Kenya’s push to tax virtual assets has reached a turning point. The Finance Bill 2026, currently before Parliament, proposes to compel every virtual asset service provider to file annual information returns with the Kenya Revenue Authority, covering all transactions by Kenyan users. The question the bill does not answer is how much of that data the taxman can actually touch and under what conditions.
What the law already allows
The Tax Procedures Act sets the baseline. Section 59 empowers KRA to issue a notice demanding access to records or information about any person’s tax liability. Where access is refused, Section 60 allows the Commissioner to seek a court order granting entry to any building, place, property, document, or data storage device. Courts have confirmed these powers are constitutional, with the Court of Appeal in 2020 reinstating Section 60 after the High Court had suspended it.
Parliament drew a line in 2025. When the Finance Bill 2025 proposed deleting Section 59A(1B) — the clause that bars KRA from compelling businesses to share customer personal data — the National Assembly Finance Committee rejected it. The committee found the proposal failed the constitutional threshold under Article 31, which guarantees the right to privacy. The clause survived. The Finance Bill 2026 returns to the same ground through a different approach: mandatory VASP reporting, without specifying what data must be filed or setting a transaction threshold below which reporting does not apply.
A one-size-fits-all problem
Banks do not operate this way. Commercial banks file monthly, quarterly, and annual reports with the Central Bank, each categorised by type. Customer-level transaction data does not form part of routine regulatory returns. For large cash transactions, the Central Bank’s Banking Circular Number 5 of 2022 sets a uniform threshold: banks must report all cash transactions exceeding USD 10,000 to the Financial Reporting Centre under the Proceeds of Crime and Anti-Money Laundering Act.
The proposed VASP framework sets no equivalent threshold. The draft VASP Regulations 2026 introduce mandatory reporting requirements without distinguishing between providers by size, transaction volume, or risk profile. A small local platform processing retail payments faces the same reporting burden as a large exchange handling institutional flows. Industry players, including those who spoke at the Kenya Blockchain and Crypto Conference in May 2026, warned that this approach favours established foreign firms with compliance infrastructure over local startups that lack the capacity to absorb those costs.
Where data protection law intersects
Virtual asset service providers collect significant user data through Know Your Customer processes. That data places them squarely within the scope of the Data Protection Act 2019, as both data processors and data controllers. The Act obliges them to enforce data minimisation — collecting only what is necessary to provide the service. The VASP Act separately requires providers to retain client data for up to seven years.
Section 51 of the Data Protection Act provides for exemptions from data privacy protections where disclosure is necessary for tax purposes. That exemption matters, but it does not remove the requirement for proportionality. Warranting further data collection beyond what KYC already captures, without probable cause or a court order, crosses into territory the Data Protection Act was written to prevent.
Blockchain technology, the infrastructure that makes virtual assets work, is built on verifiable transaction records. That transparency does not mean user data becomes freely reportable to a regulator without procedural safeguards. Decentralised finance operates differently from traditional finance. Treating the two as equivalent — requiring identical disclosure obligations without accounting for how on-chain transactions are structured — produces rules that neither fits.
Three questions the bill must answer
The Finance Bill 2026, the VASP Act, and the draft VASP Regulations 2026 collectively move toward mandatory disclosure without resolving the framework that should govern it. Three questions remain open.
First, what data must a VASP file with the commissioner, and what falls outside the scope of a standard information return? Second, under what conditions does the taxman gain access to customer-level transaction data beyond what a routine return contains? Third, at what transaction value does a VASP become obligated to report to the Financial Reporting Centre — and should that threshold mirror the USD 10,000 standard that applies to banks, or reflect the different risk profile of virtual assets?
Kenya has a workable foundation in its existing tax, anti-money laundering, and data protection statutes. The gap is not legal authority — KRA already holds considerable powers. The gap is a clear, proportionate procedure that tells providers exactly what to report, when, and to whom, without requiring disclosure that goes beyond what the law and the constitution permit.
By Maryanne Njuguna, Co-Founder, Tech Rift Africa
