Mauritius's Virtual Asset Rules, Explained: What VAITOS Means for Compliance Teams
A plain-English guide to the VAITOS Act — the law that brought crypto and digital assets under FSC oversight, and what it actually requires of compliance teams.
If your compliance team touches anything crypto-adjacent in Mauritius, one piece of legislation matters more than any other: the Virtual Asset and Initial Token Offering Services Act 2021, known as VAITOS. It's been in force since February 2022, and it's the reason Mauritius was among the first jurisdictions in Eastern and Southern Africa to bring digital assets under a comprehensive, FATF-aligned regulatory regime.
What VAITOS actually covers
VAITOS gives the Financial Services Commission (FSC) authority to license and supervise two types of entities: Virtual Asset Service Providers (VASPs) — exchanges, custodians, brokers, and wallet services — and issuers of Initial Token Offerings (ITOs), who must register and submit a white paper before offering tokens to the public.
Not everything digital falls under the Act. VAITOS specifically excludes digital versions of fiat currency (including any future Bank of Mauritius digital rupee), securities already regulated under the Securities Act 2005, and closed-loop items like loyalty points or gift cards that can't be traded or transferred.
The five license classes
VASPs are licensed under five categories — informally referred to by the letters M, O, R, I, S — covering activities from exchange services to custody to advisory work. Capital requirements scale with the license type, ranging from roughly MUR 2 million up to MUR 6.5 million. A single VASP can hold multiple license classes if its business spans several activities, but must meet the combined capital requirement for all of them.
What compliance teams actually need to do
A few obligations come up repeatedly for VASPs operating under VAITOS:
- Physical presence in Mauritius. A VASP needs a real office here, with business activities genuinely directed and managed from Mauritius — not just a registered address. The FSC looks at where board meetings happen and where risk decisions are actually made.
- Resident officers. VASPs must appoint resident directors, a Compliance Officer, and a Money Laundering Reporting Officer (MLRO), all subject to the FSC's "fit and proper" test.
- The Travel Rule. Cross-border virtual asset transfers must carry originator and beneficiary information, mirroring the standard already familiar from traditional wire transfers.
- AML/CFT controls. VASPs fall under the same Financial Intelligence and Anti-Money Laundering Act obligations as other regulated entities, with FSC guidance flagging red flags specific to virtual assets — anonymity-seeking customers, rapid high-value transactions, and similar patterns.
Recent developments worth knowing
The framework hasn't stood still. In early 2024, the FSC issued guidance clarifying that staking services and DAOsoperating in or targeting Mauritius residents now need to apply for the appropriate VASP license — closing a gap that had let some activities operate in a grey zone. And more recently, enhanced AML/CFT obligations have been phased in for VASPs, including mandatory transaction monitoring systems and real-time reporting for cross-border transfers above set thresholds.
Why this matters beyond crypto firms
Even if your organization isn't a VASP, VAITOS is a useful signal of how Mauritius regulates emerging risk generally: fast-moving guidance notes (published without needing ministerial approval), a clear license-by-activity structure, and consistent alignment with FATF standards. It's a template worth watching as the FSC extends similar thinking to other emerging areas of financial services.
For the full legislative text, the FSC has published VAITOS and its accompanying rules at fscmauritius.org.