The Virtual Asset Service Providers Act, 2025: Kenya’s Bold Step Toward Crypto Regulation

Table of Contents

1. Introduction and Purpose of this Guide

   
   

2. Why Kenya Moved to Regulate Virtual Assets: Legislative Background

   
   

3. When the Act Became Law and Which Bodies Will Supervise It

   
   

4. Who and What Falls Inside the Act (Scope and Definitions)

   
   

5. Licensing Framework and Fit and Proper Requirements

   
   

6. Anti-Money Laundering, KYC And Reporting Obligations

   
   

7. Consumer Protection, Custody and Operational Resilience

   
   

8. Supervisory Powers, Sanctions and Enforcement Toolkit

   
   

9. Tax, Accounting and Cross-Border Issues to Watch

   
   

10. Litigation and Regulatory Risk: The Worldcoin Decision and Implications for VASP's

    
    

11. Practical Compliance Checklist and Recommended Next Steps for Firms and Counsel

    
    

12. Conclusion: Balancing Innovation, Inclusion and Risk

    
    

13. Frequently Asked Questions (FAQ)

1. Introduction and Purpose of this Guide

   
   

   This practical briefing explains the Virtual Asset Service Providers Act, 2025 (the Act) from the perspective of law firms, compliance teams and investors who must act now. The guide summarises the law’s main provisions, highlights immediate compliance priorities and explains regulatory and litigation risks that have emerged alongside the new legal framework.

   
   

   It is written for in-house counsel,  Virtual Asset Service Providers (VASP) founders, fund managers, professional advisers and regulators who need clear, usable guidance rather than academic description.

   
   

2. Why Kenya Moved To Regulate Virtual Assets: Legislative Background

   
   

   Kenya’s move to a statutory regime reflects international standards and domestic policy choices to protect consumers, prevent illicit finance and unlock fintech investment. The draft Bill and parliamentary scrutiny focused on risks associated with unlicensed intermediaries, money laundering and market integrity while seeking to position Kenya as a competitive digital finance hub.

   
   

   The government’s published Bill and parliamentary reports show the legislative intent to balance innovation with strong safeguards.

3. When the Act Became Law and Which Bodies Will Supervise It

   
   

   The Act was enacted in 2025 and received presidential assent 0n 15th October 2025. The statute assigns supervisory roles between established regulators: the Central Bank of Kenya (CBK) and the Capital Markets Authority (CMA), with the Cabinet Secretary for the National Treasury empowered to make regulations and coordinate implementation.

   
   

   The intention is to split oversight by product and activity so that stablecoins and certain payment functions fall under the CBK’s remit while trading platforms and exchanges will be supervised by the CMA. These allocations and the enactment timeline were emphasised during parliamentary debate and in contemporaneous reporting.

4. Who and What Falls Inside The Act (Scope And Definitions)

   
   

   The Act adopts an activity-based approach. Entities captured include custodial wallet providers, virtual asset exchanges, brokers, custodians, custodial wallet providers, payment gateway operators and firms that issue or manage virtual assets, including certain token offerings and stablecoins.

   
   

   The Act also covers services “in or from Kenya,” which will capture locally incorporated entities and, in some circumstances, foreign providers who target Kenyan users. The practical consequence is that many different business models; on-ramp/off-ramp services, token issuers and custodial platforms must review their business models against the Act’s definitions before deciding whether to apply for a licence.

5. Licensing Framework and Fit and Proper Requirements

   
   

   The Act makes licensing mandatory for all described activities. Licensing criteria are deliberately broad and include governance, capital adequacy, suitability of directors and senior managers, operational and IT controls, cyber-security measures and proof of adequate financial resources. Applications will require comprehensive business plans, compliance manuals, Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) policies and evidence of board-level oversight.

   
   

   The law also contemplates ongoing reporting and renewal conditions rather than a one-off permit. Many advisers recommend that prospective applicants begin preparing board-approved policies, compliance frameworks and audited financials now because regulators are likely to apply strict fit-and-proper tests in the first licensing wave.

6. Anti-Money Laundering, KYC and Reporting Obligations

   
   

   A core purpose of the Act is to bring VASPs within Kenya’s Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) regime. The law requires robust KYC and customer due diligence, transaction monitoring, suspicious transaction reporting to the Financial Reporting Centre (or the designated AML authority) and record-keeping obligations.

   
   

   The Act harmonises with Financial Action Task Force (FATF) recommendations by making VASPs subject to the same basic obligations as banks and other reporting entities. Practically, this means establishing screening for beneficial ownership, politically exposed persons, sanctions lists and implementing transaction monitoring systems capable of handling crypto-native patterns (such as chain analysis and clustering).

   
   

   Failure to demonstrate effective AML systems will likely lead to early licence refusals or supervisory enforcement.

7. Consumer Protection, Custody and Operational Resilience

   
   

   The Act emphasises consumer safeguards. Licensing conditions will include requirements for segregation of client assets where applicable, clear disclosures at onboarding, and minimum standards for custody and disaster recovery. Regulators have signalled an expectation that VASPs adopt internationally recognised custody and security standards, conduct regular penetration testing and maintain incident reporting protocols.

   
   

   Firms offering custodial wallets should plan to disclose insurance arrangements, reconciliation processes and proof of reserves when applying for licence. Operational resilience extends to third-party risk: cloud-hosting, key management providers and outsourced AML vendors will be scrutinised during licensing.

8. Supervisory Powers, Sanctions and Enforcement Toolkit

   
   

   The Act grants supervisors broad powers: to grant, suspend and revoke licences; to conduct inspections and audits; to issue enforcement notices; and to impose administrative fines and criminal sanctions for severe breaches. The law also contemplates coordination with other regulators (data protection, tax, market conduct) and the ability to freeze assets pending investigations.

   
   

   VASPs should therefore assume aggressive supervision in the early implementation phase as regulators test the supervisory framework and seek to deter misconduct. Non-compliant operators face licence revocation, high fines and, potentially, criminal exposure for executives where wilful misconduct is established.

9. Tax, Accounting and Cross-Border Issues to Watch

   
   

   Tax authorities have already signalled interest in virtual asset related revenue and VAT implications. VASPs must plan for KRA reporting obligations, correct accounting for token issuance and receipts, and transfer pricing where group structures cross borders.

   
   

   Cross border data sharing requests and mutual legal assistance are likely to increase, so VASPs with international customers should review data transfer controls and legal bases for processing. Counsel should advise clients on the tax treatment of tokenised assets, stablecoin operations and the tax consequences of trading/platform fees, and engage with professional accountants early to ensure filings are defensible.

10. Litigation And Regulatory Risk: The Worldcoin Decision and implications for VASPs

    
    

    Recent litigation in Kenya has already shaped the regulatory environment for digital projects. In Republic v Tools for Humanity Corporation (US) & 8 others; Katiba Institute & 4 others (Ex parte Applicants); Data Privacy & Governance Society of Kenya (Interested Party) (Judicial Review Application E119 of 2023) [2025] KEHC 5629 (KLR) (Judicial Review) (5 May 2025) (Judgment), the High Court found that Worldcoin’s biometric data collection breached data protection and constitutional safeguards, underscoring regulatory scrutiny where novel technologies intersect with personal data and consent.

    
    

    The Worldcoin dictum signals two lessons for VASPs: first, operations that depend on personal or biometric data must comply strictly with the Data Protection Act and secure documented, informed consent and data protection impact assessments; second, regulatory consent and engagement matter ventures that operate without explicit regulatory clarity risk injunctive relief and reputational harm.

    
    

    VASPs should therefore build privacy by design into product architecture and pre-emptively consult the Office of the Data Protection Commissioner where relevant.

11. Practical Compliance Checklist and Recommended Next Steps for Firms and Counsel

    
    

    Start with a short compliance sprint. The recommended immediate tasks are: prepare a gap analysis (governance, AML, custody, cyber-security), assemble application documents (governance charters, audited financials, compliance manuals), perform privacy impact assessments where personal data is processed, implement transaction monitoring and chain-analysis tooling, and appoint an experienced head of compliance with clear senior management accountability.

    
    

    Simultaneously plan for stakeholder engagement: open lines of communication with the CBK/CMA, consult with tax counsel, and where possible join industry associations to share best practice. For established firms with user bases, consider a voluntary remediation and customer notification plan to demonstrate good faith to supervisors. Finally, prepare public disclosures and terms of use updates consistent with licence conditions.

12. Conclusion: Balancing Innovation, Inclusion and Risk

    
    

    The Virtual Asset Service Providers Act, 2025: Kenya’s Bold Step Toward Crypto Regulation. The VASP Act is a turning point for Kenya’s digital finance ecosystem. It creates a pathway to legitimacy, opens channels for institutional investment, and raises consumer protection standards. At the same time, the compliance burden is significant and will require operational investment, robust governance and careful legal advice.

    
    

    Success for VASPs will depend on thoughtful compliance-first product design, proactive regulator engagement and strong stewardship by boards and senior management. Those who prepare early and demonstrate credible controls will be best positioned to benefit as Kenya seeks to become a regional hub for regulated digital finance.

13.   Frequently Asked Questions (FAQ)

Q1: Do I need a licence to operate a non-custodial wallet in Kenya?

Yes. The Act is activity-based. Even non-custodial services that fall within the statutory definitions may require registration or licensing depending on the service profile and whether the provider is offering other regulated functions such as exchange or brokerage. Check definitions carefully and obtain legal advice early.

Q2: Which regulator do I apply to for a licence?

It depends on the activity. Stablecoin issuance and certain payment functions will be supervised by the CBK while exchanges and trading platforms fall under the CMA. The Cabinet Secretary will publish regulations to clarify the licensing routes; therefore applicants should monitor gazetted regulations and engage the relevant regulator during the application phase.

Q3: How will AML obligations differ from those for banks?

Obligations are broadly aligned with the national AML/CFT framework and FATF recommendations, but the operational tools differ. VASPs must augment traditional KYC with crypto-specific transaction monitoring, blockchain analytics and enhanced verification for on-chain transactions. Expect similar reporting standards but new technology-driven monitoring expectations.

Q4: Will the law affect cross-border token offerings?

Yes. Token issuers that market to Kenyan investors or conduct offerings “in or from Kenya” are likely within scope. Cross-border offerings require careful structuring, disclosure and often local legal counsel to determine whether a Kenyan prospectus, licence or exemption is required.

Q5: What are the sanctions for non-compliance?

The Act provides for administrative fines, licence suspension or revocation, and criminal penalties in cases of wilful or egregious conduct. Supervisors can also issue enforcement orders and coordinate with law enforcement to freeze assets during investigations. Firms should assume strict enforcement in the early years.

Q6: How should law firms advise clients now?

Advise clients to stop operating new high-risk products without legal clearance, conduct a rapid compliance gap assessment, prepare licence dossiers and adopt privacy and AML-by-design approaches. Also advise on dispute and litigation readiness in light of recent cases and to maintain transparent engagement with regulators.

Author’s note: This guide summarises the Act and current developments as of October 2025 and highlights practical legal and compliance issues. It is not legal advice. For entity-specific advice, licence preparation or representation before regulators or courts contact a qualified Kenyan legal adviser.