Kenya is set to establish its first comprehensive regulatory framework for cryptocurrencies after Parliament passed the Virtual Asset Service Providers Bill, 2025.
The landmark legislation, which now awaits presidential assent, positions Kenya alongside South Africa and Mauritius as one of the few African nations with a crypto regulatory system meeting global standards.
In a significant pivot from the initial draft, lawmakers opted for a multi-agency oversight model rather than creating a new, standalone regulator. Supervision of virtual asset service providers (VASPs) will now fall under existing financial institutions, including the Central Bank of Kenya (CBK) and the Capital Markets Authority (CMA).
This decision involved gutting the bill’s original clause that proposed the creation of a separate Virtual Assets Regulatory Authority (VARA). The move aligns with concerns raised by the Financial Sector Regulators Forum, which warned that duplicating mandates would lead to legal ambiguity and hinder enforcement efforts.
A major point of contention was resolved when Parliament struck out a provision that would have granted a seat on the proposed regulator’s board to the Virtual Asset Chamber of Commerce (VACC). This is a private policy group accused by some crypto startups of acting as a proxy for the global exchange, Binance. Startups had previously raised alarms over an alleged attempt by the VACC to “capture” the new regulatory body. The final approved bill eliminates any such institutional board representation, effectively neutralizing the controversy.
Despite some opposition from stakeholders, the new law retains a strict provision requiring all licensed VASPs to:
- Maintain a physical office within Kenya.
- Appoint a board of at least three natural-person directors.
This rule is intended to curb ‘shell’ operations, enhance accountability, and ensure that key decision-makers can be held legally responsible within the country.
Under the new regime, all licensed virtual asset firms must adhere to a stringent set of compliance requirements aimed at meeting global Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) standards. These include:
- Segregating customer assets.
- Holding accounts in Kenyan banks.
- Appointing compliance officers.
- Undergoing independent IT audits.
- Implementing detailed anti–money-laundering and data protection frameworks.
The Bill provides existing operators with a 12-month grace period to comply with the new standards. Non-compliance could result in severe penalties, with violations carrying fines of up to Ksh. 25 million or five years in prison. The regulatory bodies have been granted powers to scale punishments based on the severity and profitability of the violations.