Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

permanent address, photograph
permanent address, photograph
current & permanent address, nature of applicant's business, financial status
Mauritian National Identification Card
Electronic Transactions Act 2000
The Financial Intelligence and Anti Money Laundering Act 2002 (“FIAMLA”) and the Prevention of Corruption Act 2002 (“POCA”) were enacted in 2002. The FIAMLA Regulations were introduced in 2003.
The Bank of Mauritius (“BOM”)
The Financial Services Commission (“FSC”)
Yes, every financial institution, bank or cash dealer is required to carry out customer due diligence for transactions exceeding MUR350,000 or an equivalent amount in foreign currency (USD10,000).
Where the customer is an individual, the original or a certified copy of an official, valid document containing details of his current permanent address, a recent photograph of him and such other
Every relevant person shall establish and verify: the identity and the current permanent address of an applicant for business; and the nature of the applicant's business, his financial status and the capacity in which he is entering into the business relationship with the relevant person.
Financial institutions are required to identify and verify (to the same level as a personal customer) all UBOs who directly or indirectly hold 20% or more of the capital or voting rights of a company. Specific requirements apply to banks and licensees of the FSC. Broadly, financial standing, qualifications and reputation, financial integrity and character would be considered.
Guidance issued by the regulatory authorities provides for specific circumstances where enhanced CDD should be applied. For example, enhanced due diligence must be applied where the ML/TF risk is high or where an applicant to a bank has been rejected by another bank.
Enhanced due diligence should be applied by financial institutions in connection with PEPs, including: a) obtaining further customer due diligence information (identification and relationship information) from either the customer or independent sources (such as the internet, public or commercially available databases); b) verifying additional aspects of the customer due diligence information obtained; c) obtaining additional information required to understand the purpose and intended nature of such a business relationship; d) taking appropriate and reasonable measures to establish the source of the funds and source of wealth of the customer, any beneficial owner and underlying principal; and e) carrying out more frequent and more extensive ongoing monitoring on such business relationships including setting lower monitoring thresholds for transactions connected with such business relationships.
The Licensee should: a) gather sufficient information about their correspondents to understand fully the nature of the correspondent’s business. Factors to consider include information about the correspondent’s management, major business activities, where they are located; their money-laundering prevention and detection efforts; and the identity of any third party entities that use the correspondent services; b) determine from publicly available information the reputation of the institution and quality of the institution’s regulation and supervision, including whether it has been subject to money laundering or terrorist financing investigation or regulatory action; c) assess the institution’s AML/CFT controls and ascertain that they are adequate and effective and establish correspondent relationships with foreign financial institutions only if they are satisfied that the foreign financial institutions are effectively supervised by the relevant authorities and have effective customer acceptance and KYC policies; d) obtain approval from senior management before establishing new correspondent relationships; and e) document the respective AML/CFT responsibilities of each institution.
Yes, financial institutions should refuse to enter into or continue a correspondent relationship with a financial institution incorporated in a jurisdiction in which the correspondent has no physical presence and which is unaffiliated with a regulated financial group (i.e. it may involve a shell financial institution).
In accepting business from non-face-to-face customers, financial institutions must apply effective customer identification procedures as well as specific and adequate measures to mitigate the high risk posed by non-face-to-face verification of customers. The Code on the Prevention of Money Laundering and Terrorist Financing enacted by the FSC stipulates that for non-face-to-face business relationships, additional steps (Enhanced Due Diligence) in relation to identification and verification are required.
The FIAMLA imposes only a duty to report STRs. However, the POCA imposes an obligation upon a public officer to report any act of corruption that he suspects to have happened within or in relation to that public body to the Independent Commission Against Corruption (“ICAC”).
Yes. Offences for failing to report an STR and tipping off are punishable by a fine not exceeding MUR1m (approx. USD28,620) and imprisonment for a term not exceeding five years. Supervisory authorities may take regulatory action in the event of non-compliance.
No. As far as we are aware, there is no requirement to use automated suspicious transaction monitoring technology.
There is no specific provision under domestic law.
Mauritius is a member of the Egmont Group and has signed a number of Memoranda of Understanding on exchange of information with foreign FIUs.
Guidelines from the regulatory authority require that the institution review their practices as part of their general external and internal audit processes.
There is no requirement for an independent external audit report; however, financial institutions have to make a report on themselves to the BoM: reports are issued on a yearly basis;
reports are submitted to the Bank of Mauritius;
no, the report is not part of the Financial Statement.
As above, there is no requirement for an independent external audit report; however, financial institutions have to make a report on themselves to the BoM. There are no specific requirements for the content of an external report on a bank’s AML systems and controls: a) yes, sample testing of KYC files is required; b) no, sample testing of SAR reports is not required; and c) this would be part of the review of KYC review.
We are governed by the Data Protection Act 2004. Per the Act, personal data refers to (i) data which relate to an individual who can be identified from those data; or (ii) data or other information including an opinion forming part of a database, whether or not recorded in a material form, about an individual whose identity is apparent or can reasonably be ascertained from the data, information or opinion.
The Data Protection Act 2004 applies only to personal data.
Yes, “sensitive personal data” means personal information concerning a data subject and consisting of information as to: a. racial or ethnic origin; b. political opinion or adherence; c. religious belief or other belief of a similar nature; d. membership to a trade union; e. physical or mental health; f. sexual preferences or practices; g. the commission or alleged commission of an offence; and h. any proceedings for an offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Per the Data Protection Act 2004, no data controller shall, except with the written authorisation of the Commissioner, transfer personal data to another country. No personal data shall be processed, unless the data controller has obtained the express consent of the data subject. Notwithstanding the above, personal data may be processed without obtaining the express consent of the data subject where the processing is necessary: a) for the performance of a contract to which the data subject is a party; b) in order to take steps required by the data subject prior to entering into a contract; c) in order to protect the vital interests of the data subject; d) for compliance with any legal obligation to which the data controller is subject; e) for the administration of justice; or f) in the public interest.
financial institution
MUR 350,000
Yes, for example the guidelines issued by the FSC for Effective Customer Risk Assessment.
Certified copies should be provided.
No. There is a general confidentiality obligation upon banks (s64 Banking Act 2004) to keep the information on their customers confidential. Such an obligation may only be lifted by way of a court order.