2021-12-06

Guideline for Digital Banks

The Bank of Mauritius issued this December 2021 guideline to establish a comprehensive regulatory framework for banks operating exclusively through digital or electronic channels. It mandates a two-stage licensing process comprising a mobilisation period of up to two years and a transitional period of up to three years, during which restricted digital banks must deploy technology infrastructure, recruit senior staff, and meet specific capital and governance thresholds. The framework grants targeted exemptions from traditional banking laws while ensuring robust risk management, customer protection, and clear exit mechanisms before granting full digital banking status.

Mauritius

Bank of Mauritius

BOM / BSD 43 / December 2021 BANK OF MAURITIUS Guideline for Digital Banks December 2021

TABLE OF CONTENTS

INTRODUCTION
  Purpose
  Authority
  Scope of Application
  Relation to other guidelines issued by the Bank of Mauritius
  Effective date
  Interpretation
Section 1: Application Process for Digital Banking Licence
Section 2: Licensing stages
  Mobilisation Period
  Transitional Period
Section 3: Prudential and Regulatory Requirements for Restricted Digital Banks
  Shareholding Structure
  Mobilisation Period
  Transitional Period
Section 4: Exemptions applicable to Restricted Digital Banks
  Capital requirements
  Significant ownership
  Corporate Governance
  Regulatory Reporting
Section 5: Business Plan
Section 6: Exit Plan
Section 7: Exit from Banking Industry
Section 8: Risk Management
Section 9: Anti-Money Laundering and Combating the Financing of Terrorism and Proliferation
Section 10: Physical office in Mauritius
Section 11: Record Keeping
Section 12: Customer Protection and Data Protection
Section 13: Reporting Requirement

INTRODUCTION

Section 5(1) of the Banking Act 2004 provides that no person shall engage in, inter alia, digital banking business in Mauritius without a banking licence issued by the Bank of Mauritius. Digital banking business is defined in the Banking Act 2004 as ‘banking business carried on exclusively through digital means or electronically’.

Further, section 7(7E) of the Banking Act 2004 states that ‘a bank which has been granted a banking licence to carry on exclusively digital banking business by the central bank may be exempted from such provisions of the Banking Act 2004 and be subject to such terms and conditions and guidelines as the central bank may determine’.

Pursuant to section 52(1) of the Banking Act 2004, a bank licensed under section 7(5) of the Banking Act 2004 to carry on exclusively private banking business or exclusively Islamic banking business, may, with the approval of the Bank of Mauritius, carry on its licensed activities solely through digital means or through electronic delivery channels.

Purpose

The purpose of this Guideline for Digital Banks (Guideline) is to give effect to the abovementioned provisions of the Banking Act 2004 and to set out the regulatory and supervisory framework for operating a digital bank in Mauritius. A digital bank refers to a bank carrying on banking business exclusively through digital means or electronically.

The Guideline specifies additional requirements to, or exemptions from the legal, regulatory and supervisory framework applicable to traditional banks and the terms and conditions under which the Bank of Mauritius shall consider these exemptions under section 7(7E) of the Banking Act 2004.

The Guideline shall also apply to a bank licensed to carry on exclusively private banking business or exclusively Islamic banking business solely through digital means or through electronic delivery channels under section 52(1) of the Banking Act 2004.

Authority

This Guideline is issued under the authority of section 50 of the Bank of Mauritius Act 2004 and sections 7(7E) and 100 of the Banking Act 2004.

Scope of Application

This Guideline shall apply to banks licensed under section 7(5) of the Banking Act 2004 to carry on exclusively:
(i) digital banking business (digital bank); and
(ii) private banking business or Islamic banking business solely through digital means or through electronic delivery channels under section 52(1) of the Banking Act 2004 (digital private bank or digital Islamic bank).

Relation to other guidelines issued by the Bank of Mauritius

A bank licensed under section 7(5) of the Banking Act 2004 to carry on exclusively –
(i) digital banking business;
(ii) private banking business or Islamic banking business solely through digital means or through electronic delivery channels,
shall be subject to the prudential and regulatory requirements applicable to banks unless where explicitly otherwise stated by the Bank of Mauritius in this Guideline or in the Guideline on Private Banking or Guideline for Institutions Conducting Islamic Banking Business, as the case may be.

Effective date

This Guideline shall come into effect on 6 December 2021.

Interpretation

In this Guideline,

“Act” means the Banking Act 2004;

“Bank” means the Bank of Mauritius established under section 3 of Bank of Mauritius Act 2004;

“bank” has the same meaning as in the Act;

“banking business” has the same meaning as in the Act;

“banking laws” has the same meaning as in the Act [1];

“digital bank” means a bank licensed under section 7(5) of the Act to carry on exclusively digital banking business and shall include a digital private bank and a digital Islamic bank;

“digital banking business” has the same meaning as in the Act, and refers to banking business carried on exclusively through digital means or electronically;

“digital banking licence” refers to the licence granted to a digital bank;

“digital Islamic bank” refers to a bank licensed under section 7(5) of the Banking Act 2004 to carry on exclusively Islamic banking business solely through digital means or through electronic delivery channels;

“digital on-boarding” refers to the process of establishing a business relationship with a customer solely through digital means or electronically;

“digital private bank” refers to a bank licensed under section 7(5) of the Banking Act 2004 to carry on exclusively private banking business solely through digital means or through electronic delivery channels;

“capital adequacy ratio” is as set out under the Guideline on Scope of Application of Basel III and Eligible Capital;

“liquidity coverage ratio” is as set out under the Guideline on Liquidity Risk Management;

“mobilisation period” refers to the first two years following the issue of the digital banking licence;

“physical presence” has the same meaning as in the Act;

“private banking business” has the same meaning as in the Act;

“prudential or regulatory requirements” refer to guidelines, instructions or directives issued to banks by the Bank [2];

“related party” has the same meaning as in the Act;

“restricted digital bank” means a digital bank operating in the restricted phase;

“restricted phase” refers to the mobilisation period and the subsequent transitional period;

“senior officer” has the same meaning as in the Act;

“significant interest” has the same meaning as in the Act;

“significant shareholder” refers to a shareholder who has significant interest in a digital bank;

“transitional period” refers to the subsequent period of three years following the end of the mobilisation period.

[1] The banking laws are accessible at https://www.bom.mu/about-the-bank/legislation.

[2] The guidelines issued by the Bank are accessible at: https://www.bom.mu/financial-stability/supervision/guideline.

Section 1: Application Process for Digital Banking Licence

1.1 Applications from body corporates for a digital banking licence shall be made by submitting to the Bank the duly filled application form as available on the website of the Bank. An applicant shall also comply with section 5 of the Act.

1.2 The application for a digital banking licence shall be determined in accordance with section 6 of the Act.

1.3 The Bank may, following its determination of the application, grant or refuse the application.

1.4 In accordance with section 7 of the Act, no licence shall be granted by the Bank unless it is satisfied:
i. that the applicant has:
  a. demonstrated that the directors or senior officers of the applicant have technical knowledge, experience in banking or finance and are fit and proper persons to carry on the proposed banking business;
  b. sufficient financial resources and an adequate capital structure to serve as a continuing source of financial support for the proposed bank;
  c. demonstrated the soundness and feasibility of the applicant’s plans for the future conduct and development of the business of the proposed bank, including accounting and internal control systems;
  d. the ability and willingness to comply with such other conditions as the central bank may impose under the banking laws; and
ii. as to the history and character of the business and management of the applicant;
iii. as to the convenience and needs of the community or market to be served;
iv. as to the fitness and suitability of the applicant’s shareholders, particularly shareholders holding a significant interest; and
v. where the applicant forms part of a group predominantly engaged in banking activities, that the corporate structure of the group or its geographical location or the banking law in the home country of the group does not hinder effective consolidated supervision.

1.5 Additionally, the applicant must be able to demonstrate to the satisfaction of the Bank that:
i. at least one of its significant shareholders shall have relevant track record in operating an existing business in a banking, financial technology, e-commerce, communications or related fields;
ii. its board of directors collectively possess requisite expertise and experience in the fields of technology and related risks, digital banking business as well as in credit, liquidity, interest rate risks and other banking risks relevant to the activities of the digital bank;
iii. it will meet the requirements for substantial activities, that is, it shall have a principal place of business in Mauritius, at least ten suitably qualified full-time officers, including the Chief Executive Officer (CEO), Deputy CEO and other key functional heads, and its annual operating costs should not be less than 25 million Mauritian rupees; and
iv. it will meet the applicable minimum capital requirement at the onset and on an ongoing basis.

1.6 Where the applicant is a branch or a subsidiary of a bank incorporated abroad and is making an application either singly or in joint venture with a bank incorporated in Mauritius, section 7(3) of the Act requires that the bank incorporated abroad is a reputable international bank, having operated as a bank in the jurisdiction of its head office for at least 5 years, and is subject to consolidated supervision by competent foreign regulatory authorities.

1.7 Where the bank incorporated abroad has operated for less than five years, the Bank may consider the application if:
a. the applicant is able to, inter alia, demonstrate, to the satisfaction of the Bank, the adequate experience and track record of its shareholders, board members (as applicable) and senior officers including those to be assigned to the bank in Mauritius, in the field of banking, financial technology, e-commerce or other related fields; and
b. the applicant is subject to consolidated supervision by competent foreign regulatory authorities and these authorities have no objection to its proposal to carry on digital banking business in Mauritius.

1.8 The board of directors of a digital bank shall consist of at least one Mauritian citizen residing in Mauritius.

1.9 The applicant shall also ensure that the name under which it intends to operate complies with the requirements of sections 4 and 7(4) of the Act as well as section 61 of the Bank of Mauritius Act.

Section 2: Licensing stages

2.1 Successful applicants shall commence business as a restricted digital bank.

2.2 A restricted digital bank shall develop its governance, internal control and risk management frameworks during the restricted phase. Accordingly, it shall conduct limited banking business and shall ensure that the frameworks remain commensurate with the risks associated with these activities during the restricted phase. It shall be subject to prudential and regulatory requirements as detailed under section 3 of this Guideline during the restricted phase.

2.3 The restricted phase shall comprise a mobilisation period of not more than two years and a subsequent transitional period of not more than three years. There is no minimum period for exiting the restricted phase as long as the restricted digital bank meets all the requirements to the satisfaction of the Bank.

2.4 Applicants shall communicate their proposed mobilisation and transitional periods at the time of application.

2.5 A restricted digital bank shall submit to the Bank a plan detailing the timelines and milestones for the deployment of the requisite governance, internal control and risk management frameworks, the relevant policies, processes, and systems, and other activities planned during the mobilisation and transitional periods.

Mobilisation Period

2.6 During the mobilisation period and before proceeding to the transitional period, a restricted digital bank is required to have:
i. tested and deployed its technology infrastructure and systems;
ii. developed its policies and procedures;
iii. recruited the required senior officers and other staff;
iv. implemented the requisite governance, internal control and risk management framework; and
v. developed its business model including its products and services and target market.

[Figure: licensing stages. Restricted Digital bank: Mobilisation Period (2 years), Transitional Period (3 years); then Digital Bank]

2.7 A restricted digital bank shall seek the authorisation of the Bank to move to the transitional period at least 90 days before the expiry of the mobilisation period. The Bank may, following consideration of the application for authorisation, either grant or refuse to grant the authorisation.

2.8 In determining whether to grant the authorisation, the Bank shall consider whether the restricted digital bank has demonstrated to the satisfaction of the Bank, that it has been able to deploy the requisite technologies and the relevant internal control, risk management and governance frameworks as well as the other planned activities to move to the next phase, that is, the transitional period.

2.9 The Bank shall, within 60 days of receipt of a request for authorisation, inform the restricted digital bank of its decision to grant or refuse to grant the authorisation. The request shall be duly accompanied with all such information and documents as may be required to determine the application.

2.10 Where the Bank grants the authorisation, the restricted digital bank shall immediately proceed to the transitional period.

2.11 Where the Bank refuses to grant the authorisation, it shall inform the restricted digital bank of the reasons for which its request has been refused and afford the restricted digital bank with an opportunity to make representations against its decision. Any representation shall be made within 7 days of the decision of the Bank. The Bank shall, after considering the representations, communicate its final decision to the restricted digital bank within 14 days of receipt of its representations.

2.12 Where the Bank maintains its decision to refuse to grant the authorisation or where no request for authorisation or representation is received within the prescribed period, the Bank shall require the restricted digital bank to immediately cease operation.

2.13 The restricted digital bank shall, within 7 days of the communication of the decision of the Bank under paragraph 2.12, inform the Bank that it will surrender its licence pursuant to section 11(7) of the Act and proceed with the voluntary liquidation of the bank under section 70 of the Act.

2.14 If the restricted digital bank fails to communicate its decision to surrender its licence within the prescribed period, the Bank shall proceed to revoke same pursuant to section 17 of the Act and the bank shall be placed under receivership pursuant to section 75 of the Act.

2.15 Where the licence is revoked by the Bank, the directors and management of the restricted digital bank shall not act, or continue to act, as a director of, or be directly or indirectly concerned, in the management of a financial institution, without the approval of the Bank under section 47 of the Act.

Transitional Period

2.16 During the transitional period, a restricted digital bank shall further enhance its information systems, internal control, corporate governance and risk management framework to meet prudential and regulatory requirements applicable to banks (excluding those which are explicitly exempted) at the end of the restricted phase.

2.17 A restricted digital bank shall seek the authorisation of the Bank to operate as a digital bank at least 90 days before the expiry of the transitional period. In this connection, the restricted digital bank shall submit:
i. a written confirmation from its board of directors that it meets all the prudential and regulatory requirements applicable to a bank, including the minimum capital requirement of 400 million Mauritian rupees or an equivalent amount in any freely convertible currency (or such other capital requirement as may be prescribed) together with all relevant documentation to support this confirmation;
ii. an external audit confirmation on its capital position; and
iii. a report on the adequacy, appropriateness and effectiveness of its cyber and technology risk management framework and of its governance, internal control and risk management framework from an independent reputable firm. The Bank may, where deemed relevant, appoint an independent firm that will conduct such assessment. The cost of the assessment shall be borne by the restricted digital bank.

2.18 The Bank shall determine the request taking into consideration, inter alia, the performance and viability of the business of the restricted digital bank, the appropriateness of its governance, internal controls and risk management framework and its compliance with the prudential and regulatory requirements.

2.19 The Bank shall, within 60 days of receipt of a request for authorisation, inform the restricted bank of its decision to grant or refuse to grant the authorisation. The request shall be duly accompanied with all such information and documents as may be required to determine the application.

2.20 Where the Bank grants the authorisation, the restricted digital bank shall have 30 days to start operating as a digital bank.

2.21 Where the Bank refuses to grant the authorisation, it shall inform the restricted digital bank of the reasons for which its request has been refused and afford the restricted digital bank with an opportunity to make representations against its decision. Any representation shall be made within 7 days of the decision of the Bank. The Bank shall, after considering the representations, communicate its final decision to the restricted digital bank within 14 days of receipt of its representations.

2.22 Where the Bank maintains its decision to refuse to grant the authorisation or where no request for authorisation or no representation is received within the prescribed period, the Bank shall require the restricted digital bank to immediately cease operation.

2.23 The restricted digital bank shall, within 7 days of the communication of the decision of the Bank under paragraph 2.22, inform the Bank that it will surrender its licence pursuant to section 11(7) of the Act and proceed with the voluntary liquidation of the bank under section 70 of the Act.

2.24 If the restricted digital bank fails to communicate its decision to surrender its licence within the prescribed period, the Bank shall proceed to revoke same pursuant to section 17 of the Act and the bank shall be placed under receivership pursuant to section 75 of the Act.

2.25 Where the licence is revoked by the Bank, the directors and management of the restricted digital bank shall not act, or continue to act, as a director of, or be directly or indirectly concerned, in the management of a financial institution, without the approval of the Bank under section 47 of the Act.

2.26 The restricted digital bank shall cease to conduct banking business during the mobilisation period and/or during the transitional period where the Bank deems that:
i. the business model of the restricted digital bank is no longer viable;
ii. the restricted digital bank is not able to meet the objectives set out in its business plan; or
iii. the restricted digital bank fails to comply with the terms and conditions of the Bank to transition to a digital bank.

2.27 In the above circumstances, the Bank shall issue a written notice to the restricted digital bank requiring it to immediately cease business. The restricted digital bank may within 7 days of the written notice make its representations to the Bank. The final decision of the Bank on the representations shall be communicated to the restricted digital bank within 14 days of the receipt of the representations.

2.28 The restricted digital bank shall communicate to the Bank its decision to surrender its licence pursuant to section 11(7) of the Act and proceed with the voluntary liquidation of the bank under section 70 of the Act:
i. within 7 days of the notice to cease business where no representation is made within the prescribed period; or
ii. within 7 days of the Bank’s decision where a representation is made and the Bank maintains its decision.

2.29 If the restricted digital bank fails to communicate its decision to surrender its licence within the specified period mentioned above, the Bank shall proceed to revoke same pursuant to section 17 of the Act and the bank shall be placed under receivership pursuant to section 75 of the Act.

2.30 Where the licence is revoked by the Bank, the directors and management of the restricted digital bank shall not act, or continue to act, as a director of, or be directly or indirectly concerned, in the management of a financial institution, without the approval of the Bank under section 47 of the Act.

Section 3: Prudential and Regulatory Requirements for Restricted Digital Banks

3.1 Besides other laws applicable to a company, a restricted digital bank shall comply with banking laws, the Guideline on Fit and Proper Person Criteria, the Guideline on Related Party Transactions, the Guideline on Corporate Governance, the Guideline on Credit Concentration Risk, Guideline on Credit Risk Management, Guidelines on Outsourcing by Financial Institutions, Guideline on Liquidity Risk Management, Guideline on Maintenance of Accounting and Other Records and Internal Control Systems, the Guideline on the Computation of Debt-to-Income Ratio for Residential Property Loans, Guidelines for Calculation and Reporting of Foreign Exchange Exposures of Banks, the minimum capital requirements prescribed in this Guideline and the prudential limits set out under this section. The requirements pertaining to Anti-Money Laundering and Combating the Financing of Terrorism and Proliferation (AML/CFT) are laid down in section 9 of this Guideline.

3.2 A restricted digital bank shall implement an appropriate governance, internal control and risk management framework and apply other prudential and regulatory requirements in a proportionate manner taking into consideration the nature, size and complexity of its business operations.

Shareholding Structure

3.3 There shall generally be no change in shareholding of the restricted digital bank during the mobilisation and transitional periods, except with the approval of the Bank.

Mobilisation Period

3.4 During the mobilisation period, a restricted digital bank shall:
i. solicit deposits solely from its shareholders, employees and related parties;
ii. operate with an asset size not exceeding 1 billion Mauritian rupees or an equivalent amount in any freely convertible currency;
iii. offer only simple credit and deposit products;
iv. deal only with resident customers, with the exception of its shareholders, employees and related parties;
v. maintain, at all times, a capital adequacy ratio of 15 per cent [3];
vi. maintain the minimum cash reserve ratio prescribed by the Bank;
vii. hold, at all times, a reserve fund equivalent to three months of operating expenses in addition to the minimum capital requirements;
viii. maintain a minimum liquidity coverage ratio of 120 per cent [4] on a consolidated basis, for assets and liabilities denominated in Mauritian rupees and for assets and liabilities denominated in each significant foreign currency; and
ix. any other prudential limits/prudential or regulatory requirements prescribed by the Bank.

Transitional Period

3.5 During the transitional period, a restricted digital bank shall:
i. operate with an asset size not exceeding 2 billion Mauritian rupees or an equivalent amount in any freely convertible currency;
ii. offer only simple credit and deposit products;
iii. maintain, at all times, a minimum capital adequacy ratio [3] of 12.5 per cent;
iv. maintain the minimum cash reserve ratio prescribed by the Bank;
v. maintain a minimum liquidity coverage ratio [4] of 100 per cent on a consolidated basis, for assets and liabilities denominated in Mauritian rupees and for assets and liabilities denominated in each significant foreign currency;
vi. any other prudential limits/prudential or regulatory requirements prescribed by the Bank.

3.6 The cap on the asset size may, subject to approval by the Bank, be increased during the transitional period provided that:
i. the minimum capital and the cap on the asset size increase in tandem by a ratio of not more than 1:10; and
ii. the governance, internal control and risk management frameworks remain commensurate with the asset size, complexity and nature of the business.

[3] The capital adequacy ratio shall be calculated taking into consideration the requirements under the Guideline on Scope of Application of Basel III and Eligible Capital, Guidelines on Operational Risk Management and Capital Adequacy Determination, Guideline on Measurement and Management of Market Risk and Guideline on Standardised Approach to Credit Risk.

[4] The liquidity coverage ratio shall be computed as set out in the Guideline on Liquidity Risk Management.

Section 4: Exemptions applicable to Restricted Digital Banks

4.1 The exemptions under this section shall be subject to the approval of the Bank.

Capital requirements

4.2 A restricted digital bank shall commence operations with an amount paid as stated capital or an amount of assigned capital, as the case may be, of not less than 200 million Mauritian rupees or an equivalent amount in any freely convertible currency held in assets in or outside Mauritius, as may be approved by the Bank.

4.3 During the restricted phase, the bank will be required to maintain, at all times, a minimum amount of stated or assigned capital of not less than 200 million Mauritian rupees or an equivalent amount in any freely convertible currency, after deduction of the accumulated losses of the bank.

4.4 At the end of the restricted phase, the minimum capital requirement applicable shall be 400 million Mauritian rupees or an equivalent amount in any freely convertible currency held in assets in or outside Mauritius, as may be approved by the Bank, after deduction of the accumulated losses of the bank.

Significant ownership

4.5 During the restricted phase, the shareholders of the restricted digital bank may own a significant interest of 10% or more* of the bank’s capital or voting rights provided that:
i. the shareholders undertake in writing to the Bank not to influence or impede the prudent management and functioning of the restricted digital bank in accordance with sound banking practices;
ii. the restricted digital bank has in place a board of directors chaired by an independent director and which is composed of a majority of independent directors*;
iii. the board of directors collectively have proven experience in matters of regulatory compliance, risk management and audit; and
iv. the restricted digital bank demonstrates at any point in time that all business transactions with shareholders are conducted at arms-length.

* Conditions of significant interest will not apply to subsidiaries and branches of foreign banks.

Corporate Governance

4.6 The Guideline on Corporate Governance requires banks to establish an Audit committee, a Conduct Review committee, a Risk Management committee, and a Nomination and Remuneration committee. A restricted digital bank may only establish an Audit Committee and an executive-level Risk Management Committee. In such instances, the board of directors of the restricted digital bank shall be responsible for the tasks assigned to the other board sub-committees and for laying down the risk management strategy, risk appetite and key risk policies.

4.7 A restricted digital bank may share selected senior officers with its parent entity provided that these senior officers are able to demonstrate that they have relevant banking experience and that there is a dedicated team of officers working at the bank.

Regulatory Reporting

4.8 A restricted digital bank shall, upon request, be exempted from the requirement to submit regulatory returns which may not be applicable to its business model.

Section 5: Business Plan

5.1 Section 5(1)(f) of the Act requires an applicant to submit, at the time of application, a business plan giving the nature of the planned business, organisational structure and internal control, projected financial statements including cash flow statements for each of the next 3 financial years.

5.2 In addition to the requirements specified in paragraph 5.1, the business plan shall, inter alia, include:
  i. the projected financial statements for additional 2 financial years to cover a period of 5 financial years.
  ii. the business model, including the products and services to be offered, the channels to be used to offer the product and services and the target market;
  iii. the sources of funding and its capital and liquidity strategy;
  iv. the proposed governance, internal control, and risk management (including the cyber/technology risk management) frameworks;
  v. the proposed staffing requirement including the areas related to technology and risk management and how these would be met;
  vi. the business strategy that demonstrates a sustainable business model from the restricted phase to a digital bank. The business strategy shall be documented and shall, as a minimum, include:
    a. clear timelines and milestones to enable the Bank and the applicant to track the progress against the proposed plan;
    b. measures required to comply with all prudential requirements applicable throughout the restricted phase and thereafter; and
    c. measures to meet the minimum capital requirement at the end of the restricted phase;

  vii. measures to address customers’ queries or complaints;
  viii. details of any outsourcing arrangements and other reliance on third-party service providers; and
  ix. a description of the plans in respect of its cyber and technology risk management framework and infrastructure, which shall, as a minimum, cover:
    a. an overview of system architecture diagram and network architecture diagram;
    b. the cloud strategy (if any) and its deployment model;
    c. the technologies and digital innovations tools to be used;
    d. planned IT/cyber risk governance framework;
    e. the business continuity plan and disaster recovery plan;
    f. the measures (technology, people and process) to manage cybersecurity threats; and
    g. risk assessment reports on third parties that would be providing critical services (as applicable).

Section 6: Exit Plan

6.1 The applicant shall submit, at the time of application, an exit plan, which demonstrates that it can go into voluntary liquidation under section 70 of the Act in an orderly manner during the restricted phase under the circumstances stipulated in section 7 of the Guideline, taking into consideration the interests of depositors. The exit plan shall, as a minimum, cover:
  i. the circumstances under which the voluntary liquidation will be triggered;
  ii. the channels to be used to repay depositors and the source of funding for making the payments; and
  iii. the communication and engagement strategy detailing the means and timeline for keeping relevant stakeholders (such as the Bank, customers, investors) informed.

6.2 The exit plan shall be accompanied by a written undertaking from its significant shareholders to make up for any shortage of assets to cover the digital bank’s outstanding deposit liabilities.

Section 7: Exit from Banking Industry

7.1 In addition to the circumstances laid down under paragraphs 2.13, 2.23 and 2.28, a restricted digital bank may go into voluntary liquidation where it is of the view that its business model is no longer viable and/or it will not be able to meet the objectives set out in its business plan to transition to a digital bank.

Section 8: Risk Management

8.1 The board of directors and the senior management of a digital bank shall, among others, ensure that:
  i. they understand the types of risk to which it is exposed, and put in place appropriate systems to identify, measure, monitor and control these risks;
  ii. they are fully aware of cyber and technology-related risk and implement an appropriate and robust cyber and technology risk management framework; and
  iii. appropriate controls and safeguards (including multifactor authentication, as relevant) are implemented to support identity proofing and authenticate digital instructions and digital signatures.

Section 9: Anti-Money Laundering and Combating the Financing of Terrorism and Proliferation

9.1 A digital bank shall comply with the relevant statutory and regulatory requirements relating to AML/CFT, namely the relevant AML/CFT Legislations and guidelines issued by the Bank, such as the Guideline on Anti-Money Laundering and Combating the Financing of Terrorism and Proliferation, the Guideline on the implementation of Targeted Financial Sanctions under the United Nations (Financial Prohibitions, Arms Embargo and Travel Ban) Sanctions Act 2019 and any other relevant guidelines/legislations, including those in respect of digital onboarding of customers applicable to banks.

9.2 A digital bank shall take appropriate steps to identify, assess and understand the money laundering and terrorism financing and proliferation financing (ML/TF/PF) risks of customers, countries or geographic areas and products, services, transactions or delivery channels.

9.3 In complying with the relevant statutory requirements and the provisions of guidelines, a digital bank shall implement programmes against money laundering and the financing of terrorism and proliferation which are commensurate with the ML/TF/PF risks identified, and which shall include the following internal policies, procedures and controls –
  (i) compliance management arrangements, including the appointment of a compliance officer at management level;
  (ii) screening procedures to ensure high standards when hiring officers;
  (iii) ongoing training programmes for its directors and officers; and
  (iv) an independent audit function to test the programmes.

9.4 In so doing, a digital bank should as far as possible adopt an appropriate and intelligent risk-based approach and always consider additional measures that could be necessary to mitigate its identified ML/TF/PF risks.

9.5 A digital bank shall ensure that its customer due diligence measures are commensurate with the associated ML/TF/PF and cyber/technology risks.

9.6 A digital bank shall apply appropriate measures to authenticate and verify the identity of the customers through reliable and independent means at on-boarding stage and to authenticate documents provided by customers.

9.7 In addition to demonstrating compliance with the requirements of the Anti-Money Laundering and Combating the Financing of Terrorism and Proliferation regulatory framework, applicants should be able to demonstrate compliance with the requirements in a fully digitalised environment.

Section 10: Physical office in Mauritius

10.1 In line with paragraph 1.5(iii) of this Guideline, a digital bank shall have a principal place of business in Mauritius. This physical office shall be used solely for administrative purposes, to deal with customer complaints or to interact with the Bank. Such office shall not be used to conduct banking business with customers and shall, at all times, be made accessible to the Bank for on-site examinations.

Section 11: Record Keeping

11.1 A digital bank shall comply with the requirement of section 33 of the Act on records and ensure that its records are, at all times, readily accessible to the Bank.

11.2 Due to the nature of the business operations, most if not all of the data of the digital bank are expected to be in an electronic format. The design of technology solutions in a digital bank should allow for easy and quick access to complete and accurate information required by the Bank to perform its supervisory duties.

Section 12: Customer Protection and Data Protection

12.1 A restricted digital bank shall take all reasonable steps to ensure that all customers are made aware that it is operating as a restricted digital bank that is subject to a pre-defined restricted phase.

12.2 A digital bank shall duly inform and educate its customers of the financial products and financial services and the appropriate security measures to be taken in this respect.

12.3 A digital bank shall ensure compliance with the relevant data protection laws and regulations.

Section 13: Reporting Requirement

13.1 A digital bank shall comply with all the statutory reporting requirements and submit the regulatory returns and any other reporting requirements as communicated by the Bank.

13.2 During the restricted phase, a restricted digital bank shall also submit to the Bank half-yearly progress updates on the implementation of its business plan.

Bank of Mauritius
6 December 2021