Mauritius, first jurisdiction in the world to issue Custodian Services Licence for Digital Assets
What are Digital Assets?
As its name suggests, and contrary to traditional assets, digital assets exist solely in digital form and are secured by private keys controlling them. In the context of the Financial Services (Custodian services (digital asset)) Rules 2019, Digital Asset are defined as:
- any token, in electronic or binary form, which represents either the holder’s access rights to a service or ownership of an asset;
- a digital representation of value which:
- is used as a medium of exchange, unit of account, or store of value but which is not a legal tender, even if it is denominated in legal tender;
- constitutes assets such as debt or equity; or
- provides access to a blockchain-based application, service or product.
The FSC’s definition of a Digital Asset however excludes:
- any transaction in which a business grants value which cannot be exchanged for legal tender, bank credit or any digital asset, as part of an affinity or reward programme; or
- the use of Digital Assets within an online gaming platform.
Role of a custodian
Custodians are key to ensure the protection and preserving the wealth of both individuals and corporates. Their role is to provide proper asset segregation, ensuring the assets are protected against misappropriation, misuse, theft, or loss. To comply with transparency and good governance requirements, the services of a qualified custodian is required.
The three major responsibilities of a custodian towards an investor:
- Assets safekeeping: maintain proper record of ownership, valuation, accounting, and reporting of assets owned by a fund or an investor
- Trade processing: track, settle and reconcile assets that are acquired and disposed of by the investor
- Servicing: maintaining all economic benefits of ownership such as income collection and corporate actions
Strong digital asset ecosystem
The Custodian Services (Digital Asset) Licence in Mauritius show the positive progress the crypto economy is witnessing. In September 2018, Mauritius recognised Digital Assets as an asset-class for investment by Sophisticated and Expert Investors, Expert Funds and Specialised Collective Investment Schemes. At that time, the regulatory framework relating to the custody of securities and physical assets (Financial Services Act 2007) was inappropriate for the custody of digital assets. In 2019, a licensing framework specifically for digital asset custodian services was introduced by the FSC.
Secure and effective custodianship significantly reduces the risks of investing in digital assets. Implementing and strengthening regulatory compliance (through rigorous IT security, asset protection, improved transparency and market surveillance), is a significant step in the creation of a strong digital asset ecosystem, and towards the democratisation of digital assets exchanges and the access to new pools of local, regional and international capital. With an exponential growth in Fintech activities, the major limiting factor was the lack of appropriate custody services for the safekeeping of digital assets.
- Relocate to Mauritius: the ideal place to live and do business
- Global Business Company in Mauritius – All you need to know
- E-commerce in Mauritius: the ideal platform for your international strategy
The implementation of best practices and compulsory licensing requirement for custodians of digital are expected to broaden the scope of digital exchanges. It has the capacity to to enhance trust and confidence in the Mauritius jurisdiction, attract interest from the institutional investors and retail investors. These rules are the foundation for the sustainable growth of digital asset in Mauritius.
Licensing and compliance requirements to abide by as a holder of a Custodian Services (Digital Asset) Licence
To be authorised to provide custody services for digital assets in Mauritius, a person or company should apply for the Custodian Services (Digital Asset) Licence in accordance with Part IV of the Act. Under this Licence, the holder needs to respect the requirements, as set out in the Financial Services (Custodian services (digital asset)) Rules 2019, to be able to operate lawfully. You can access the complete set of rules here.
In addition, the holder of a Custodian Services (Digital Asset) Licence – as a financial institution, should also comply with all laws and regulations in force relating to Anti-Money Laundering and Combatting the Financing of Terrorism (AML/CFT) in Mauritius, and the FSC Code on the Prevention of Money Laundering and Terrorist Financing.
Operations in Mauritius
The company holding of a Custodian Services (Digital Asset) Licence must carry out its Core Income Generating Activities from its offices in Mauritius. The Custodian is now allowed to outsource these core business activities without prior approval from the FSC.
To perform those core functions, the Custodian must also employ staff members who are proficient, competent and experienced in the operations of a custodian. Staff involved in core business activities need to go succeed a fitness and propriety tests in accordance with best industry standards (prior to recruitment and thereafter on a recurrent basis). The Custodian also needs to ensure its staff members performing core functions have properly defined and documented duties and responsibilities, and ensure that staff are provided with appropriate training on a regular basis for their respective duties and responsibilities.
The Custodian needs to have a representative in Mauritius, knowledgeable in operating custodians. The representative will be responsible for maintaining the records (including due diligence records, board minutes, resolutions and transaction records) of the custodian, performing any statutory filings, and will act as a liaison with the FSC for any correspondence, notice or summons.
Infrastructure for continuous operations
The Custodian needs to have appropriate infrastructure, systems and procedures in place to ensure that its core functions remain continuously operational, and that it operates efficiently in accordance with industry standards and best practices.
The Custodian has to restrict access to keys, seeds and other information relating to digital asset it holds to authorised staff. The Custodian must maintain an up-to-date authorised staff list as well as an access rights management log, along with clearly defined procedures to enable or revoke access rights.
In addition, the Custodian has to demonstrate that it has the ability to provide its clients with uninterrupted access to all their assets in custody, especially in the event that it cannot fulfil its custody agreement or the business ceases to operate.
Minimum capital requirement
The Custodian must maintain a minimum stated unimpaired capital of above:
- MUR 35 million (or an equivalent amount in other convertible currencies); or
- an amount representing 6 months’ worth of operating expenses (as reported in the latest audited financial statements).
The governance structure of the Custodian must provide effective supervision of its activities, taking into consideration the nature, scale and complexity of the business. The Custodian must also have adequate internal controls and adopt strategies, policies, processes and procedures in accordance with principles of sound corporate governance and risk management.
With its registered office in Mauritius, the Custodian is to be managed by a board of directors composed of at least 3 directors, of which a minimum of:
- one must be resident in Mauritius; and
- 30% of the directors being independent directors.
Disaster recovery and Business Continuity
To ensure business continuity and the safekeeping of client assets, the Custodian is required to maintain appropriate disaster recovery facilities in multiple secure and geographically diverse locations. These secondary locations must have equivalent security features as its primary place of business in case the latter becomes inoperative.
Moreover, the Custodian must carry out frequent internal audits on storage devices to make sure that backups have not been removed or tampered with.
Customer protection and custody agreements
An agreement for custody and safekeeping of digital asset must contain:
- the particulars of the services to be provided and the related fees;
- the location of assets;
- the method of holding assets;
- information about the standard of care to be exercised by the custodian; and
- the Custodian’s responsibility in case of loss digital assets.
Each client must receive an original of the signed custody agreement within 30 days of signature.
Operational risk management
The Custodian must have and maintain a comprehensive operational risk management programme, which is documented and includes strategies to identify, monitor, and mitigate operational risks, together with an operational risk reporting system.
Audit of policies and procedures
The Custodian must appoint a qualified external independent third party to undertake an audit of all its systems, policies and processes at least once every year, in accordance with best industry standards and practices.
The Custodian must document and address any shortcoming identified during the audit. It also needs to keep records of such audits and any remedial actions implemented and be made available to the Commission for inspection.
Key and seed generation stage
To ensure the security of digital assets, the Custodian must create and manage private keys in a specialised and controlled offline environment. The Custodian is required to adopt the best industry security safeguards in the seed creation and key generation process in order to protect the seeds and keys from speculation and collision.
A minimum of three (3) staff members must be involved in the seed creation process. Furthermore, the Custodian must ensure that each seed is stored on an encrypted, password-secured device, and that proper safeguards are in place to prevent individuals involved in seed creation from getting access to the systems for the initiation of transactions.
Segregation of clients’ assets
Putting together digital assets that belong to different clients increases the possibility of losing assets of multiple clients in case of theft. Custodians are therefore required to have adequate procedures to ensure that digital assets belonging to different clients are not kept together at a single address or in a common wallet, and that no address or wallet is assigned to more than a single client.
Digital assets storage strategy
The Custodian must implement a strategy in line with best industry standards and practices, taking into consideration factors including:
- the volume of transactions;
- the speed at which those transactions are to be executed; and
- the risk appetite of each client.
Built on blockchain technology, Digital assets are highly secure. To date, major theft or loss of digital assets have occurred:
- online: To mitigate the risk of cyberattacks, the clients’ private keys need to be held in secure locations in cold storage (not connected to the internet) if they are not required for transaction purposes; or
- because of deficient Multi-Signature Authorisation. Indeed, the custodian must ensure that nobody is able to initiate and complete a transaction, and that the risks of collision between signatories are mitigated. Each signatory must provide a justification for approving and rejecting a transaction, and the Custodian must keep these justifications in its records.
Security infrastructure for on-site cold storage of digital assets
The Custodian needs to have an secured physical infrastructure, including guarded access to the facilities with restricted admittance to authorised employees only, vault storage with dual key requirements, and 24/7 closed-circuit television system, amongst others. The access procedures must be documented and be made available to the FSC.
Procedures for security breaches
The Custodian must implement procedures to protect digital assets held in custody in case, or suspicion, of a security breach. The Custodian must notify the client of any security incident relating to digital assets under custody.
A yearly audit of procedures by an external independent third party is required
Recordkeeping and reporting
In addition to maintaining the digital assets secure, Custodians must maintain up-to-date transactional records, and file quarterly financial statements and audited annual financial statements with the FSC.
Mauritius: the first jurisdiction in the world to offer a regulated framework for the custody of Digital Assets
Mauritius is an IFC of repute and substance. Indeed, the island nation ranks first among African countries on international indices, including ICT development, good governance, ease of doing business, political and social stability, and economic freedom amongst others. With the digitisation of assets and transactions, Mauritius has set its sight on becoming a FinTech hub. The FinTech sector will undeniably contribute to the growth of the Mauritius IFC. It provides the opportunity to offer value-added and innovative services, and enhances the attractiveness and competitiveness of the IFC for such activities. Being the first jurisdiction in the world to issue a Custodian Services (Digital Asset) Licence, Mauritius affirms its position as a FinTech hub in and for Africa.
Mauritius ranks first among African countries on international indices, including for ICT development and ease of doing business. In a statement, the Honorable Pravind Jugnauth, Prime Minister of the Republic of Mauritius said that Mauritius is committed to fast-tracking “the country’s move to an age of digitally-enabled economic growth”. This has started with the modernisation of the FinTech environment with the Financial Services (Custodian services (digital asset)) Rules 2019 framework. Being part of Africa, Mauritius is looking “forward to fostering further innovation and bringing more prosperity to the region”, he added.
How can Sunibel Corporate Services help you ?
- Setting up your company
- Assist with the application of the Licence with the FSC
- Assist with the recruitment process and payroll of your team
- Finding an office in Mauritius
- Provision of directors and company secretary
- Opening of bank accounts in nominated currencies
- Accompanying for the application for occupation and/or residence permits
- Corporate administration and other services
Should you wish set up your company in Mauritius, to have more information about this license, to know if it is appropriate for you, or need assistance with an application –
A few key definitions:
Blockchain: a type of distributed ledger technology which is a way of recording and sharing data across multiple data ledgers, with each individual ledger having the exact data records and are collectively maintained and controlled by a distributed network of computer servers referred to as nodes.
Cold storage: a method of storing digital asset or information whereby the device used for storage is not connected to the internet.
Core functions: functions related to operational and governance protocols, safekeeping of digital asset and transaction management.
Custodian: the entity entrusted with the custody of digital asset.
Custody: the safekeeping of digital asset being held or transacted.
Key: a cryptographic key which is used by a cryptographic algorithm to transform plain text into encrypted form or vice versa;
Safekeeping of digital asset: the contractual obligation according to which a custodian is required to secure and preserve digital asset being held in custody through the generation and securing of seeds and keys as well as management of addresses and wallets relating to digital asset including recovery processes for seeds and keys which have either been corrupted or otherwise compromised.
Seed: an alphanumeric phrase generated through the process of entropy.
- Setting up and register a company in Mauritius
- Relocate to Mauritius: the ideal place to do business and live
- Setting up a Trust in Mauritius
Disclaimer and important notices
This article is a brief overview of the Financial Services (Custodian services (digital asset)) Rules 2019 made by the Financial Services Commission under section 93 of the Financial Services Act. It is in no way to be perceived as legal advice. This document has been prepared using sources believed to be reliable. However, their accuracy and completeness cannot be fully guaranteed. The statements and opinions it incorporates were formed after careful consideration and maybe subject to change without notice. This document is not, and should not be construed as, an offer or the solicitation of an offer to sell any services. The use of any information contained in this document shall be at the sole discretion and risk of the user. Sunibel Corporate Services Ltd does not provide legal or tax advice and this document should not be construed as such. Sunibel Corporate Services Ltd expressly disclaims any and all liability for inaccuracies contained in the document and shall not be held liable for any damage that may result from any use of the information presented herein.
For more information, please see our terms and conditions.
Book your meeting
Error: Contact form not found.