Fintech & Payments 2026

Kenya Payments Licensing: A Strategic Guide

PSP and e-money pathways, VASP developments, and compliance as a commercial asset for fintechs operating in Kenya.

Kenya’s payments market is often described in the language of speed: faster checkout, instant transfers, real-time settlement, embedded finance. That narrative is accurate but incomplete. Payments innovation at scale is not only a product story. It is a regulatory perimeter story, and increasingly a governance and resilience story.

When a business “does payments” in Kenya, whether through a gateway, a digital wallet, merchant acquiring, or a platform layered onto mobile money rails, the question that matters is not simply whether the product works. It is whether the product is operating inside a licensing framework that regulators, counterparties, and sophisticated customers can recognise as safe.

Insight: Licensing is not merely an approval step. It is an operating standard that tests capital, governance, AML/CFT readiness, cybersecurity, reporting capability, and data governance.

1) The core shift: licensing as operational readiness

Early-stage teams sometimes treat licensing as a binary hurdle: “licensed or not licensed.” In practice, regulators treat licensing as a continuous assurance framework. It requires firms to demonstrate, before launch and throughout operations, that they can manage financial risk, conduct and consumer risk, financial crime risk, technology and operational risk, and data governance.

This changes how founders should plan. If licensing is treated as a late-stage filing exercise, it often collides with reality: incomplete governance, unclear control ownership, weak documentation, and vendor arrangements that do not match the regulatory story the firm wants to tell.

2) Who regulates payment services in Kenya

For most payment service providers and payment systems, the Central Bank of Kenya (CBK) is the anchor regulator under the National Payment System framework. CBK’s focus is pragmatic: safeguarding the integrity and stability of the payment ecosystem and protecting users.

Depending on the model, other authorities may also be relevant: the Capital Markets Authority (particularly where virtual assets or investment-adjacent features appear), the Communications Authority (where telecom rails/authorisations are integral), the Financial Reporting Centre (AML/CFT reporting posture), the ODPC (data protection compliance), and the KRA (tax compliance).

3) The payments licensing perimeter (substance over labels)

The fastest way to understand licensing is to describe the product functionally rather than in marketing terms. Regulators are generally less interested in whether a product is called a “platform” or a “technology provider,” and more interested in what it controls: transaction initiation and processing, issuance of stored value, operation of a payment instrument/system, control over settlement flows, and the integrity of communications to users.

In practical terms, licensing outcomes often turn on where the business sits in the value chain: whether it is processing payments, operating payment rails, issuing e-money, or touching customer funds even briefly.

4) PSP licensing pathways: why “PSP” is not one licence

“PSP licence” is commonly used as a shorthand, but in practice there are categories that reflect different risk profiles, particularly the distinction between facilitating payments and issuing stored value.

Electronic retail payments/transfer services (without e-money)

This category generally captures providers facilitating electronic retail payment transactions, such as gateways, acquiring/processing, and bill payments, without issuing stored value (e-money).

Small E‑Money Issuer (SEMI)

SEMI structures recognise that some wallet products are low-value or limited in scope. While thresholds may differ, the underlying supervisory expectations remain meaningful: governance, AML/CFT controls, cybersecurity posture, and reporting capability must be credible.

E‑Money Issuer

Where a platform issues, stores, and redeems e-money—particularly where it is usable with third parties—the regulatory intensity typically rises. At this level, safeguarding structures, reconciliations, consumer risk, and operational resilience become central.

Payment instruments and payment systems

Where a business owns or operates payment instruments/systems (including switching or settlement-adjacent infrastructure), the authorisation posture can shift again, particularly where scale raises systemic considerations.

5) Virtual assets: what the VASP Act signals

Kenya’s Virtual Asset Service Providers Act, 2025 signals a formal shift toward licensing and supervision of digital asset activity. While implementing regulations and guidelines are awaited, the strategic implication for product teams is immediate: classify activities honestly (custody, exchange, issuance, advisory) and build for licensing readiness: governance, AML/CFT maturity, cybersecurity controls, and defensible disclosures.

6) When payments drifts into banking-style regulation

A common strategic risk is designing a payments product that quietly begins to resemble deposit-taking or bank-like services. Where a model involves deposit-like accounts, savings behaviour, or lending structures, the licensing framework can shift into a materially stricter regime under the Banking Act. Product design should therefore be treated as regulatory design, particularly where the roadmap includes credit, savings, or account-like features.

7) Compliance as a commercial asset

For growth-stage fintechs, licensing and compliance are often viewed as cost centres. In reality, they are frequently deal accelerators. Sophisticated counterparties increasingly ask for evidence: who owns AML/CFT controls, what cybersecurity standards are implemented, how personal data is handled, what incident response looks like, and whether vendor relationships allocate responsibilities clearly.

Firms that can answer these questions with coherent documentation (governance papers, policies, logs, and enforceable contracts) move faster in negotiations and inspire confidence.

8) Timelines and capital: planning realistically

Licensing is a project, not a form. A realistic plan allows time for pre-application engagement, application review, regulator queries, and final issuance steps. Depending on the model and readiness, timelines can extend over several months and, in some cases, closer to a year.

Minimum capital requirements vary by category. By way of illustration, examples commonly referenced for certain PSP categories include: Small E‑Money Issuer (KES 1,000,000), electronic retail payments services (KES 5,000,000), e‑money issuer (KES 20,000,000), and designated payment instrument issuer (KES 50,000,000). Capital, however, is rarely the only determinant of speed; governance and operational controls are often what determine momentum.

How MN Legal helps

Licensing strategy, documentation, and regulatory posture

MN Legal supports clients across the lifecycle of payment and digital finance businesses—from early model structuring to licensing submissions and ongoing compliance posture. This typically includes mapping transaction flows to the right authorisation pathway, preparing governance and compliance documentation, aligning AML/CFT and operational resilience expectations, advising on data protection governance, and structuring partner/vendor contracts so the operating model matches the regulatory position.



Disclaimer: This article is general information and does not constitute legal advice. Licensing requirements vary by jurisdiction and facts. For advice on your specific model, please contact MN Legal.