Ghana's VASP Act

Why Virtual Assets Can No Longer Exist Outside the Law

Africa has reached the point where digital value can no longer exist outside the law. The real legal question is no longer whether virtual assets exist, but who bears risk when they do. That shift matters because, for much of the last decade, virtual asset activity across the continent expanded in a regulatory twilight. Central banks issued warnings, securities regulators published investor alerts, and the market continued to grow through offshore exchanges, informal agents, messaging groups, and app-based distribution channels that sat well beyond traditional supervision.

The problem with that legal vacuum was never simply that virtual assets were novel. It was that value was moving, being stored, priced, transferred, and sometimes lost, without a clear system for allocating responsibility when things went wrong. When platforms failed, when hacks occurred, when yield schemes collapsed, and when retail users suffered losses, the central difficulty was not technological uncertainty alone. It was the absence of a clear legal perimeter identifying who could intermediate digital value, under what conditions, and with what consequences.

That is the background against which Ghana enacted the Virtual Asset Service Providers Act, 2025, Act 1154. The Act reflects a wider regulatory move across Africa toward accepting that virtual assets can no longer be treated as activity outside the financial system merely because their legal character is contested. Even where a state does not recognise a token as legal tender, people may still use it for payment, transfer, remittance, investment, and store of value. Once that happens at scale, a legal system must decide whether to ignore the activity, prohibit it outright, or regulate the points of intermediation through which risk is transmitted.

Ghana’s answer is to regulate the service layer. That is why the Act focuses on Virtual Asset Service Providers, or VASPs, rather than attempting to legislate digital assets in the abstract. In legal and policy terms, that is a significant choice. Most consumer harm, market abuse, custody failure, and financial-crime exposure arise not at the level of code, but at the level of intermediation. It is the service provider that holds customer assets, facilitates exchange, promotes products, structures transactions, or offers wallet, advisory, and payment functions. By targeting the service provider, the law identifies the actor through whom supervision, licensing, sanction, and liability can be made operational.

Act 1154 is therefore not simply a recognition statute. It is a market-organisation statute. It decides that virtual asset activity in or from Ghana must be capable of registration, licensing, supervision, restriction, sanction, and, where necessary, controlled liquidation. In doing so, it moves the conversation from novelty to governability. The legal point is not to declare that every digital asset is legitimate. The legal point is to ensure that where digital value is intermediated, it is intermediated by entities that are visible to the regulator, subject to entry controls, and capable of being held to account.

That shift is particularly important because informal virtual asset markets often create the illusion of decentralisation while in practice relying on concentrated points of trust. Users may believe they are interacting with a borderless system, but they usually enter through exchanges, payment processors, brokers, wallet providers, promoters, or advisory channels. Those are the points where money laundering risk, customer harm, conflicts of interest, and operational failure tend to concentrate. They are also the points where law can most effectively intervene.

Act 1154 responds to this by making it unlawful to provide or purport to provide a virtual asset service unless the provider is registered, licensed, or otherwise legally permitted to operate under the Act. That prohibition is the foundation of the entire regime. It signals that the virtual asset market is no longer to be treated as a zone of tolerated informality. It is now part of the legal and supervisory order.

The wider significance of the Act lies in what it says about Ghana’s regulatory posture. Ghana is not merely acknowledging that virtual assets exist. It is deciding that digital value must enter the legal system through identifiable gateways, operated by entities that can be assessed, supervised, and, if required, removed from the market. That is a major legal inflection point. It means the future of virtual asset activity in Ghana will depend less on technological rhetoric and more on questions of legal classification, institutional competence, corporate structure, and accountability.

This is what makes Act 1154 important beyond the virtual asset sector itself. It is part of a broader legal shift in which financial law is being asked to absorb new forms of digital intermediation without surrendering core principles of prudential oversight, market integrity, and consumer protection. The Act does not resolve every definitional or supervisory challenge. But it does establish a basic proposition that now seems unavoidable: where digital value circulates in the market, the law must decide who may stand between that value and the public, and on what terms.

Act 1154 and the Legal Perimeter of Virtual Asset Services

The first legal question under Ghana’s Virtual Asset Service Providers Act, 2025 is not innovation, but classification. Before regulators can supervise virtual asset activity, they must determine what falls within the Act, what falls outside it, and what type of conduct is legally significant enough to trigger registration, licensing, or sanction. Act 1154 addresses that problem by building its perimeter around function rather than around a closed list of technologies.

The Act defines a virtual asset as a digital representation of value that can be digitally traded or transferred and used for payment or investment purposes, but which does not include a digital representation of fiat currency, securities, or a central bank digital currency. The definition captures the legal-economic role played by the asset rather than the branding attached to it. In practice, that means the regime is capable of extending across cryptocurrencies, stablecoins, non-fungible tokens, utility tokens, and digital collectibles, subject to the regulator’s power to exclude certain categories where appropriate.

That definitional approach matters because virtual asset markets evolve faster than statutory amendment cycles. If the law tied itself too tightly to named technologies or product labels, it would become obsolete almost immediately. Instead, Act 1154 takes an activity-based approach. It asks what is being done, for whom, and with what legal and market effect. This is why the statutory definition of a virtual asset service is deliberately broad. It captures business activity conducted for or on behalf of another person involving the handling, movement, exchange, safekeeping, transfer, control, trade, administration, issuance, or tokenisation of virtual assets.

The range of activities listed under the Act is significant. It includes advisory, brokerage, payment processing, lending and borrowing, mining, validation, promotional, and distribution services, as well as exchange traded funds based on virtual assets. This signals that the Act is not confined to classic exchange activity. It is trying to govern the full service architecture through which digital value is introduced into the market, promoted to users, managed for clients, or embedded into financial products.

Legally, this is a functional perimeter. It does not depend on whether the operator describes itself as a crypto exchange, a fintech platform, a wallet provider, an educator, or a technology company. If the business model performs an intermediation function in relation to virtual assets, the Act may apply. That gives regulators room to respond to changing market structures without requiring Parliament to amend the law each time a new service model emerges.

The same logic explains why the Act expressly captures innovative virtual asset services. Rather than allowing novelty to operate as a loophole, the law treats innovation as a potential reason for closer regulatory attention. New delivery methods, new token structures, and new modes of intermediation are not presumed to be outside the legal perimeter merely because they are not yet common. This is one of the regime’s most important design features. It allows the Act to remain technologically flexible while preserving regulatory control over emerging forms of risk.

The perimeter is also shaped by exclusion and overlap. Not every digital asset activity falls solely within Act 1154. Where a virtual asset or a service performed in relation to it falls within the legal concept of securities or securities intermediation, the operator must also comply with the Securities Industry Act, 2016, Act 929. This is a critical point. The VASP regime is not a back door into capital markets activity. If the substance of the product is securities business, securities law remains engaged. The Act therefore works not as an isolated regime, but as part of a wider financial-law framework in which classification determines which regulator, or combination of regulators, has authority.

The prohibitory structure of the Act reinforces the perimeter. It is unlawful to provide or purport to provide a virtual asset service unless the provider is registered, licensed, or otherwise lawfully permitted to operate under the Act. It is also unlawful for unauthorised persons, including applicants, to suggest that they are regulated or authorised. That is not a technical drafting point. It is a direct legal response to a market in which fraudulent actors often launder credibility through language, websites, public claims, and superficial compliance signals.

What emerges from this architecture is a legal perimeter that is intentionally elastic in method but strict in effect. The Act is broad enough to capture evolving service models, but clear enough to establish that anyone performing intermediation in or from Ghana must expect legal scrutiny. For investors and operators, that has immediate consequences. Business models can no longer rely on ambiguity as a strategy. Product design, customer-facing language, service bundling, and jurisdictional positioning now carry regulatory consequences.

In practical terms, the first legal exercise for any operator is therefore classificatory. Before asking whether a licence is available, or whether capital requirements can be met, the business must determine whether its activities constitute a virtual asset service, whether those activities are registrable or licensable, whether another enactment is triggered, and whether the regulator may reclassify the activity into a different legal box. Under Act 1154, classification is not a preliminary technicality. It is the entry point to legality itself.

Market Entry Under Act 1154: Registration, Licensing and Waiver

Act 1154 is, in large part, a market-entry statute. It determines who may legally intermediate virtual assets in or from Ghana and through which route that access may be obtained. The regime does not create a single point of entry for every operator. Instead, it uses three principal legal gates, registration, licensing, and waiver, each of which reflects a different level of risk, market significance, or pre-existing supervision.

Registration is the Act’s first gate. It applies to persons already engaged in registrable virtual asset services before the commencement of the Act, those intending to provide a service for which registration is required under the Schedule, supervised persons who are not granted a waiver, and those directed by the relevant authority to apply for registration. Applications must be made in the prescribed form, accompanied by the required information and fee, and applicants must notify the regulator of any material changes in the information submitted within fifteen days.

Registration is not a mere filing exercise. The regulator assesses whether the applicant, including its shareholders, beneficial owners, trustees, and senior officers, is fit and proper. Conditions may be imposed at the point of approval or later, taking into account the nature, scale, and risk profile of the business. Within ninety days of receiving a complete application, the regulator must determine the application and communicate reasons where registration is refused. Registration lasts for twelve months and must be renewed not later than three months before expiry.

The legal significance of registration lies partly in its limits. A registered person must not provide a service for which a licence is required and must not imply that it is licensed to carry out licensable activity. In other words, registration is a distinct legal status, not a lighter version of a licence. It is one of the ways in which the Act differentiates low-intensity or differently structured services from those that warrant fuller prudential or market-conduct control.

Licensing is the central gate for higher-risk or market-structuring activity. A person must apply for a licence where it was already engaged in a licensable service before commencement, seeks to provide a licensable service under the Schedule, or is directed by the regulator to do so. The application process mirrors registration in requiring prescribed forms, supporting information, fees, and ongoing notice of changes. But the substantive review is deeper. The regulator considers public interest, the prevention of exploitation, the size and complexity of the business, the fitness and propriety of controlling persons and senior officers, and whether the applicant has the necessary skills, technology, facilities, records, accounting systems, cybersecurity measures, capital, risk management arrangements, and corporate governance framework.

That review reveals what the licence represents. A licence under Act 1154 is not simply permission to operate. It is a regulatory judgement that the applicant is capable of carrying on a virtual asset service within a supervised framework. It is therefore both an entry approval and an institutional quality test. The regulator may impose additional conditions and must publish notice of the licence on its website within thirty days of issuance. Like registration, licences are valid for twelve months and must be renewed.

The Schedule illustrates how entry routes are allocated across business models. Registration with the Bank of Ghana is required for certain services such as non-custodial wallet services and some dealing functions. Registration with the Securities and Exchange Commission is required for services such as virtual asset issuance and asset tokenisation. Joint oversight applies to advocacy services. On the licensing side, the Bank of Ghana regulates services such as custodial wallets, payment processing, stablecoin issuance, and virtual asset lending and borrowing, while the SEC regulates exchanges, exchange traded funds, virtual asset management, investment advisory, and brokerage. The classification of the service therefore determines both the legal route and the relevant authority.

The third gate is waiver. This is one of the most commercially important aspects of the Act for already-regulated institutions. A regulator may waive licensing or registration requirements where the virtual asset service does not materially change the nature of the activity for which the person is already licensed and where the existing supervisory framework is sufficient to cover the additional activity. In effect, the Act recognises that some institutions may not need a full additional layer of entry approval if the virtual asset activity is a supervised extension of a regulated business.

But a waiver is not a permanent exemption from scrutiny. It is conditional, and it may be revoked where conditions are breached, the activity changes materially, or the scale, complexity, or risk of the virtual asset service increases. For firms and investors, this means a waiver should not be treated as a lesser legal burden. It is a narrower, revocable permission built on the regulator’s continuing comfort that the institution remains within a manageable prudential profile.

Taken together, registration, licensing, and waiver reveal the underlying design of the regime. Ghana is not creating a one-size-fits-all authorisation model. It is distinguishing between business models, levels of risk, and existing supervisory relationships, and allocating market entry accordingly. That design offers flexibility, but it also places a premium on careful legal classification and early regulatory engagement. Under Act 1154, the route into the market is itself a core legal question.

Who Regulates What? The Multi-Regulator Design of Act 1154

One of the most consequential design choices in Act 1154 is that it does not treat virtual assets as the exclusive domain of a single regulator. Instead, it builds a coordinated supervisory model centred on the Bank of Ghana and the Securities and Exchange Commission, while allowing the Minister of Finance to prescribe additional regulatory bodies where necessary. This matters because virtual asset businesses do not fit neatly into a single legal category. Depending on their structure, they may resemble payment services, securities dealing, custody, issuance, technology-enabled intermediation, or a combination of all of these.

Act 1154 responds to that reality by allocating regulatory authority according to function. A relevant regulator has overall supervisory authority over the virtual asset service assigned to it in the Schedule, and those authorities are required to collaborate in implementing the regime. The Bank of Ghana has already established a Virtual Assets Regulatory Office to fulfil its responsibilities under the Act. That institutional step is important because it indicates that implementation is not being treated as a purely theoretical allocation of power. Dedicated supervisory machinery is being built around the statute.

The Act also creates a coordinating committee made up of the Bank of Ghana and the SEC, with representation from the Ministry responsible for Finance, the Cyber Security Authority, and the Financial Intelligence Centre. Other persons may be co-opted where necessary. The committee’s mandate includes reviewing and coordinating cooperation, implementation, supervision, and information-sharing. In practical terms, this is the mechanism through which Ghana seeks to avoid fragmented regulation in a sector where risks routinely cut across monetary stability, market integrity, data security, and financial crime.

The Schedule shows how this division of labour works. The Bank of Ghana is assigned authority over services that look most like payment, custody, or prudential intermediation, including custodial wallet services, payment processor functions, stablecoin issuance, and virtual asset lending and borrowing. The SEC is assigned authority over services that resemble investment intermediation or capital-markets activity, including virtual asset exchanges and trading platforms, exchange traded funds, portfolio management, investment advisory, and brokerage. Some areas, such as advocacy and certain forms of innovation, may fall under joint oversight.

This approach is legally coherent because the nature of virtual asset activity is hybrid. A token may function as an investment product, a payment instrument, or both. A platform may handle customer assets, provide exchange functionality, promote products, and collect user data, all within a single business model. If the law assigned the whole field to one regulator without recognising these differences, it could either over-centralise authority or leave regulatory seams that sophisticated actors would exploit.

At the same time, a multi-regulator framework is only as strong as its coordination under pressure. In ordinary conditions, shared authority can be managed through meetings, memoranda, and consultation. The harder question is what happens when a licensed operator fails, when a major cyber incident occurs, when an enforcement action has cross-border implications, or when retail harm becomes politically salient. In those moments, the market will not care about internal jurisdictional theory. It will look for a coherent public response, clear leadership, aligned supervisory judgment, and coordinated action across agencies.

That is why the coordinating committee is more than an administrative detail. It is part of the regime’s credibility architecture. If it functions well, it can reduce duplicated supervision, align risk assessment, and create a predictable licensing environment. If it functions poorly, firms may face conflicting instructions, regulatory delay, or inconsistent classification outcomes that increase uncertainty and undermine investor confidence.

For firms, the existence of multiple regulators also has practical consequences from the outset. Legal analysis must go beyond asking whether the business is a VASP. It must also determine which regulator has primary authority, whether another enactment is engaged, and whether the service mix could trigger concurrent oversight. That has implications for application strategy, disclosure, governance design, compliance staffing, and even board composition. Businesses that assume they can resolve these issues late in the process are likely to encounter delay or regulatory friction.

From a policy perspective, Ghana’s model reflects a realistic understanding of digital finance. Virtual asset regulation is not simply about recognising a new asset class. It is about fitting a new form of digital intermediation into an existing legal order without collapsing the distinctions that financial law depends on. Payments, securities, financial integrity, and cyber resilience each bring different regulatory logics. Act 1154 does not eliminate those differences. It attempts to organise them.

That is the strength of the model, but it is also the challenge. The success of Act 1154 will depend not only on the quality of the statute, but on whether the Bank of Ghana, the SEC, and associated agencies act as one system when it matters. In a hybrid market, fragmented supervision is itself a risk. Ghana’s legal answer is coordination. The market will now test whether that coordination is operational, timely, and trusted.

Ownership, Governance, Enforcement: How the Act Allocates Legal Responsibility

Act 1154 does not merely authorise virtual asset service providers. It makes them governable, auditable, and punishable. That is one of the clearest signs that the Act is designed as a serious market-regulation statute rather than a symbolic recognition framework. The law is built on the view that if a business is permitted to intermediate digital value, it must also be capable of being controlled through corporate structure, governance rules, ownership transparency, and credible enforcement.

This begins with legal form. An applicant for registration, a licence, or a waiver must be a company incorporated under the Companies Act, 2019, a partnership under the Incorporated Private Partnerships Act, 1962, or a non-Ghanaian company that complies with the external company provisions of the Companies Act. A VASP must maintain a registered office in Ghana and have at least three directors at all times, including one resident director and one independent director without a vested interest in the VASP. These requirements do more than create administrative formality. They force market participants, including foreign investors, into locally legible corporate vehicles with identifiable governance organs and a real operational presence.

Ownership control is treated with similar seriousness. A person must not acquire, dispose of, or transfer five per cent or more of the outstanding shares or partnership interest in a VASP without regulatory approval. Approval is also required for cumulative acquisitions amounting to ten per cent or more of total voting rights. Even where changes occur by operation of law, notification must be given within fourteen days, together with details of the event and the identity of the recipient. This means that control over a VASP is not a purely private matter between counterparties. It is a regulated event because ownership structure affects prudential soundness, accountability, and supervisory visibility.

The rationale is straightforward. In a sector exposed to financial crime, conflicts of interest, and rapid operational failure, regulators need to know who controls the institution and whether those persons are fit to do so. Control thresholds also matter in transactional practice. Investors, acquirers, and founders cannot assume that share transfers or capital raises will proceed solely on corporate-law timelines. Regulatory approval becomes part of deal execution, and the inability to obtain it may affect valuation, closing conditions, and post-investment rights.

Governance responsibility under the Act is also reinforced through the fit-and-proper assessment of shareholders, beneficial owners, trustees, and senior officers. This signals that the regulator is not simply licensing a product or platform. It is assessing the people who stand behind the institution. The legal and commercial implication is that VASP diligence must go beyond technology review or market opportunity. Controllers, officers, and governance arrangements are part of the regulatory risk profile of the business.

These governance rules are backed by an enforcement architecture that is unusually robust. Regulators may revoke or restrict licences, registrations, waivers, and other approvals where obligations are breached, where business is carried on unlawfully or contrary to conditions, where information is false or misleading, where client interests are undermined, or where anti-money laundering law is contravened. Revocations must be publicised on the regulator’s website within seven days. Public disclosure matters because enforcement is not only corrective. It also serves a signalling function in the market.

The Act also empowers regulators to issue cease-and-desist orders where conduct is unsafe or unsound, or where a person operates without the required authorisation. Non-compliance constitutes an offence punishable by substantial fines, imprisonment, or both, and continuing contraventions attract daily penalties. In addition, regulators may take remedial action necessary to secure compliance, including requiring the removal of senior officers or trustees and the divestment of ownership interests.

This suite of powers changes the legal posture of the market. Regulatory action under Act 1154 can move quickly, can be public, and can affect both management and ownership. For investors, that means regulatory posture is not a peripheral compliance issue. It is central to enterprise value. Due diligence must therefore examine licence conditions, prior regulatory correspondence, AML and governance findings, ownership history, and the suitability of key personnel. Transaction documents may need to allocate regulatory risk through warranties, covenants, information undertakings, and exit or step-in rights triggered by regulatory events.

What emerges is a clear allocation of responsibility. The Act does not accept the argument that virtual asset firms are too decentralised, too technological, or too innovative to be governed through ordinary legal tools. It treats them as institutions that must be legally constituted, transparently controlled, competently managed, and vulnerable to sanction if they fail to meet required standards. That may raise barriers to entry, but it also makes the market more intelligible. Under Act 1154, responsibility is not left to the mythology of decentralisation. It is assigned through law.

Operational Duties, Winding Up, and the Real Test of Implementation

The real legal credibility of Act 1154 lies not only in how firms enter the market, but in how they are supervised once inside it and how they can be made to exit when things go wrong. That is why the Act imposes continuing operational duties and detailed winding-up controls. The underlying logic is simple. A VASP should not merely be capable of obtaining approval. It should also be capable of surviving supervision, meeting obligations as they fall due, and, if necessary, being resolved without disorderly harm to customers and creditors.

The operational obligations imposed by the Act are continuous and prudential in character. VASPs must maintain financial soundness through compliance with capital, solvency, and insurance requirements, although the detailed thresholds are left to the regulators. They must maintain accounts in line with International Financial Reporting Standards, submit to regulatory inspection, and produce audited financial statements where required. They must comply with anti-money laundering, countering the financing of terrorism, and counter-proliferation financing requirements, including suspicious transaction reporting and independent assessments where directed. They must also operate whistleblowing frameworks with internal reporting, confidentiality, and protection mechanisms, and maintain effective cybersecurity controls to safeguard systems, customer assets, and data.

Taken together, these obligations make it clear that a VASP licence is a living prudential regime rather than a one-time approval. Compliance costs will be recurring. Governance systems, reporting infrastructure, internal controls, and security capabilities must be built into the business model from the start. For investors, that means initial licensing expense is only one part of the regulatory equation. The more important commercial question is whether the institution can sustain compliance as the business grows in scale and complexity.

The exit rules are equally important. A licence holder or registered person must not begin a voluntary winding up without prior regulatory approval and must first give notice of its intention. The regulator must certify that the VASP is capable of winding up voluntarily and meeting its obligations to customers and creditors as they accrue. If the firm cannot do so in full, the regulator must appoint a receiver to wind up its affairs. The same applies where a licence or registration is revoked. In that event, the regulator must, without delay, appoint a receiver to liquidate the VASP.

The receiver’s powers are extensive. The receiver may access and control the books, affairs, and assets of the VASP and take steps necessary for efficient liquidation. With regulatory approval, the receiver may continue operations as a bridge institution, transfer assets and liabilities through sale to another provider, and manage operations and claims. The receiver may repudiate burdensome contracts where necessary to protect customers, subject to liability for actual direct damages assessed at the repudiation date. The receiver may also set aside certain pre-receivership transactions, including gratuitous transfers, affiliate transactions, transactions supported by fraudulent documents, and transactions undertaken to withhold assets from customers or creditors.

These provisions matter because they move the law beyond authorisation into resolution. A market becomes materially safer when participants know not only how a provider is licensed, but how it will be handled if it fails. Act 1154 insists that virtual asset businesses must be capable of efficient liquidation, not merely efficient launch. That is a significant legal signal to both operators and investors.

The harder question is whether implementation will match structure. Ghana has already taken steps toward operationalising the Act. The Bank of Ghana issued a mandatory registration notice to identify persons providing virtual asset services in or from Ghana. It then followed with an implementation roadmap that moves from stakeholder engagement and consultation to the deployment of a registration portal, draft directives and guidelines, and phased operationalisation of the licensing regime. Joint engagement by the Bank of Ghana, the SEC, and the Financial Intelligence Centre points to a coordinated approach, but timelines have already shown some slippage, which suggests that implementation may evolve as the regime settles.

That leads to the real test of the Act. The market will not price structure alone. It will price implementation. Four questions are likely to define the credibility of the regime. First, how quickly and clearly will the regulators publish the subsidiary rules needed to operationalise capital thresholds, custody standards, cybersecurity baselines, and reporting requirements? Second, will licensing and classification decisions be consistent enough for firms to plan with confidence? Third, will enforcement be prompt, proportionate, and visible enough to create trust in the market? Fourth, will the multi-regulator model hold together under stress, particularly in the event of platform failure, cyber incidents, or cross-border supervisory pressure?

Those are not secondary matters. They determine whether Act 1154 becomes a reliable legal framework or merely a formal statute with uncertain operational weight. Ghana has already made the deeper legal bet of the Act clear. Virtual asset activity must be visible, supervised, and capable of orderly exit. The remaining question is whether the institutions charged with implementation can make that vision durable in practice.

--

Read the original publication at N. Dowuona & Company