President William Ruto signed Kenya’s Virtual Asset Service Providers Act into law in October 2025, ending what regulators had taken to calling the “wild west” era of crypto in East Africa’s largest economy. The signing was part of a package of eight bills assented to simultaneously — an administrative detail that understated the significance of what changed. Kenya became one of the first African nations to establish a comprehensive, unified legal framework for digital assets, and every crypto business operating in or from Nairobi now has a compliance clock running.
For founders, the question is no longer whether to comply. It is how.
Who the VASP Act Targets — and Who It Leaves Alone
The VASP Act’s design philosophy is specific: it regulates companies, not crypto. Individual users who self-custody Bitcoin, hold private keys, or transact peer-to-peer are explicitly outside its scope. The law draws a regulatory fence around commercial intermediaries — the exchanges, custodians, brokers, and platform operators that handle customer assets.
The licensed categories are comprehensive. Virtual asset exchanges and trading platforms — both centralized and certain decentralized platforms that hold custody or market-make against clients — require a license. Custodians and wallet providers controlling customer keys must comply with capital adequacy, segregation, and auditing requirements. Investment advisors and portfolio managers handling client digital asset portfolios fall under Capital Markets Authority oversight. Token issuers offering digital assets or conducting real-world asset tokenization must register with the CMA. Escrow operators and payment gateways processing crypto transactions are included. So are stablecoin issuers.
If your business touches customer funds or assets in any of these categories, the VASP Act applies to you. If you are a developer building self-custody tools, or a user trading on your own behalf, you fall outside the Act’s perimeter — for now.
The Regulators: CBK and CMA
The Act designates two primary regulatory bodies, and the boundary between them matters for compliance strategy. The Central Bank of Kenya takes jurisdiction over payment-related virtual asset services — payment gateways, stablecoin issuers, and any VASP whose primary activity resembles a payment service. The Capital Markets Authority governs investment and trading activities — exchanges, custodians, portfolio managers, and token issuers.
The Cabinet Secretary for the National Treasury holds residual power to designate additional regulatory bodies in the future. That clause matters for founders planning ahead: the regulatory perimeter is not fixed. As new product categories emerge — DeFi protocols, NFT marketplaces, tokenised real-world assets — Treasury can extend oversight without new legislation.
What Compliance Actually Requires
The VASP Act imposes five core obligation categories on licensed entities, each with operational implications.
Fit and proper assessment is the first gate. Company directors, senior officers, and beneficial owners must pass regulatory scrutiny before a license is granted and as a condition of renewal. This means full disclosure of ownership structures, documented evidence of professional competence, and clean criminal and regulatory records. For founders who have operated in grey markets or under ambiguous regulatory regimes in other jurisdictions, this is the most consequential hurdle.
Customer asset protection is the second. Licensed VASPs must maintain sufficient reserves of each crypto asset type to meet customer obligations — a reserve requirement analogous to banking liquidity rules. Client assets must be segregated from the company’s own holdings. Co-mingling is not permitted. Custodians that have operated without these disciplines in the informal market will need significant operational restructuring.
Capital and solvency requirements form the third pillar. The precise capital floors are set through subsidiary regulations rather than the Act itself — meaning the CBK and CMA will publish detailed requirements that founders need to monitor as they emerge. The Act’s language around solvency and insurance creates an expectation of meaningful financial substance, not a nominal registered presence.
AML/CFT controls are the fourth requirement and carry the highest enforcement risk for non-compliance internationally. All licensed VASPs must implement Anti-Money Laundering and Counter-Financing of Terrorism programmes — including Know Your Customer processes, transaction monitoring, suspicious activity reporting, and sanctions screening. Kenya’s Financial Reporting Centre is the designated authority for AML/CFT oversight in the VASP sector. Given that Kenya ranks among the top three crypto markets on the continent by peer-to-peer trading volume, the FRC’s enforcement capacity will be tested quickly.
Physical presence and record-keeping are the fifth set of obligations. Every licensed VASP must maintain a registered physical office in Kenya — not a post box or virtual address. Record-keeping requirements are extensive and carry multi-year retention obligations. This is a meaningful operational cost for lean startups that previously operated distributed or remote-first.
The Compliance Timeline Founders Need to Know
The VASP Act does not create an immediate shutdown risk for operating businesses. Kenya’s legislative tradition in financial regulation is to build in grace periods for existing operators to regularise their status. However, operating without a license after the grace period expires is now explicitly illegal under Kenyan law, and the enforcement powers available to the CBK and CMA include fines, license revocations, and criminal referral.
The practical compliance sequence for a Kenya-based crypto business is: determine which regulatory category applies to your product, identify whether you report to CBK or CMA, and begin the license application process. The CMA has published guidance on its VASP application requirements. The CBK is expected to publish subsidiary regulations covering capital requirements and payment-specific obligations in the first half of 2026.
For founders operating cross-border platforms that serve Kenyan users from outside the country, the picture is less clear. The Act’s territorial scope extends to any entity “conducting digital asset business in or from Kenya” — a formulation broad enough to capture foreign platforms with significant Kenyan user bases. How the CBK and CMA will interpret and enforce this provision against offshore platforms is the most significant legal uncertainty remaining.
The Bigger Picture: Nairobi’s Gateway Ambition
Kuria Kimani, chair of Kenya’s Parliamentary Finance Committee, told Reuters at the time of the Act’s passage that Kenya aimed to become “the gateway into Africa” for digital assets. That ambition connects to a broader pattern of Nairobi positioning itself as the continent’s most regulated — and therefore most credible — fintech jurisdiction. The M-PESA precedent looms large: Kenya’s willingness to give mobile money regulatory space in 2007 created the infrastructure that now drives over $50 billion in annual M-Pesa transactions.
The VASP Act attempts the same move for crypto: regulate early, regulate clearly, and attract the serious capital and serious operators that clear rules enable. Whether Nairobi can execute on that ambition depends not just on the quality of the legislation — which is genuinely solid — but on the capacity of the CBK and CMA to license and supervise a complex and fast-moving sector without strangling innovation in the process.
For founders, the compliance burden is real. The alternative — operating in regulatory uncertainty with the risk of sudden enforcement action — is worse. Nigeria’s experience with Binance and crypto exchanges in 2024 demonstrated what happens when a major African market decides to act against unregulated crypto players without a framework in place: market disruption, operator exits, and user harm without a regulatory structure to manage the fallout.
Kenya chose a different path. The compliance work starts now.
