AML Compliance in Mauritius 2026: FIU, FCC, and AMLA Requirements for Fintechs and Regulated Businesses

Mauritius punches well above its weight as a financial centre. With a GDP of roughly USD 15 billion, the country administers investment structures with assets many times that size, managing capital flows into Africa and beyond. That role brings genuine AML exposure — and regulators have spent the years since the 2021 FATF exit building the enforcement infrastructure to match. VOVE ID supports regulated businesses in Mauritius with sanctions screening, transaction monitoring, and audit-ready compliance infrastructure for FSC and BoM requirements.

This guide covers the AML framework in Mauritius as it stands in 2026: the legal architecture, reporting obligations, enforcement landscape, and the changes introduced by AMLA 2026. For the underlying AML framework — how risk-based compliance works, what an effective transaction monitoring programme looks like, and how ML/TF/PF risks are assessed — see AML Requirements Explained: 2026.

FATF Status and the 2027 Evaluation

Mauritius was placed on the FATF grey list in February 2020 following a 2018 ESAAMLG mutual evaluation that identified significant gaps in its AML/CFT effectiveness. It exited the grey list in October 2021 — one of the first countries to exit before its FATF deadline — after demonstrating substantial reforms across its legislative, supervisory, and enforcement framework.

The country is rated compliant or largely compliant with 39 of 40 FATF Recommendations. The outstanding area — Recommendation 15 on virtual assets and VASPs — was upgraded from Partially Compliant to Largely Compliant in 2022.

The next ESAAMLG mutual evaluation is scheduled for 2027. This is actively shaping regulatory behaviour now. The FSC's enforcement escalation in 2025, the FCC's operational intensification, and the AMLA 2026 legislative overhaul are all, in part, preparation for demonstrating an effective system under evaluation conditions. Regulated entities should understand that the current environment reflects pre-evaluation posture — enforcement will be thorough.

The Legal Framework

Financial Intelligence and Anti-Money Laundering Act 2002 (FIAMLA) is the primary AML legislation. It establishes the FIU, defines reporting persons, and creates the suspicious transaction reporting framework that underpins compliance for all financial institutions.

Anti-Money Laundering, Combatting the Financing of Terrorism and Countering Proliferation Financing Bill 2026 (AMLA 2026) is the most comprehensive reform since FIAMLA's enactment. It restructures the AML/CFT/CPF framework, introduces proliferation financing as a formal compliance pillar, and significantly strengthens enforcement powers. AMLA 2026 is a live compliance event, not a future project.

Financial Intelligence and Anti-Money Laundering (Administrative Penalties) Regulations 2025 (Government Notice No. 112 of 2025, effective 18 November 2025) introduced a tiered administrative penalty framework with fines up to MUR 250,000 for KYC and reporting failures.

Financial Crimes Commission Act 2023 established the FCC as the apex enforcement body, replacing the Independent Commission Against Corruption. Penalties under the FCCA reach up to MUR 20 million on conviction for financial crime.

United Nations Sanctions Act 2019 implements UN sanctions domestically. The FSC's license revocations in early 2025 — over 25 licenses revoked, 13 suspended — were substantially tied to failures under this Act.

The Regulators

Financial Intelligence Unit (FIU): Receives, analyses, and disseminates suspicious transaction reports. Under AMLA 2026, the FIU gains expanded data-sharing powers with foreign counterpart agencies and formal CPF intelligence responsibilities. The FIU is the destination for all STR filings.

Financial Services Commission (FSC): Primary supervisor for the non-bank financial sector — investment funds, global business licensees, securities dealers, insurance, and fintech platforms under the Financial Services Act and VAITOS Act. The FSC issues KYC and AML guidelines for its licensees and conducts supervisory inspections. Its enforcement activity in 2025 demonstrated willingness to act decisively on documentation gaps.

Bank of Mauritius (BoM): Supervises banks, payment service providers, and money changers. Issues AML/CFT guidelines specific to banking sector obligations, including transaction monitoring standards and STR filing procedures.

Financial Crimes Commission (FCC): Established 29 March 2024. Investigates, prosecutes, and prevents financial crimes — corruption, money laundering, fraud, and terrorism financing. Between December 2025 and March 2026, the FCC conducted 70 search operations, made 26 arrests, and restrained assets worth approximately MUR 160 million, with 108 cases actively before the courts.

Reporting Obligations

Suspicious Transaction Reports (STRs): All reporting entities — banks, fintechs, investment managers, corporate service providers, lawyers providing financial services — must file STRs with the FIU when they know, suspect, or have reasonable grounds to suspect money laundering, terrorism financing, or proliferation financing. There is no minimum transaction threshold for STR filing. AMLA 2026 introduces a 24-hour response window for regulatory and investigatory requests, reflecting the FIU's expectation of operational readiness.

Currency Transaction Reports (CTRs): Triggered for cash transactions above MUR 500,000 (approximately USD 10,800). Financial institutions must report these regardless of suspicion.

Cross-border declarations: Travellers carrying cash or negotiable instruments above MUR 500,000 are required to declare at customs. Financial institutions handling cross-border cash movements must apply corresponding due diligence.

Record retention: Minimum five years after the end of the business relationship for all CDD records, transaction records, and STR-related documentation.

AMLA 2026: What Changes in Practice

The AMLA 2026 overhaul introduces several changes with direct operational implications:

Proliferation financing integrated into the framework. Previously, CPF was a compliance consideration but not formally embedded in CDD requirements. AMLA 2026 requires entities to explicitly assess proliferation financing risk in customer risk assessments and maintain CPF-specific controls. This is not just a documentation change — it requires expanding the scope of sanctions screening to include PF-designated entities and updating risk assessment methodologies.

Expanded beneficial ownership definitions. Control through means other than direct shareholding — board representation, veto rights, contractual control — is now explicitly within scope. KYB files that only document registered shareholders are no longer adequate.

Centralised Information Management System (CIMS). A new data infrastructure enabling cross-agency coordination. In practice, this means regulators will have greater visibility into inconsistencies between filings across agencies — tax, AML, beneficial ownership registrations — which raises the stakes for data accuracy.

Strengthened CDD for complex structures. Enhanced evidence standards apply specifically to entities with complex or layered ownership — directly relevant given the volume of GBL holding structures registered in Mauritius.

National Strategy 2026–2029. The AMLA 2026 package aligns with Mauritius's published National Strategy for Combating Money Laundering and Countering the Financing of Terrorism 2026–2029, which sets out the jurisdiction's compliance priorities through the ESAAMLG evaluation window.

Sanctions Screening: The Enforcement Priority

The FSC's 2025 license revocations were a clear signal: sanctions screening failures carry the most immediate regulatory consequences in Mauritius. The UN Sanctions Act 2019 requires all reporting entities to screen against UN consolidated sanctions lists and to freeze assets and report immediately when a match is identified.

In practice, effective sanctions compliance in Mauritius requires:

• Screening at onboarding against UN, OFAC, EU, and relevant regional lists
• Ongoing screening as lists are updated (not just point-in-time at onboarding)
• Clear escalation procedures when potential matches are identified
• Documentation of screening decisions, including rationale for false-positive determinations

Given Mauritius's exposure to investment flows from the Gulf, Africa, and Asia, the realistic probability of encountering sanctioned individuals or entities in ownership structures is higher than in many comparable jurisdictions. VOVE ID's sanctions screening covers the major lists relevant to a Mauritius-based compliance programme — UN, OFAC, EU, and UAE — with ongoing monitoring capability rather than static point-in-time checks.

High-Risk Sectors and Sector-Specific Exposure

Global Business Companies and investment structures: The primary ML risk vector in Mauritius. Complex layered ownership, foreign UBOs, and substantial asset values make this the highest-risk category for financial institutions and corporate service providers.

Virtual assets: The VAITOS Act framework has brought VASPs under formal AML supervision, but the sector remains on heightened regulatory watch. AMLA 2026 explicitly expands controls on VASP activity. For the KYC/KYB requirements specific to VASPs in Mauritius, the obligations align with FATF Recommendation 15 — which Mauritius is now largely compliant with.

Real estate: A significant sector for ML risk in Mauritius, particularly high-value property transactions involving foreign buyers. The FIU has flagged real estate as a priority sector, with STR volumes in the sector increasing.

Trust and corporate service providers: Management companies administering GBL structures are directly in the AML supervision perimeter. Their compliance failings become the failings of the entities they administer — making robust CDD and ongoing monitoring essential.

What an Effective AML Programme Looks Like in 2026

With the ESAAMLG evaluation in 2027, the FSC and BoM are increasingly focused not just on documentation of policies but on demonstrable effectiveness — whether the controls actually work, and whether suspicious activity is being detected and reported.

An effective programme for a Mauritius-regulated entity in 2026 includes:

A documented risk assessment covering ML, TF, and now CPF risks — specific to the entity's business model, client base, and geographic exposure.

KYC and KYB files that trace to the natural person for every UBO above 20%, with biometric verification for foreign nationals where face-to-face verification is not practical.

Transaction monitoring calibrated to the business model — not a generic ruleset but one that flags activity inconsistent with the client's stated profile and risk category.

STR filing discipline — internal processes that ensure suspicious activity is reported within required timeframes, with adequate documentation of the basis for filing.

Audit-ready records — five years of retention, structured so that regulatory inspection does not require manual reconstruction of compliance history.

This article is intended for general informational purposes only and does not constitute legal, financial, or regulatory advice. KYC/KYB/AML requirements may vary depending on jurisdiction, industry, and specific business circumstances. For up-to-date and binding compliance obligations, readers should refer to the relevant regulatory authorities or consult qualified professionals.