Mauritius -- AML/CFT Compliance Regulatory Overview
Methodology
AI-generated synthesis from web search results.
Limitations
- AI-generated content -- not reviewed by human expert
- Source URLs not independently verified
Mauritius has established a robust legal and regulatory framework to address the Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) risks associated with virtual assets and Virtual Asset Service Providers (VASPs). The framework largely aligns with the recommendations of the Financial Action Task Force (FATF).
Here's a breakdown of the key AML and KYC requirements for cryptocurrency/virtual asset service providers in Mauritius:
I. AML/CFT Legislative Framework in Mauritius
The primary legislation and regulations governing AML/CFT for VASPs in Mauritius include:
- The Virtual Asset and Initial Token Offering Services Act 2021 (VAITOS Act 2021): This is the cornerstone legislation specifically regulating virtual assets and VASPs. It designates VASPs as "reporting entities" and brings them under the scope of AML/CFT obligations. It provides for the licensing, regulation, and supervision of VASPs by the Financial Services Commission (FSC).
- The Financial Intelligence and Anti-Money Laundering Act 2002 (FIAMLA 2002) (as amended): This is the overarching AML/CFT legislation in Mauritius. It establishes the general AML/CFT framework, defines "money laundering," sets out the obligations of reporting entities (including VASPs by virtue of the VAITOS Act), and empowers the Financial Intelligence Unit (FIU).
- The Prevention of Terrorism Act 2002 (POTA 2002) (as amended): This Act provides the legal framework for combating the financing of terrorism and related offenses.
- FSC Rules for Virtual Asset and Initial Token Offering Services 2022: These rules, issued by the FSC under the VAITOS Act, provide detailed requirements for VASPs, including specific AML/CFT obligations.
- FSC Guide to Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) for Licensed Institutions: While a general guide, it applies to all licensed entities, including VASPs, providing guidance on implementing AML/CFT programs.
II. Customer Due Diligence (CDD) Requirements
VASPs in Mauritius are required to implement robust CDD measures based on a risk-based approach (RBA). This means the intensity of CDD should be commensurate with the assessed AML/CFT risks. Key CDD requirements include:
- Identification and Verification of Customers:
  - Obtain reliable identifying information for all customers (natural persons and legal entities).
  - Natural Persons: Full name, date of birth, place of birth, nationality, residential address, unique identification number (e.g., passport, national ID card). Verification requires independent, reliable source documents (e.g., certified copies of ID, utility bills).
  - Legal Entities: Legal name, legal form, proof of incorporation/registration, address of registered office and principal place of business, names of directors/partners/trustees, and identification of individuals authorized to act on behalf of the entity. Verification typically involves corporate documents.
- Beneficial Ownership Identification:
  - Identify and take reasonable measures to verify the identity of the beneficial owner(s) of the customer.
  - For legal entities, this means identifying the natural person(s) who ultimately own or control 25% or more of the entity, or who otherwise exercise control through other means.
  - Understand the ownership and control structure of the customer.
- Purpose and Nature of Business Relationship:
  - Understand the purpose and intended nature of the business relationship or occasional transaction (e.g., source of funds, source of wealth, intended types of virtual asset transactions).
- Ongoing Monitoring:
  - Continuously monitor the business relationship to ensure that transactions being conducted are consistent with the VASP's knowledge of the customer, their business and risk profile, including, where necessary, the source of funds.
  - Regularly update customer information and beneficial ownership data.
- Enhanced Due Diligence (EDD):
  - Applied in higher-risk situations, including:
    - Customers who are Politically Exposed Persons (PEPs), their family members, or close associates.
    - Customers from high-risk geographic areas (as identified by FATF or local regulators).
    - Transactions involving new or developing technologies or products that favour anonymity.
    - Complex, unusually large transactions, or unusual patterns of transactions that have no apparent economic or lawful purpose.
  - EDD measures include obtaining senior management approval, taking reasonable measures to establish the source of wealth and source of funds, and conducting enhanced ongoing monitoring.
- Simplified Due Diligence (SDD):
  - Permitted in situations where the risks of money laundering and terrorist financing are low, and specific conditions are met. This must be justified by the VASP's risk assessment.
III. Suspicious Transaction Reporting (STR)
VASPs, as reporting entities, have a legal obligation to report suspicious activities:
- Obligation to Report: Any VASP that has reasonable grounds to suspect that a transaction (or attempted transaction) involves funds or virtual assets that are the proceeds of crime, or are linked to terrorist financing, must report it.
- To Whom: All Suspicious Transaction Reports (STRs) must be filed with the Financial Intelligence Unit (FIU) Mauritius.
- Timelines: Reports must be made without delay after forming the suspicion.
- "No Tipping-Off": VASPs and their employees are prohibited from disclosing to the customer or any third party that an STR has been filed or that information relating to a potential STR is being sought or provided.
IV. Record-Keeping Obligations
VASPs are required to maintain comprehensive records for a specified period to assist in AML/CFT investigations:
- Transaction Records: All records related to virtual asset transactions (e.g., transaction date, type, amount, parties involved, virtual asset addresses/identifiers).
- Customer Identification Data: All documents and information obtained during the CDD process (e.g., copies of identification documents, beneficial ownership information, risk assessments).
- Business Correspondence: Records of internal and external communications related to customer accounts and transactions.
- Training Records: Records of AML/CFT training provided to staff.
- Internal Reports: Any internal suspicious activity reports or related analyses.
- Retention Period: Records must be retained for a minimum period of 7 years after the business relationship is terminated or the occasional transaction is completed.
V. Which Authority Oversees Compliance
Compliance with AML/CFT requirements for Virtual Asset Service Providers in Mauritius is primarily overseen by:
Financial Services Commission (FSC) Mauritius:
- Role: The FSC is the integrated regulator for the non-bank financial services sector and global business in Mauritius. Under the VAITOS Act 2021, the FSC is responsible for licensing, regulating, and supervising VASPs, including ensuring their compliance with AML/CFT obligations. They conduct regular inspections, reviews, and enforce compliance through administrative penalties.
- Website: https://www.fscmauritius.org/
Financial Intelligence Unit (FIU) Mauritius:
- Role: The FIU is the central national agency responsible for receiving, analyzing, and disseminating financial intelligence related to money laundering and terrorist financing to law enforcement agencies. VASPs report their suspicious transactions directly to the FIU. While the FSC supervises AML program implementation, the FIU is the recipient and primary analyzer of STRs.
- Website: https://www.fiumauritius.org/
Mauritius is committed to upholding international AML/CFT standards and continues to adapt its framework to address evolving risks, particularly in the innovative and rapidly developing virtual asset sector. VASPs operating in Mauritius must ensure their AML/CFT programs are robust, risk-based, and fully compliant with these stringent requirements.
Source Data
**Comprehensive:** Mauritius has enacted specific primary legislation, the Virtual Asset and Initial Token Offering Services Act 2021 (VAITOS Act), along with accompanying rules and guidelines, to regulate the virtual asset sector from end-to-end. This covers licensing, conduct of business, consumer protection, and AML/CTF.
**Proactive:** The regulatory framework was designed to align with international best practices and recommendations for virtual assets and Virtual Asset Service Providers (VASPs).
**Not a Ban or Partial:** Crypto trading and related services are not banned; instead, they are legally permitted but subject to stringent licensing and oversight.
**Role:** The FSC is the primary regulator responsible for licensing, supervising, and regulating Virtual Asset Service Providers (VASPs) and Initial Token Offerings (ITOs) under the VAITOS Act. It oversees the conduct of business, prudential requirements, and compliance with AML/CTF obligations for licensed entities.
**Role:** While the BoM is the central bank responsible for monetary policy and the stability of the financial system, it does not directly license or regulate VASPs. Its role in the virtual asset space is more focused on monitoring macroeconomic implications and broader financial stability, and potentially providing a regulatory sandbox for innovative solutions that might involve central bank digital currencies (CBDCs) or other novel payment systems.
**Role:** The FIU, established under the FIAMLA, is responsible for receiving, analyzing, and disseminating suspicious transaction reports (STRs) and suspicious activity reports (SARs) related to money laundering and terrorist financing. VASPs are reporting entities to the FIU.
**Virtual Asset and Initial Token Offering Services Act 2021 (VAITOS Act 2021)**
**Date:** Enacted in December 2021, and its provisions came into full effect in stages, largely operational by early 2022.
**Purpose:** This is the cornerstone legislation. It provides a comprehensive legal framework for:
- Defining "Virtual Asset" and "Virtual Asset Service Provider (VASP)."
- Establishing a licensing regime for VASPs.
- Regulating Initial Token Offerings (ITOs).
- Setting out requirements for customer due diligence, record-keeping, AML/CTF compliance, cybersecurity, and consumer protection.
- Empowering the FSC to issue rules and guidelines.
https://www.fscmauritius.org/en/legal-framework/acts (Search for "Virtual Asset and Initial Token Offering Services Act 2021").
*Direct Link (if available and stable, check FSC for latest)*: Often available through a legal database like `https://www.lexisnexis.com/` (paid service) or directly from FSC. As laws are updated, the FSC's legal framework page is the most reliable source for the current version.
**Financial Intelligence and Anti-Money Laundering Act 2002 (FIAMLA 2002, as amended)**
**Date:** Originally enacted in 2002, but has undergone several amendments to align with evolving FATF standards, including those relating to virtual assets.
**Purpose:** This Act forms the primary legal basis for Mauritius's AML/CTF regime. It mandates reporting obligations for designated institutions (including VASPs under the VAITOS Act) regarding suspicious transactions, sets out the functions of the FIU, and establishes penalties for AML/CTF offenses.
**URL:** Also found on the FSC's legal framework page or the FIU's website:
The FSC has issued specific rules under the VAITOS Act, such as:
- Virtual Asset and Initial Token Offering Services (Licensing) Rules 2022
- Guidelines on Risk Management and Internal Controls for VASPs.
**URL:** These are typically found in the "Regulatory Framework" or "Rules & Guidelines" section of the FSC website:
**Licensing is Mandatory:** Any entity wishing to operate as a VASP in Mauritius must obtain a license from the FSC. This includes:
- Operating a virtual asset exchange (for trading between virtual assets and fiat, or between different virtual assets).
- Providing custody and/or administration of virtual assets.
- Participating in and providing financial services related to an issuer’s offer and/or sale of a virtual asset (e.g., ITOs).
- Providing portfolio management, advisory services, or other financial services related to virtual assets.
**Stringent Compliance:** Licensed VASPs are subject to:
- **AML/CTF Obligations:** Strict customer due diligence (KYC), suspicious transaction reporting, record-keeping, and internal controls in line with FATF recommendations.
- **Capital Requirements:** Specific minimum capital requirements based on the type of VASP license.
- **Operational Requirements:** Robust cybersecurity frameworks, data protection, business continuity plans, and internal governance.
- **Consumer Protection:** Requirements for clear disclosures, transparent fee structures, and handling of client assets.
- **Reporting:** Regular reporting to the FSC on their activities and financial health.
**Investor Protection:** The regulatory framework aims to protect investors by ensuring licensed entities meet specified standards for security, transparency, and integrity.
https://www.fscmauritius.org/en/legal-framework/acts (Search for "Financial Intelligence and Anti-Money Laundering Act 2002").
Sources & Attribution
This article was generated by SearXNG+LLM.
This article is maintained by AI research workers and reviewed by human editors.