Executive Summary

The Virtual Asset Service Providers Act, 2025 (the Act) establishes a comprehensive regulatory framework for virtual asset activities in Kenya. It represents a pivotal shift from an unregulated digital market to a supervised and compliance-driven ecosystem.

For corporate boards, the Act introduces both heightened compliance obligations and strategic opportunities. It demands proactive governance, strong internal controls, and transparent regulatory engagement.

Key takeaways for boards

• Compliance transformation: The Act imposes new licensing, governance, and reporting requirements that will materially affect operating models and capital structures.
• Dual regulatory oversight: Activities may fall under both the Central Bank of Kenya (CBK) and the Capital Markets Authority (CMA), creating a dual-compliance environment requiring coordinated regulatory engagement.
• Governance and accountability: Directors and senior officers face personal liability for non-compliance. A “fit and proper” framework, active oversight, and clear documentation of board actions are essential.
• Strategic imperative: Robust compliance and transparency will not only mitigate regulatory risk but also strengthen market trust, investor confidence, and long-term competitiveness.

1. Introduction and Purpose

This report provides a board-level legal and strategic interpretation of the Virtual Asset Service Providers Act, 2025. It is designed to:

• Outline the Act’s key provisions and regulatory expectations.
• Assess the governance, compliance, and operational implications.
• Guide the Board in setting direction, oversight, and resourcing priorities for implementation.

The transition to a regulated environment requires boards to view compliance not as a cost, but as a strategic investment in trust, stability, and long-term market positioning.

Part I: Preliminary provisions (sections 1–4)

1.1 Overview

This section defines the Act’s scope and key terms, determining which entities and activities fall within regulatory oversight.

1.2 Key definitions

• Virtual asset: A digital representation of valuethat can be traded, transferred, or used for payment or investment. Excludes fiat currencies, securities, and other financial instruments governed by separate legislation.
• Virtual Asset Service Provider (VASP): A licensed company providing virtual asset services as defined in the First Schedule.
• Anonymity-enhancing services: Activities that amounts to offering, facilitating or executing transactions in digital assets, with the effect or intention of concealing information.

1.3 Jurisdiction and Exemptions

The Act applies to all VASPs offering services in Kenya, including foreign entities serving Kenyan clients.
Exemptions apply to:

• Closed ecosystems (e.g., in-game or loyalty tokens)
• Central bank-issued digital currencies
• Non-financial NFTs
• Non-transferable service tokens

1.4 Board considerations

• Regulatory perimeter: Ensure that all current and future products are formally assessed against the Act’s definitions.
• Legal validation: Obtain expert opinion before classifying any asset as exempt to avoid inadvertent unlicensed operation.
• Strategic clarity: Map all virtual asset-related activities to determine whether dual compliance under the CMA and CBK is triggered.

Part II: Regulatory oversight (sections 5–7)

2.1 Regulatory model

The Act adopts a dual-regulatory framework:

• CMA: Oversees investment-oriented virtual asset activities.
• CBK: Oversees payment, custody, and stable coin functions.

Regulators are empowered to license, supervise, enforce, and cooperate with domestic and international agencies.

2.2 Strategic implications

This dual structure mirrors global best practices, aligning Kenya’s framework with international regulatory standards such as those of the Financial Action Task Force (FATF).

However, it also introduces regulatory complexity particularly for entities offering both trading and payment functionalities.

2.3 Board considerations

• Regulatory mapping: Develop a matrix aligning business lines with the responsible regulator.
• Engagement strategy: Establish formal regulatory relationships early; transparency will build trust and reduce approval timelines.
• Cross-jurisdictional compliance: Align internal standards with FATF and international norms to position the company as a compliant market leader.

Part III: Licensing requirements (sections 8–17)

3.1 Overview

Licensing is the gateway requirement for all VASP operations. Only companies limited by shares (local or registered foreign entities) are eligible.

Operating without a license is a criminal offense.

3.2 Key licensing criteria

Regulators assess applicants on:

• Organizational capability: Competence, governance, and skilled personnel.
• Financial soundness: Capital adequacy, solvency, and insurance coverage.
• AML/CFT/CPF compliance: Robust frameworks and operational readiness.
• Internal controls and cybersecurity: Adequacy and effectiveness.
• Fit and proper status: Integrity, competence, and reputation of directors and key officers.

Licenses are:

• Conditional and renewable annually (valid until December 31 each year).
• Non-transferable without prior approval.
• Subject to suspension or revocation for non-compliance or endangerment of client interests.

3.3 Board considerations

• Governance oversight: Treat licensing as a strategic program requiring cross-functional alignment (legal, finance, compliance, IT).
• Resource allocation: Ensure sufficient capital and human resources for both application and ongoing compliance.
• M&A and investment planning: Factor license transfer restrictions into any acquisition, restructuring, or capital-raising strategy.
• Continuous compliance: Institute board-level monitoring of license renewals and regulatory interactions.

Part IV: Governance and operational obligations (sections 18–31)

4.1 Overview

This part establishes core conduct and prudential requirements for licensed VASPs, including governance, financial soundness, and client asset protection.

4.2 Key obligations

(a) Fit and proper requirements:
Regulators must deem all directors and senior officers fit and proper. The assessment covers probity, competence, financial integrity, and legal compliance.

(b) Conduct of business:

• Maintain a physical office in Kenya.
• Minimum three directors per company; restrictions on cross-directorships.
• Operate with prudence, integrity, and transparency.
• Prohibition of anonymity-enhancing services.

(c) Capital, solvency, and insurance:
VASPs must maintain financial soundness and obtain prescribed insurance cover.

(d) Ongoing obligations:
Robust reporting, data management, business continuity, and whistleblower protection mechanisms.

(e) Notifications and change control:
The CEO must notify the regulator of material events (e.g., insolvency, criminal proceedings, cybersecurity breaches). All ownership or material operational changes require prior regulatory approval.

(f) Cybersecurity and audit:
Annual audits and effective cybersecurity frameworks are mandatory. Client assets must be segregated and protected from creditor claims.

4.3 Board considerations

• Governance integrity: Institute rigorous due diligence for all board and senior appointments.
• Compliance as core function: Embed regulatory compliance into daily operations, supported by internal monitoring and Board oversight.
• Client asset segregation: Prioritize architectural and legal mechanisms to safeguard client holdings.
• Transparency and reporting: Cultivate a compliance culture of proactive disclosure and open communication with regulators.

Part V: Anti–money laundering, counter–terrorism financing, and proliferation financing (sections 32–33)

5.1 Overview

AML/CFT/CPF provisions form the cornerstone of the Act, aligning with FATF standards. Regulators have wide-ranging powers for inspection, data access, and enforcement.

Non-compliance constitutes a criminal offense with significant penalties.

5.2 Strategic context

Given Kenya’s FATF grey listing, regulators will enforce stringent due diligence and monitoring standards. This heightens both regulatory scrutiny and reputational risk.

5.3 Board considerations

• Compliance leadership: Ensure AML/CFT/CPF is governed at Board level and embedded within risk and audit committee oversight.
• Operational investment: Allocate sufficient resources for transaction monitoring, recordkeeping, and reporting systems (e.g., RegTech solutions).
• Personnel: Appoint a competent, empowered Money Laundering Reporting Officer (MLRO) with direct access to the Board.
• Reputational safeguards: Recognize that AML failures carry systemic reputational and legal consequences extending to directors personally.

Part VI: Virtual asset offerings (section 34)

6.1 Overview

This Part introduces a regulated pathway for token issuance and public offerings of virtual assets within or from Kenya.
Issuers must obtain prior approval from the Capital Markets Authority (CMA) before offering or promoting any virtual asset to the public.

6.2 Key requirements

• Eligibility: Only incorporated companies may issue or promote virtual asset offerings.
• Approval process: Formal application and disclosure obligations similar to securities prospectuses.
• Regulatory discretion: The CMA may object to an offering inconsistent with the submitted application or deemed contrary to public interest.

6.3 Board considerations

• Strategic opportunity: Properly structured offerings could serve as innovative capital-raising mechanisms (e.g., tokenized assets).
• Governance oversight: Ensure disclosure accuracy and investor-protection measures mirror those of listed securities.
• Regulatory engagement: Early consultation with CMA will streamline approvals and mitigate reputational risk.

Part VII: (Reserved)

No substantive provisions under the current Act. Boards should remain alert for future amendments introducing prudential or consumer-protection standards under this Part.

Part VIII: Enforcement actions (sections 39–41)

8.1 Overview

This Part empowers regulators with a broad suite of administrative and criminal enforcement tools. Penalties extend to both corporate entities and individual officers.

8.2 Administrative actions

Regulators may:

• Issue formal warnings or remedial directives.
• Restrict or suspend business operations.
• Require removal of directors or senior officers.
• Impose administrative fines (up to KES 10 million for companies).

8.3 Criminal offences and penalties

Penalties are tiered by severity:

Tier	Example Offence	Company Fine	Individual Penalty
1	Illegal share transfer	Up to KES 5 m	Up to KES 3 m / 3 yrs imprisonment
2	False information	Up to KES 20 m	Up to KES 7 m / 3 yrs imprisonment
3	Unlicensed operation or AML breach	Up to KES 25 m	Up to KES 10 m / 5 yrs imprisonment

8.4 Individual liability

Directors, partners, and senior officers who knowingly authorise, permit, or aid an offence are personally liable.

8.5 Board considerations

• Accountability: Document board deliberations and compliance oversight to demonstrate due diligence.
• D&O coverage: Review and, where necessary, enhance directors & officers’ insurance to reflect new statutory exposures.
• Culture of compliance: Foster an enterprise-wide ethic of integrity and escalation to prevent willful or negligent breaches.

Part IX: Miscellaneous and transitional provisions (sections 42–48)

9.1 Key provisions

• Appeals: Decisions by regulators may be appealed to relevant courts or tribunals.
• Access to records: Regulators must be granted real-time, read-only access to transaction data; records must be retained for ≥ 7 years.
• Transitional period: Existing operators have 12 months from commencement to achieve full compliance and licensing.

9.2 Strategic implications

The requirement for regulator access introduces significant systems and data-governance obligations. The transitional year is a non-negotiable compliance window, not a grace period.

9.3 Board considerations

• Implementation program: Oversee a time-bound compliance roadmap with defined milestones and accountability.
• Systems readiness: Ensure IT infrastructure supports secure, regulator-accessible audit trails.
• Legal oversight: Maintain ongoing dialogue with counsel to confirm that transitional measures meet statutory expectations.

Part X: Delegated powers and subsidiary regulations (section 49)

10.1 Overview

The Cabinet Secretary, advised by the regulators, holds power to issue subsidiary regulations covering detailed operational requirements.

10.2 Areas of anticipated regulation

• Application processes and fees.
• Prudential standards (capital, solvency, liquidity).
• Insurance and cybersecurity specifications.
• Tokenization, stablecoin, and ICO procedures.

10.3 Board considerations

• Regulatory monitoring: Establish a standing management process to track new regulations and update policies accordingly.
• Agility in compliance: Maintain flexibility in systems and governance structures to adapt quickly to evolving rules.
• Continuous education: Schedule periodic board briefings to stay abreast of regulatory developments and market benchmarks.

Schedules

First schedule: virtual asset activities and responsible regulators

Activity	Function	Description	Regulator
Wallet Provider	Custody	Manage client private keys	CBK
Exchange	Transfer / Conversion	Facilitate VA-to-fiat or VA-to-VA trades	CMA
Payment Processor	Gateway Services	Enable VA-based payments	CBK
Broker	Brokerage	Execute trades for clients	CMA
Investment Advisor	Advisory	Provide virtual-asset investment advice	CMA
Asset Manager	Portfolio Management	Manage virtual-asset portfolios	CMA
Offering Provider	ICO / Tokenization	Issue or sell new virtual assets	CMA
Stablecoin Issuer	N/A	Create and manage approved stablecoins	CBK

Second schedule: consequential amendments

Amends the Proceeds of Crime and Anti-Money Laundering Act to designate VASPs as reporting institutions, cementing their AML/CFT/CPF obligations.

Board considerations

• Regulatory clarity: Map business lines to the correct regulator to prevent scope confusion.
• Holistic compliance: Integrate AML/CFT responsibilities with those under the primary Act for unified control.

Concluding remarks for the board

The Virtual Asset Service Providers Act, 2025 redefines Kenya’s digital-finance ecosystem.
It demands a compliance-first posture anchored in governance discipline, financial prudence, and technological integrity.

Strategic imperatives

1. Embed compliance governance
   • Elevate regulatory compliance to a board-level agenda item.
   • Establish a dedicated compliance committee or enhance existing audit-risk mandates.
2. Oversee licensing and transition
   • Treat licensing as a structured transformation program with defined deliverables.
   • Align project governance, resources, and timelines to the one-year transition window.
3. Strengthen board and management fitness
   • Enforce continuous “fit and proper” assessments and succession planning.
   • Ensure directors possess relevant digital-asset, risk, and regulatory expertise.
4. Fortify financial and operational resilience
   • Maintain sufficient capitalization, insurance, and cybersecurity coverage.
   • Invest in compliance technology for transaction monitoring and reporting accuracy.
5. Monitor evolving regulations
   • Create a standing mechanism for horizon-scanning regulatory updates.
   • Adapt corporate policies swiftly to emerging prudential or conduct standards.

Closing Note

Successful navigation of the VASP Act requires strategic foresight, disciplined governance, and proactive regulator engagement.
Boards that lead with transparency and compliance maturity will not only meet statutory obligations but also differentiate their organizations as trusted participants in Kenya’s evolving digital-asset economy.