Kenya: From grey to green? The VASP Act, 2025 and the road out of FATF’s watchlist

The Virtual Asset Service Providers Act, 2025 (Act) represents one of the most significant regulatory developments in Kenya’s financial sector in recent years. The Act responds directly to the Financial Action Task Force’s (FATF) reinforced expectations on the regulation of virtual assets and Virtual Asset Service Providers (VASPs), particularly under FATF Recommendation 15, which requires countries to license, supervise, and enforce anti‑money laundering, counter‑terrorism financing, and counter‑proliferation financing (AML/CFT/CPF) requirements on VASPs.

This article builds on our earlier analysis of Kenya’s draft Virtual Asset Service Providers Regulations (draft Regulations) issued by the National Treasury (available here), which examined the detailed regulatory architecture proposed for the virtual asset sector. With the enactment of the Virtual Asset Service Providers Act, 2025, Kenya has now moved from policy intent to binding legislation. While much attention has been given to the draft Regulations, this article takes a broader perspective, considering how the Act aligns with FATF standards and what that alignment means for Kenya’s efforts to be removed from the FATF grey list.

What does the FATF expect?

The FATF sets the global standards for preventing money laundering and terrorist financing in the virtual asset ecosystem. In broad terms, its expectations can be grouped into three key pillars:

• Licensing and supervision of VASPs: VASPs must be licensed and subject to robust regulatory oversight. Competent authorities must have the power to supervise VASPs and take corrective or enforcement action where requirements are breached.

• Strong compliance controls: VASPs are expected to implement risk‑based AML/CFT controls comparable to those applied to traditional financial institutions. These include customer due diligence, record‑keeping, suspicious transaction reporting, sanctions screening, and the so‑called “travel rule”, which requires the transmission of originator and beneficiary information with transactions.

• Cross-border cooperation: Countries must ensure that regulators and law enforcement agencies can cooperate and exchange information across borders, particularly given the inherently cross‑jurisdictional nature of virtual asset activities.

The Act: Kenya’s new architecture for virtual asset regulation

The Act introduces a comprehensive framework that directly addresses several of the FATF’s expectations for virtual asset regulation.

• Mandatory licensing: All virtual asset businesses operating in Kenya must obtain a licence from the relevant regulator before commencing operations. As part of the licensing process, regulators are empowered to conduct fit‑and‑proper assessments of shareholders, directors, and senior management to ensure they are competent, financially sound, and of good repute. This framework aligns with FATF’s requirement to prevent criminals or their associates from owning, controlling, or managing VASPs.

• Comprehensive AML/CFT/CPF obligations: The Act subjects VASPs to Kenya’s existing AML/CFT/CPF framework, bringing them squarely within the same compliance perimeter as banks and other regulated financial institutions. Licensed VASPs are treated as reporting institutions and must be registered with the Financial Reporting Centre. Regulators are granted inspection and supervisory powers, including the authority to require access to records, enforce sanctions compliance, and issue binding guidance. This integration is significant, as it ensures that virtual asset activities are not regulated in isolation but are embedded within Kenya’s broader financial crime prevention regime.

• Enforcement powers and penalties: The Act grants regulators wide enforcement powers. These include issuing warnings, directing remedial action, restricting or suspending business activities, removing unfit directors or senior officers, revoking licences, and imposing substantial administrative penalties. Serious contraventions, such as operating without a licence or breaching core AML obligations, may also attract criminal liability, including fines and imprisonment. These measures respond to FATF’s requirement that sanctions be effective, proportionate, and dissuasive.

• Transaction transparency rules: The Act anticipates the implementation of transaction transparency requirements, including the sharing of originator and beneficiary information for virtual asset transfers. While the granular requirements will be set out in regulations that are currently in draft, Kenya’s existing AML legislation already applies in the interim. Ensuring coherence between the VASP Act, its regulations, and Kenya’s broader AML framework will be critical, particularly as the AML statute takes precedence where inconsistencies arise.

• Cross‑border cooperation and information sharing: Kenyan regulators are expressly empowered to cooperate and exchange information with foreign supervisory and enforcement authorities, as well as with domestic agencies. This facilitates consolidated supervision and international enforcement coordination and directly addresses one of the FATF’s core expectations for regulating virtual asset activities.

Will the Act be sufficient to get Kenya off the grey list?

While the Act demonstrates strong alignment with FATF’s standards on paper, its recent enactment raises important questions around implementation and effectiveness.

• Practical enforcement: How consistently and rigorously will the new framework be enforced in practice?

• Regulatory capacity: Do the Central Bank of Kenya and Capital Markets Authority have adequate resources, technical expertise, and supervise tools to oversee a rapidly evolving and highly technical sector?

• Regulatory coordination: How effectively will coordination work between the two regulators and other key agencies, particularly the Financial Reporting Centre?

• Regulatory momentum: Will Kenya be able to demonstrate tangible and measurable progress before its next FATF assessment?

A turning point for Kenya’s digital economy

The Act marks a significant shift for Kenya’s digital economy. It brings virtual asset businesses into the formal regulatory framework through licensing, governance standards, and alignment with Kenya’s anti‑money laundering regime. This is an important step toward building trust in the sector and meeting international expectations.

If effectively implemented, the Act could help move Kenya from a high‑risk, grey‑listed environment to a more credible, investor‑friendly market. 

For fintechs, crypto platforms, and blockchain businesses, this translates into clearer rules, better access to banking and capital, greater regulatory certainty, and increased confidence from partners and customers. 

However, its success will depend on consistent supervision, meaningful enforcement, and continued regulatory engagement with the industry.

John Syekei is a partner in the Nairobi office of Bowmans and heads the firm’s Intellectual Property and Technology practice group in East Africa. Cynthia Amutete is a senior associate in the Nairobi office and a member of the Banking and Finance department. Stephanie Mulului is an associate in the Intellectual Property and Technology Department of the Nairobi office.