MAURITIUS: REGULATORY FRAMEWORK FOR THE CUSTODY OF DIGITAL ASSETS

Custodians play an important role in investor protection and in safeguarding the wealth of many individuals and entities. In several instances, the services of a qualified custodian are compulsory in order to satisfy requirements for transparency and good governance, provide proper asset segregation, and safeguard investor confidence. However, unlike the custody of many traditional assets, where the asset itself or a proxy for it is held by the custodian, digital assets exist solely in digital form, function as bearer instruments, and are only as secure as the private keys controlling them. To address the specific challenges of custody of digital assets, a regulatory framework has been introduced in Mauritius to provide guidance to persons carrying out custodian services for digital assets, and to clarify the standard of care to be expected in the custody of those assets.

Background

In Mauritius, regulation 21 of the Securities (Collective Investment Schemes and Closed-end Funds) Regulations 2008 requires every Collective Investment Scheme (CIS) to have a custodian; only a person holding a custodian licence issued under S 100 of the Securities Act 2005 is authorised to hold the assets of a CIS. A Custodian Services (Non-CIS) licence, issued in accordance with S 14 of the Financial Services Act 2007, allows the licence holder to provide custody services to clients other than CIS.

In 2018 the Mauritius Financial Services Commission (FSC) recognised digital assets as an asset class for investment by sophisticated and expert investors. However, the existing regulatory framework, which relates primarily to the custody of securities and physical assets, was considered inappropriate for the safekeeping of digital assets. In 2019 the FSC therefore introduced a licensing framework specifically for digital asset custodian services.

Compulsory licensing requirement

Persons intending to provide custody services for digital assets in Mauritius are required to obtain a Custodian Services (Digital Asset) licence issued by the FSC. No person can lawfully carry out custody services for digital assets in Mauritius without such a licence.

AML/CFT compliance

The holder of a Custodian Services (Digital Asset) licence, while being a licensee of the FSC, is simultaneously considered to be a financial institution under the Mauritius Financial Intelligence and Anti-Money Laundering Act 2002. It has the obligation to comply with all laws and regulations in force relating to Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT), as well as with the FSC Code on the Prevention of Money Laundering and Terrorist Financing.

Representative in Mauritius

The custodian shall have at all times a representative in Mauritius who must be sufficiently knowledgeable in the operations of the custodian. In addition to acting as a liaison with the FSC for any correspondence, notice or summons, the representative will hold responsibility for the proper maintenance of the records of the custodian, including due diligence records, board minutes and resolutions, as well as perform any statutory filings in line with the applicable legal requirements.

Core income generating activities in Mauritius

The custodian is required to maintain at all times an office in Mauritius from which it would perform its core business activities, and have a suitable number of staff with the appropriate proficiency, competence and experience to properly perform those core functions. Staff involved in core functions are to meet fitness and propriety tests in accordance with best industry standards, and none of the core functions can be delegated or outsourced without prior approval from the FSC.

Governance

The governance structure should provide for effective oversight of the custodian's activities, taking into account the nature, scale and complexity of the business. The custodian shall maintain its registered office in Mauritius and be managed by a board of directors consisting of a minimum of 3 directors, with at least one director resident in Mauritius and at least 30% of the directors being independent directors.

Minimum capital requirement

The business of the custodian must be appropriately capitalised, with the maintenance at all times of a minimum unimpaired capital equivalent to 6 months’ operating expenses, or 35 million Mauritian rupees, whichever is higher.

Infrastructure for continuous operations

The custodian has to demonstrate adequate resources in terms of infrastructure, systems and skills to ensure that its core functions can be fully operational at all times and that it is able to operate efficiently in accordance with best industry practices and standards.

Customer protection and custody agreements

Custody agreements are to contain, not only particulars of the services to be provided and the related fees, but also information about the standard of care to be exercised by the custodian, and the custodian’s responsibility in case of lost digital assets. Each client is to be provided with an original of the signed custody agreement within 30 days of signature.

Operational risk management program

The custodian should have a comprehensively documented operational risk management program which would include strategies to identify, monitor, and mitigate operational risks, together with an operational risk reporting system.

Regular systems testing and audit

Systems testing is to be undertaken in accordance with best industry standards and practices at least once every quarter, and may be conducted by the custodian, by independent third parties, or both.
At least once every year, a comprehensive audit of the custodian's systems, policies and processes is to be undertaken by an appropriately qualified independent external third party. Any shortcoming identified by the audit must be addressed.

Safeguards at key and seed generation stage

The proper creation and management of private keys in a specialised and controlled offline environment significantly enhances the security of digital assets. The FSC rules therefore prescribe that best industry security safeguards be adopted in the seed creation and key generation process, so that seeds and keys are sufficiently resistant to guessing and to collision. A back-up mnemonic (coded) pass-phrase is to be generated from the seed, and that pass-phrase is used to regenerate the seed if necessary.
At least 3 staff members are to be involved in generating entropy (unpredictability and randomness) during seed creation, with no single person possessing knowledge of the entire seed or of the entire back-up mnemonic phrase.
Additionally, the custodian's protocol must include safeguards preventing the individuals involved in seed creation from gaining access to the systems used to initiate transactions.

Client asset segregation

Pooling together of assets belonging to different clients, while easing operational challenges for custodians, increases the possibility of bulk theft of those assets. The FSC rules prescribe that custodians should ensure that digital assets belonging to different clients are not pooled together at a single address or in a common wallet, and that no address or wallet is assigned to more than a single client.

Storage strategy for digital assets

Although the blockchain ledgers on which digital assets are recorded are designed to resist tampering, the assets themselves are only as secure as the private keys that control them. Major thefts and losses of digital assets have typically involved keys held on internet-connected systems or deficient multi-signature safeguards, rather than a compromise of the underlying ledger.
To mitigate clients' losses from cyberattacks, it is good practice for clients' private keys to be held in secure locations in cold storage (not connected to the internet) whenever they are not required for transaction purposes. The FSC rules recommend that the storage strategy be in accordance with best industry standards and practices, taking into account factors such as the volume of transactions, the speed at which those transactions are to be executed, and the risk appetite of each client.

Multi-signature authorisation

The systems and procedures of the custodian should ensure that no single person is able to both initiate and complete a transaction, and that the risk of collusion between signatories is mitigated. Each signatory is to document the rationale for approving or rejecting a transaction, and the custodian should maintain proper records of those rationales.

Robust cold storage solution

Regarding on-site cold storage, the custodian will have to demonstrate to the FSC the existence of an adequately secured physical infrastructure, including guarded access to the facilities with restricted admittance to authorised personnel only, vault storage with dual key requirements and 24/7 closed-circuit television system. Access procedures will have to be adequately documented and must be made available to the FSC upon request.

Procedures for security breaches

The custodian should have in place procedures to protect digital assets held in custody in the event of a security breach, or if a security breach is suspected. The custodian is to promptly notify the client of any security incident relating to digital assets under custody.

Disaster recovery plan

To assure digital asset preservation, keys are to be encrypted and sharded (split), with the shards stored offsite in several secure and geographically diverse locations. Access to those key shards is to be possible only through the confirmatory actions of several pre-authorised parties whose identities have been established through multi-factor authentication.
The custodian must ensure that frequent (at least quarterly) internal audits of the backup seeds are performed on the storage devices, to confirm that those backups have not been removed or tampered with.
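The seed ceremony described under "Safeguards at key and seed generation stage" and the sharded, quorum-controlled backup with periodic tamper audits described in this section are mechanisms a custodian can implement directly. The following is an added illustration written for this article; it is not code from the FSC rules or from any custodian. It combines entropy contributed by three staff so that no individual holds the whole seed, splits the seed into 5 shards of which any 3 reconstruct it (Shamir secret sharing over a prime field), and records a digest per shard so that a quarterly audit can detect an altered or swapped backup. The function names, the 3-of-5 parameters, the choice of field and the sample contributions are all illustrative assumptions.

```python
"""Illustrative 3-of-5 threshold backup of a custody seed (example, not FSC code)."""
import hashlib
import hmac
import secrets

# Mersenne prime 2**521 - 1: every 256-bit seed is a valid field element,
# so no reduction of the seed is ever needed (assumed field; any large prime works).
PRIME = 2**521 - 1


def derive_seed(contributions: list[bytes]) -> bytes:
    """Combine independent entropy contributions into one 32-byte seed.

    Each of at least three staff supplies random bytes from their own source.
    The seed is SHA-256 over all contributions, so a participant who knows only
    their own contribution learns nothing about the final seed.
    """
    if len(contributions) < 3:
        raise ValueError("at least three independent contributors required")
    h = hashlib.sha256()
    for c in contributions:
        if len(c) < 32:
            raise ValueError("each contribution must be at least 32 bytes")
        h.update(len(c).to_bytes(4, "big") + c)  # length prefix avoids ambiguity
    return h.digest()


def split_secret(secret: bytes, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Shamir split: random polynomial of degree threshold-1 whose constant term
    is the secret; shard i is (i, f(i)). Fewer than `threshold` shards reveal nothing."""
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    out = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        out.append((x, y))
    return out


def _interpolate(shards: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over the prime field."""
    xs = [x for x, _ in shards]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shard index")
    total = 0
    for i, (xi, yi) in enumerate(shards):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shards):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shards: list[tuple[int, int]], threshold: int, length: int = 32) -> bytes:
    """Reconstruct the seed from a quorum of shards; refuses to run below the quorum."""
    if len(shards) < threshold:
        raise ValueError(f"quorum not met: {len(shards)} of {threshold} shards")
    return _interpolate(shards).to_bytes(length, "big")


def share_digest(shard: tuple[int, int]) -> str:
    """Commitment recorded in the audit log, kept separately from the shard itself."""
    x, y = shard
    return hashlib.sha256(x.to_bytes(2, "big") + y.to_bytes(66, "big")).hexdigest()


def audit_backup(stored: tuple[int, int], expected_digest: str) -> bool:
    """Quarterly check that a backup shard has not been altered or swapped."""
    return hmac.compare_digest(share_digest(stored), expected_digest)


if __name__ == "__main__":
    # Constructed ceremony: three staff each bring 32 bytes from their own RNG.
    contributions = [secrets.token_bytes(32) for _ in range(3)]
    seed = derive_seed(contributions)
    shards = split_secret(seed, threshold=3, shares=5)
    digests = [share_digest(s) for s in shards]  # stored with the audit records
    assert recover_secret(shards[1:4], threshold=3) == seed
    tampered = (shards[0][0], (shards[0][1] + 1) % PRIME)
    print("shard 1 audit:", audit_backup(shards[0], digests[0]))
    print("tampered shard detected:", not audit_backup(tampered, digests[0]))
```

In practice the shards would be written to separate offline media and the digests kept with the custodian's records, so an auditor can verify each location's shard without assembling a quorum; the quorum itself is only assembled, under multi-factor authentication of the pre-authorised parties, when a recovery is actually required.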

Uninterrupted access

The custodian has to demonstrate that it can provide its clients with perpetual access to all the assets in custody in the event that it cannot fulfil its custody agreement or the business ceases to operate.

Recordkeeping and statutory reporting

In addition to keeping digital assets secure, custodians have a variety of other recordkeeping and reporting obligations, including maintaining up-to-date transactional records and filing quarterly financial statements and audited annual financial statements with the FSC.

Healthy digital asset ecosystem

Secure and effective custodianship significantly reduces the risks of investing in digital assets and is an important part of a healthy digital asset ecosystem. While Fintech activities have been developing rapidly, one major growth-limiting factor for institutional investment in the digital asset marketplace has been the lack of appropriate custody services for the safekeeping of digital assets. The FSC rules, by imposing a compulsory licensing requirement for custodians of digital assets and by encouraging best industry practices and standards in the delivery of those services, seek to enhance trust and confidence in the Mauritius jurisdiction, while laying the foundation for the sustainable development of digital asset custodian services in Mauritius.

DTOS provides valuable insights and value-added services to businesses and individuals with regard to their evolving present and future needs. Should you have any query in relation to the topic covered and require any assistance, please do not hesitate to contact us. We shall be pleased to assist you.

Fred Yeung Sik Yuen CPA FCCA CGMA MBA