The Kenya VASP Bill (Virtual Asset Service Providers Bill), 2025

The Virtual Asset Service Providers Bill, 2025,

The Virtual Asset Service Providers Bill, 2025, aims to establish a legal framework for regulating virtual asset service providers (VASPs) in Kenya and to mitigate risks associated with the misuse of virtual assets and VASP services.

Here’s a simplified breakdown of its key provisions:

1. What are Virtual Assets and VASPs?

• Virtual Asset: A digital representation of value that can be traded or transferred digitally for payment or investment purposes. This excludes digital representations of fiat currencies, e-money, securities, and other financial assets.
• Virtual Asset Services: These are activities listed in the Schedule of the Bill. They include:
  • Virtual Asset Wallet Provider: Offers storage for virtual assets on behalf of others and facilitates exchanges or transfers.
  • Virtual Asset Exchange: Provides a digital platform for exchanging virtual assets for fiat currency or other virtual assets. This includes trading, clearing, and settlement platforms.
  • Virtual Asset Payment Processor: Arranges transactions involving virtual assets and fiat currency, or between virtual assets.
  • Virtual Asset Broker: Facilitates exchanges of virtual assets on behalf of clients.
  • Virtual Assets Investment Advisor: Provides investment advice on virtual assets, initial virtual asset offerings, and non-fungible tokens.
  • Virtual Asset Manager: Manages portfolios containing virtual assets on a discretionary basis.
  • Initial Virtual Asset Offering Provider: Issues and sells virtual assets to the public for fundraising.
  • Virtual Asset Tokenization: The process of converting real-world assets into digital tokens on a blockchain.
  • Virtual Asset Escrow Service Provider: Holds a virtual asset in trust until transaction obligations are met.
  • Virtual Asset Validator/Administrator/Miner: Institutional units that validate and confirm transactions.
• Virtual Asset Service Provider (VASP): A local company incorporated under the Companies Act, or a foreign company with a certificate of compliance under the Companies Act, that conducts one or more of the virtual asset activities listed in the Schedule. Notably, “virtual service tokens” (digital tokens whose sole function is to provide access to an application or service, or provide a service or function directly to its owner, and are not transferable or exchangeable with a third party) are not considered virtual assets, and services involving only these tokens do not require a license under this Act.

2. Regulatory Authorities The relevant regulatory authorities for this Act are:

• The Capital Markets Authority (CMA).
• The Central Bank of Kenya (CBK).
• Any other body designated by the Cabinet Secretary.

Their functions include licensing VASPs, approving initial virtual asset offerings, regulating and supervising promoters of such offerings, issuing directions for non-compliance, and ensuring financial soundness and stability in the virtual assets sector. They are guided by principles of financial stability, market integrity, fostering innovation, and preventing damage to Kenya’s financial reputation.

3. Licensing Requirements

• Prohibition: No person can carry on the business of virtual asset services in or from Kenya without a license from the relevant regulatory authority. Natural persons are explicitly prohibited from carrying on this business.
• Application: Applicants must submit an application with prescribed information and fees. The regulatory authority can grant a license (with or without conditions) or reject the application if requirements are not met.
• Eligibility: Only eligible persons as specified under section 3(1) (local or foreign companies) can be licensed.
• Considerations for Licensing: The regulatory authority will consider factors such as the applicant’s skills and experience, ability to meet financial and consumer/data protection requirements, fit and proper assessment of directors and officers, cybersecurity measures, and public interest. They also consider the risks posed to clients or the financial system, and the potential for innovation and competition.
• License Duration: A license is valid from its issuance date until December 31st of the same year.
• Transfer/Assignment: A license cannot be transferred or assigned without prior written approval from the relevant regulatory authority.
• Suspension/Revocation: A license can be suspended, varied, or revoked if the licensee fails to comply with the Act, operates outside its permitted scope, provides false information, or if client interests are threatened.
• Register of Licensees: Each regulatory authority will maintain a public register of licensees, including their name, address, authorized services, issuance date, and license status.

4. General Obligations for VASPs

• Fit and Proper Assessment: Directors, principal officers, and other key personnel must be deemed “fit and proper” by the regulatory authority, considering their probity, competence, experience, and financial integrity.
• Registered Office: VASPs must maintain a registered office in Kenya.
• Prudent Business Conduct: Licensees must conduct their business prudently, including complying with laws and regulations, maintaining adequate records and controls, and having appropriate insurance.
• Integrity: VASPs must conduct business with integrity, acting with due care, skill, and diligence, and dealing fairly with clients.
• Capital, Solvency, and Insurance: VASPs must maintain financially sound conditions by complying with prescribed capital, solvency, and insurance requirements.
• Conflict of Interest: Policies and procedures must be in place to avoid, mitigate, and deal with conflicts of interest between the licensee, its clients, and third parties.
• Customer Assets Protection: VASPs must hold sufficient virtual assets to meet customer obligations, meet prescribed financial requirements, hold virtual assets for the customer, and ensure virtual assets are not subject to claims of the license holder’s creditors.
• Ongoing Notifications: The chief executive officer must notify the regulatory authority of significant events such as insolvency, substantial non-compliance, criminal proceedings, or cybersecurity incidents.
• Material Changes: Licensees must seek approval from the regulatory authority for material changes to their business, such as changes in business activity, mergers, acquisitions, or changes in directorship.
• Ownership Changes: Issuance or transfer of shares in a licensee requires regulatory approval, though exemptions exist for publicly traded companies under certain conditions.
• Cybersecurity: Licensees must implement appropriate and effective cybersecurity measures.
• Audited Financial Statements: VASPs must prepare annual audited financial statements and submit them to the regulatory authority.
• Chief Executive Officer: A VASP must appoint a chief executive officer responsible for day-to-day management in Kenya, and this appointment requires regulatory approval.

5. Prevention of Money Laundering, Terrorism Financing, and Proliferation Financing (AML/CFT/CPF) The relevant regulatory authority will supervise and enforce AML/CFT/CPF compliance by VASPs. This includes vetting shareholders, directors, and officers, conducting inspections and surveillance, compelling information production, imposing sanctions for violations, and issuing regulations and guidelines.

6. Initial Virtual Asset Offering (IVAO)

• Approval Required: A person cannot issue or promote an IVAO in or from Kenya, or seek its admission to trading on a virtual asset trading platform, unless approved under this Act. Natural persons are not eligible to promote or issue IVAOs.
• Regulatory Scrutiny: The regulatory authority may object to an IVAO after it has commenced if, for example, advertising is inconsistent with the application, the issuer was not disclosed, or the issuance is detrimental to public interest.

7. Investigation and Examination The relevant regulatory authority has powers to conduct compliance inspections and investigations, appoint examiners, and request information and documents from licensees and related entities. Providing false or misleading information is an offense.

8. Enforcement, Offences, and Penalties The regulatory authority can take various enforcement actions for violations, including issuing warnings, directing remedial action, imposing restrictions or prohibitions, suspending or revoking licenses, initiating investigations, and imposing administrative penalties. Penalties for offenses under the Act can include significant fines and imprisonment for individuals and companies. Directors and senior officers who knowingly authorize or permit an offense by a VASP are also liable.

9. Miscellaneous Provisions

Transitional Provisions: Existing virtual asset service providers have six months from the Act’s commencement to apply for a license and can continue operating until their application is decided.

Confidentiality: Information acquired by the regulatory authority is confidential, with exceptions for lawful court requirements, consent, statistical disclosure, and disclosures under other relevant laws.

Appeals: Aggrieved persons can appeal decisions of the regulatory authority to the relevant body.

Client Transaction Records: Licensees must provide online or real-time read-only access to client and their own virtual asset transaction records if required by the regulatory authority, and maintain these records for at least seven years.

Protection from Liability: The regulatory authority and its agents are protected from liability for actions done in good faith in the proper discharge of their duties.

Regulations: The Cabinet Secretary, on the advice of the relevant regulatory authority, can make regulations to carry out the provisions of the Act.