By The Weekly Vision Reporter
The licensing of Virtual Asset Service Providers (VASPs) has been suspended until regulations are issued by the National Treasury, Cabinet Secretary John Mbadi, to operationalise the new law that took effect on 4 November. In a joint statement, the Central Bank of Kenya (CBK) and the Capital Markets Authority (CMA) explained that the Virtual Asset Service Providers Act, 2024, provides the legislative framework for regulating and supervising VASPs.
The Act also imposes obligations on such providers in the prevention of money laundering, terrorism financing, and proliferation financing, and designates the CBK and CMA as the regulators responsible for licensing, supervision, and oversight of VASPs in Kenya. “The Act provides for the CBK and CMA to license VASPs in accordance with the services listed in the First Schedule to the Act. Accordingly, the Cabinet Secretary, National Treasury, acting pursuant to the Act and upon the advice of the CBK and CMA, is developing regulations to guide implementation. Consequently, the licensing of VASPs will commence only upon issuance of these regulations. At present, neither the CBK nor the CMA has licensed any VASP to operate in or from Kenya under the Act,” the statement read.
Technology policy lawyer Joseph Kihanya, a Senior Fellow specialising in digital regulation, welcomed the development, describing the new law as establishing a clear and robust legal framework for entities dealing in cryptocurrencies, tokenised assets, and blockchain-based payment systems. “Its central premise is straightforward: you cannot build a thriving digital economy on shaky foundations. Every firm operating in this space must now be licensed, transparent, and accountable, not only financially but also in its handling of data, risk management, and consumer protection,” he said.
Mr Kihanya highlighted a standout feature of the Act: the integration of data protection into the heart of financial regulation. VASPs must now demonstrate full compliance with the Data Protection Act 2019 before a licence can be granted. “Regulators will evaluate how firms store, secure, and transmit customer data as an integral part of the licensing process.
This marks a bold shift; data privacy is no longer a peripheral concern but a core condition for doing business in digital finance,” he added. The new law further imposes stringent data-governance requirements: VASPs must retain detailed transaction records for at least seven years and grant regulators secure, real-time, read-only access.
These measures, Kihanya noted, will significantly enhance transparency, strengthen audit trails, and build greater public trust in the sector.
