Executive summary

The Virtual Assets Service Providers Act  (VASP Act) officially came into force on 21 October 2025, marking a significant milestone in Kenya's efforts to regulate the virtual assets sector. The VASP Act establishes a comprehensive legal framework for the supervision and licensing of virtual asset service providers (VASPs) and designates specific regulatory authorities responsible for its implementation. The enactment of the VASP Act follows international scrutiny highlighted in an International Monetary Fund (IMF) Technical Assistance Report, which noted that the absence of dedicated regulation had previously exposed Kenya to financial crime risks and contributed to its "grey listing" by the Financial Action Task Force (FATF). The new law seeks to address these concerns by aligning Kenya's regulatory approach with global standards and strengthening the country's anti-financial crime framework.

Understanding virtual assets — essential terms under the VASP Act

The VASP Act defines a virtual asset as a digital representation of value that can be traded or transferred electronically and used for payment or investment purposes, excluding traditional financial instruments such as fiat currencies and securities. Importantly, digital tokens used solely within closed ecosystems are not considered virtual assets, and non-fungible tokens (NFTs) are only covered under this definition if used for payment, investment or financial purposes.

A VASP is any company licensed under the VASP Act to offer services related to virtual assets. These services are wide-ranging and include operating digital wallets, running exchanges, processing payments, providing brokerage and investment advice, managing virtual asset portfolios, issuing new digital tokens and facilitating the tokenization of real-world assets.

Designation of CBK and CMA as regulatory bodies

The VASP Act designates the Capital Markets Authority (CMA) and the Central Bank of Kenya (CBK), along with any other body appointed by the Cabinet Secretary, as the primary regulators. These authorities are tasked with licensing VASPs, regulating virtual asset offerings, and issuing guidelines to promote financial stability, innovation and market integrity. They also hold enforcement powers, including issuing warnings and directives, imposing restrictions, suspending or revoking licenses, and levying administrative penalties to ensure compliance and accountability.

Licensing requirements for VASPs

To operate as a VASP in Kenya, an entity must be a company limited by shares, registered either locally or as a foreign company under the Companies Act. Accordingly, individuals and other business structures are expressly excluded from eligibility. The licensing process requires applicants to submit a formal application to the relevant regulatory authority, accompanied by prescribed fees and supporting documentation as may be prescribed in the regulations to be enacted pursuant to the VASP Act.

Regulatory authorities are required to evaluate a range of factors in considering an application, including the applicant's organizational structure, the expertise and experience of its personnel, and the adequacy of its internal controls and safeguards. Applicants must demonstrate robust procedures for anti-money laundering (AML) and counter-terrorism financing (CTF), compliance with consumer protection and data protection laws, and the ability to meet financial obligations such as insurance, capital and solvency requirements.

Furthermore, applicants are required to maintain a physical office in Kenya and have specified physical premises or data solutions that the regulatory authority has deemed suitable for record-keeping, and to show that their proposed operations serve the public interest, considering the size, scope and complexity of their business. Licenses are valid until 31 December of the year issued and may not be transferred or assigned without prior approval from the regulator.

General obligations of VASPs

The VASP Act imposes certain obligations on VASPs. Some of these obligations include the following.

Meeting fit and proper assessments: Directors, senior officers and key personnel of licensed VASPs must meet fit and proper standards. This involves assessments of professional competence, experience, integrity and financial standing to ensure suitability for leadership roles.

Maintaining ongoing notifications and reporting to the regulator: Licensees are required to maintain ongoing communication with the regulatory authority. They must promptly notify the regulator of significant developments, including insolvency risks, changes in ownership or management, involvement in criminal proceedings, material changes to business operations, or cybersecurity incidents. These notifications must be accompanied by detailed reports outlining the circumstances and mitigation measures.

Maintaining capital, solvency and insurance requirements: Providers are obligated to maintain adequate financial resources and insurance coverage appropriate to the nature and scale of their operations. This ensures the ability to meet obligations to clients and maintain operational stability.

Implement procedures for conflict of interest management: Licensees are required to implement policies and procedures to identify, avoid and manage conflicts of interest. The interests of clients, service providers and third parties must be appropriately safeguarded to promote fairness and transparency.

Establish cybersecurity measures: VASPs are required to establish and maintain effective cybersecurity measures in accordance with the Computer Misuse and Cybercrimes Act. These measures are designed to protect systems and data from unauthorized access and cyber threats.

Protect customer assets: VASPs are obligated to safeguard customer assets by maintaining sufficient reserves, segregating client holdings from their own and ensuring that client assets are not subject to claims by the provider's creditors.

Comply with the Data Protection Act: Any person processing personal data under the VASP Act is required to comply with the Data Protection Act.

Prevention of money laundering, terrorism financing and proliferation financing

The VASP Act grants regulatory authorities the power to supervise and enforce compliance with AML, CTF and counter-proliferation financing (CPF) obligations. This includes vetting significant shareholders and senior officers, conducting inspections and surveillance, and requiring the production of documents and information relevant to AML/CTF/CPF compliance. Regulatory authorities may impose sanctions for violations, issue guidelines and directions, and collaborate with other agencies to ensure effective prevention and detection of illicit activities within the virtual asset sector.

Virtual asset offering

The VASP Act also establishes a framework for issuing and promoting virtual asset offerings in Kenya. A virtual asset offering is defined as a method of raising funds whereby an issuer issues virtual assets and offers them in exchange for funds.

It is worth reiterating that only companies, not individuals, can issue or promote such offerings, and every issuance must be approved by the relevant regulatory authority. The application process requires issuers to submit comprehensive documentation detailing the nature of the virtual asset, the characteristics of the offering and the target investor base. Regulatory authorities retain the power to object to or require modifications of an offering if there are discrepancies in advertising, undisclosed issuers or deviations from approved terms. Issuers are further required to comply with ongoing disclosure and conduct standards, ensuring transparency and investor protection throughout the lifecycle of the offering.

Conclusion

Effect of the VASP Act: The VASP Act marks a major turning point for Kenya's digital asset industry. It introduces a clear regulatory framework that legitimizes the sector and reduces risk for institutional investors and traditional financial institutions. This certainty builds confidence, encouraging wider participation and partnerships with licensed providers. By allowing regulated virtual asset offerings, the VASP Act opens new channels for raising capital, driving innovation and market growth. As the industry matures under this structure, players can tap into opportunities ranging from new investment products to cross-border collaborations.

On the flip side, broad definitions and strict eligibility requirements may create challenges for smaller startups and unconventional projects, slowing innovation and market entry. While these safeguards protect market integrity, ongoing review and flexibility will be essential to keep pace with technology and evolving market needs.

Next steps for stakeholders

For those currently providing virtual asset services in Kenya, compliance with the VASP Act's licensing requirements is mandatory within one year of its commencement. New entrants must secure a license before beginning operations. All VASPs should proactively develop and implement robust policies and procedures to meet the VASP Act's standards on AML, customer due diligence, capital adequacy, insurance and consumer protection. It is also important to stay informed about additional regulations issued by the Cabinet Secretary, as these will clarify licensing fees, financial requirements and operational guidelines.

For those who would like to learn more about these developments and their practical implications, EY Law will be hosting a webinar on this topic on 26 November 2025. To register or for more details, please use this link.