KYC Compliance in Mauritius 2026: FSC and Bank of Mauritius Requirements for Fintechs and Regulated Businesses

Mauritius occupies an unusual position in African financial services. It functions simultaneously as a domestic market and as a holding jurisdiction for investment structures across the continent — which means KYC obligations here apply not just to local customers, but to the cross-border entities, fund investors, and global business licensees that flow through Port Louis every day. For any regulated platform operating in or through Mauritius, getting identity verification right is not optional. VOVE ID helps fintechs and regulated businesses manage KYC workflows across Mauritius and beyond — from document verification to biometric checks.

This guide covers the KYC framework in Mauritius, the regulators who enforce it, and the compliance realities for digital onboarding in 2026. For the underlying KYC framework — what CDD is, how risk tiers work, and what a compliant onboarding flow looks like — see KYC Requirements Explained: 2026.

The Regulatory Architecture

KYC obligations in Mauritius sit within a dual-regulator structure. The Bank of Mauritius (BoM) supervises banks, payment service providers, and other deposit-taking institutions. The Financial Services Commission (FSC) covers the non-bank sector: investment funds, global business companies, insurance, securities dealers, and fintech licensees operating under the Financial Services Act.

Both regulators derive their KYC mandates from the Financial Intelligence and Anti-Money Laundering Act 2002 (FIAMLA), which establishes the baseline for customer due diligence, record-keeping, and suspicious transaction reporting. The FSC and BoM translate FIAMLA obligations into sector-specific guidelines — meaning the practical requirements for a payment service provider differ from those for a fund administrator, even though the underlying legal framework is the same.

The Financial Intelligence Unit (FIU) sits above both as the national body receiving and analysing suspicious transaction reports (STRs). The Financial Crimes Commission (FCC), established on 29 March 2024, consolidates investigation and prosecution of financial crime — absorbing the former Independent Commission Against Corruption and Asset Recovery Investigation Division into a single apex enforcement body.

What KYC Requires: The Core Obligations

Under FIAMLA and the regulations issued by FSC and BoM, every reporting entity must apply Customer Due Diligence (CDD) at onboarding. The minimum requirements are:

For individual customers: full name, date of birth, nationality, residential address, and verification of identity through an acceptable document. Where the individual is acting on behalf of another person, verification of that authority is also required.

For corporate customers: legal name, registration number, registered address, nature of business, and identification of directors and ultimate beneficial owners. The UBO threshold in Mauritius is 20% — lower than the 25% standard used in most jurisdictions, which means more individuals fall within scope for verification.

Enhanced due diligence applies to high-risk clients including politically exposed persons (PEPs), clients from high-risk jurisdictions, complex ownership structures, and non-face-to-face relationships. For EDD cases, the depth of identity verification goes beyond documents — source of funds, source of wealth, and senior management sign-off are typically required.

Records must be retained for a minimum of five years after the end of the business relationship, under both FSC and BoM rules.

Acceptable Identity Documents

For individual verification in Mauritius, the primary accepted documents are:

• Mauritius National Identity Card (NIC) — mandatory for citizens aged 18 and above
• Passport — standard for foreign nationals
• Residence permit — for expatriates resident in Mauritius

For address verification, acceptable documents typically include utility bills, bank statements, or official correspondence dated within three months.

Mauritius has a high banking penetration rate and strong document infrastructure domestically. The friction point arises with the substantial volume of foreign nationals flowing through global business structures — particularly individuals from jurisdictions with less standardised documentation. Platforms onboarding investors or directors from across Africa, South Asia, or the Middle East need document coverage that goes well beyond Mauritian IDs.

VOVE ID's document verification covers 190+ countries, which directly addresses this gap — particularly for fund administrators and corporate service providers onboarding directors or beneficial owners who are not Mauritian residents.

Digital Onboarding: Where Mauritius Stands

Mauritius has been building toward national eKYC infrastructure for several years. MauPass, the government's digital identity platform, provides access to public services but has not yet been extended to the financial sector for real-time identity verification. The Bank of Mauritius has signalled intent to develop a central eKYC registry accessible to financial institutions, but as of 2026 this remains in development.

In practice, this means regulated entities cannot rely on a national eKYC utility to verify customers. Digital onboarding workflows must be built on document capture, OCR, liveness detection, and face matching against the submitted document — the same stack used in jurisdictions without a mature national digital ID system.

The Electronic Transactions Act and the Data Protection Act 2017 both provide legal recognition for electronic identity verification in Mauritius, meaning a properly documented digital onboarding flow does carry legal weight. The requirement is that the method of verification is demonstrably reliable and independent — which is precisely what biometric liveness checks and automated face matching are designed to provide.

For platforms onboarding international clients remotely — the standard model for Mauritius-based fund administrators and corporate service providers — the absence of a national eKYC system is less a gap than a confirmation that API-based verification is the correct infrastructure choice.

Risk Classification and the Risk-Based Approach

Both FSC and BoM require regulated entities to apply a risk-based approach — meaning KYC intensity is calibrated to client risk rather than applied uniformly. In practice, this means maintaining a documented risk classification system with at least three tiers: low, standard, and high.

Low-risk indicators in the Mauritian context include: domestic customers with straightforward occupation and income, simple product types (basic payment accounts), and customers not connected to high-risk jurisdictions.

High-risk indicators include: PEPs and their close associates; customers from jurisdictions on FATF grey lists or EU high-risk lists; complex or layered corporate structures (particularly relevant given the volume of GBL holding companies in Mauritius); cash-intensive businesses; and customers with no apparent nexus between their profile and the nature of the transaction.

The risk assessment must be documented at onboarding and reviewed on an ongoing basis. For high-risk clients, enhanced monitoring — including review of transactions against the stated business purpose — is mandatory.

PEPs and Sanctions Screening

Mauritius is a regional financial hub with substantial exposure to political and business figures from across Africa, South Asia, and the Gulf. PEP screening is therefore not a background obligation — it is a material compliance requirement.

Under FSC and BoM guidelines, PEPs must be identified at onboarding and subject to enhanced due diligence: senior management approval for establishing the relationship, documentation of source of wealth, and heightened ongoing monitoring. Domestic PEPs — Mauritians holding or having recently held public functions — fall within scope alongside foreign PEPs.

Sanctions screening obligations cover UN sanctions lists, which Mauritius implements domestically through the United Nations Sanctions Act 2019. The FSC revoked over 25 licenses and suspended 13 in early 2025 for failures specifically related to UN Sanctions Act compliance — a concrete illustration of how seriously the regulator treats screening gaps.

VOVE ID's sanctions screening covers UAE, UN, EU, OFAC, and other major lists — the relevant coverage set for a jurisdiction like Mauritius with a genuinely international client base.

The AMLA 2026 Update

The Anti-Money Laundering, Combatting the Financing of Terrorism and Countering Proliferation Financing Bill 2026 (AMLA 2026) represents the most significant overhaul of the Mauritian AML/CFT framework since FIAMLA. Key changes relevant to KYC practice include:

Expanded UBO definitions — control beyond direct shareholding is now captured, meaning beneficial ownership analysis must go deeper into complex structures.

Strengthened CDD requirements for complex structures, with enhanced evidence standards for file documentation.

Revised reporting timelines — 24-hour and 48-hour response windows for regulatory and investigatory requests.

Centralised Information Management System (CIMS) — a new data infrastructure enabling regulatory coordination across agencies.

Proliferation financing is now formally integrated into the CDD framework, requiring entities to explicitly consider CPF risk in their customer risk assessments — not just ML and TF.

For regulated entities, AMLA 2026 is not a future project. It is a current compliance requirement, and the FSC has signalled through its 2025 enforcement activity that the bar for acceptable KYC documentation has risen.

Friction Points in Practice

Foreign national onboarding is the most common operational challenge. A significant share of directors, shareholders, and UBOs in Mauritius-registered structures are not Mauritians. Verifying individuals from across Africa and Asia without face-to-face interaction requires biometric verification — liveness detection and face matching against the passport or national ID — not just a photocopy.

Complex corporate structures present the second major friction point. GBL companies with layered ownership — common in Mauritius investment holding structures — require tracing UBOs through multiple layers. This is a manual and error-prone process without automation.

Ongoing monitoring is frequently under-resourced. Onboarding checks are well understood; the systems for reviewing customer profiles after onboarding, and triggering re-KYC when risk indicators change, are less consistently implemented.

This article is intended for general informational purposes only and does not constitute legal, financial, or regulatory advice. KYC/KYB/AML requirements may vary depending on jurisdiction, industry, and specific business circumstances. For up-to-date and binding compliance obligations, readers should refer to the relevant regulatory authorities or consult qualified professionals.