Mauritius: Data Protection in the Financial Sector
1. Governing Texts
The protection of personal data in Mauritius is governed by the Data Protection Act 2017 ('the Act'), which came into force on 15 January 2018. The Act repeals and replaces the Data Protection Act 2004, and aims to be in line with current relevant international standards, in particular the European Union's General Data Protection Regulation (Regulation 2016/679) ('GDPR') on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The Act seeks, inter alia, to:
- simplify the regulatory environment for business in the digital economy; and
- promote the safe transfer of personal data to and from foreign jurisdictions, given the diversification, intensification, and globalisation of data processing and personal data flows.
The need for data protection law stems from the principle that everyone has the right to the protection of their private life, of which personal data forms an integral part. The right to privacy is expressly provided for in Sections 3 and 9 of the Constitution of the Republic of Mauritius and in Article 22 of the Mauritian Civil Code (available only in French).
Mauritius has been party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108') since 1 October 2016 and was the sixth State, and the first in Africa, to ratify the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108+').
Under the Act, personal data is defined as any information relating to a data subject, which is an identified or identifiable individual, in particular by reference to an identifier.
Subject to a few exceptions, the Act applies whenever a controller or a processor is processing the personal data of data subjects.
The Data Protection (Fees) Regulations 2020 (GN No. 152 of 2020) ('the New Regulations'), made under section 55 of the Act, have been in force since 1 August 2020. The New Regulations set the fees payable to the Data Protection Office ('the Office') for registration as a controller or processor, for renewal of registration and for obtaining certified copies of entries in the register. Alongside the New Regulations, the Office issued new registration forms; until then, controllers were still being registered on forms made under the repealed Data Protection Act 2004. The new forms cover the registration of processors as well as controllers. No processor registration form had existed before, although processors, like controllers, are required under the Act to register with the Data Protection Commissioner ('the Commissioner').
'Controller' means a person who, or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing.
'Processor' means a person or public body that processes personal data on behalf of a controller.
The term 'processing' is given a very wide definition as an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Act does not apply to the exchange of information between ministries, government departments, and public sector agencies, nor to the processing of personal data by an individual in the course of a purely personal or household activity (Section 3(4) of the Act). In addition, the processing of personal data for the purpose of historical, statistical, or scientific research may be exempt from the provisions of the Act where the security and organisational measures specified in Section 31 of the Act are implemented to protect the rights and freedoms of data subjects (Section 44(2) of the Act). Furthermore, Section 44(1) of the Act allows an exemption from its provisions where the exemption constitutes a necessary and proportionate measure in a democratic society.
There are data privacy requirements specific to the financial sector, which are highlighted below. In any event, all financial institutions, such as banks, insurance companies and global business companies, and companies in general, must abide by the Act whenever they process personal data as controllers or processors.
Apart from the Act, other pieces of legislation in the financial sector touch upon data privacy issues such as data retention and consent for processing. These are:
- the Financial Services Act 2007 ('FSA');
- the Bank of Mauritius Act 2004 ('BOMA'); and
- the Banking Act 2004 ('the Banking Act').
According to Section 83 of the FSA, the Financial Services Commission ('FSC') shall furnish, when so required by the Bank of Mauritius ('BOM'), such information as may be required for the purposes of assisting it in the discharge of its functions. The BOM may publish, in whole or in part, any information so furnished. However, no information shall be published by the BOM where such publication would entail the disclosure of the financial affairs of any individual or enterprise without the consent in writing of the individual or enterprise.
According to Section 26 (Confidentiality) of the BOMA, nothing shall preclude (Section 26(4)):
- the exchange or disclosure of any information, under conditions of confidentiality, between the Bank and any public sector agency or law enforcement agency, where the Bank is satisfied that the public sector agency or law enforcement agency has the capacity to protect the confidentiality of the information imparted, or between the Bank and any other foreign regulatory agency performing functions similar to those of the BOM under the BOMA pursuant to any existing or future treaty, or agreement or memorandum of understanding entered into by the Bank or the State of Mauritius;
- the disclosure by the BOM to the FSC of such information as may be required by the FSC for the purposes of assisting it in the discharge of its functions;
- the disclosure of any information pursuant to an order made by the Judge in Chambers under Section 6 of the Mutual Assistance in Criminal and Related Matters Act 2003;
- the disclosure of any information to the Financial Intelligence Unit ('FIU') pursuant to Section 22 of the Financial Intelligence and Anti-Money Laundering Act 2002; or
- the disclosure of any information or data by the Bank to Statistics Mauritius to enable the Director of Statistics (currently, Ms. Li Fa Cheung Kai Suet) to discharge, or assist him/her in discharging, any of his/her functions under the Statistics Act.
The Banking Act
Section 64(1) and (2) of the Banking Act provides for the duty of confidentiality which must be respected by anyone who has access to the books, accounts, records, financial statements or other documents, whether electronic or otherwise, of a financial institution.
The Banking Act however provides for a series of exceptions to the duty of confidentiality and this is provided for under Sections 64(3)-64(15) of the Banking Act.
One of those exceptions provided under Section 64(12) of the Banking Act is that the BOM may disclose to the auditor of a financial institution any information received under or for the purposes of the Banking Act where it considers that disclosing the information would enable or assist it in the discharge of its supervisory responsibilities. Furthermore, Section 64(13) of the Banking Act provides that the BOM may publish at such times as it may determine, information or data furnished under the Banking Act provided that the information or data do not disclose the particular financial situation of any financial institution or customer, unless the consent of the financial institution or the customer, as the case may be, has been specifically obtained.
In addition to the legislation outlined above, the following guidelines are applicable:
- the 2006 BOM Guidelines on Outsourcing by Financial Institutions (latest revision in March 2018) ('the BOM Guidelines on Outsourcing'); and
- the 2020 Anti-Money Laundering and Countering the Financing of Terrorism Handbook ('the AML/CFT Handbook').
The BOM Guidelines on Outsourcing
The BOM Guidelines on Outsourcing provide for safeguards that should be in place when financial institutions (companies licensed by the BOM under the Banking Act) retain the services of cloud-based service providers. The BOM Guidelines on Outsourcing provide that the financial institution should perform the necessary due diligence and apply sound governance and risk-management practices when subscribing to cloud-based services. They further provide that financial institutions are ultimately responsible and accountable for maintaining oversight of cloud-based services and managing the risks of adopting them, as in any other form of outsourcing arrangement. As per the BOM Guidelines on Outsourcing, financial institutions should obtain their clients' consent for their information to be stored on the cloud in specified jurisdictions.
The BOM Guidelines on Outsourcing impose restrictions whenever a financial institution decides to outsource its activities to a service provider. Further restrictions apply when the financial institution retains the services of a cloud-based service provider.
The BOM Guidelines on Outsourcing provide that, depending on the nature and materiality of the outsourcing arrangement, financial institutions should consider notifying their customers in advance that customer data may be transmitted to a service provider as part of their contractual arrangement with the customers.
The BOM expects financial institutions to be fully aware of the characteristics of cloud-based services, such as data commingling and the possibility of processing being carried out in different locations. Financial institutions are required to take appropriate measures with respect to data access, confidentiality, integrity, sovereignty, recoverability and regulatory compliance. They should ensure that the service providers have the capacity to identify and segregate customer data using strong physical or logical controls.
Cloud-based services restrictions
It is to be noted that the BOM is also working on guidelines for the implementation of cloud-based services by financial institutions. However, these guidelines which were open to public consultation have not yet been adopted.
The AML/CFT Handbook
As part of the FSC's initiatives to assist financial institutions in applying national measures to combat money laundering and terrorist financing, the FSC has developed its Anti-Money Laundering and Countering the Financing of Terrorism Handbook (the 'AML/CFT Handbook'). The aim of the Handbook is to assist financial institutions in meeting their obligations under the Financial Intelligence and Anti-Money Laundering Act 2002 ('FIAMLA') and the Financial Intelligence and Anti-Money Laundering Regulations 2018 ('FIAMLR') by providing guidance on different matters. It consolidates the FSC's guidance on anti-money laundering, the financing of terrorism and the financing of proliferation of weapons of mass destruction.
It is designed to help financial institutions adopt a more effective, risk-based and outcome-focused approach.
Under the FIAMLA, a financial institution is an institution, or a person, licensed or registered or required to be licensed or registered under:
- section 14, 77, 77A or 79A of the Financial Services Act;
- the Insurance Act;
- the Securities Act; or
- the Captive Insurance Act 2015.
1.2. Supervisory authorities
The Office and the Commissioner
According to the Act, the Data Protection Commissioner ('the Commissioner') heads the Data Protection Office ('the Office'), which is a public office set up to discharge the Commissioner's functions under the Act. The Commissioner has the duty to ensure compliance with the Act and any regulations made under it, and has wide enforcement powers to assist him/her in discharging this duty. One of the powers of the Commissioner is to issue or approve such codes of practice or guidelines for the purposes of the Act as he/she thinks fit. Apart from the Data Protection (Fees) Regulations 2020, no regulations have yet been made under the Act, but the Office has issued guidelines on the Act.
As regards other supervisory authorities, the FSC regulates the non-banking financial services, and the BOM regulates the banking services.
The FSC, through its legislative framework, ensures the protection of consumers and investors. The FSC promotes access to financial services through the dissemination of financial information and awareness of the benefits and risks associated with the financial markets.
The BOM is responsible for the regulation and supervision of financial institutions licensed by the BOM and carrying out activities in, or from within, Mauritius. The BOM is also the supervisory body in relation to anti-money laundering and countering the financing of terrorism (AML/CFT) for banks, non-deposit taking financial institutions and cash dealers. It issues Guidance Notes for this sector and has powers under the FIAMLA and the Banking Act to impose regulatory sanctions for any breach of the FIAMLA and its regulations by licensed entities.
The FIU was established under Section 9 of the FIAMLA in August 2002. It is the central Mauritian agency for the request, receipt, analysis, and dissemination of financial information regarding suspected proceeds of crime and alleged money laundering offences, as well as the financing of any activities or transactions related to terrorism to relevant authorities. It is the supervisory body for AML/CFT in relation to the real estate and jewellery sectors.
The FIU also issues guidelines to banks, financial institutions, cash dealers and members of the relevant professions on the manner in which a suspicious transaction report should be made. There is cooperation between the FIU and domestic investigatory or supervisory authorities, and exchange of information with overseas FIUs or comparable bodies. Furthermore, the FIU is assigned to conduct research on the causes and consequences of money laundering and terrorist financing through participation in projects. The FIU is a member of the National Committee on AML/CFT and is involved in instruction and awareness-creation on AML/CFT issues.
The FIU has set up the National Risk Assessment Working Group, which has been divided into sectoral teams, namely, the banking sector, the securities sector, the insurance sector, the other non-bank financial institutions sector, the global business sector, and the designated non–financial businesses and professions sector. The National Risk Assessment project is being coordinated by the FIU as the central agency and the Independent Commission Against Corruption ('ICAC'). The core function of the ICAC is to investigate and prosecute corruption and money laundering. It is also mandated to investigate terrorist financing as a predicate offence of money laundering. The ICAC starts investigations based on reports and information from government agencies and other sources. The ICAC may also start an investigation on its own initiative.
2. Personal and Financial Data Management
Financial institutions, being controllers of personal data, are under the same obligations as all controllers under the Act in relation to the collection, processing, and transfer of personal data.
Unless one of the exceptions to the application of the Act as highlighted above applies, a controller cannot collect personal data unless:
- it is done for a lawful purpose connected with the function or activity of the controller; and
- the collection of the data is necessary for that purpose.
Financial institutions which process personal data must abide by the processing obligations set out in the Act, in that they must ensure that the data are:
- processed lawfully, fairly and in a transparent manner in relation to any data subject;
- collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- processed in accordance with the rights of data subjects.
Sector-specific laws concerning the collection and processing of personal data
The FSA requires financial institutions licensed by the FSC to keep records of the identity of each customer and of all their transactions. Guidelines issued by the FSC also specify the customer identification documents which must be kept. For example, the institutions are required to maintain a register of the beneficial owners of each of their customers and to record such information as the FSC may determine.
Under the FIAMLA, financial institutions have the obligation to verify the identity of customers and any persons with whom they conduct transactions. The institutions are required to carry out customer due diligence ('CDD') and be satisfied with all the results obtained before carrying out any business transaction. They must ensure that all documents, data or information collected under the CDD process are kept relevant and up-to-date by undertaking reviews of existing records. For example, when collecting information for an individual, they are required to collect relevant identification data which includes name, current residential address, date and place of birth, nationality, and any occupation. A different set of information is required to be collected for other entities according to the AML/CFT Handbook. Financial institutions are also required to seek information about the source of funds which is an important aspect of CDD. Also, in relation to high-risk business relationships, institutions are required to apply enhanced due diligence.
Under the Banking Act, financial institutions which are regulated by the BOM can only open accounts for the deposit of money and securities, and rent out safe deposit boxes where they are satisfied that they have established the true identity of the persons in whose name the funds or securities are to be credited or deposited.
2.1. Legal basis for processing
According to the Act, no person shall process personal data unless the data subject consents to the processing for one or more specified purposes. Consent must be freely given, specific, informed, and an unambiguous indication of the wishes of a data subject, either by a statement or a clear affirmative action, by which he/she signifies his/her agreement to personal data relating to him/her being processed.
There are however exceptions to the requirement of consent, and these are when the processing is necessary for any of the following:
- the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
- compliance with any legal obligation to which the controller is subject;
- the protection of the vital interests of the data subject or another person;
- the performance of a task carried out in the public interest or in the exercise of official authority vested in the financial institution;
- the performance of any task carried out by a public authority;
- the exercise, by any person in the public interest, of any other functions of a public nature;
- the legitimate interests pursued by the financial institution or by a third party to whom the data are disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or
- the purposes of historical, statistical or scientific research.
One of the elements of consent is that it has to be freely given. If the data subject feels compelled to give his/her consent, such consent will not be considered as having been given freely. The data subject should be able to refuse consent without any detriment and also withdraw consent without any fear of any negative consequences.
Consent needs to be informed for it to be valid. This means that the data subject needs to understand what they are consenting to. It is necessary to provide the data subject with information so that he/she can give informed consent such as:
- the controller's identity;
- the purpose for which the data is being processed;
- the type of data being collected and used;
- the existence of a right to withdraw consent;
- information about the use of the data for automated decision-making including profiling; and
- the possible risks of data transfers due to absence of an adequacy decision and appropriate safeguards.
Under the Act, for consent to be valid, the wishes of the data subject should not be ambiguous and a statement or a clear affirmative action is required. This means that the data subject must have taken a deliberate action to consent to the particular processing. Silence or inactivity cannot be regarded as an active indication of choice.
Consent must be freely given, and, in determining whether consent was freely given, account shall be taken of whether, among other things, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Under the Act, there is a type of personal data known as 'special categories of personal data'. This is data pertaining to a data subject's:
- racial or ethnic origin;
- political opinion or adherence;
- religious or philosophical beliefs;
- membership of a trade union;
- physical or mental health or condition;
- sexual orientation, practices, or preferences;
- genetic or biometric data uniquely identifying the data subject;
- the commission or alleged commission of an offence;
- any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in the proceedings; or
- such other personal data as the Commissioner may determine to be sensitive personal data.
As a general rule, special categories of personal data cannot be processed unless the data subject has given his/her express consent to the processing, or one (or more) of the consent exceptions listed above applies, and, in addition, one of the following conditions is met:
- processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for profit body with a political, philosophical, religious or trade union aim, and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for:
- the establishment, exercise or defence of a legal claim;
- the purpose of preventative or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to a contract with a health professional subject to the obligation of professional secrecy;
- the purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject; or
- protecting the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent.
According to the Act, data subjects should be kept informed by controllers (which would include financial institutions) of how their data are being processed, for what purpose, and on their rights. Financial institutions need to ensure that at the time of collecting personal data, the data subject concerned is informed of:
- the identity and contact details of the financial institution and, where applicable, its representative and any data protection officer ('DPO');
- the purpose for which the data are being collected;
- the intended recipients of the data;
- whether or not the supply of the data by that data subject is voluntary or mandatory;
- the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the existence of the right to request from the controller access to, rectification, restriction, or erasure of personal data concerning the data subject, or to object to the processing;
- the existence of automated decision making, including profiling, and information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
- the period for which the personal data shall be stored;
- the right to lodge a complaint with the Commissioner;
- where the personal data are not collected from the data subject, any available information as to their source;
- where applicable, that the controller intends to transfer personal data to another country and on the level of suitable protection afforded by that country; and
- any further information necessary to guarantee fair processing in respect of the data subject's personal data, having regard to the specific circumstances in which the data are collected.
Moreover, institutions should have effective policies and procedures in place, and communicate them to all their employees.
The Office has issued a Template for Data Protection Policy which controllers should use in order to inform their data subjects about the elements mentioned above.
There is a legal obligation on every controller to adopt policies so as to ensure, and be able to demonstrate, that the processing of personal data is performed in accordance with the Act. The Office has issued a Template on CCTV Policy which must be adopted whenever the controller collects CCTV footage of data subjects. As per the template, the data subjects need to be informed of, among other things, the purpose of the installation of the CCTV cameras, where the cameras will be installed, the retention period, and the security measures taken to safeguard the CCTV footage. Other policies that are expected to be in place are a data protection policy, a retention policy, a data breach policy and an information security policy.
The Act makes it mandatory to appoint a DPO. Such a position-holder can be an existing employee or someone from outside the company. The DPO is the contact point with respect to data subjects, the Office, and internally within the organisation. Such a position-holder will be responsible to see to it that the policies which have been adopted are being implemented by conducting internal audits. There should be an official communication of the designation of the DPO. The minimum tasks that such a position-holder should carry out are:
- inform and advise the controller/processor and its employees about their obligations to comply with the Act and other data protection laws;
- monitor compliance with the Act and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments, train staff and conduct internal audits; and
- be the first point of contact for the Office and for individuals whose data are processed (employees, customers, amongst others).
DPOs are not personally responsible for non-compliance with data requirements as data protection compliance is the responsibility of the controller.
The Act also imposes obligations concerning security of processing on all controllers, including financial institutions which are involved in the processing of personal data. They must implement and maintain appropriate security and organisational measures for the prevention of unauthorised access to, alteration, disclosure or destruction of, or the accidental loss of the personal data in their control.
The measures referred to above shall include all of the following:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
If the financial institution is using the services of a processor:
- the financial institution in its capacity as a controller must choose a processor that is able to provide sufficient guarantees in respect of security and organisational measures for the purpose of complying with the security measures described above; and
- the financial institution and the processor shall enter into a written contract which shall provide that:
- the processor shall act only on instructions received from the financial institution; and
- the processor shall be bound by obligations of the controller as regards security measures to be taken.
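The security measures above name pseudonymisation and encryption of personal data, and the BOM Guidelines on Outsourcing (discussed below) require that customer data handed to a cloud service provider be segregated and that the encryption key be retained by the financial institution. The following is an added illustration of the pseudonymisation half of that requirement; it is example code written for this page, not code from the Act, the Office or the BOM. The controller derives a keyed, purpose-bound token for each customer with HMAC-SHA256, keeps the key and the token-to-identity table on its own side, and exports only the token plus non-identifying attributes to the processor. The class names, field names and sample records are constructed for the example.

```python
# Added example: pseudonymisation of customer records before they leave the
# controller, with the key retained by the financial institution.
# Class names, field names and sample records are constructed for illustration.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Direct identifiers that must never reach the processor or the cloud host.
DIRECT_IDENTIFIERS = ("name", "national_id", "address")

# Constructed sample records (not real customers).
SAMPLE_RECORDS = [
    {"name": "A. Customer", "national_id": "X0000000000001",
     "address": "1 Example Rd, Port Louis",
     "product": "savings", "risk_rating": "low", "txn_count_30d": 12},
    {"name": "B. Customer", "national_id": "X0000000000002",
     "address": "2 Example Rd, Curepipe",
     "product": "current", "risk_rating": "high", "txn_count_30d": 87},
]


def pseudonym(key: bytes, purpose: str, identifier: str) -> str:
    """Keyed, purpose-bound pseudonym: HMAC-SHA256 over purpose || 0x00 || identifier.

    A plain hash would let anyone who can enumerate national IDs recompute the
    token; with an HMAC the key stays with the controller.  Binding the purpose
    gives the same customer a different token per processor, so two processors
    cannot join their datasets on the token.
    """
    msg = purpose.encode("utf-8") + b"\x00" + identifier.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Controller:
    """The financial institution: holds the key and the re-identification table."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # In production the key lives in an HSM/KMS under the institution's control.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, Dict[str, str]] = {}  # token -> direct identifiers

    def export_for_processor(self, records: List[dict], purpose: str) -> List[dict]:
        """Return records safe to hand to a processor: token plus non-identifying fields."""
        exported = []
        for rec in records:
            token = pseudonym(self._key, purpose, rec["national_id"])
            # Only the controller keeps the mapping back to the person.
            self._lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
            exported.append({"token": token,
                             **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
        return exported

    def reidentify(self, token: str) -> Optional[Dict[str, str]]:
        """Reverse a token; only possible on the controller's side."""
        return self._lookup.get(token)


def leaks_direct_identifiers(exported: List[dict]) -> bool:
    """Pre-export check: True if any direct identifier field survived in the batch."""
    return any(k in DIRECT_IDENTIFIERS for rec in exported for k in rec)


def processor_matches(exported: List[dict], purpose: str,
                      key_guess: bytes, candidate_ids: List[str]) -> int:
    """Simulate a party holding the exported batch (processor, or the host
    jurisdiction) trying to re-identify customers by recomputing tokens from
    guessed national IDs.  Without the controller's key the count is zero."""
    tokens = {rec["token"] for rec in exported}
    return sum(1 for cid in candidate_ids if pseudonym(key_guess, purpose, cid) in tokens)


if __name__ == "__main__":
    bank = Controller()
    batch = bank.export_for_processor(SAMPLE_RECORDS, purpose="aml-screening-vendor")
    assert not leaks_direct_identifiers(batch)
    for rec in batch:
        print(rec)                                  # what the processor sees
    print(bank.reidentify(batch[0]["token"]))      # what only the bank can recover
```

Encryption of the exported batch in transit and at rest is a separate layer on top of this, and the same rule applies to it: the key must be generated and held by the institution, not by the provider, or the pseudonymisation buys nothing once the provider can read the data. Note that the token table is itself personal data and must be protected and retained only as long as the processing needs it.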
As per the BOM Guidelines on Outsourcing, the BOM considers cloud-based services operated by service providers as a form of outsourcing and recognises that financial institutions may have recourse to such services to enhance their operations and service efficiency. According to the Guidelines:
- the cloud service provider should have a proven track record of at least three years;
- the usage of cloud-based services by financial institutions shall be restricted to non-core activities only;
- financial institutions should perform the necessary due diligence and apply sound governance and risk management practices when subscribing to cloud-based services;
- financial institutions are required to take appropriate measures with respect to data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance, and auditing;
- they should ensure that the service providers have the capacity to identify and segregate customer data using strong physical or logical controls;
- financial institutions are ultimately responsible and accountable for maintaining oversight of cloud-based services and managing the attendant risks of adopting cloud-based services, as in any other form of outsourcing arrangement;
- financial institutions should have recourse to private or hybrid clouds for hosting applications with sensitive data. Public clouds may be used for Software-as-a-Service, subject to the authorisation of the board of directors of the financial institution, provided that the customer data reside on private clouds. Under no circumstances should data be stored on personal, free or community-based cloud storage services such as Dropbox, OneDrive or Google Drive;
- financial institutions should ensure that data on the cloud and the channel to access them are encrypted. The encryption key should be retained by the financial institutions;
- financial institutions should, at the time of seeking approval from their board of directors, ensure that they are in possession of a certificate of conformity from a legal practitioner, certifying that the systems in place comply with data protection and other applicable laws in Mauritius;
- cloud systems in place should demonstrate full business continuity and fall-backs;
- the financial institution's operations should not be affected by possible disruptions of the system. The financial institution must implement proper business continuity planning for the access channel in case the main access is not available;
- on a yearly basis, financial institutions should provide the BOM with a certificate of conformity from an independent, reputable IT firm, certifying, among other things, compliance with the cloud-based services requirements set out in the BOM Guidelines. All systems, processes, and risk management practices should be in place for the adoption of cloud technologies. The IT firm should conduct appropriate penetration tests to verify the security arrangements, and the results of the penetration tests should be annexed to the certificate;
- it must be ensured that neither the authorities of the country in which the cloud servers are located nor the cloud service provider can, by any means, access the financial institution's data;
- financial institutions should obtain the consent of their clients for their information to be stored on the cloud in specified jurisdictions;
- financial institutions should include a clause in their agreements with their cloud service providers, authorising the BOM or any firm authorised by the BOM to carry out examinations at the cloud servers/data centres, at any time. The cost of the examination will be borne by the financial institution. Financial institutions should demonstrate that there would be a proper exit mechanism in place to provide for the deletion of all data stored on the cloud servers, in the event that they switch to another service provider or stop the service for any other reason. This arrangement should be included in the contract with the cloud service provider. The BOM should have the assurance that data would be erased from the cloud in these circumstances; and
- there should be a quick mechanism for prompt erasure of data in the case of the closure of a financial institution.
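The key-custody requirements in the list above (data and access channel encrypted, encryption key retained by the institution, provider and host-country authorities unable to read the data) are normally met with client-side envelope encryption. The following Go program is an added example, not code from the BOM Guidelines or from any institution: each record is encrypted under a fresh data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that never leaves the institution, and only the ciphertext and the wrapped DEK are uploaded. The object identifiers, record contents and in-memory key handling are assumptions for illustration; in production the KEK would live in the institution's own HSM or key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// CloudObject is the only thing uploaded to the provider. The KEK that unwraps
// WrappedDEK stays inside the institution, so the provider holds ciphertext only.
type CloudObject struct {
	Ciphertext []byte // nonce || AES-256-GCM(record) under a per-object DEK
	WrappedDEK []byte // nonce || AES-256-GCM(DEK) under the institution's KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext+tag, binding aad to the ciphertext.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or aad fails.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob shorter than nonce")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// Encrypt runs inside the institution before upload. objectID is bound as
// associated data so a ciphertext cannot be silently moved to another object.
func Encrypt(kek, record []byte, objectID string) (*CloudObject, error) {
	dek := make([]byte, 32) // fresh DEK per object: each DEK sees exactly one nonce
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, record, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &CloudObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt also runs inside the institution: without the KEK the DEK cannot be
// unwrapped, so neither the provider nor an authority that seizes its servers
// can recover the record from the CloudObject.
func Decrypt(kek []byte, obj *CloudObject, objectID string) ([]byte, error) {
	dek, err := gcmOpen(kek, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, obj.Ciphertext, []byte(objectID))
}

func main() {
	kek := make([]byte, 32) // assumption: generated in, and never exported from, the institution's key store
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	obj, err := Encrypt(kek, []byte("customer 123: balance MUR 500000"), "records/123")
	if err != nil {
		panic(err)
	}
	_, err = Decrypt(make([]byte, 32), obj, "records/123") // provider-side attempt with no KEK
	fmt.Println("provider can read record:", err == nil)
	pt, err := Decrypt(kek, obj, "records/123")
	fmt.Println("institution can read record:", err == nil, string(pt))
}
```

Two caveats a reviewer would raise against a design that claims to meet these bullets: if the KEK is instead held in the provider's own key-management service, the provider (and anyone who can compel it) can unwrap the DEK, which is exactly what the Guidelines rule out; and this covers data at rest only, so the access channel still needs its own protection (TLS with the institution validating the server certificate).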
The Office has prepared presentations on data protection and cybersecurity. It recommends that financial institutions put in place a process in which they map the data they need to collect, identify the laws that apply to that data and the security controls in place to protect it, perform a gap analysis of what still needs to be addressed, take steps to close those gaps, and test to confirm compliance. Institutions can use this exercise to assess the level of risk involved in their processing of personal data.
To ensure the security of processing, one of the legal requirements is for the controller to take all reasonable steps to ensure that any person employed by him is aware of, and complies with, the relevant security measures.
As per the FSC Circular Letter of 21 August 2019 to the Board of Directors of Management Companies re Cyber Security Risk Governance, the FSC expects, as a minimum, the following from management companies:
- understanding of the cyber risks, vulnerabilities, and impact associated with running their businesses, with supporting documentation;
- putting into place appropriate policies and procedures duly approved by the board to mitigate the risks;
- carrying out an annual cybersecurity risk assessment which is reported to the board;
- conducting regular IT audit and addressing identified loopholes accordingly;
- conducting penetration testing to ensure that their systems are not vulnerable or susceptible to cyber attacks;
- putting in place appropriate contingency arrangements that can be deployed in the event of a cyber attack, including but not limited to maintaining service levels for clients and informing relevant parties and authorities about the attack and its impact; and
- running a comprehensive technology risk and cyber security training programme at all levels.
Under the Act, institutions are required to carry out a Data Protection Impact Assessment ('DPIA') where processing operations are likely to result in a high risk to the rights and freedoms of data subjects. A single DPIA may cover several processing operations that are similar in terms of the risks they present. The DPIA must be carried out prior to processing, in other words as early as is practically possible in the design of the processing activities; it helps to embed the principles relating to the processing of personal data by applying privacy by design. The Office has published a list of high-risk processing operations for which a DPIA is mandatory; these include the evaluation of people's behaviour by methods such as profiling, systematic monitoring by observing, monitoring or controlling data subjects, and the large-scale processing of sensitive data.
The Office has designed a DPIA Questionnaire Form (see the list of forms and guidance here) that can help controllers or processors to assess their compliance status.
One of the principles enshrined in the Act is that personal data should be kept for no longer than is necessary for the purposes for which the personal data are processed. Thus, unless there is a legal obligation or some other justification to keep the personal data, the financial institutions are under the general obligation to destroy personal data where the purpose for processing has lapsed.
According to Section 29 of the FSA, financial institutions are required to maintain internal records of the identity of each of its customers and keep in relation to its business activities written records of any transaction carried out for a period of at least seven years after the completion of the transaction. These records include accounting files and business correspondence. Financial institutions are also required to keep and maintain, at all times, a register of the beneficial owners of each of its customers, and record such information as the FSC may determine.
Financial institutions are required to maintain these records as the FSC has the right to request any records and documents at any time. The power to request information is related to the duties of the FSC under the FIAMLA and the Prevention of Terrorism Act 2002, as well as its duty of due diligence verification on beneficial owners (Section 42 of the FSA).
The FSC is also required to exchange information with the BOM for the purpose of assisting the BOM in its discharge of its functions. However, the BOM cannot publish any information if that would entail the disclosure of the financial affairs of any individual or enterprise. In relation to global business companies ('GBC'), there is a higher degree of protection of their confidential information as compared to other financial institutions. There are only specified reasons for which the Supreme Court of Mauritius can order the information of a GBC to be produced. These reasons are:
- the application of the Director of Public Prosecutions, and on being satisfied that the confidential information is, in good faith, required for the purpose of any enquiry or trial into or relating to a serious offence including, but not limited to the trafficking of narcotics and dangerous drugs, arms trafficking or money laundering under the FIAMLA;
- the obligations of Mauritius under any international treaty, convention or agreement, and to the obligations of any public sector agency under any international arrangement;
- such disclosure is necessary for the purpose of administering the relevant laws, and of discharging a function under the law;
- disclosure pursuant to an agreement or arrangement for the exchange of information and under the condition of confidentiality, for the purpose of exercising its functions, in relation to a corporation holding a Global Business Licence or in relation to a financial institution carrying out any services or business activities under any of the relevant Acts; and
- the duty of the Commission to pass on information to the FIU (Section 22 of the FIAMLA).
Under the FIAMLA, financial institutions are required to keep records of transactions carried out for customers for not less than seven years after completion of the transactions (Section 17(b) of FIAMLA and Section 33(3)(b) of the Banking Act). They are also under an obligation to keep records obtained through CDD measures, account files, records of suspicious transactions, business correspondence and records (Section 17(b) of FIAMLA, Sections 33(1), 33(2)(c) and 33(3)(b) of the Banking Act, Sections 29(1) and 29(2) of the FSA and FIAMLA Regulation 8(1)(a)). Financial institutions are under an obligation to keep sufficient transaction records to permit the reconstruction of individual transactions so as to provide, if necessary, evidence for the prosecution of criminal activity.
Mauritius adopted comprehensive laws which are relevant to AML/CFT. Mauritius has ratified all relevant international instruments (Vienna, Palermo, CFT, and UNCAC). In addition, Mauritius has entered into bilateral and multilateral agreements (e.g. the Harare/Commonwealth Mutual Legal Assistance Scheme and the Southern Africa Regional Police Chiefs Coordination Organisation) with other countries to facilitate international cooperation. Both money laundering and terrorist financing are extraditable offences. Further, the various domestic agencies, namely, ICAC, FIU, the Mauritius Revenue Authority (MRA), and the FSC, are able to exchange information with foreign counterparts.
The legal and regulatory frameworks relating to AML/CFT preventive measures in Mauritius are set out in the FIAMLA, the FIAMLR, the United Nations (Financial Prohibitions, Arms Embargo and Travel Ban) Sanctions Act 2019, the Anti-Money Laundering and Combatting the Financing of Terrorism and Proliferation (Miscellaneous Provisions) Act 2019, the Anti-Money Laundering and Combatting the Financing of Terrorism and Proliferation (Miscellaneous Provisions) Act 2020, the BOM 2005 Guidance Notes on AML/CFT for Financial Institutions ('the BOM Guidance Notes'), and the AML/CFT Handbook.
The authorities established a National Committee for AML/CFT, which is led by the Ministry of Financial Services and Good Governance. Functions of the National Committee include assessing the effectiveness of AML/CFT policies and measures, and making recommendations on policy reforms.
Regulations 3 and 14 of the FIAMLR, the AML/CFT Handbook and BOM Guidance Notes set out specific obligations in a number of key areas including:
- detailed CDD measures, including CDD measures for politically exposed persons, legal persons and legal arrangements, as well as measures for enhanced and simplified due diligence;
- verification that any person purporting to act on behalf of a customer is so authorised, and identification and verification of the identity of that person;
- identification of the beneficial owner and reasonable measures to verify the identity of the beneficial owner, using relevant information or data obtained from a reliable source, such that the reporting person is satisfied that it knows who the beneficial owner is;
- understanding and obtaining adequate and relevant information on the purpose and intended nature of a business relationship or occasional transaction;
- ongoing monitoring of a business relationship;
- record-keeping obligations;
- detailed requirements for risk profiling of customers, as well as measures to control the risks arising from new products and delivery channels;
- internal controls to protect licensees from the risk of money laundering, including staff training and screening, internal controls and audit;
- processes for the making of suspicious transaction reports ('STRs'); and
- customer risk assessments estimating the risk of money laundering and the financing of terrorism, which must be undertaken prior to the establishment of a business relationship or the carrying out of an occasional transaction with or for that customer.
Financial institutions must adopt a robust approach and not refrain from asking their customers non-customary questions in circumstances of unusual activity. Any reluctance or failure by the customer to provide credible and verifiable answers should lead the financial institution to investigate the reason for this reluctance, establish any case for suspicion, and follow up with appropriate action.
Most of the financial institutions employ automated transaction-monitoring systems to detect and monitor transactions for purposes of reporting suspicious transactions to the FIU. The banking sector files the most Suspicious Transaction Reports ("STRs") (distantly followed by management companies) whilst there is negligible reporting by the other reporting entities in the financial sector. Most CDD measures are contained in the AML/CFT Handbook and BOM Guidance Notes. This has promoted understanding and application of the CDD obligations by financial institutions.
FIAMLA also obliges every bank and financial institution to verify, in such manner as prescribed, the true identity of all customers and other persons with whom they conduct transactions. In case of individuals, verification is carried out using original or certified official valid documents whereas identity of legal persons is verified using registration documents, copies of board resolutions, power of attorney and official valid documents of managers/officers appointed to act on behalf of the legal person. These verification documents can be said to constitute reliable and independent source documents (FIAMLR regulations 4.4 and 4.5).
FIAMLR regulation 9(d) requires financial institutions to implement due diligence procedures with respect to persons and business relations and transactions carrying high risk and with persons established in jurisdictions that do not have adequate AML/CFT systems in place.
Financial institutions should have policies and procedures in place to conduct due diligence on its customers sufficient to develop customer risk profiles either for particular customers or categories of customers. Financial institutions should use the information obtained during the customer identification and verification process to build an understanding of the customer's profile and behaviour.
Financial institutions must identify their customers, and where applicable, their beneficial owners and then verify their identities, which is essential to the prevention of money laundering and combatting the financing of terrorism. CDD is the means by which financial institutions are required to identify the customer and verify the identity of a customer that is a legal person or arrangement, through the following information:
- its name, legal form and proof of residence through the certificate of incorporation;
- trust deed in case of legal arrangements and, if the trust is registered, by checking with the relevant registry; and
- the address of the registered office by getting the details from the customer.
They are required to establish and verify the identity of customers as soon as practicable with a view to carrying out an initial transaction or reaching an understanding with the applicant regarding a future transaction. The institutions are further permitted to delay the verification provided:
- it is carried out as soon as reasonably practicable;
- it is essential not to interrupt normal conduct of business; and
- the money laundering risks are effectively managed.
The AML regulations require financial institutions to have in place a sound Know Your Customer ('KYC') procedure and policy. The essential elements of KYC standards should start from the financial institutions' risk management and control procedures and should include the following:
- customer acceptance policy;
- customer identification;
- ongoing monitoring of accounts and transactions; and
- risk management.
Ongoing monitoring is an essential aspect of effective KYC procedures. Ongoing due diligence should include scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the financial institution's knowledge of the customer, their business and risk profile, and where necessary, the source of funds. Financial institutions should have in place a monitoring system that is adequate with respect to their size, activities, and complexity, as well as the risks present in such institutions.
Some financial institutions have implemented risk-rating software that considers variables such as client location, source of funds and wealth, the destination of transactions, type of client, and the nature and purpose of the business relationship or transaction to determine the risk categorisation. Such software applies criteria that automatically rate a customer or transaction as high risk and so trigger additional CDD measures; where required records or information are absent, the risk model requires the financial institution to disengage from the relationship. Financial institutions also use commercial databases as an independent source for verifying customer identity. The private sector further applies various forms of information and data, risk matrices, and software platforms such as World-Check to determine the appropriate risk level for the application of enhanced CDD measures. Banks employ automated transaction-monitoring systems, while both banks and other financial institutions have dedicated staff who manually check relationships and transactions at every stage of the customer interaction, including thorough investigation of the alerts generated by the automated tools.
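To make the two components described above concrete, here is an added Go example (not code from any Mauritian institution, the BOM Guidance Notes or the AML/CFT Handbook): a risk-rating routine that turns CDD variables into a category, treating an unverified identity or an unknown purpose as grounds to disengage, and a monitoring routine that scrutinises a month of transactions against the customer's declared profile. The jurisdiction list, scoring weights, the MUR 500,000 threshold and the sample customers and transactions are all constructed for illustration and are not figures taken from the regulations.

```go
package main

import "fmt"

// Customer holds the CDD variables the risk model uses.
type Customer struct {
	ID              string
	Country         string  // country of residence
	PEP             bool    // politically exposed person
	SourceOfFunds   bool    // source of funds and wealth documented
	IDVerified      bool    // identity verified against a reliable source
	Purpose         string  // purpose and intended nature of the relationship
	ExpectedMonthly float64 // declared expected monthly turnover in MUR (0 = not declared)
}

// Transaction is one posted transaction.
type Transaction struct {
	CustomerID          string
	Amount              float64 // MUR
	CounterpartyCountry string
}

type Rating string

const (
	Low       Rating = "low"
	Medium    Rating = "medium"
	High      Rating = "high"
	Disengage Rating = "disengage" // required CDD records absent
)

// Hypothetical parameters for the example: real lists and thresholds come from
// the institution's own risk assessment and the applicable guidance.
var weakAMLJurisdictions = map[string]bool{"ZZ": true}

const reportingThreshold = 500000.0 // hypothetical cash reporting threshold (MUR)

// RateCustomer turns the CDD variables into a risk category plus the reasons.
func RateCustomer(c Customer) (Rating, []string) {
	if !c.IDVerified || c.Purpose == "" {
		return Disengage, []string{"required CDD records missing"}
	}
	score, reasons := 0, []string{}
	if c.PEP {
		score += 3
		reasons = append(reasons, "politically exposed person")
	}
	if weakAMLJurisdictions[c.Country] {
		score += 3
		reasons = append(reasons, "resident in weak AML/CFT jurisdiction")
	}
	if !c.SourceOfFunds {
		score += 2
		reasons = append(reasons, "source of funds/wealth not evidenced")
	}
	switch {
	case score >= 3:
		return High, reasons
	case score >= 2:
		return Medium, reasons
	}
	return Low, reasons
}

// MonitorMonth checks one month of transactions against the profile and returns
// alerts for an analyst to investigate; an alert is not yet an STR.
func MonitorMonth(c Customer, txs []Transaction) []string {
	var alerts []string
	total, justBelow := 0.0, 0
	for _, t := range txs {
		if t.CustomerID != c.ID {
			continue
		}
		total += t.Amount
		if weakAMLJurisdictions[t.CounterpartyCountry] {
			alerts = append(alerts, fmt.Sprintf("%s: counterparty in weak AML/CFT jurisdiction %s", c.ID, t.CounterpartyCountry))
		}
		// Repeated amounts just under the threshold are a classic structuring pattern.
		if t.Amount >= 0.9*reportingThreshold && t.Amount < reportingThreshold {
			justBelow++
		}
	}
	if justBelow >= 3 {
		alerts = append(alerts, fmt.Sprintf("%s: %d transactions just below MUR %.0f (possible structuring)", c.ID, justBelow, reportingThreshold))
	}
	if c.ExpectedMonthly > 0 && total > 2*c.ExpectedMonthly {
		alerts = append(alerts, fmt.Sprintf("%s: monthly volume MUR %.0f is more than twice the declared MUR %.0f", c.ID, total, c.ExpectedMonthly))
	}
	return alerts
}

func main() {
	// Constructed sample data for illustration.
	alice := Customer{ID: "C1", Country: "MU", SourceOfFunds: true, IDVerified: true, Purpose: "salary account", ExpectedMonthly: 200000}
	carol := Customer{ID: "C3", Country: "MU", SourceOfFunds: true, Purpose: "savings"} // identity never verified
	txs := []Transaction{{"C1", 460000, "MU"}, {"C1", 470000, "MU"}, {"C1", 480000, "MU"}, {"C1", 1000, "ZZ"}}
	for _, c := range []Customer{alice, carol} {
		r, why := RateCustomer(c)
		fmt.Println(c.ID, r, why)
		for _, a := range MonitorMonth(c, txs) {
			fmt.Println("  alert:", a)
		}
	}
}
```

The alerts are inputs to the manual investigation the text describes, not reports in themselves; the decision whether a transaction gives the institution reason to believe it is suspicious, and so starts the reporting clock under Section 14 of the FIAMLA, remains with the compliance function.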
The ultimate responsibility and accountability for ensuring compliance with AML/CFT laws, regulations, guidelines and instructions rest with the board of directors and senior management of the financial institution. The board of directors of the financial institution should be fully committed to an effective KYC programme by establishing appropriate procedures and ensuring their effectiveness. Explicit responsibility should be allocated within the financial institutions for ensuring that their policies and procedures are managed effectively.
Under the Banking Act, financial institutions may open accounts for deposits of money only where they are satisfied that they have established the identity of the person in whose name the funds are to be credited.
Section 55(1) of the Banking Act in respect of the identity of customers provides as follows:
'Every financial institution shall only open accounts for deposits of money and securities, and rent out safe deposit boxes, where it is satisfied that it has established the true identity of the person in whose name the funds or securities are to be credited or deposited or the true identity of the lessee of the safe deposit box, as the case may be.'
It is therefore mandatory for financial institutions to verify the true identity of their customers before opening any account, accepting any deposit of money and securities, and renting a safe deposit box. Financial institutions are prohibited from opening anonymous or fictitious accounts.
Reporting of suspicious transactions
Pursuant to Section 14 of the FIAMLA, every financial institution must, as soon as practicable, but no later than 5 (five) working days, make a report to the FIU of any transaction which the financial institution has reason to believe may be a suspicious transaction. The FIU has devised a Suspicious Transaction Form to that effect. Financial institutions are required to use the form which is available at the FIU to report suspicious transactions. The legislation protects those reporting or receiving reports of suspicious transactions of money laundering or additional information thereon from claims in respect of any alleged breach of client confidentiality or for disclosure of confidential information. The legislation also provides immunity from suit for reports made in good faith, even when the suspicion ultimately proves not to be well founded.
According to Section 13 of the FIAMLA, financial institutions that do not comply with their duties relating to the supply of information requested by the FIU, the making of a report, or the verification or keeping of records shall, on conviction, be liable to a fine not exceeding MUR 1 million (approx. €25,000) and to imprisonment for a term not exceeding five years.
Financial institutions in Mauritius are subject to confidentiality provisions as part of widely accepted principles/ethics governing their relationship with their customers. However, the confidentiality requirements are not absolute as there are gateways for accessing and sharing information or data for purposes of complying with laws and regulations. For instance, there are statutory confidentiality requirements for financial institutions under the purview of the BOM (Section 64 (2) of the Banking Act). However, the duty of confidentiality does not apply where a financial institution is required to make a report or provide additional information to the FIU under Section 64(3) of the Banking Act.
The rules relating to confidentiality and banking secrecy can be found in the Banking Act. First, any person who has access to the books, accounts, records, financial statements or documents of a financial institution has to take an oath in the manner set out in the Banking Act. There is a duty on any person who has access to these types of confidential information, during and after their relationship with the financial institution, not to disclose, directly or indirectly, to any person any information relating to the affairs of any of its customers, including any deposits, borrowings, transactions or other personal, financial or business affairs, without the written consent of the customer or his/her personal representative. Any person who contravenes this obligation commits an offence and shall, on conviction, be liable, in the case of an individual, to a fine not exceeding MUR 500,000 (approx. €12,500) and to imprisonment for a term not exceeding three years, or, in any other case, to a fine not exceeding MUR 1 million (approx. €25,000).
The exception to the disclosure of confidential information without the consent of the customer is where the disclosure is made in the performance of the person's duties or the exercise of his/her functions under the banking laws or as directed in writing by the BOM.
The duty of confidentiality will not apply in the following circumstances:
- if a customer's card which has been issued by the financial institution is suspended or cancelled and the financial institution discloses;
- the customer is declared bankrupt in Mauritius or, in a case of a company, is being wound up;
- the customer has passed away, with or without leaving a will, and the information is required by his/her appointed personal representative or the executor of his/her will solely in connection to inheritance issues concerning the deceased's estate;
- civil proceedings arise involving the financial institution and the customer or his/her account;
- the information is required by a colleague in the employment of the same financial institution in Mauritius or an auditor or legal representative of the financial institution who requires and is entitled to know the information in the course of his/her professional duties;
- the information is required by another financial institution for the purpose of assessing the creditworthiness of a customer, provided that the information is being sought for commercial reasons and is of a general nature;
- the information is required to be disclosed by the financial institution for the purpose of discharging its responsibilities under the Banking Act;
- the CDD information is required to be disclosed, upon request, by the financial institution to another institution with which it maintains a correspondent banking relationship, provided that the institution has given to the financial institution a written undertaking regarding the confidentiality of the information provided;
- the CDD information is required to be disclosed by the financial institution for the purpose of meeting the requirement set out by the BOM with respect to domestic or cross-border wire transfers or reliance on a third party;
- the financial institution has been served with a garnishee order attaching monies in the account of the customer;
- any person is summoned to appear before a court and the court orders the disclosure of the information;
- the information is required for transmission to the Mauritius Credit Information Bureau or the Central KYC Registry established under BOMA;
- the financial institution is required to make a report or provides additional information on a suspicious transaction to the FIU under FIAMLA;
- the financial institution is required to provide information in compliance with the Asset Recovery Act 2011;
- where such information is required by the BOM for the purpose of assisting the FSC established under the FSA in the discharge of its functions under that Act or its obligations under any international agreement, convention or treaty to which it is a party; or
- the financial institution is required to provide information, documents and particulars to the Ombudsperson for Financial Services to enable him/her to discharge, or assist him/her in discharging, his functions under the Ombudsperson for Financial Services Act 2018.
However, financial institutions are allowed to disclose information for the purposes of conducting such risk management functions as may be approved by the BOM or centralised functions of audit, risk management, compliance, finance, IT or such other centralised function as the BOM may approve.
Where an officer of a foreign financial institution, an officer of a central bank or banking regulator in a foreign country, or any other entity or agency having the responsibility to supervise financial institutions, performing the functions of a central bank, or being a foreign supervisory authority responsible for supervisory functions in respect of money laundering or terrorism financing, proposes to conduct an inquiry, audit or inspection of a financial institution in Mauritius, or to take any other action that would engage the duty of confidentiality, he/she shall obtain the prior written authorisation of the BOM and be subject to the duty of confidentiality as noted above, and to any conditions that the BOM may impose, before information of a confidential nature is made available to him/her.
A financial institution shall seek the prior approval of the BOM before providing any confidential information to any person who intends to carry out due diligence on the financial institution with a view to acquiring a share in the financial institution.
Any competent authority in Mauritius or outside Mauritius who requires any information from a financial institution relating to the transactions and accounts of any person, may apply to the court for an order of disclosure of such transactions and accounts or such part thereof as may be necessary. The court shall not make an order of disclosure unless it is satisfied that:
- the applicant is acting in the discharge of their duties;
- the information is material to any civil or criminal proceedings, or to any inquiry into or relating to the trafficking of narcotics and dangerous drugs, arms trafficking, offences related to terrorism under the Prevention of Terrorism Act 2002 or money laundering under FIAMLA; or
- the disclosure is otherwise necessary, in all the circumstances.
It should be noted that the provisions of the Banking Act concerning the confidentiality of information prevail over any provisions of the Act.
The BOM and the FSC have powers to access, or to require an institution to provide, information or data for the purposes of performing their functions and responsibilities under the Banking Act (Section 51 of BOMA and Section 87 of FSA).
Exchange of information with domestic and international competent authorities
Section 64(14) of the Banking Act permits disclosure of information by the BOM to a central bank or any other entity which performs the functions of a central bank in a foreign country. This may pose challenges where a supervisory body which is not a central bank needs information from BOM.
There are no specific requirements for insurance companies in relation to the collection and processing of personal data in the Insurance Act 2005 or the Introductory Guide to the Data Protection Act 2017 (Volume 12), which was published by the Office. Therefore, insurance companies must comply with the Act when dealing with the personal data of the data subjects.
The National Payment Systems Act 2018 regulates many aspects of payment systems services in Mauritius. The main regulators which are required to cooperate for the purpose of effective oversight and supervision of the national payment systems are the FSC and the BOM. Moreover, under that Act, the BOM shall be the regulator which issues licences to a person to act as a payment service provider.
The FSC also issues payment intermediary services licences to those who wish to operate as an online payment service provider. One of the licensing conditions is that the company must maintain an unimpaired capital of at least MUR 2 million (approx. €50,000) or its equivalent. With a payment intermediary services licence, the company, which would be a GBC, can offer merchant online services for accepting electronic payments by a variety of payment methods, including credit card and bank-based payments such as direct debit, bank transfer, and real-time transfer based on online banking.
In relation to the transfer of personal data, financial institutions are required to satisfy the restrictions imposed by the Act. A financial institution may transfer personal data to another country where:
- it has provided to the Commissioner proof of appropriate safeguards with respect to the protection of personal data;
- the data subject has given explicit consent to the proposed transfer after having been informed of the possible risks of the transfer owing to the absence of appropriate safeguards;
- the transfer is necessary:
- for the performance of a contract between the data subject and the financial institution or the implementation of pre-contractual measures taken at the data subject's request;
- for the conclusion or performance of a contract concluded in the interest of the data subject between the financial institution and another person;
- for reasons of public interest as provided by law;
- for the establishment, exercise or defence of a legal claim;
- in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
- for the purpose of compelling legitimate interests pursued by the financial institution or the processor which are not overridden by the interests, rights, and freedoms of the data subjects involved and where:
- the transfer is not repetitive and concerns a limited number of data subjects; and
- the financial institution or processor has assessed all the circumstances surrounding the data transfer operation and based on such assessment, has provided to the Commissioner proof of appropriate safeguards with respect to the protection of the personal data; or
- the transfer is made from a register which, according to law, is intended to provide information to the public and which is open for consultation by the public or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down by law for consultation are fulfilled in the particular case. Such a transfer shall not involve the entirety of the personal data or entire categories of the personal data contained in the register and, where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or where they are to be the recipients.
The Act regulates data outsourcing by imposing obligations on the data processor which will process data on behalf of the data controller. Where the financial institution is outsourcing its data processing, it must ensure that the data processor is providing sufficient guarantee in respect of security and organisational measures. The data processor is also required to ensure that any person employed by him/her is aware of and complies with the relevant security measures. The contractual agreement between the processor and the financial institution must provide that the data processor will act only upon the instructions received from the data controller and the data processor will be bound by the obligations devolving on the data controller.
The BOM Guidelines on Outsourcing (see section 1.1. above), have been issued by the BOM to cope with the risks associated with outsourcing in the financial system through the application of an appropriate regulatory framework. The main objective of the BOM Guidelines on Outsourcing is to set out a broad framework for financial institutions that have entered into outsourcing or are planning to outsource their business activities to service providers. It is intended to assist financial institutions to identify the nature of risks involved and to address them effectively.
Prior to the outsourcing of any activity, a financial institution should establish a comprehensive policy on outsourcing. The policy should guide the assessment of whether and how an activity should be outsourced.
The ultimate responsibility for implementing a risk management framework on outsourcing lies with management. The board of directors and management should, at all times, have a full understanding of the various risks associated with outsourcing.
Financial institutions are required to carry out stringent due diligence in selecting service providers. They should develop criteria that would enable them to select service providers, both within and outside Mauritius, that have the capacity and ability, both operationally and financially, to perform the outsourced activities. The due diligence exercise, based on updated information, should be duly documented and should include, as a minimum, an assessment of:
- the experience and competence of the service provider to implement and support the proposed activity over the contracted period;
- the reputation of the service provider in respect of the services offered, the quality and dependability of its personnel;
- the financial soundness of the service provider to fulfil its obligations, based on updated audited financial statements;
- the internal control systems, audit coverage, compliance, reporting and monitoring environment, system development and maintenance, insurance coverage, ability to respond, and the speed of response to service disruptions by the service provider;
- the commitment of the key service provider personnel (for example, a senior officer) towards compliance with the rules and regulations to which the outsourcing financial institution is subject;
- the capability to offer service support to ensure continuity of operations at the financial institution and the reliance of service providers on sub-contractors and other parties; and
- the existence, at the service provider's level, of a process for business continuity management.
Outsourcing arrangements between financial institutions and service providers should be governed by formal and comprehensive written contracts. Contracts should clearly spell out the rights and responsibilities of each party. They should contain a clause that addresses the service provider's responsibility for confidentiality and security. Financial institutions that engage in outsourcing should take appropriate steps to protect confidential customer information. Financial institutions should expressly prohibit service providers from disclosing confidential customer information to any third-party except for regulatory purposes.
Financial institutions should abide by all relevant provisions of Section 64 of Banking Act when entering into an outsourcing agreement.
A financial institution should report to the BOM immediately any unauthorised access or breach of confidentiality and security, directly or indirectly, by an outsourced service provider, together with the action(s) it proposes to take in consequence.
A financial institution that intends to outsource a material activity is required to notify and obtain the prior authorisation of the BOM.
Financial institutions are free to outsource non-material activities and do not need to seek authorisation of the BOM, provided the activities do not require approval or authorisation under the Banking Act. However, they should ensure that adequate risk management procedures are in place at all times.
Financial institutions would not be allowed to outsource certain core activities. These activities should remain within the organisation in order not to lose control. Certain activities, if outsourced, might affect the management ability to run the business properly. Activities that are considered 'core' and should not be outsourced are:
- board and senior management functions such as strategic oversight;
- internal audit function; and
- compliance function.
Financial institutions that engage in cross-border outsourcing should take into account the country risk element and hence the capacity to keep under control the ability of the service provider to deliver the service uninterruptedly. They should avoid cross-border outsourcing arrangements with countries that do not have legislations on confidentiality and where regulators may be denied access to information held by such service providers.
The usage of cloud-based services by financial institutions shall be restricted to non-core activities only. Cloud-based services are subject to the same types of risks as in other forms of outsourcing arrangements. Financial institutions should, therefore, perform the necessary due diligence and apply sound governance and risk management practices when subscribing to cloud-based services. Financial institutions are required to take appropriate measures with respect to data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance, and auditing. They should ensure that service providers have the capacity to identify and segregate customer data using strong physical or logical controls.
Under the Act, personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In case of a personal data breach, the controller shall without undue delay and where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Office. Every effort should be taken to minimise the potential impact on affected individuals.
The Office has issued a Personal Data Breach Notification Form that institutions need to complete and send to the Office. The form includes prescribed requirements such as nature of the personal data breach, including where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records concerned, contact details of a contact point and the measures to address the breach and to mitigate the adverse effects of the breach.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller shall also communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe in clear language the nature of the personal data breach and set out the same information and the recommendations as when the data breach is communicated to the Office.
The communication of a personal data breach to the data subject shall not be required where:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular, those that render the data unintelligible to any person who is not authorised to access it, such as encryption;
- the controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise; or
- it would involve disproportionate effort and the controller has made a public communication or similar measure whereby the data subject is informed in an equally effective manner.
The Office recommends institutions processing personal data to have a policy on dealing with information security breaches.
Financial institutions also have an obligation to report any unauthorised access or breach of confidentiality and security to the BOM under the Banking Act.
In 2018, Mauritius set up a 'Fintech and Innovation-Driven Financial Services Regulatory Committee' to elaborate the regulatory framework for the development of the FinTech industry in Mauritius. One of the keystone achievements of the Committee was to place Mauritius as the first jurisdiction in the world to offer a regulated framework for the custody of Digital Assets.
Digital assets as an asset class
Through a guidance note issued in September 2018, the FSC recognised that digital assets may constitute an asset class for non-retail investors and certain types of investment funds in Mauritius (essentially funds not accepting retail investors).
A digital asset is considered as any token in electronic or binary form, which is representative of either the holder's access rights to a service or ownership of an asset. A digital asset, in this respect, includes a digital representation of value which:
- is used as a medium of exchange, unit of account, or store of value, which is not a legal tender, even if it is denominated in legal tender;
- represents assets such as debt or equity in the promoter;
- provides access to a blockchain-based application, service or product.
A digital asset excludes:
- any transaction in which a business, as part of an affinity or reward program, grants value which cannot be exchanged for legal tender, bank credit or any digital asset;
- a digital representation of value issued for use within an online gaming platform.
Mauritius offers investors a regulated space for investment funds to invest into digital assets, including crypto currencies.
The digital assets custodian
The FSC has taken a bold leap forward through the introduction of a licence to act as custody for digital assets. The Digital Custodian licensee provides the necessary technology to ensure that client has a secured and independent platform to safekeep their digital assets. The Financial Services (Custodian Services (Digital Asset)) Rules 2019 (Rules) were issued on 6 March 2019 to that effect.
The key elements of the license are as follows:
- The Custodian shall have an office in Mauritius from which it shall perform its core functions, along with a representative in Mauritius who shall be an officer of sufficiently senior status and knowledgeable in the operations.
- The Custodian shall, at all times, have and maintain a minimum stated unimpaired capital which is the higher of:
  - 35,000,000 MUR or an equivalent amount (US$ 1 million approx.); or
  - an amount representing six months' operating expenses.
- The Custodian shall set up and maintain, at all times, a risk management framework to enable it to effectively develop and implement strategies, policies, procedures and controls to manage its operational risks.
- The Custodian shall put in place a redundancy system to ensure business continuity in the event that:
  - the equipment and software used to perform core functions are not available from the main supplier; or
  - the primary staff assigned to perform a non-automated core function are unavailable.
- The Custodian shall also maintain appropriate disaster recovery facilities, with geographic segregation and security installations equivalent to those of its primary place of business, so that business continuity and client asset protection are ensured should the primary place of business become inoperative.
- The Custodian shall also appoint an external independent third party to undertake a yearly audit of all its systems, policies and processes.
The availability of a strong regulatory framework for Digital Custodians effectively creates a safe and regulated space for the conduct of FinTech activities in Mauritius.
The securities token offering
Securities Tokens are classified as securities under Mauritian regulations (similar to instruments such as shares, debentures and derivatives, amongst others). Such Security Tokens would be represented in digital format and may constitute a share, debenture, derivative or a unit in a Fund.
The FSC has issued a guideline in April 2019 in relation to a Securities Token Offer (STO). STO means the issue of Securities Tokens, as a method of raising funds from investors, in exchange for the ownership or economic rights in relation to assets. Such offering shall be subject to the Securities Act (including the requirements for a prospectus).
The issuer of the STO shall ensure that it is properly regulated and that any STO has been appropriately approved by the FSC. However, no prior approval is required from the FSC when such offers are made to sophisticated investors (non-retail investors) and professional funds (non-retail funds).
The FSC has expressly allowed Reporting Issuers, Expert Funds or Professional Collective Investment Schemes to issue STOs.
The securities token trading systems
The FSC has clarified in June 2020 that they will licence Securities Token Trading Systems ('STTS').
An STTS is a platform designed for the trading of Securities Tokens and hence has unique features such as automatic clearing on a T+0 basis and direct placing of trades by clients.
In issuing the licence, the FSC would take into consideration the matters included in the STTS's rules such as type of Security Tokens, onboarding process, listing process and requirements, order execution rules, safekeeping procedures, reporting and publication, BCP rules, AML/CFT rules amongst others. The cybersecurity procedures and IT audits are also key aspects which would be assessed by the FSC prior to granting the licence.
The STTS shall also be required to have and maintain a minimum stated unimpaired capital of 35,000,000 MUR (approx. €745,660) or an equivalent amount, as well as subscribe to an adequate professional indemnity insurance policy which shall indemnify the STTS, its employees and any person acting on its behalf against liability for any act, error or omission in the conduct of its operations.
They would also be required to comply with the relevant and applicable Principles for Financial Market Infrastructures ('FMIs') issued by the Committee on Payments and Market Infrastructures ('CPMI') of the International Organisation of Securities Commissions ('IOSCO').
The regulatory sandbox licence
The Regulatory Sandbox licence ('RSL') recognises the dynamism with which the FinTech industry evolves.
Subject to approval, the RSL allows an investor to develop innovative business activities, including FinTech, for which no regulatory or legal framework exists in Mauritius. The RSL regime is spearheaded by the Economic Development Board in Mauritius and the latter acts as a coordinator with the different agencies in Mauritius (including the FSC and the BOM).
The RSL offers the opportunity to innovative FinTech promoters ahead of the regulatory curve to operate through a bespoke set of terms and conditions, even in the absence of a formal licensing framework.
The STTS licensee is also required to be controlled and managed from Mauritius and will be required to have at least three directors, comprising 30% independent directors and at least one resident director. The STTS licensee is also expected to appoint a Chief Technology Officer and will need to develop and apply proper safeguards to ensure that its systems and networks are fully protected, thereby limiting or containing the impact of a possible cybersecurity breach.
It is also worth noting that the Government is granting an eight-year tax holiday to newly set-up companies engaged in innovation-driven activities on income derived from their intellectual property assets developed in Mauritius.
The Act provides the Commissioner with enforcement authority. The Commissioner may investigate complaints that the Act or its subordinate regulations have been or are being violated. The Commissioner authorises an officer to investigate the complaint or cause unless he/she is of the opinion that the complaint is frivolous or vexatious.
If the Commissioner is unable to arrange an amicable resolution for the parties concerned within a reasonable time frame, the Commissioner shall notify, in writing, the individual who made the complaint of the Commissioner's decision. Commissioner decisions may be appealed under Section 51 of the Act.
If the Commissioner is of the opinion that a controller or a processor has contravened, is contravening, or is about to contravene the Act, the Commissioner may serve an enforcement notice on the data controller or processor, requiring remedial efforts within a specified timeframe.
A person who, without reasonable excuse, fails or refuses to comply with an enforcement notice commits an offence and, on conviction, is liable to a fine not exceeding MUR 50,000 (approx. €1,250) and to imprisonment for a term not exceeding two years.
If the Commissioner has reasonable grounds to believe that data are vulnerable to loss or modification, he/she may make an application to a Judge in Chambers for an order for the expeditious preservation of such data.
The Commissioner may also carry out periodical audits of the systems and security measures of data controllers or data processors to ensure compliance with data protection principles laid down in the Act.
Under Section 19M of FIAMLA, where an institution fails to comply with a direction given and the time period specified for compliance, the institution shall be liable to pay a penalty not exceeding MUR 5,000 (approx. €125) for each day on which such breach occurs as from the date on which the breach is notified.
Moreover, the FSC has the power to revoke or suspend the licence of any institution which damages the integrity of the financial services industry and for the protection of the interest of clients of the institution, for public interest in general, and for the protection of the good repute of Mauritius as a centre for financial services.
The BOM also applies sanctions when it notes breaches; for example, the BOM may revoke or suspend the licences of money changers for breaches. The BOM can also penalise banks for non-compliance.
11. Additional Areas of Interest
Mauritius had, unsuccessfully, applied for an adequacy decision in 2010 on the now repealed 2004 Data Protection Act. Following the adoption of the Act, Mauritius has applied for an adequacy decision to the European Commission under the GDPR.
Shalinee Dreepaul Halkhoree Partner
Juristconsult Chambers, Ebène