April 11, 2025
Mauritius Virtual Asset Service Providers (VASP)
VASP (Virtual Asset Service Providers) Licensing in Mauritius
Legal & Consultancy Support for Virtual Asset Service Providers
Why Mauritius for VASP Licensing?
Mauritius has emerged as a leading FinTech destination in Africa through the implementation of the Virtual Asset and Initial Token Offering Services Act 2021 (VAITOS). This progressive legislation aligns with FATF standards and strengthens the country’s regulatory framework for virtual assets and token offerings.
At Zitadelle AG, we offer end-to-end legal and consultancy services to help clients successfully obtain and maintain their Virtual Asset Service Provider (VASP) licenses with the Financial Services Commission (FSC) of Mauritius.
What Is a VASP?
Under the VAITOS Act 2021:
A Virtual Asset is a digital representation of value that can be traded or transferred digitally and used for payment or investment purposes.
A Virtual Asset Service Provider (VASP) is an entity that, on behalf of others, provides one or more of the following services:
Exchange between virtual assets and fiat currencies
Exchange between virtual assets
Transfer of virtual assets
Safekeeping or administration of virtual assets or instruments enabling control over them
Financial services related to an issuer’s sale or offer of virtual assets
Mauritius FSC – The Regulatory Authority
The Financial Services Commission (FSC) is the primary regulator for VASPs in Mauritius, overseeing licensing, compliance, and supervision within the non-bank financial services sector.
VASP License Requirements
To apply for a VASP license in Mauritius, you must:
Be a Mauritius-registered company
Maintain a physical office with local staff (including two resident directors, a Compliance Officer, and an MLRO – outsourcing is allowed, but only partially)
Obtain FSC approval before appointing officers
Notify the FSC of any material change in business activities
Ensure all stakeholders meet the FSC’s "fit and proper" criteria
Application for a VASP authorization and Important Requirements
Setting up a Virtual Asset Service Provider (VASP) in Mauritius requires adherence to the regulatory framework established by the Virtual Asset and Initial Token Offering Services (VAITOS) Act 2021. Below is a step-by-step guide outlining the key requirements and process for obtaining a VASP license.
Step 1: Company Incorporation Reservation
· Reserve a registration of a Category 1 Global Business Company (GBC1) with the Financial Services Commission (FSC) of Mauritius- registration of a company is going to occur only after the in-principle approval by the FSC
· The FSC will request that the Company is going to have a physical office in Mauritius from where operations will be conducted – it will be one of the requirements of the in-principle approval.
Step 2: Appointment of Key Personnel
Senior Executive Director & Head of Operations / Independent Director
o Senior Executive Director & Head of Operations – must be resident and have 3-5 years of experience in virtual currencies – appointment will be required if not during the application, then at the in-principle approval level
o Independent Director – (apart from the resident 2 directors) – must be appointed and should have experience in virtual currencies & be resident.
Money Laundering Reporting Officer (MLRO) / Compliance Officer:
o The Company is required to appoint a full-time MLRO, Deputy MLRO, and Compliance Officer, meeting the requirements of the Competency Standards issued by the FSC and submit the due diligence documents, including PQ forms- outsourcing 100% of these functions to a local trust company will not be enough.
Step 3: IT and Cybersecurity Infrastructure
· The company must implement a robust IT system to support virtual asset operations, ensuring data security, transaction integrity, and compliance with FSC cybersecurity requirements.
· Implement secure storage solutions for cryptocurrency assets, specifying whether assets will be held in hot or cold wallets.
· A well-structured Business Continuity Plan (BCP) should be in place to handle system failures or cyber threats.
· The Company must implement an effective Information Security Management System (ISMS) and internal controls aligned with ISO/IEC 27001 to ensure data confidentiality and integrity, system security and reliability, as well as stability and resilience in its IT operating environment.
· Demonstration that the Company has sufficient resources to facilitate and support incident response and recovery procedures that are aligned with ISO/IEC 27035.
Step 4: Website and Digital Presence
· The company must maintain a professional website with clear information about services, security policies, and regulatory disclosures.
· The website should align with international standards and provide seamless user experience and security features.
Step 5: Compliance Documentation and Business Plan
· Prepare and submit a comprehensive Business Plan detailing the company’s structure, operations, and financial projections.
· Draft and submit a Compliance Manual covering AML/CFT policies, transaction monitoring, and risk assessment frameworks.
· Ensure that policies and procedures meet the FSC’s regulatory standards and international best practices.
Step 6: Pilot Testing and Independent Assessment
· The Company is required to conduct pilot testing on its platform and submit an independent assessment report on its effectiveness and readiness to operate.
· The pilot test must:
o Be conducted in a controlled environment with a sample group of simulated users who will act as real customers, performing all system-supported actions from a customer’s standpoint.
o Provide insights into how the system performs in real-world conditions, with emphasis on exception handling, such as failed transactions.
o Identify any issues or improvements needed before a full-scale launch.
· The Company shall submit an audit/assessment report carried out by an independent expert or consultant on its information technologies, systems, and platform in line with ISO/IEC 27001 or other best information security standards and practices.
o This independent audit/assessment shall include identification, analysis, and evaluation of weaknesses in its ISMS.
o All weaknesses identified must be remediated and independently validated.
o The Company must submit a penetration test report evaluating IT security, including stress testing of cyber defenses by simulating real-world attack tactics, techniques, and procedures.
· The Company is required to submit a SOC Type 2 report or an equivalent independent report on the proposed liquidity providers/ tech providers.
Step 7: Insurance and Risk Management Compliance
· The Company is required to submit an insurance quote as per Rule 6(1) of the VAITOS (Risk Management) Rules 2022, read together with Rule 5(1) and Rule 7(1) of the VAITOS (Capital and Other Financial Requirements) Rules 2022.
Step 8: License Application Submission
· Submit the completed VASP License Application to the Financial Services Commission (FSC), including all required documents, such as:
o Business Plan
o Compliance Manual
o IT and cybersecurity framework details
o CEO and key personnel credentials
o Details of cryptocurrency custody arrangements
o Financial projections and capital requirements compliance
Step 9: Review and Approval by FSC
· The FSC will review the application, conduct due diligence checks, and assess the company’s compliance with VAITOS Act requirements.
· The company may be required to provide additional clarifications or supporting documents during the review process.
· Upon successful assessment, the VASP license will be granted, allowing the company to legally operate virtual asset services in Mauritius.
Ongoing Compliance and Reporting Obligations
· VASPs must adhere to ongoing compliance requirements, including AML/CFT reporting, periodic audits, and maintaining regulatory filings with the FSC.
· The MLRO/Compliance Officer is responsible for ensuring continuous monitoring and submission of suspicious transaction reports (STRs) when necessary.
· The company must also maintain transparent records of transactions and ensure its IT infrastructure remains compliant with evolving security standards.
By following these steps, entrepreneurs can successfully establish a VASP in Mauritius while ensuring full compliance with the jurisdiction’s regulatory framework.
Ongoing Compliance Obligations
All licensed VASPs must:
Implement robust systems to:
Record, store, and protect transaction data
Monitor transactions and prevent abuse
Ensure settlement of rights and liabilities
Safeguard client assets
Plan for business continuity
Class S license holders have additional obligations:
Monitor for suspicious trading activity and manipulation
Suspend or restrict trading when necessary
Maintain professional indemnity insurance
Types of VASP Licenses & Capital Requirements
Code | Class of Licence | Business Activities | Minimum Capital Requirement |
VA - 1.1 | Virtual Asset Broker Dealer (Class M) | Carry out activities such as exchange between virtual assets and fiat currencies; or exchange between one or more forms of virtual assets. | MUR 2,000,000 or its equivalent in any other fiat currency. |
VA - 1.2 | Virtual Asset Wallet Services (Class O) | Transfer of virtual assets | Sufficient working capital in fiat currency to continue business for a period of 12 months, based on realistic forecasts for the business in different market conditions (both negative and positive scenarios). |
VA - 1.3 | Virtual Asset Custodian (Class R) | Responsible for safekeeping of virtual assets or instruments enabling control over virtual assets; administration of virtual assets or instruments enabling control over virtual assets. | MUR 5,000,000 or its equivalent in any other fiat currency |
VA -1.4 | Virtual Asset Advisory Services (Class I) | Participation in and provision of financial services related to an issuer’s offer and/or sale of virtual assets. | Sufficient working capital to be capable of meeting its debts as they fall due. |
VA - 1.5 | Virtual Asset Market Place (Class S) | - Virtual asset exchanges must apply for a Class S (Virtual Asset Market Place) license. - A Virtual Asset Exchange is a centralized or decentralized virtual platform, whether in Mauritius or in another jurisdiction which facilitates the exchange of virtual assets for fiat currency or other virtual assets on behalf of third parties for a fee, a commission, a spread or other benefit and which – (i) holds custody, or controls virtual asset, on behalf of its clients to facilitate an exchange or (ii) purchases virtual assets from a seller when transactions or bids and offers are matched in order to sell them to a buyer. The definition of Virtual Asset Exchange also includes the owner or operator of the virtual platform, but excludes a platform only providing a forum where sellers and buyers may post bids and offers and a forum where the parties trade in a separate platform or in a peer-to-peer manner. | MUR 6,500,000 or its equivalent in any other fiat currency |
KYC & Documentation Checklist
For Individuals:
Signed CV & Personal Questionnaire
Certified ID (passport or national ID)
Certified proof of address (not older than 3 months)
Certified education documents
Certified bank reference + recent statement
Optional: Police clearance certificate
For Corporate Entities:
Certificate of Incorporation & Current Standing
Relevant licenses or registration documents
List of shareholders & directors
Latest audited financial statements or corporate profile
Corporate structure chart including UBOs
Other Required Documents:
Application & Authority Forms
Written consent from promoters/controllers
Business Plan
Internal Control, AML/CFT & Risk Manuals
Complaint Handling Procedure
Disaster Recovery Plan
Draft Service Agreement
Tailored Pricing & Consultation
The cost of licensing services will depend on the class of license required and the complexity of your application. For a custom quote and consultation, please get in touch with our team.
