Thomas Louis Advocates

Thomas Louis Advocates

Thomas Louis Advocates

Thomas Louis Advocates

Rwanda’s Draft Law on Virtual Asset Business, 2026 | TLA Legislative Watch

May 7, 2026 by Thomas Louis Advocates Legislative Watch
Home | Legislative Watch | Rwanda’s Draft Law on Virtual Asset Business, 2026 | TLA Legislative Watch

Jurisdiction: Rwanda     Status: Before Parliament     Structure: 8 Chapters, 35 Articles

The Government of Rwanda has tabled the Draft Law on Virtual Assets Business (the “Draft Law”), currently before Parliament. The instrument is principle-based rather than prescriptive: licence categories, capital thresholds, fees, fit-and-proper criteria, governance, sandbox eligibility and administrative sanctions are all deferred to subsidiary CMA regulations. This Review benchmarks the Draft Law against its cited comparators — the Commonwealth Model Law, EU MiCA, Dubai VARA, Malaysia, and Kenya’s VASP Act 2025 / Regulations 2026 — and flags drafting and policy issues for parliamentary review.

Article 4 designates the Capital Market Authority (CMA) as the sole regulator — a deliberate departure from Kenya’s twin-peaks model (CBK plus CMA). Articles 5–7 set out CMA powers (including a power to ban specific asset types), functions (rule-making, supervision, AML/CFT, innovation, and central authority for international information exchange), and a CMA–BNR cooperation framework, with the BNR retaining monetary, payments-system and stability oversight.

ISSUE — COORDINATION AND ASSET-BAN POWERS Article 7 mandates a CMA–BNR consultation framework but specifies neither timeline nor public availability — contrast Kenya’s quarterly Coordination Committee under Regulation 142. Article 5(e), the power to ban asset types, carries no procedural safeguard, no obligation to give reasons, and no appeal route as drafted.

II.  LICENCE CATEGORIES

Article 9 imposes the basic licensing obligation; detailed application requirements are deferred to CMA regulations. Article 10 enumerates twelve listed services plus a residual catch-all conferring on the CMA the power to designate further services.

#Listed Service (Article 10)
1Operating a digital platform for issuing, listing, buying, selling and trading virtual assets
2Clearing and settlement of virtual asset transactions
3Exchange of fiat currency into virtual assets and vice versa
4Exchange between forms of virtual assets
5Transfer services for virtual assets on behalf of customers
6Reception and arrangement of orders
7Placement of virtual assets
8Custody and administration
9Virtual asset escrow services
10Investment advice
11Investment management
12Any other service determined by the CMA

This catalogue is broadly aligned with FATF Recommendation 15 and MiCA Article 3(1)(16). However, the Draft Law does not establish, in primary legislation, a system of licence categories mapping each licence to a defined subset of services. By contrast, Kenya’s instrument creates ten distinct licence categories — wallet provider, payment processor, exchange, broker, investment adviser, manager, three offering-provider sub-categories and stablecoin issuer — each with its own capital, fee and conduct profile.

III.  INITIAL MINIMUM PAID-UP CAPITAL

Article 11(1) imposes the obligation to maintain initial minimum paid-up capital. Article 11(2) defers the actual quantum to CMA regulations. There is no schedule, no anchor figure and no statutory tiering principle. Kenya’s Fifth Schedule, by comparison, prescribes paid-up capital ranging from KES 2.5M for an Investment Adviser to KES 500M for a Stablecoin Issuer. The absence of a statutory anchor leaves market participants without a basis to plan capital raises pending the issuance of regulations.

IV.  REGULATORY SANDBOX

Article 12 establishes a regulatory sandbox jointly administered by the CMA and the BNR for innovative business models not otherwise covered by the Draft Law, with a graduate able to apply for a full licence on successful testing. The substantive deferral is, in this case, defensible: sandbox criteria are intrinsically experimental and benefit from the ability to evolve. However, joint administration with the BNR raises the question of what happens where the two regulators disagree on admission — the Draft Law does not specify a tie-breaker.

V.  PROHIBITIONS (ARTICLE 13)

Article 13 contains the most consequential set of substantive prohibitions in the Draft Law: (i) natural persons cannot conduct VA business in Rwanda; (ii) virtual assets are not legal tender; (iii) virtual assets cannot be used as a means of payment for goods, services, debts or other financial obligations “unless authorised by the Central Bank”, with no process or criteria for such authorisation set out; (iv) VA mining facilities, ATMs and mixer/tumbler services require CMA authorisation in collaboration with other competent authorities, although the default position is prohibition and the authorisation route is not described; and (v) marketing, advertising and promotion of virtual assets or VA activity is prohibited absent a VASP licence — a wide drafting that, on its face, captures publishers, social-media influencers, conference organisers and journalists publishing on virtual assets.

VI.  ISSUANCE — TOKENISATION, IVAOS AND STABLECOINS

Tokenisation of Real-World Assets (Article 14)

Article 14 establishes a CMA-approval-based regime for the issuance and listing of tokens representing real-world assets. Substantively it requires CMA approval; valuation by a “qualified asset valuer” on a transparent, periodic basis; 100% collateralisation; ring-fencing of the underlying assets (which cannot be lent out for additional yield); custody by a “professional and licensed custodian” subject to regular CMA-determined audits; and verifiable documentation evidencing the issuer’s ownership. Article 14(6) excludes from tokenisation: sovereign assets, public infrastructure, personal identifiable information, artworks and “any other asset that cannot be transparently valued, legally enforced and ethically justified.” Article 14(7) preserves the CMA’s power to designate additional inappropriate tokenisation targets on “public interest or regulatory risk” grounds.

Initial Virtual Asset Offerings (Article 15)

Article 15 imposes a CMA-approval requirement on first-time public offers, and prescribes the contents of the supporting white paper: features, targeted investor categories, investor rights and issuer obligations, technology disclosures, risk disclosures (volatility, technology, cyber), tax-compliance attestation and ongoing periodic reporting commitments. The framework is broadly aligned with MiCA Article 6 and Kenya’s ICO white paper requirements but is materially less prescriptive in three respects: it does not impose joint and several liability on issuers, directors, significant shareholders and auditors for losses arising from a misleading white paper (Kenya’s draft Regulation 67 expressly does); it confers no retail withdrawal right (MiCA gives a 14-day right); and it is unclear whether CMA approval is a substantive (“merit”) review or a disclosure-based review — best practice is the latter, with explicit non-warranty language.

Stablecoins (Article 16)

Article 16 requires CMA approval for issuance, admission or listing; demonstration of the reserve and peg mechanism by a qualified asset valuer; 100% collateralisation, ring-fencing and a prohibition on lending reserves for yield; auditor confirmation of redemption-coverage liquidity; means of verification of the underlying reserve; and custody by a professional licensed custodian, audited regularly. Reserves must be separated from issuer assets and from other creditors’ claims in insolvency. Five protective elements present in MiCA, Singapore and the Kenyan framework are however absent: an express redemption-at-par right; a whitelist of permitted reserve assets; treatment of interest-bearing structures; multi-stablecoin reserve segregation; and a same-currency redemption rule.

VII.  VASP OPERATIONS AND CONDUCT (ARTICLES 17–25)

Chapter V sets out a principles-based regime aligned with FATF, IOSCO and MiCA. VASPs must submit periodic reports including a quarterly return covering account openings, transaction values and volumes, fraud incidents, customer complaints and remedial measures, and must file audited annual financial statements; suspicious transactions must be reported regardless of amount (Article 17). VASPs must immediately notify the CMA of insolvency risk, cyber-attacks (including attempted attacks), criminal proceedings in Rwanda or abroad, the opening or cessation of foreign operations, and any other event threatening financial-sector stability or integrity (Article 18).

Articles 19–20 require honest and fair conduct, due care, skill and diligence, customer asset protection, complaints mechanisms and effective corporate governance, with a minimum liquidity ratio left to the CMA. Article 21 implements FATF Recommendation 16 (the Travel Rule), requiring the originating VASP to collect and securely transmit prescribed originator and beneficiary information above a competent-authority-set threshold, and the receiving VASP to capture and hold it. Articles 24–25 impose customer data and asset protection, transaction-tracing tools for wallet screening, and a comprehensive technology and information-security regime including periodic independent audit — among the strongest operational provisions in the instrument.

ISSUE — ARTICLE 22 DRAFTING ANOMALY AND MISSING MARKET-ABUSE DEFINITIONS Article 22(1)(a) provides, in the English version, that the VASP “provides the consumer or the investor with the right advice that may incite them to buy, invest, make greater use of, or continue to use a certain product” — plainly inverted from any defensible consumer-protection standard. Article 23 also fails to define or prohibit specific market-abuse conduct (insider trading, market manipulation, front-running, wash-trading, spoofing, layering); MiCA Title VI and Kenya’s draft Regulation Part VIII both do.

VIII.  SUPERVISION AND ENFORCEMENT

Article 26 confers on the CMA the power to inspect or examine VASPs at any time, in the manner the CMA determines, and to appoint inspectors, examiners or experts; VASPs must cooperate fully. Article 27(1) provides that the CMA may take enforcement action “in its sole and absolute discretion”, with Article 27(2) requiring the CMA to consider the violated instrument, the nature, seriousness and impact of the violation, post-violation conduct and compliance history, and prior actions in similar cases. Article 27(4) lists available sanctions: written reprimand, enforcement notice, licence suspension or revocation, business cessation, and scope limitation. The phrase “sole and absolute discretion”, coupled with the absence of an express appeal route, is in tension with administrative-law fairness norms.

IX.  FAULTS, OFFENCES AND PENALTIES

Article 28 defers the catalogue of administrative faults, sanctions and procedure wholly to CMA regulations — there is no statutory floor or ceiling on administrative penalties. Articles 29–31 create three categories of criminal offence:

Offence (Article)PersonFine (FRW)Imprisonment
Unlicensed VA business (29)Natural person30M – 50M3 – 5 years (or fine alone)
Unlicensed VA business (29)Legal entity50M – 100M
Unlicensed marketing/advertising (30)Natural person5M – 10M6 months – 1 year (or fine)
Unlicensed marketing/advertising (30)Legal entity10M – 20M
False info / obstruction / unauthorised role (31)Natural person3M – 5M6 months – 2 years (or fine)

X.  FREEZING OF VIRTUAL ASSETS

Article 32 empowers a competent authority to order the freezing of virtual assets where there is suspected involvement in money laundering, terrorism financing, proliferation financing, fraud or other financial crimes. Freezing may be ordered on substantiated evidence or in the course of an investigation, and must comply with international sanctions including UN Security Council Resolutions. VASPs and issuers must comply with prohibitions on transactions with designated persons. The Draft Law does not, however, address operational details: fiat-conversion power, allocation of price-movement risk, chain-of-custody documentation, or fast-track restitution where freezing is ultimately lifted.

XI.  REGULATOR IMMUNITY, LANGUAGE AND ENTRY INTO FORCE

Article 33 confers immunity on the CMA, its Board members, senior managers and staff for actions and omissions taken in good faith. The provision is standard and comparable to section 30(3) of the Capital Market Law. However, the absence of a corresponding statutory appeal mechanism for those affected by CMA decisions — licence refusals, sanctions, classifications, asset bans — creates an asymmetry that we recommend be cured by an explicit appeal route to the High Court (Commercial Division) or a dedicated review body, with clearly stated timelines and standing rules.

Article 34 records that the law was “drafted in English, considered and adopted in Ikinyarwanda”, which under Rwandan legislative practice makes the Kinyarwanda version authoritative for interpretation. The Article 22(1)(a) anomaly noted above is unlikely to be the only such case; we recommend trilingual cross-checking before promulgation. Article 35 provides that the law comes into force on publication in the Official Gazette — with no transition period, no grace period, no grandfathering for existing operators and no staged commencement.

XII.  RECOMMENDATIONS FOR PARLIAMENTARY REVIEW

  1. Insert a transition period in Article 35 — a minimum of twelve months from gazettement, with a registration window and a deemed-licensing fast-track for operators already in regulatory dialogue.
  2. Anchor capital thresholds in primary law — either a tiered statutory schedule, or an obligation on the CMA to consult before publishing category-specific tiers, with size-and-risk calibration on the Singapore/South Africa model.
  3. Establish licence categories in primary law — map the Article 10 services to a defined set of licence types, parallel to Kenya’s ten-category framework.
  4. Define operative terms missing from Article 2 — “qualified asset valuer”, “professional and licensed custodian”, “industry standards”, “high-net-worth/qualified/institutional investors”, and “competent authority”, with cross-references made express where applicable.
  5. Strengthen Article 16 (stablecoins) — introduce redemption at par, a permitted-reserve whitelist, treatment of interest-bearing structures, multi-stablecoin segregation, a same-currency redemption rule and a regime for foreign-issued stablecoins (reciprocity or whitelisting).
  6. Specify the FATF Travel Rule threshold — either by reference to FATF Recommendation 16 or by a specific FRW figure with annual indexation.
  7. Define the Article 13(3) BNR-authorisation pathway — with statutory criteria, a published process, a decision timeline and an appeal mechanism. Stablecoin payments cannot operate in the regulatory limbo Article 13(3) creates.
  8. Disaggregate the mining/ATM/mixer prohibition — separate provisions and authorisation criteria with tax/energy/AML treatment proportionate to the risk of each.
  9. Carve out journalism, academia and education — from the Article 13(5) marketing prohibition to address constitutional and regional human-rights concerns.
  10. Replace “sole and absolute discretion” in Article 27 — with explicit procedural-fairness obligations, reasoned decisions and a statutory appeal route paired to Article 33 immunity.
  11. Define market-abuse offences expressly — insider trading, market manipulation, front-running, wash-trading, spoofing and layering, in line with MiCA Title VI and Kenya’s draft Regulation Part VIII.
  12. Add operational detail to the freezing power — fiat-conversion safeguards, allocation of price-movement risk, chain-of-custody and fast-track restitution.
  13. Specify mens rea in the Articles 29–31 offences — to align with Article 18 of the Penal Code.
  14. Publish the CMA–BNR memorandum of cooperation — within a fixed period from gazettement, with public-availability and audit obligations.
  15. Cross-check the trilingual drafting — the Article 22 anomaly is unlikely to be unique, and Article 34 makes the Kinyarwanda version operative.
  16. Correct typographical errors in the Table of Contents — “Ingingo ya 54” for “Ingingo ya 15”, “Article 178” for “Article 18”, and the duplication of “Ingingo ya 32” for what is in substance Article 33.

CONCLUSION

The Draft Law is a substantively well-grounded instrument. It draws on a defensible set of international comparators, aligns with FATF Recommendation 15 and the FSB’s “same activity, same risk, same regulation” principle, and reflects a coherent decision to regulate, rather than prohibit, virtual assets. The principal risks lie not in the policy but in the drafting: the volume of substantive content deferred to subsidiary regulations leaves a long uncertainty window after enactment; the absence of a transition period will technically criminalise an active informal market on day one; Articles 22, 27, 31 and 35 contain drafting choices likely to generate dispute; the stablecoin article omits five protective elements present in peer instruments; and trilingual cross-checks have not yet been performed. Each is correctable within the current parliamentary process, and with the changes recommended above the Draft Law would compare favourably with any peer instrument in Africa.

Rwanda VASP Regulations_TLA Legislative WatchDownload

Leave a Reply

Your email address will not be published. Required fields are marked *