Mauritius -- Custody Regulations Regulatory Overview

Mauritius has established a comprehensive regulatory framework for virtual assets and virtual asset service providers (VASPs) through the Virtual Asset and Initial Token Offering Services Act 2021 (VAITOS Act 2021), administered by the Financial Services Commission (FSC). This framework is robust and aligns with international standards, particularly those set by the Financial Action Task Force (FATF).

Here's a breakdown of the cryptocurrency/digital asset custody regulations in Mauritius:

Primary Regulatory Framework

The primary legislation governing virtual assets and related services, including custody, is:

• Virtual Asset and Initial Token Offering Services Act 2021 (VAITOS Act 2021): This Act defines various virtual asset services and mandates licensing for providers.
  • URL: https://www.fscmauritius.org/media/108984/virtual-asset-and-initial-token-offering-services-act-2021-final-version-gazetted.pdf
• FSC Rules (Virtual Asset and Initial Token Offering Services) 2022: These rules provide specific details and requirements for implementing the VAITOS Act.
  • URL: https://www.fscmauritius.org/media/109968/fsc-rules-virtual-asset-and-initial-token-offering-services-2022.pdf

Additionally, Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) obligations are central:

• Financial Intelligence and Anti-Money Laundering Act 2002 (FIAMLA 2002)
• Guidance Notes on Anti-Money Laundering and Combating the Financing of Terrorism for Virtual Assets and Virtual Asset Service Providers (VASPs)
  • URL: https://www.fscmauritius.org/media/106317/guidance-notes-on-aml-cft-for-vasps-final-version.pdf

1. Custodial License Requirements

Under the VAITOS Act 2021, a firm providing "Custodian Wallet Service" is classified as a Virtual Asset Service Provider (VASP) and requires a license from the FSC.

• Definition of Custodian Wallet Service (Section 2, VAITOS Act 2021): "a service to safeguard virtual assets or instruments enabling control over virtual assets, on behalf of natural or legal persons."
• Licensing Process: Applicants must submit a detailed application to the FSC, including:
  • A comprehensive business plan.
  • Evidence of "fit and proper" persons for directors, beneficial owners, and senior management.
  • Robust governance arrangements, including internal controls, risk management systems (operational, financial, IT, cybersecurity).
  • Adequate financial resources.
  • An independent audit function.
  • Compliance with AML/CFT obligations.
• Minimum Stated Capital (Schedule 1, FSC Rules (VAITOS) 2022):
  • A licensee providing "Custodian Wallet Service" must maintain a minimum stated capital of MUR 1,500,000 (approximately USD 37,500, subject to exchange rate fluctuations).

2. Segregation of Client Assets Rules

Mauritius's framework includes clear provisions for the segregation of client assets.

• VAITOS Act 2021 (Section 13(1)(g)): A VASP shall "manage client virtual assets and money received from clients in a manner that protects the interests of clients, and, in particular, ensures that they are segregated from the assets of the VASP."
• FSC Rules (VAITOS) 2022 (Rule 12 - Client Virtual Assets and Money):
  • Mandates that a licensee must maintain separate accounts for client virtual assets and money received from clients, distinct from its own assets.
  • Requires the licensee to clearly identify and account for client virtual assets and money, and to maintain proper records.
  • Prohibits the use of client virtual assets or money for the licensee’s own benefit or for the benefit of any third party without explicit client consent and where permitted by law.

3. Insurance/Bonding Requirements

While the VAITOS Act and its immediate rules do not explicitly mandate a specific insurance policy or bond for Custodian Wallet Service Providers, the framework implicitly addresses financial robustness and risk mitigation:

• Minimum Stated Capital: The requirement for minimum stated capital (MUR 1.5 million) serves as a financial buffer.
• Risk Management Framework (Section 13(1)(b) of VAITOS Act and Rule 9 of FSC Rules (VAITOS) 2022): Licensees are required to have "robust risk management policies and procedures" covering operational risks, technology risks, and financial risks. This implies that firms should consider professional indemnity insurance or other risk transfer mechanisms as part of their overall risk mitigation strategy, especially given the high-value nature of custodial services.
• The FSC may, on a case-by-case basis or through further guidance, require specific insurance coverage if deemed necessary for the protection of clients.

4. Cold Storage Mandates

The Mauritian framework emphasizes secure management of virtual assets and cryptographic keys, rather than explicitly mandating a specific percentage of cold storage, but the principles strongly support its adoption.

• VAITOS Act 2021 (Section 13(1)(d)): A VASP shall "implement adequate systems and controls for safeguarding client virtual assets, including cryptographic keys."
• FSC Rules (VAITOS) 2022 (Rule 9 - Risk Management and Internal Controls): Requires licensees to establish and maintain robust systems and controls, including:
  • Cybersecurity Policies: Procedures for protecting against unauthorized access, use, disclosure, disruption, modification, or destruction of information.
  • Key Management: Secure procedures for the generation, storage, and backup of cryptographic keys.
  • Business Continuity and Disaster Recovery Plans: Ensuring continued operation and recovery of services and data in case of disruption.
• While not explicitly stating "cold storage," the emphasis on safeguarding cryptographic keys, robust cybersecurity, and recovery plans strongly implies that cold storage, multi-signature wallets, and hardware security modules (HSMs) are best practices expected to meet these requirements, particularly for significant holdings.

5. Qualified Custodian Definitions

Mauritius does not define a separate category of "qualified custodian" distinct from its licensing regime. Instead, any entity licensed by the FSC as a "Custodian Wallet Service Provider" under the VAITOS Act 2021 is, by definition, considered a qualified custodian for virtual assets within Mauritius.

The qualification comes from meeting the stringent licensing requirements imposed by the FSC, which include:

• Meeting minimum capital requirements.
• Demonstrating robust operational, technical, and risk management capabilities.
• Adhering to strict AML/CFT obligations.
• Having fit and proper personnel.
• Undergoing regular supervision and audits by the FSC.

6. Pending Custody Legislation

As of my last update, there isn't specific new custody legislation pending that would fundamentally alter the existing framework established by the VAITOS Act 2021 and its accompanying Rules. The VAITOS Act is a relatively recent and comprehensive piece of legislation (enacted in 2021).

However, regulatory environments are dynamic:

• Amendments and Updates: The FSC continuously monitors the virtual asset landscape and international best practices (e.g., FATF guidance). As such, there may be ongoing updates, amendments to the existing Rules, or new Guidance Notes issued to clarify or strengthen specific aspects of VASP operations, including custody.
• Consultation Papers: The FSC typically publishes consultation papers before introducing significant changes to allow industry feedback. It's advisable for market participants to monitor the "Laws & Regulations" and "Publications" sections of the FSC website for any such announcements.

Disclaimer: This information is for general informational purposes only and does not constitute legal or financial advice. The regulatory landscape for virtual assets is complex and subject to change. It is essential to consult with legal and compliance professionals specializing in Mauritian financial services law for specific advice regarding cryptocurrency custody regulations and licensing in Mauritius.