Virtual Asset Service Providers (VASPs) are businesses that handle cryptocurrencies and digital tokens on behalf of users. This includes exchanges where people buy and sell crypto, platforms that transfer virtual assets between users, wallet providers that hold crypto for clients, and firms that manage or administer digital assets. In simple terms, if a company touches customer crypto as part of its service, it is likely to be treated as a VASP.
At the global level, the main reference point is the Financial Action Task Force (FATF). ATF requires countries to clearly define VASPs in law and ensure they are licensed or registered. Once licensed, Virtual Asset Service Provider must follow anti-money laundering (AML) and counter-terrorist financing (CFT) rules. These include knowing who their customers are (KYC), monitoring transactions for suspicious activity, keeping records, and complying with the Travel Rule. The Travel Rule requires VASPs to share basic sender and recipient information when crypto is transferred between platforms, similar to how banks share details for wire transfers.
While FATF sets the baseline, each country decides how licensing works in practice. In the European Union, the Markets in Crypto-Assets (MiCA) regulation creates a single framework across all member states. A VASP licensed in one EU country can operate across the bloc without applying again in each market. This “passporting” system is designed to reduce fragmentation while keeping common rules on governance, capital, and consumer protection.
The United States follows a more layered approach. At the federal level, VASPs must register with the Financial Crimes Enforcement Network (FinCEN) as money services businesses. On top of that, many states require separate licences. New York’s BitLicense is often cited as the most demanding, with strict rules on capital, cybersecurity, reporting, and management approval. As a result, some firms operate in most US states but exclude New York.
In Asia, countries such as Singapore and Japan apply close supervision through their financial regulators. Licensing focuses on financial soundness, internal controls, and system security, given the risks of hacking and fraud. Firms must show they can protect customer funds and operate resilient technology systems. Dubai has taken a different route by setting up the Virtual Assets Regulatory Authority (VARA), a dedicated regulator for crypto activities. VARA offers clear licence categories and staged approvals, allowing firms to grow from limited testing to full operations under supervision.
Across Africa, regulation has developed quickly in response to high crypto use, especially for remittances, payments, and access to digital financial services. For years, many regulators relied on warnings or informal guidance. That approach is changing as countries move toward laws that mirror FATF standards and bring crypto businesses into the regulated financial system.
Kenya provides a clear example of this shift. The Virtual Asset Service Providers Act, 2025, assented to in October and effective from November, sets out how VASPs in Kenya are defined, licensed, and supervised. The Capital Markets Authority (CMA) is named as the lead regulator, with the Central Bank of Kenya involved where virtual asset activities connect to payment services.
Under the Act, VASPs operating in Kenya must apply for a licence, maintain a physical office in the country, and appoint resident directors. They are required to keep customer assets separate from company funds, put in place strong AML and CFT controls, protect users through clear disclosures, and submit regular reports to regulators. In simple terms, crypto firms must now operate much like other regulated financial institutions, with clear accountability and oversight.
This framework replaces years of regulatory uncertainty with defined rules. Crypto businesses can operate lawfully, while authorities gain tools to deal with fraud, illicit finance, and consumer harm. For users, it means dealing with licensed firms that are subject to supervision rather than informal or offshore platforms.
Other African countries have taken different but related paths. In South Africa, the Financial Sector Conduct Authority licenses crypto firms as Crypto Asset Service Providers under the Financial Advisory and Intermediary Services Act. By late 2025, more than 300 licences had been approved, creating a large, supervised market. Nigeria regulates crypto through its Securities and Exchange Commission, which treats many digital assets as securities under the Investment and Securities Act 2025. Firms receive provisional VASP approvals and must follow rules on advertising, custody, and investor protection. Mauritius has one of the most established systems, with the Financial Services Commission issuing specific VASP licences for exchanges, brokers, custodians, and token issuers, combined with local presence requirements.
Across these markets, the core compliance expectations are similar. VASPs must assess customer risk, monitor transactions, report suspicious activity, protect personal data, and cooperate with regulators. While the legal structures differ, the goal is the same: allow crypto services to operate within clear boundaries.
Jefferson Wachira is a writer at Africa Digest News, specializing in banking and finance trends, and their impact on African economies.