Bitcoin Magazine
Kenya’s New VASP Law: A No-BS Legal Guide for Bitcoin and Crypto Builders
Kenya has passed a Virtual Asset Service Providers (VASP) law that fundamentally reshapes the regulatory landscape for digital assets in the country.
In plain English: it doesn’t regulate Bitcoin the protocol or your private self-custody. Instead, it regulates companies that touch customer assets — exchanges, custodians, token issuers, investment advisors, brokers, and trading platforms.
The law creates a licensing perimeter around commercial intermediaries and gives regulators enforcement teeth over that perimeter. Think of it as drawing a regulatory fence around businesses that handle other people’s bitcoin and crypto, whilst leaving individual users and peer-to-peer (P2P) transactions outside the gate.
This distinction is critical: the Act targets virtual asset services, not the underlying technology or private ownership. If you’re holding your own keys and transacting directly with another person, you’re outside the licensing regime. But the moment you start offering custody, brokerage, advisory, or platform services to the public, you’re inside the perimeter — and you need a license.
Key takeaway: The VASP Act concerns commercial intermediaries, not individual users. Self-custody and P2P transactions remain unregulated, but businesses touching customer assets face full licensing requirements.
What Parts of “Crypto” the Law Does Regulate: The Licensing Perimeter
Licensed VASPs are any Kenya-registered (or compliant foreign) companies that perform the activities listed in the Schedule to the Act. These activities map to specific regulators — primarily the Central Bank of Kenya (CBK) and the Capital Markets Authority (CMA) — and trigger comprehensive compliance obligations.
Exchanges & Trading Platforms: Brokers, trading platforms, and services facilitating fiat-to-VA or VA-to-VA exchanges. Both centralized and certain decentralized platforms that hold custody or market-make against clients fall within scope.
Custody & Wallet Providers: Any service holding client coins on their behalf. If you control the keys to customer assets, you’re a custodian and need licensing, capital adequacy, segregation, and audit requirements.
Investment Advisors & Managers: Providing advice or discretionary management of virtual asset portfolios for clients. This captures both retail advisory and institutional asset management services.
Token Issuance & Tokenization: Initial virtual asset offerings (ICOs/STOs) and real-world asset (RWA) tokenization. These fall primarily under CMA oversight as they intersect with securities and capital-markets regulation.
Escrow & Platform Operators: Services providing escrow functions for virtual asset transactions and certain platform operators facilitating multi-party trades or settlements.
Each activity triggers specific obligations: licenses, capital and solvency requirements, fit-and-proper assessments, AML/CFT/CPF controls, conduct standards, cybersecurity measures, advertising rules, periodic audits, and ongoing reporting. The breadth is deliberate — regulators want bank-grade compliance from anyone touching customer assets.
Key Definitions for Terms in the Act
Virtual asset: A digital representation of value that can be traded, transferred, or used for payment or investment purposes. Explicitly excludes fiat currency, e-money, and securities (which have their own regulatory regimes).
Virtual Asset Trading Platform: A centralized or decentralized platform that facilitates exchange and either (i) holds custody of client assets, or (ii) market-makes against clients. Both limbs trigger licensing.
Virtual Service Token: Pure utility tokens that are non-transferable and used solely within a closed ecosystem. These fall outside the licensing perimeter — a narrow carve-out for genuine utility.
These definitions matter because they set the boundaries of regulatory jurisdiction. The Act uses functional language (“digital representation of value”) rather than technology-specific terms, meaning it’s designed to be technology-neutral and capture future innovations. However, this breadth also creates interpretive grey areas — expect subsidiary regulations and guidance to clarify edge cases.
Who’s in Charge? Dual Regulators and Subsidiary Powers
Central Bank of Kenya (CBK) + Capital Markets Authority (CMA)
These are the joint lead regulators for VASPs, with activity-based allocation. CBK typically oversees payments, custody, and exchange functions; CMA handles token offerings, investment advice, and tokenized securities. The Cabinet Secretary for National Treasury can designate additional regulators by Gazette notice — so watch for future expansions of the regulatory perimeter.
Subsidiary Regulations (The Real Power)
The Treasury CS has broad discretion to issue subsidiary regulations that flesh out critical details: stablecoin frameworks, tokenization standards, capital adequacy ratios, solvency tests, insurance requirements, conduct rules, advertising standards, cybersecurity mandates, and more.
Expect a lot of the actual policy to be decided here — the Act is a framework; the regs will be the teeth.
Practical implication: The act is deliberately high-level. Founders and compliance teams should track the gazetting of subsidiary regulations closely — those will determine capital thresholds, operational standards, and day-to-day compliance burdens. Early engagement with regulators during consultation periods is advisable if you’re planning a VASP business.
What the Law Doesn’t Regulate
Outside the licensed perimeter, the Act does not (on its face) outlaw or require licensing for:
- Owning Bitcoin in self-custody (your own keys, your own wallet) — this is private property, not a regulated service.
- Paying another person directly wallet-to-wallet (peer-to-peer) — private contractual settlement between two parties remains outside the scope.
- Running a non-custodial wallet app where users hold their own keys and you provide only software (absent other regulated activities like brokerage or custody).
The Act explicitly applies to “virtual asset services” (the Schedule list) offered in Kenya; it is not a general ban or license requirement on private use of bitcoin or other virtual assets.
That said, unlicensed businesses offering any Schedule activity can face enforcement, fines, and criminal penalties. The line between “private use” and “carrying on a business” will be tested in practice — habitually dealing for the public, even informally, could morph you into an unlicensed broker.
Pros & Cons (Gloves Off)
Potential Pros
Legal Clarity for Institutions: Pensions, banks, fintechs, and corporates now have a rulebook to engage with digital assets. Licensed on-ramps and custodians with proper compliance make institutional adoption feasible.
Consumer Safeguards: Fit-and-proper tests, capital adequacy, audits, asset segregation, cybersecurity standards, and conduct rules reduce “cowboy operator” risk. Retail users benefit from recourse mechanisms and dispute resolution.
Tax Clean-Up: The punitive 3% Digital Asset Tax on transaction value was repealed by Finance Act 2025. Kenya now pivots to excise duty on VASP fees — much friendlier for savers and long-term holders. Tax targets platforms’ charges, not the full notional trade value.
Pathway for Tokenization & RWAs: Clear CMA oversight for tokenized securities and real-world assets unlocks capital-markets pilots and enterprise use cases (land registries, trade finance, supply-chain tokenization).
Real Cons
Gatekeeping via Licenses: Dual regulators plus high capital, insurance, and AML burdens can lock out SMEs and open-source teams. Big banks and fintechs win by default; innovation may be stifled by compliance costs.
Subsidiary-Rules Risk: Broad discretion given to the Treasury CS can tighten rules on stablecoins, self-hosted wallet interfaces, P2P marketplaces, or Lightning gateways later. Policy can “narrow the pipe” after headlines fade and public attention wanes.
Surveillance Creep: Strict know-your-customer (KYC) laws and record-keeping across VASPs, plus mandatory data-sharing with AML bodies, raises privacy risks for ordinary users who rely on custodial rails. Expect financial surveillance to intensify.
Category Error: Bitcoin ≠ generic “virtual asset.” Lumping bearer digital cash with issuer-based tokens invites over-regulation of money as though it were a security or product. The Act doesn’t correct that fundamental conceptual flaw.
From a Bitcoin Lens: Acquiring, Saving & Spending
Acquiring BTC
Via VASPs (exchanges/brokers): Expect full KYC, fee-based excise duty, AML transaction monitoring, withdrawal policies, and proof-of-funds queries. Institutional-grade on-ramps should improve in quality and reliability — but at the cost of privacy and friction.
Peer-to-peer: Private purchases and sales between individuals remain outside the licensing perimeter, as long as you’re not carrying on a Schedule business. Be careful not to morph into an unlicensed broker or exchange by habitually dealing for the public (e.g., running a Telegram group offering regular buy/sell services).
Practical upshot: Retail users can still dollar-cost-average non-custodially via P2P or occasional licensed platform buys; businesses wanting routinized, high-volume flows will likely use licensed platforms to manage compliance and audit trails.
Saving in BTC (Self-Custody)
Keeping Bitcoin on your own wallet (hardware or software where you control the keys) is not prohibited by the Act. This is private property, akin to holding gold or foreign currency at home.
Corporate treasuries: Companies can hold BTC on balance sheet, but must follow IFRS accounting standards (usually classified as intangible asset at cost with impairment testing; or inventory if you’re a market-maker). Create a board-approved treasury policy covering allocation limits, custody arrangements, key management, and audit trails. Kenya applies IFRS; the IFRS Interpretations Committee 2019 guidance (IAS 38 treatment) is the usual reference.
Spending / Paying in BTC
Direct wallet-to-wallet payments between two parties (e.g., paying a supplier, settling an invoice, tipping a creator) are not regulated as a VASP activity. Freedom of contract applies; the state can tax income or gains, but doesn’t pre-approve the medium of settlement.
If you provide a payment service that sits in the flow of customer funds — custody, routing, conversion, settlement facilitation — you’re likely a VASP-type business and need licensing. Lightning gateways that take custody or provide fiat conversion will fall within scope; pure routing nodes operated by users themselves likely won’t.
Constitution, Tax & Company Compliance — Outside the VASP Fence
Constitutional Stakes
Property & Privacy: Self-custodied keys are a form of digital property and personal data. Any future subsidiary regulation that compels key disclosure or bulk monitoring must pass constitutional tests under Kenya’s 2010 Constitution: necessity, proportionality, and respect for fundamental rights (Articles 31, 40). The VASP Act doesn’t override these rights — it creates a licensing regime for intermediaries, not a surveillance charter for private wallets.
Freedom of Contract & Association: Two people agreeing to settle an obligation in Bitcoin exercise freedom of contract (Article 36). The state can tax the income or gains, but needn’t pre-approve the medium so long as no other law (e.g., money-laundering statutes) is violated. The VASP Act doesn’t prohibit private contractual settlement in virtual assets.
Tax (Post-Finance Act 2025)
No More 3% DAT
The punitive Digital Asset Tax on transaction value is repealed. Instead, Kenya now levies excise duty on VASP fees (the platform’s charge for service). This doesn’t tax peer-to-peer notional flows directly; it taxes the intermediary’s commission.
Income / Capital Gains
Individuals: Kenya taxes income; gains may be taxable if you’re trading as a business or receive BTC for services rendered. Passive long-term appreciation without a realization event isn’t typically taxed until disposal — but document your cost basis (date acquired, cost in Kenyan shillings (KES), transaction ID (txid)).
Companies: Realized gains/losses hit profit & loss under IFRS; taxable under corporate income tax when realized. If BTC is held as inventory (e.g., market-making), trading profits are ordinary income. If held as intangible asset, impairment losses are deductible but unrealized appreciation isn’t taxed until sale.
VAT
Generally no VAT on money or money-like instruments; but VASPs’ service fees can attract VAT or excise depending on classification. Confirm with your tax advisor once subsidiary regulations land. Excise on VASP fees is already indicated in Finance Act 2025.
Accounting & Audit (IFRS)
Classification: Most corporate treasuries treat Bitcoin as an intangible asset (IAS 38). Market-makers and traders may classify as inventory (IAS 2).
Measurement: Intangibles are typically carried at cost less impairment (no upward revaluation through P&L until disposal), which can significantly understate economic value on the balance sheet. Pair this with management metrics in notes: BTC units held, fair-value footnotes, value-at-risk (VaR) disclosures.
Controls: Dual-control of private keys, SOC-audited custody providers (if using external custody), board-approved treasury policies, segregation between treasury holdings vs operational float, and regular reconciliation of on-chain balances.
Company Law & General Compliance
If you offer any Schedule VASP activity (brokerage, custody, platform, advice, token issuance), you must: incorporate appropriately, apply to the relevant regulator(s), meet capital and solvency requirements, pass fit-and-proper assessments, implement AML/KYC/CFT controls, comply with cybersecurity and conduct standards, adhere to advertising rules, file periodic reports, and undergo audits.
If you only hold BTC on your balance sheet, pay suppliers in BTC by mutual agreement, or accept BTC as settlement (converted immediately or held) without acting as a custodian or exchange for the public, you’re not a VASP — standard Companies Act and tax rules apply, but no VASP license is required.
Actionable Playbooks: What You Should Do Now
For Ordinary Kenyans
Learn self-custody: Choose a reputable non-custodial wallet (hardware or mobile), back up your seed phrase properly (offline, multiple secure locations), and practice small sends to familiarize yourself with the process.
DCA with exits: Use licensed on-ramps for KES-to-BTC conversions when convenient, but immediately withdraw to your own wallet. Keep detailed records: date, KES cost basis, txid, and wallet address.
Peer-to-peer payments: You can pay or receive BTC directly wallet-to-wallet. If it’s income (e.g., freelance work), declare it for tax. If you dispose of BTC at a gain, track your cost basis to calculate taxable gain accurately.
For SMEs / Corporates
Board-approved BTC Treasury Policy: Document allocation limits (e.g., % of reserves), risk management (volatility, custody, counterparty), key management procedures (multi-sig, hardware security modules), and accounting treatment (IFRS classification, impairment testing).
Non-custodial acceptance: Accept BTC from customers directly into your own wallet, or via a payment processor that settles instantly to you in BTC or KES (minimising custodial exposure and regulatory risk).
Avoid “accidental VASP” risk: Don’t hold client BTC, don’t broker or exchange for the
public, don’t run a trading platform—unless you affirmatively intend to obtain a VASP license and bear the compliance costs.
Tax & audit ready: Maintain ledgers of BTC units held, adopt a consistent cost-basis method (FIFO, LIFO, or specific identification), and record KES functional-currency conversions at transaction dates for P&L and tax purposes.
For Builders & Founders
Decide your regulatory posture: Non-custodial software (safer, outside licensing perimeter) vs custodial/market-facing VASP (licensing roadmap, capital requirements, ongoing audits, and compliance overhead).
Design for self-custody first: Prioritize user control of keys, composability with Lightning and other open protocols, and clean data trails users can export for tax reporting and auditability.
Engage regulators early: If pursuing a VASP license, begin dialogue with CBK/CMA during the application drafting phase. Understand their expectations on capital, systems, AML controls, and governance before you’re too far down the build path.
Stay agile on subsidiary regs: Monitor Gazette notices and public consultations — subsidiary regulations will define day-to-day compliance burdens, stablecoin rules, and emerging areas like Lightning or DeFi interfaces.
Bottom Line: What This Really Means
This law licenses intermediaries; it does not outlaw Bitcoin self-custody or peer-to-peer use.
The VASP Act will make bank-grade, compliant on-ramps more available — institutional capital can now flow into licensed custodians and exchanges with regulatory certainty. That’s a win for legitimacy, consumer protection, and formalizing the industry.
But it also centralizes power in licensed platforms, with all the usual trade-offs: higher fees, mandatory KYC, financial surveillance, slower iteration due to compliance overhead, and a bias towards incumbents (banks, large fintechs) who can afford the capital and legal costs. Smaller, open-source teams and peer-to-peer marketplaces face an uphill battle.
For Citizens & SMEs
The winning strategy is simple: learn self-custody, document your flows meticulously (dates, amounts,cost basis, txids), and don’t become a VASP by accident. Keep your Bitcoin on your own keys, transact peer-to-peer where possible, and use licensed platforms only when necessary for fiat conversion or institutional compliance.
For Builders Choosing the VASP Route
Assume bank-like compliance from day one: capital adequacy, fit-and-proper directors, AML/KYC systems (transaction monitoring, sanctions screening, suspicious-activity reporting), cybersecurity frameworks (ISO 27001, penetration testing), segregated client assets, external audits, and ongoing regulatory reporting. Budget for legal and compliance personnel; this isn’t a lean startup play.
The VASP Act is a double-edged sword: it legitimizes the industry and invites institutional participation, but it also imposes gatekeeping and surveillance that can undermine the open, permissionless ethos of Bitcoin. Your move depends on your goals — freedom and sovereignty, or legitimacy and institutional access.
Sources & Further Reading
Official Bill Text
Virtual Asset Service Providers Act (Kenya): Definitions (Part II), scope of application (Part III), Schedule of regulated activities, regulator mapping (CBK/CMA allocation), licensing framework, capital and solvency requirements, fit-and-proper standards, AML/CFT/CPF obligations, conduct and advertising rules, and enforcement provisions.
Finance Act 2025 (Tax Changes)
Repeal of the 3% Digital Asset Tax on transaction value; introduction of excise duty on VASP service fees. Confirms shift from taxing notional trade value to taxing intermediary charges — much friendlier for long-term holders and peer-to-peer users.
Passage & Dual-Regulator Design
Reuters, Parliament of Kenya official records, and press coverage of the Bill’s passage and pending/reported presidential assent. Commentary on the CBK/CMA co-ordination mechanism and the Cabinet Secretary’s subsidiary regulation powers.
IFRS Accounting Guidance
IFRS Interpretations Committee (2019) guidance on holdings of cryptocurrencies: IAS 38 (intangible assets) treatment, cost-less-impairment model, disclosure requirements. Kenya applies IFRS for corporate financial reporting; this is the authoritative reference for balance-sheet classification of Bitcoin and other virtual assets.
Constitutional Framework
Constitution of Kenya 2010: Articles 31 (privacy), 36 (freedom of association), 40 (property rights), and 47 (fair administrative action). These provisions anchor individual rights against over-reach in subsidiary regulations (e.g., compelled key disclosure, bulk surveillance without judicial oversight).
This guide is for informational purposes and does not constitute legal, tax, or financial advice. Consult a qualified Kenyan lawyer, tax advisor, or accountant for your specific circumstances. Law and regulations evolve; verify current status before acting.
This post Kenya’s New VASP Law: A No-BS Legal Guide for Bitcoin and Crypto Builders first appeared on Bitcoin Magazine and is written by Robert Kirubi.
Türkçe 
English 
Română 
Eesti 
한국어 
日本語 
Русский 
Deutsch 
Español 
简体中文 
Français 
繁體中文 
Português 
Italiano 
Polski 
Nederlands 
Bahasa Indonesia 
Ελληνικά 
Українська 
Български 
Čeština 
Suomi 
Magyar 
Latviešu valoda 
Lietuvių kalba 
Norsk bokmål 
Slovenčina 
Slovenščina 
Svenska
Bir yanıt yazın