Blockchain & Crypto-Assets 2026 Comparisons

Local Regulation

The regulation of blockchain and crypto-asset businesses is shared among several key bodies, each with a distinct statutory mandate.

Capital Markets Authority

The CMA regulates virtual asset exchanges, brokers, investment advisers, fund managers, tokenisation platforms, and ICO or token offering providers under the VASP Act. Its supervisory approach emphasises market integrity, investor protection, white paper accuracy, and the prevention of market manipulation and insider trading.

Central Bank of Kenya

The CBK regulates virtual asset payment services, custodial wallet providers, stablecoin issuers, and entities involved in the conversion of fiat currency to crypto-assets. Its approach focuses on monetary stability, payment system integrity, consumer deposit protection, and the enforcement of reserve and redemption requirements for stablecoins.

Office of the Data Protection Commissioner

The ODPC enforces compliance with the Data Protection Act, 2019 for blockchain-based businesses that process personal data, including KYC information and biometric data. Its supervisory approach includes investigating complaints, conducting compliance audits, and imposing sanctions for unlawful data processing, as demonstrated in the Worldcoin enforcement action.

Financial Reporting Centre (FRC)

The FRC is Kenya’s financial intelligence unit, responsible for supervising VASPs for AML/CFT compliance under the POCAMLA. It receives and analyses suspicious transaction reports, conducts inspections of VASPs, and exchanges information with foreign financial intelligence units to combat money-laundering and terrorism financing.

Alignment With International Standards

The VASP Act and subsequent regulations are explicitly designed to address the FATF’s expectations, particularly Recommendation 15, which requires countries to license, supervise and enforce anti-money laundering and counter-terrorism financing (AML/CFT) requirements on VASPs.

The government has also enhanced its institutional capacity for this purpose, with the CMA acquiring blockchain surveillance tools from Chainalysis for market oversight and establishing a multi-agency task force to co-ordinate enforcement across the CMA, CBK and investigative bodies.

Beyond FATF standards, Kenya is demonstrating its commitment to broader international co-operation. The VASP Act expressly empowers local regulators to exchange information with foreign supervisory and enforcement authorities, addressing the cross-border nature of virtual-asset activities.

Classification of Crypto-Assets

The VASP Act defines a virtual asset as “a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes’’. This classification explicitly excludes digital representations of fiat currencies (such as mobile money or central bank digital currencies (CBDCs)), as well as securities and other financial assets already regulated under existing capital markets laws. Utility tokens and non-fungible tokens (NFTs) are also not included in the Act.

The CBK regulates payment-like assets (stablecoins, wallets, payment processors), while the CMA regulates investment-like assets (exchanges, tokenised securities, ICOs).

The VASP Act

Crypto-assets are now subject to the VASP Act, which came into force on 4 November 2025, and its accompanying draft VASP Regulations, 2026. The VASP Act is a self-contained framework that creates a new category of regulated financial service providers, rather than retrofitting crypto-assets into older laws.

The Act introduces a dual-regulator model: the CBK regulates payment-related crypto-firms, including stablecoin issuers, wallet providers, and payment processors, while the CMA oversees exchanges, brokers, investment advisers, managers, tokenisation platforms, and ICO providers.

While the VASP Act is in force, the formal licensing process for virtual asset firms has not yet begun. The process awaits the finalisation of the draft VASP Regulations, 2026, which are expected to be completed in the first half of 2026 following a public consultation period that closed in April 2026.

Under Kenya’s VASP Act,  a comprehensive list of crypto-asset activities is regulated and any person offering these services “in or from Kenya” must obtain a licence from the relevant regulatory authority. The CBK regulates virtual asset payment processors, custodial wallet providers, and stablecoin issuers. The CMA regulates virtual-asset exchanges, brokers, investment advisers, managers, and virtual-asset offering providers, including those involved in ICOs and the tokenisation of real-world assets. The definition of a “virtual asset” under Kenyan law excludes digital representations of fiat currencies, securities, and other financial assets already regulated under the CMA.

Prohibited Services

The most explicit prohibitions target services designed to obscure transaction trails. The Act specifically prohibits “anonymity-enhancing services” and “mixer or tumbler services” that conceal the origin or destination of virtual-asset transactions, reflecting FATF concerns regarding money-laundering and terrorist-financing. Algorithmic stablecoins, which maintain their peg without holding corresponding liquid reserves, are not recognised as stablecoins under the statutory definition and therefore cannot be issued by a licensed VASP, making them implicitly prohibited. Decentralised finance protocols also fall outside the regulatory ambit.

Regarding the distinction between retail and professional markets, the VASP Act draws no such distinction. The licensing requirements apply uniformly regardless of whether the VASP serves retail clients or institutional investors.

New Regulations

Several key crypto-asset regulations are expected to come into force in Kenya over the next 12 months. The draft Virtual Asset Service Providers (VASP) Regulations, 2026, which operationalise the VASP Act, 2025, are expected to be finalised in the first or second quarter of 2026 following a public consultation period that closed on 10 April 2026. Once issued, the CBK will begin licensing stablecoin issuers, wallet providers and payment processors, while the CMA will oversee exchanges, brokers, fund managers, tokenisation platforms and ICOs.

Notably, the one-year transitional period for existing VASPs expires on 4 November 2026, after which unlicensed operators face criminal penalties including fines of up to KES10 million or imprisonment for up to five years

Additionally, the Finance Bill 2026, introduced to parliament on 30 April 2026, proposes significant new reporting and tax disclosure requirements for crypto-asset businesses. Under proposed amendments to the Tax Procedures Act (new Sections 6C and 6D), VASPs would be required to file annual information returns with the Kenya Revenue Authority disclosing user identities, wallet information and transaction histories.

The Bill is expected to be enacted in June 2026, with certain digital reporting requirements scheduled to take effect from 1 January 2027.

Legal Wrappers

The use of a legal wrapper such as a fund does not exempt investors or fund managers from the licensing and compliance requirements that apply to direct participation in virtual asset activities. The VASP Act targets the provision of “virtual asset services” in or from Kenya, and this includes managing, advising on, or holding virtual assets on behalf of clients, regardless of whether those clients are retail investors or institutional funds.

Regulated Firms

Regulated firms and investment funds with exposure to crypto-assets face significant regulatory consequences under Kenya’s VASP Act, 2025. A fund manager that provides advisory or discretionary management services involving virtual assets must obtain a VASP licence, with the specific category depending on the activity: investment advisers require paid-up capital of KES2.5 million, asset managers require KES30 million, and tokenisation or token issuance providers require KES200 million.

Prudential requirements

These include maintaining unencumbered minimum capital, holding insurance coverage (including professional indemnity insurance of not less than KES500,000), keeping client assets segregated from operational funds at all times, and maintaining reserve assets equivalent to 100% of client liabilities.

Conduct-of-business obligations

These include “fit and proper” assessments for all directors and key personnel, AML/CFT compliance with seven-year record retention and suspicious transaction reporting to the FRC, real-time read-only access for regulators, cybersecurity measures under the Computer Misuse and Cybercrimes Act, and full consumer protection disclosures.

The Kenyan VASP framework imposes significant capital, disclosure and governance requirements on issuers. Under the Regulations, ICO and tokenisation providers must meet minimum paid-up capital of KES200 million and liquid capital of KES40 million, while stablecoin issuers require KES500 million paid-up capital. A detailed white paper must be published before any marketing commences and the offering requires CMA approval including a 0.5% fee on the value of the successful offer.

Issuers must be incorporated in Kenya (or registered as a foreign company), maintain a local physical office, pass “fit and proper” tests for directors and significant shareholders, and comply with AML/CFT obligations including seven-year record retention and suspicious transaction reporting to the FRC.

A detailed white paper is the cornerstone of the disclosure regime and must be published before marketing begins, with company directors held personally accountable for its accuracy.

The white paper must comprehensively outline:

• the nature of the virtual asset;
• the characteristics of the offering;
• the target investor base;
• governance structures;
• operational details;
• risk factors (including price volatility, cybersecurity threats, and any conflicts of interest);
• how user funds will be managed, and the rights of token holders (including redemption mechanisms where applicable);
• the issuer’s registered office;
• contact details, the licence number (once issued); and
• a clear statement that the offering has received regulatory approval.

CMA and CBK have the power to object to, reject, or require modifications to an offering if there are discrepancies between the white paper and the actual offering, if the advertising is misleading, or if the offering deviates from the approved terms.

Framework to Combat Market Abuse and Insider Trading

Kenya has introduced a framework to combat market abuse in the virtual asset space under the VASP Act and the Regulations. The framework explicitly prohibits market manipulation, including intentionally inflating or deflating the price of a virtual asset through false orders, misleading statements, or creating artificial trading volume (such as pump-and-dump schemes).

Insider trading – that is, using material, non-public information related to a virtual asset or a VASP to acquire an unfair trading advantage for oneself or others – is also prohibited. Additionally, false trading or wash trading, through entering into transactions that do not involve a genuine change in beneficial ownership or creating a false appearance of active trading, is forbidden.

To enforce these prohibitions, VASPs must conduct thorough due diligence before listing any virtual asset on their platform and implement systems for real-time or ongoing monitoring of trading activity to detect and flag suspicious patterns. Suspicious transactions, including potential market abuse, must be reported to the FRC. Non-compliance can lead to suspension or revocation of licences, and individuals involved in market abuse schemes may face criminal prosecution, with penalties including significant fines and imprisonment. These rules apply to all licensed entities operating in or from Kenya and are designed to mirror the standards found in traditional financial markets.

Differences Between VASP and Traditional Frameworks

The most significant distinction is that virtual asset issuers are not subject to a continuous disclosure obligation. Under the Capital Markets Act, a publicly listed company must immediately disclose any inside information to the market. The VASP framework currently lacks this duty, meaning the flow of information is less regulated, and the definition of what constitutes material, non-public information is entirely untested for virtual assets. Until case law develops, this difference will create uncertainty for those trading on information related to tokenised projects, as there is no statutory trigger for when such information must be publicly released.

Key Enforcement Actions

Kenya’s regulatory stance on virtual assets has evolved through a series of key enforcement actions. The CBK issued its first warning in December 2015 via Banking Circular No 14 of 2015, cautioning financial institutions against engaging in or facilitating virtual currency transactions and warning the public that “Bitcoin and similar products are not legal tender”.

This was followed in 2019 by the Wiseman Talent Ventures (KeniCoin) case, where the CMA issued a public caution against the ICO. The High Court upheld the CMA’s jurisdiction, applying the US Howey test to determine that the tokens constituted securities, ruling that “the absence of a specific regulatory framework for cryptocurrencies did not oust the jurisdiction of the general regime of law” and that the CMA could proceed with investigations to protect the public.

In the Worldcoin case, the company’s collection of biometric data in Kenya was found to be unlawful. The court found that Worldcoin failed to conduct a mandatory DPIA, collected consent that was not “free and informed” because it was induced by cryptocurrency payments, and transferred sensitive data outside Kenya without adequate safeguards. The court ordered the permanent deletion of all the biometric data collected from Kenyans, with the Office of the Data Protection Commissioner confirming in November 2025 that it had supervised the deletion in Germany.

Most recently, in May 2026, Kenyan authorities arrested a Binance P2P trader linked to fraud. The court approved a seven-day detention for investigation, while Binance complied with the National Police Service’s request to restrict access to several P2P accounts in Kenya. These co-ordinated actions demonstrate that regulators and law enforcement are aggressively pursuing crypto-related fraud using existing legal frameworks even before the new VASP licensing regime is fully operational.

Cross-border breaches

Kenyan regulators have taken an aggressive approach to cross-border breaches by asserting extraterritorial jurisdiction under the VASP Act, 2025, which deems any person deriving “economic benefit or income from Kenya” to be operating “in or from Kenya” regardless of physical presence.

In practice, Kenya has demonstrated its willingness to enforce these provisions. Authorities arrested a Binance P2P trader linked to a KES58 million investment scam, and Binance complied with a National Police Service request to restrict several P2P accounts in Kenya. The High Court ordered Worldcoin to delete all biometric data collected from Kenyans, applying local data protection law to a global project. Additionally, the “agent arrangements” clause in the draft regulations forces foreign interfaces to either obtain their own licence or operate under a licensed local VASP that assumes full consumer liability.

Future Enforcement

The attitude of Kenyan regulators will likely harden further over the next 12 months. The Regulations are expected to be finalised in the coming weeks. A key driver is Kenya’s urgent target to exit the FATF grey list, which demands demonstrable enforcement against unlicensed crypto-activities and full alignment with Recommendation 15 on VASP supervision.

This enforcement trajectory is reinforced by domestic pressures: consumer protection (following high-profile scams), tax revenue capture (the Finance Bill 2026 compels VASPs to disclose user data to the KRA), and financial stability concerns.

The primary trigger is the condition that one must obtain a licence to be able to provide virtual asset services in or from Kenya unless licensed. This prohibition applies regardless of where a business is incorporated. A foreign entity offering crypto-asset services to Kenyan users (even from a server in another country) is deemed to be operating “in or from Kenya” and must therefore hold a licence.

Specific Activities That Trigger Licensing

The law defines the specific “virtual asset services” that require a licence. These are listed in the First Schedule of the Act. A licence is triggered if a company limited by shares (incorporated locally) engages in, or facilitates, any of the following on behalf of third parties – virtual asset exchanges; custodial wallet services; virtual payment processing; stablecoin issuance; virtual asset brokers, advisers and managers; as well as various tokenisation platforms.

Impact on Legal and Corporate Structures

Natural persons (individuals) are prohibited

An individual cannot obtain a VASP licence. The law explicitly prohibits natural persons from offering virtual asset services. Only a company limited by shares (incorporated locally) may apply.

Substance requirements: Merely incorporating is insufficient. To maintain a licence, an entity must demonstrate substantial local presence, including a physical office in Kenya and a board of at least three directors who are natural persons.

Compliance timelines

Transitional period: Existing VASPs were granted a one-year transitional period beginning 4 November 2025.

Deadline: This period expires on 4 November 2026.

Enforcement: After this date, operating without a licence constitutes a criminal offence. Penalties include fines of up to KES10 million or imprisonment for up to five years for individuals, and fines of up to KES25 million for companies.

Territorial Limits

There are no territorial limits on the requirement to obtain a licence. The Act explicitly applies to any person offering virtual asset services “in or from Kenya”, and the test for whether a person is operating in or from Kenya is functional and economic, not physical. A person is deemed to be operating “in or from Kenya” where that person derives an economic benefit or income from Kenya, regardless of physical presence and regardless of the jurisdiction of incorporation.

Transitional Period

The licensing requirements under the VASP Act, 2025 are indeed new, having come into force on 4 November 2025. However, the Act includes a one-year transitional period for existing virtual asset service providers. The transition period runs for one year from the Act’s commencement date. It began on 4 November 2025 and will expire on 4 November 2026.

The Licensing Process

Step 1: Determine your regulator (dual-regulator model)

The CBK regulates stablecoin issuers, virtual asset payment processors, and virtual asset wallet providers (custodial/payments-focused).

The CMA regulates virtual asset exchanges, brokers, investment advisers, managers, ICO/token offering providers, and tokenisation platforms.

Step 2: Pre-application preparation (estimated three–12 months)

Gap analysis: The business must be assessed against the specific capital and governance requirements for its category.

Documentation: Over 19 mandatory documents must be compiled, including business plans, AML/CFT policies, cybersecurity audits, and white papers (for token issuers).

Capital raising: Paid-up capital must be unencumbered cash and must be deposited/available prior to application.

Step 3: Submission

Application fee: Generally KES100,000 (KES20,000 for advisers).

Fees are non-refundable if the application is withdrawn or rejected.

Document submission: The following should be submitted to the relevant regulator (the CBK or CMA) – the second schedule application form, incorporation documents, the KRA PIN, the requisite mandatory documents, and audited financials.

Step 4: Regulatory review and interview

The regulator may require an in-person interview with directors and senior officers to assess their “fit and proper” status.

The regulator assesses financial integrity, AML/CFT capability, and technology infrastructure.

Step 5: Approval and licensing

Upon approval, the licence fee must be paid (eg, exchanges pay a licence fee of KES1 million).

Licences are typically valid for one year (expiring 31 December) and must be renewed annually.

Substance Requirements (Local Presence)

Substance requirements are strict and non-negotiable.

Legal incorporation

The entity must be a company limited by shares incorporated in Kenya under the Companies Act, 2015 (foreign companies must register a local subsidiary).

Physical office

A registered physical address in Kenya with suitable premises for record-keeping is mandatory. Virtual offices are unlikely to suffice.

Operational infrastructure

Technology systems must be production-ready at the application stage (prototypes are not accepted).

Servers and data systems must support real-time transaction recording and seven-year record retention.

Asset segregation

Consumer virtual assets must be segregated from the VASP’s operational funds at all times (strictly enforced).

Local Personnel and Governance Requirements

The framework mandates that key decision-makers be anchored in Kenya and subject to regulatory vetting.

Board of directors

A minimum of three directors is required. At least one third must be independent (non-executive).

Key management personnel

A CEO, compliance officer (AML/CFT expertise), and internal auditor must be appointed.

"Fit and proper" test

All directors, the CEO, compliance officer, senior officers, significant shareholders (≥10% ownership), and beneficial owners must all be tested.

Criteria: Regulators assess probity (police clearance), competence (CV/qualifications), and financial soundness.

Shareholding cap (the 33.33% rule)

For exchanges, stablecoin issuers, and wallet providers, no single person may control more than 33.33% of voting rights, shares, or board appointments without regulatory pre-approval.

Prudential Capital Requirements

Capital must be unencumbered (not borrowed, loaned, or subject to liens).

Stablecoin issuers

Stablecoin issuers face the highest requirement with paid-up capital of KES500 million and liquid capital of KES100 million or 100% of current liabilities for at least 30 days, whichever is higher.

ICO providers, tokenisation providers, and token issuance platforms

ICO providers, tokenisation providers, and token issuance platforms each require paid-up capital of KES200 million and liquid capital of KES40 million or 8% of total liabilities, whichever is higher.

Virtual asset exchanges and wallet providers

Virtual asset exchanges and wallet providers each require paid-up capital of KES150 million, with exchanges requiring liquid net worth equal to 50% of estimated gross operating costs for the next 12 months, and wallet providers requiring liquid capital of KES30 million or 100% of current liabilities for at least 30 days, whichever is higher. Virtual asset payment processors require paid-up capital of KES50 million and liquid capital of KES10 million or 20% of paid-up capital, whichever is higher.

Virtual asset brokers and managers

Virtual asset brokers and managers each require paid-up capital of KES30 million and liquid capital of KES6 million or 8% of total liabilities, whichever is higher.

Virtual asset investment advisers

Virtual asset investment advisers have the lowest threshold, with paid-up capital of KES2.5 million and liquid capital of KES1 million or 8% of total liabilities, whichever is higher.

All VASPs are required to notify the relevant regulatory authority of any material change to the business; a term defined to include a merger with or acquisition of another legal person and the sale of a subsidiary or acquisition of a controlling interest in another entity. The Act prohibits any person from acquiring or disposing of shares, or otherwise causing a change in control, without prior regulatory consent.

Specific Triggers Requiring Pre‑Approval

The following transactions require formal regulatory approval before completion:

• any change in shareholding of the VASP – irrespective of whether it results in a change of control;
• issuance of new shares that could alter control dynamics;
• acquisition of a controlling interest in a VASP or in another entity by a VASP;
• merger with or acquisition of another legal person by a VASP; and
• sale of a subsidiary where the VASP is either the buyer or the target.

The detailed approval timelines, fees, and procedural requirements will be published in subsidiary regulations once finalised by the CBK and CMA.

Vetting of Acquirers: The “Fit and Proper” Test

Any person acquiring a controlling interest in a licensed VASP will be subject to the same “fit and proper” test that applies to initial licence applicants. The regulator assesses:

• competence – relevant qualifications, experience in virtual assets or financial services;
• probity – clean criminal record, absence of regulatory sanctions, financial integrity; and
• financial soundness – source-of-funds verification, ability to support the VASP’s capital requirements.

For CBK‑regulated entities (wallets, payment processors, stablecoin issuers), additional scrutiny may apply to ensure the acquirer does not jeopardise financial stability or payment system integrity.

Licence Non‑Transferability

VASP licences are not transferable, except with prior written regulatory approval. Any change in the legal or beneficial ownership of the licensed entity effectively requires the regulator to re‑assess the licence holder’s eligibility.

Kenya’s VASP licences are territorially restricted to Kenya and cannot be automatically passported into other jurisdictions. The Act does not provide for mutual recognition of licences or any mechanism allowing a Kenyan VASP licence to grant easier access to foreign markets without additional local authorisation.

It bears mention however, that in March 2026, the CBK and the National Bank of Rwanda signed an MoU to develop a Licence Passporting Framework for Payment Service Providers (PSPs) between the two countries.

Once implemented, a licensed payment company in Kenya (including fintechs and mobile money operators) could expand into Rwanda without undergoing an entirely new licensing process, based on the mutual recognition of licences. The framework remains subject to finalisation and would still require supervision by both regulators.

This initiative is currently limited to PSPs under the CBK’s traditional payments remit. It does not yet extend to VASPs regulated by the CMA. However, it signals a change in regional direction towards passporting for financial services licences within the East African Community.

Kenya imposes material restrictions on cross‑border marketing of blockchain and crypto‑asset services.

Extra‑Territorial Scope – “In or From Kenya”

A person is deemed to operate in or from Kenya if they derive an economic benefit or income from Kenya, irrespective of physical presence. Consequence: An offshore provider actively marketing to Kenyan consumers cannot assume that a lack of local establishment removes it from regulatory scope.

Broad Definition of “Marketing”

This covers online marketing, social media, white papers, brochures, seminars, telemarketing, and any promotional communication intended to promote virtual assets or related services.

Content and fairness requirements

• Prohibited: False, misleading, deceptive, or non‑compliant advertisements.
• Mandatory: Marketing must be fair, clear, complete, concise, unambiguous, unbiased, and in plain language.
• Identifiers required: Licensee name, licence number, registered office, and (where applicable) third‑party promoter.

Specific Disclosure Obligations

Any reference to fees, costs, commissions, performance, or product features must not be misleading and must fairly reflect risks and limitations.

Internet advertising must not obscure warnings or reduce visibility of disclosures.

Approval Requirements

General VASP activity in or from Kenya requires a licence.

ICO promotion requires a specific application and approval; marketing may not begin before the white paper is published.

Stablecoin marketing is subject to stricter controls in that it:

• must be consistent with the published white paper;
• must clearly state the redemption right at par value;
• must identify the issuer’s website and contact details; and
• may not be disseminated before the white paper is published.

Reverse Solicitation

The draft Regulations do not expressly recognise reverse solicitation as a safe harbour or exemption. As the framework focuses on offering services in or from Kenya and on targeted promotions, reverse solicitation would at best be a factual defence in a narrow case, not a guaranteed exemption.

Laws and Regulations

The marketing of digital assets in Kenya is governed by a combination of general consumer protection laws and a bespoke framework under the VASP Act, 2025 and its associated draft VASP Regulations, 2026. Unlike the UK, Kenya does not have a separate advertising standards body dedicated to digital assets; instead, the proposed regulations integrate strict marketing rules directly into the financial services licensing regime, enforced by the CMA and the CBK.

Marketing communications must be fair, clear, not misleading, and presented in plain language. These rules apply to any person or entity offering virtual asset services “in or from Kenya”, defined broadly as deriving economic benefit from the country irrespective of physical presence. Advertising is defined widely to include websites, social media, email campaigns, seminars, and recorded presentations.

Key restrictions and requirements include:

• prior approval for token offerings, requiring a “no objection” notice from the regulator before any marketing campaign may commence;
• a licensing requirement, meaning only licensed VASPs may advertise their services;
• content and disclosure rules, requiring clear disclosure of fees, withdrawal conditions, and risks, with risk warnings prohibited from being hidden in fine print, margins, or behind links, and a ban on misleading advertisements or promises of guaranteed profits; and
• third-party liability, meaning promotions by influencers or third-party marketers are subject to the same rules and penalties.

Separately, the Consumer Protection Act, 2012 establishes a baseline for all advertising, prohibiting false or misleading representations about goods or services.

There is no explicit statutory or regulatory “white-label agent” model under the current VASP framework, meaning an unlicensed foreign firm cannot simply re-brand a local VASP’s licence and legally offer its own branded products to Kenyan users without acquiring authorisation or a clearly sanctioned agency arrangement approved by the regulators.

That said, two limited structures can emulate a white-label-like outcome under strict regulatory constraints. First, an external firm may operate as an agent or sales channel of a licensed VASP, with the licence holder remaining the regulated party responsible for compliance, AML/CFT, and conduct obligations, provided the arrangement is approved by the CMA or CBK. Second, an external firm can license technology or infrastructure from a licensed VASP, but to the extent it “sells into Kenya”, the local-facing entity must either be itself licensed as a VASP in Kenya or operate under a regulated payment or banking licence partner that wraps the crypto-enabled service into its own authorised product.

The VASP Act, 2025 and its implementing regulations do not contemplate decentralised finance (DeFi) as a regulatory category. The framework is designed for centralised, licensed entities with legal personality, identifiable management, a physical presence in Kenya, and the ability to comply with prudential, governance and AML/CFT obligations.

The VASP Act, 2025 and its implementing regulations do not expressly address whether CeFi firms may utilise DeFi protocols in connection with providing products and services into Kenya. There is no specific prohibition on CeFi–DeFi integration, nor is there explicit permission or dedicated guidance. The practical implication is a de facto prohibition on CeFi firms using DeFi in connection with serving Kenyan users, as doing so would place the licensed firm in breach of regulatory requirements to deal exclusively with authorised persons.

The VASP Act establishes a comprehensive licensing regime for all virtual asset activities. Critically, it mandates that only a “company limited by shares” incorporated under the Kenyan Companies Act (Cap 486) can be licensed to operate as a VASP. This implies that the regulatory framework is purpose-built for centralised, accountable entities with identifiable human controllers. This legal requirement immediately disqualifies a decentralised autonomous organisation (DAO), which lacks a defined legal personality under Kenyan law. Consequently, it is legally impossible for a DAO to obtain the licence required to offer DeFi services to the public in or from Kenya.

Under Kenya’s VASP regime, a “DeFi structure” cannot be set up as a decentralised, autonomous protocol. The regulatory framework is designed exclusively for centralised, licensed entities with legal personality, identifiable management, a physical presence in Kenya, and the ability to comply with prudential, governance, and AML/CFT obligations.

There is no specific judicial or regulatory guidance on how a purely decentralised, autonomous DeFi protocol would be treated in the event it caused financial harm in Kenya. The newly enacted legal framework (the VASP Act, 2025) does not contemplate DeFi as a regulatory category, and there are no reported enforcement actions specifically against a DeFi protocol.

Crypto-asset payments are permitted under the VASP Act, 2025 and Regulations. Any entity offering crypto-payment services “in or from Kenya” must obtain a licence from the CBK (for payments, wallets and stablecoins) or the CMA (for exchanges and tokenisation).

Tokenised real-world assets are regulated as virtual assets, subjecting them to the new VASP regime, with the regulatory trigger being the use of distributed ledger technology rather than the nature of the underlying asset. By contrast, non-blockchain equivalents such as traditional securities or real estate investment instruments are regulated under the Land Act, Capital Markets Act or the Companies Act.