Mauritius: FSC Rules Issued Under The Virtual Asset And Initial Token Offerings Services Act 2021 (VAITOS)

The VAITOS Rules came into force on 01 July 2022 and we set out below a summary of them:

(i) Virtual Asset and Initial Token Offerings Services (Capital and Other Financial Requirements) Rules 2022 (the Capital Requirement Rules);

(ii) Virtual Asset and Initial Token Offerings Services (Client Disclosure) Rules 2022 (the Client Disclosure Rules);

(iii) Virtual Asset and Initial Token Offerings Services (Custody of Client Assets) Rules 2022 (the Custody of Client Assets Rules);

(iv) Virtual Asset and Initial Token Offerings Services (Cybersecurity) Rules 2022 (the Cybersecurity Rules);

(v) Virtual Asset and Initial Token Offerings Services (Publication of Advertisements) Rules 2022 (the Publication of Advertisements Rules);

(vi) Virtual Asset and Initial Token Offerings Services (Risk Management) Rules 2022 (the Risk Management Rules); and

(vii) Virtual Asset and Initial Token Offerings Services (Statutory Returns) Rules 2022 (the Statutory Returns Rules).

The Capital Requirement Rules

Section 20 of VAITOS casts an obligation on a Virtual Asset Service Provider (VASP) to maintain such minimum stated unimpaired capital and such other financial requirements, as prescribed in the FSC Rules.

The Capital Requirements Rules provides for further details on this financial obligation.

(1) General requirements

As a general principle, the VASP must take into account the nature, scale and complexity of its activities and the risks to which it is or could be exposed to ensure sufficient unimpaired capital and liquidity resources of such nature, amount and quality that results in the adequate capital and liquidity resources of the VASP when taken as a whole.

The Capital Requirements Rules further sets out the matters which are relevant in determining the capital adequacy and financial requirements including its risk management assessment.

(2) Capital Requirements

The VASP must have as a minimum unimpaired capital and liquidity resources the greater of the own funds requirement or the prudential requirement. It is important to note that for the purposes of calculating the minimum unimpaired capital and liquidity resource, intangible assets such as goodwill should already be deducted prior to determining whether there is sufficient capital.
The own funding requirements that the VASP and the different licensees must comply with are listed in the schedule of the Capital Requirements Rules as illustrated in the table below:

As regards the prudential requirement, the VASP must have in place prudential safeguards equal to an amount of capital which is at least the higher of (i) one quarter of the fixed overheads of the VASP over the preceding year, reviewed annually and (ii) the financial resources requirements as determined under the VASP (Risk Management) Rules 2022.

(3) Fixed Overheads

The formula which should be used by the VASP to calculate its fixed overheads is prescribed as follows:

Fixed overheads = Total expenses after distribution of profits to shareholders (in most recent financial statements) + Third party expenses - Deductible items

Rule 9 and Rule 10 expands on the relevant deductible items and third party expenses respectively.

Coupled with the obligation to maintain adequate systems and controls to ensure the integrity and accuracy of its books and records, the VASP is equally required to maintain records of accounts and corresponding information which must be provided to the FSC upon request. In addition, the VASP must ensure that its books, records and accounts comply with internationally recognised accounting standards as applicable.

(4) Material change to projected relevant expenditure during the year

A material change in expenditure is explained where there is:

(a) either an increase or decrease of 30% or more in the VASP's projected relevant expenditure for the current year; or

(b) an increase or decrease of 100,000,000 Mauritian Rupees (or equivalent amount in another fiat currency) or more in the VASP's fixed overheads requirement based on projected relevant expenditure for the current year.

The VASP must immediately recalculate its fixed overheads and its basic liquid assets requirements as a result of a material increase as per above.

Additionally, a VASP that is planning to implement a material change to its business expenditure must calculate the anticipated impact of that change on its fixed overheads requirement (and its own funds requirement) before executing the relevant change, and make sure that it can meet its projected future obligations before making the relevant change.

Some of the examples of planned changes are (a) starting or ceasing a major business line, (b) acquiring or disposing of a major business or (c) undertaking a significant investment, upgrade or restructuring programme.

The Client Disclosure Rules

(1) General requirements

Generally, the VASP must ensure that communication of information to clients is clear, fair and not misleading. As such, the VASP is required to follow a number of safeguards as laid down in the Client Disclosure Rules.

(2) Disclosure requirements

As part of the general disclosure requirements imposed by the Client Disclosure Rules, the VASP must provide clients with certain information in writing before providing the relevant products and/or services.

The use of the FSC must not be used by the VASP in a way that is misleading or that would indicate or suggest endorsement or approval by the FSC of the relevant products or services of the VASP.

The Custody of Client Assets Rules

(1) General requirements

The Virtual Asset Custodian must make adequate arrangements to safeguard clients' ownership rights when holding the clients' virtual assets particularly in the event of the Virtual Asset Custodian's insolvency and to prevent the use of those virtual assets belonging to a client on the Virtual Asset Custodian's own account except with the client's express consent.

The Virtual Asset Custodian is also required to establish, implement and maintain adequate organisational arrangements to mitigate the risk of the loss of the virtual assets belonging to clients.

(2) Holding Virtual Assets

The Virtual Asset Custodian has inter alia the following obligations with respect to the virtual assets it holds:

(a) The legal title and rights of access to virtual assets must be registered by the Virtual Asset Custodian holding the virtual assets in custody. Where a Virtual Asset Custodian holds virtual assets with a nominee company, it shall accept the same level of responsibility to its clients and the FSC as the Virtual Asset Custodian would itself have if holding virtual assets directly.

(b) The Virtual Asset Custodian must ensure that any software and hardware it uses in holding virtual assets is reliable, resilient and compatible with the virtual assets being held.

(c) The Virtual Asset Custodian must appoint a suitably qualified and experienced independent third party professional to carry out an annual audit of the Virtual Asset Custodian's hardware and software used to hold virtual assets.

(d) The Virtual Asset Custodian is required to keep a record of the basis on which the appointed Virtual Asset Custodian for has determined that the third party auditor is independent, suitably qualified and sufficiently experienced to carry out the annual audit and such report must be kept for a minimum of 7 years.

(3) Depositing Virtual Assets with third parties

The Virtual Asset Custodian is allowed to deposit virtual assets held by it on behalf of its clients into an account or accounts opened with a Third Party Custodian provided that it exercises all due skill, care and diligence in the selection, appointment and periodic (and at least annual) review of the Third Party Custodian and of the arrangements for the holding and safekeeping of those virtual assets.

Third Party Custodian is defined in the Custody of Client Assets Rules as a person that is either licenced in Mauritius as a Virtual Asset Custodian, or operates from an establishment outside of Mauritius and holds an equivalent licence with a regulator in that jurisdiction

(4) Records and Accounts

The Virtual Asset Custodian must keep records which should be client-specific to enable it at any time and without delay to distinguish virtual assets held for one client from virtual assets held for any other client, and from the Virtual Asset Custodian's own applicable assets.

The Virtual Asset Custodian must also perform an internal custody record check as regularly as is necessary however same should not be more than two months between each internal custody record check.

In addition, the Virtual Asset Custodian must conduct on a regular basis, reconciliations between its internal records and accounts of virtual assets held by the Virtual Asset Custodian for clients and those of any third parties with whom those virtual assets are held and ensure that the reconciliations are carried out by an independent person.

Records must be retained by the Virtual Asset Custodian for a period of at least 7 years.

(5) Shortfalls and Discrepancies

Any discrepancy that is identified by the Virtual Asset Custodian following the carrying out of an internal custody record check or external custody reconciliation must prompt the Virtual Asset Custodian to take all reasonable steps to investigate the reason for the discrepancy and resolve it without undue delay.

Where the Virtual Asset Custodian identifies a discrepancy as a result of, or that reveals, a shortfall, which the Virtual Asset Custodian has not yet resolved, it must act in accordance with the steps laid down in Rule 21 of the Custody of Client Assets Rules until the discrepancy is resolved.

(6) Virtual Asset Custodian Failure

Paragraph (4) above will not apply to a Virtual Asset Custodian following its failure, i.e. upon the appointment of a liquidator or any equivalent procedure in any relevant jurisdiction.

The Virtual Asset Custodian must perform an internal custody record check and an external custody reconciliation that relates to the time of its failure or as soon as reasonably practicable. The internal custody record check and an external custody reconciliation must mark its reference point as the precise point in time at which the Virtual Asset Custodian's failure occurred.

The Virtual Asset Custodian is prohibited from disposing any virtual assets where this would be in violation of its obligations under the VAITOS or the relevant FSC Rules issued pursuant to section 52 of the VAITOS or to the law applicable to any Third Party Custodian used by the Virtual Asset Custodian, or any agreement the Virtual Asset Custodian has entered into.

(7) Notification Requirements

The FSC must be promptly notified in case of (1) failure of the Virtual Asset Custodian; (2) material inaccuracy, out of date or invalid internal records and accounts of the virtual assets held by the Virtual Asset Custodian for clients; (3) inability or material failure to take the steps required for the treatment of shortfalls; (4) inability or material failure to conduct an internal custody record check or an external custody reconciliation

The Cybersecurity Rules

Under the Cybersecurity Rules, a VASP has the obligation to establish and maintain appropriate systems and controls for managing cybersecurity and operational risks that can arise from inadequacies or failures in its processes and systems. The VASP must consider and ensure the following:

• consider the importance and complexity of processes and systems used in the end-to-end operating cycle for products and activities;
• controls that shall help it to prevent system and process failures or identify them to permit prompt rectification;
• whether the design and use of its processes and systems allow it to comply adequately with its contractual obligations and the FSC Rules;
• the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities between IT development and operational areas, as well as its processes for embedding security requirements into systems);
• the allocation of responsibilities between business and technology areas;
• its arrangements for the continuity of operations in the event that a significant process or system becomes unavailable or is destroyed; and
• the importance of monitoring to quickly detect cyber incidents and periodically evaluate the effectiveness of systems and controls.
• the impact of any outsourcing arrangements, as well as the interoperability risks when dealing with software and systems provided by third parties. As part of this, a virtual asset service provider shall seek to identify any dependencies of its business and protect its clients against any cybersecurity and operational risk caused as a consequence of these dependencies;
• there is adequate senior management oversight over its cybersecurity systems, and that there are clearly defined roles, responsibilities and accountability for personnel implementing, managing, and overseeing the effectiveness of the virtual asset service provider's cybersecurity strategy and framework
• the adequacy of its internal documentation of processes and systems (including how documentation is developed, maintained and distributed) in managing operational and cybersecurity risk
• all staff receive appropriate training in relation to cybersecurity.
  The cybersecurity strategy and framework must be reviewed at least annually and the VASP must submit the results of its review to the FSC annually.

In addition to the above the general requirements, the VASP must ensure business continuity by:

• implementing appropriate arrangements to reduce the likelihood and impact of a disruption (including by succession planning, systems resilience and dual processing). These arrangements shall be updated and tested to ensure their effectiveness.
• establishing a formal business continuity plans that outlines arrangements to reduce the impact of a short, medium or long-term disruption and shall including (i) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources; (ii) the recovery priorities for the VASP's operations; and (iii) communication arrangements for internal and external concerned parties. In drafting the business continuity plan, the VASP shall also consider how operating processes and systems at separate geographic locations may alter its risk profile;
• establishing escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information and processes to validate the integrity of information affected by the disruption, which must be reviewed and updated following changes to the VASP's operations or risk.

When choosing an insurance, the VASP must also bear in mind the non-monetary impacts (such as the impact on its reputation) and shall consider (a) the time taken by the insurer to pay claims and the VASP's funding of operations whilst awaiting payment of claims; (b) the financial strength of the insurer and (c) the effect of any limiting conditions and exclusion clauses that may restrict cover to a small or limited number of specific losses and may exclude larger or hard to quantify indirect losses (such as lost business or reputational costs).

The Publication of Advertisements Rules

Under the Publication of Advertisement Rules, 'advertisement' means commercial and promotional materials:

(a) communicated through any medium and in any form, including magazines and newspapers, radio and television, outdoor advertising, including billboards, window display and signs at public venues, the internet, including webpages, banner advertisement and social networking (e.g. Facebook and Twitter), product brochures and promotional fact sheets, direct mail (e.g. by post, facsimile or email), telemarketing activities and seminars and presentations to groups of people;

(b) used for the marketing or promotion of relevant products/services to consumers in Mauritius; and

(c) which are distributed through any medium currently known or hereafter developed.
The advertisement for services/products by a VASP must:

• be fair, clear, complete, concise, unambiguous and unbiased, and shall not be false, misleading nor deceptive;
• contain information that is timely and consistent with any relevant products/services;
• not suggest that the relevant products/ services are "low risk", where the contractual or other documentation contains a special risk warning;
• provide an equitable message in respect of the returns, benefits and risks associated with relevant products/services;
• be clearly identifiable and the media chosen for an advertisement shall be suitable for that advertisement.

In addition to the above general requirements, the advertisement ought to comply with the following:

(1) Disclosure requirements

A VASP must avoid extensive use of technical, legal terminology or complex language and excessive details in an advertisement. It shall ensure that all advertisements:

(a) include the VASP's full name and licence;

(b) are accurate and up to date, do not omit any material relevant facts, and do not make definitive statements that cannot be substantiated;

(c) which make assumptions, ensure that the assumptions are stipulated;

(d) use a design and presentation that shall be easily and clearly understood;

(e) use a tone that does not undermine the importance of the risks, and make clear if a consumer's capital is at risk;

(f) must not be given undue prominence of benefits compared to risks, and always give a fair, balanced and prominent indication of any relevant risks when referencing potential benefits;

(g) only refer to relevant products/services as having regulatory protection where this is accurate and not misleading;

(h) are consistent with any other information provided by the VASP;

(i) disclose adequate information concerning all applicable taxes and the impact of such taxes on consumers, and clearly state that tax treatment depends on the individual circumstances of each consumer and may be subject to change in future. Consumers shall be informed that it is their responsibility to seek additional and independent tax advice; and

(j) provide a balanced impression of both the short and long term prospects of the relevant products/services.

Comparison, reference to past performance or reference to future performance must only be made where this is clear, accurate, fair, balanced and not misleading, and does not take unfair advantage of the recipient of the communication.

The advertisements shall not disguise, diminish or obscure important statements or warnings.

The advertisement shall not contain the logo/authorisation of the FSC nor any connotation to the effect that the FSC is involved, has provided its approval of the products/services, without prior express authorisation from the FSC. The name of any regulator, including the FSC, shall not be used in a way that is misleading and shall not use the name of any regulator without seeking prior approval with the concerned regulator.

(2) Performance Information

The advertisements must not contain any projection of performance returns based on borrowing plans. Where past performance is being referred to, it shall be made objectively in a clear statement and not as an indicator of future performance.

(3) Fees and Costs

Fees or costs in an advertisement of relevant product/services ought to give a realistic impression of the overall level of fees and costs a consumer is likely to pay. An advertisement for relevant products/services have to state clearly when certain benefits are mutually exclusive. No attempts shall be made to conceal costs from the attention of consumers.

(4) Risk and Warning

An advertisement must adequately reflect and explain any special or unusual risks associated with relevant products/services. The consumer must be warned that changes to the rates of exchange may have an effect on the value, price or income obtained from relevant products/services, where the products/services are in any other currency than MUR.

(5) Cancellation rights

All cancellation rights (where applicable) must be adequately disclosed, along with the liabilities attached to the exercise of such right, to consumers in the advertisement or in the terms and conditions of the contract attached to the relevant products/services.

The VASP shall not provide or cause to be provided unreasonable inducements (which may constitute a real or apparent attempt to influence the choices or decisions of the consumers and includes entertainment and soft commissions) or gifts to the consumers.

In relation to internet advertisements, the VASP should take all reasonable step to ensure that the electronic versions of the advertisements are up to date and reasonably easy to access.

The Publication of Advertisement Rules shall apply to (i) any VASP; (ii) to any issuer of initial token offerings, that carries out business in or from Mauritius or intend to advertise and market relevant products/services in or from Mauritius; (iii) a business in Mauritius advertising and marketing relevant products/services outside of Mauritius, subject to the local applicable laws in the jurisdiction where the advertising and marketing is targeted.

These rules will not be applicable to situations whereby a VASP provides additional information to its existing clients by telephone ("help-lines") in relation to the products and services already purchased by these clients, without any form of inducement for them to purchase any additional products or services.

The Risk Management Rules

The Risk Management Rules provides that a VASP shall have in place sound, effective and comprehensive strategies, processes and risk management systems to assess and maintain, on an ongoing basis, the amounts, types and distribution of financial resources, non-financial resources, own funds and unimpaired capital. This shall adequately cover:

(a) the nature and level of the risks to which the VASP is/might be exposed, such that there is no significant risk that its liabilities cannot be met as they fall due, and that in the event of a winding up, its business can be wound up in an orderly manner, minimising harm to consumers, market integrity or to other market participants;

(b) the risk that the VASP might not be able to meet the obligations under the Capital Requirement Rules in the future; and

(c) the need for liquid assets adequate to cover its liabilities as they fall due.

The VASP must document how it has met the above general prudential requirement, which shall be reviewed annually and be completed within 4 months after the close of every financial year.

Types of risk

In identifying and managing the major sources of risks to which it may be exposed, a VASP must consider the following non-exhaustive categories of risks, in accordance to the nature and scale of its business:

(a) credit and counterparty risk;

(b) liquidity risk;

(c) operational risks;

(d) market risk;

(e) interest rate risk;

(f) the risk that their own funds held by the VASP are inadequate having regard to the economic substance of the transactions the VASP is involved in;

(g) risks arising from changes in the VASP's business, including the acute risk to earnings posed by falling or volatile income; the broader risk of a VASP's business model or strategy proving inappropriate due to macro-economic, geopolitical, industry, regulatory or other factors; and the risk that a VASP may not be able to carry out its business plan and desired strategy;

(h) the remuneration policy in place at the VASP;

(i) risk of excessive leverage;

(j) the risk to the VASP caused by its contractual or other liabilities to, or with respect to, any pension scheme;

(k) the risk that the VASP's financial position may be adversely affected by its relationships (financial or non-financial) with other entities in the same group or by risks which may affect the financial position of the whole group (e.g. reputational contagion);

(l) concentration risk, being the risk that a combination of risks exposures will cause a loss large enough to threaten the solvency or the general financial position of the VASP; and
(m) the risk that the risk mitigation techniques used by the VASP prove less effective than expected.

A VASP must document its assessment and management of the major sources of risks to which it may be exposed.

Insurance

In order to fulfil above general requirements, a VASP may use of an insurance policy covering the relevant services to mitigate its risks. When choosing its insurance, the VASP shall consider (a) the type of cover provided by that insurance; (b) the time taken for the insurer to pay claims (including the potential time taken in disputing cover) and the VASP's funding of operations whilst awaiting payment of claims; (c) the financial strength of the insurer, which may determine its ability to pay claims, particularly where large or numerous small claims are made at the same time; and (d) the effect of any limiting conditions and exclusion clauses or excesses that may restrict cover to a small or limited number of specific losses and may exclude larger or hard to quantify indirect losses (such as lost business or reputational costs).

The Statutory Returns Rules

(1) General requirements

As a general principle, a VASP must deal with the FSC in an open and cooperative way, and must disclose to the FSC appropriately anything of which the FSC expects notice.

The Statutory Returns Rules further set out that a VASP must give immediate notice to the FSC in the event of any breach of likely breach of the ACT or FSC Rules, including any conditions for obtaining a license, any changes in relation to any licence held by the VASP in any jurisdiction, failure to ensure confidentiality and reliability of clients' data and information, and material changes to the business continuity plan and outsourcing arrangements.

(2) Requirement for approval

The VASP must not make any material changes to its business activities unless an application has been approved by the FSC. An application for approval must be made using the Virtual Assets and ITO (Material change of business) Form. Once approved, the VASP must have 12 months or any such other period as the FSC may specify to implement the change. In the event that the change has not been made, the VASP can reapply for an approval.

The Statutory Returns Rules further provides that the VASP has a duty to promptly inform the FSC once it has implemented the relevant change.

(3) Annual reporting requirement

The Statutory Returns Rules imposes a duty on the VASP to provide a list of information in accordance with its Rule 6 to the FSC within 4 months after the close of each financial year.