablecoins (digital representations of fiat) and activities that functionally resemble payment systems or e-money.
   • Capital Markets Authority (CMA): Assumes oversight for Virtual Asset Exchanges, Digital Asset Brokers, Investment Advisors, Fund Managers, and Tokenization platforms (e.g., Real World Asset tokenization).
   • The two regulators are empowered to license VASPs, approve offerings, issue guidelines and directives, monitor compliance, provide AML/CFT feedback to industry, and advise the Cabinet Secretary on policy and subsidiary legislation.
2. Licensing & Corporate Structure & Transition Period
   • No Individual Licensees: The Act explicitly prohibits natural persons from operating as VASPs. Only companies incorporated in Kenya or registered foreign companies (branches) with a physical office in Kenya are eligible for licensing.
   • Fit and Proper Test: Directors, CEOs, and Significant Shareholders must undergo rigorous vetting to ensure they meet integrity and financial soundness criteria.
   • Transitional Period: Existing providers are subject to a statutory transition window of one (1) year from the commencement date, within which they must apply for and obtain licences or cease operations, making early compliance planning critical. Operating without a license after this window lapses is a criminal offense carrying fines of up to KES 20 million or imprisonment for directors.
3. Mandatory AML/CFT & Reporting Obligations
   VASPs are now designated as Reporting Institutions. This triggers immediate compliance requirements under the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA):
   • Mandatory Know Your Customer (KYC) and Customer Due Diligence (CDD) protocols.
   • Requirement to report Suspicious Transactions to the Financial Reporting Centre (FRC).
   • Implementation of the “Travel Rule” for crypto-asset transfers by prohibiting anonymity tools and concealment of transaction trails or beneficial ownership to preserve traceability and reduce ML/TF risks in the crypto ecosystem.
4. Consumer Protection & Data Privacy
   Building on the Data Protection Act, 2019, the VASP Act mandates:
   • Asset Segregation: Client funds/assets must be held separately from the VASP’s operational funds to protect against insolvency.
   • Cybersecurity Audits: Licensees must conduct annual third-party systems audits to ensure the integrity of the Distributed Ledger Technology (DLT) infrastructure.
   • Processing of Personal Data: Any person processing personal data under this Act shall comply with the Data Protection Act
5. Enforcement, Surrender, Revocation & Register
   • Regulators may suspend, vary, or revoke licences for non-compliance, misleading conduct, fraud, endangering clients, or risk to the financial system.
   • Licence surrender by a VASP requires prior notice, board resolution, a plan for winding up, clients’ asset arrangements, notifications to clients, and clearance of liabilities. The regulator supervises the process to safeguard client interests.
   • Regulators must maintain and publish a public register of licensed VASPs, with names, addresses, authorized services, licence status, and date of issuance.

Immediate Market Realities: What’s Happening Now

• Despite the Act’s commencement, no VASP has yet been licensed. As of November 2025, licensing is pending issuance of detailed Regulations by the National Treasury in consultation with CBK and CMA. Consequently, the licensing of VASPs will commence upon the issuance of the regulations.
• Once Regulations are published, existing crypto exchanges, wallet providers, payment gateways, stable-coin issuers, token issuers, and other VASPs will need to apply promptly, or cease operations pending licensing, otherwise risk criminal prosecution.
• The Act aligns Kenya with global standards (e.g., as advocated by the Financial Action Task Force (FATF)) on AML/CFT/CPF, enhancing investor confidence and potentially unlocking foreign institutional capital into compliant platforms.

How Njaga & Co. Advocates LLP can assist

At Njaga & Co Advocates LLP and as a leading firm in Fintech Regulation and Commercial Law, we are well‑placed to guide VASPs, fintechs, financial institutions and investors through the new VASP Act lifecycle, from market entry to ongoing supervision. We offer:

• Regulatory Readiness Audits: We review your current business model (Exchange, Wallet, or Payment Rail) to determine whether you fall under CBK or CMA jurisdiction.
• Licensing & Authorization: Full support in compiling and lodging license applications, including drafting the required Business Continuity Plans and IT Security Policies.
• AML/CFT Policy Drafting: Developing bespoke Anti-Money Laundering manuals and KYC procedures that satisfy the Financial Reporting Centre (FRC).
• Legal Opinions: Providing definitive legal opinions on Token Classification (Utility vs. Security) for entities exploring ICOs or STOs.
• Dispute Resolution: Representation in regulatory enforcement actions or investor disputes under the new regime.

Frequently Asked Questions (FAQs)

Q: I am a foreign crypto exchange with users in Kenya. Do I need a license?
A: Yes. The Act applies to any entity conducting business “in or from” Kenya. If you are actively targeting Kenyan consumers, you must register a local presence (Subsidiary or Branch) and obtain a license.

Q: Can an individual operate as a VASP?
A: No. The Act requires VASPs to be companies incorporated or registered under the Companies Act, and explicitly excludes natural persons from carrying on virtual asset services in or from Kenya.

Q: When will licensing applications open?
A: Licensing will commence upon issuance of CBK/CMA regulations, which are currently in the process of formulation.

Q: Are there minimum capital or solvency thresholds spelt out in the Act?
A: The Act requires compliance with “such capital, solvency and insurance requirements as may be prescribed.” The actual thresholds will be set out in the forthcoming Regulations.

Q: What should businesses do now?
A: VASPs and crypto‑adjacent businesses should immediately commission a regulatory impact review, begin preparing licensing documentation, and design or upgrade AML/CFT, governance, cybersecurity, and consumer‑protection frameworks to meet the new standards, ideally within the transition period signalled in the Act and related to the forthcoming guidelines.

Q: What are the main compliance risks if a provider delays licensing?
A: Operating without a licence exposes entities and individuals to criminal prosecution, administrative fines, potential shutdown of operations, and reputational damage, and may also complicate future licence applications where a history of non-compliance is considered in fit‑and‑proper assessments.

Disclaimer: This article provides general information and does not substitute legal advice on specific circumstances of any individual or organization. While the information is accurate as of the date published, we cannot guarantee it remains accurate at the time you read it or that it will stay current. Before acting on any of this information, please seek professional legal advice tailored to your situation.