KYC, KYB & AML compliance checklist
Mauritius KYC, KYB & AML
An implementation-focused checklist for fintechs, banks, payment service providers, FSC licensees and other reporting persons operating in Mauritius. It translates the Financial Intelligence and Anti-Money Laundering Act 2002 as currently amended, the FIAML Regulations 2018, current FIU reporting procedures, sector guidance from the Bank of Mauritius and Financial Services Commission, beneficial-ownership rules, targeted-financial-sanctions controls, payment licensing and data-protection requirements into operational actions and audit evidence.
- Reviewed
- 15 July 2026
- Version
- 1.0
- control areas
- 11
- implementation checks
- 58
Direct answer
What does the Mauritius compliance checklist cover?
The Mauritius checklist translates primary KYC, KYB and AML rules into 11 control areas and 58 implementation checks. It identifies the relevant authorities, customer and beneficial-owner controls, reporting duties, recordkeeping expectations and evidence teams should retain.
Key regulatory facts
- Primary AML law
- FIAMLA 2002, as amended
- Financial intelligence unit
- FIU Mauritius
- Banking and payment supervisor
- Bank of Mauritius
- Non-bank financial supervisor
- Financial Services Commission
- Core AML record period
- At least 7 years
- STR deadline
- Within 5 working days after suspicion arose
- FATF status
- Not under increased monitoring
Implementation detail
Mauritius compliance requirements and actions
Open each control area to review the requirement, recommended implementation action, evidence to retain and the primary-source citation used by the research team.
01Confirm scope, authorities and permissionsStart with the statutory reporting-person perimeter, then apply the rules and guidance of the authority supervising the particular entity and activity.5 items+
Document whether each entity and activity is a reporting person under FIAMLA.
- Implementation action
- Map every legal entity, product and customer journey to the FIAMLA definition and Schedule, including financial institutions and the specified designated non-financial businesses and professions. Record the applicable regulatory body or supervisory authority; do not assume that every Mauritius business has identical FIAMLA duties.
- Evidence to retain
- Signed perimeter memorandum; entity-product matrix; reporting-person classification; supervisor map.
- Primary citation
- FIAMLA, ss. 2 and 14; Schedule, as amended
Recognise FIU Mauritius as the national financial intelligence unit and STR recipient.
- Implementation action
- Maintain a controlled channel for FIU registration, electronic STR filing, FIU requests and feedback. FIU is the central agency established under FIAMLA to receive, request, analyse and disseminate relevant financial information.
- Evidence to retain
- FIU registration; goAML organisation profile; nominated contacts; request log.
- Primary citation
- FIAMLA, ss. 9-10 and 14C; Registration by Reporting Person Regulations 2019
Keep Bank of Mauritius and FSC scopes separate.
- Implementation action
- Apply the Bank's AML/CFT/CPF Guideline to banks, non-bank deposit-taking institutions, cash dealers, money lenders and National Payment Systems Act licensees within its stated scope. Apply the FSC AML/CFT Handbook to financial institutions under FSC's non-bank and global-business purview. Treat each as sector guidance issued under supervisory powers, not as a universal replacement for FIAMLA or the Regulations.
- Evidence to retain
- Licence inventory; supervisor-to-obligation matrix; sector-guidance applicability opinion.
- Primary citation
- Bank of Mauritius AML/CFT/CPF Guideline 2020, paras. 2.01-2.06; FSC AML/CFT Handbook, chs. 1-2
Obtain the required financial-services or payment permission before operating.
- Implementation action
- Classify banking, deposit-taking, cash-dealer, money-lending, payment, securities, insurance, global-business, management-company and virtual-asset activities under the relevant enabling law. Verify the licence on the competent authority's current register and map each service to the permission actually granted.
- Evidence to retain
- Licence or authorisation; legal perimeter opinion; service-to-permission map; regulator-register check.
- Primary citation
- Banking Act 2004; National Payment Systems Act 2018; Financial Services Act 2007; VAITOS Act 2021, where applicable
Assign accountable owners across AML, sanctions, company, payment and privacy regimes.
- Implementation action
- Maintain a RACI covering FIU and goAML, Bank or FSC supervision, CBRD beneficial-ownership filings, National Sanctions Secretariat notices, payment licensing and Data Protection Office registration and incident reporting.
- Evidence to retain
- Approved RACI; appointment records; committee terms; regulatory calendar.
- Primary citation
- FIAMLA; FIAML Regulations 2018; Companies Act 2001; Sanctions Act 2019; NPS Act 2018; Data Protection Act 2017
02Build a risk-based AML/CFT/CPF programmeThe statutory programme must connect documented risk assessment, senior-approved controls, competent officers, training and independent assurance.5 items+
Maintain a written, current business risk assessment.
- Implementation action
- Assess customer, country, product, service, transaction, delivery-channel, third-party and technology risks, considering the current national and sector risk assessments. Document methodology, inherent risk, controls, residual risk and action owners; update for material change and before new products or technologies launch.
- Evidence to retain
- Business risk assessment; methodology; data pack; change triggers; mitigation plan.
- Primary citation
- FIAMLA, s. 17(1)-(4); Mauritius Second National ML/TF Risk Assessment 2025
Establish senior-approved policies, controls and procedures proportionate to the business.
- Implementation action
- Cover CDD, beneficial ownership, ongoing monitoring, PEPs, sanctions, STRs, records, reliance, outsourcing, employee screening, training and independent audit. Monitor implementation, review and enhance the controls, and preserve a written record of the policies, changes and internal communication.
- Evidence to retain
- Senior-approved policy suite; control library; version history; communication and training records.
- Primary citation
- FIAMLA, s. 17A
Appoint the required Compliance Officer, MLRO and Deputy MLRO with suitable seniority and access.
- Implementation action
- Document appointments and reporting lines, provide unrestricted access to books, records and staff, and separate compliance oversight from the MLRO's internal-disclosure assessment and external-reporting role. Apply any sector-specific approval or notification requirement imposed by the Bank or FSC.
- Evidence to retain
- Appointment letters; fit-and-proper records; board minutes; access test; succession plan.
- Primary citation
- FIAML Regulations 2018, regs. 22, 26-27; applicable Bank or FSC requirements
Screen employees, train relevant staff and test the programme independently.
- Implementation action
- Apply risk-sensitive recruitment screening and continuing role-based training. Maintain an independent audit function that tests legal compliance and control effectiveness; set scope and frequency according to risk and applicable supervisory guidance rather than assuming a single statutory calendar for all sectors.
- Evidence to retain
- Screening files; training curriculum and attendance; independent audit plan and reports; remediation log.
- Primary citation
- FIAML Regulations 2018, reg. 22; FSC AML/CFT Handbook, chs. 12-13; Bank AML/CFT/CPF Guideline 2020
Apply group-wide and foreign-branch controls where relevant.
- Implementation action
- For a financial group, implement group policies, information-sharing safeguards and consistent controls across branches and majority-owned subsidiaries, subject to local-law constraints. Escalate any host-country impediment to the home supervisor and apply additional risk measures.
- Evidence to retain
- Group policy; jurisdiction gap analysis; information-sharing protocol; supervisor correspondence.
- Primary citation
- FIAML Regulations 2018, regs. 23-24; applicable Bank or FSC guidance
03Identify and verify individual customersCDD must establish the customer, anyone acting for the customer, the beneficial owner and the intended relationship using reliable, independent evidence.6 items+
Do not establish or maintain anonymous or fictitious-name accounts.
- Implementation action
- Configure onboarding and account controls to require a verified legal identity and to block fabricated, placeholder or materially inconsistent identity information.
- Evidence to retain
- Account-opening rules; blocked test cases; exception log.
- Primary citation
- FIAMLA, s. 17B
Identify and verify the customer and beneficial owner using reliable, independent sources.
- Implementation action
- Collect the prescribed natural-person information and verify it through valid official documents, data or information appropriate to the risk and channel. Identify and verify any representative and confirm the representative's authority to act.
- Evidence to retain
- Customer file; identity evidence; verification provenance; mandate or authority record.
- Primary citation
- FIAML Regulations 2018, regs. 3-4 and 8
Understand the purpose and intended nature of the relationship or occasional transaction.
- Implementation action
- Record the expected products, activity, counterparties, source and destination patterns and commercial rationale needed to create a defensible customer-risk and monitoring profile.
- Evidence to retain
- Purpose statement; expected-activity profile; risk score and rationale.
- Primary citation
- FIAML Regulations 2018, reg. 3(1)(d)
Apply CDD at every statutory trigger.
- Implementation action
- Trigger CDD when establishing a business relationship; conducting an occasional transaction at or above the prescribed threshold, including linked transactions, or a wire transfer in the circumstances specified by the Regulations; where ML/TF is suspected; and where there are doubts about previously obtained identification data. Keep any prescribed amount in a controlled legal register rather than hard-coding an unsupported universal threshold.
- Evidence to retain
- CDD trigger matrix; threshold register; workflow configuration; test results.
- Primary citation
- FIAML Regulations 2018, reg. 8
Verify identity before or during establishment and tightly control any permitted deferral.
- Implementation action
- Complete verification before or during establishment of the relationship or the occasional transaction. Defer completion only where the Regulation's conditions are met: it is essential not to interrupt normal business, verification occurs as soon as reasonably practicable and ML/TF risks are effectively managed. Use documented risk limits that prevent unrestricted use before completion.
- Evidence to retain
- Verification timestamps; deferral approval; restricted-service controls; completion monitoring.
- Primary citation
- FIAML Regulations 2018, reg. 9
Do not proceed where required CDD or EDD cannot be completed.
- Implementation action
- Do not open the account, commence the relationship or perform the transaction, or terminate the relationship as applicable, and file an STR where required. Preserve the decision without alerting the customer to an STR or related analysis.
- Evidence to retain
- Decline or exit record; investigation file; STR decision and filing reference; access restrictions.
- Primary citation
- FIAML Regulations 2018, regs. 12(3) and 13; FIAMLA, ss. 14 and 16
04Verify businesses and beneficial ownersKYB must establish legal existence, governing powers, ownership and control, then trace the customer to the natural persons who ultimately own or control it.5 items+
Verify the legal person's identity, status and authority structure.
- Implementation action
- Obtain and verify the name, legal form and proof of existence, constitutional or governing instruments, powers that regulate and bind the entity, registered office and principal place of business, and relevant senior managing persons and authorised signatories.
- Evidence to retain
- Current CBRD or foreign-registry extract; constitutional documents; director and signatory records; address checks.
- Primary citation
- FIAML Regulations 2018, regs. 3 and 5
Apply the statutory legal-person beneficial-owner cascade accurately.
- Implementation action
- Identify and take reasonable measures to verify every natural person who ultimately has an ownership interest of 20 per cent or more. Where ownership does not identify the beneficial owner or there is doubt, identify control through other means; if no natural person is identified, record the relevant senior managing official. Preserve the actions taken and difficulties encountered.
- Evidence to retain
- Layered ownership chart; percentage calculation; control analysis; senior-manager fallback rationale; verification record.
- Primary citation
- FIAML Regulations 2018, reg. 6
Identify all relevant parties to trusts and similar arrangements.
- Implementation action
- For a trust, identify and reasonably verify the settlor, trustee, beneficiaries or class of beneficiaries, and where applicable the protector or enforcer, plus any other natural person exercising ultimate effective control. Identify equivalent persons for other legal arrangements.
- Evidence to retain
- Trust deed; party register; control chart; verified identity files; change undertaking.
- Primary citation
- FIAML Regulations 2018, reg. 7
Reconcile CBRD information without treating the registry as conclusive CDD.
- Implementation action
- Compare registry, constitutional, customer and independent evidence, investigate discrepancies and document why the identified natural persons satisfy the AML cascade. Obtain current information rather than relying only on a certificate or customer declaration.
- Evidence to retain
- CBRD search; discrepancy log; corroborating evidence; approved BO conclusion.
- Primary citation
- FIAML Regulations 2018, regs. 5-7; Companies Act 2001, ss. 11 and 91
Meet the company's own beneficial-ownership register and filing duties.
- Implementation action
- For a Mauritius company, maintain the separate, accurate and up-to-date register required by section 91, including the ownership structure and applicable nominee information; preserve records of identification action and the beneficial owner's written declaration; make information available forthwith to competent authorities. Confirm CBRIS filing events and deadlines, including the current change-filing rules. Companies incorporated before the relevant 2025 amendment had to meet the new declaration requirement by 30 June 2026.
- Evidence to retain
- Section 91 register; written BO or UBO declarations; CBRIS receipts; change log; authority-access procedure.
- Primary citation
- Companies Act 2001, ss. 11 and 91, as amended by Act 10 of 2024 and Finance Act 2025
05Apply PEP, enhanced and remote due diligenceHigher-risk relationships require stronger information, approval, source and monitoring controls, while remote onboarding must achieve reliable identity assurance.5 items+
Detect foreign, domestic and international-organisation PEPs, including applicable family members and close associates.
- Implementation action
- Use risk-based systems to determine whether the customer or beneficial owner is a PEP and establish the connected-person relationship. Do not use database screening as a substitute for customer and ownership analysis.
- Evidence to retain
- PEP screening result; relationship analysis; match disposition; review history.
- Primary citation
- FIAML Regulations 2018, regs. 2 and 15
Apply the full foreign-PEP measures and risk-based domestic or international-organisation PEP measures.
- Implementation action
- For a foreign PEP who is a customer or beneficial owner, obtain senior-management approval, take reasonable measures to establish source of wealth and source of funds, and conduct enhanced ongoing monitoring. Apply those measures to domestic and international-organisation PEPs where the relationship is higher risk, in accordance with regulation 15.
- Evidence to retain
- Senior approval; source-of-wealth and source-of-funds corroboration; enhanced monitoring plan.
- Primary citation
- FIAML Regulations 2018, reg. 15
Apply enhanced CDD whenever higher ML/TF risk is identified.
- Implementation action
- Obtain additional customer, ownership, purpose, source-of-funds or source-of-wealth and transaction information, obtain senior approval where appropriate and increase monitoring in proportion to the identified risk. Apply relevant measures for countries identified by competent authorities or FATF, without treating nationality alone as a conclusion.
- Evidence to retain
- EDD checklist; enhanced evidence; approval; monitoring configuration; review schedule.
- Primary citation
- FIAML Regulations 2018, reg. 12; applicable Bank or FSC guidance
Use simplified CDD only for a substantiated lower-risk case.
- Implementation action
- Document why the lower risk is consistent with the latest national or supervisory risk assessment and apply measures commensurate with that risk. Do not use simplified CDD where there is knowledge, suspicion or reasonable grounds concerning ML/TF or another person acting behind the transaction.
- Evidence to retain
- Lower-risk rationale; NRA mapping; approved simplified measures; exclusion tests.
- Primary citation
- FIAML Regulations 2018, reg. 11
Control non-face-to-face and new-technology risk before launch.
- Implementation action
- Assess impersonation, document fraud, device, cyber, data, outsourcing and transaction risks; implement proportionate authentication, liveness or equivalent presence controls where used, reliable document checks, fraud controls and escalation. Follow the additional Bank or FSC expectations applicable to the licensee.
- Evidence to retain
- Channel risk assessment; vendor due diligence; model and liveness tests; exception and incident logs.
- Primary citation
- FIAMLA, s. 17(3); FIAML Regulations 2018; Bank AML/CFT/CPF Guideline 2020; FSC AML/CFT Handbook
06Monitor activity and report suspicionMonitoring must stay aligned with current customer information and route suspicious completed, proposed and attempted activity confidentially to FIU through goAML.6 items+
Conduct ongoing monitoring throughout every business relationship.
- Implementation action
- Scrutinise transactions, including source of funds where necessary, for consistency with the customer, business and risk profile; keep CDD data current and relevant, with particular attention to higher-risk customers.
- Evidence to retain
- Monitoring scenarios; alert history; customer reviews; profile updates; tuning decisions.
- Primary citation
- FIAML Regulations 2018, reg. 3(1)(e)
Examine complex, unusually large, unusual-pattern and apparently purposeless activity.
- Implementation action
- Investigate background, purpose, parties, source and destination; record the analysis and determine whether an internal disclosure and external STR are required. Calibrate monitoring to the business model rather than relying on generic rules alone.
- Evidence to retain
- Case file; supporting information; analyst rationale; escalation decision.
- Primary citation
- FIAML Regulations 2018, regs. 12 and 28-29; applicable Bank or FSC guidance
File an STR within 5 working days after suspicion arose.
- Implementation action
- The reporting person or auditor must file electronically with FIU through the production goAML environment no later than 5 working days after the suspicion arose. Cover completed, proposed and attempted transactions where the statutory suspicion test is met; do not wait for proof of an offence.
- Evidence to retain
- Suspicion timestamp; MLRO assessment; goAML acknowledgement; deadline-control report.
- Primary citation
- FIAMLA, s. 14(1); FIU STR reporting page; FIU Guidance Note 4
Register the reporting person and maintain production goAML readiness.
- Implementation action
- Complete FIU organisation registration through the MLRO, maintain authorised users, delegation and current contact details, test access and retain a controlled contingency process consistent with FIU instructions.
- Evidence to retain
- Registration acceptance; user register; access test; delegation record; continuity exercise.
- Primary citation
- FIAMLA, s. 14C; Registration by Reporting Person Regulations 2019; FIU goAML guides
Protect STR confidentiality and prevent tipping off.
- Implementation action
- Restrict STR, internal disclosure and FIU-request information to authorised personnel; ensure customer communications, exits and information requests do not reveal that an STR has been or will be made or that an investigation is underway.
- Evidence to retain
- Need-to-know matrix; confidential case repository; disclosure log; staff training.
- Primary citation
- FIAMLA, ss. 16 and 16A; FIU Guidance Note 4
Respond promptly and completely to lawful FIU and supervisory requests.
- Implementation action
- Preserve data lineage, identify an accountable response owner, authenticate the request, provide complete records securely and retain the request, response and approval trail without compromising confidentiality.
- Evidence to retain
- Request register; response package; approval and delivery evidence; legal hold.
- Primary citation
- FIAMLA, ss. 10, 19E and 19J-19K
07Implement targeted financial sanctionsUN and domestic designations require screening, immediate prohibitions and freezing, prescribed reporting and strict controls against making assets or services available.5 items+
Screen against both listed-party and designated-party information.
- Implementation action
- Screen customers, beneficial owners, controllers, counterparties, payees and relevant transaction parties at onboarding, before execution and promptly after list updates. Use the National Sanctions Secretariat and UN lists and record fuzzy-match and ownership-control logic.
- Evidence to retain
- List inventory; screening logs; update timestamps; match procedures; control tests.
- Primary citation
- Sanctions Act 2019, ss. 7, 18-25 and 41; National Sanctions Secretariat guidance
Apply prohibitions and freezes immediately.
- Implementation action
- Where the Act requires a prohibition or freeze, do not deal with the funds or other assets and do not make funds, assets or services available, directly or indirectly, to or for the benefit of the listed or designated party. In the Act, immediately means without delay and no later than 24 hours.
- Evidence to retain
- Freeze timestamp; blocked-transaction record; asset inventory; legal and compliance decision.
- Primary citation
- Sanctions Act 2019, ss. 18-25 and definition of immediately
Submit the prescribed match and asset reports to the correct authorities.
- Implementation action
- Report screening outcomes, including funds or no funds identified where required by the applicable procedure, to the National Sanctions Secretariat and the AML/CFT supervisor. Where information relating to a listed party is known to a reporting person, submit it immediately to FIU under the statutory route and file an STR where required.
- Evidence to retain
- NSSEC report; supervisor report; FIU STR acknowledgement; zero-asset or positive-asset evidence.
- Primary citation
- Sanctions Act 2019, ss. 25 and 39-41; FIU TFS FAQ; applicable Bank or FSC procedure
Do not release frozen assets without lawful authority.
- Implementation action
- Maintain the freeze until delisting, lapse, court or statutory authorisation, and process permitted expenses or other exceptions only through the prescribed procedure. Verify delisting before unfreezing and preserve the approval trail.
- Evidence to retain
- Freeze register; licence or order; delisting verification; unfreeze approval and timestamp.
- Primary citation
- Sanctions Act 2019, ss. 26-34; National Sanctions Secretariat guidance
Test sanctions controls independently.
- Implementation action
- Test list ingestion, aliases, transliteration, ownership and control, rescreening, payment interdiction, case escalation, reporting and unfreezing. Document gaps and remediate without waiting for a live match.
- Evidence to retain
- Sanctions test plan; seeded-match results; issue register; remediation evidence.
- Primary citation
- Sanctions Act 2019, ss. 40-41; Bank TFS implementation page; FSC TFS guidance
08Retain records and support reconstructionAML records must remain complete, retrievable and sufficient to reconstruct customers, decisions and transactions over the statutory period.5 items+
Retain customer and beneficial-owner records for at least 7 years after the relationship ends.
- Implementation action
- Keep identification and verification evidence, ownership and control analysis, customer risk assessments and business correspondence for at least 7 years after termination of the business relationship, subject to any longer lawful hold or sector rule.
- Evidence to retain
- Retention schedule; lifecycle configuration; sample retrieval; legal-hold register.
- Primary citation
- FIAMLA, s. 17F; FIAML Regulations 2018, reg. 14
Retain domestic and international transaction records for at least 7 years after completion.
- Implementation action
- Preserve sufficient originator, beneficiary, amount, currency, date, account, channel, agent, screening and decision data to reconstruct each transaction and answer FIU or supervisory requests swiftly.
- Evidence to retain
- Transaction archive; data-lineage map; reconstruction test; access log.
- Primary citation
- FIAMLA, s. 17F; FIAML Regulations 2018, reg. 14
Retain each STR and its supporting record for at least 7 years from filing.
- Implementation action
- Store the internal disclosure, MLRO assessment, supporting evidence, filed report, acknowledgement and any FIU correspondence in a segregated, access-controlled repository.
- Evidence to retain
- STR archive; goAML receipt; access matrix; retrieval test.
- Primary citation
- FIAML Regulations 2018, regs. 14 and 27-29; FIU Guidance Note 4
Extend retention when a competent authority requires it.
- Implementation action
- Implement legal holds capable of overriding ordinary deletion where FIU, the Bank, FSC, an investigatory authority or another competent authority requires records to be preserved for longer.
- Evidence to retain
- Legal-hold notice; system lock; release approval; audit trail.
- Primary citation
- FIAML Regulations 2018, reg. 14; applicable FIU, Bank or FSC requirement
Make records swiftly available without weakening confidentiality.
- Implementation action
- Index records by customer, beneficial owner, account, transaction and case; test retrieval and controlled export; ensure only authorised persons can access STR and sanctions information.
- Evidence to retain
- Retrieval service levels; access logs; test reports; secure-delivery procedure.
- Primary citation
- FIAML Regulations 2018, regs. 14 and 22(2); FIAMLA, ss. 16 and 19J-19K
09Protect personal and biometric dataKYC, screening and monitoring data remain subject to the Data Protection Act 2017 even where processing is necessary for a legal AML obligation.6 items+
Register as a controller and, where applicable, as a processor before processing.
- Implementation action
- Complete the Data Protection Office registration applicable to each legal role. Registration certificates are valid for 3 years; renew them and notify changes in registered particulars within 14 days. Designate the officer responsible for data-protection compliance.
- Evidence to retain
- Controller or processor certificate; renewal calendar; change notices; DPO appointment.
- Primary citation
- Data Protection Act 2017, ss. 14-18 and 22(2)(e); Data Protection (Fees) Regulations 2020
Map every KYC processing purpose to a lawful basis and minimise collection.
- Implementation action
- Document purposes, lawful grounds, necessity, data categories, recipients, retention, rights and security for identity, biometric, device, transaction, screening and investigation data. Separate mandatory compliance processing from optional analytics and marketing.
- Evidence to retain
- Record of processing; lawful-basis assessment; privacy notice; minimisation review.
- Primary citation
- Data Protection Act 2017, ss. 22-23 and 27-33
Apply special-category safeguards to biometrics, offences and PEP-related data.
- Implementation action
- Treat biometric data uniquely identifying a person and offence or alleged-offence information as special-category data. Document the section 28 lawful basis and the additional section 29 condition, limit access and protect templates and source images throughout their lifecycle.
- Evidence to retain
- Special-category assessment; biometric architecture; access controls; deletion and security tests.
- Primary citation
- Data Protection Act 2017, ss. 2, 28-29 and 31
Complete a DPIA before high-risk identity or monitoring processing.
- Implementation action
- Perform a data-protection impact assessment before processing likely to create high risk, including large-scale special-category processing or systematic and extensive automated evaluation with significant effects. Consult the Office where residual high risk or another consultation trigger remains.
- Evidence to retain
- DPIA; necessity and proportionality assessment; mitigation plan; consultation record.
- Primary citation
- Data Protection Act 2017, ss. 34-35
Control transfers of personal data outside Mauritius.
- Implementation action
- Map every cloud, verification, screening and support location and satisfy one of the section 36 transfer conditions. Where appropriate safeguards cannot be provided, obtain the Office's prior authorisation under section 35 rather than relying on an undisclosed offshore processor.
- Evidence to retain
- Transfer map; safeguards; contracts; explicit-consent record where applicable; DPO authorisation.
- Primary citation
- Data Protection Act 2017, ss. 35-36
Operate the statutory personal-data-breach workflow.
- Implementation action
- Require processors to notify the controller without undue delay. Unless the breach is unlikely to create risk to rights and freedoms, notify the Commissioner no later than 72 hours after awareness, explain delay where applicable and communicate high-risk breaches to affected persons as required.
- Evidence to retain
- Incident log; awareness timestamp; DPO notification; data-subject communication; lessons learned.
- Primary citation
- Data Protection Act 2017, ss. 25-26
10Operate payment-service controlsPayment products add Bank of Mauritius licensing, governance, security, safeguarding and reporting duties to the general FIAMLA baseline.5 items+
Obtain Bank authorisation or a payment-service-provider licence where required.
- Implementation action
- Classify system-operation, clearing, settlement and payment services under the National Payment Systems Act and the 2021 Regulations as amended in 2024. Submit the prescribed application and do not rely on a technology-provider label to conduct a regulated service without permission.
- Evidence to retain
- NPS legal classification; authorisation or licence; application file; conditions register.
- Primary citation
- National Payment Systems Act 2018; NPS (Authorisation and Licensing) Regulations 2021, as amended in 2024
Provide only the services and functions covered by the permission.
- Implementation action
- Map acquiring, payment-account, transfer, card, cash-in or cash-out, payment-initiation, aggregation and other functions to the licence and current Bank framework. Verify counterparties on the Bank's current licensee list.
- Evidence to retain
- Service-to-licence map; regulator-register check; partner due diligence; product approval.
- Primary citation
- NPS Act 2018; NPS licensing regulations; Bank of Mauritius payment licensee register
Apply the Bank AML/CFT/CPF Guideline to NPS licensees within scope.
- Implementation action
- Implement the Guideline's customer-risk, CDD, monitoring, wire-transfer, record, governance and sanctions expectations in addition to FIAMLA and the Regulations. Do not present the Bank Guideline as governing an FSC-only licensee outside the Bank's stated scope.
- Evidence to retain
- Bank-guideline gap analysis; control map; board approval; supervisory-return calendar.
- Primary citation
- Bank of Mauritius AML/CFT/CPF Guideline 2020, paras. 2.01-2.06
Maintain safe, secure, efficient and resilient payment operations.
- Implementation action
- Implement governance, access, fraud, cyber, continuity, reconciliation, incident and customer-protection controls required by the Act, licence conditions and current Bank directives or guidelines. Preserve complete transaction traceability for AML monitoring and authority requests.
- Evidence to retain
- Governance records; security architecture; reconciliations; continuity tests; incident reports.
- Primary citation
- National Payment Systems Act 2018, including ss. 17 and 24; applicable Bank directives and licence conditions
Apply the July 2026 Payment Aggregator Guideline only where the activity falls within its scope.
- Implementation action
- For an aggregator model, assess the current Bank Guideline for Payment Aggregators, licensing position, merchant due diligence, settlement, risk, security and consumer obligations. Record which provisions are binding through the Act, licence or direction and which are supervisory guidance.
- Evidence to retain
- Aggregator perimeter assessment; merchant-control framework; settlement map; Bank correspondence.
- Primary citation
- Bank of Mauritius Guidelines page; Guideline for Payment Aggregators, 10 July 2026
11Launch, oversee and evidence compliancePublication-ready policies are not enough; every rule needs an owner, tested system implementation and retrievable evidence.5 items+
Run a documented pre-launch regulatory gate.
- Implementation action
- Confirm perimeter, licences, FIU and goAML registration, CDD and beneficial-owner rules, PEP and sanctions controls, monitoring, records, CBRD status, Data Protection Office registration and DPIA, payment permission, outsourcing and incident readiness before production.
- Evidence to retain
- Launch checklist; accountable approvals; unresolved-risk register; production decision.
- Primary citation
- FIAMLA; FIAML Regulations 2018; applicable Bank, FSC, CBRD, NSSEC and DPO instruments
Control reliance and outsourcing without transferring responsibility.
- Implementation action
- Use third-party CDD reliance only where the statutory conditions are met, obtain core CDD information immediately and ensure identification documents are available without delay. Assess processors and technology providers, contract security and audit rights and maintain the reporting person's responsibility.
- Evidence to retain
- Third-party assessment; reliance decision; contract; data-access test; exit plan.
- Primary citation
- FIAMLA, ss. 17D-17F; FIAML Regulations 2018, reg. 21; applicable Bank or FSC outsourcing guidance
Track legal and supervisory change from the primary authorities.
- Implementation action
- Monitor FIU, Bank, FSC, CBRD, National Sanctions Secretariat, Data Protection Office and FATF publications. Treat bills and consultation papers as horizon-scanning items until enacted or brought into force, and update controls only against verified legal status.
- Evidence to retain
- Legal inventory; alert subscriptions; impact assessments; implementation tickets.
- Primary citation
- Official FIU, Bank, FSC, CBRD, NSSEC, DPO and FATF publications
Test control effectiveness and remediate findings.
- Implementation action
- Use risk-based compliance monitoring and independent audit to test onboarding, beneficial ownership, PEPs, sanctions, payment, transaction monitoring, STR, privacy and recordkeeping controls. Report material deficiencies to senior management and the board and track them to evidence-based closure.
- Evidence to retain
- Monitoring plan; audit reports; issue register; governance reporting; closure evidence.
- Primary citation
- FIAML Regulations 2018, reg. 22; Bank AML/CFT/CPF Guideline 2020; FSC AML/CFT Handbook
Preserve a defensible control-to-law record.
- Implementation action
- For every material obligation, retain the primary source, interpretation, scope, configuration, test, owner, approval and effective date. Label Bank and FSC guidance as guidance and the VOVE article as contextual implementation material, not legal authority.
- Evidence to retain
- Obligations register; control-to-law map; source archive; approvals; release and test history.
- Primary citation
- FIAMLA, ss. 17 and 17A; applicable primary and sector sources

11 control areas and 58 implementation checks, with direct regulatory sources.
Download the Mauritius KYC, KYB & AML checklist
Share your work details for immediate access to the source-linked Mauritius implementation checklist. Regulatory review date: 15 July 2026.
Get the PDF immediately
Submit your details and the download starts automatically
Reviewed and source-linked
Version 1.0, reviewed 15 July 2026
Trusted by leading compliance teams
Primary-source register
28 sources used for this checklist
Use these links to verify the underlying legislation, regulator guidance, reporting procedures and international status statements.
- Financial Intelligence and Anti-Money Laundering Act 2002, current Bank of Mauritius publicationBank of Mauritius · Primary legislation
- FIAMLA consolidation updated as at 2024Financial Intelligence Unit Mauritius · Primary legislation consolidation
- Financial Intelligence and Anti-Money Laundering Regulations 2018Bank of Mauritius · Primary regulation
- Financial Intelligence and Anti-Money Laundering (Registration by Reporting Person) Regulations 2019Bank of Mauritius · Primary regulation
- Financial Intelligence and Anti-Money Laundering (Administrative Penalties) Regulations 2025Financial Intelligence Unit Mauritius · Primary regulation
- Report a Suspicious Transaction: 5-working-day deadline and electronic filingFinancial Intelligence Unit Mauritius · Official reporting procedure
- goAML production environment and registration resourcesFinancial Intelligence Unit Mauritius · Official reporting portal
- Guidance Note 4 on suspicious transaction reportingFinancial Intelligence Unit Mauritius · Official FIU guidance
- AML/CFT/CPF framework, 2025 national risk assessment and 2026-2029 strategyBank of Mauritius · Official AML portal
- Guideline on AML/CFT and Proliferation, January 2020Bank of Mauritius · Sector supervisory guidance
- Current FSC AML/CFT Handbook landing pageFinancial Services Commission Mauritius · Official sector guidance portal
- FSC AML/CFT Handbook, current published PDFFinancial Services Commission Mauritius · Sector supervisory guidance
- Companies Act 2001, amended through the Finance Act 2025Corporate and Business Registration Department · Primary legislation
- AML/CFT/CPF (Miscellaneous Provisions) Act 2024, including company beneficial-ownership amendmentsNational Assembly of Mauritius · Primary amending legislation
- United Nations Sanctions Act 2019, current 2026 consolidationNational Sanctions Secretariat · Primary legislation
- National Sanctions Secretariat legislation and current list resourcesNational Sanctions Secretariat · Official sanctions portal
- Guidelines on implementation of targeted financial sanctionsGovernment of Mauritius · Official sanctions guidance
- Implementation of targeted sanctions and reporting expectationsBank of Mauritius · Official supervisory procedure
- National Payment Systems Act 2018, current Bank of Mauritius publicationBank of Mauritius · Primary legislation
- National Payment Systems (Authorisation and Licensing) Regulations 2021Bank of Mauritius · Primary regulation
- National Payment Systems licensing and current licensee registerBank of Mauritius · Official licensing portal
- Payment-system guidelines, including Guideline for Payment Aggregators dated 10 July 2026Bank of Mauritius · Official sector guidance portal
- Data Protection Act 2017Data Protection Office Mauritius · Primary legislation
- Registration and renewal of controllers and processorsData Protection Office Mauritius · Official registration procedure
- Data Protection (Fees) Regulations 2020 and registration formsData Protection Office Mauritius · Primary regulation and official forms
- Jurisdictions under increased monitoring, 19 June 2026FATF · Official FATF statement
- Mauritius removed from increased monitoring, October 2021FATF · Official FATF statement
- AML Compliance in Mauritius 2026VOVE ID · Contextual implementation guide; not legal authority
Direct answers
Mauritius KYC, KYB and AML questions
Who supervises AML compliance in Mauritius?+
FIU Mauritius receives and analyses STRs and directly regulates specified professions and occupations within its remit. The Bank of Mauritius supervises banks, non-bank deposit-taking institutions, cash dealers, money lenders and National Payment Systems Act licensees within its scope. FSC supervises the non-bank financial-services and global-business sectors under its purview. The statutory FIAMLA baseline applies according to reporting-person status, while Bank and FSC handbooks or guidelines remain sector-specific.
When must a suspicious transaction report be filed?+
FIAMLA section 14(1) and FIU's official reporting page require the reporting person or auditor to file with FIU within 5 working days after the suspicion arose. The obligation covers suspicious completed, proposed and attempted transactions. Filing is electronic through the production goAML environment, and the customer must not be tipped off.
What beneficial-owner threshold applies for AML customer due diligence?+
FIAML Regulations 2018 regulation 6 requires identification and reasonable verification of every natural person who ultimately has an ownership interest of 20 per cent or more in a legal-person customer. If ownership does not identify the beneficial owner or there is doubt, identify control through other means; if no natural person is identified, use the relevant senior-managing-official fallback. This AML cascade is distinct from, and must be reconciled with, the company's own Companies Act section 91 register and filing duties.
How long must AML records be kept?+
Core FIAMLA and FIAML Regulations records are generally retained for at least 7 years: customer and beneficial-owner identification and business correspondence after the relationship ends, transaction records after completion, and STR records from filing. A competent authority, legal hold or applicable sector rule may require longer retention.
Can a fintech onboard customers fully online?+
The law does not create a blanket prohibition on remote onboarding, but the reporting person must reliably identify and verify the customer and beneficial owner, assess new-technology and non-face-to-face risks, and apply controls proportionate to those risks. Any permitted deferred verification must meet regulation 9's conditions and be completed as soon as reasonably practicable. Bank- and FSC-supervised firms must also follow their own sector guidance.
What must be done for a sanctions match?+
Screen against current UN listed-party and Mauritius designated-party information. Where the Sanctions Act requires it, prohibit dealings and freeze immediately, meaning without delay and no later than 24 hours; do not make assets or services available; report through the prescribed National Sanctions Secretariat and supervisory channels; and immediately submit known listed-party information to FIU, including an STR where required. Do not unfreeze without lawful authority or verified delisting.
Must KYC data controllers and processors register with the Data Protection Office?+
Yes, section 14 of the Data Protection Act 2017 requires controllers and processors to register. Certificates are valid for 3 years, registered changes must be notified within 14 days, and an officer responsible for data-protection compliance must be designated. High-risk biometric or automated processing may also require a DPIA and consultation, and cross-border transfers must meet section 36.
Is Mauritius on the FATF grey list?+
No. FATF removed Mauritius from increased monitoring in October 2021, and Mauritius is not named on the FATF increased-monitoring list dated 19 June 2026. This does not eliminate domestic risk-based CDD, enhanced due diligence, sanctions or reporting obligations.
Research and review method
VOVE ID Compliance Research maps the regulatory perimeter, translates obligations into operational controls, links each material claim to a source and records the date and version of every review.
VOVE ID Compliance Research · Reviewed 15 July 2026 · Version 1.0
This checklist is general information, not legal advice. It reflects official materials available on 15 July 2026. Applicability depends on the entity, licence, product, customer and sector. Confirm current requirements, reporting formats, supervisory expectations, payment permissions, sanctions notices and privacy filings with FIU Mauritius, the Bank of Mauritius, the Financial Services Commission, the National Sanctions Secretariat, the Corporate and Business Registration Department, the Data Protection Office and qualified Mauritian counsel before launch.