Kenya Virtual Assets and Service Providers Bill, 2025 (“VASPS”)

by: Muigai Githu, Patrick Nguri & Sumeiya Yunis

Introduction

The Kenya Virtual Assets and Service Providers (“VAPS”) Bill 2025 came up in response to the prominence of virtual assets in Kenya and the evident need for a comprehensive regulatory framework to oversee their use. Previously, regulatory issues regarding crypto assets and related activities were dealt with in line with existing mandates of regulatory authorities; the Central Bank of Kenya (“CBK”) and the Capital Markets Authority (“CMA”). However, according to a Technical Assistance Report by the IMF dated 10^th January 2025, while the CBK and CMA had issued public notices and guidelines regarding virtual assets, the organisations’ rulemaking in this area was limited.

The CBK had issued several directives concerning virtual assets including the infamous December 2015 public notice cautioning the public on virtual currencies such as Bitcoin. The notice highlighted associated risks including their decentralized and unregulated nature, potential for misuse in illicit activities and lack of consumer protection in case of platform failures. In addition to the public notice, the CBK issued a circular to all financial institutions advising against dealing in virtual currencies or facilitating transactions involving them. However, in May 2023, the CBK published a discussion paper on the potential introduction of a Central Bank Digital Currency. The paper acknowledged the growing interest in Virtual Assets (VAs) and the associated risks including anti-money laundering and countering financial terrorism concerns.

Accordingly, the Bill sets out its objective as the provision of a legislative framework to license and regulate the activities of virtual asset service providers in and from Kenya. The scope of the Bill ought to cover all aspects of regulation and development of the virtual assets ecosystem in Kenya.

Key Considerations

Functional Clarity

At the Bill’s policy stage, we noted a lack of clarity in assigning roles to regulators and the need for harmonization. Despite providing an implementation matrix with specific objectives, the draft policy of December 2024 provided a lists of over twenty implementing institutions for each implementation objective. Fortunately, Section 6 of the Act has clearly established the Regulatory Authorities as:

1. The Capital Markets Authority,
2. The Central Bank of Kenya, or
3. any other public body that the Cabinet Secretary may designate.

In the First Schedule, the Bill clearly categorizes the different types of virtual asset services, outlining their functions, descriptions and the corresponding Regulatory Authority for each. This structured classification enhances regulatory clarity and minimizes jurisdictional overlap. For example, the Central Bank of Kenya (CBK) is tasked with overseeing wallet services, reflecting its role in supervising payment systems and custodial functions, while the Capital Markets Authority (CMA) regulates services such as exchanges and Initial Coin Offerings (ICOs), which align more closely with investment and trading activities. The benefit of this approach is that it ensures each regulatory authority focuses on areas within its core mandate, improving oversight efficiency, fostering compliance and offering clearer guidance to market participants.

In the exercise of these functions, the Bill also provides for guiding principles including ensuring financial stability, market integrity, fostering innovation and most importantly, preventing, detecting and restraining conduct that causes or may cause damage to the financial reputation of the country.

We expect that such a clear institutional framework and guiding principles will reduce legal ambiguity and position Kenya as a competitive player in the global digital economy. As according to an analysis by EY, virtual asset entrepreneurs gravitate towards jurisdictions with regulatory certainty in terms of licensing and registration while investors are better able to assess their risks and protect their interests.

We have observed a promising trajectory in South Africa, where the Financial Sector Conduct Authority (FSCA) issued a directive in 2023 requiring all Virtual Asset Service Providers (VASPs) to register for licenses. As of the most recent update, the FSCA has received 420 applications for Crypto Asset Service Provider (CASP) licenses and approved 248. This licensing process has supported the FSCA’s broader goal of protecting financial consumers from the risks commonly associated with cryptocurrencies, such as fraud, theft and market manipulation.

Licensing Procedure

As a starting point, the Bill prohibits any person or entity from conducting virtual asset services in or from Kenya without obtaining a license from the relevant regulatory authority.

The licensing process itself requires applicants to submit a formal application to the appropriate regulatory authority accompanied by the necessary documentation and the prescribed application fee. The Authority has the discretion to grant a license with or without conditions or reject an application that does not meet the criteria set out in the Bill. However, in the event an an application is denied, the authority must provide written reasons for the decision.

In assessing an application, the relevant authority will consider among other factors,

1. whether the applicant is a qualified entity under section 3(1),
2. whether it has adequately skilled and experienced personnel; and
3. whether if licensed, the entity will be able to comply with financial obligations, inclusive of insurance, capital and solvency requirements.

Once a license is granted under this Bill, the Regulatory Authority shall within 30 days from the date of grant, publish a notification in the Kenya Gazette.

Under Section 12 of the Bill, a decision to grant a license, the relevant regulatory authority shall consider factors such as

1. the size, scope and complexity of the of the virtual asset service, underlying technology, method of delivery of the service and virtual asset utilization;
2. the knowledge, expertise and experience of the applicant;
3. procedures for money laundering, terrorist financing and proliferation financing
4. the internal safeguards and data protection systems being utilized by the Applicant;
5. the risks that the virtual asset service may pose to clients, other licensees or to the financial systems in Kenya;
6. the net worth, source of funds, capital reserves and financial stability of the applicant;
7. the impact that the virtual asset service may have on the financial services in Kenya;
8. the likelihood that the service shall promote innovation, competition and benefits to consumers;
9. if the applicant’s directors, senior officers are fit and proper persons to hold the respective positions;
10. if the applicant’s beneficial owners are fit and proper persons to have such ownership or control;
11. if the applicant is already operating in a regulated sector, a no-objection shall be required from the relevant regulator; and
12. any other consideration that the relevant regulatory authority may require.

Alignment with the existing AML//CFT framework

Previously, Kenya’s approach to money laundering and terrorist financing lacked specific provisions tailored to virtual assets and virtual asset service providers (VASPs), creating a regulatory gap. The Bill addresses this by:

1. placing a requirement under Section 12 for any VASPs applying for licensing to procedures for money laundering, terrorist financing and proliferation financing,
2. by amending the Proceeds of Crime and Anti-Money Laundering Act (Cap. 59A) to include a definition of a VASP;
3. Expanding the existing definition of a “reporting institution” under POCAMLA to explicitly include VASPs; and
4. Prohibiting the use of anonymity-enhancing services.

One main factor under this area is the Bill’s prohibition of anonymity enhancing services, which are defined under section 2 to mean, offering, facilitating or executing transactions in digital assets, with the effect or intention of concealing information. These services are often designed to obscure wallet addresses, transaction histories, or user identities. With the ban, the Bill promotes transparency, traceability in virtual asset transactions.

This is a critical step toward ensuring that the virtual asset ecosystem in Kenya is subject to the same rigorous oversight and compliance obligations as traditional financial institutions.

Obligations for VASPs and Enforcement Actions under the Bill

The Bill imposes a clear set of duties on licensed VASPs, including maintaining accurate records, conducting customer due diligence (CDD), reporting suspicious transactions, and ensuring compliance with data protection and consumer protection standards. From a regulatory perspective, these obligations allow the regulators to monitor operations effectively, assess systemic risks, and enforce compliance. For consumers and investors, these duties foster trust by ensuring that service providers operate responsibly and ethically.

Additionally, Section 12 appropriately addresses key concerns around data and consumer protection which are a pain point in global virtual asset regulation. By requiring regulators to consider these factors when granting licences, and placing obligations on the VASPs, the Bill helps safeguard users from risks such as fraud, misrepresentation, and financial loss.

These obligations are reinforced by the Act’s provision for broad administrative enforcement powers granted to the relevant regulatory authorities. These powers include the issuance of formal written notices to non-compliant licensees and directions to undertake remedial action where necessary. These measures serve as softer enforcement tools, enabling regulatory oversight without resorting to rigid or punitive approaches that could stifle growth of the sector.

Where more serious breaches occur, the authorities are empowered to take stricter action, including suspending or revoking licenses or virtual asset offerings, initiating investigations into alleged non-compliance, and imposing non-administrative penalties. The Bill also provides for criminal offences and associated penalties. The inclusion of penalties for company executives, including directors and senior officers who knowingly facilitate or permit violations, is a significant step towards holding individuals accountable in addition to the corporate entity. This ensures that corporate governance within VASPs is not only a matter of compliance at the organizational level but also at the personal level for key decision-makers. These penalties provide a strong deterrent against misconduct and reinforce the Bill’s emphasis on ensuring accountability within the sector.

Moreover, this tiered enforcement framework supports a responsive and proportionate regulatory approach, balancing market discipline with sectoral growth.

Conclusions

The Kenya VASPs Bill, 2025, establishes a clear regulatory framework that assigns oversight responsibilities to the Central Bank of Kenya and the Capital Markets Authority. It aims to ensure transparency, security and accountability within the virtual asset ecosystem through stringent penalties, administrative enforcement powers. By assigning duties and the requirement for licensing to the VASPs, the Bill creates a balanced approach that fosters growth while addressing risks.

As the sector evolves and the bill comes into force, the development of subsidiary legislation will be crucial in providing clarity on technical standards and operational guidance.