VASP licensing in Kenya is now a question of statute, not policy. The Virtual Asset Service Providers Act, 2025 (Act No. 20 of 2025) commenced on 4 November 2025 and sets out, in black and white, who may run a crypto exchange, a custodian, a stablecoin issuer, a token issuance platform or a virtual asset payment gateway in or from the country. The catch is that the lights are not yet fully on. The licensing channel itself sits behind subsidiary Regulations that the Cabinet Secretary for the National Treasury has not yet gazetted, and the Central Bank of Kenya and the Capital Markets Authority have jointly confirmed that no VASP has been licensed and licensing will only begin once those Regulations are issued. This guide explains what the Act actually does, what is already binding on every Kenyan crypto business today, and what is still pending so you can plan around the transitional window that closes on 4 November 2026.

What Kenya’s VASP Act 2025 does, in plain English

The Act is short, structural and activity-based. Its stated purpose, in section 3, is “to provide for the legislative framework to license and regulate the activities of virtual asset service providers in and from Kenya.” Three features matter.

First, it does not create a new regulator. Section 5 designates the Capital Markets Authority and the Central Bank of Kenya as the two “relevant regulatory authorities”, with a residual power for the Cabinet Secretary to designate further bodies by Kenya Gazette notice. There is no standalone “VASP Authority”.

Second, it licenses activities, not firms. The First Schedule lists eleven virtual asset activities and assigns each one to either CBK or CMA. A business that wants to run a wallet and an exchange will need two licences from two regulators, not one combined VASP licence.

Third, it pairs the new licensing regime with consequential amendments to the Capital Markets Act, the Central Bank of Kenya Act, the National Payment System Act and the Proceeds of Crime and Anti-Money Laundering Act (Cap. 59A). The most consequential of these, for any operating crypto business today, is the POCAMLA amendment that makes every VASP a “reporting institution” from 4 November 2025. More on that below.

The Act commenced on 4 November 2025 by a single commencement date on the face of the gazetted text. There is no part-by-part appointed-day mechanism. Every Part of the Act is therefore in force, including the prohibition on unlicensed operation in section 8(2) and the transitional one-year compliance window in section 47.

Who counts as a VASP (definitions plus activities caught)

Two definitions in section 2 do the heavy lifting.

A “virtual asset” is “a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes and does not include digital representation of fiat currencies, securities and other financial assets”. That definition catches most cryptocurrencies, stablecoins (which have their own sub-definition), tokenised real-world assets and most utility-token-like instruments. It carves out fiat (including any future central bank digital currency), securities and other financial assets, which remain in their existing regimes.

A “virtual asset service provider” is “a company licensed under this Act to carry on the business of virtual asset services”. Two points read into that definition tightly. Only a company qualifies (read with section 8 eligibility, which requires “a company limited by shares registered under the Companies Act or a foreign company limited by shares and registered under the Companies Act (Cap. 486)”). And the VASP label attaches only once licensed. Operating without a licence is captured separately.

The actual scope is set in the First Schedule, which the Act describes as the operative list of “virtual asset services”. The eleven heads, with the regulator assigned to each, are:

Section 4 then carves out five categories that fall outside the Act entirely: genuine closed-loop loyalty or utility points; digital representations of fiat currency issued by CBK or any other central bank; non-fungible tokens not used for payment, investment or any other financial purpose; non-fungible tokens that, “by [their] nature and function rather than the designation given by [their] issuer, [are] not used for payment or investment purposes”; and anything CBK or CMA expressly excludes by Gazette. Section 4(3) adds a separate carve-out for “virtual service tokens”, pure utility tokens that only unlock the issuer’s own service.

The substance-over-form NFT carve-out in section 4(2)(d) is the one Kenyan founders most often misread. Calling an instrument an “NFT” will not save it from licensing if it functions like a security, a payment instrument or a stablecoin. Regulators will look at function, not labels.

The territorial reach is wide. Section 3 covers activity “in and from Kenya”, and section 8(2) extends to anyone who “carries on, or purports to carry on” virtual asset services or “holds itself out as carrying on that business in or from Kenya”. A foreign-incorporated platform that targets or onboards Kenyan customers is in scope.

The dual regulator: CBK and CMA

The split between the two regulators is per activity, not per firm. CBK supervises the payments rail: custodial wallets, payment processors and stablecoin issuance. CMA supervises the markets rail: exchanges, trading and clearing platforms, brokers, investment advisors, asset managers, ICOs and virtual asset offerings, tokenisation and token issuance platforms.

That has three immediate consequences for how a Kenyan business plans its licensing. A combined wallet-plus-exchange business needs two licences. A stablecoin issuer that also runs the on-chain transfer rails needs CBK for issuance and could need CMA for any conversion or exchange feature. A “broker-dealer” that custodies client coin on the side needs both a CMA broker licence and a CBK custody licence.

The Cabinet Secretary may by Gazette notice designate other bodies as further regulators under section 5(c). For now, the regime is dual.

Section 6 spells out what the regulators may do: license, regulate, supervise and monitor, issue directions and enforcement actions, publish guidelines, cooperate with supervisors and investigating authorities, and “ensure financial soundness and stability of the financial system in respect of matters falling under this Act”. Section 7 gives the guiding principles: financial stability, market integrity, fostering innovation, and preventing conduct that damages the financial reputation of Kenya. The “foster innovation” anchor in section 7(c) is the legitimate basis for any future sandbox or no-objection request, when the regulators publish those tracks.

How the application process works

The mechanics live in section 10.

The applicant must be a company limited by shares, Kenyan or foreign, registered under the Companies Act (Cap. 486). Sole proprietors, partnerships, unlimited companies and trusts cannot hold a VASP licence directly.

The application goes to the regulator that matches the activity in the First Schedule. So a custodial wallet applies to CBK, an exchange applies to CMA, and a business doing both files two applications.

Under section 10(2), the application must be “in the manner and shall be accompanied by such fee as may be prescribed by the Cabinet Secretary”. The form, the supporting bundle and the application fee live in the Regulations. The Regulations are not yet gazetted.

Section 10(6) lists what the regulator must consider, which in practice is the structure of any serious application file. The applicant must show that it is eligible under section 8, that its personnel have the necessary skills and experience, that it can meet the Act’s requirements, that it can comply with consumer protection and data protection laws, that it can meet financial obligations including insurance, capital and solvency, that its directors and senior officers are fit and proper under section 18, that it meets cybersecurity standards under the Computer Misuse and Cybercrimes Act (Cap. 79C), that it has specified physical premises or data solutions the regulator deems suitable for accessing and retaining records, that its grant is in the public interest having regard to size, scope and complexity, and that it has complied with the Regulations.

The regulator may grant a licence “with or without conditions” or reject the application. Refusals must be written and reasoned (section 10(4)). Grants must be published in the Kenya Gazette within thirty days (section 10(7)). Applicants must notify the regulator of any change to information supplied within fourteen days (section 10(8)). Knowingly or recklessly providing false information at the application stage is an offence under section 40(2).

The Act does not impose a “decide within X days” turnaround on the regulator itself. [GAP: a statutory decision window is delegated to Regulations under s.49(2)(b) and is not yet gazetted. Until then, no firm SLA on regulator turnaround exists.]

If your business is already supervised in another sector (a payment service provider, a securities intermediary, a bank), section 11(k) requires a no-objection from the existing regulator before the VASP licence can be granted.

Capital, fit-and-proper, and the rest of the eligibility bar

Section 11 supplies the substantive assessment matrix. The regulator must weigh the size, scope and complexity of the service, the underlying technology, the applicant’s expertise, its AML/CFT/CPF procedures, its data protection systems, the risks the service poses to clients and the financial system, the applicant’s net worth, source of funds, capital reserves and financial stability, the likely impact on financial services in Kenya, the likelihood of promoting innovation and competition, the fit-and-proper status of directors and senior officers, and “if the applicant’s beneficial owners are fit and proper persons to have such ownership or control”.

Fit and proper is governed by section 18. The test applies to directors, senior officers and “such other person” the regulator names. The factors are wide: probity, competence, experience and soundness of judgment, diligence, educational and professional qualifications, knowledge of legal and professional obligations, evidence of dishonesty or fraud offences, evidence of any prior contravention of virtual asset law, and financial standing integrity. Section 11(j) extends the same test to beneficial owners at the licensing stage. Section 32(2)(a) extends it again, for AML purposes, to “significant shareholders, beneficial owners, directors, senior officers”. The CEO is a separately approved person under section 30 and needs prior regulator approval to be appointed.

Section 19 requires every VASP to “maintain a physical office in Kenya where its business activities are carried out”. A pure offshore operating model with a virtual presence does not work.

Section 20(1) requires at least three directors, all natural persons, and caps any one director at sitting on no more than two VASP boards.

Section 22(1) requires the VASP to “at all times maintain its business in a financially sound condition by complying with such capital, solvency and insurance requirements as may be prescribed”. Section 24(b) reinforces the duty to “maintain and hold the prescribed capital requirements”. The actual KES figures sit in the Regulations under section 49(2)(i)(vi) and section 49(2)(j). The Act expressly contemplates different figures for different activity types.

[GAP: minimum paid-up capital amounts per licence category (exchange, custodial wallet, broker, manager, advisor, payment processor, offering provider, tokenisation, token issuance platform, stablecoin issuer) are not in the Act. They are delegated to Regulations under s.49(2)(i)(vi). As of 30 May 2026, no Legal Notice gazetting those Regulations has been published on Kenya Law. Do not rely on any specific shilling figure quoted in advisory or media commentary until the Regulations are gazetted.]

[GAP: insurance minimums per licence category are delegated to Regulations under s.49(2)(j) and not yet gazetted.]

Conduct of business: client assets, custody, reporting

The conduct-of-business backbone is in sections 19 to 31, with section 44 on records.

Section 21 is the integrity provision. A VASP must conduct its business “with integrity at all times” and, specifically, “shall not undertake mixer or tumbler services or anonymity-enhancing services”. Operating a mixer, a tumbler or an anonymity-enhancing service in or from Kenya is a criminal offence under section 40(3). This bites CoinJoin-style architectures and privacy-coin services directly.

Section 24 is the omnibus list of ongoing duties: provide services honestly and fairly, maintain prescribed capital, manage conflicts, have adequate technological, financial and human resources, comply with the full range of AML/CFT/CPF preventive measures including targeted financial sanctions, have annual audited financial statements, safeguard client virtual assets, open and operate a Kenyan bank account, ensure data is recorded, stored, protected and transmitted “in accordance with laws in Kenya”, ensure marketing is fair, accurate, transparent and not misleading, plan for business continuity and disaster recovery, run a customer complaints mechanism, protect whistle-blowers, and take reasonable steps to prevent market abuse.

Section 31 is the segregation provision and, for any custodian, the most important clause in the Act. A VASP must “maintain, in its custody, a sufficient amount of each type of virtual asset in order to meet the licence holder’s obligations to the customer”, “meet the prescribed financial requirements relating to the virtual asset”, “segregate holdings of virtual assets on behalf of their clients from their own holdings or property, and from any other non-client virtual assets”, and “not subject the virtual asset to the claim of creditors of the licence holder”. In plain English: client crypto is bankruptcy-remote, fully reserved per token type, and held off the licensee’s balance sheet. The trust-account or sub-wallet architecture must be designed around this from day one.

Section 29 requires annual audited financial statements by an approved auditor, filed with the regulator within three months of the financial year end. Section 29(4) lets the regulator commission an ad-hoc audit at any time.

Section 44 governs records. On the regulator’s request, the VASP must give “online or automated real time read-only access to both its client’s and its own virtual asset transaction records”. Client and house transaction records must be kept “at its principal place of business for a period of not less than seven years”.

Section 25 places a personal statutory duty on the CEO to notify the regulator of eleven categories of adverse events. The list includes insolvency or likely insolvency, breach of the Act, material changes to the business or banking arrangements, likely or actual change of ownership, pending civil suits, cessation of the licensed business, resignation of directors or senior officers, and “a cyber-security incident”. A written report with mitigation steps must follow within seven working days.

Section 27 makes share issues and transfers in a VASP regulator-approved transactions. Listed VASPs can be exempted, but must still notify on any acquisition crossing 10% of issued share capital or voting rights, at the licensee or parent level.

Section 13 fixes the licence year as the calendar year: “A licence issued under this Act shall be valid from the date it is issued and shall expire on the 31 December of the year it is issued.” That structurally creates an annual renewal cycle. [GAP: the renewal procedure, renewal fee and any pro-ration rule for a licence issued late in the calendar year sit in Regulations under s.49(2)(c) and are not yet gazetted.]

Section 15 lists the grounds for suspension, variation or revocation: failure to comply with the Act, operating outside the licence, false or misleading information, fraudulent or misleading marketing, or a threat to the interests of clients. The regulator must give prior written notice with grounds, and must publish the action in the Kenya Gazette and on its website.

Section 16 governs surrender. A VASP that wants to exit must file a board resolution, a wind-down plan, an arrangement for client assets, a client notification plan and a declaration that liabilities have been discharged. The regulator supervises the surrender and may issue directions to protect customers during the wind-down.

Section 43 sets the appeal route. A refusal, an amendment, a revocation, a suspension or an enforcement action is appealable to “a court of law, a tribunal or a committee established by a written law of competent jurisdiction in Kenya”. The Act does not name a single bespoke VASP Tribunal. [GAP: in practice, CMA-stream decisions are a likely candidate for the Capital Markets Tribunal under the Capital Markets Act and CBK-stream decisions for the appellate body specified under the relevant CBK legislation, with the High Court as the residual venue. This is a practical inference, not a statutory route, and should be confirmed for each specific decision before any notice of appeal is filed.]

AML and CFT: VASPs as reporting institutions under POCAMLA

This is the part of the regime that is already live, regardless of whether the VASP Regulations have been gazetted.

The Second Schedule to the VASP Act amended the Proceeds of Crime and Anti-Money Laundering Act (Cap. 59A) by inserting virtual asset service providers into the core definition of “reporting institution”. Section 2 of POCAMLA now reads “‘reporting institution’ means a financial institution, designated non-financial business and profession or a virtual asset service provider”. That single amendment dragged the entire POCAMLA reporting-institution regime onto every Kenyan VASP from 4 November 2025.

The operational consequences are concrete.

Customer due diligence is mandatory. Section 45(1) of POCAMLA requires a reporting institution to “identify and verify any applicant seeking to enter into a business relationship with it or to carry out a transaction or series of transactions with it” by “requiring the applicant or customer to produce an official record reasonably capable of establishing the true identity of the applicant or customer”. Section 45(3) extends risk-based CDD to existing customers. Anonymous onboarding is over.

Ongoing monitoring is mandatory. Section 44(1) requires monitoring of “all complex, unusual, suspicious, large or such other transactions as may be specified in the regulations, whether completed or not”.

Suspicious Transaction Reports must be filed with the Financial Reporting Centre within two days of suspicion arising, under section 44(2).

Cash Transaction Reports above the Fourth Schedule threshold must be filed “whether they appear to be suspicious or not”, under section 44(7). The Fourth Schedule (read with section 44(3) of POCAMLA) fixes the trigger: “A reporting institution shall file reports on all cash transactions exceeding US$ 15,000 or its equivalent in any other currency carried out by it.” That figure was inserted by the Schedule to Act No. 10 of 2023 and is hard-coded in the Schedule itself, not delegated to FRC regulations. Section 44(6) closes the loop: the duty applies “whether they appear to be suspicious or not.”

Records must be kept for at least seven years from the completion of the transaction or the end of the customer relationship, under section 46(1) and 46(4).

Internal controls and a Money Laundering Reporting Officer are mandatory, under section 47.

Separate registration with the Financial Reporting Centre is mandatory, under section 47A. That is in addition to the VASP licence. Failing to register with the FRC is itself a criminal offence under section 47A.

Section 32 of the VASP Act then layers the regulator’s AML supervisory toolkit on top: vetting of significant shareholders, beneficial owners, directors and senior officers, onsite inspection, offsite surveillance, consolidated supervision of the group, production of documents, monetary, civil or administrative sanctions, and information sharing with other regulators.

Read together, the VASP Act and POCAMLA mean that even before any VASP has been issued a single licence, every Kenyan crypto business that meets the definition of a VASP is already a reporting institution with full CDD, monitoring, STR, CTR, MLRO and FRC-registration duties.

For broader anti-money-laundering and compliance support, see Fintech lawyer Kenya.

Data protection: where the DPA bites a VASP

A VASP holds national IDs, passports, addresses, transaction histories, wallet addresses, IP logs and counterparty data. Almost all of that is personal data. The Data Protection Act (Cap. 411C) treats the VASP as a “data controller” under section 2, defined as “a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data”, and frequently also as a “data processor” when it handles data on behalf of other parties.

Section 18(1) of the Data Protection Act is the gateway: “no person shall act as a data controller or data processor unless registered with the Data Commissioner.” Registration with the Office of the Data Protection Commissioner is therefore a precondition for processing any personal data, on top of the VASP licence and the POCAMLA registration with the FRC.

For the registration itself and the ongoing DPA compliance overlay, see ODPC registration service Kenya and the deeper coverage on Data protection lawyer Kenya.

Section 24(i) of the VASP Act reinforces the point by requiring every VASP to “ensure that recording, storing, protecting and transmission of the data processed by it is in accordance with laws in Kenya”. That is a direct statutory hook back into the Data Protection Act regime.

In practice, a Kenyan VASP runs three parallel registrations: the VASP licence with CBK or CMA (or both), the reporting-institution registration with the Financial Reporting Centre under POCAMLA, and the data-controller registration with the Office of the Data Protection Commissioner.

Tax: how virtual assets and VASP earnings are taxed in Kenya right now

The tax regime around virtual assets in Kenya has just been rewritten and a lot of online commentary is out of date.

The 3% Digital Asset Tax that the Finance Act 2023 inserted as section 12F of the Income Tax Act was repealed by the Finance Act 2025. The consolidated Income Tax Act (Cap. 470) as in force on 1 January 2026 records section 12F as “[Repealed by Act No. 9 of 2025, s. 8]”. Anyone still quoting a 3% gross-value Digital Asset Tax in 2026 is citing repealed law.

The replacement is on the indirect-tax side. The First Schedule, Part II of the Excise Duty Act (Cap. 472), as inserted by the Finance Act 2025 (Act No. 9 of 2025), s.46, provides that “Excise duty on fees charged on virtual assets transactions by virtual asset providers shall be ten percent of the excisable value.” The tax is on the platform’s fee, not on the gross transfer value. That is a materially different incidence and a materially smaller base than the regime it replaced.

[GAP: the filing cadence under the Tax Procedures Act, the registration mechanics with KRA, and the question of whether the platform remits or passes the duty through to the customer require a focused Tax Procedures Act pass before publishing client-facing figures. Treat the rate as confirmed at 10% of fees, treat the mechanics as a separate workstream.]

On capital gains, there is no bespoke statutory crypto capital-gains regime in the current consolidated law. Section 3(2) of the Income Tax Act lists chargeable classes of income, and none of those classes expressly names virtual or digital assets following the section 12F repeal. Gains on the disposal of crypto may still fall inside general income-tax principles depending on the facts (trading versus investment), but treatment will depend on the specific transaction and the taxpayer’s profile.

For founders and treasury teams structuring around this, the headline is: one live transaction tax (10% excise on platform fees), one repealed transaction tax (the old 3% digital asset tax), and an open question on capital gains that turns on facts. See Fintech lawyer Kenya for transaction-by-transaction tax structuring on a specific business model.

What it costs and how long it takes

Our fee depends on two things: how much of the journey we handle (advisory, application drafting, lodgement with the regulator, ongoing compliance support after grant), and the scope of the VASP business (a single-product custody-only operation versus a multi-product exchange plus custodian plus transfer agent, possibly with stablecoin issuance on top).

A founder doing one CBK custodial wallet licence with a clean fit-and-proper file and an existing Kenyan company will run a very different fee profile from a foreign exchange group that needs to register a Kenyan subsidiary, sit two parallel licence applications (CBK custody plus CMA exchange), restructure ownership for the section 27 share-approval regime, and stand up the AML, data protection and audit functions from scratch.

We will not quote a fee blind. We will scope the work, agree the deliverables and the milestones, and give you a fixed or capped fee against that scope. Book a consultation and we will price your file properly.

The official application fee and the official annual fee, on the regulator side, are not yet known. [GAP: section 10(2) and section 49(2)(c) of the VASP Act delegate all fees to Regulations made by the Cabinet Secretary for the National Treasury. As of 30 May 2026, no Legal Notice gazetting the VASP Regulations has been published on Kenya Law. Do not assume any specific KES application fee or annual renewal fee until the Regulations are gazetted.]

On turnaround, the Act does not bind the regulator to a specific decision window. Once a grant is made, the regulator must publish it in the Kenya Gazette within thirty days under section 10(7), and applicants must notify the regulator of changes to information within fourteen days under section 10(8). Beyond that, [GAP: any statutory or guideline turnaround for the regulator to decide an application will sit in the Regulations under s.49(2)(b) and is not yet gazetted].

The regulations gap (where the law is still being finished)

This is the section that catches more founders out than any other. The VASP Act is in force. The VASP Regulations are not.

Three pieces of public-record evidence anchor that statement.

First, the joint public notice issued by the Central Bank of Kenya and the Capital Markets Authority on 18 November 2025 stated, in terms, that “neither agency has licensed any VASPs to operate in or from Kenya under the new law”, that the Cabinet Secretary for the National Treasury “in consultation with the CBK and CMA is still developing regulations to provide further guidance and facilitate implementation of the VASP Act”, and that “the licensing of VASPs will commence upon issuance of these Regulations”.

Second, the National Treasury issued a public notice on 17 March 2026 inviting comments on “the draft Virtual Asset Service Providers Regulations, 2026 and Regulatory Impact Statement”. Public participation ran to 10 April 2026. The Treasury notice expressly described the instrument as draft.

Third, a Kenya Law search across legislation, gazettes and legal notices for “Virtual Asset Service Providers Regulations 2026” returns zero hits at the legislation and gazette-notice level as of 30 May 2026. Only the parent VASP Act (Act No. 20 of 2025) and the 2025 VASP Bill appear. No Legal Notice making Regulations under the VASP Act has been gazetted.

Three more housekeeping observations on the regulators’ own posture. CBK has not issued any virtual-asset circular since Banking Circular No. 14 of 2015 on Bitcoin, which predates the VASP Act. The CMA media page and the CMA Regulatory Sandbox page contain no guidance, sandbox criteria or public notice addressing VASPs, virtual assets, tokenisation or stablecoins. Neither regulator has yet published the register that section 17 contemplates, because no licences have been granted.

The practical translation is harsh and worth saying plainly. As of 30 May 2026, you cannot get a VASP licence in Kenya, full stop, because there is nothing to apply on. The licensing window will open when the Regulations are gazetted and the two regulators publish their forms, fees and prudential thresholds. Anyone today marketing themselves as a “CBK-licensed VASP” or a “CMA-licensed VASP” is, on the regulators’ own joint notice, misrepresenting.

[GAP: whether the National Treasury has, post 10 April 2026, submitted the Regulations to Parliament under the Statutory Instruments Act for the scrutiny period, and whether revised post-consultation text has been published, is not yet visible on the Treasury, CBK or CMA public pages.]

Penalties for operating without a license

The penalty structure for unlicensed operation is the largest in the Act.

Section 8(2) creates the prohibition: “A person shall not carry on, or purport to carry on, the business of virtual asset services, or hold itself out as carrying on that business in or from Kenya, unless that person is licensed to do so by the relevant regulatory authority under this Act.”

Section 8(3) makes contravention an offence. Section 40(3) sets the penalty: “in the case of an individual, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both; in the case of a company, to a fine not exceeding twenty-five million shillings.”

Three offences sit inside section 8(2): carrying on the business, purporting to carry on the business, and holding out (marketing the service) in or from Kenya. All three carry the same penalty band.

Section 41 of the Act pulls individual leadership into the same penal exposure. It reads: “Where any offence or contravention against this Act is committed by a licensee, a director, partner or any senior officer of the licensee who knowingly authorised, permitted or aided in the commission of the offence that individual also commits the contravention or offence and; is liable for any criminal, civil or administrative penalty to which the licensee is liable under this Act.” Three observations matter for personal-exposure planning. First, the class is “a director, partner or any senior officer.” Second, the mental element is knowingly plus one of three acts (authorised, permitted, or aided), so a pure negligence or “I didn’t know” defence is on its face available, which is a deliberately narrower hook than the classic Kenyan “consent, connivance or neglect” formula in the Companies Act. Third, once triggered, the same penalty exposure that attaches to the licensee attaches to the individual: criminal, civil, or administrative.

The transitional window in section 47 reads: “Upon the commencement of this Act, any person providing virtual asset services shall, within one year of the commencement, comply with the provisions of this Act.” Commencement was 4 November 2025. The window therefore closes on 4 November 2026.

That creates a live regulatory cliff. As of the date of this guide, the transitional window has 158 days to run and the licensing channel is not yet open. If the Regulations are not gazetted and the application process is not stood up before the window expires, any incumbent provider faces a structural choice: either prepare to file the moment the channel opens and document its good-faith effort, or wind down the Kenyan-facing service before 4 November 2026.

The section 40(3) penalty (KES 25,000,000 for the company, KES 10,000,000 and five years for individuals) is the cost of getting that call wrong.

Mistakes that get a VASP application rejected or trigger enforcement

Drawing on the face of the Act, the predictable mistakes are:

Frequently asked questions

Is the VASP Act in force? Yes. The Virtual Asset Service Providers Act, 2025 (Act No. 20 of 2025) was published in the Kenya Gazette on 21 October 2025, assented to on 15 October 2025 and commenced on 4 November 2025.

Can I get a VASP licence today? No. CBK and CMA confirmed jointly on 18 November 2025 that no VASP has been licensed and that licensing will only start once the Cabinet Secretary’s Regulations are issued. As of 30 May 2026, no Legal Notice making those Regulations has appeared on Kenya Law.

Who is the regulator: CBK or CMA? Both. The Act creates a dual-regulator model. CBK regulates custodial wallets, payment processors and stablecoin issuance. CMA regulates exchanges, trading and clearing and settlement platforms, brokers, investment advisors, asset managers, virtual asset offering providers (ICOs), tokenisation and token issuance platforms. A business that does both pays both.

Do I need to be a Kenyan company, or can my Dubai or BVI parent apply? Section 8(1) requires “a company limited by shares registered under the Companies Act or a foreign company limited by shares and registered under the Companies Act (Cap. 486)”. A foreign company can apply, but only if it has registered under the Companies Act. Sole proprietors, partnerships and unlimited companies cannot apply at all.

What is the minimum paid-up capital? Not yet known. Section 22(1) requires the VASP to maintain capital, solvency and insurance “as may be prescribed”. The actual figures sit in Regulations under section 49(2)(i)(vi). Those Regulations have not yet been gazetted. Treat any specific KES figure circulating in commentary as unconfirmed until the Legal Notice appears.

What is the application fee? Not yet known. Section 10(2) and section 49(2)(c) delegate the fee to the Cabinet Secretary’s Regulations. The Regulations are still draft as of 30 May 2026.

How long does the licence last? Section 13 fixes the licence year as the calendar year. Every licence expires on 31 December of the year it was issued, regardless of when in the year the licence was granted. Renewal procedure and renewal fee will sit in the Regulations.

I run an existing crypto business. How long do I have to comply? Section 47 gives existing operators one year from commencement to comply. The window closes on 4 November 2026. The fact that the licensing channel is not yet open does not, on the face of the Act, stop that clock.

Are NFTs caught? It depends on function, not label. Section 4(2)(c) carves out non-fungible tokens “not used for payment, investment or any other financial purposes”. Section 4(2)(d) adds a substance-over-form carve-out for NFTs that “by [their] nature and function rather than the designation given by [their] issuer, [are] not used for payment or investment purposes”. If your NFT promises a yield, trades on a secondary market with an expectation of profit, or operates as a payment instrument, calling it an NFT will not save it.

What about stablecoins? Stablecoin issuance is a separate, named activity under the First Schedule and is supervised by CBK. The detailed rules (reserve composition, attestation cadence, redemption-at-par timelines) are delegated to Regulations under section 49(2)(q) and are not yet gazetted.

Are crypto gains still taxed at 3%? No. The Digital Asset Tax in section 12F of the Income Tax Act was repealed by the Finance Act 2025. The replacement is a 10% excise duty on the fees a virtual asset provider charges per transaction, sitting in the First Schedule, Part II of the Excise Duty Act (Cap. 472), as inserted by the Finance Act 2025 (Act No. 9 of 2025), s.46. Anyone still quoting 3% on gross is citing repealed law. Separately, there is no bespoke statutory crypto capital-gains regime in the current consolidated Income Tax Act, so capital gains treatment depends on the facts of each transaction.

Do I still need to register with the Financial Reporting Centre and the ODPC if I have a VASP licence? Yes. They are separate registrations under separate statutes. POCAMLA section 47A requires registration with the Financial Reporting Centre and is a criminal offence to ignore. Data Protection Act section 18(1) prohibits acting as a data controller or processor without ODPC registration.

What is the penalty for operating without a licence? For a company, a fine of up to KES 25,000,000. For an individual, a fine of up to KES 10,000,000 or imprisonment of up to five years, or both. Section 41 then pulls in any director, partner or senior officer who “knowingly authorised, permitted or aided” the contravention: the individual is liable for the same criminal, civil or administrative penalty as the licensee. Negligence alone is not a basis for personal liability under s.41; knowledge plus one of the three acts is.

Where do I appeal a refusal or a revocation? Section 43 routes appeals to “a court of law, a tribunal or a committee established by a written law of competent jurisdiction in Kenya”. The Act does not name a single bespoke VASP tribunal, so the actual forum for each decision will depend on which regulator issued it and what the relevant parent legislation provides.

If you are building a crypto exchange, a custody business, a stablecoin issuer, a payment gateway or a tokenisation platform aimed at Kenyan users, the time to scope your file is now, while the Regulations are being finalised, not after they are gazetted and your competitors are already in the queue. We work with founders, treasury teams and foreign groups planning their Kenyan entry, and we cover the full stack: corporate structuring, the licensing strategy across CBK and CMA, the AML and POCAMLA build-out, the ODPC registration, and the tax position under the new excise regime. Book a consultation and we will scope your file.

Related reading on the firm’s site: Fintech lawyer Kenya, Data protection lawyer Kenya, ODPC registration service Kenya, Startup lawyer Kenya, AI law Kenya, and our hub on Technology and data law.