Regulating Virtual Assets: Fintechs Prepare for New Compliance Demands

By Richard NUNEKPEKU &Harold Kwabena FEARON

In continuation of its dedication to overseeing digital assets, the Bank of Ghana (BOG) has initiated the registration process for all Virtual Assets Service Providers (VASPs) functioning within Ghana, such as exchanges, wallet administrators, and custodians.

This preliminary registration process aims to assist the Bank in identifying active participants, evaluating operational risks, and establishing initial oversight prior to the implementation of the upcoming Virtual Asset Service Providers (VASPs) Act.

It represents the initial tangible action in integrating virtual asset businesses within the regulatory framework and indicates the Bank's determination to act swiftly and firmly once the law is passed.

In contrast to mobile money, which is an electronic version of traditional currency (fiat), virtual assets like cryptocurrencies have emerged as completely new digital-only forms of value. Utilizing blockchain technology, they are starting to act as stores of value, means of exchange, and measures of worth – roles typically fulfilled by fiat money. As their usage expands worldwide, authorities across the globe are working quickly to establish clear regulations for their application.

In Ghana, the Central Bank has also acknowledged the need for regulatory clarity. It has stated its plan to establish a formal regulatory system by the end of September 2025, by enacting a new Virtual Asset Service Providers Act – Ghana's initial thorough virtual assets legislation.

For financial technology firms functioning in Ghana or considering market expansion, the new legislation will impose various compliance responsibilities: licensing conditions, anti-money laundering and counter-terrorism financing measures, reporting guidelines, and additional requirements. Being prepared for these compliance expectations and ensuring adherence will be essential for these companies to stay competitive and compliant once the law is implemented. Considering this, this article predicts the compliance challenges, including potential new ones that the upcoming law might bring, and provides some actionable steps for service providers to maintain compliance.

The foundational compliance demands

Although the upcoming Virtual Asset Providers Act is set to establish a specific licensing and regulatory framework for VASPs, the compliance challenges it will bring might not be completely new for participants in the fintech industry. In several respects, the expected standards will resemble the current compliance responsibilities that are already in place for Payment Service Providers (PSPs) and other authorized financial service providers.

Similar to all business organizations, VASPs must establish and register with current primary general regulators including the Office of the Registrar of Companies (ORC), the Ghana Revenue Authority (GRA), the Social Security and National Insurance Trust (SSNIT), the Data Protection Commission, and the appropriate District, Municipal, or Metropolitan Assemblies. The compliance requirements associated with these fundamental legal registrations will remain in effect, and VASPs will be expected to adhere to these responsibilities thoroughly.

Additionally, VASPs are anticipated to follow general financial regulatory guidelines that fintech and financial service companies have traditionally adhered to, such as strong Know Your Customer (KYC) procedures, following Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT) measures, and meeting data protection and privacy requirements outlined in the Data Protection Act.

Furthermore, regulatory demands are expected to cover aspects like cybersecurity protections, risk-focused internal controls, and adhering to applicable international certifications such as ISO/PCI DSS along with best practice standards relevant to digital financial services. In essence, although the VASP framework will provide a more organized and customized compliance approach for virtual asset providers, many of its conditions will be based on current regulatory bases.

Some expected new regulatory obligations

Although the regulation of Virtual Assets is expected to be based on the current regulatory framework, it may bring about certain new compliance obligations due to the inherent risks involved. The Central Bank will implement a risk-focused and principle-based compliance system that aligns with global standards and draws from experiences in regions that have already pioneered regulations in the virtual asset sector.

Based on an initial review of the Bank’s Draft Guidelines concerning Digital Assets and remarks from its leadership, the planned regulatory system is expected to be significantly influenced by the principles established under the EU's Markets in Crypto-Assets (MiCA) framework, Singapore's Payment Services Act, Nigeria's SEC Rules for Digital Assets, and Kenya's proposed Virtual Asset Service Providers Bill 2025, along with other similar frameworks. These global examples offer a comprehensive view of what compliance might entail in Ghana.

1. Licensing and regulatory authorization: Ghana's strategy is anticipated to establish a formal licensing system, potentially categorized based on function—such as a cryptocurrency exchange, wallet service, broker-dealer, or custodian. This aligns with the EU's Markets in Crypto-Assets Regulation (MiCA), which requires comprehensive licensing for all types of Crypto Asset Service Providers (CASPs), including fit-and-proper evaluations for leaders and senior staff, along with the provision of thorough business plans, governance structures, and internal policies.

In the same way, Singapore's Monetary Authority (MAS) mandates licensing under its Payment Services Act for Digital Payment Token (DPT) services. Entities offering such services must go through thorough approval procedures to prove their financial stability, internal controls, risk management systems, and cybersecurity readiness.

Kenya's 2025 VASP Bill aims to implement a tiered licensing system, distinguishing between issuers, exchange platforms, custodial services, and wallet providers. In Ghana, we anticipate that the Central Bank will follow a comparable approach, categorizing functions and applying different levels of compliance requirements depending on the risk and size of the service.

1. AML/CFT adherence and the FATF travel rule:Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) will serve as key components of Ghana's regulatory framework for Virtual Asset Service Providers (VASPs). The Financial Action Task Force (FATF)'s Travel Rule, requiring VASPs to gather and share details about the sender and recipient of transactions, has established an international standard.

The EU's updated Transfer of Funds Regulation, known as MiCA, along with Singapore's AML Guidelines (PSN02), all implement the Travel Rule. These regulations require VASPs to conduct Customer Due Diligence (CDD), keep detailed transaction records, watch for warning signs, and report any unusual activity.

In Nigeria, the SEC's digital asset framework mandates that authorized VASPs establish risk-focused AML/CFT programs that comply with the nation's Money Laundering (Prohibition) Act. This involves providing staff training, conducting compliance reviews, and designating a specific compliance officer. Ghana, which is part of both the FATF and the Inter-Governmental Action Group against Money Laundering in West Africa (GIABA) (the regional FATF equivalent for West Africa), is expected to enforce AML/CFT responsibilities in line with these global standards. Consequently, VASPs will need to record risk evaluations, develop client verification procedures, implement transaction surveillance mechanisms, and ensure ongoing employee education as part of their compliance duties.

1. Information security, confidentiality, and digital safety:The EU's GDPR, which works in conjunction with MiCA, and Singapore's Personal Data Protection Act (PDPA), set standards that are expected to impact Ghana's approach. Both regions mandate digital asset companies to implement data minimization, privacy-by-design concepts, and encryption methods.

Furthermore, the Central Bank's Draft Guidelines regarding Digital Assets highlight a significant focus on cybersecurity strength, indicating that VASPs may need to adopt intrusion detection systems, perform routine penetration testing, and establish disaster recovery plans. For example, the MAS mandates mandatory cybersecurity reviews and bans DPT service providers from offering lending or staking services to individual customers in order to reduce systemic risk. These regulatory requirements are anticipated to be key components of the legislation governing VASPs in Ghana.

1. Consumer rights and financial education:Consumer safety is a key regulatory priority worldwide, and Ghana is anticipated to adopt similar measures. With MiCA, individuals or entities issuing crypto assets and cryptocurrency exchanges must provide explicit risk disclosures, ensure customers comprehend the product details, and keep client funds separate from company resources. Singapore's MAS has taken additional steps by mandating that service providers evaluate customer understanding and willingness to take risks prior to accepting them as clients, and by prohibiting the promotion of digital asset services in public areas or through mass media—actions aimed at protecting retail investors from potential speculative losses.

In the context of Ghana, we expect that the law and regulations will incorporate robust consumer-focused responsibilities, such as transparent fee explanations, product risk markings, channels for lodging complaints, compulsory methods for resolving disputes, and necessary remedies in cases of improper selling or fraud.

1. Management, internal safeguards and disclosure:Numerous regions require the regular submission of financial statements, compliance audits, and operational reports. With MiCA, CASPs must establish a complaints handling system and face regulatory oversight that involves on-site visits and enforcement authority. In Kenya, the VASP Bill suggests submitting quarterly operational reports and mandates the hiring of compliance officers and internal audit roles.

In Ghana, the Central Bank may ask VASPs to appoint a Compliance Officer, provide regular reports, and inform the regulator about any significant business changes. Service Providers might also need to have annual audits, establish governance frameworks, and put in place internal controls similar to those mandated for other financial institutions regulated by the central bank.

1. Innovation trial and temporary regulatory compliance:Another key feature of contemporary VASP systems is innovation. In Japan, regulatory sandboxes are being utilized to support stablecoin initiatives. Singapore's MAS also provides regulatory sandbox frameworks that enable startups to trial their offerings in controlled settings before obtaining full licenses. The UAE's Virtual Assets Regulatory Authority (VARA), via its sandbox, facilitates regulated testing and carefully managed expansion of emerging virtual asset platforms.

Ghana's current Fintech and Innovation Office manages a comparable regulatory sandbox, which could potentially be expanded to include VASP scenarios. This might offer emerging service providers a crucial opportunity to trial blockchain products, token creation processes, or cryptocurrency trading models while being monitored by the regulatory authority.

Suggestions for establishing compliant VASPs

As Ghana gets ready to introduce regulations for virtual assets, the experiences of regions that have already implemented VASP regulatory systems provide useful insights. By learning from these global best practices, Ghana can create a balanced, progressive, and situation-appropriate framework that supports innovation while maintaining the integrity of the financial system. In this context, adopting the following recommendations and regulatory lessons will contribute to establishing a strong virtual asset regime in Ghana:

1. Clear definition and functional categorization of VASP operations:A key advantage of the EU's MiCA regulation, Kenya's VASP Bill 2025, and Singapore's MAS framework is their clear categorization of virtual asset service providers. Rather than implementing a uniform approach, these regions differentiate between custodians, exchanges, brokers, wallet service providers, and issuers, adjusting compliance requirements according to the risks involved in each category. Ghana should follow a comparable functional model, ensuring that regulatory obligations are balanced and directly aligned with the particular services provided.
2. Effortless and clear licensing procedure:In Nigeria, delays and unpredictability in the licensing procedure are said to have discouraged innovation. On the other hand, Singapore and the UAE have established efficient digital licensing platforms, defined timeframes for regulatory responses, and explicit pre-licensing checklists. Ghana could prevent similar issues by implementing a clear, organized application process that features a regulatory pre-engagement phase and publicly available service-level timelines for approvals or inquiries.
3. Integrated anti-money laundering and counter-terrorist financing financial monitoring system:Many regions currently implement the FATF Travel Rule, requiring the gathering and sharing of information about the sender and recipient. Nevertheless, nations such as South Korea and Japan have taken additional steps by incorporating real-time risk assessment, data exchange between agencies, and blockchain analysis into their anti-money laundering systems. Ghana could improve the Financial Intelligence Centre's (FIC) abilities to manage blockchain investigations and collaborate with private companies specializing in blockchain monitoring to better regulate VASPs.
4. Stringent data protection and cyber security regulations:As observed in Hong Kong, Singapore, and Switzerland, cybersecurity and data protection are not viewed as optional components but as fundamental elements of digital asset regulation. These regions implement routine vulnerability assessments, data localization requirements, mandatory breach disclosure, and encryption standards. Ghana's regulatory approach should enhance the Data Protection Act, 2012, by mandating VASPs to have cyber-risk insurance, adopt secure coding methods, and undergo independent third-party evaluations.
5. Regulatory proportionality for new businesses and low-risk VASPS:Overly strict compliance demands on small entities may hinder competition. Kenya's proposed VASP Bill presents a proportionate regulatory approach, providing different levels of licensing that modify requirements according to company size, transaction volume, and potential systemic risk. Ghana could explore implementing a comparable tiered system to prevent smaller fintechs and local VASP startups from being driven out of the market.
6. Regulatory sandbox and innovation areas:Countries such as the UK, Japan, and Singapore have established secure settings for innovation by implementing regulatory sandboxes and financial technology centers. These frameworks enable new offerings to be evaluated under less stringent compliance requirements prior to full implementation. The Central Bank needs to officially expand its sandbox to cover VASP-related services, such as tokenized assets, stablecoins, and decentralized finance applications.
7. Coordination between regulators: The realm of virtual assets frequently overlaps with various responsibilities – financial services, capital markets, cybersecurity, data privacy, and taxation. For example, the UAE's VARA works closely with the Central Bank, the Ministry of Economy, and the Securities Authority. Therefore, Ghana should encourage strong cooperation among the Bank of Ghana, the Securities and Exchange Commission (SEC), the Data Protection Commission, FIC, GRA, Cyber Security Authority, and other business regulators to maintain consistent regulation and avoid overlaps or gaps in oversight.
8. Consumer rights and financial education:In countries with high regulatory standards such as Japan, South Korea, and Singapore, authorities have imposed restrictions on VASP advertising aimed at the general population and require VASPs to evaluate user comprehension of risks prior to registration. Ghana could adopt a forward-thinking approach by mandating that VASPs provide risk disclosures in simple language, restrict aggressive promotional activities targeting inexperienced users, and promote public awareness initiatives about virtual asset risks and consumer rights.

Conclusion

As Ghana is about to implement regulations for its digital asset sector via the upcoming Virtual Asset Providers Act, the nation has a unique and timely chance to create a robust, forward-looking regulatory system. The Bank of Ghana's initiative to establish regulation is both essential and praiseworthy. However, as observed in other regions, successful regulation needs to maintain a delicate equilibrium—safeguarding the system and the public without stifling innovation.

In Ghana's fintech sector, the future is evident: regulation is on the horizon, requiring increased transparency, governance, and adherence to rules. However, it also offers credibility, trust from investors, and an opportunity for international integration. In the end, the effectiveness of Ghana's virtual asset framework will not only rely on the content of the law but also on its execution, inclusiveness, and the industry's preparedness to meet these requirements. We have provided some suggestions in this article.

>>>Richard Nunekpeku serves as the Managing Partner at Sustineri Attorneys PRUC and works as a Technology Consultant. He earned his LL.M from Cornell University (Cornell Tech), where he expanded his knowledge in Law, Technology, and Entrepreneurship. He was also honored with the 2024 CALI "Excellence for the Future Award" for outstanding performance in AI Law and Policy studies at Cornell University, New York. He is open to receiving opinions on this article viarichard@sustineriattorneys.com

>>>Harold Kwabena Fearon serves as an Associate with Sustineri Attorneys PRUC within the Corporate, Governance, and Transactions Practice Group, focusing on delivering legal services to Startups/SMEs, Technology-driven businesses, Fintech firms, and other innovative enterprises. He is open to receiving opinions on this article throughharold@sustineriattorneys.com

Provided by SyndiGate Media Inc. (Syndigate.info).