Scribd
Upload
69 views21 pages

Guideline For Digital Banks 06.12.2021

Read

Uploaded by

radikhadookhy
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
69 views21 pages

Guideline For Digital Banks 06.12.2021

Read

Uploaded by

radikhadookhy
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 21

BOM / BSD 43 / December 2021

BANK OF MAURITIUS

Guideline for Digital Banks

December 2021
This page is intentionally left blank.
TABLE OF CONTENTS

INTRODUCTION .............................................................................................................................. 1
Purpose ............................................................................................................................................ 1
Authority .......................................................................................................................................... 1
Scope of Application........................................................................................................................ 1
Relation to other guidelines issued by the Bank of Mauritius....................................................... 2
Effective date ................................................................................................................................... 2
Interpretation ................................................................................................................................... 2
Section 1: Application Process for Digital Banking Licence........................................................... 4
Section 2: Licensing stages ................................................................................................................. 6
Mobilisation Period ......................................................................................................................... 6
Transitional Period.......................................................................................................................... 7
Section 3: Prudential and Regulatory Requirements for Restricted Digital Banks .................. 10
Shareholding Structure ................................................................................................................. 10
Mobilisation Period ....................................................................................................................... 10
Transitional Period........................................................................................................................ 11
Section 4: Exemptions applicable to Restricted Digital Banks ..................................................... 12
Capital requirements ..................................................................................................................... 12
Significant ownership.................................................................................................................... 12
Corporate Governance .................................................................................................................. 12
Regulatory Reporting .................................................................................................................... 13
Section 5: Business Plan ................................................................................................................... 13
Section 6: Exit Plan........................................................................................................................... 14
Section 7: Exit from Banking Industry........................................................................................... 15
Section 8: Risk Management ........................................................................................................... 15
Section 9: Anti-Money Laundering and Combating the Financing of Terrorism and
Proliferation ............................................................................................................................. 15
Section 10: Physical office in Mauritius.......................................................................................... 16
Section 11: Record Keeping ............................................................................................................. 16
Section 12: Customer Protection and Data Protection.................................................................. 16
Section 13: Reporting Requirement ................................................................................................ 17

i
This page is intentionally left blank.
INTRODUCTION
Section 5(1) of the Banking Act 2004 provides that no person shall engage in, inter alia, digital
banking business in Mauritius without a banking licence issued by the Bank of Mauritius.

Digital banking business is defined in the Banking Act 2004 as ‘banking business carried on
exclusively through digital means or electronically’.

Further, section 7(7E) of the Banking Act 2004 states that ‘a bank which has been granted a
banking licence to carry on exclusively digital banking business by the central bank may be
exempted from such provisions of the Banking Act 2004 and be subject to such terms and
conditions and guidelines as the central bank may determine’.

Pursuant to section 52(1) of the Banking Act 2004, a bank licensed under section 7(5) of the
Banking Act 2004 to carry on exclusively private banking business or exclusively Islamic
banking business, may, with the approval of the Bank of Mauritius, carry on its licensed
activities solely through digital means or through electronic delivery channels.

Purpose

The purpose of this Guideline for Digital Banks (Guideline) is to give effect to the
abovementioned provisions of the Banking Act 2004 and to set out the regulatory and
supervisory framework for operating a digital bank in Mauritius. A digital bank refers to a
bank carrying on banking business exclusively through digital means or electronically.

The Guideline specifies additional requirements to, or exemptions from the legal, regulatory
and supervisory framework applicable to traditional banks and the terms and conditions under
which the Bank of Mauritius shall consider these exemptions under section 7(7E) of the
Banking Act 2004.

The Guideline shall also apply to a bank licensed to carry on exclusively private banking
business or exclusively Islamic banking business solely through digital means or through
electronic delivery channels under section 52(1) of the Banking Act 2004.

Authority

This Guideline is issued under the authority of section 50 of the Bank of Mauritius Act 2004 and
sections 7(7E) and 100 of the Banking Act 2004.

Scope of Application

This Guideline shall apply to banks licensed under section 7(5) of the Banking Act 2004 to
carry on exclusively:

(i) digital banking business (digital bank); and

(ii) private banking business or Islamic banking business solely through digital means or
through electronic delivery channels under section 52(1) of the Banking Act 2004
(digital private bank or digital Islamic bank).

1
Relation to other guidelines issued by the Bank of Mauritius

A bank licensed under section 7(5) of the Banking Act 2004 to carry on exclusively –

(i) digital banking business;

(ii) private banking business or Islamic banking business solely through digital means
or through electronic delivery channels,

shall be subject to the prudential and regulatory requirements applicable to banks unless where
explicitly otherwise stated by the Bank of Mauritius in this Guideline or in the Guideline on
Private Banking or Guideline for Institutions Conducting Islamic Banking Business, as the
case may be.

Effective date

This Guideline shall come into effect on 6 December 2021.

Interpretation

In this Guideline,

“Act” means the Banking Act 2004;

“Bank” means the Bank of Mauritius established under section 3 of Bank of Mauritius Act
2004;

“bank” has the same meaning as in the Act;

“banking business” has the same meaning as in the Act;

“banking laws” has the same meaning as in the Act1;

“digital bank” means a bank licensed under section 7(5) of the Act to carry on exclusively
digital banking business and shall include a digital private bank and a digital Islamic bank;

“digital banking business” has the same meaning as in the Act, and refers to banking business
carried on exclusively through digital means or electronically;

“digital banking licence” refers to the licence granted to a digital bank;

“digital Islamic bank” refers to a bank licensed under section 7(5) of the Banking Act 2004 to
carry on exclusively Islamic banking business solely through digital means or through
electronic delivery channels;

“digital on-boarding” refers to the process of establishing a business relationship with a


customer solely through digital means or electronically;

1
The banking laws are accessible at https://www.bom.mu/about-the-bank/legislation.

2
“digital private bank” refers to a bank licensed under section 7(5) of the Banking Act 2004 to
carry on exclusively private banking business solely through digital means or through
electronic delivery channels;

“capital adequacy ratio” is as set out under the Guideline on Scope of Application of Basel III
and Eligible Capital;

“liquidity coverage ratio” is as set out under the Guideline on Liquidity Risk Management;

“mobilisation period” refers to the first two years following the issue of the digital banking
licence;

“physical presence” has the same meaning as in the Act;

“private banking business” has the same meaning as in the Act;

“prudential or regulatory requirements” refer to guidelines, instructions or directives issued to


banks by the Bank2;

“related party” has the same meaning as in the Act;

“restricted digital bank” means a digital bank operating in the restricted phase;

“restricted phase” refers to the mobilisation period and the subsequent transitional period;

“senior officer” has the same meaning as in the Act;

“significant interest” has the same meaning as in the Act;

“significant shareholder” refers to a shareholder who has significant interest in a digital bank;

“transitional period” refers to the subsequent period of three years following the end of the
mobilisation period.

2
The guidelines issued by the Bank are accessible at:
https://www.bom.mu/financial-stability/supervision/guideline.

3
Section 1: Application Process for Digital Banking Licence

1.1 Applications from body corporates for a digital banking licence shall be made by
submitting to the Bank the duly filled application form as available on the website of
the Bank. An applicant shall also comply with section 5 of the Act.

1.2 The application for a digital banking licence shall be determined in accordance with
section 6 of the Act.

1.3 The Bank may, following its determination of the application, grant or refuse the
application.

1.4 In accordance with section 7 of the Act, no licence shall be granted by the Bank unless
it is satisfied:

i. that the applicant has:

a. demonstrated that the directors or senior officers of the applicant have


technical knowledge, experience in banking or finance and are fit and
proper persons to carry on the proposed banking business;

b. sufficient financial resources and an adequate capital structure to serve as


a continuing source of financial support for the proposed bank;

c. demonstrated the soundness and feasibility of the applicant’s plans for the
future conduct and development of the business of the proposed bank,
including accounting and internal control systems;

d. the ability and willingness to comply with such other conditions as the
central bank may impose under the banking laws; and

ii. as to the history and character of the business and management of the applicant;

iii. as to the convenience and needs of the community or market to be served;

iv. as to the fitness and suitability of the applicant’s shareholders, particularly


shareholders holding a significant interest; and

v. where the applicant forms part of a group predominantly engaged in banking


activities, that the corporate structure of the group or its geographical location
or the banking law in the home country of the group does not hinder effective
consolidated supervision.

1.5 Additionally, the applicant must be able to demonstrate to the satisfaction of the Bank
that:

i. at least one of its significant shareholders shall have relevant track record in
operating an existing business in a banking, financial technology, e-commerce,
communications or related fields;

4
ii. its board of directors collectively possess requisite expertise and experience in
the fields of technology and related risks, digital banking business as well as in
credit, liquidity, interest rate risks and other banking risks relevant to the
activities of the digital bank;

iii. it will meet the requirements for substantial activities, that is, it shall have a
principal place of business in Mauritius, at least ten suitably qualified full-time
officers, including the Chief Executive Officer (CEO), Deputy CEO and other
key functional heads, and its annual operating costs should not be less than
25 million Mauritian rupees; and

iv. it will meet the applicable minimum capital requirement at the onset and on an
ongoing basis.

1.6 Where the applicant is a branch or a subsidiary of a bank incorporated abroad and is
making an application either singly or in joint venture with a bank incorporated in
Mauritius, section 7(3) of the Act requires that the bank incorporated abroad is a
reputable international bank, having operated as a bank in the jurisdiction of its head
office for at least 5 years, and is subject to consolidated supervision by competent
foreign regulatory authorities.

1.7 Where the bank incorporated abroad has operated for less than five years, the Bank may
consider the application if:

a. the applicant is able to, inter alia, demonstrate, to the satisfaction of the Bank,
the adequate experience and track record of its shareholders, board members (as
applicable) and senior officers including those to be assigned to the bank in
Mauritius, in the field of banking, financial technology, e-commerce or other
related fields; and

b. the applicant is subject to consolidated supervision by competent foreign


regulatory authorities and these authorities have no objection to its proposal to
carry on digital banking business in Mauritius.

1.8 The board of directors of a digital bank shall consist of at least one Mauritian citizen
residing in Mauritius.

1.9 The applicant shall also ensure that the name under which it intends to operate complies
with the requirements of sections 4 and 7(4) of the Act as well as section 61 of the
Bank of Mauritius Act.

5
Section 2: Licensing stages

Mobilisation Transitional
Restricted Period Period Digital Bank
Digital bank
(2 years) (3 years)

2.1 Successful applicants shall commence business as a restricted digital bank.

2.2 A restricted digital bank shall develop its governance, internal control and risk
management frameworks during the restricted phase. Accordingly, it shall conduct
limited banking business and shall ensure that the frameworks remain commensurate
with the risks associated with these activities during the restricted phase. It shall be
subject to prudential and regulatory requirements as detailed under section 3 of this
Guideline during the restricted phase.

2.3 The restricted phase shall comprise a mobilisation period of not more than two years
and a subsequent transitional period of not more than three years. There is no minimum
period for exiting the restricted phase as long as the restricted digital bank meets all the
requirements to the satisfaction of the Bank.

2.4 Applicants shall communicate their proposed mobilisation and transitional periods at
the time of application.

2.5 A restricted digital bank shall submit to the Bank a plan detailing the timelines and
milestones for the deployment of the requisite governance, internal control and risk
management frameworks, the relevant policies, processes, and systems, and other
activities planned during the mobilisation and transitional periods.

Mobilisation Period

2.6 During the mobilisation period and before proceeding to the transitional period, a
restricted digital bank is required to have:

i. tested and deployed its technology infrastructure and systems;

ii. developed its policies and procedures;

iii. recruited the required senior officers and other staff;

iv. implemented the requisite governance, internal control and risk management
framework; and

v. developed its business model including its products and services and target
market.

6
2.7 A restricted digital bank shall seek the authorisation of the Bank to move to the
transitional period at least 90 days before the expiry of the mobilisation period.
The Bank may, following consideration of the application for authorisation, either grant
or refuse to grant the authorisation.

2.8 In determining whether to grant the authorisation, the Bank shall consider whether the
restricted digital bank has demonstrated to the satisfaction of the Bank, that it has been
able to deploy the requisite technologies and the relevant internal control, risk
management and governance frameworks and as well as the other planned activities to
move to the next phase, that is, the transitional period.

2.9 The Bank shall, within 60 days of receipt of a request for authorisation, inform the
restricted digital bank of its decision to grant or refuse to grant the authorisation. The
request shall be duly accompanied with all such information and documents as may be
required to determine the application.

2.10 Where the Bank grants the authorisation, the restricted digital bank shall immediately
proceed to the transitional period.

2.11 Where the Bank refuses to grant the authorisation, it shall inform the restricted digital
bank of the reasons for which its request has been refused and afford the restricted
digital bank with an opportunity to make representations against its decision. Any
representation shall be made within 7 days of the decision of the Bank. The Bank shall,
after considering the representations, communicate its final decision to the restricted
digital bank within 14 days of receipt of its representations.

2.12 Where the Bank maintains its decision to refuse to grant the authorisation or where no
request for authorisation or representation is received within the prescribed period, the
Bank shall require the restricted digital bank to immediately cease operation.

2.13 The restricted digital bank shall, within 7 days of the communication of the decision of
the Bank under paragraph 2.12, inform the Bank that it will surrender its licence
pursuant to section 11(7) of the Act and proceed with the voluntary liquidation of the
bank under section 70 of the Act.

2.14 If the restricted digital bank fails to communicate its decision to surrender its licence
within the prescribed period, the Bank shall proceed to revoke same pursuant to section
17 of the Act and the bank shall be placed under receivership pursuant to section 75 of
the Act.

2.15 Where the licence is revoked by the Bank, the directors and management of the
restricted digital bank shall not act, or continue to act, as a director of, or be directly or
indirectly concerned, in the management of a financial institution, without the approval
of the Bank under section 47 of the Act.

Transitional Period

2.16 During the transitional period, a restricted digital bank shall further enhance its
information systems, internal control, corporate governance and risk management
framework to meet prudential and regulatory requirements applicable to banks

7
(excluding those which are explicitly exempted) at the end of the restricted phase.

2.17 A restricted digital bank shall seek the authorisation of the Bank to operate as a digital
bank at least 90 days before the expiry of the transitional period. In this connection, the
restricted digital bank shall submit:

i. a written confirmation from its board of directors that it meets all the prudential
and regulatory requirements applicable to a bank, including the minimum
capital requirement of 400 million Mauritian rupees or an equivalent amount in
any freely convertible currency (or such other capital requirement as may be
prescribed) together with all relevant documentation to support this
confirmation;

ii. an external audit confirmation on its capital position; and

iii. a report on the adequacy, appropriateness and effectiveness of its cyber and
technology risk management framework and of its governance, internal control
and risk management framework from an independent reputable firm. The Bank
may, where deemed relevant, appoint an independent firm that will conduct
such assessment. The cost of the assessment shall be borne by the restricted
digital bank.

2.18 The Bank shall determine the request taking into consideration, inter alia, the
performance and viability of the business of the restricted digital bank, the
appropriateness of its governance, internal controls and risk management framework
and its compliance with the prudential and regulatory requirements.

2.19 The Bank shall, within 60 days of receipt of a request for authorisation, inform the
restricted bank of its decision to grant or refuse to grant the authorisation. The request
shall be duly accompanied with all such information and documents as may be required
to determine the application.

2.20 Where the Bank grants the authorisation, the restricted digital bank shall have 30 days
to start operating as a digital bank.

2.21 Where the Bank refuses to grant the authorisation, it shall inform the restricted digital
bank of the reasons for which its request has been refused and afford the restricted
digital bank with an opportunity to make representations against its decision. Any
representation shall be made within 7 days of the decision of the Bank. The Bank shall,
after considering the representations, communicate its final decision to the restricted
digital bank within 14 days of receipt of its representations.

2.22 Where the Bank maintains its decision to refuse to grant the authorisation or where no
request for authorisation or no representation is received within the prescribed period,
the Bank shall require the restricted digital bank to immediately cease operation.

2.23 The restricted digital bank shall, within 7 days of the communication of the decision of
the Bank under paragraph 2.22, inform the Bank that it will surrender its licence
pursuant to section 11(7) of the Act and proceed with the voluntary liquidation of the
bank under section 70 of the Act.

8
2.24 If the restricted digital bank fails to communicate its decision to surrender its licence
within the prescribed period, the Bank shall proceed to revoke same pursuant to section
17 of the Act and the bank shall be placed under receivership pursuant to section 75 of
the Act.

2.25 Where the licence is revoked by the Bank, the directors and management of the
restricted digital bank shall not act, or continue to act, as a director of, or be directly or
indirectly concerned, in the management of a financial institution, without the approval
of the Bank under section 47 of the Act.

2.26 The restricted digital bank shall cease to conduct banking business during the
mobilisation period and/or during the transitional period where the Bank deems that:

i. the business model of the restricted digital bank is no longer viable;

ii. the restricted digital bank is not able to meet the objectives set out in its business
plan; or

iii. the restricted digital bank fails to comply with the terms and conditions of the
Bank to transition to a digital bank.

2.27 In the above circumstances, the Bank shall issue a written notice to the restricted digital
bank requiring it to immediately cease business. The restricted digital bank may within
7 days of the written notice make its representations to the Bank. The final decision of
the Bank on the representations shall be communicated to the restricted digital bank
within 14 days of the receipt of the representations.

2.28 The restricted digital bank shall communicate to the Bank its decision to surrender its
licence pursuant to section 11(7) of the Act and proceed with the voluntary liquidation
of the bank under section 70 of the Act:

i. within 7 days of the notice to cease business where no representation is made


within the prescribed period; or

ii. within 7 days of the Bank’s decision where a representation is made and the
Bank maintains its decision.

2.29 If the restricted digital bank fails to communicate its decision to surrender its licence
within the specified period mentioned above, the Bank shall proceed to revoke same
pursuant to section 17 of the Act and the bank shall be placed under receivership
pursuant to section 75 of the Act.

2.30 Where the licence is revoked by the Bank, the directors and management of the
restricted digital bank shall not act, or continue to act, as a director of, or be directly or
indirectly concerned, in the management of a financial institution, without the approval
of the Bank under section 47 of the Act.

9
Section 3: Prudential and Regulatory Requirements for
Restricted Digital Banks

3.1 Besides other laws applicable to a company, a restricted digital bank shall comply with
banking laws, the Guideline on Fit and Proper Person Criteria, the Guideline on Related
Party Transactions, the Guideline on Corporate Governance, the Guideline on Credit
Concentration Risk, Guideline on Credit Risk Management, Guidelines on Outsourcing
by Financial Institutions, Guideline on Liquidity Risk Management, Guideline on
Maintenance of Accounting and Other Records and Internal Control Systems, the
Guideline on the Computation of Debt-to-Income Ratio for Residential Property Loans,
Guidelines for Calculation and Reporting of Foreign Exchange Exposures of Banks,
the minimum capital requirements prescribed in this Guideline and the prudential limits
set out under this section. The requirements pertaining to Anti-Money Laundering and
Combating the Financing of Terrorism and Proliferation (AML/CFT) are laid down in
section 9 of this Guideline.

3.2 A restricted digital bank shall implement an appropriate governance, internal control
and risk management framework and apply other prudential and regulatory
requirements in a proportionate manner taking into consideration the nature, size and
complexity of its business operations.

Shareholding Structure

3.3 There shall generally be no change in shareholding of the restricted digital bank during
the mobilisation and transitional periods, except with the approval of the Bank.

Mobilisation Period

3.4 During the mobilisation period, a restricted digital bank shall:

i. solicit deposits solely from its shareholders, employees and related parties;

ii. operate with an asset size not exceeding 1 billion Mauritian rupees or an
equivalent amount in any freely convertible currency;

iii. offer only simple credit and deposit products;

iv. deal only with resident customers, with the exception of its shareholders,
employees and related parties;

v. maintain, at all times, a capital adequacy ratio of 15 per cent3;

vi. maintain the minimum cash reserve ratio prescribed by the Bank;

3
The capital adequacy ratio shall be calculated taking into consideration the requirements under the Guideline on
Scope of Application of Basel III and Eligible Capital, Guidelines on Operational Risk Management and Capital
Adequacy Determination, Guideline on Measurement and Management of Market Risk and Guideline on
Standardised Approach to Credit Risk.

10
vii. hold, at all times, a reserve fund equivalent to three months of operating
expenses in addition to the minimum capital requirements;

viii. maintain a minimum liquidity coverage ratio of 120 per cent4 on a


consolidated basis, for assets and liabilities denominated in Mauritian rupees
and for assets and liabilities denominated in each significant foreign
currency; and

ix. any other prudential limits/prudential or regulatory requirements prescribed


by the Bank.

Transitional Period

3.5 During the transitional period, a restricted digital bank shall:

i. operate with an asset size not exceeding 2 billion Mauritian rupees or an


equivalent amount in any freely convertible currency;

ii. offer only simple credit and deposit products;

iii. maintain, at all times, a minimum capital adequacy ratio3 of 12.5 per cent;

iv. maintain the minimum cash reserve ratio prescribed by the Bank;

v. maintain a minimum liquidity coverage ratio4 above of 100 per cent on a


consolidated basis, for assets and liabilities denominated in Mauritian rupees
and for assets and liabilities denominated in each significant foreign
currency;

vi. any other prudential limits/prudential or regulatory requirements prescribed


by the Bank.

3.6 The cap on the asset size may, subject to approval by the Bank, be increased during the
transitional period provided that:

i. the minimum capital and the cap on the asset size increase in tandem by a ratio
of not more than 1:10; and

ii. the governance, internal control and risk management frameworks remain
commensurate with the asset size, complexity and nature of the business.

4
The liquidity coverage ratio shall be computed as set out in the Guideline on Liquidity Risk Management.

11
Section 4: Exemptions applicable to Restricted Digital Banks

4.1 The exemptions under this section shall be subject to the approval of the Bank.

Capital requirements

4.2 A restricted digital bank shall commence operations with an amount paid as stated
capital or an amount of assigned capital, as the case may be, of not less than 200 million
Mauritian rupees or an equivalent amount in any freely convertible currency held in
assets in or outside Mauritius, as may be approved by the Bank.

4.3 During the restricted phase, the bank will be required to maintain, at all times, a
minimum amount of stated or assigned capital of not less than 200 million Mauritian
rupees or an equivalent amount in any freely convertible currency, after deduction of
the accumulated losses of the bank.

4.4 At the end of the restricted phase, the minimum capital requirement applicable shall be
400 million Mauritian rupees or an equivalent amount in any freely convertible
currency held in assets in or outside Mauritius, as may be approved by the Bank, after
deduction of the accumulated losses of the bank.

Significant ownership

4.5 During the restricted phase, the shareholders of the restricted digital bank may own a
significant interest of 10% or more* of the bank’s capital or voting rights provided that:

i. the shareholders undertake in writing to the Bank not to influence or impede the
prudent management and functioning of the restricted digital bank in
accordance with sound banking practices;

ii. the restricted digital bank has in place a board of directors chaired by an
independent director and which is composed of a majority of independent
directors*;

iii. the board of directors collectively have proven experience in matters of


regulatory compliance, risk management and audit; and

iv. the restricted digital bank demonstrates at any point in time that all business
transactions with shareholders are conducted at arms-length.

* Conditions of significant interest will not apply to subsidiaries and branches of


foreign banks.

Corporate Governance

4.6 The Guideline on Corporate Governance requires banks to establish an Audit


committee, a Conduct Review committee, a Risk Management committee, and a
Nomination and Remuneration committee. A restricted digital bank may only
establish an Audit Committee and an executive-level Risk Management Committee.
In such instances, the board of directors of the restricted digital bank shall be

12
responsible for the tasks assigned to the other board sub-committees and for laying
down the risk management strategy, risk appetite and key risk policies.

4.7 A restricted digital bank may share selected senior officers with its parent entity
provided that these senior officers are able to demonstrate that they have relevant
banking experience and that there is a dedicated team of officers working at the bank.

Regulatory Reporting

4.8 A restricted digital bank shall, upon request, be exempted from the requirement to
submit regulatory returns which may not be applicable to its business model.

Section 5: Business Plan

5.1 Section 5(1)(f) of the Act requires an applicant to submit, at the time of application, a
business plan giving the nature of the planned business, organisational structure and
internal control, projected financial statements including cash flow statements for each of
the next 3 financial years.

5.2 In addition to the requirements specified in paragraph 5.1, the business plan shall, inter
alia, include:

i. the projected financial statements for additional 2 financial years to cover a


period of 5 financial years.

ii. the business model, including the products and services to be offered, the
channels to be used to offer the product and services and the target market;

iii. the sources of funding and its capital and liquidity strategy;

iv. the proposed governance, internal control, and risk management (including the
cyber/technology risk management) frameworks;

v. the proposed staffing requirement including the areas related to technology and
risk management and how these would be met;

vi. the business strategy that demonstrates a sustainable business model from the
restricted phase to a digital bank. The business strategy shall be documented
and shall, as a minimum, include:

a. clear timelines and milestones to enable the Bank and the applicant to
track the progress against the proposed plan;

b. measures required to comply with all prudential requirements applicable


throughout the restricted phase and thereafter; and

c. measures to meet the minimum capital requirement at the end of the


restricted phase;

13
vii. measures to address customers’ queries or complaints;

viii. details of any outsourcing arrangements and other reliance on third-party


service providers; and

ix. a description of the plans in respect of its cyber and technology risk management
framework and infrastructure, which shall, as a minimum, cover:

a. an overview of system architecture diagram and network architecture


diagram;

b. the cloud strategy (if any) and its deployment model;

c. the technologies and digital innovations tools to be used;

d. planned IT/cyber risk governance framework;

e. the business continuity plan and disaster recovery plan;

f. the measures (technology, people and process) to manage cybersecurity


threats; and

g. risk assessment reports on third parties that would be providing critical


services (as applicable).

Section 6: Exit Plan

6.1 The applicant shall submit, at the time of application, an exit plan, which demonstrates that
it can go into voluntary liquidation under section 70 of the Act in an orderly manner during
the restricted phase under the circumstances stipulated in section 7 of the Guideline, taking
into consideration the interests of depositors. The exit plan shall, as a minimum, cover:

i. the circumstances under which the voluntary liquidation will be triggered;

ii. the channels to be used to repay depositors and the source of funding for making
the payments; and

iii. the communication and engagement strategy detailing the means and timeline
for keeping relevant stakeholders (such as the Bank, customers, investors)
informed.

6.2 The exit plan shall be accompanied by a written undertaking from its significant
shareholders to make up for any shortage of assets to cover the digital bank’s outstanding
deposit liabilities.

14
Section 7: Exit from Banking Industry

7.1 In addition to the circumstances laid down under paragraphs 2.13, 2.23 and 2.28, a
restricted digital bank may go into voluntary liquidation where it is of the view that its
business model is no longer viable and/or it will not be able to meet the objectives set out
in its business plan to transition to a digital bank.

Section 8: Risk Management

8.1 The board of directors and the senior management of a digital bank shall, among others,
ensure that:

i. they understand the types of risk to which it is exposed, and put in place
appropriate systems to identify, measure, monitor and control these risks;

ii. they are fully aware of cyber and technology-related risk and implement an
appropriate and robust cyber and technology risk management framework; and

iii. appropriate controls and safeguards (including multifactor authentication, as


relevant) are implemented to support identity proofing and authenticate digital
instructions and digital signatures.

Section 9: Anti-Money Laundering and


Combating the Financing of Terrorism and Proliferation

9.1 A digital bank shall comply with the relevant statutory and regulatory requirements relating
to AML/CFT, namely the relevant AML/CFT Legislations and guidelines issued by the
Bank, such as the Guideline on Anti-Money Laundering and Combating the Financing of
Terrorism and Proliferation, the Guideline on the implementation of Targeted Financial
Sanctions under the United Nations (Financial Prohibitions, Arms Embargo and Travel
Ban) Sanctions Act 2019 and any other relevant guidelines/legislations, including those in
respect of digital onboarding of customers applicable to banks.

9.2 A digital bank shall take appropriate steps to identify, assess and understand the money
laundering and terrorism financing and proliferation financing (ML/TF/PF) risks of
customers, countries or geographic areas and products, services, transactions or delivery
channels.

9.3 In complying with the relevant statutory requirements and the provisions of guidelines, a
digital bank shall implement programmes against money laundering and the financing of
terrorism and proliferation which are commensurate with the ML/TF/PF risks identified,
and which shall include the following internal policies, procedures and controls – (i)
compliance management arrangements, including the appointment of a compliance officer
at management level; (ii) screening procedures to ensure high standards when hiring
officers; (iii) ongoing training programmes for its directors and officers; and (iv) an
independent audit function to test the programmes.

15
9.4 In so doing, a digital bank should as far as possible adopt an appropriate and intelligent
risk-based approach and always consider additional measures that could be necessary to
mitigate its identified ML/TF/PF risks.

9.5 A digital bank shall ensure that its customer due diligence measures are commensurate with
the associated ML/TF/PF and cyber/technology risks.

9.6 A digital bank shall apply appropriate measures to authenticate and verify the identity of
the customers through reliable and independent means at on-boarding stage and to
authenticate documents provided by customers.

9.7 In addition to demonstrating compliance with the requirements of the Anti-Money


Laundering and Combating the Financing of Terrorism and Proliferation regulatory
framework, applicants should be able to demonstrate compliance with the requirements in
a fully digitalised environment.

Section 10: Physical office in Mauritius

10.1 In line with paragraph 1.5(iii) of this Guideline, a digital bank shall have a principal
place of business in Mauritius. This physical office shall be used solely for administrative
purposes, to deal with customer complaints or to interact with the Bank. Such office shall
not be used to conduct banking business with customers and shall, at all times, be made
accessible to the Bank for on-site examinations.

Section 11: Record Keeping

11.1 A digital bank shall comply with the requirement of section 33 of the Act on records and
ensure that its records are, at all times, readily accessible to the Bank.

11.2 Due to the nature of the business operations, most if not all of the data of the digital bank
are expected to be in an electronic format. The design of technology solutions in a digital
bank should allow for easy and quick access to complete and accurate information
required by the Bank to perform its supervisory duties.

Section 12: Customer Protection and Data Protection

12.1 A restricted digital bank shall take all reasonable steps to ensure that all customers are
made aware that it is operating as a restricted digital bank that is subject to a pre-defined
restricted phase.

12.2 A digital bank shall duly inform and educate its customers of the financial products and
financial services and the appropriate security measures to be taken in this respect.

12.3 A digital bank shall ensure compliance with the relevant data protection laws and
regulations.

16
Section 13: Reporting Requirement

13.1 A digital bank shall comply with all the statutory reporting requirements and submit the
regulatory returns and any other reporting requirements as communicated by the Bank.

13.2 During the restricted phase, a restricted digital bank shall also submit to the Bank
half-yearly progress updates on the implementation of its business plan.

Bank of Mauritius
6 December 2021

17

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy