The Seychelles Code of Corporate Governance is now in force and should be a priority area of focus for all affected FSA-regulated entities. Issued by the Financial Services Authority of Seychelles, the Code provides a formal governance framework intended to strengthen board accountability, internal controls, risk oversight, audit independence, corporate reporting, and conflict management across regulated businesses. The Code came into effect on 1 January 2026.

For regulated entities in Seychelles, this is not merely a governance guideline or best-practice recommendation. The Code expressly states that it has the force of law under section 33 of the Financial Services Authority Act, and failure to comply may expose a licensee, its directors, and its officers to regulatory consequences.

In practical terms, affected licensees should now be assessing whether their current governance arrangements are adequately aligned with the Authority’s expectations, including the structure and effectiveness of the board, committee oversight, internal audit arrangements, risk management systems, disclosure controls, and conflict of interest procedures.

1. Scope of Application

The Code applies to licensees under the following legislative frameworks:

• International Corporate Service Providers Act
• Securities Act (subject to limited exceptions)
• Mutual Fund and Hedge Fund Act (subject to stated exceptions)
• Virtual Asset Service Providers Act
• Seychelles Gambling Act
• Insurance Act

Accordingly, the Code is of direct relevance to a broad range of Seychelles-regulated entities, including securities dealers, VASPs, insurers, corporate service providers, and other licensed financial services businesses.

2. A Flexible Framework, But Not Optional Compliance

One of the key features of the Code is that it applies on an “apply or explain an alternative” basis. This allows some flexibility, recognising that governance structures may vary depending on the size, complexity, and operational model of the regulated entity. However, this should not be misunderstood as optional compliance. Where a principle cannot be implemented as written, the firm is expected to provide a proper explanation together with an appropriate alternative.

From a governance and regulatory perspective, firms should ensure that any alternative adopted is not only reasonable in theory, but also clearly documented, operationally effective, and capable of being justified to the Authority.

3. Key Governance Areas Covered by the Code

The Code is built around nine core principles:

1. Board Role and Responsibilities
2. Independence
3. Composition and Appointment
4. Corporate Culture
5. Remuneration
6. Risk Oversight
7. Corporate Reporting
8. Internal and External Audit
9. Management of Conflict of Interest

Taken together, these principles require regulated entities to adopt a more disciplined and demonstrable governance framework. This includes effective board oversight, proper segregation of roles, formal committee structures where appropriate, annual risk assessments, internal control review mechanisms, and clear reporting lines across key control functions.

4. Internal Audit Requirements Under the Seychelles Code of Corporate Governance

One of the most significant aspects of the Code is its express focus on internal audit.

The Code provides that the board should oversee the establishment and maintenance of an effective system of internal control to properly manage risk, assets, and capital, measured against internationally accepted internal audit standards and tested annually for adequacy. It further states that companies should have a dedicated internal audit function with clearly defined oversight and reporting structures. Where such a function has not been established, the full reasons should be disclosed to the regulator, together with an explanation of how adequate assurance is otherwise being obtained in relation to the effectiveness of the internal control framework.

This requirement significantly elevates internal audit from a secondary control function to a central component of the company’s governance architecture.

5. Why the Internal Audit Function Deserves Attention

For many regulated entities, internal audit has historically been treated as a secondary or developing function. Under the current framework, however, internal audit is clearly positioned as part of the company’s governance architecture and as an important component of board assurance.

A properly structured internal audit function supports:

• independent assessment of internal controls;
• stronger board oversight and accountability;
• better identification and escalation of governance weaknesses;
• more effective monitoring of operational, compliance, and regulatory risk;
• improved audit committee effectiveness; and
• greater regulatory credibility.

In practical terms, internal audit is no longer simply about review. It is about demonstrating that the business has an independent and structured mechanism for testing whether its control environment is functioning as intended.

6. How FiveComply Can Assist

For many entities, aligning with the new Seychelles corporate governance requirements will require more than minor amendments to existing documentation. It may involve a wider governance review covering board arrangements, committee structures, risk oversight, internal control frameworks, internal audit readiness, and reporting lines.

At FiveComply, we support firms with practical and commercially grounded assistance in relation to:

• corporate governance gap assessments;
• review of board and committee structures;
• governance documentation and policy enhancement;
• risk and internal control framework support;
• internal audit readiness assessments;
• design of internal audit reporting structures; and
• support in developing proportionate and defensible approaches where alternative arrangements are being relied upon.

Particular attention should now be given to the internal audit requirement, especially where no dedicated function currently exists or where the firm’s control assurance model remains informal or insufficiently documented.

7. Annual Disclosure and Ongoing Governance Monitoring

The Code also includes a disclosure form requiring licensees to confirm compliance with specific governance requirements, including committee arrangements, board evaluation, risk oversight, contingency planning, internal audit, external audit, audit committee matters, and conflict of interest controls. The form is required to be submitted by 31 December every year.

This reinforces that compliance under the Code is not a one-off implementation exercise. It requires continuous monitoring, board-level attention, and adequate documentation throughout the year.

8. Final Remarks

Now that the Seychelles Code of Corporate Governance came into effect on 1 January 2026, affected licensees should ensure that their governance framework is aligned with the Authority’s expectations and that any gaps are identified and addressed without delay.

For regulated entities, this is an important opportunity not only to meet a legal requirement, but also to strengthen governance standards, improve internal accountability, and enhance operational resilience.

FiveComply supports Seychelles-regulated entities with practical and tailored assistance in relation to corporate governance implementation, internal audit structuring, committee framework review, and overall regulatory readiness.

Disclaimer: This article is provided for general informational purposes only and does not constitute legal or tax advice.

Mauritius Investment Dealer Licence Requirements: Capital, Structure & FSC Framework

Mauritius has established itself as a credible and well-regulated international financial centre, supported by a clear legal framework, a recognised regulator, a strong corporate and banking infrastructure and an attractive tax regime. For firms seeking to carry out brokerage and dealing activities through Mauritius, the relevant licensing regime is regulated by the Financial Services Commission Mauritius (FSC) under the Securities Act 2005 and the Securities (Licensing) Rules 2007.

For applicants, obtaining a Mauritius Investment Dealer Licence is not simply a filing exercise and without the correct partners it might prove burdensome. With a strong track record and extensive experience in licensing matters, we understand that the FSC assesses the proposed structure holistically, taking into account the licence category, the competence and experience of key individuals, the adequacy of capital, the robustness of internal controls, and the operational readiness of the business. The quality of the initial structuring is therefore a key determinant of licensing efficiency and long-term regulatory stability.

At FiveComply, together with AllServ Management Ltd, our licensed Management Company in Mauritius, we assist clients with the full licensing lifecycle from initial structuring and pre-assessment through to application submission, FSC interaction, and post-licensing implementation. Our approach is designed not only to support approval, but to build structures that are commercially workable and regulator-ready from day one.

1. What is a Mauritius Investment Dealer Licence?

A Mauritius Investment Dealer Licence authorises a company to undertake regulated securities activities, depending on the category of licence granted.

For firms operating in brokerage, securities execution, portfolio management, or advisory-linked dealing models, Mauritius offers a recognised and structured regime that is often attractive for cross-border financial services businesses seeking a balance between regulatory credibility and operational flexibility.

2. Mauritius Investment Dealer Licence Categories & Capital Requirements

Under the FSC framework, the applicable licence category depends on the nature and scope of the proposed activities. Each category carries its own regulatory requirements, including the applicable fee structure and capital expectations.

From a structuring perspective, selecting the correct category at the outset is critical. The FSC will expect the proposed activities, governance arrangements, financial resources, and internal controls to be fully aligned with the licence category being sought.

Licence Category	Scope of Licence	Capital Requirement (MUR: Mauritian rupee)
Investment Dealer Full-Service (Including Underwriting)	Allows the licensee to trade in securities as principal with the intention of reselling such securities to the public, to underwrite or distribute securities on behalf of an issuer or holder, to provide investment advice ancillary to its business, and to manage client portfolios.	MUR 10 million
Investment Dealer Full-Service (Excluding Underwriting)	Allows the licensee to carry out full dealing activities, excluding the underwriting or distribution of securities on behalf of an issuer or holder.	MUR 1 million
Investment Dealer (Broker)	Allows the licensee to execute orders for clients, manage client portfolios, and provide advice on securities transactions to clients.	MUR 700,000
Investment Dealer – Discount Broker	This category allows the licensee to execute client orders without giving investment advice.	MUR 600,000

From a practical perspective, the applicable Mauritius Investment Dealer Licence requirements go beyond the minimum capital threshold alone. The FSC will also consider whether the proposed applicant has the financial substance, governance framework, and internal controls necessary to support the activities to be licensed.

For this reason, selecting the correct Mauritius Investment Dealer Licence category should not be approached as a mere formality. It is a core structuring decision that affects the capital position, compliance obligations, and overall strength of the application.

At FiveComply, together with AllServ Management Ltd, we assist clients in identifying the most suitable Investment Dealer Licence in Mauritius and in structuring the application in a manner that is both commercially workable and aligned with FSC expectations from the outset.

3. Key Regulatory Considerations for a Mauritius Investment Dealer Licence

The FSC places substantial weight on governance and the competence of key individuals.

Under the licensing rules, the applicant must satisfy the FSC that its internal structures, technical and financial means, staffing, and organisation are appropriate and sufficient for the efficient operation of the proposed business.

From a practical perspective, Mauritius Investment Dealer structures implemented by FiveComply and AllServ typically require the following setup:

• at least one shareholder, whether individual or corporate;
• at least one foreign director;
• at least two Mauritius-resident directors;
• a Compliance Officer and Money Laundering Reporting Officer (MLRO), typically provided by the Management Company;
• an Investment Dealer team comprising of two dealing team members.

The experience threshold for dealer roles is a key component of the Mauritius Investment Dealer licensing framework. Both dealers should demonstrate at least two years’ relevant experience in brokerage services within a regulated environment. From a regulatory perspective, this experience should evidence hands-on involvement in core dealing activities, including the receipt and handling of client orders, the execution and monitoring of trades, and client interaction in relation to trade confirmations and contract notes.

This is why the pre-assessment stage is critical. At FiveComply, we assess CVs and role suitability at an early stage to determine whether the proposed individuals are likely to meet FSC expectations before structuring the application.

4. Mauritius Investment Dealer Licence Timeline

The Mauritius Investment Dealer Licence process is a structured regulatory process overseen by the Financial Services Commission Mauritius (FSC). While each application is assessed on its own merits, timing will generally depend on the proposed business model, the complexity of the structure, and the quality and readiness of the documentation submitted.

We maintain a strong approval track record, supported by the consistently high quality of applications submitted. Typically, and based on our extensive track record, a Mauritius Investment Dealer Licence application can be assessed within approximately 1 to 3 months from submission. The speed of the process will largely depend on how efficiently the structure is organised from the outset and how complete, consistent, and regulator-ready the application is at the point of submission.

This is precisely where early planning makes a material difference. A properly structured application not only supports a more efficient FSC review process but also reduces avoidable delays and strengthens the overall regulatory positioning of the business.

This is where our experience adds value. This is where our experience comes in. As FiveComply and AllServ Management Ltd, we work closely with clients to streamline the Mauritius Investment Dealer Licence process and to position each application for the most efficient possible turnaround, without compromising regulatory quality or long-term compliance integrity. While these considerations may appear straightforward to us, they can often be more complex in practice.

5. Why to Work with FiveComply

At FiveComply, together with AllServ Management Ltd, we support clients with:

• strategic assessment of the appropriate Mauritius Investment Dealer Licence category;
• structuring of governance and key appointments in line with FSC expectations;
• preparation and coordination of regulator-ready application packages; and
• practical guidance designed to support both approval efficiency and post-licensing viability.

Our role is to ensure that the proposed structure is not only licensable, but commercially workable and credible under regulatory review.

For firms considering Mauritius Investment Dealer licensing, the opportunity is clear. Mauritius offers a respected regulatory environment, international credibility, an attractive tax regime and a well-established financial services ecosystem. But success depends on how the structure is built from the outset.

If Mauritius forms part of your expansion strategy, FiveComply and AllServ Management Ltd can assist you in building the structure properly, efficiently, and in line with FSC expectations.

Disclaimer: This article is provided for general informational purposes only and does not constitute legal or tax advice. All applications are submitted through AllServ Management Ltd, duly licensed Management Company in Mauritius. Website: https://allserv.mu/

Seychelles has become a leading jurisdiction for investment firms seeking a Securities Dealer Licence due to its efficient regulatory framework, reasonable operational costs, and evolving tax environment. However, recent regulatory developments and international standards have shifted the focus from simple licensing structures to properly substantiated, operationally sound entities.

One of the key advantages available to Seychelles Securities Dealers is access to a preferential tax regime under the Seventh Schedule of the Business Tax Act. This may include a preferential tax rate (commonly referenced as 1.5% on gross revenue), depending on the structure and activity of the licensee. However, this benefit is not automatic and is strictly conditional upon meeting the substantial activity requirements and obtaining confirmation from the Financial Services Authority (FSA).

Where the substantial activity requirements are not met, the licensee will not be eligible for the preferential tax regime and will instead be subject to the standard Seychelles corporate tax rates, currently applied on a progressive basis as follows:

• 15% on taxable income up to SCR 1,000,000; and
• 25% on taxable income above SCR 1,000,000.

Economic Substance Requirements in Seychelles

Economic substance is no longer a procedural or administrative requirement. It is a central regulatory and tax condition applicable to licensees under the Securities Act, 2007, as amended, and the Securities (Substantial Activity Requirements) Regulations, 2018.

In line with the FSA Substantial Activity Requirements Guidelines, a licensee will only be eligible to benefit from the preferential tax regime where it can demonstrate that:

• Core income generating activities (CIGA), as defined under Regulation 4 of the Securities (Substantial Activity Requirements) Regulations, are conducted in Seychelles;
• The licensee employs a reasonably adequate number of suitably qualified persons in Seychelles; and
• The licensee incurs an adequate level of operating expenditure within Seychelles, proportionate to the nature, scale, and complexity of its business.

Importantly, the assessment of adequacy is conducted on a case-by-case basis by the Financial Services Authority (FSA), taking into consideration the size, revenue, and operational complexity of the licensee.

Critical Requirement: FSA Confirmation

A key legal requirement often overlooked is that the preferential tax treatment is only available where the licensee obtains annual written confirmation from the Financial Services Authority (FSA) that the substantial activity requirements have been met for the relevant financial year.

In practice:

• The licensee must submit a formal request to the FSA (typically by 31 January of the following year);
• This includes a self-declaration form, organisational structure, and employee establishment list; and
• The FSA will assess and issue its determination, which must be submitted to the Seychelles Revenue Commission (SRC) together with the Annual Tax Return.

Without this confirmation, the preferential tax regime does not apply, and the licensee will be subject to the standard Seychelles business tax rates.

Outsourcing and Operational Structure

The Regulations provide flexibility in structuring operations, but with clear limitations.

Core income generating activities may be outsourced to third-party service providers only where:

• The activities remain physically performed in Seychelles; and
• The licensee demonstrates adequate supervision and control over such outsourced functions.

Where core income generating activities are outsourced outside Seychelles, the substantial activity requirements will generally be considered not to have been met.

Front-Office vs Back-Office Activities

The regulatory framework recognises that certain front-office activities may be conducted outside Seychelles. However, this is subject to strict conditions.

Specifically:

• Front-office activities may be performed outside Seychelles;
• Provided that the corresponding middle-office and back-office functions relating to the same activities are undertaken in Seychelles.

This distinction is critical when structuring international brokerage operations and must be carefully assessed to ensure compliance.

Operational Presence in Seychelles

In practical terms, demonstrating substantial activity typically involves establishing a meaningful operational footprint in Seychelles.

This may include:

• Maintaining an appropriate operational presence in Seychelles (which includes office facilities);
• Ensuring active involvement of locally based personnel in core business functions;
• Demonstrating real decision-making and operational execution within the jurisdiction; and
• Maintaining adequate local expenditure aligned with the scale of operations.

It is important to note that the law does not prescribe a “one-size-fits-all” model but rather requires proportionality between the business activity and the level of substance maintained.

Not Meeting the Substantial Activity Requirements

Failure to meet the substantial activity requirements has direct tax implications.

Where a licensee does not satisfy the substance requirements and/or does not obtain FSA confirmation:

• The preferential tax regime will not apply; and
• The entity will be subject to the standard Seychelles business tax rates.

Additionally, inaccurate or misleading information provided to the FSA in relation to substance may result in enforcement action under the Financial Services Authority Act.

Conclusion

Seychelles continues to position itself as a competitive and credible jurisdiction for Securities Dealers. However, the regulatory landscape has clearly evolved from a registration-based approach to a substance-driven framework aligned with international standards (including OECD BEPS Action 5 principles).

For Securities Dealers, economic substance should not be viewed as a regulatory burden, but rather as a fundamental component of building a compliant, credible, and tax-efficient international structure.

Licensees that properly implement and evidence their substantial activity in Seychelles are able to access the available preferential tax regime, while strengthening their overall regulatory standing and operational resilience.

How FiveComply Can Assist

Navigating the substantial activity requirements and aligning operational structures with both regulatory and tax expectations, requires a careful and practical approach.

At FiveComply, we support Securities Dealers in establishing and maintaining compliant, substance-driven structures in Seychelles. Our services include:

• Advising on substance requirements and operational structuring in line with the Securities (Substantial Activity Requirements) Regulations;
• Assisting with the preparation and submission of the annual FSA substance confirmation request;
• Providing resident Compliance Officer and corporate governance support;
• Supporting the establishment of local operational presence, including coordination of office setup and staffing; and
• Ongoing regulatory and post-licensing advisory to ensure continued compliance.

Our approach is practical and tailored to each client’s business model, ensuring that regulatory requirements are met without overcomplicating operations.

For further information or to discuss your structure, feel free to reach out to our team.

 

Disclaimer

This article is provided for general informational purposes only and does not constitute legal or tax advice.

The introduction of Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA) marks a fundamental transformation in the regulatory treatment of crypto-assets within the European Union. While crypto activities were previously subject to fragmented national frameworks, MiCA establishes, for the first time, a harmonised licensing regime governing both the issuance of crypto-assets and the provision of related services.

This shift reflects a broader regulatory objective: to integrate crypto-assets into the existing financial regulatory architecture, while addressing risks related to investor protection, market integrity, and financial stability.

As with other major EU regulations, MiCA is not simply an additional layer of compliance. It introduces a new operating model, requiring firms to reassess their structure, governance, and service offering in order to continue operating within the EU.

 

A New Licensing Perimeter for Crypto Activities

MiCA introduces a clear distinction between different categories of crypto-assets and activities, each subject to specific requirements.

At its core, the regulation applies to:

• crypto-assets other than asset-referenced tokens (ARTs) and e-money tokens (EMTs),
• asset-referenced tokens (commonly referred to as stablecoins), and
• crypto-asset services provided on a professional basis.

The latter introduces the concept of Crypto-Asset Service Providers (CASPs), which now fall within a formal licensing regime under Title V of MiCA.

 

The scope of regulated services is deliberately broad and mirrors, to a significant extent, the structure of investment services under MiFID II. These include:

• custody and administration of crypto-assets
• operation of trading platforms
• exchange of crypto-assets for funds or other crypto-assets
• execution, reception and transmission of orders
• placing of crypto-assets
• portfolio management and advice and
• transfer services on behalf of clients

This alignment is not incidental. It signals a regulatory intention to treat crypto-asset services with a level of scrutiny comparable to traditional financial services.

 

Authorisation as a Precondition for Market Access

Under MiCA, the provision of crypto-asset services within the EU is conditional upon authorisation as a CASP, unless the entity already holds a licence under another EU financial services framework and opts to use the notification regime.

This represents a significant departure from existing national regimes. Entities currently registered under local crypto frameworks are required to undergo a full authorisation process in order to continue operating post-MiCA.

Although MiCA provides for a transitional period, this is limited in scope. Importantly, firms operating under transitional arrangements do not benefit from passporting rights and may face restrictions on cross-border activities.

In parallel, MiCA introduces a notification-based regime (Article 60) for already authorised entities, such as investment firms or UCITS management companies. These entities may provide crypto-asset services upon notifying their competent authority, subject to strict procedural requirements.

The notification process itself is structured and time-bound. Firms must submit the required information at least 40 working days prior to commencing services, with the competent authority conducting an initial completeness assessment within 20 working days. Any requests for additional information may temporarily suspend the process.

 

From Licensing to Substance: Governance and Operational Requirements

The MiCA authorisation process is not merely formal. It is designed to assess whether firms are capable of operating in a safe, transparent, and resilient manner.

Applicants are required to provide detailed information covering:

• their legal structure and organisational setup,
• governance arrangements and internal control mechanisms,
• safeguarding of client assets and segregation arrangements,
• risk management and compliance frameworks, and
• the suitability and integrity of management and shareholders.

In addition, MiCA introduces specific expectations in relation to operational resilience and ICT risk. CASPs must implement security measures covering access controls, system integrity, and incident management, as well as business continuity arrangements and recovery planning.

The emphasis is clear: licensing is conditional on the existence of an operationally effective framework, not merely documented policies.

 

Ongoing Obligations and Investor Protection

MiCA establishes an extensive set of ongoing obligations that extend well beyond the point of authorisation.

These include requirements relating to:

• conduct of business, including the obligation to act honestly, fairly, and professionally,
• management of conflicts of interest,
• transparent and non-misleading communications, and
• the maintenance of adequate systems and controls.

Investor protection is a central element of the framework. Where firms provide advice or portfolio management, they are required to conduct suitability assessments, taking into account the client’s knowledge, objectives, and risk tolerance. These assessments must be reviewed on an ongoing basis and supported by periodic reporting to clients.

At the same time, MiCA introduces requirements aimed at preserving market integrity, including the detection and reporting of market abuse and the disclosure of inside information.

 

Passporting and the EU Single Market

One of the most significant features of MiCA is the introduction of passporting rights for authorised CASPs.

Once authorised in one Member State, a CASP may provide services across the EU without the need for additional licences. This creates, for the first time, a truly single market for crypto-asset services.

However, this benefit is conditional upon full MiCA authorisation. Firms operating under transitional regimes or relying on national registrations do not benefit from this passporting framework, which reinforces the importance of timely authorisation.

 

Reverse Solicitation: A Narrow and Controlled Exemption

MiCA also addresses the concept of reverse solicitation, which has historically been used by firms to provide services without local authorisation.

Regulatory guidance makes clear that this exemption is interpreted narrowly. Any form of marketing or communication targeting EU clients, including through digital channels, may be considered solicitation.

In practice:

• marketing through social media, affiliates, or influencers may fall within the scope of solicitation,
• the exemption applies only to the initial client request, and
• firms cannot rely on this exemption to offer additional or different services over time.

This significantly limits the ability of non-EU firms to access the EU market without authorisation.

 

Fees and Supervisory Costs

MiCA introduces a structured fee framework, covering both authorisation and ongoing supervision.

At the authorisation stage, fees vary depending on the type of services provided. For example, operating a trading platform entails higher fees compared to execution or advisory services, reflecting the increased complexity and risk.

On an ongoing basis, CASPs are subject to annual supervisory fees comprising:

• a fixed component, determined by the services provided, and
• a variable component, based on the firm’s turnover from crypto-asset services.

The variable component applies progressively, with percentages decreasing as turnover increases, and is capped at €500,000 annually.

This structure introduces a proportional approach, aligning supervisory costs with the scale of the firm’s activities.

 

A Shift from Access to Accountability

MiCA represents more than a licensing exercise. It reflects a broader shift from a relatively open and lightly regulated environment to one characterised by accountability, governance, and operational robustness.

Firms can no longer rely on minimal structures or fragmented compliance approaches. The regulation requires:

• integration of governance, risk, and compliance functions,
• clear allocation of responsibilities at management level, and
• continuous monitoring and adaptation of operational frameworks.

In this sense, MiCA aligns crypto-asset regulation with the broader expectations applied to financial institutions.

 

FiveComply’s Perspective

From an implementation perspective, the main challenge under MiCA is not the interpretation of the regulation, but its practical application within complex and evolving business models.

Firms are often required to reassess fundamental aspects of their operations, including their service classification, outsourcing arrangements, and technological infrastructure.

In particular, the interaction between MiCA requirements and existing regulatory frameworks (such as MiFID II or AML obligations) introduces an additional layer of complexity that must be carefully managed.

Experience shows that the most effective approaches are those that focus not only on regulatory alignment, but on operational readiness, ensuring that governance, systems, and controls are capable of supporting ongoing compliance in practice.

 

Get in touch with our team to discuss your MiCA licensing strategy or CASP authorisation process:
📞 +357 25 34 00 25
📧 regulatory@fivecomply.com

The Digital Operational Resilience Act (DORA) marks a significant evolution in the European Union’s regulatory approach to ICT risk within the financial sector. While financial institutions have long been subject to requirements relating to operational risk, outsourcing, and cybersecurity, DORA introduces, for the first time, a harmonised and enforceable framework specifically focused on digital resilience.

This shift reflects a broader regulatory recognition that financial entities are no longer exposed solely to traditional operational risks, but to increasingly complex and interconnected digital vulnerabilities driven by technological dependence, third-party providers, and cross-border infrastructures.

As a result, DORA is not simply an additional compliance obligation. It represents a structural change in how firms are expected to design, operate, and oversee their ICT environment.

 

A Structural Shift in Regulatory Expectations

DORA establishes a comprehensive framework covering ICT risk management, incident reporting, operational resilience testing, and third-party risk oversight. Its objective is not limited to ensuring that firms maintain adequate policies, but to ensure that they are capable of withstanding, responding to, and recovering from ICT disruptions that may impact critical or important functions.

This reflects a transition from fragmented regulatory requirements to a unified model that places digital resilience at the core of supervisory expectations. Increasing reliance on external ICT providers, particularly cloud services, has also introduced new dimensions of systemic risk, prompting regulators to extend their focus beyond individual firms to the stability of the financial system as a whole.

In this context, DORA introduces a level of rule-based approach and operational depth that goes beyond previous frameworks, requiring firms to move from theoretical compliance to demonstrable resilience.

 

Implementation Is Not Merely Technical

Despite the clarity of its objectives, many firms continue to approach DORA as a technical or documentation-driven exercise. In practice, this approach often leads to frameworks that are formally aligned with regulatory requirements but lack operational effectiveness.

A key challenge lies in the fact that DORA is not limited to IT functions. It requires coordination across risk management, compliance, internal audit, and senior management, as well as alignment with business strategy and operational processes. Where ICT risk remains isolated from broader organisational decision-making, firms face difficulties in achieving the level of integration required by the regulation.

The implementation of DORA therefore requires a shift from isolated structures to a holistic and integrated approach, where ICT risk is embedded across all relevant functions.

 

Common Pitfalls in Practice

In practice, several recurring challenges have emerged across financial entities implementing DORA.

A primary issue is the tendency to prioritise policy development over operational capability. While firms may establish comprehensive ICT risk management frameworks on paper, these frameworks are not always supported by effective processes, tools, and controls capable of functioning under stress conditions. This disconnect between documentation and execution undermines the core objective of ensuring continuity of critical services.

Fragmentation also remains a significant concern. Many organisations continue to operate with separate frameworks for cybersecurity, IT operations, outsourcing, and business continuity, resulting in inconsistencies in how risks are identified, assessed, and managed. DORA requires these elements to be integrated into a single, coherent framework, capable of addressing risks in a consistent and comprehensive manner.

Another area frequently underestimated is the integration of ICT risk into governance structures. DORA places clear responsibility on the management body, requiring active oversight and involvement in ICT risk management. Where senior management engagement is limited, decisions relating to outsourcing, technology, and operational models may not fully reflect resilience considerations.

 

Operational Challenges: Incident Reporting and Testing

The requirements relating to ICT incident reporting introduce a level of complexity that many firms have not previously encountered. DORA requires the classification of incidents based on defined criteria, as well as the submission of initial, intermediate, and final reports within strict timelines. Implementing these requirements requires not only clear internal procedures, but also the ability to detect incidents promptly, assess their impact accurately, and ensure effective internal escalation.

Similarly, the expectations surrounding resilience testing have significantly increased. DORA requires firms to adopt a risk-based approach to testing that reflects their operational dependencies and threat landscape. This includes scenario-based testing and, for certain firms, advanced techniques such as threat-led penetration testing. Basic technical testing alone is insufficient to capture the broader operational impact of disruptions, particularly in environments characterised by interconnected systems and external dependencies.

 

Third-Party Risk: A Central Regulatory Focus

One of the most significant areas of focus under DORA is ICT third-party risk management. The growing reliance on external providers, particularly in the context of cloud computing and technology platforms, has introduced new forms of concentration and systemic risk.

DORA requires firms to maintain a detailed register of ICT third-party providers, including information on services provided, criticality, and contractual arrangements. In practice, many organisations face challenges in obtaining a complete and accurate view of their outsourcing landscape, particularly where subcontracting chains are involved.

Importantly, DORA reinforces that outsourcing does not transfer responsibility. Financial entities remain fully accountable for ensuring that outsourced services meet regulatory expectations, requiring continuous monitoring, robust contractual arrangements, and effective oversight mechanisms.

 

Assurance, Continuity, and Ongoing Compliance

The effectiveness of the ICT risk management framework must be supported by independent assurance. DORA requires regular internal audit and review processes to assess the adequacy and effectiveness of controls. This introduces additional expectations in terms of expertise, independence, and the integration of ICT risk into audit planning.

At the same time, DORA is not designed as a one-time implementation exercise. The regulation introduces a continuous obligation to monitor, review, and update frameworks in response to changes in the firm’s operations, technological environment, and threat landscape. A static approach to compliance is incompatible with the dynamic nature of ICT risk.

 

A Strategic Perspective on Digital Resilience

Beyond its technical and regulatory dimensions, DORA reflects a broader strategic shift in the financial sector. It recognises that digital resilience is not only a matter of individual firm stability, but a key component of financial system integrity.

The increasing interconnection between financial institutions and shared ICT infrastructures means that disruptions can extent rapidly across markets. As such, DORA requires firms to consider their role within a wider ecosystem, extending beyond internal risk management to the management of systemic dependencies.

Firms that approach DORA solely as a compliance obligation may achieve formal alignment with the regulation, but risk overlooking its broader implications. By contrast, those that embed digital resilience within their operating model can enhance operational robustness, improve incident response capabilities, and strengthen stakeholder confidence.

 

FiveComply’s Perspective

At FiveComply, we observe that the primary challenge in DORA implementation is not the interpretation of the regulation itself, but its practical application across complex organisational structures.

Firms increasingly recognise that achieving compliance requires more than aligning documentation with regulatory requirements. The focus has shifted towards ensuring that ICT risk frameworks are operational, integrated, and capable of supporting real-world resilience under stressed conditions.

Our experience shows that the most effective implementation approaches are those that prioritise:

• alignment between ICT risk management and business strategy,
• clear governance structures with active management body involvement,
• comprehensive mapping and oversight of ICT third-party providers, and
• the development of testing and incident response capabilities that reflect actual operational dependencies.

DORA implementation is therefore not a standalone exercise, but part of a broader process of strengthening operational resilience and regulatory positioning. Firms that approach it strategically are better positioned to adapt to ongoing regulatory developments and evolving technological risks.

 

Looking Ahead

DORA represents a fundamental transformation in how ICT risk is regulated within the European financial sector. Its implementation requires more than policy updates or procedural adjustments; it requires a reassessment of how risk is identified, managed, and integrated across the organisation.

The distinction between compliance and resilience is central. While compliance can be achieved through documentation and formal alignment, resilience requires operational capability, integration, and continuous adaptation.

As regulatory expectations continue to evolve, firms that successfully operationalise DORA will be better positioned to navigate an increasingly complex and technology-driven environment, where the ability to withstand disruption is not only a regulatory requirement, but a defining characteristic of sustainable financial institutions.

 

Get in touch with our team to discuss your DORA implementation or regulatory strategy:
📞 +357 25 34 00 25
📧 regulatory@fivecomply.com

The Seychelles Securities Dealer License continues to serve as a widely used regulatory framework for international brokerage firms offering online trading, forex, and CFD services. Regulated by the Financial Services Authority (FSA) of Seychelles, the regime has recently undergone significant legislative updates following the enactment of the Securities (Amendment) Act, 2024 and accompanying amendment regulations.

These amendments introduce several important changes affecting Securities Dealer Licensees, including strengthened corporate governance requirements, increased capital thresholds, enhanced investor protection measures, and revised licensing fees. Firms operating under the Seychelles Securities Dealer regulatory framework must ensure that their compliance systems, operational procedures, and governance structures are updated to reflect these changes.

The amendments entered into force on 30 December 2024. However, entities that were already licensed prior to the introduction of the amendments have been granted a transitional period of eighteen (18) months to comply with the new provisions, ending on 30 June 2026.

 

A.  Changes to the Licensing Framework and Corporate Governance Requirements

One of the most significant regulatory developments introduced by the amendments is the transition to a perpetual licensing regime for Securities Dealer licenses. Under the revised framework, a Seychelles Securities Dealer License will remain valid unless it is suspended, revoked, or surrendered, replacing the previous system where licenses were issued for a fixed annual period.

Despite the introduction of a perpetual license model, license holders must still meet ongoing regulatory obligations. In particular, Securities Dealer licensees are now required to pay their annual license fees and submit a compliance certificate to the Financial Services Authority by 31 January of each year.

The amendments also introduce enhanced corporate governance requirements. Securities Dealer licensees must appoint two individual directors, with at least one director required to be a resident of Seychelles. Additionally, the framework requires that there be at least two resident fit and proper individuals in Seychelles, which may include directors, compliance officers, or other managerial staff responsible for overseeing the operations of the licensed entity.

These provisions are intended to strengthen regulatory oversight and ensure that licensed brokerage firms maintain sufficient operational substance within the jurisdiction.

 

Investor Protection Measures and Operational Requirements

The amendments also introduce several important measures aimed at strengthening investor protection and operational oversight within the Seychelles securities sector.

One of the key changes relates to client classification requirements for restricted speculative investments, as per the FSA definition. Securities Dealer licensees offering leveraged products (e.g. CFDs) should now classify their clients as either retail clients or professional clients before offering access to leveraged products. Professional clients may include regulated financial institutions, institutional investors, governments, large corporate entities meeting specific financial thresholds, or high-net-worth individuals who satisfy the relevant asset and experience criteria.

Where clients are classified as retail clients, Securities Dealer licensees must conduct an appropriateness assessment to determine whether the client possesses the knowledge and experience necessary to understand the risks associated with the specific leveraged products e.g. CFDs.

The amendments also introduce negative balance protection for retail clients, meaning that the liability of a retail client trading restricted speculative investments is limited to the funds held in the client’s trading account. This provision ensures that retail investors cannot incur losses exceeding the amount deposited with the securities dealer.

Additional regulatory obligations include enhanced advertising and risk warning requirements, under which Securities Dealer licensees must ensure that promotional materials prominently display risk warnings explaining the potential losses and complexity associated with trading financial instruments such as securities, derivatives, and other leveraged products.

The amendments further strengthen oversight of outsourcing arrangements. While support functions may be outsourced to external service providers, core operational functions may only be delegated to affiliated entities and require prior approval from the Financial Services Authority.

 

Capital Requirements and Revised Licensing Fees

The updated regulatory framework also introduces an increase in the minimum capital requirement for Securities Dealer licensees. The minimum issued and paid-up share capital has been increased from USD 50,000 to USD 100,000, and this capital must be maintained at all times in a bank account with a bank licensed under the Financial Institutions Act or another equivalent jurisdiction approved by the FSA. More information on how the FSA interprets ‘equivalent jurisdictions’ can be provided from FiveComply during your next consultation session.

In addition to the increased capital threshold, the amendments introduce revised regulatory fees.

The application fee for a Securities Dealer license has increased from USD 1,500 to USD 3,000, while the annual license fee has increased from USD 3,000 to USD 6,000. The fees for the Securities Dealer Representative remain the same for both the application and ongoing maintenance of the license. Additional fees have also been introduced for matters such as additional trade names, domain names, and regulatory approvals for changes in shareholding or corporate structure.

These changes reflect the continued evolution of the Seychelles financial services regulatory framework, with a focus on strengthening governance standards and investor protection within the jurisdiction.

 

Preparing for Compliance with the New Framework

Although the amendments entered into force on 30 December 2024, existing Seychelles Securities Dealer License holders have until 30 June 2026 to fully comply with the new requirements.

During this transitional period, licensees should review their corporate governance arrangements, client onboarding procedures, capital structures, and internal policies to ensure full alignment with the revised legislative framework.

At FiveComply, we support firms operating under the Seychelles Securities Dealer License framework by assisting with regulatory compliance, policy development, and ongoing liaison with the Financial Services Authority of Seychelles. As regulatory expectations continue to evolve, maintaining a robust compliance framework is essential for firms seeking to operate successfully in the Seychelles financial services sector.

Contact us today to learn how FiveComply can support your firm with Seychelles Securities Dealer licensing, regulatory compliance, and ongoing FSA engagement.

📍 Seychelles | Mauritius | Cyprus | UAE

📞 +357 25 34 00 25

📧 info@fivecomply.com

🌐 fivecomply.com

For more than a decade, Cyprus has served as one of Europe’s primary entry points for investment firms seeking access to the European market. While the regulatory landscape has evolved significantly, authorisation by the Cyprus Securities and Exchange Commission (CySEC) continues to represent a strategically important milestone for financial institutions operating within the EU.

 However, the nature of CySEC licensing has changed. What was once viewed primarily as an entry procedure has increasingly become a process centred on operational substance, governance maturity, and long-term regulatory sustainability. 

 

A Mature Regulatory Environment:

CySEC today operates within a far more demanding European supervisory framework than in previous years. The implementation of MiFID II, the Investment Firms Regulation and Directive (IFR/IFD), enhanced AML obligations, and upcoming crypto-asset regulation under MiCA have collectively reshaped supervisory expectations.

As a result, licensing is no longer assessed solely on documentation completeness. Regulators increasingly evaluate whether applicants demonstrate realistic operational models, effective internal controls, and governance structures capable of supporting ongoing supervision. 

For firms, this means preparation begins well before submission — and extends beyond policies and procedures to the credibility of the people and ownership structure behind the firm.

In practice, one of the most decisive elements in a CySEC licensing application is the suitability of the shareholders. While applicants often focus heavily on documentation and operational setup, CySEC places significant emphasis on whether qualifying shareholders meet the regulator’s fit-and-proper requirements, including experience in a regulated environment, financial soundness, transparency of source of wealth, reputation, and the ability to support the firm’s long-term stability.

Experience shows that shareholder assessment frequently represents the most critical stage of the authorisation process.

 

The Impact of Crypto Regulation:

The emergence of crypto-asset regulation within the European Union — particularly through the Markets in Crypto-Assets Regulation (MiCA) — has become one of the primary drivers reshaping how investment firms approach CySEC licensing and regulatory strategy.has introduced an additional layer of strategic planning for investment firms.

Rather than operating crypto activities separately, many firms are now evaluating how digital-asset services interact with existing CySEC authorisations, governance structures, and compliance frameworks. This has led to increased demand for licence extensions, structural reviews, and regulatory alignment exercises ahead of MiCA implementation.

The transition highlights a broader trend: regulatory frameworks are converging, requiring firms to adopt integrated compliance approaches rather than siloed licensing strategies.

 

Licensing Is No Longer One-Dimensional:

A notable shift in recent years is the growing number of firms seeking extensions or modifications to existing authorisations rather than entirely new licences.

These include:

• expansion of investment services and activities
• introduction of new financial instruments
• restructuring of business models
• integration of crypto-related activities
• alignment with evolving EU regulatory frameworks

We have observed a clear increase in demand for licence extensions aligned with MiCA developments, as firms recognise the operational efficiency of expanding existing regulatory permissions rather than establishing separate regulatory structures.

In many cases, firms can strategically position themselves to operate both traditional financial instruments and crypto-asset activities under an aligned regulatory framework, creating operational continuity while reducing regulatory fragmentation. This approach has become increasingly attractive as European regulation moves toward convergence between traditional finance and digital assets.

Regulatory strategy has therefore become continuous rather than transactional. Firms increasingly revisit their authorisations as their business models evolve alongside market and regulatory developments.

 

Governance Expectations: What Firms Often Underestimate:

Despite CySEC’s well-established framework, applicants frequently underestimate where regulatory scrutiny is primarily focused during the licensing process.

While governance structure and documentation remain important, the assessment begins with the suitability of the Company’s shareholders. In practice, application timelines are frequently impacted not by policies or operational arrangements, but by the shareholder assessment process: CySEC places significant emphasis on qualifying shareholders meeting fit-and-proper requirements.

Beyond ownership assessment, CySEC also expects a management body capable of exercising genuine oversight and independent judgment. This includes meeting minimum structural expectations such as:

• at least two Executive Directors, actively involved in day-to-day management;
• at least two Non-Executive Independent Directors, providing independent oversight; and
• a Board composition demonstrating sufficient local substance and regulatory familiarity, with the majority of directors being Cyprus-based.

Ultimately, regulatory approval is based on the combined assessment of shareholders and directors, ensuring both sound ownership and effective governance capable of sustaining long-term regulatory compliance.

 

Common Challenges Firms Encounter:

Applicants frequently underestimate the importance of regulatory coherence — ensuring that business plans, policies, staffing arrangements, ownership structure, and governance model present a consistent and credible narrative.

Delays often arise not from regulatory rigidity, but from gaps between commercial ambition and regulatory readiness. Successful applications therefore depend on early strategic planning and alignment with CySEC expectations from the outset.

 

FiveComply’s Perspective:

At FiveComply, we have observed a clear evolution in how firms approach CySEC authorisation. Increasingly, clients seek not only assistance with initial licensing, but ongoing regulatory guidance as their activities expand across new services, instruments, and regulatory regimes — particularly in connection with MiCA-driven licence extensions.

Our experience shows that successful licensing outcomes depend less on documentation volume and more on correctly structuring:

• shareholder eligibility and transparency,
• governance composition,
• regulatory strategy, and
• operational substance from day one.

Our experience spans new CySEC authorisations, licence extensions, crypto-related regulatory structuring, and ongoing compliance implementation. In each case, the objective remains the same: aligning business growth with sustainable regulatory positioning.

 

Looking Ahead:

As European financial regulation continues to develop, CySEC remains a key gateway for firms seeking regulated access to the EU market. The regulator’s increasing supervisory maturity reflects broader European trends emphasising transparency, governance, and operational substance.

CySEC licensing is increasingly less about obtaining approval and more about building a structure capable of operating successfully under continuous supervision — where shareholder suitability, governance strength, and strategic regulatory planning play a decisive role.

With extensive experience advising firms across the CySEC regulatory framework, FiveComply supports financial institutions throughout the full licensing lifecycle — from initial authorisation and licence extensions to compliance implementation and ongoing regulatory support. 

 

Get in touch with our team to discuss your CySEC licensing or regulatory strategy:

📞 +357 25 34 00 25
📧 regulatory@fivecomply.com

 

 

 

Seychelles has established a formal regulatory regime for Virtual Asset Service Providers (VASPs) through the Virtual Asset Service Providers Act, 2024.

Under this framework, any entity operating a crypto exchange, crypto brokerage, digital asset wallet, custody platform, or virtual asset investment service in or from Seychelles must obtain a Seychelles VASP licence issued by the Financial Services Authority (FSA).

The Seychelles VASP regime is designed to position the jurisdiction as a regulated international hub for digital asset businesses, while ensuring compliance with international AML/CFT and FATF standards.

For founders launching or relocating crypto exchanges, trading platforms, custody solutions and more, regulatory success depends on three key pillars:

Scope clarity. Substance alignment. Governance integrity.

At FiveComply, our Licensing team specialises in structuring and licensing Virtual Asset Service Providers in Seychelles, ensuring applications are regulator-ready and aligned with the expectations of the Seychelles Financial Services Authority (FSA).

1. What Activities Require a Seychelles VASP Licence?

A Seychelles VASP licence is required where a company carries on virtual asset services in or from Seychelles.

The regulatory framework recognises four main licence categories:

1. Virtual Asset Exchange

Platforms facilitating the trading or exchange of digital assets, including crypto-to-crypto and crypto-to-fiat exchanges.

2. Virtual Asset Wallet / Custody Service

Businesses providing custody or safeguarding of virtual assets, including hosted wallets and custody platforms.

3. Virtual Asset Broker

Entities acting as intermediaries executing digital asset transactions on behalf of clients.

4. Virtual Asset Investment Provider

Companies offering digital asset investment management, advisory, or portfolio services.

Important Regulatory Conditions

Under the VASP Act:

• Only Seychelles-incorporated companies (domestic entities or International Business Companies – IBCs) may apply.
• Individuals cannot hold a VASP licence.
• Certain activities are expressly prohibited, including:
  • crypto mining operations
  • mixing or tumbling services designed to obscure transaction traceability.

One of the most common causes of regulatory delays is misclassification of the business model. The FSA assesses the actual operational structure, not merely the description in the licence application.

FiveComply assists clients in mapping their operational model to the correct VASP licence category, ensuring regulatory alignment from the outset.

2. Minimum Capital Requirements for a Seychelles VASP Licence

The Virtual Asset Service Providers (Capital and Other Financial Requirements) Regulations, 2024 prescribe minimum paid-up capital requirements depending on the licence category.

Minimum capital thresholds include:

• USD 150,000 — Virtual Asset Exchange
• USD 75,000 — Virtual Asset Broker
• USD 25,000 — Virtual Asset Wallet (Custody) Service Provider
• USD 50,000 — Virtual Asset Investment Provider

Where a company applies for multiple VASP licence categories, capital requirements must reflect the combined risk exposure of the activities conducted.

The required capital must:

• Be fully paid-up
• Be supported by clear source of funds documentation
• Be maintained continuously after licensing

For crypto exchanges and custody providers, capital planning must reflect asset safeguarding obligations and operational risk, not merely statutory minimums.

FiveComply supports applicants with:

• source of wealth and source of funds analysis
• regulatory-aligned financial projections
• capital structuring strategies.

A robust capital framework significantly reduces regulatory queries and licensing delays.

3. Substance Requirements for VASP Companies in Seychelles

The Seychelles VASP framework requires genuine economic presence in the jurisdiction.

Applicants must demonstrate operational substance, including:

• a physical office in Seychelles
• at least two natural person directors
• at least one resident director
• a local Compliance Officer
• adequate staffing proportionate to the scale of operations
• board and management meetings conducted in Seychelles
• records accessible from the Seychelles office
• local complaint handling oversight

FiveComply supports VASP clients with:

• resident director solutions
• local compliance officer appointments
• complaints handling officer support
• physical office arrangements
• governance and operational structuring

This ensures the business meets both licensing requirements and ongoing substance expectations.

4. Governance Requirements and Key Appointments

Strong governance is a core requirement for obtaining a Seychelles VASP licence.

Board Requirements

• Minimum two natural person directors
• At least one director resident in Seychelles
• All directors must satisfy Fit and Proper criteria

Mandatory Key Functions

The regulatory framework expects the appointment of:

• Directors
• Compliance Officer
• Principal Officer(s)
• Information Security Officer
• External Auditor (to be appointed within 30 days of licensing)

Fit and Proper Assessment

The Fit and Proper Code for VASPs evaluates:

• professional experience
• industry competence
• financial soundness
• reputation and integrity
• absence of adverse regulatory findings.

Failure to appoint qualified and experienced individuals is one of the most common reasons for licensing delays or regulatory queries.

FiveComply conducts Fit and Proper pre-assessments prior to application submission to ensure regulatory expectations are met.

5. AML/CFT and Compliance Framework Requirements

VASPs licensed in Seychelles must maintain a comprehensive AML/CFT compliance framework aligned with:

• Seychelles AML legislation
• FATF recommendations
• FSA supervisory expectations.

Generic templates are easily identifiable and often lead to multiple regulatory queries.

FiveComply develops customised regulatory frameworks tailored to each VASP applicant’s operating model.

6. Ongoing Compliance Obligations for Seychelles VASPs

Obtaining a Seychelles VASP licence is only the first step. Licensed entities must comply with ongoing regulatory obligations.

These include:

• payment of annual licence fees
• submission of annual compliance returns
• substance reporting
• annual AML reporting
• cybersecurity reporting
• audited financial statements prepared under IFRS
• maintaining records for at least seven years

The FSA may also request access to transaction records or operational data where required.

FiveComply provides post-licensing compliance support, assisting VASPs with regulatory reporting and ongoing FSA engagement.

7. Seychelles VASP Application Assessment

The FSA reviews only complete licence applications. Incomplete submissions could be rejected.

Why Work with FiveComply for Seychelles VASP Licensing?

FiveComply’s Offshore Division specialises in crypto licensing and financial regulation across offshore jurisdictions.

Our expertise includes among others:

• Seychelles VASP licensing
• Seychelles Securities Dealer licences
• governance and Fit & Proper structuring
• AML/CFT framework development
• capital planning and regulatory alignment
• resident director and substance solutions
• post-licensing compliance support.

Each project is structured based on the client’s operational model, regulatory strategy and risk exposure, ensuring applications are fully aligned with FSA expectations.

8. Start Your Seychelles VASP Licence Application

Seychelles has emerged as a regulated jurisdiction for digital asset businesses, offering a structured framework for crypto exchanges, brokers and custody providers.

However, regulatory approval requires:

• correct licence categorisation
• strong governance structures
• genuine local substance
• robust AML/CFT controls
• strategic regulatory engagement.

If you are planning to launch or relocate a crypto business in Seychelles, our team can guide you through the entire VASP licensing process, from initial structuring to regulatory approval.

Secure your Seychelles VASP licence with confidence.

📧 info@fivecomply.com
🌐 fivecomply.com

Over the past few years, the United Arab Emirates has steadily transformed into one of the most attractive regulatory destinations for financial services firms seeking international expansion. What was once viewed primarily as a regional financial centre has evolved into a jurisdiction increasingly considered alongside established global regulatory hubs.

A key driver behind this development has been the evolution of the Capital Markets Authority (CMA) (ex-SCA) — and the continued maturation of its licensing and supervisory framework.

Today, firms are no longer approaching the UAE solely for commercial presence or market visibility. Instead, they are seeking regulated status under the CMA as part of broader strategic expansion plans, often through licensing structures such as CAT-1 and CAT-5 authorisations aligned with their operational model.

 

A Shift in How Firms View UAE Regulation:

Historically, many financial institutions prioritised European licences for credibility and offshore jurisdictions for operational flexibility. The UAE now occupies a distinct middle ground: a jurisdiction offering both regulatory substance and commercial accessibility.

This balance has become particularly attractive to brokerage groups, fintech firms, investment intermediaries, and digital-asset related businesses aiming to diversify their regulatory footprint while maintaining proximity to rapidly growing investor markets across the Middle East, Africa, Europe and Asia.

Importantly, the CMA framework emphasises genuine operational presence. Licensing is increasingly focused on governance standards, compliance infrastructure, and clearly defined business models rather than purely formal registration. As a result, firms entering the UAE market are expected to demonstrate long-term commitment and regulatory readiness from the outset.

 

Increasing Regulatory Interest — and Why Now:

Recent market developments suggest a noticeable acceleration in licensing interest. Firms are reassessing jurisdictional strategy amid evolving global regulatory expectations, rising operational scrutiny in traditional markets, and the need for geographically diversified structures.

The UAE offers several advantages within this context. Its regulatory environment is internationally aligned yet commercially pragmatic. In parallel, continued government investment in financial innovation has reinforced confidence among both startups and established institutions.

In parallel with this growing interest, demand has increased for both CAT-1 and CAT-5 licenses in the UAE, reflecting different operational approaches adopted by market participants. Under the CMA licensing framework, a CAT-1 licence in the UAE typically supports firms operating a full brokerage model, enabling them to onboard and service clients directly within the UAE under a fully regulated structure. By contrast, CAT-5 licence holders in the UAE generally focus on introduction and promotion activities, referring clients to other regulated entities while maintaining a regulated presence in the region.

For many applicants, a CMA licence is no longer viewed simply as market entry into the UAE, but as a strategic regulatory anchor supporting international growth.

 

Navigating the Licensing Process:

Despite growing interest, obtaining authorisation under the CMA framework remains a structured and detail-driven process. Applicants must clearly articulate their operating model, governance arrangements, and compliance controls, while ensuring alignment between commercial objectives and regulatory permissions.

In practice, challenges often arise not from regulatory complexity itself, but from misalignment between a firm’s intended activities and the licensing structure selected at the initial stage. Early strategic planning therefore plays a decisive role in determining both application timelines and overall success.

Regulator engagement also tends to be iterative, requiring applicants to demonstrate transparency, preparedness, and a clear understanding of local regulatory expectations.

 

FiveComply’s Perspective

At FiveComply, we have observed first-hand the increasing sophistication of firms approaching UAE CMA licensing, including successful applications for both CAT-1 and CAT-5 authorisations. Applications are becoming more strategic, with organisations seeking not only approval but sustainable regulatory positioning within the region.

Our role typically extends beyond application preparation to include regulatory structuring, governance design, and ongoing compliance alignment — ensuring that licensing outcomes support long-term operational objectives rather than short-term market entry.

 Having supported clients across multiple CMA licensing categories, we continue to see the UAE emerge as a central jurisdiction within global expansion strategies for financial services businesses.

 

Looking Ahead:

As financial regulation continues to evolve globally, jurisdictions capable of combining credibility, accessibility, and regulatory clarity are likely to attract sustained industry attention. The UAE, under the CMA framework, appears increasingly positioned within this group.

For firms evaluating their next stage of international growth, establishing a regulated presence in the UAE is becoming less a question of opportunity and more one of strategic timing. Success, however, depends not only on selecting the right jurisdiction, but on approaching licensing with a clear regulatory strategy and a well-structured operational model from the outset.

Against this backdrop, firms increasingly seek advisors with practical experience navigating the CMA framework and supporting applications beyond the initial approval stage.

With an active on-the-ground presence in Dubai and extensive experience supporting firms across multiple Capital Markets Authority (CMA) licensing categories, compliance implementation, and ongoing regulatory support, FiveComply assists financial institutions in establishing and scaling their regulated presence in the UAE with confidence.

 

Get in touch with our team:

📞 +357 25 34 00 25
📧 regulatory@fivecomply.com

Analysis of the Financial Services Authority’s 2024 Annual Report: Key Regulatory Developments and Sector Insights in Seychelles

 
1. Introduction

The Financial Services Authority (“FSA”) in Seychelles has published its 2024 Annual Report, outlining a year marked by regulatory consolidation, strengthened supervisory frameworks and closer alignment with international standards. As Seychelles continued refining its financial services landscape, the 2024 report provides clarity on the jurisdiction’s direction, priorities and progress across several core areas.

The article highlights and analyses the most significant developments of the past year, based on information published in the Report.

 

2. Implementation of the VASP Framework

The Virtual Asset Service Providers Act, 2024 (“VASP Act, 2024”) together with its suite of supporting regulations, became fully operational during the year. These instruments establish requirements for licensing, cybersecurity controls, client asset protection, advertising standards and the registration of ICOs and NFTs.

This framework brings Seychelles into alignment with FATF Recommendation 15 and positions the jurisdiction among the few in the region with a complete and modern regulatory regime for virtual asset activities. According to the Report, this is intended to safeguard market integrity while enabling innovation in areas such as digital assets and fintech.

 

3. Strengthened AML/CFT Oversight and Alignment with FATF

The Report outlines continued reforms to the national AML/CFT framework, driven by the FSA, the Central Bank of Seychelles and the FIU. Notable outcomes include the upgrade of FATF Recommendation 4, which concerns the ability of a jurisdiction to freeze, seize and confiscate of crime through effective legal and operational measures, to Compliant. The ongoing implementation of the AML/CFT Act, 2020 and related Beneficial Ownership reforms and coordinated supervision across sectors further strengthened the jurisdiction’s ability to detect, prevent and respond to financial crime risks.

 

4. Removal from the EU Blacklist and Progress on Tax Transparency

The Report confirms that Seychelles was removed from the EU’s Annex I (i.e. commonly referred to as “Blacklist”) and placed on the grey list in February 2024, awaiting the results of the supplementary review in 2025. The shift followed substantive legislative updates on ownership information and the submission of a request for an OECD Global Forum supplementary review, which was scheduled for 2025.

The move to the grey list reduced reputational and operational risks for the jurisdiction, while the upcoming supplementary review underscores the need for continued improvement in information availability and exchange-of-information practices.

 

5. Advancement of International Organisation of Securities Commissions (IOSCO) Technical Assistance

During the year, the FSA finalised the ‘Terms of Reference for a Technical Assistance’ programme with IOSCO. This programme will review the legal and supervisory framework governing securities, identify deficiencies and recommend the reforms necessary for Seychelles to meet the IOSCO Multilateral Memorandum of Understanding standards.

The Report notes that this work forms the basis for Seychelles’ planned reapplication for Ordinary Membership and MMoU signatory status. Achieving these milestones would significantly strengthen cross-border regulatory cooperation and enhance the jurisdiction’s standing in global capital markets.

 

6. Continued Economic Growth Driven by Tourism and ICT

The economic section of the Report demonstrates that Seychelles recorded real GDP growth of 3 percent in 2024. Growth was supported primarily by tourism, with 352,762 visitors arriving during the year, and by the ICT sector, which expanded by 10 percent as digitalisation efforts intensified.

Although external pressures such as higher freight costs and a weaker rupee affected inflation and operating conditions, the Report highlights a stable overall economic environment, which supports the ongoing development of the non-bank financial services sector.

 

7. Strengthening Institutional Capacity and Risk Management

The Report highlights internal advancements within the FSA, particularly in governance, staff development and risk management. Key initiatives included the development of strategic risk management documents, enhancements to internal audit processes and the introduction of Strategic Planning Champions to support implementation of the 2021-2025 Strategic Plan.

 

 

8. Conclusion

The 2024 Annual Report demonstrates continued progress in strengthening Seychelles’ regulatory frameworks and institutional capacity. The developments in digital asset regulation, AML/CFT alignment, tax transparency, international cooperation and internal governance reflect a jurisdiction prioritising stability, transparency and long-term credibility.

Looking ahead, Seychelles is positioned for a pivotal year as it moves toward further FATF re-ratings, the Global Forum supplementary review and renewed engagement with IOSCO. The direction set in the 2024 Annual Report suggests continued regulatory strengthening, greater international alignment and a more structured supervisory environment for firms operating in the jurisdiction.

For business entering or operating in Seychelles, FiveComply provides streamlined licensing and compliance solutions aligned with the latest regulatory developments, from digital asset regulation to strengthened AML/CFT and transparency standards.

 

Disclaimer: This article is provided for general informational purposes only and does not constitute legal, regulatory or professional advice. Readers should seek independent advice before taking any action based on the information contained herein.