Parliament passed the Virtual Asset Service Providers Bill on 7th October 2025. That clears the path for lawful crypto payments in Kenya.
Banks, PSPs, digital lenders, fintechs, telcos, marketplaces and global VASPs can plan real products that accept or move value using virtual assets. The opportunity is immediate, but it is a regulated one. Success will depend on a smart licensing strategy, careful product design, clean data and tax controls, and partnership models that work in production.
Kenya’s Crypto Journey
Kenya’s crypto activity grew for years without a dedicated statute. Exchanges, wallets and peer to peer platforms served Kenyan users, often from abroad. Volumes rose through retail trading, remittances, merchant acceptance experiments, gaming and token projects. According to figures presented to Parliament, Kenyans processed close to USD 2 billion via decentralised protocols last year, with approximately 6.1 million users, making Kenya third in Africa on on chain volume.
CBK’s Position
The Central Bank has, since 2015, consistently issued public notices cautioning the public on virtual currencies, stating that crypto is not legal tender and warned on volatility and fraud. Banks were discouraged from crypto exposures. At the same time, CBK allowed innovation in payments through licensed PSPs, creating a mature rails environment. Crypto remained outside the perimeter, which limited institutional adoption and slowed formal integration with mainstream payments.
Why the Shift Now
Three drivers explain the new law. First, Kenya is on the FATF grey list and is under increased monitoring for AML and CFT gaps. That status raises due diligence costs, scares off counterparties, and complicates correspondent banking. The VASP Bill is part of the fix. It brings crypto activity into a supervised perimeter, makes VASPs reporting institutions, and gives regulators clearer powers to examine, audit and enforce. Second, Kenya wants innovation that is supervised rather than outlawed. Third, the taxman has already redesigned how crypto is taxed. The legal and tax pillars are now aligning.
What Changes With the Act
With policy and tax now aligned, here is what changes once the Act takes effect;
- Licensing becomes mandatory for exchanges, custodial wallets, brokerages, payment gateways and stablecoin issuance. CBK will lead on payments, custody and wallets. CMA will supervise investment like tokens and secondary markets. Treasury will issue regulations and can open sandboxes. Expect post assent guidelines that set capital, safeguarding, reporting and cyber standards. Foreign VASPs that already serve Kenyans will be expected to regularize or partner.
- It embeds within existing financial and sector laws. The VASP regime does not replace other frameworks. You will still need to meet CBK payment service obligations and the National Payment System Act, banking prudential rules, CMA conduct rules for investment like products, foreign exchange and remittance requirements, consumer protection and data protection duties, and any sector specific rules in areas such as telecoms, gaming or insurance. In practice you design to the stricter obligation where rules overlap.
Practical Effects for Payments Players
Institutions that wish to accept or settle in crypto now have two lawful paths to market. Either hold a VASP licence or integrate with a licensed VASP.
- Apply for your own VASP licence if you need control of custody, pricing and margins. You gain credibility and capture more value, but you carry full compliance cost.
- Partner with a licensed VASP if speed matters. You keep your app and users. The partner provides custody, on and off ramps, AML and reporting through APIs. Negotiate strong SLAs, audit rights, change of law clauses and exit plans. Many Kenyan financial institutions followed this partner first then licence later path when PSP laws were introduced. Expect a similar arc here.
With the path chosen, here is what foreign teams should know about operating in Kenya.
Kenya at a Glance for Foreign Decision Makers
Kenya is a mature payments market with very active regulators and financial institutions. Crypto now moves into a supervised perimeter. Expect licensing with real compliance, pilots through sandboxes, and coordinated oversight on AML and data. Foreign VASPs that pair credible local substance with strong controls can launch and scale.
Operating Footprint and Personnel
Expect to maintain a Kenyan entity with a registered office, a named compliance lead and AML lead, and the ability to produce audit ready records on request. Reporting is periodic with event driven notifications for material incidents. We set this up and we run the first cycle with you so internal teams see what good looks like.
The Tax Position
The Finance Act 2025 repealed the Digital Asset Tax and introduced a ten percent excise duty on virtual asset transaction fees. This is a shift from taxing the principal value to taxing the platform service margin. It is simpler and fairer in daily operations, but there are grey areas. Until KRA issues guidance on cross border supply and fee types, price conservatively and keep clean schedules for audits. Income tax and VAT still apply under ordinary rules where relevant. Record keeping and invoicing need to show the fee line clearly. With tax designed in, the next gates are privacy and treasury.
Ambiguities to Plan for
- Scope of fees. Trading fees, spreads, deposit or withdrawal charges, network fees and listing or minting fees may be treated differently. Assume a broad view until guidance says otherwise.
- Cross border supply. Foreign VASPs serving Kenyan users will face questions on registration, agents and withholding. Prepare for conservative interpretations.
- Stablecoins and NFTs. Issuance and management fees, staking or validator commissions and token creation charges need treatment notes and internal positions.
- Overlap risk. Watch for double counting when crypto features are embedded in other regulated services.
- KRA behaviour. Expect early guidance through public notices, enforceable practice through audits, a preference for simple withholding points and a request for platform data extracts.
The right response is to design tax in from day one. Structure contracts, invoices, product flows and data to isolate the excisable fee, calculate it correctly and remit on time.
Privacy, Data and DPIA
Crypto features involve personal data and financial metadata. Before launch, complete a DPIA that covers wallet linking, address analytics, sanctions screening, profiling risk, retention, cross border data flows and other important features. Confirm lawful basis, set a cross border transfer mechanism, lock processor clauses and breach timelines, and treat linkable wallet addresses as personal data. Set up encryption at rest and in transit, strict access controls and user rights workflows. If you rely on a partner VASP, require contractual commitments on minimisation, residency and audits and carry out due diligence. Handle user data safely and then govern value flows safely.
Forex, Treasury and Cross Border Flows
Stablecoin and token flows touch foreign exchange rules. Decide exposure policy. Convert quickly to Kenya Shillings or hold a measured float with limits. Keep dual ledgers for on chain and fiat and reconcile daily. Keep source of funds records and settlement proofs for every net position.
What Integration Really Looks Like
Integration is a coordinated build across product, risk, treasury, tax, data and legal. You choose the right VASP model, align it with your licence posture, agree clear commercial and compliance roles, and design a user journey that is transparent on pricing, timing and support. You set sensible limits, put monitoring in place, and document how settlement, reconciliations and exceptions will work. You sign vendor terms that protect the business and you launch through a controlled pilot so you learn safely before scale. The detailed blueprint sits with us and we tailor it to your stack, your risk appetite and your timelines.
What to Expect in Terms of Oversight After Assent
- Regulators in Kenya begin by inviting structured pilots, then harden rules and enforce. Firms that design for this cycle win. Banks, PSPs, Digital Credit Providers and capital markets intermediaries that already report to CBK or CMA will likely move faster. They still need crypto specific capability, but their governance head start matters.
- Expect post assent guidelines that spell out licence classes, application steps, fees, capital, safeguarding, reporting templates and cyber standards. A sandbox phase is likely. Early pilots with caps can help applicants prove controls while regulators learn from real data.
- Foreign VASPs already serving Kenyans will seek local licences or partnerships. Banks and PSPs with strong compliance teams may have an advantage in approval timelines.
Customer Experience for Live Products
If you already run a digital app and add crypto as a payment method, plan for some user realities to keep regulators comfortable and users happy. Some of these basics are listed below.
- Clear onboarding. Adopt a clear KYC process that verifies identity, screens for sanctions and PEPs, checks source of funds when risk flags appear, and keeps accurate records.
- Time clarity. Explain confirmations in simple words and show progress on screen.
- Fee clarity. Show network fees and your service fee. Show final numbers before a user taps pay. Kenyan regulators are very sensitive to consumer protection issues.
- Refunds policy. Explain when refunds are possible and when they are not. Give a short help flow that a normal user understands.
- Education. Short in app tips about security, recovery and scams.
- Disputes. Build a human support path and a compliant complaint process.
- Accessibility. Offer a fiat fallback and make the crypto path optional, not forced.
Kenya in a Regional and Global Context
Cavendrys studies the crypto landscape nonstop and turns insight into execution.
Lessons from Peers that Already Regulate
Nigeria. The Central Bank lifted its banking ban in December 2023 and issued guidance for banks to serve licensed VASPs, while the securities regulator tightened its digital asset rulebook and moved against unregistered platforms and disruptive peer to peer flows.
South Africa. Crypto assets were designated financial products, bringing providers into FAIS licensing and AML registration, and the supervisor has since approved many CASP licences with ongoing oversight.
Mauritius. A dedicated virtual assets statute created clear VASP categories, issuer duties, AML expectations and active supervision by the financial services regulator with real local substance.
European Union. MiCA took effect with stablecoin rules applying first and the broader CASP regime following, standardising token classes, issuer reserves and CASP conduct, custody and disclosure duties.
Singapore. Under the Payment Services Act the regulator layered AML and conduct rules and adopted a stablecoin framework that requires full reserves, approved custody of reserves and timely redemption.
East Africa Snapshot
Rwanda is getting serious about regulating virtual assets, moving away from past warnings to set up a formal system. In March 2025, the National Bank of Rwanda and the Capital Market Authority shared a draft law that will put the CMA in charge of licensing and overseeing all virtual asset service providers, with strict rules against money laundering and fraud. Activities proposed for prohibition include use of virtual assets as official money, energy intensive mining, standalone crypto ATMs, mixing or tumbling services, and tokenisation of the Rwandan currency.
Uganda’s stance on virtual assets is mixed. The central bank has been critical of private cryptocurrencies and a High Court ruling in 2023 limited their use for payments. At the same time the country is pursuing tokenisation projects and a central bank digital currency pilot, leaving retail crypto in a grey area while the state advances blockchain initiatives.
Tanzania continues to warn that virtual currencies are not legal tender, yet a High Court ruling in 2024 affirmed that crypto transactions, while unregulated, are not inherently illegal. With new taxation on digital assets and discussion of a central bank digital currency, the market operates with cautious pragmatism in the absence of a comprehensive framework.
Kenya’s move may catalyse a regional race. Entities may seek Kenyan licences first, then expand across the region.
--
How Cavendrys can help you win this market: Cavendrys advises on regulatory readiness, licensing and product integration for technology led financial services across East Africa. Their team combines policy design, regulator engagement and transactional execution.
What Cavedrys delivers:
- Regulatory mapping, licence strategy and application packs.
- Sandbox planning, pilot design and go live approvals.
- Crypto payment architecture reviews that align with CBK, CMA and Treasury expectations.
- Data protection readiness, DPIAs and cross border data flow solutions.
- Tax design, invoicing and reporting workflows and engagement with KRA.
- Vendor due diligence, security posture assessments and full form commercial agreements with VASP partners.
- Enablement and product support.
- Partnerships, joint ventures and market entry structures for foreign VASPs.
- Dispute and investigations support if things go wrong.
Cavendrys helps clients use Kenya as a practical launch pad into East Africa. Cavendrys brings deep knowledge of the market landscape and regulatory expectations in Uganda, Kenya, Rwanda and Tanzania, and they work alongside vetted local counsel and technical partners in each jurisdiction to align product, policy and contracts. You get one coordinated team that can brief your board, open regulator dialogue, and manage execution from Nairobi outward while ensuring all local legal work is handled by counsel admitted in those countries.
Insight on what a phased mandate would look like:
- Phase one. Readiness and regulator engagement. Outputs. Regulator brief, DPIA draft, tax and billing model, vendor short list, draft term sheet.
- Phase two. Pilot build and bank alignment. Outputs. Signed partner terms or licence pack, sandbox plan, reconciliations, support scripts, training.
- Phase three. Licence and scale. Outputs. Filed licence, board go live pack, monitoring dashboards, first quarterly compliance cycle.
--
Read the original publication at Cavendrys
