Buy a licensed company 
VASPs live data and insights 
Learn about crypto safety 
Read the latest research 
Kenya Signs the Virtual Asset Service Providers (VASP) Act 2025
Summary
- Licensing is now law and the clock starts when the Gazette drops.
- CBK takes payments and stablecoins while CMA takes markets and investment services.
- Client assets must be segregated and protected from company creditors if the rules are enforced.
- Firms get six months to apply and can operate while pending, but the lift is real.
- Early enforcement will show who is serious and who was riding the gap.
How We Got Here
Kenya ran on warnings for a decade. CBK told banks and the public in 2015 that bitcoin wasn’t legal tender and to steer clear. CMA warned on ICOs in 2018. There were no rules or licenses, just caution and closed doors at banks.
The policy turn started this year. Treasury put a full bill on the table on 4 April 2025. First Reading was on 8 April. Lawmakers passed it on 13 October 2025. Reports say the President signed on 15 October. The start date becomes real when the Kenya Gazette publishes the commencement notice.
And it makes sense. Crypto use kept growing. M-PESA made digital money normal. The vacuum got risky for users and too big to ignore.
What the Law Covers
A VASP is a company, local or foreign with compliance papers, that does an activity in the Schedule. Natural persons can’t run a VASP.
And what sits inside? Exchanges that match trades and move coins or cash if they custody or step in as counterparty; Wallet providers that store assets for clients and help move them; Payment processors and gateways that arrange VA-to-fiat or VA-to-VA. Brokers, investment advisers, asset managers; Tokenisation platforms; Initial offering providers. The Schedule ties these activities to CBK or CMA, sometimes both.
What’s not in are virtual service tokens that only unlock an app and can’t be traded, closed-loop points that can’t leave the issuer’s ecosystem, and NFTs that aren’t used for payment or investment.
The grey area still includes NFTs used as investments or payments, some DeFi fronts land inside if they meet the trading-platform test, but pure P2P chat rooms and listing sites sit outside.
Basically, if you take client assets, match trades, route payments, sell tokens to the public, or manage crypto portfolios in or from Kenya, you are in scope.
The New Rules of Entry
- You need a licence. Apply to the relevant regulator with the forms, fees, and proof you can meet the Act. They can grant with conditions or refuse and must explain a rejection in writing.
- Your licence lists what you’re allowed to do and where you sit. Keep it visible at your main office. It expires on 31 December of the year it’s issued.
- You must be a company with a registered office in Kenya and a Kenyan bank account. Natural persons can’t run this business.
- You put real people on the board. At least two directors. All natural persons. No director can sit on more than one VASP board. You appoint a chief executive for Kenya who passes a fit-and-proper test.
- Leaders must be fit and proper. The test looks at probity, competence, fraud history, solvency, qualifications, and more. Regulators can force action if someone fails.
- Prudential standards apply. Capital, solvency, and insurance levels will be prescribed. Expect minimum net assets if directed by the regulator.
- You file audited financials. Use an approved auditor. Deliver within six months of year-end or sooner if told.
- You build proper systems. Accounting and control records. Policies for obligations under this Act and other laws. Cybersecurity that meets the Computer Misuse and Cybercrimes Act.
If you miss these bars, enforcement follows. Suspensions, licence pulls, and heavy fines are on the table. Directors and senior officers who knew can be tagged too.
Money, Crime, Records
VASPs sit under AML/CFT/CPF supervision. Regulators can vet owners and officers, run onsite exams, demand documents, and issue rules under POCAMLA and the Prevention of Terrorism Act.
Reporting is mandatory. The Financial Reporting Centre sits in this frame and suspicious activity reporting flows through the system. Expect KYC, monitoring, and filings on request.
Breaches escalate through the Act’s penalty ladder and into criminal routes for the worst cases.
In a nutshell, if your monitoring flags a dodgy flow and you fail to file or can’t show records, you’ve broken the Act and the AML laws it ties into. The regulator can turn up, read your books in real time, and decide if you keep the licence while the fines land.
Custody and Client Funds
Your coins are not their balance sheet. That is practically the whole point.
Keep full reserves. A licensed platform must hold enough of each asset to cover what it owes customers. Client assets belong to the client. If the company fails, creditors do not touch them.
The rules allow the ministry to set hard standards for storage, controls, and audits. If a platform shuts down, the regulator oversees the handoff of client assets before sign-off.
And this is important because when a platform mixes balances or bets the treasury, users turn into unsecured creditors. Kenya’s book tries to kill that risk. Full reserves with a clear title and no creditor reach. If a platform cheats, the regulator has hooks to act.
Timelines that Matter
Treasury tabled the bill on 4 April 2025 and the First Reading was on 8 April. Parliament passed it on 13 October and reports say the President signed on 15 October. The clock officially starts when the Gazette publishes commencement. From that day, existing providers have six months to apply and can operate while the licence is pending. Miss the window and you are out of bounds.
Today, at State House, Nairobi, I had the honour of assenting to eight Bills passed by the National Assembly into law.
The Bills are: the National Land Commission (Amendment) Bill, 2023; Land (Amendment) Bill, 2024; and Wildlife Conservation and Management (Amendment) Bill,… pic.twitter.com/wT10DBdOI2
— William Samoei Ruto, PhD (@WilliamsRuto) October 15, 2025
For large exchanges, the clock is short but workable. You need a Kenyan entity, two directors, a local office, a Kenyan bank account, audited financials, working compliance, and systems that can provide read-only, real-time data to the regulator. Integration work and board appointments take time, so those steps start first.
For small OTC desks, the lift is heavier than it looks. You still need a company, governance, bank connectivity, accounting, and an audit trail. Capital and prudential numbers arrive by regulation, which adds uncertainty. Many desks will partner with a licensed platform or close rather than carry the full burden.
What Changes Today for Kenyan Users
On-ramps get cleaner. Most platforms will either line up for a licence or leave. That means fewer mystery sites and clearer terms.
KYC shows up everywhere. You will share IDs, proof of address, and sometimes source-of-funds. Yes, privacy does take a hit, so the trade-off is fewer fly-by-night operators. Custody should get safer if the rules are enforced. Client balances sit apart from company assets with full reserves and clear title.
Fees may and will likely creep up. Compliance, simply put, costs money. Expect a spread or a line item to cover audits, reporting, and local operations. Bank links can get faster if CBK plays ball. Licensed firms with Kenyan accounts are easier to connect. The first months will be messy while banks set a stance. Stablecoin use gets adult supervision. Issuers and payment processors move under CBK. “Weak” coins will struggle to meet the bar.
Some P2P desks will close. Some offshore apps will geo-fence Kenya. But scams get harder to run in public. Your data footprint may grow, and firms must keep records for years. So users will be better off moving long-term holdings to self-custody.
What Changes for Firms
This is a proper licence regime. You run a company in Kenya, not a chat room with a website.
You will have to budget for lawyers, auditors, compliance staff, a local finance function, and vendor tools. You will also have to plan for prudential rules. Capital, solvency, and insurance levels arrive by regulation.
Cybersecurity moves from slideware to requirements. You document controls, key management, incident response, and change management. If you custody client assets, you show storage procedures, reconciliations, and who can touch what. Remember that AML is an ongoing task and not something you do once.
Product scope narrows to what you can defend. If you match trades, move money, advise, issue, or run a tokenisation platform, you sit inside the perimeter. Staking, lending, and yield features get legal review first.
Perhaps one of the best things for users but not necessarily for firms is that marketing also tightens. You can’t be making promises you can’t keep. No public offerings without approval. And you will have to add risk warnings and keep copies of what you publish.
Furthermore, now, liability is personal at the top. Directors and senior officers who knew about violations can be named. Suspension and licence pulls are on the table, not just fines.
So if you build here, build like a proper financial institution. Have compliance in the product, controls in the code, and evidence ready to show.
Winners and Losers
Firstly, let’s examine the winners. Licensed exchanges with cash can carry audits, capital, and a real board. Payment firms with a CBK track record already have rails and bank trust. Telco-adjacent fintechs understand mobile money habits and can slot crypto payments into daily use. Global custodians sell segregation and safekeeping as core value. Local brokers that partner with a licensed shop keep clients and offload heavy compliance. Banks with a clean risk appetite get steadier fiat ramps. Audit firms and reg-tech vendors sell proofs, logs, and monitoring to everyone.
Now the losers. Thin-margin P2P desks lose because a licence and a Kenyan bank account kill the spread. Shadow broker chats lose because suspicious flow reporting turns their edge into a risk. Telegram escrow loses because custodial roles sit inside the perimeter and anonymous operators cannot pass fit-and-proper. Offshore apps that will not open a Kenya entity will geo-fence instead. ICO launch factories lose because prior approval and offering rules block the quick flip. Small wallets that hold customer funds without controls lose because custody is now a regulated promise.
There is a middle, of course. Local shops that partner may survive. They keep service, language, and on-the-ground trust while the licensed partner holds custody and market access.
Kenya vs. the Neighborhood
South Africa got there first and did it by slotting crypto into existing law, licensing CASPs as financial services providers under FAIS, pushing Travel Rule compliance through the FIC, and approving hundreds of licenses over 2023-2024. Kenya’s play is a stand-alone act with a split mandate: CBK for payments and stablecoins, CMA for markets and investment services.
The feel is closer to the EU’s MiCA on structure and custody rules (segregated client assets, fit-and-proper leadership, prudential hooks), though MiCA runs on an EU passport with strict stablecoin categories and heavier rulemaking still rolling out.
Kenya now sits between South Africa’s retrofit and the EU’s full framework, with enough overlap to attract serious firms if the details land cleanly.
The Holes
Taxes sit in the Finance Bill. How will KRA treat trading gains, staking, airdrops, and tokenised assets, and what rates apply to retail vs firms?
Also, prudential numbers are not fixed. What capital, solvency, and insurance levels will CBK and CMA set, and how will they scale with custody?
When does a chat admin or middleman become a regulated custodian if escrow is still grey in legal terms when trades route through P2P?
What about DeFi? If a front-end routes orders to smart contracts, who is the operator?
The bill implies that NFTs depend on use. When does a collection used for yield, fractional sales, or payments actually become a virtual asset offering?
If cross-border stablecoin flows are the stress test, will CBK cap which coins can be used and how do issues prove reserves?
And what about privacy? How will firms protect privacy while meeting live read-only requests and proving access stayed read-only?
And there is no clear mention or foreign licenses. Will recognition exist for South Africa or EU licenses? Or myst everyone start from zero?
Marketing and advice also need more detail. What actually triggers “investment advice” for all the influencers and affiliates and shillers, and what must these ads carry in terms of warnings?
How do complaints move, how fast must refunds or asset returns happen, and who pays when a platform error locks funds?
These and a lot more questions need to be answered in order to have a clear framework.
Enforcement Teeth
CBK and CMA can warn, direct, vary licence conditions, suspend, or pull the licence if you breach the Act, operate outside permissions, feed bad info, or put clients at risk. Notices are required and suspensions or revocations get published.
They can inspect on site, run off-site surveillance, demand documents, compel information for AML and counter-terror rules, and impose administrative or civil sanctions. They can issue binding guidance and coordinate with other agencies.
The penalty ladder includes escalating administrative fines with daily continuing fines, plus any other enforcement action the authority thinks is appropriate.
The criminal ceiling is up to KES 10 million for an individual or KES 20 million for a company, with extra daily fines if you keep going after conviction. Prison time is in play for some offences.
The most obvious example would be something along these lines. You run an exchange without a licence and keep a Kenya office. Regulators can show up, pull your books, publish your name, suspend the operation, and push for KES 20 million on the company with continuing daily fines. Your directors do not hide behind the logo.
The Politics Behind the Law
Leaders sell this as a gateway into Africa, tied to a young population that already lives on phones. The culture that M-PESA built makes crypto feel like a natural next step.
But the reality is a whole lot messier. CBK wants payments and stablecoins. CMA wants markets and anything that looks like an investment product. But many products sit in both buckets. If coordination holds, Kenya looks open and serious. If it breaks, firms get mixed signals and users get friction, and we have already seen what mixed signals can do to a region (i.e. MiCA).
Nonetheless, Kenya just gave crypto a legal home and a set of locks. The law unlocks clean on-ramps, safer custody, and bankable rails. It also restricts the shadow market and pushes every serious player into audits, capital, and live data access. But it can easily break on turf fights, weak enforcement, or rules that price out local builders. So naturally, the next few months decide which way it leans.
“A strong and overdue step for Kenya’s digital-asset ecosystem. The Act brings structure, accountability, and investor protection while signaling the region’s readiness for regulated innovation. Implementation will determine how well this balance holds.”
Frequently Asked Questions (FAQ)
When do the rules start to bite?
When the Gazette publishes commencement. From that day, the six-month window opens and existing providers must file.
Can I still use my current exchange?
If they apply, yes, while the licence is pending. If they do not, expect geofencing or a shutdown.
Will fees go up?
Most likely. Compliance and audits cost money. Some shops will add a spread or a line item. Compare total cost, not banner rates.
What happens to P2P?
Informal desks that touch custody or payments get pulled inside. Pure bulletin boards can stay outside, but the room to operate is smaller.
Are stablecoins allowed for payments?
Yes, under CBK oversight. Issuers and processors face rules on reserves, disclosures, and flows. Weak coins will struggle to pass.
How should I hold long-term coins?
Licensed platforms should be safer for trading balances. For long holds, self-custody still makes sense if you can manage it.
