1. Introduction

In view of establishing Mauritius as the centre for the FinTech ecosystem in the region, the Financial Services Commission, Mauritius (the “FSC”) has been setting up regulatory frameworks for innovation-driven financial services in the jurisdiction over the past years.

In this regard, the FSC issued a Guidance Note on 17 September 2018 on the Recognition of Digital Assets as an asset-class for investment by Sophisticated and Expert Investors.

In addition, with effect from 01 March 2019, through the Custodian Services (Digital Asset) licence and corresponding rules, Mauritius became the first International Financial Centre (“IFC”) to offer a dedicated regulatory landscape for the safekeeping of Digital Assets2. Subsequently, on 08 April 2018, the FSC published a second Guidance Note clarifying the regulatory approach in relation to Securities Tokens Offerings (STOs). A further Guidance Note on Security Token Offerings and Security Token Trading Systems was issued on 15 June 2020 to provide for a common set of standards for STOs and the licensing of Security Token Trading Systems in Mauritius.

The FSC is now setting up the regulatory landscape for the FinTech Service Provider (FSP) licence. Issued under section 14 of the Financial Services Act (“FSA”), the FSP licence aims at offering providers of technology services to financial institutions3, with a conducive supervisory regime should they wish to establish a commercial presence and operate in or from within Mauritius.

2. Background and Context

With the enhanced nexus between technology and financial services over the recent years, we have been witnessing the increased use of new or emerging technologies or the innovative use of existing technologies in financial services.

The insurance landscape provides a suiting illustration of the cooperation between insurers and technology service providers. Over the recent years, innovative technology-driven insurance solutions (InsurT ech) have been developed, including technology-assisted underwriting for improved accuracy, big data analytics to predict client behavioural patterns for risk assessment or Artificial Intelligence-powered claim management systems.

^{2 A Digital Asset is a digital representation of value that can be digitally traded and functions as (1) a medium of exchange; and/or (2) a unit of account; and/or (3) a store of value but does not have legal tender status. A Digital Asset is considered as encompassing a “Virtual Asset” as defined by the Financial Action Task Force (FATF) in the FATF Recommendations as updated in October 2020}

^{3 “Financial Institution” has the same meaning as in the Financial Intelligence And Anti-Money Laundering Act 2002}

Financial institutions are also gradually turning to Regulatory Technology (RegTech) solutions, predominantly by collaborating with technology service providers, to assist them in meeting their statutory obligations.

With its licensees increasingly relying on providers of RegTech solutions, whether through the in-house use of programmes developed and maintained by these providers or via an outsourcing arrangement, it becomes crucial for the FSC to ensure that these service providers are in good standing.

Accordingly, the FSP licence and its corresponding regulatory framework are intended for the licensing and supervision of these technology service providers offering RegTech, other technology solutions or software as a service, to financial institutions.

The holder of the FSP licence, which will be issued under section 14 of the FSA, will be a licensee of the FSC and will be required to ensure strict adherence with the relevant Acts4 under the administration of the FSC. It will also be required to abide by all other applicable enactments including the Financial Intelligence and Anti-Money Laundering Act and the Data Protection Act as well as subsidiary legislations issued thereunder.

4. Approach

Section 18 of the FSA requires the applicant for a licence to have adequate resources, infrastructure and staff with the appropriate competence, experience and proficiency to carry out the activity for which the licence is sought. Once the licence has been issued, the holder is required to maintain appropriate resources, infrastructure and staffing to retain its licence.

The relevant Acts being essentially technology-agnostic, the assessment of the capacity of an entity to provide services under the FSP licence will be based on its business plan submitted with its application. The applicant will be required to demonstrate therein, its ability to meet the requirements of section 18 of the FSA through the operational and governance protocols elaborated in this Consultation Paper as well as the fitness and propriety of its officers.

In respect of its operational and governance protocols, the holder of the FSP licence will be required to comply with best standards and practices established by the industry, where applicable.

The approach proposed by the FSC in some parts of this Consultation Paper is explicit and prescriptive, while in other parts, “standards” and “industry practices” have been mentioned in view of setting the minima criteria whilst keeping the requirements voluntarily wide. The FSC expects that as industry expertise develops in this field of activity, these best practices and standards may then be considered to develop activity-specific guidelines for the FSP licence.

^{4 “Relevant Acts” is defined under section 2 of the FSA.}

Governance Standards

Legal Form

The applicant for the FSP licence will have to be a corporate body, trust, société or partnership set up in Mauritius.

Subject to meeting the conditions prescribed under the FSA, the holder of the FSP licence may apply for a Global Business Licence under Part X of the FSA.

Objective of the business

The objectives of the applicant for the FSP licence, as detailed in its business plan, will have to be limited to the development, provision and maintenance of technology solutions or software, in or from within Mauritius and operations arising directly therefrom, on a commercial basis, for use in the carrying out or delivery of financial services..

A single entity will not be permitted to undertake any other financial business activities5 under an FSP licence. Such other financial business activities will have been undertaken by a separate legal entity holding the relevant licence from the FSC, as may be applicable.

For the avoidance of doubt, where the proposed activity of the applicant for the FSP licence matches any other financial business activities regulated by the FSC, the applicant will be required to apply for the appropriate licence. The application for the FSP licence will accordingly not be entertained in those scenarios.

 

Minimum Stated Capital

The holder of the FSP licence shall, at all times, have and maintain a minimum stated unimpaired capital of not less than MUR 500,000 or such higher amount as the FSC may determine.

 

Governance

An applicant for the FSP licence shall:

(i) Ensure that its governance structure provides effective oversight of its activities, taking into consideration the nature, scale and complexity of its business;

(ii)  Establish adequate internal controls and adopt strategies, policies, processes and procedures in accordance with principles of sound corporate governance and risk management;

2. (iii)  Maintain its registered office and place of business in Mauritius, as may be applicable; and

3. (iv)  Have a board of directors composed of not less than three (3) directors, at least one (1) of whom shall be resident6 in Mauritius.

 

Representative in Mauritius

The applicant must also have, at all times, a representative in Mauritius who shall be responsible:

1. (i)  For filing with the FSC such document as may be required under the relevant Acts and any other enactment;

2. (ii)  To act as liaison with the FSC for any correspondence, notice or summons; and

3. (iii)  To maintain records of the FSP licence-holder in line with the applicable statutory requirements.

In the event that the applicant for the FSP licence is opting for the Global Business regime, the representative may be its Management Company.

 

Staffing

The applicant will have to ensure that it has adequate staffing with the appropriate competence, experience and proficiency to perform their functions properly. It will also be required to clearly define and document the duties and responsibilities of its staff in line with its operational requirements.

Such staffing details and responsibility allocation plans, in line with its business needs, will have to be submitted to the FSC as part of its procedure manuals at the time of the application for the FSP licence.

^{6     In case the applicant applies for a Global Business Licence, it will be required to comply with section 71 of the FSA     including, but not limited to, having at least 2 directors, resident in Mauritius, of sufficient calibre to exercise independence of mind and judgement.}

 

Outsourcing

In the application, full disclosure must be made to the FSC regarding functions which the applicant proposes to outsource to any third party and the rationale for the proposed outsourcing.

The applicant must have appropriate protocols so that the third party is subject to adequate due diligence both in terms of its fitness and propriety as well as its capacity to fulfil the outsourced function. Details of such due diligence conducted must be kept on record by the applicant.

Notwithstanding any outsourcing arrangement, the applicant will retain full responsibility vis- à-vis the FSC for the failure by the third party to fulfil the outsourced function.

 

Strategy for equipment procurement

The applicant will have to maintain a documented strategy for the procurement of equipment used for its activities from alternative suppliers in case of failure by the main supplier(s) to comply with contracts for delivery of such equipment. At any point in time, the applicant must have in place the appropriate infrastructure to ensure that the core tasks relating to its activities are fully functional at all times.

 

Efficiency and Performance

The applicant must demonstrate that appropriate systems and procedures are in place to operate in an efficient manner.

 

Anti-Money Money laundering and Countering the Financing of Terrorism (“AML/CFT”)

The applicant, as part of its application, will be required to submit a report consisting of an in- depth assessment of the potential money laundering and terrorist financing risks posed by its operations as well as the procedures, systems, controls and protocols that will be established in relation to those risks. Once licensed, prior to starting its operations, the licensee will be required to have those AML/CFT systems and controls in place.

The holder of the FSP licence will also be required to ensure, at all times, strict adherence to the Financial Intelligence and Anti-Money Laundering Act and subsidiary legislations issued thereunder.

 

Statutory Reporting

The applicant must have in place, a system to ensure that it complies with its statutory reporting requirements as prescribed under the applicable laws.

 

Management of operational risks

The applicant’s procedures must include a comprehensively documented Operational Risk Management Programme (“ORMP”) englobing all current industry risks. The ORMP must be audited on an on-going basis to cater for emerging risks to its business.

This ORMP, to be applied in the operations of the applicant and communicated to all relevant personnel, will need to include, inter alia:

1. (i)  Strategies developed to identify, assess, monitor and control/mitigate operational risks;

2. (ii)  Policies and protocols relating to operational risk management and controls;

3. (iii)  Methodology to assess operational risks; and

4. (iv)  Operational risk reporting system.

 

Processes and systems testing

Once it has been licensed by the FSC, the holder of the FSP licence must cause its processes and systems to be tested regularly. Evidence of such tests and the findings must be appropriately documented and made available to the FSC for inspection, upon request. The schedule for processes and systems testing must be included in its protocols to be submitted to the FSC at the time of application.

The testing schedule must include procedural risks, as well as, high impact financial risks and may extend to:

1. (i)  Penetration testing and vulnerability scans; and

2. (ii)  System integrity audits.

Systems testing must be undertaken in line with the industry’s best standards and practices and may be conducted by the licensee, independent third parties or both. The participation of external parties will be highly relevant in defining risks and tests, which may have been overlooked by the licensee.

 

Incident Reporting

The applicant must have in place appropriate protocols to ensure that any incident, which results in an interruption of its operations, is properly logged and documented with details of the cause of the incident, impact, method used to resolve the incident and timeframe for doing so. The processes of the applicant will have to provide for such a report to be periodically escalated to the applicant’s management and board of directors for their information. The report may also be used to update the existing processes and systems in view of plugging any identified gaps.

 

External Audit of policies and procedures

The applicant must have in place appropriate arrangements for its policies and procedures to be externally audited. The external audit findings must be used to address any shortcomings identified. Records of the audit findings along with documentation of any remedial actions implemented must be kept and made available for inspection by the FSC upon request. The first external audit will have to be conducted within the first year of operation and thereafter on a recurrent basis, in line with industry best standards and practices.

 

Use of Automation

The applicant may have recourse to the use of automation in relation to its functions. The proposed automation of its functions will have to be disclosed in its procedures submitted at the time of application.

For any use of automation to perform operational functions, the ORMP is to be duly updated to provide for scenarios to be followed in the event that the automation fails.

 

Record keeping

The applicant must document its procedures relating to record keeping on its clients, including details of business relationship therewith. Such records must be in line with the appropriate statutory requirements and must be available for inspection by the FSC, upon request.

 

Business Continuity

Personnel

For the purposes of business continuity, the applicant will be required to have:

1. (i)  As part of its protocols, a system to ensure the continuity of its operations in the event that the primary personnel assigned to perform a non-automated core function is unavailable. This may include having back-up staff with appropriate expertise to perform the applicable function; and

2. (ii)  A suitable alternate site to continue its operations, in the event that the primary business location is compromised

Disaster Recovery

The FSC will require that the applicant maintain appropriate disaster recovery facilities, with appropriate geographic segregation and equivalent security installations as the main place of business, in view of ensuring business continuity.

Statutory Compliance

The applicant, once licensed, must ensure that it complies, at all times, with all applicable laws in Mauritius including data protection, and where applicable, the relevant laws in the other jurisdictions in which it operates.

Cybersecurity and Cyber Resilience

The Applicant will be required to have in place an appropriate cybersecurity and cyber resilience system in line with best industry standards to ensure the preservation of confidentiality, integrity and availability of its information and/or its information systems.

 

Conclusion

The FSC is seeking the views of the industry, its stakeholders and the public on this Consultation Paper in line with its collaborative approach .Interested parties are invited to send their comments, feedback and suggestions in relation to the regulatory framework proposed in this Consultation Paper not later than 05 March 2021 on the following e-mail address: fspconsultation@fscmauritius.org.

 

...........................................

FSC House, 54 Cybercity, Ebene, Republic of Mauritius
Tel: (230) 403 7000 Fax: (230) 467 7172
E-mail: fscmauritius@intnet.mu, Website: www.fscmauritius.org