1. Quick Regulatory Snapshot and Status
Q: When did the Virtual Assets Service Providers Act 2025 (VASP Act) become effective?
A: The Act was gazetted on October 21, 2025, and became effective on November 4, 2025.
Q: What is the primary function of the VASP Act?
A: It provides the legal framework for the licensing, regulation, and supervision of Virtual Asset Service Providers (VASPs) in Kenya, including establishing obligations for Anti-Money Laundering (AML), Counter-Terrorism Financing (CFT), and Counter-Proliferation Financing (CPF).1
Q: Which regulatory bodies are designated to oversee VASPs?
A: There is a dual regulatory structure:
- The Central Bank of Kenya (CBK)
- The Capital Markets Authority (CMA)
Q: Has VASP licensing commenced yet?
A: No. As explicitly stated in a joint notice by CBK and CMA, licensing will only commence once the detailed Regulations operationalizing the Act are drafted and issued by the Cabinet Secretary, National Treasury. Currently, no entity has been licensed under the Act.
Q: Is there a deadline for existing VASPs already operating in Kenya to comply?
A: Yes. The Act provides a statutory transition window.2 Existing VASPs have one (1) year from the commencement date (i.e., until November 4, 2026) to apply for and obtain a license or cease their operations.
2. Eligibility and definitions
Q: How is a ‘virtual asset’ defined under the Act?
A: A digital representation of value that can be digitally traded or transferred and used for payment or investment purposes.3
- Exclusions: It specifically excludes digital representations of fiat currencies (like e-money), securities, and other traditional financial assets (like Central Bank Digital Currencies).
Q: Who is eligible to apply to operate as a VASP in Kenya?
A: To be eligible, an entity must be a company limited by shares that is either:
- A domestic company registered under the Companies Act; or
- A foreign company registered as a subsidiary in Kenya, holding a certificate of compliance under the Companies Act.
Q: Can an individual (natural person) apply for a VASP license?
A: No. Natural persons are explicitly prohibited from operating as VASPs.
3. Permitted Virtual asset activities and regulator
The Act defines specifically permitted activities. An applicant must identify which activity they intend to undertake to determine their primary regulator.
| Virtual Asset Activity | Primary Function(s) | Regulator(s) |
| Virtual Asset Wallet Provider | Facilitates the storage (custody) of virtual assets and enables the transfer or exchange of those assets. | CBK |
| Virtual Asset Payment Processor | Arranges transactions involving the exchange of virtual assets and fiat currency, or exchange between different virtual assets. | CBK |
| Virtual Asset Offering Provider | Issues and sells virtual assets to the public. | CBK (for Stablecoin issuance) CMA (for ICOs, tokenization platforms) |
| Virtual Asset Exchange | Operates a digital platform for trading, exchanging, and transferring virtual assets. | CMA |
| Virtual Asset Broker | Facilitates the exchange between virtual assets through an exchange or wallet provider on behalf of clients (retail or institutional). | CMA |
| Virtual Assets Investment Advisor | Offers investment advice on virtual assets, including ICOs and NFTs. | CMA |
| Virtual Asset Manager | Manages client portfolios containing virtual assets on a discretionary basis. | CMA |
4. Expected licensing requirements
While final regulations are pending, the Act lays out the core requirements prospective applicants must prepare to meet.
A. Corporate Structure & Governance
- Physical Presence: Must maintain a physical office in Kenya with suitable premises or data systems for recordkeeping.
- Board Composition: Appoint at least three (3) directors, all of whom must be natural persons.
- Fit and Proper Test: Directors, senior management, and significant shareholders must pass rigorous “Fit and Proper” assessments regarding their probity, competence, and financial soundness.
- Governance framework: Demonstrate strong and effective corporate governance mechanisms.
B. Financial & Operational Capacity
- Capital Adequacy: Demonstrate adequate financial capacity, including minimum capital, solvency, and insurance coverage appropriate to the size and complexity of operations.
- Liquidity: Demonstrate adequate liquidity reserves to ensure uninterrupted operations.
- Asset Segregation: Implement strict policies to segregate client funds/assets from the VASP’s own operational funds to protect clients in the event of insolvency.
C. Technology & Compliance
- Cybersecurity: Comply with standards under the Computer Misuse and Cybercrimes Act, including regular third-party security audits (pen-tests).
- AML/CFT/CPF: Implement robust systems for KYC (Know Your Customer), KYB (Know Your Business), transaction monitoring, and suspicious activity reporting.
- Data Protection: Demonstrate capability to meet requirements under the Data Protection Act.
5. Required preparation documents checklist
Prospective applicants should begin collating the following documentation in anticipation of the licensing portal opening:
| Category | Key documents to prepare |
| Company Incorporation | Memorandum and Articles of AssociationShareholder RegisterCertificate of IncorporationCertificate of Compliance (for foreign companies) |
| Fit and Proper Persons | Certified copies of IDs/Passports for Directors/Senior ManagementComprehensive CVsCertified current police clearance certificatesDuly completed Fit and Proper Questionnaires (when available) |
| Business Strategy | Detailed Business Plan (including management structure and financial projections for at least three years)Details of current activities (for existing VASPs) |
| Compliance & Risk Manuals | AML/CFT/CPF PolicyKYC/KYB and Customer Due Diligence ProceduresSuspicious Transaction Reporting Policies Risk Management FrameworkCustody/Segregation of Client Assets PolicyDraft Compliance Manual and Internal Audit Charter |
| Technology & Security | Information Security PolicyCybersecurity Framework and recent Pen-test/Security Audit ReportBusiness Continuity and Disaster Recovery PlanData Protection Policy |
| Client Facing | Client Terms & User Agreements (must contain clear risk disclosures)Draft outsourcing agreements (if applicable) |
6. Key Duties and Obligations Post-Licensing
Once a license is obtained, a VASP has ongoing statutory obligations:
- Honest & Fair Conduct: Conduct business prudently, with integrity, and in the best interests of clients.
- Financial Soundness: Continuously maintain the prescribed minimum capital, solvency, and insurance requirements.
- Conflict of Interest Management: Establish and maintain internal policies to identify and manage conflicts of interest between the licensee, clients, and service providers.
- Operational Compliance: Strictly adhere to laws governing AML, CFT, CPF, data protection, and cybersecurity on an ongoing basis.
- Financial Reporting: Submit audited accounts to the relevant authority within three (3) months of the end of every financial year.
- Change Management: Notify the authority within 14 days of any material changes to ownership, key officers, or business structure.
