The publication of Law No. 023/2026 of 25/05/2026 regulating virtual asset business ("the law”) marks a defining moment in Rwanda’s digital finance regulatory journey. This development is best understood not as a sudden policy shift, but as the formalisation of a trajectory that has gradually moved from caution to structured engagement with virtual assets.

For several years, Rwanda’s stance on virtual assets was characterised by regulatory caution. Crypto-assets were widely treated as high-risk instruments, with public messaging emphasizing that they were not legal tender and operated outside a formal regulatory perimeter.

The new law does not reverse that position. Instead, it consolidates it while introducing a licensing and supervisory framework that allows virtual asset activities to operate within defined legal boundaries.

In that sense, the law represents a refinement rather than a rupture: it draws a clear line between unregulated activity and permitted market participation under supervision.

A shift to regulated participation, not unrestricted adoption

A central feature of the law is its calibrated approach. It does not seek to mainstream crypto-assets as a parallel currency system. Instead, it creates a controlled entry framework for virtual asset service providers (VASPs), ensuring that only licensed and supervised entities can operate in the sector.

This distinction is important. The law is not an endorsement of virtual assets as money. Rather, it is a regulatory architecture designed to manage risk while enabling innovation—particularly in areas such as exchanges, custody services, tokenisation platforms and related digital financial infrastructure.

The emphasis remains firmly on safeguarding financial stability, consumer protection, market integrity, Anti-Money Laundering (AML)/Countering the financing of terrorism (CFT) and combating financing of proliferation (CPF) compliance, rather than promoting unrestricted market expansion.

Institutional design: a dual regulator model

One of the most significant policy choices in the law is its institutional design. The Capital Market Authority of Rwanda (CMA) is designated as the lead regulator for virtual asset business, reflecting a clear classification of these instruments as capital markets or investment-related products rather than currency.

At the same time, the National Bank of Rwanda (BNR) retains an essential oversight role wherever virtual assets intersect with payment systems or monetary policy considerations. This is particularly relevant given that the law restricts the use of virtual assets as a means of payment unless explicitly authorised by the central bank.

This dual structure creates a functional balance: CMA leads on licensing and market conduct, while BNR safeguards monetary and payment system stability. The Financial Intelligence Centre (FIC) remains central to the AML/CFT/CPF enforcement framework.

Defining the perimeter of regulated activity

The law casts a relatively wide regulatory net over identifiable virtual asset activities. These include exchange platforms, trading systems, custody and administration services, settlement and clearing functions, brokerage and advisory services, escrow arrangements, token issuance, and investment management activities.

However, it is equally notable for what it excludes. Fully decentralised protocols without identifiable operators fall outside the immediate scope of regulation.

This reflects a deliberate focus on intermediaries and structured service providers, although it also leaves important questions open regarding the future Treatment of Decentralized Finance (DeFi) arrangements, Decentralized Autonomous Organizations (DAOs), and non-custodial infrastructure.

Licensing as a gatekeeping mechanism

A key policy feature is that virtual asset business is reserved exclusively for licensed legal entities. Natural persons are not permitted to conduct such business in their individual capacity.

This reinforces a clear regulatory philosophy: virtual asset activity is to be institutional, accountable, and compliance-driven. Market participation will therefore require formal incorporation, governance systems, compliance capacity, and ongoing regulatory engagement.

Tight boundaries around payments and high-risk activity

The law takes a cautious stance on the use of virtual assets in the broader economy. They are not permitted as legal tender or general means of payment for goods, services, or financial obligations unless authorised by the BNR.

It also restricts or prohibits certain activities considered high-risk from a financial integrity perspective, including virtual asset ATMs, mining operations, and mixer or tumbler services.

These provisions reflect a clear policy direction: Rwanda is not seeking to develop an unregulated parallel payment system or anonymity-driven transaction environment. Instead, it is prioritizing traceability, supervision, and systemic control.

Tokenisation and stablecoins: innovation under supervision

The law’s explicit recognition of tokenisation and virtual asset offerings is one of its more forward-looking elements. It opens the possibility for real-world asset tokenisation, including in sectors such as real estate, commodities, and financial instruments.

At the same time, these activities are tightly regulated and subject to approval, disclosure, and investor protection requirements. This positions tokenisation as a regulated capital markets innovation rather than an unregulated fintech experiment.

Stablecoins receive particular attention given their hybrid nature. They sit at the intersection of payments, investment, and monetary stability. The law therefore subjects their issuance and listing to regulatory approval, while leaving critical technical and prudential details, such as reserve backing, redemption mechanisms, and custody arrangements, to future regulation.

Compliance-heavy operating environment for VASPs

For licensed virtual asset service providers, the law establishes an ongoing compliance framework rather than a one-off licensing requirement.

Obligations include AML/CFT/CPF controls, customer due diligence, transaction monitoring, governance standards, cybersecurity and technology risk management, segregation of client assets, reporting duties, consumer protection measures, and market conduct rules.

In effect, VASPs are brought into a regulatory environment closely aligned with traditional financial institutions, with continuous supervision and reporting obligations.

Alignment with global AML standards: the travel rule

A key pillar of the framework is its alignment with international AML standards, particularly the "travel rule” under Article 24.

The rule requires that when virtual assets are transferred through a service provider, identifying information about both the originator and beneficiary must be collected, retained, and shared.

This positions Rwanda within the global regulatory consensus that seeks to ensure traceability of virtual asset transfers and reduce their misuse for illicit financial flows.

Balancing opportunity and regulatory burden

From a policy perspective, the law offers clear advantages. It provides legal certainty, enhances investor protection, strengthens AML/CFT oversight, and signals Rwanda’s willingness to support regulated digital financial innovation.

However, it also introduces a more demanding compliance environment. Licensing, governance, cybersecurity, liquidity management, and reporting obligations will inevitably increase operating costs for market participants.

This creates an important structural tension: the framework may strengthen credibility and attract institutional actors, but could also raise entry barriers for smaller innovators depending on how implementing regulations are calibrated.

Unresolved questions and implementation risk

While the law establishes the core architecture, its practical impact will depend heavily on secondary regulations. Key areas still to be clarified include licensing categories, capital and liquidity thresholds, tax treatment of virtual asset transactions, DeFi and DAO classification, and transition arrangements for existing operators.

The success of the framework will therefore rest not only on its legal design, but on the clarity, proportionality, and predictability of its implementation.

Regional positioning

Rwanda’s approach aligns with a broader continental trend toward formal virtual asset regulation, alongside jurisdictions such as Kenya, South Africa, and Mauritius. However, its emphasis on capital markets regulation through the CMA, as well as its explicit treatment of tokenisation and stablecoins, gives it a distinct institutional orientation.

In that sense, Rwanda is positioning itself not simply as a regulator of risk, but as a potential structured hub for compliant digital finance activity in the region.

Conclusion

Ultimately, the law reflects a careful balancing act: enabling innovation while maintaining strong safeguards over financial stability, consumer protection, and financial integrity.

Its significance lies less in opening the virtual asset market and more in defining its boundaries. The real test will lie in implementation – whether the regulatory framework evolves into a predictable, proportionate system that supports innovation, or whether compliance complexity limits the very market development it seeks to structure.

Emmanuel Muragijimana is a Partner at K-Solutions & Partners, while Tamara Munya Buranga is an Associate at K-Solutions & Partners.