By Joseph Kihanya LLB LLM
Kenya’s Virtual Asset Service Providers (VASP) Act, 2025, signed into law on October 15, marks a turning point in how the country approaches digital finance, privacy, and data governance. It is more than a crypto law,it is a blueprint for how a developing digital economy can balance innovation with responsibility.
The Act introduces a clear legal framework for entities dealing in virtual assets such as cryptocurrencies, tokenised assets, and blockchain-based payment systems. Its central premise is simple: you can’t build a digital economy on weak foundations. Every firm operating in this space must now be licensed, transparent, and accountable—not just financially but also in how it handles data, manages risk, and protects consumers.
Embedding Privacy and Data Governance into Finance
A standout feature of the VASP Act is its integration of data protection into the core of financial regulation. Service providers must demonstrate full compliance with Kenya’s Data Protection Act, 2019 before obtaining a licence. Regulators will now assess how firms store, secure, and transmit customer data as part of their licensing review. This is a bold shift: data privacy is no longer treated as a separate issue but as a condition for doing business in digital finance.
The law also sets higher expectations for data governance. VASPs must keep detailed records of all transactions for at least seven years and grant regulators secure, real-time, read-only access. These measures will improve transparency, strengthen audit trails, and reinforce trust in the sector.
Cybersecurity and Institutional Trust
Cybersecurity readiness is now a legal obligation, not a voluntary best practice. Every VASP must comply with the Computer Misuse and Cybercrimes Act, implement ongoing risk-mitigation systems, and report cyber incidents within seven working days. The Cabinet Secretary for the National Treasury has been granted authority to issue additional cybersecurity audit rules, ensuring the system evolves with emerging threats.
Even regulators are bound by confidentiality. The Act prohibits the disclosure of sensitive information obtained during supervision, except under lawful exceptions such as court orders or anti-money laundering investigations. This reciprocal accountability is designed to build institutional trust in both directions between market participants and the state.
The Role of Subsidiary Legislation
The Act sets the framework, but the subsidiary legislation will define how it operates in practice. These forthcoming regulations, to be issued by the Treasury, are expected to cover key operational areas:
- Licensing procedures and categories: Defining how different types of virtual asset firms—exchanges, custodians, tokenisation platforms—will be classified, licensed, and supervised.
- Capital and solvency standards: Setting thresholds for liquidity, client-asset segregation, and insurance protection in case of insolvency.
- Stablecoins and tokenised assets: Clarifying treatment of stablecoins, reserve backing, and issuance of tokenised real-world assets.
- Cybersecurity and data standards: Specifying technical requirements for data storage, audit trails, and incident-reporting protocols.
- AML/CFT compliance: Detailing customer due diligence, transaction monitoring, and suspicious activity reporting to align with global Financial Action Task Force standards.
- Market conduct and consumer protection: Regulating advertising, conflict-of-interest rules, and complaint-handling procedures.
- Regulatory powers and enforcement: Laying out how regulators will monitor compliance, inspect records, and sanction breaches.
These rules will form the practical backbone of Kenya’s digital-finance oversight. The Act may set the tone, but the real test of fairness, innovation, and compliance will lie in how these regulations are crafted and implemented.
Positioning Kenya as a Regional Leader
As noted by Yogupay, which called the VASP Act a “historic milestone” for Kenya, the law gives long-awaited legal certainty to crypto and blockchain operators while aligning the country with international standards. It mirrors the Financial Action Task Force (FATF) recommendations and positions Kenya among the first African nations to bring crypto within a formal regulatory perimeter.
The hope is that this clarity will attract responsible innovation, making Kenya a trusted hub for tokenisation, remittances, and fintech development. Yet the challenge will be balanced ensuring that smaller startups can still enter the market without being buried under compliance costs.
Ultimately, the VASP Act represents Kenya’s decision to govern digital finance through principles of trust, security, and accountability. If implemented with care and integrity, it could become a regional model for how to regulate the digital economy without stifling its promise.