Mauritius -- Licensing Requirements Regulatory Overview

**Virtual Asset and Initial Token Offering Services Act 2021 (VAITOS Act 2021):** This Act defines various virtual asset services and mandates licensing for providers.

**FSC Rules (Virtual Asset and Initial Token Offering Services) 2022:** These rules provide specific details and requirements for implementing the VAITOS Act.

**Financial Intelligence and Anti-Money Laundering Act 2002 (FIAMLA 2002)**

**Guidance Notes on Anti-Money Laundering and Combating the Financing of Terrorism for Virtual Assets and Virtual Asset Service Providers (VASPs)**

**Definition of Custodian Wallet Service (Section 2, VAITOS Act 2021):** "a service to safeguard virtual assets or instruments enabling control over virtual assets, on behalf of natural or legal persons."

**Licensing Process:** Applicants must submit a detailed application to the FSC, including:

Evidence of "fit and proper" persons for directors, beneficial owners, and senior management.

Robust governance arrangements, including internal controls, risk management systems (operational, financial, IT, cybersecurity).

**Minimum Stated Capital (Schedule 1, FSC Rules (VAITOS) 2022):**

A licensee providing "Custodian Wallet Service" must maintain a minimum stated capital of **MUR 1,500,000** (approximately USD 37,500, subject to exchange rate fluctuations).

**VAITOS Act 2021 (Section 13(1)(g)):** A VASP shall "manage client virtual assets and money received from clients in a manner that protects the interests of clients, and, in particular, ensures that they are segregated from the assets of the VASP."

**FSC Rules (VAITOS) 2022 (Rule 12 - Client Virtual Assets and Money):**

Mandates that a licensee must maintain separate accounts for client virtual assets and money received from clients, distinct from its own assets.

Requires the licensee to clearly identify and account for client virtual assets and money, and to maintain proper records.

Prohibits the use of client virtual assets or money for the licensee’s own benefit or for the benefit of any third party without explicit client consent and where permitted by law.

**Minimum Stated Capital:** The requirement for minimum stated capital (MUR 1.5 million) serves as a financial buffer.

**Risk Management Framework (Section 13(1)(b) of VAITOS Act and Rule 9 of FSC Rules (VAITOS) 2022):** Licensees are required to have "robust risk management policies and procedures" covering operational risks, technology risks, and financial risks. This implies that firms should consider professional indemnity insurance or other risk transfer mechanisms as part of their overall risk mitigation strategy, especially given the high-value nature of custodial services.

The FSC may, on a case-by-case basis or through further guidance, require specific insurance coverage if deemed necessary for the protection of clients.

**VAITOS Act 2021 (Section 13(1)(d)):** A VASP shall "implement adequate systems and controls for safeguarding client virtual assets, including cryptographic keys."

**FSC Rules (VAITOS) 2022 (Rule 9 - Risk Management and Internal Controls):** Requires licensees to establish and maintain robust systems and controls, including:

**Cybersecurity Policies:** Procedures for protecting against unauthorized access, use, disclosure, disruption, modification, or destruction of information.

**Key Management:** Secure procedures for the generation, storage, and backup of cryptographic keys.

**Business Continuity and Disaster Recovery Plans:** Ensuring continued operation and recovery of services and data in case of disruption.

While not explicitly stating "cold storage," the emphasis on safeguarding cryptographic keys, robust cybersecurity, and recovery plans strongly implies that cold storage, multi-signature wallets, and hardware security modules (HSMs) are best practices expected to meet these requirements, particularly for significant holdings.

Demonstrating robust operational, technical, and risk management capabilities.

Adhering to strict AML/CFT obligations.

Having fit and proper personnel.

Undergoing regular supervision and audits by the FSC.

**Amendments and Updates:** The FSC continuously monitors the virtual asset landscape and international best practices (e.g., FATF guidance). As such, there may be ongoing updates, amendments to the existing Rules, or new Guidance Notes issued to clarify or strengthen specific aspects of VASP operations, including custody.

**Consultation Papers:** The FSC typically publishes consultation papers before introducing significant changes to allow industry feedback. It's advisable for market participants to monitor the "Laws & Regulations" and "Publications" sections of the FSC website for any such announcements.

**FSC Website (Virtual Assets section):** https://www.fscmauritius.org/en/legal-framework/virtual-assets

Applicants must maintain a minimum unimpaired stated capital or reserves as prescribed by the FSC.

As per the **Virtual Asset and Initial Token Offerings Services (Licence for Virtual Asset Service Providers) Rules 2022**, the minimum unimpaired stated capital for a VASP (holding a full licence) is **MUR 1,200,000 (approximately USD 26,000 - USD 30,000, depending on exchange rates)**.

This capital must be maintained at all times.

Robust AML/CFT policies, procedures, and controls are paramount. VASPs are considered "reporting entities" under the **Financial Intelligence and Anti-Money Laundering Act 2002 (FIAMLA)**.

Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) for higher-risk clients.

Reporting suspicious transactions to the Financial Intelligence Unit (FIU).

Appointing an AML/CFT Compliance Officer.

Compliance with the FSC's AML/CFT Handbook and national AML/CFT legislative framework is mandatory.

Applicants must demonstrate adequate local presence and economic substance in Mauritius. This typically includes:

A physical office in Mauritius.

Local directors and skilled employees, proportionate to the nature and scale of the business. At least one director must be ordinarily resident in Mauritius.

Adequate operational and management infrastructure.

Books and records to be kept in Mauritius.

All directors, shareholders, senior management, and beneficial owners must satisfy the "fit and proper" criteria established by the FSC. This involves checks on honesty, integrity, reputation, competence, and financial soundness.

A comprehensive business plan outlining the proposed activities, target market, operational procedures, risk management framework, financial projections, and technological infrastructure.

Robust IT systems, cybersecurity measures, data protection protocols, and disaster recovery plans are essential to safeguard virtual assets and customer data. Independent security audits may be required.

A sound risk management framework covering operational, financial, legal, and reputational risks associated with virtual asset services.

Shares, debentures, bonds, unit trusts, futures contracts, options, and any other instrument that is commonly known as a security or is capable of being traded in a capital market.

An interest in a collective investment scheme.

**An investment of money (or virtual assets):** Where an investor contributes capital.

**In a common enterprise:** Where the fortunes of the investor are interwoven with those of the promoter or issuer, or a third party.

**With an expectation of profits:** The primary motivation for acquiring the token is financial gain.

**Deriving solely or substantially from the efforts of others:** The success of the investment depends largely on the managerial or entrepreneurial efforts of the issuer, promoter, or a third party, rather than the active participation of the token holder.

**Payment Token:** A virtual asset intended to be used as a means of exchange or for payment.

**Utility Token:** A virtual asset intended to provide access to a specific application, service, or product.

**Security Token:** Explicitly defined as a virtual asset that **"meets the definition of a 'security' under the Securities Act 2005."** This is the direct link.

**Hybrid Token:** A virtual asset combining characteristics of two or more of the above categories.

**Security Tokens:** These are tokens that represent traditional securities such as:

**Equity tokens:** Represent ownership in a company, with rights like dividends, voting rights, or a share in profits.

**Debt tokens:** Represent a loan or debt instrument, offering interest payments or repayment of principal.

**Asset-backed tokens:** Represent fractional ownership in real-world assets like real estate, art, or commodities, where the token holder expects returns from the asset's performance or management by others.

**Tokens granting a share of future profits/revenue:** Where the token holder's return is tied to the success or performance of an underlying business or project managed by the issuer.

**Hybrid Tokens with Security Characteristics:** If a hybrid token possesses features that grant rights typically associated with securities (e.g., profit-sharing, governance rights in a centralized entity, or a promise of returns tied to the efforts of others), it will likely be treated as a security.

**Securities Act 2005 Compliance:** Issuers of security tokens must comply with the Securities Act 2005. This typically entails:

**Prospectus Requirements:** Issuing a prospectus (or other approved disclosure document) and registering it with the FSC, unless an exemption applies (e.g., private placement, small offering, offer to sophisticated investors). The prospectus must contain all material information necessary for investors to make an informed decision.

**Licensing:** The issuer or any party involved in the distribution or marketing of the security token may require appropriate licenses (e.g., Investment Dealer, Investment Adviser) from the FSC.

**VAITOS Act 2021 Compliance for ITOs:** Even if it's a security token, an Initial Token Offering (ITO) falls under the VAITOS Act. This requires:

**Prior Approval from the FSC:** An issuer must obtain prior approval from the FSC for any ITO.

**Submission of Documents:** This includes a whitepaper, legal opinion, business plan, AML/CFT compliance framework, and other prescribed information. The whitepaper must disclose all relevant information about the token, project, risks, and use of proceeds.

**Compliance with AML/CFT:** Strict Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) requirements apply.

**VAITOS Act 2021 Compliance:** Issuers of non-security tokens still require **prior approval from the FSC for an ITO**.

**Whitepaper and Disclosure:** A comprehensive whitepaper must be submitted to and approved by the FSC, providing clear and transparent information about the token, its functionality, risks, and the project.

**AML/CFT Compliance:** Strict AML/CFT measures must be in place.

**Regulated Exchanges:** Secondary trading of security tokens is generally expected to occur on a licensed securities exchange (like the Stock Exchange of Mauritius for traditional securities) or an FSC-approved market specifically designed for security tokens.

**VASP Licensing:** Any platform or entity facilitating the secondary trading of security tokens, acting as an exchange, broker, or custodian, must be licensed as a Virtual Asset Service Provider (VASP) under the VAITOS Act.

**Market Conduct Rules:** These platforms must adhere to market conduct rules, transparency requirements, and investor protection measures akin to traditional securities markets.

**VASP Licensing:** Secondary trading of non-security tokens typically takes place on virtual asset exchanges. These exchanges must be licensed by the FSC as Virtual Asset Service Providers (VASPs) under the VAITOS Act.

**AML/CFT Compliance:** VASPs are subject to stringent AML/CFT obligations, including customer due diligence (CDD) and transaction monitoring.

**Operational Requirements:** Licensed VASPs must meet capital requirements, IT security standards, and other operational guidelines set by the FSC.

**Issuing Warnings and Guidance:** The FSC regularly issues communiques and guidance notes to inform the public and industry participants about the regulatory requirements and risks associated with virtual assets and token offerings.

**Licensing and Compliance:** The primary enforcement mechanism is ensuring entities comply with licensing requirements under the VAITOS Act (for VASPs and ITOs) and the Securities Act (for security tokens). Operating without the necessary license or approval would be a significant breach.

**Anti-Money Laundering (AML) Compliance:** A significant area of enforcement and supervision for the FSC relates to AML/CFT compliance for all virtual asset service providers and ITOs, aligning with FATF standards.

**Sandbox Approach:** Mauritius also operates a Regulatory Sandbox Licence, allowing innovative businesses (including blockchain and crypto projects) to test their products and services in a controlled environment before full market rollout, thereby reducing the likelihood of non-compliance.

**Significant Fines:** Both for individuals and corporate entities.

**Imprisonment:** For serious offenses, particularly related to operating without a license or engaging in fraudulent activities.

**Revocation of Licenses:** For licensed entities.

**Cease and Desist Orders:** To stop illegal offerings or activities.

**Financial Services Commission (FSC) Mauritius:**

Available through the Attorney General's Office or FSC publications.

Link (often found in FSC Library or government portal): https://www.fscmauritius.org/media/1335/securities-act-2005.pdf (PDF on FSC site)

**FSC Guidance Notes and Communiques:**

The FSC regularly publishes guidance. Check the "Laws & Regulations" and "Publications" sections on the FSC website for the latest communiques and guidance notes on virtual assets and ITOs.

A useful starting point is often under the "Circulars and Communiques" or "Legal Framework" sections on their site. Specific guidance for VAITOS Act implementation will be found there.