Business Licensing

VASP License in Mauritius – Governance, Custody, and AML/CFT Essentials for Global Founders 

Mauritius AML/CFT requirements

Mauritius is an ideal jurisdiction for crypto business with a regulatory framework that is in line with the FATF VASP requirements. Applying for a Mauritius VASP license has become one of the most attractive crypto business jurisdictions for businesses.  

The Financial Services Commission (FSC) of Mauritius has made it clear that it will grant licenses to companies that have proper governance and custody. Many applications are rejected not because of their business model, but because either their governance, key personnel, or custody models have not reached the relevant standards. 

Regardless of whether you are just planning on registering a cryptocurrency business in Mauritius or are already at the stage of applying for Mauritius VASP registration, this guide will cover governance, custody, and compliance patterns that will pass regulatory scrutiny, as well as pitfalls to avoid. Post company registration in Mauritius, most global business owners explore major fintech and crypto licenses.  

Let’s understand what a Mauritius Virtual Asset Service Provider is

In Mauritius, a Virtual Asset Service Provider (VASP) is any entity that enables the transfer, exchange, protection, or issuance of virtual assets, including cryptocurrencies and digital tokens. The Virtual Asset and Initial Token Offering Services Act (VAITOS Act) regulates all the activities, and this aligns Mauritius with global standards for digital asset regulation in Africa.

The FSC Mauritius has classified VASPs into several categories: 

  • Exchange/platform operators 
  • Custody providers 
  • Broker/OTC desks 
  • Token issuers 
  • Portfolio managers 

All the above categories have their own distinct capital, licensing, and AML/CFT obligations for virtual  asset providers. For instance, custody providers must provide crypto custody architecture, proof of  reserves, and separation of assets. Token issuers, on the other hand, have to follow tougher rules around disclosure and governance. 

The first step to secure an FSC Mauritius crypto license is when you understand the classification and structuring of a compliant, scalable crypto business in Mauritius. 

Also Read : How to Register a Company in Solomon Islands as a Foreigner?

Why Governance & Custody Matter to Regulators? 

While licensing Virtual Asset Service Providers (VASPs), Mauritius regulates two primary goals: first, to protect clients’ assets, and second, to ensure financial integrity through AML/CFT compliance. These two goals guide how the Financial Services Commission (FSC) considers applications for a VASP license in Mauritius. 

The risk lens of the regulator emphasizes: 

  • Operational resilience 
  • Assets segregation 
  • Duty segregation 
  • Access controls 
  • Conflict-of-interest management 
  • Continuity planning 

The most common reasons for license rejection or enforcement are because of governance failures. Additionally, applicants fail to demonstrate the governance framework that guarantees transparency, accountability, and risk mitigation instead of just mentioning technical capability. 

VASP Classes & the Regulatory Expectations 

Each VASP class in Mauritius has its own individual governance and custody expectations. The first step to form a compliant license application is to identify your VASP class. 

Identify your VASP class: 

VASP Class Governance & Custody Requirements Regulator Will Ask For 
Exchange / Trading Platform Independent custody, client asset segregation, reconciliation, and internal audit Proof of segregation and audit trail 
Custodian / Wallet Provider Multi tier controls, insurance, cold/hot wallet policy, proof of reserves Third party attest and wallet architecture 
Broker / Over-The- Counter Desk Integrated KYC/EDD, monitoring of transactions, and policies for managing conflicts of interest AML manual and monitoring to ls 
Issuer / Token Project Token governance, smart contract audits, treasury custody, and vesting controls Smart contract audit report and treasury standard operating procedures (SOPs) 
Portfolio Manager / Fund Segregation of client funds and trustee arrangements, and fee governance Trustee arrangement and fee policy 

It is essential to understand your classification, as it is easier to integrate your governance, custody, and 

AML/CFT frameworks with Mauritius VASP requirements.

Governance: Board, Policies & People That Pass 

Always remember that governance is both documentary (evidence and policies) and structural (board and committees). A clear note of accountability and proof of implementation is expected by the regulators. 

Here is a step-by-step description of the governance framework that a VASP in Mauritius must establish to meet regulatory expectations. 

Step 1: Board and Senior Management 

  • Independent board members with financial, tech, and compliance experience. 
  • Must have defined roles such as CEO, MLRO, CTO, CISO, and Head of Custody. 
  • Board minutes and conflict-of-interest registers. 

Step 2: Committees and Reporting Lines 

  • Risk, audit, and compliance committees. 
  • Direct reporting lines from the Money Laundering Reporting Officer/Chief Information Security Officer to the board. 

Step 3: Policies and Evidence 

  • Written policies such as Governance, Risk, InfoSec, Crypto Custody, Business Continuity, Incident Response, and Outsourcing. 
  • Living behind evidence, such as logs, board packs, internal audits, and third-party reviews.  

Step 4: Vendor and Outsourcing Governance

 

  • Custodian due diligence, Service Level Agreements, penetration testing, and sub-custodian oversight. 
  • Policies that are implemented, not just written; regulators want proof of that. 

Technology and Custody Architecture That Regulators Will Accept 

Custody is both technical and organizational, whereas regulators consider architecture, controls, and operational resilience. 

To know your crypto custody is safe, regulator-ready, and auditable, follow the steps below explaining how to design, secure, and prove: 

Step 1: Custody Models 

  • Full segregation with licensed third-party custodians: preferred for client assets. 
  • In-house custody: acceptable with strong governance, audits, and insurance. 
  • Hybrid: cold storage for reserves, along with hot wallets for operations with exposure limits. 

Step 2: Key Technical Controls 

  • Multi-party computation (MPC) or multi-sig. 
  • Hardware Security Modules (HSMs). 
  • Separation of signing versus operational authority. 
  • Tamper-proof audit trails, immutable logs. 
  • Secure Software Development Life Cycle (SDLC) and smart contract audits. 

Step 3: Operational Controls 

  • Wallet reconciliation, proof-of-reserves, and role-based access. 
  • Transaction approval workflows and incident playbooks. 
  • Penetration testing and third-party security assessments. 

Step 4: Insurance & Attestations 

  • Custody versus operational risk coverage. 
  • SOC 2, ISAE 3402, PCAOB-style attestations. 

You must include a custody diagram showing hot/cold wallets, key holders, and third-party custodians. 

AML/CFT Expectations: What Passes 

Anti-Money Laundering (AML) or Counter Financing of Terrorism (CFT) is a core pass/fail area for Virtual Asset Service Provider (VASP) compliance in Mauritius. Regulators assess systems, culture, and reporting. 

Below are the steps explaining how a VASP should detect, prevent, and report financial crime risks while  serving  regulators so that it functions ethically and transparently. 

Step 1: KYC & EDD 

  • Risk-based KYC tiers. 
  • Ongoing monitoring process. 
  • Enhanced Due Diligence (EDD) for Politically Exposed Persons (PEPs) and high-risk jurisdictions. 

Step 2: Transaction Monitoring 

  • Provide real-time alerts. 
  • Rules for mixing or tumbling and source-of-funds logic. 
  • Chain analysis tools. 

Step 3: Suspicious Transaction Reporting 

  • Money Laundering Reporting Officer (MLRO) responsibilities. 
  • Does internal escalation 
  • Timely reporting to the Financial Intelligence Unit (FIU). 

Step 4: Record Keeping & Audit 

  • Retention policies 
  • Historical trail production 

Step 5: Training & Culture 

  • Regular staff training. 
  • Attestations and compliance KPIs. 

Do not miss focusing on whether there is weak onboarding, missing transaction monitoring, and  incomplete source-of-funds checks. 

Reporting, Audit, and Supervisory Expectations 

Timely reporting, audit access, and supervisory cooperation are expected by the regulators. 

  • Proper monthly reconciliations. 
  • Keep proof-of-reserve reports. 
  • Incident and AML reports. 
  • Annual external audits. 

Please ensure reputable auditors with experience in event crypto. In case of emergencies, regulators may request cold-wallet access when needed to set up urgency protocols. 

Common Pitfalls and How You Can Avoid  Them 

 Common Pitfalls Mitigation 
Treating custody as entirely technical Governance evidence + board oversight 
Complete dependency on unaudited reserves Third-party affirmation 
Vague outsourcing contracts Documented SLAs + audit rights 
Poor asset segregation Wallet architecture + reconciliation logs 
No MLRO or escalation path Appoint an MLRO + define reporting lines. 
Missing incident response plans Draft playbooks + test backups 

Step-by-Step Checklist to Prepare a VASP License Application in Mauritius 

To prepare a complaint VASP license application in Mauritius, follow the checklist below: 

  1. Identify your VASP class and map license requirements. 
  1. Appoint board & officers (MLRO, CTO, CISO) with CVs and disclosures. 
  1. Draft core policies: Governance, Custody, InfoSec, AML/CFT, Business Continuity. 
  1. Design custody architecture diagram (hot/cold, key holders, third-party custody). 
  1. Contract with custodians or prepare SOPs with SLAs and audit rights. 
  1. Implement KYC or monitoring tools and draft an AML manual. 
  1. Commission tech audits (e.g., penetration test and smart contract audit) and obtain third-party attestations. 
  1. Prepare reconciliation and reserves procedures with sample reports. 
  1. Run internal dry-run: compile board packs, minutes, evidence binder. 
  1. Engage with local counsel and submit a complete application. 

To support your documents, attach files such as CVs, policies, diagrams, audit reports, AML manual, and  board minutes. 

Conclusion and a Quick Checklist 

In order to get a VASP in Mauritius, applicants must have the following: 

  • A clear governance structure. 
  • Powerful custody architecture. 
  • Demonstrable AML/CFT controls. 
  • Third-party attestations. 
  • Audited financials. 

A Quick Checklist for the VASP License in Mauritius: 

  • Board & MLRO appointed. 
  • Custody design diagram. 
  • AML/CFT program in place. 
  • Third-party audits & attestations. 
  • Reconciliation & reporting procedures. 

How Enterworld can help with VASP Licensing in Mauritius? 

Are you in need of a VASP-ready company structure in Mauritius? Enterworld is a reliable solution for your problem. We help our clients with the company registration, ready to file the license and governance design. Schedule a compliance health check or document review today, and get started with your company registration and VASP licensing. 

Top Questions Regarding About VASP Licensing in Mauritius

What is a VASP in Mauritius? 

A Virtual Asset Service Provider (VASP) is any entity that enables the transfer, exchange, protection,  or issuance of virtual assets, including cryptocurrencies and digital tokens. The Virtual Asset and  Initial Token Offering Services Act (VAITOS Act) regulates all the activities, and this aligns Mauritius with global standards for digital asset regulation  in Africa. 

Who regulates VASPs in Mauritius? 


The Financial Services Commission (FSC) is the main regulator controlling VASPs in Mauritius. It executes compliance under the VAITOS Act, FSC Rules, and AML/CFT regulations issued by the Financial Intelligence Unit (FIU). 

What are the different classes of VASP licenses in Mauritius? 

VASPs are normally classified into service categories such as: 
Exchange or trading platform 
Custodian or wallet provider 
Broker or intermediary 
Token issuer 
Portfolio manager or investment adviser 
Each class has different governance, capital, and reporting requirements. 

What governance standards do regulators expect from a VASP? 

Regulators expect a clear governance framework- including qualified board members, documented roles (CEO, MLRO, CISO), defined reporting lines, independent committees, and written policies covering governance, risk, and information security. 

What does “proof of implementation” mean in VASP governance? 

It means showing regulators evidence that policies are followed in practice – e.g., meeting minutes, board packs, audit logs, compliance reviews, and proof of segregation of duties, not just having policies on paper. 

Why is custody a critical part of a VASP license in Mauritius? 

Custody ensures client assets are secure and segregated. Regulators look for multi-sig or MPC key management, strong wallet security, insurance, reconciliation processes, and independent custody attestations. 

Can a VASP in Mauritius self-custody digital assets? 

Yes, but only if it demonstrates robust governance and technical safeguards- including segregation of client assets, hot/cold wallet controls, and periodic audits. Many firms prefer licensed third-party custodians for compliance assurance. 

What are the key AML/CFT obligations for a VASP? 

VASPs must perform KYC, enhanced due diligence, transaction monitoring, report suspicious activity to the FIU, and maintain detailed records. They must also appoint a Money Laundering Reporting Officer (MLRO). 

What are the common reasons for license rejection in Mauritius? 

Most rejections result from weak governance, unclear accountability, missing policies, or inadequate custody arrangements. Applicants often fail to provide evidence that controls are actually implemented. 

How long does it take to obtain a VASP license in Mauritius? 

The licensing process typically takes 3–6 months, depending on the completeness of documentation, background checks, and regulator feedback. Well-prepared applications with clear governance frameworks move faster. 

What reporting obligations does a VASP have after licensing? 

Licensed VASPs must submit periodic reports (financial statements, AML/CFT reports, and incident disclosures) and proof of reserves or reconciliations to the FSC. Annual external audits are usually required. 

Are foreign founders allowed to set up a VASP in Mauritius? 

Yes. Mauritius allows foreign ownership, but the commodity must be locally incorporated and have resident directors and compliance officers. You can learn more about company registration in Mauritius through the official portal. 

What documents are needed for a VASP license application? 

Key documents include: 
Incorporation certificate 
Business plan and financial projections 
Board and management CVs 
Governance and AML/CFT policies 
Custody architecture and SOPs 
Insurance proof and third-party attestations 

Does a VASP need a local office or staff in Mauritius? 

Yes. Regulators anticipate a physical presence, local directors, and key control functions (compliance, risk, and audit) to be based in Mauritius. This is purely remote, and “mailbox” setups are not accepted. 

Foreign Ownership Rules in the United States What Founders Must Know
Business Licensing

How to Get a Certificate of Good Standing in the Cayman Islands?

The Cayman certificate of good standing, which is a legal document, is issued by the Registrar of Companies. The document provides a legal status to the co...

Jan 09, 2026

Foreign Ownership Rules in the United States What Founders Must Know
Business Licensing

A Complete Guide to Hiring and Expanding Your Business in Australia: Work Visas, Payroll Compliance, and Localisation

Expanding within Australia for global companies and investors promotes a stable and high-growth marketplace. It brings top-notch talent and gateway access...

Dec 11, 2025

Subscribe to our newsletter blogs

Stay updated with our latest insights and expert tips. Subscribe now!

Enterworld