FSC Mauritius Issues New Guidelines on the Frequency of Customer Due Diligence Reviews

The Financial Services Commission (FSC) Mauritius has issued new Guidelines on the Frequency of Customer Due Diligence (CDD), providing greater clarity on the timing and frequency of customer reviews that financial institutions and other regulated entities must undertake as part of their AML/CFT obligations.

Issued under the Financial Services Act and the Financial Intelligence and Anti-Money Laundering Act (FIAMLA), the Guidelines become effective on 8 June 2026 and introduce specific minimum review periods for existing customers based on their risk profile.

Why the Guidelines Matter

Customer Due Diligence is a cornerstone of an effective AML/CFT framework. While firms have long been required to maintain up-to-date customer information and conduct ongoing monitoring, the FSC has now formalised minimum review frequencies to ensure that customer information remains accurate, relevant and risk sensitive.

The Guidelines emphasise that relying solely on trigger events is no longer sufficient. Instead, firms are expected to implement periodic reviews of customer information even where no specific event has occurred.

Minimum CDD Review Frequencies

Under the new Guidelines, firms are expected to conduct reviews of existing customer due diligence information at the following minimum frequencies:

Customer Risk Category    Minimum Review Frequency
High Risk                 At least once every year
Medium Risk               At least once every three years
Low Risk                  At least once every four years

These review periods represent minimum requirements and firms may choose to conduct reviews more frequently where justified by their risk assessment.

Trigger Events Still Apply

The FSC has clarified that periodic reviews do not replace event-driven reviews.

CDD reviews must also be undertaken whenever significant events or circumstances arise, including:

  • Material changes in ownership or management structures;
  • Changes in the risk classification of the customer’s jurisdiction;
  • Identification of a Politically Exposed Person (PEP);
  • Inconsistencies in customer information or verification documents;
  • Expired or invalid identification information;
  • Adverse media or negative information identified through screening processes; and
  • Requests for new products or services that carry a higher level of risk.

The list is not exhaustive, and firms are expected to exercise professional judgment in identifying circumstances that warrant additional due diligence.

One-Year Implementation Period

The FSC expects licensees to establish and implement appropriate procedures and timelines to comply with the new requirements.

Importantly, reviews of existing customers should be completed within one year from the effective date of the Guidelines. This means firms should begin assessing their customer populations, risk classifications, and existing review schedules without delay.

Practical Considerations for Licensees

The new requirements present an opportunity for regulated entities to reassess the effectiveness of their AML/CFT frameworks. Firms should consider:

  • Reviewing customer risk-rating methodologies;
  • Ensuring customers are appropriately categorised as low, medium or high risk;
  • Implementing automated review reminders and monitoring controls;
  • Updating AML/CFT policies and procedures;
  • Maintaining clear audit trails of completed reviews; and
  • Ensuring adequate compliance resources are available to meet review deadlines.

Particular attention should be given to high-risk customers, where annual reviews will now be a minimum regulatory expectation.

Regulatory Consequences of Non-Compliance

The FSC has indicated that compliance with the Guidelines will be supervised and enforced through its regulatory powers.

Failure to comply with directions issued by the FSC may result in regulatory action and may expose firms to sanctions under the Financial Services Act, including financial penalties and other enforcement measures.

How FiveComply Can Assist

The implementation of risk-based CDD review cycles may require enhancements to compliance frameworks, customer risk assessment methodologies, monitoring procedures and governance arrangements.

FiveComply assists regulated entities in Mauritius and other international financial centres with:

  • AML/CFT framework reviews;
  • Customer risk assessment methodologies;
  • Independent AML audits;
  • Compliance monitoring programmes;
  • Regulatory gap analyses; and
  • Ongoing compliance support.

For further information on how these Guidelines may affect your business, please contact our team.

 

Disclaimer: This article is provided for general informational purposes only and does not constitute legal, regulatory, tax, or professional advice. Readers should seek independent professional advice before acting on any information contained herein.

Author

Nayia Xiari

Partner / General Manager – Offshore Division

End of Transition Period Approaches for Seychelles Securities Dealers

The Securities (Amendment) Act, 2024 and related regulations, which came into force on 1 January 2025, introduced a number of changes affecting the operations and compliance obligations of Seychelles Securities Dealers. Existing licensees were granted an 18-month transition period to implement the new requirements, with compliance required by 30 June 2026.

As the transition period draws to a close, securities dealers should assess whether any additional measures are required to comply with the amended requirements. Some of the key changes are outlined below.

 

Enhanced Local Presence and Oversight

Licensed entities are required to maintain at least two resident fit and proper individuals in Seychelles who serve as directors, compliance officers or members of managerial staff.

 

Improved Client Classification and Investor Protection

The amended Conduct of Business Regulations introduced client classification requirements, under which securities dealers must categorise clients as either retail or professional clients.

For certain leveraged and higher-risk products, securities dealers must conduct appropriateness assessments to determine whether a retail client possesses sufficient knowledge, experience and financial capacity to understand and absorb the associated risks.

The regulations also limit a retail client’s liability to the funds held in the client’s trading account.

 

Strengthened Complaint Handling Requirements

Licensed entities are required to appoint a resident individual responsible for complaints handling and establish internal procedures for managing complaints effectively. These procedures must be submitted to the Seychelles Financial Services Authority for approval before implementation.

 

The amended regulations also introduced specific requirements relating to the documentation of client complaints and the maintenance of a complaints database.

 

Clearer Risk Warnings for Investors

Securities dealers must include prominent risk warnings in their advertisements. These warnings must inform investors about potential losses, the risks associated with leveraged trading and the complexity of products such as CFDs, futures and options.

These warnings must be clearly displayed, including on websites and mobile applications.

 

Higher Capital Requirements

The reforms increased the minimum issued and paid-up capital requirement for securities dealers from US$50,000 to US$100,000. The capital must also be maintained in an approved bank account.

 

For further information on the amendments, please contact FiveComply.

 

Disclaimer

For information purposes only. This publication does not constitute legal, regulatory, financial or investment advice.

 

Author

Sheila Chua

Outsourced Compliance Officer

Why AML Audits Matter in Mauritius: Key FSC Expectations for Regulated Entities

Mauritius continues to strengthen its position as a reputable international financial centre through an increasingly robust Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) framework. As the jurisdiction aligns more closely with Financial Action Task Force (FATF) standards, the Financial Services Commission (FSC) has placed growing emphasis on governance effectiveness rather than purely procedural compliance.

Recent FSC enforcement actions demonstrate a clear regulatory trend: AML compliance is no longer assessed solely on the existence of policies and documentation, but on whether governance frameworks operate effectively in practice.

For FSC-regulated entities, including Global Business Licence (GBL) entities, investment firms, insurers, and a wide range of licensed intermediaries, this means AML governance must become more proactive, risk-based, and operationally integrated.

At FiveComply, we support licensed and licence-seeking entities in Mauritius and internationally with AML governance reviews, compliance assessments, independent AML audits, and regulatory readiness projects aligned with FSC expectations and international best practice.

1. The Regulatory Landscape in Mauritius

AML/CFT obligations in Mauritius are primarily governed by the Financial Intelligence and Anti-Money Laundering Act (FIAMLA), supported by the Financial Intelligence and Anti-Money Laundering Regulations, FSC-issued codes, and the detailed guidance set out in the FSC Handbook.

The FSC applies a risk-based supervisory approach aligned with FATF standards. Regulated entities are therefore expected not only to implement AML controls, but also to demonstrate that those controls are proportionate to their risk profile, properly implemented, and continuously monitored.

2. What AML Governance Means in Practice

Under FSC expectations, effective AML governance is generally built around:

  • Board and senior management oversight
  • Independent compliance functions
  • Enterprise-wide risk assessments (EWRA)
  • Clear escalation and reporting procedures
  • Internal audit and independent assurance
  • Risk-based customer due diligence and monitoring

A key regulatory expectation is that AML responsibility cannot be delegated entirely to compliance teams. Boards and senior management remain ultimately accountable for the effectiveness of the AML framework.

From our experience at FiveComply, many governance weaknesses observed in practice stem not from the absence of policies, but from the lack of meaningful oversight, ownership, and operational integration of those policies.

3. Common Weaknesses Identified in FSC Enforcement Actions

FSC enforcement actions continue to highlight recurring deficiencies across regulated entities.

Limited Board Engagement in AML Oversight

Boards often receive AML reporting without sufficient challenge, documentation, or active involvement in risk management decisions.

At FiveComply, we regularly support boards and senior management teams in strengthening AML reporting frameworks to ensure that oversight is both structured and demonstrable.

Weak or Static Enterprise-Wide Risk Assessments

Enterprise-wide risk assessments are frequently generic, outdated, or poorly connected to operational controls and onboarding processes.

Customer Due Diligence and Beneficial Ownership Gaps

Common issues include incomplete KYC files, insufficient beneficial ownership verification, and inconsistent application of enhanced due diligence measures.

Ineffective Transaction Monitoring Frameworks

Regulators increasingly focus on whether monitoring systems are properly calibrated, alerts are meaningfully investigated, and suspicious activity escalation processes function effectively.

Weak Compliance Function Independence

Insufficient resourcing, unclear reporting lines, and operational interference can significantly reduce the effectiveness of AML compliance functions.

4. Enforcement Actions Reflect Broader Regulatory Expectations

FSC enforcement actions should not be viewed purely as punitive measures. They also provide insight into the regulator’s evolving supervisory priorities.

Regulated entities are increasingly expected to demonstrate not only that controls exist, but that they are effective in practice and supported by appropriate governance structures.

In this environment, proactive governance reviews and independent AML assessments are becoming increasingly important components of regulatory preparedness.

5. Key Lessons for Regulated Entities

Based on current enforcement trends, regulated entities should focus on:

  • Embedding AML governance at board level
  • Maintaining dynamic and evidence-based risk assessments
  • Ensuring compliance functions are independent and properly resourced
  • Strengthening internal audit and independent AML testing
  • Enhancing governance documentation and escalation frameworks

At FiveComply, we assist regulated entities in Mauritius with AML governance assessments, EWRA reviews, independent AML audits, remediation projects, and FSC regulatory readiness support aligned with evolving regulatory expectations and international best practices.

As FSC supervision continues to evolve towards effectiveness-focused compliance, proactive governance reviews and independent AML assessments are becoming essential for regulated entities seeking to strengthen their AML/CFT frameworks and reduce regulatory risk.

Disclaimer
This article is provided for general informational purposes only and does not constitute legal, regulatory, or tax advice.

Author

Maria Andreou

Regulatory Audit Supervisor – Offshore Division

The Evolving Role of Internal Audit in Cyprus Regulated Firms

The Internal Audit Function forms an important part of the governance and internal control framework of Cyprus regulated firms. Both the Cyprus Securities and Exchange Commission (“CySEC”) and the Central Bank of Cyprus (“CBC”) require regulated entities to maintain an independent Internal Audit Function responsible for assessing the adequacy and effectiveness of the institution’s systems, internal controls, policies, and procedures, in a manner proportionate to the nature, scale, and complexity of its activities.

In parallel, increasing regulatory focus on ICT risk management and operational resilience, particularly following the introduction of DORA, has further expanded supervisory expectations relating to internal control and assurance functions.

 

CySEC Expectations for Internal Audit Functions

CySEC’s framework, including Circular C056 and subsequent supervisory guidance, places particular emphasis on the provision of independent assurance to the Board of Directors and Senior Management on the quality and effectiveness of the regulated entity’s internal control, risk management and governance systems and processes. This includes the assessment of internal controls, governance arrangements, AML/CFT procedures, and ICT and cybersecurity controls.

In relation to ICT and cybersecurity risks, recent CySEC Circular C751 relating to the requirements of Regulation (EU) 2022/2554 (“DORA”) states that ICT risk management frameworks are expected to be subject to regular internal audit reviews in line with the regulated entity’s audit plan and ICT risk profile. CySEC further emphasises the importance of appropriate segregation and independence between ICT risk management functions, control functions, and internal audit functions, as well as the establishment of formal follow-up procedures for the remediation of ICT audit findings.

Internal audit is expected to operate with an unrestricted scope covering all activities of the regulated entity, including outsourced activities. In determining the scope of its work, the Internal Audit Function is expected to independently identify and assess the key risks faced by the institution, including emerging and systemic risks, and evaluate how effectively these risks are being managed.

There should be no impediment to the Internal Audit Function’s ability to challenge senior management and report its concerns to the Board of Directors (“Board”).

The Internal Auditor is also responsible for establishing, implementing, and maintaining a risk-based internal audit plan. Audit planning is expected to focus on areas where risks are considered higher, while also taking into consideration the views of the Board and other control functions.

 

CySEC’s framework also places emphasis on the content and quality of Internal Audit Reports (“IA Reports”). IA Reports are expected to include:

  • an overall description of the institution’s internal control, risk management, and governance framework;
  • a description of the audit plan and the risk-based approach followed;
  • details of regular and/or extraordinary audits performed;
  • major findings and weaknesses identified during the audit process;
  • recommendations proposed in relation to identified findings and deficiencies;
  • management responses and corrective actions taken;
  • any outstanding issues where remediation measures remain pending or insufficient; and
  • follow-up procedures relating to previously identified findings and outstanding matters.

CySEC also expects IA Reports to be discussed by the Board, with Board minutes clearly documenting the corrective measures to be taken and the timetable for their implementation. The IA Report must be submitted to CySEC along with the minutes within 20 days from the date of the relevant meeting and not later than 4 months from the end of the calendar year.

 

The Central Bank of Cyprus’s (“CBC”) Expectations for Internal Audit Functions

The CBC has also increased supervisory focus on the content, scope, structure, and quality of IA Reports submitted by Electronic Money Institutions and Payment Institutions.

The recent CBC Guidance, issued in January 2026, sets out the CBC’s minimum expectations regarding the annual submission of IA Reports and emphasises that institutions should uphold high standards of independence, professionalism, and transparency in the execution of their Internal Audit Functions.

The CBC further states that institutions are encouraged to utilise the IA Report as a strategic tool for risk management and continuous improvement, rather than merely as a regulatory compliance deliverable.

 

According to the CBC Guidance, each IA Report should commence with a concise Executive Summary which should:

  • clearly state the audit scope, areas assessed, timeframe covered, and any exclusions or limitations concerning key risk areas;
  • provide the Internal Auditor’s opinion on the overall internal control environment of the institution;
  • summarise key audit findings, systemic weaknesses, and high-level recommendations for improvement; and
  • include comments on remediation progress, management corrective actions, and relevant timelines.

The CBC also states that the Audit Plan for the forthcoming year (for the year ending 31 December 2025) should be risk-based and forward-looking and communicated to the relevant approving Board Authority in a timely manner. The Internal Auditor is expected to determine audit work based on the severity and criticality of the respective risks and verify the integrity of processes ensuring the reliability of the institution’s methods, techniques, assumptions, and information sources used in internal calculations and models.

 

The CBC further expects IA Reports to include:

  • reference to the audit area or section reviewed;
  • detailed description of identified deficiencies and the audit work performed, including the sample selected for review;
  • classification of findings according to risk level and potential adverse impact;
  • recommendations for corrective actions;
  • management responses, agreed remediation plans, and expected timeframes for resolution; and
  • follow-up on outstanding issues from previous audit engagements, including implementation status, delays, responsible owners, and updated target completion dates.

The CBC Guidance also states that Internal Auditors are expected to cover, on a yearly basis, key operational areas including:

  • safeguarding of client funds;
  • adequacy of governance arrangements;
  • outsourcing arrangements and their review/monitoring;
  • ICT risks;
  • AML/CFT framework and monitoring;
  • controls relating to ongoing compliance with licensing obligations and capital adequacy requirements; and
  • controls relating to the ongoing correctness of regulatory reporting submissions.

In relation to ICT risks, the CBC specifically refers to the review of the ICT risk management framework and the ICT response and recovery plans under Regulation (EU) 2022/2554 (DORA). The Guidance also notes that micro-enterprises may perform these procedures on a best-effort basis.

Finally, the CBC states that IA Reports should be formally reviewed and approved by the institution’s Board of Directors, with Board minutes documenting the discussion and approval of the report made available to the CBC upon request.

 

Final Remarks

The role of internal audit within Cyprus regulated firms continues to evolve in line with increasing regulatory expectations relating to governance, internal controls, risk management, and operational resilience.

As regulatory frameworks continue to develop, Internal Audit Functions are expected to maintain effective and independent assurance processes capable of supporting sound governance and appropriate oversight of the institution’s activities.

A well-structured Internal Audit Function contributes not only to regulatory compliance, but also to the ongoing assessment and strengthening of the institution’s control environment and governance framework.

At FiveComply, we support Cyprus regulated firms through the provision of risk-based Internal Audit services tailored to the nature, scale, and complexity of each institution’s activities, while taking into consideration the evolving expectations of CySEC, the CBC, and the broader European regulatory framework. We seek to adopt a holistic approach in assessing the institution’s governance, control, risk management, operational, and compliance frameworks, while applying a risk-based methodology that places greater focus on areas carrying higher levels of risk and regulatory significance.

Author

Konstantina Makri

Compliance Associate – EU & MENA Region

How to Get a Seychelles Securities Dealer License: Requirements, Process & Benefits

Seychelles remains a popular jurisdiction for forex brokers, CFD providers and, more generally, international financial groups seeking a regulated and commercially practical licensing framework.

A Securities Dealer Licence, issued by the Financial Services Authority (FSA) Seychelles, allows a company to conduct securities dealing activities under a recognised regulatory framework. For entities looking to expand internationally, the Seychelles SDL can be an attractive licensing route, provided that the application is properly structured from the outset.

At FiveComply, we support clients throughout the Seychelles Securities Dealer Licence application process, from the initial structuring stage to company incorporation, preparation of the application package and communication with the FSA.

1. What is a Seychelles Securities Dealer Licence?

A Seychelles Securities Dealer Licence, also known as an SDL, authorises a company to carry out securities dealing activities from Seychelles, subject to the scope approved by the FSA.

The FSA will assess the overall strength of the applicant, including its business model, ownership structure, financial position, governance arrangements, key appointments and operational readiness.

For this reason, the application should be prepared carefully and consistently, with all supporting documents aligned with the proposed activities of the company.

2. Minimum Capital and Structure Requirements

A key part of the Seychelles SDL application is ensuring that the company has a proper corporate and capital structure.

The current capital requirement for a Seychelles Securities Dealer Licence is USD 100,000. The applicant must be able to demonstrate that the capital is properly supported and that the structure is transparent and suitable for the proposed regulated business.

From a structuring perspective, the FSA will generally expect the applicant to have:

  • a properly incorporated Seychelles company;
  • a minimum of two fit and proper directors;
  • a minimum of two shareholders (corporate/legal entity or individuals);
  • at least one fit and proper director resident in Seychelles;
  • a complaints officer resident in Seychelles;
  • a fit and proper compliance officer (outsourced or in-house) resident in Seychelles;
  • clearly identified ultimate beneficial owners;
  • sufficient KYC and due diligence documentation for all key persons; and
  • a clear group structure, where corporate shareholders are involved.

The structure should be properly demonstrated, transparent and supported by proper due diligence documentation. Where corporate shareholders are involved, the ownership chain must be clearly presented to the FSA.

At FiveComply, we add value throughout the licensing process by helping clients review the proposed structure before submission, which helps to identify issues and prevent delays or additional regulatory queries.

3. Incorporation and SDL Application Process

The Seychelles SDL process begins with the proper setup of the applicant company as a domestic entity and the preparation of a complete application package for submission to the FSA.

At this stage, FiveComply takes a proactive and structured approach to ensure that the company is established under the correct corporate structure and in line with the intended licensing structure from the outset. Our team focuses on early identification of potential gaps, alignment of the corporate structure with the SDL requirements, and efficient coordination of the documentation required for the application.

Following incorporation, FiveComply prepares and coordinates the Securities Dealer Licence application package, ensuring that the business plan, policies, manuals, due diligence documentation and supporting information are consistent, professionally presented and aligned with the FSA’s expectations.

By managing the process efficiently and maintaining a regulator-focused approach, FiveComply helps clients reduce avoidable delays, respond effectively to FSA queries and move through the licensing process with greater clarity and confidence.

4. Substance Requirements

Substance is an important element of the Seychelles SDL application and is assessed in line with the applicant’s proposed activities and overall operating model.

As part of the application, the applicant is expected to demonstrate appropriate arrangements in Seychelles, including a suitable local business office, resident director arrangements, compliance and complaints handling functions and other operational arrangements relevant to the proposed business.

The substance structure should be proportionate to the scale and nature of the company’s activities and should be clearly reflected in the application documents, including the business plan, manuals and supporting information submitted to the FSA.

FiveComply can assist clients in assessing the appropriate substance approach for their proposed structure and, where required, coordinate the relevant local arrangements in Seychelles.

Through our established local presence and dedicated team of experts, we have developed a strong network of qualified and fit-and-proper professionals, allowing us to provide suitable and flexible solutions across our extensive international client portfolio.

5. Governance Requirements and Key Appointments

Governance is a central part of the FSA’s assessment.

The applicant must demonstrate that the company will be managed and controlled by suitable individuals with the necessary experience, integrity and understanding of the proposed regulated activities.

Key appointments include the Directors, Securities Dealer Representative, Compliance Officer, and Alternate Compliance Officer (where applicable).

The Securities Dealer Representative (SDR) is an important appointment in the SDL application. The SDR acts on behalf of the licensee in relation to securities business and should have relevant experience in securities dealing, brokerage, investment services or a related regulated environment.

The FSA will review the background and suitability of the proposed key persons as part of its fit and proper assessment. Therefore, selecting the right individuals from the beginning is essential for a strong application and this is where FiveComply’s expertise could be utilised.

6. Why Work with FiveComply for Seychelles SDL Licensing?

At FiveComply, our involvement goes beyond the preparation of application documents. We work with clients from the initial structuring stage to ensure that the proposed setup is commercially practical, operationally scalable and aligned with the expectations of the FSA Seychelles under the applicable Securities Act framework.

As a leading provider in Seychelles and through our experience in Seychelles licensing projects, we understand the regulatory and practical considerations surrounding corporate structure, capital planning, governance, local substance, key appointments and application preparation.

FiveComply has also established a strong operational network in Seychelles, working with local professionals and stakeholders involved in the licensing process. This allows us to provide efficient, practical and well-coordinated support throughout the SDL application journey.

Our Seychelles SDL licensing package includes:

  • assessment of the proposed corporate and ownership structure;
  • evaluation of CVs of proposed individuals;
  • guidance on Securities Dealer Licence requirements;
  • support with capital, governance and substance planning;
  • preparation of business plans and financial projections;
  • drafting of internal manuals, policies and operational documentation;
  • guidance on the appointment of the resident director and local office requirements;
  • provision of Compliance Officer and guidance on AML/CFT arrangements;
  • coordination with local professionals and service providers;
  • appointment of Complaints Officer;
  • preparation of the SDL application package;
  • regulatory communication and application management with the FSA, including regular follow-ups with the FSA officers.

 

Whether a business is launching a new brokerage, expanding into Seychelles or strengthening an existing international setup, proper structuring and preparation from the outset can make a significant difference to the licensing process.

If you are considering a Seychelles Securities Dealer Licence application, FiveComply can assist in assessing your proposed structure and preparing a clear, complete and professionally presented application for submission to the FSA.

Disclaimer

This article is provided for general informational purposes only and does not constitute legal or tax advice.

Author

Elli Crystalli

Licensing Associate – Offshore Division

Beyond Reporting: How Cyprus Investment Firms Can Strengthen Compliance Under CySEC

For Cyprus Investment Firms (CIFs), compliance is often treated as a reporting requirement. In reality, CySEC’s expectations extend well beyond the preparation of annual reports or the maintenance of policies.

The regulator’s focus is increasingly directed toward whether firms can demonstrate a coherent, functioning control environment, supported by proper oversight, documented testing, and consistent internal reporting. In this context, regulatory reports are not assessed in isolation, but as a reflection of how effectively the firm manages compliance in practice.

 

Reporting as an Indicator of Control Effectiveness:

CIFs are required to prepare a number of recurring reports, including the Compliance Officer Report, the Annual AML Report, the Risk Management Report, and prudential assessments such as Pillar II / ICARA.

These reports are expected to be:

  • aligned with the firm’s actual operations and risk profile;
  • supported by documented testing and verifiable data; and
  • consistent across compliance, AML, and risk functions.

Where this is not the case, weaknesses in reporting often point to broader gaps in governance or control processes.

 

Where Firms Commonly Face Difficulties:

In practice, challenges tend to arise not from a lack of regulatory awareness, but from how compliance is structured and implemented internally.

Typical issues include:

  • reliance on generic templates that are not tailored to the firm’s business model;
  • findings that are not clearly supported by underlying testing;
  • inconsistencies between internal reports, policies, and Board documentation; and
  • limited linkage between identified risks and concrete remediation actions.

These gaps can become evident during CySEC reviews and may lead to increased supervisory scrutiny. 

 

The Shift Toward Evidence-Based Compliance:

Supervisory expectations have evolved toward a more evidence-driven approach. It is no longer sufficient to confirm that controls exist; firms must be able to demonstrate how those controls operate in practice.

This includes:

  • clearly defined monitoring and testing methodologies;
  • documented evidence supporting key conclusions;
  • regular assessment of control effectiveness; and
  • structured escalation and follow-up of identified issues.

This shift reinforces the need for a more organised and integrated compliance framework.

 

How FiveComply Adds Value:

At FiveComply, our approach to CySEC compliance support is focused on substance rather than form. We work closely with firms to ensure that regulatory reporting reflects actual operations, risks, and controls.

Our support includes:

  • preparation and review of the Annual Compliance Report, ensuring alignment with CySEC expectations and Circular C553;
  • drafting of the Annual AML Report, including risk analysis, client profiling, and assessment of monitoring systems;
  • preparation of the Risk Management Report, with emphasis on risk identification, measurement, and mitigation;
  • support with Pillar II / ICARA assessments, including capital adequacy analysis and stress testing considerations;
  • development and enhancement of Compliance Monitoring Programmes and testing frameworks;
  • alignment of reports with Board of Directors minutes, ensuring consistency and proper governance documentation.

Particular attention is given to ensuring that findings are clear, evidence-based, and linked to practical and proportionate recommendations. 

 

Enhancing Board Oversight and Regulatory Readiness:

Well-structured compliance reporting supports more effective Board oversight. It allows directors to:

  • understand the firm’s key regulatory risks;
  • assess the adequacy of internal controls;
  • make informed decisions on remediation and resource allocation; and
  • demonstrate active involvement in the firm’s compliance framework.

From a supervisory perspective, consistent and well-documented reporting also enhances the firm’s regulatory credibility and readiness for CySEC reviews or inspections. 

 

A Continuous Process, Not a One-Off Exercise:

Compliance reporting under the CySEC framework is not a static requirement. It requires ongoing monitoring, periodic reassessment, and timely updates to reflect changes in the firm’s operations, risk profile, and regulatory landscape.

Firms should therefore ensure that:

  • reporting processes are embedded within their governance structure;
  • control functions operate in a coordinated and consistent manner; and
  • identified weaknesses are tracked and addressed in a timely and documented way.

 

Final Remarks:

CySEC compliance is not assessed based on the existence of documents alone, but on the strength and consistency of the framework behind them.

Structured compliance support plays a critical role in ensuring that firms can demonstrate this in practice. By aligning reporting, monitoring, and governance processes, firms are better positioned to meet regulatory expectations and manage risk effectively.

FiveComply supports Cyprus Investment Firms with practical, structured, and tailored compliance support, ensuring that reporting obligations are met in a way that is both regulator-ready and operationally meaningful.

Author

Andrea Savvidou

Head of Compliance Support – EU & MENA Region

Seychelles Data Protection Act 2023: DPO Requirements for Securities Dealers Explained

The introduction of the Data Protection Act, 2023 in Seychelles marks a significant step toward strengthening data privacy and regulatory compliance across the financial services sector. For Securities Dealers, the Act brings increased scrutiny on how personal data is collected, processed, stored, and protected, particularly in an environment where digital onboarding, cross-border operations, and continuous client monitoring are standard practice.

One of the most frequently asked questions is whether a Data Protection Officer (DPO) must be appointed. The answer is not absolute. The legislation does not impose a blanket obligation on all entities. Instead, it introduces a conditional requirement, meaning that the need to appoint a DPO depends on the nature, scale, and scope of the organisation’s data processing activities.

The Data Protection Act applies broadly to both public and private entities operating in Seychelles that process personal data through structured or automated systems. Its primary objective is to protect individuals’ right to privacy while ensuring that organisations handle data in a transparent and accountable manner. For Securities Dealers, this includes handling client onboarding documentation, conducting KYC and AML checks, monitoring transactions, maintaining client communication records, and storing financial and identification data over extended periods.

Under the Act, a Data Protection Officer is required in situations where an organisation’s core activities involve large-scale processing of personal data, regular and systematic monitoring of individuals, or the processing of sensitive personal data on a significant scale. In the context of Securities Dealers, these criteria may become relevant given the continuous nature of transaction monitoring, the volume of client data processed, and the sensitivity of financial information handled. However, whether a specific firm meets these thresholds is not automatic and should be assessed on a case-by-case basis, taking into account factors such as client base, transaction volume, system architecture, and operational complexity.

Even in cases where the appointment of a DPO is not strictly required, many Securities Dealers choose to designate one as part of a broader compliance and governance framework. This reflects a growing recognition that data protection is closely linked to regulatory risk, operational integrity, and client trust. A DPO can provide oversight on how personal data is handled across the organisation, ensure that policies and procedures remain aligned with regulatory expectations, and act as a central point of coordination for data protection matters.

The role of a DPO also becomes particularly relevant in managing interactions with the Information Commission, which is the competent authority responsible for enforcing the Act. In practice, this may include supporting the firm during regulatory inspections, responding to queries, and facilitating communication in the event of a data protection concern or incident. In addition, the DPO plays an important role in ensuring that data subject rights such as access, rectification, deletion, and objection to processing are handled efficiently and in accordance with the law.

The Act places considerable emphasis on accountability. Securities Dealers are expected to implement appropriate technical and organisational measures to safeguard personal data, maintain accurate records of processing activities, and ensure that data is processed lawfully and for clearly defined purposes. This includes adopting internal controls, access restrictions, data retention policies, and security safeguards that are proportionate to the risks associated with their operations. Firms are also expected to assess potential risks through mechanisms such as data protection impact assessments, particularly where processing activities may affect the rights and freedoms of individuals.

Another important aspect of the framework is the handling of personal data breaches. Where a breach occurs, firms may be required to notify the regulator within a specified timeframe and, in certain cases, inform affected individuals. This further highlights the importance of having clear internal procedures and defined responsibilities for incident management, whether or not a formal DPO has been appointed.

Failure to comply with the Data Protection Act can expose firms to regulatory action, including enforcement measures and financial penalties. The Information Commission has the authority to investigate, issue enforcement notices, and impose sanctions where necessary. Beyond regulatory consequences, there is also a clear reputational dimension. In an industry built on trust, the ability to demonstrate strong data protection practices is increasingly seen as a key element of sound governance and responsible business conduct.

In conclusion, while the appointment of a Data Protection Officer is not universally mandatory under the Data Protection Act, 2023, it becomes relevant in specific circumstances tied to the scale and nature of data processing. For many Securities Dealers, evaluating this requirement is an important step in aligning with regulatory expectations and strengthening their overall compliance framework. Taking a proactive approach to data protection not only supports compliance but also contributes to long-term operational resilience and client confidence.

Need guidance on how to comply with the requirements, or tailored advice on data protection and the appointment of a DPO? Contact FiveComply today.

Disclaimer

This article is provided for general informational purposes only and does not constitute legal or tax advice.

Author

Nicole Zodiatou

Head of Compliance Support – Offshore Division

Mauritius AMLA 2026: Key Changes to AML Law and Compliance Requirements

On 18 April 2026, Mauritius introduced a significant legislative reform with the enactment of the Anti-Money Laundering, Combatting the Financing of Terrorism and Countering Proliferation Financing (Miscellaneous Provisions) Act 2026 (“AMLA 2026”).

This landmark legislation represents a major advancement in Mauritius’ AML/CFT/CPF framework, strengthening the jurisdiction’s alignment with international standards and reinforcing its position as a robust and credible international financial centre.

Key Changes Under AMLA 2026

AMLA 2026 introduces wide-ranging amendments across multiple legislative frameworks, impacting financial institutions, virtual asset service providers (VASPs), securities dealers, and other regulated entities.

 

Key developments include:

  • Introduction of proliferation financing risk into the AML/CFT framework, requiring firms to expand their risk assessments and controls
  • Enhanced powers of authorities, including the Financial Crimes Commission and the Financial Intelligence Unit (FIU)
  • Revised statutory timelines (24h / 48h) for responding to regulatory and investigatory requests
  • Expanded beneficial ownership (BO) definitions, capturing control beyond direct shareholding
  • Strengthened customer due diligence (CDD) requirements, particularly for complex structures
  • Increased inter-agency information sharing, including with the Mauritius Revenue Authority
  • Introduction of a Centralised Information Management System (CIMS) to enhance data collection, analytics, and regulatory coordination

 

Impact on Companies

AMLA 2026 is not merely a regulatory update; it represents a fundamental shift in how AML/CFT/CPF compliance must be approached.

Companies should prioritise:

1. Gap Analysis
Conduct a comprehensive review of existing AML/CFT frameworks to identify gaps against AMLA 2026 requirements.

2. Policy & Procedure Updates
Update internal documentation to reflect:

  • Proliferation financing risk integration
  • Revised beneficial ownership definitions
  • Enhanced CDD and monitoring procedures
  • 24h/48h regulatory response protocols

3. Governance & Board Oversight
Ensure:

  • Board approval of updated policies
  • Clear accountability structures
  • Proper documentation and audit trails

Why AMLA 2026 Matters

The reforms introduced under AMLA 2026 highlight four key regulatory themes:

  • Speed – Immediate response expectations
  • Transparency – Enhanced beneficial ownership visibility
  • Accountability – Stronger enforcement powers
  • Integration – Increased coordination across authorities

For regulated entities, compliance must now be proactive, dynamic, and embedded across all business functions.

 

How FiveComply Adds Value

At FiveComply, we support financial institutions, and specifically Investment Dealers, in navigating complex regulatory changes.

 

We can support you with:

  • AMLA 2026 gap analysis and implementation roadmaps tailored to your business
  • Full review and drafting of AML/CFT/CPF policies and procedures
  • Beneficial ownership and CDD framework structuring aligned with regulatory expectations
  • Design of regulatory response frameworks to meet 24h / 48h deadlines
  • Board and governance advisory to ensure regulatory alignment
  • Ongoing compliance support, including compliance, reporting, and audits

Final Thoughts

Mauritius continues to strengthen its position as a well-regulated and internationally aligned financial centre. AMLA 2026 is a decisive step forward, but it also raises the bar for compliance expectations.

 

For firms operating in or through Mauritius, the focus must now shift from reactive compliance to strategic implementation. The question is no longer whether firms should adapt, but how quickly and effectively they can do so.

Those who act early will not only ensure compliance but gain a strategic advantage in an increasingly demanding regulatory landscape.

Get in touch with FiveComply to ensure your framework is fully aligned.

Disclaimer: This article is provided for general informational purposes only and does not constitute legal or tax advice.

Author

Nayia Xiari

Partner / General Manager – Offshore Division

From Code to Practice: How FiveComply Adds Value to Corporate Governance in Seychelles

The Seychelles Code of Corporate Governance is now in force and should be a priority area of focus for all affected FSA-regulated entities. Issued by the Financial Services Authority of Seychelles, the Code provides a formal governance framework intended to strengthen board accountability, internal controls, risk oversight, audit independence, corporate reporting, and conflict management across regulated businesses. The Code came into effect on 1 January 2026.

For regulated entities in Seychelles, this is not merely a governance guideline or best-practice recommendation. The Code expressly states that it has the force of law under section 33 of the Financial Services Authority Act, and failure to comply may expose a licensee, its directors, and its officers to regulatory consequences.

In practical terms, affected licensees should now be assessing whether their current governance arrangements are adequately aligned with the Authority’s expectations, including the structure and effectiveness of the board, committee oversight, internal audit arrangements, risk management systems, disclosure controls, and conflict of interest procedures.

1. Scope of Application

The Code applies to licensees under the following legislative frameworks:

  • International Corporate Service Providers Act
  • Securities Act (subject to limited exceptions)
  • Mutual Fund and Hedge Fund Act (subject to stated exceptions)
  • Virtual Asset Service Providers Act
  • Seychelles Gambling Act
  • Insurance Act

Accordingly, the Code is of direct relevance to a broad range of Seychelles-regulated entities, including securities dealers, VASPs, insurers, corporate service providers, and other licensed financial services businesses.

2. A Flexible Framework, But Not Optional Compliance

One of the key features of the Code is that it applies on an “apply or explain an alternative” basis. This allows some flexibility, recognising that governance structures may vary depending on the size, complexity, and operational model of the regulated entity. However, this should not be misunderstood as optional compliance. Where a principle cannot be implemented as written, the firm is expected to provide a proper explanation together with an appropriate alternative.

From a governance and regulatory perspective, firms should ensure that any alternative adopted is not only reasonable in theory, but also clearly documented, operationally effective, and capable of being justified to the Authority.

3. Key Governance Areas Covered by the Code

The Code is built around nine core principles:

  1. Board Role and Responsibilities
  2. Independence
  3. Composition and Appointment
  4. Corporate Culture
  5. Remuneration
  6. Risk Oversight
  7. Corporate Reporting
  8. Internal and External Audit
  9. Management of Conflict of Interest

Taken together, these principles require regulated entities to adopt a more disciplined and demonstrable governance framework. This includes effective board oversight, proper segregation of roles, formal committee structures where appropriate, annual risk assessments, internal control review mechanisms, and clear reporting lines across key control functions.

4. Internal Audit Requirements Under the Seychelles Code of Corporate Governance

One of the most significant aspects of the Code is its express focus on internal audit.

The Code provides that the board should oversee the establishment and maintenance of an effective system of internal control to properly manage risk, assets, and capital, measured against internationally accepted internal audit standards and tested annually for adequacy. It further states that companies should have a dedicated internal audit function with clearly defined oversight and reporting structures. Where such a function has not been established, the full reasons should be disclosed to the regulator, together with an explanation of how adequate assurance is otherwise being obtained in relation to the effectiveness of the internal control framework.

This requirement significantly elevates internal audit from a secondary control function to a central component of the company’s governance architecture.

5. Why the Internal Audit Function Deserves Attention

For many regulated entities, internal audit has historically been treated as a secondary or developing function. Under the current framework, however, internal audit is clearly positioned as part of the company’s governance architecture and as an important component of board assurance.

A properly structured internal audit function supports:

  • independent assessment of internal controls;
  • stronger board oversight and accountability;
  • better identification and escalation of governance weaknesses;
  • more effective monitoring of operational, compliance, and regulatory risk;
  • improved audit committee effectiveness; and
  • greater regulatory credibility.

In practical terms, internal audit is no longer simply about review. It is about demonstrating that the business has an independent and structured mechanism for testing whether its control environment is functioning as intended.

6. How FiveComply Can Assist

For many entities, aligning with the new Seychelles corporate governance requirements will require more than minor amendments to existing documentation. It may involve a wider governance review covering board arrangements, committee structures, risk oversight, internal control frameworks, internal audit readiness, and reporting lines.

At FiveComply, we support firms with practical and commercially grounded assistance in relation to:

  • corporate governance gap assessments;
  • review of board and committee structures;
  • governance documentation and policy enhancement;
  • risk and internal control framework support;
  • internal audit readiness assessments;
  • design of internal audit reporting structures; and
  • support in developing proportionate and defensible approaches where alternative arrangements are being relied upon.

Particular attention should now be given to the internal audit requirement, especially where no dedicated function currently exists or where the firm’s control assurance model remains informal or insufficiently documented.

7. Annual Disclosure and Ongoing Governance Monitoring

The Code also includes a disclosure form requiring licensees to confirm compliance with specific governance requirements, including committee arrangements, board evaluation, risk oversight, contingency planning, internal audit, external audit, audit committee matters, and conflict of interest controls. The form is required to be submitted by 31 December every year.

This reinforces that compliance under the Code is not a one-off implementation exercise. It requires continuous monitoring, board-level attention, and adequate documentation throughout the year.

8. Final Remarks

Now that the Seychelles Code of Corporate Governance has come into effect, as of 1 January 2026, affected licensees should ensure that their governance framework is aligned with the Authority’s expectations and that any gaps are identified and addressed without delay.

For regulated entities, this is an important opportunity not only to meet a legal requirement, but also to strengthen governance standards, improve internal accountability, and enhance operational resilience.

FiveComply supports Seychelles-regulated entities with practical and tailored assistance in relation to corporate governance implementation, internal audit structuring, committee framework review, and overall regulatory readiness.

Disclaimer: This article is provided for general informational purposes only and does not constitute legal or tax advice.

Author

Erato Chatzikyriakou

Head of Licensing – Offshore Division

Mauritius Investment Dealer Licence Requirements: Capital, Structure & FSC Framework


Mauritius has established itself as a credible and well-regulated international financial centre, supported by a clear legal framework, a recognised regulator, a strong corporate and banking infrastructure and an attractive tax regime. For firms seeking to carry out brokerage and dealing activities through Mauritius, the relevant licensing regime is regulated by the Financial Services Commission Mauritius (FSC) under the Securities Act 2005 and the Securities (Licensing) Rules 2007.

For applicants, obtaining a Mauritius Investment Dealer Licence is not simply a filing exercise, and without the correct partners it may prove burdensome. With a strong track record and extensive experience in licensing matters, we understand that the FSC assesses the proposed structure holistically, taking into account the licence category, the competence and experience of key individuals, the adequacy of capital, the robustness of internal controls, and the operational readiness of the business. The quality of the initial structuring is therefore a key determinant of licensing efficiency and long-term regulatory stability.

At FiveComply, together with AllServ Management Ltd, our licensed Management Company in Mauritius, we assist clients with the full licensing lifecycle from initial structuring and pre-assessment through to application submission, FSC interaction, and post-licensing implementation. Our approach is designed not only to support approval, but to build structures that are commercially workable and regulator-ready from day one.

1. What is a Mauritius Investment Dealer Licence?

A Mauritius Investment Dealer Licence authorises a company to undertake regulated securities activities, depending on the category of licence granted.

For firms operating in brokerage, securities execution, portfolio management, or advisory-linked dealing models, Mauritius offers a recognised and structured regime that is often attractive for cross-border financial services businesses seeking a balance between regulatory credibility and operational flexibility.

2. Mauritius Investment Dealer Licence Categories & Capital Requirements

Under the FSC framework, the applicable licence category depends on the nature and scope of the proposed activities. Each category carries its own regulatory requirements, including the applicable fee structure and capital expectations.

From a structuring perspective, selecting the correct category at the outset is critical. The FSC will expect the proposed activities, governance arrangements, financial resources, and internal controls to be fully aligned with the licence category being sought.

| Licence Category | Scope of Licence | Capital Requirement (MUR: Mauritian rupee) |
| --- | --- | --- |
| Investment Dealer Full-Service (Including Underwriting) | Allows the licensee to trade in securities as principal with the intention of reselling such securities to the public, to underwrite or distribute securities on behalf of an issuer or holder, to provide investment advice ancillary to its business, and to manage client portfolios. | MUR 10 million |
| Investment Dealer Full-Service (Excluding Underwriting) | Allows the licensee to carry out full dealing activities, excluding the underwriting or distribution of securities on behalf of an issuer or holder. | MUR 1 million |
| Investment Dealer (Broker) | Allows the licensee to execute orders for clients, manage client portfolios, and provide advice on securities transactions to clients. | MUR 700,000 |
| Investment Dealer – Discount Broker | This category allows the licensee to execute client orders without giving investment advice. | MUR 600,000 |

From a practical perspective, the applicable Mauritius Investment Dealer Licence requirements go beyond the minimum capital threshold alone. The FSC will also consider whether the proposed applicant has the financial substance, governance framework, and internal controls necessary to support the activities to be licensed.

For this reason, selecting the correct Mauritius Investment Dealer Licence category should not be approached as a mere formality. It is a core structuring decision that affects the capital position, compliance obligations, and overall strength of the application.

At FiveComply, together with AllServ Management Ltd, we assist clients in identifying the most suitable Investment Dealer Licence in Mauritius and in structuring the application in a manner that is both commercially workable and aligned with FSC expectations from the outset.

3. Key Regulatory Considerations for a Mauritius Investment Dealer Licence

The FSC places substantial weight on governance and the competence of key individuals.

Under the licensing rules, the applicant must satisfy the FSC that its internal structures, technical and financial means, staffing, and organisation are appropriate and sufficient for the efficient operation of the proposed business.

From a practical perspective, Mauritius Investment Dealer structures implemented by FiveComply and AllServ typically require the following setup:

  • at least one shareholder, whether individual or corporate;
  • at least one foreign director;
  • at least two Mauritius-resident directors;
  • a Compliance Officer and Money Laundering Reporting Officer (MLRO), typically provided by the Management Company;
  • an Investment Dealer team comprising two dealing team members.

The experience threshold for dealer roles is a key component of the Mauritius Investment Dealer licensing framework. Both dealers should demonstrate at least two years’ relevant experience in brokerage services within a regulated environment. From a regulatory perspective, this experience should evidence hands-on involvement in core dealing activities, including the receipt and handling of client orders, the execution and monitoring of trades, and client interaction in relation to trade confirmations and contract notes.

This is why the pre-assessment stage is critical. At FiveComply, we assess CVs and role suitability at an early stage to determine whether the proposed individuals are likely to meet FSC expectations before structuring the application.

4. Mauritius Investment Dealer Licence Timeline

The Mauritius Investment Dealer Licence process is a structured regulatory process overseen by the Financial Services Commission Mauritius (FSC). While each application is assessed on its own merits, timing will generally depend on the proposed business model, the complexity of the structure, and the quality and readiness of the documentation submitted.

We maintain a strong approval track record, supported by the consistently high quality of applications submitted. Typically, and based on our extensive track record, a Mauritius Investment Dealer Licence application can be assessed within approximately 1 to 3 months from submission. The speed of the process will largely depend on how efficiently the structure is organised from the outset and how complete, consistent, and regulator-ready the application is at the point of submission.

This is precisely where early planning makes a material difference. A properly structured application not only supports a more efficient FSC review process but also reduces avoidable delays and strengthens the overall regulatory positioning of the business.

This is where our experience adds value. As FiveComply and AllServ Management Ltd, we work closely with clients to streamline the Mauritius Investment Dealer Licence process and to position each application for the most efficient possible turnaround, without compromising regulatory quality or long-term compliance integrity. While these considerations may appear straightforward to us, they can often be more complex in practice.

5. Why Work with FiveComply

At FiveComply, together with AllServ Management Ltd, we support clients with:

  • strategic assessment of the appropriate Mauritius Investment Dealer Licence category;
  • structuring of governance and key appointments in line with FSC expectations;
  • preparation and coordination of regulator-ready application packages; and
  • practical guidance designed to support both approval efficiency and post-licensing viability.

Our role is to ensure that the proposed structure is not only licensable, but commercially workable and credible under regulatory review.

For firms considering Mauritius Investment Dealer licensing, the opportunity is clear. Mauritius offers a respected regulatory environment, international credibility, an attractive tax regime and a well-established financial services ecosystem. But success depends on how the structure is built from the outset.

If Mauritius forms part of your expansion strategy, FiveComply and AllServ Management Ltd can assist you in building the structure properly, efficiently, and in line with FSC expectations.

Disclaimer: This article is provided for general informational purposes only and does not constitute legal or tax advice. All applications are submitted through AllServ Management Ltd, a duly licensed Management Company in Mauritius. Website: https://allserv.mu/

Author

Erato Chatzikyriakou

Head of Licensing – Offshore Division