[ AUTHORS’ NOTE: By a communique dated 15 July 2022, the Financial Services Commission announced that the series of rules issued under the Virtual Assets and Initial Token Offerings Rules came into effect on 01 July 2022. Please refer to the updated note below for substantial differences between the draft and the final published rules.]

The general obligations of a virtual asset service provider (a ‘VASP’) under the VAITOS (Statutory Returns) Rules 2022 (the ‘Statutory Returns Rules’) and the VAITOS (Cybersecurity) Rules 2022 (the ‘Cybersecurity Rules’), as well as the obligations specific to custodians under the VAITOS (Custody of Client Assets) Rules 2022 (the ‘Custody Rules’), are summarised in this final part of our series exploring the rules relating to virtual assets and initial token offerings (the ‘VAITOS Rules’).

Obligations under the Statutory Returns Rules applicable to all VASPs

A VASP must, in accordance with rule 4 of the Statutory Returns Rules, promptly notify the Financial Services Commission (the ‘FSC’) of the occurrence of certain events such as (i) an actual or potential breach of the Virtual Assets and Initial Token Offerings Act 2021 (the ‘VAITOS Act’) or the FSC rules, (ii) any changes in relation to its licence or registration, (iii) any actual, suspected or likely failure to ensure confidentiality and reliability of a client’s information, (iv) any material changes[1] to its business continuity plan (in which case FSC’s prior written approval is also required pursuant to rule 5), or (v) any material change to its outsourcing arrangements.

Under rule 6 of the Statutory Returns Rules, a VASP should, within four (4) months after its financial year end, provide a list of prescribed information to the FSC pertaining to a number of matters, including on (i) its activities (such as the group structure, the number of board meetings held, an overview of any shareholder involvement in day-to-day operations etc), (ii) relevant KYC considerations (such as the number of clients where enhanced due diligence was applied or originating from high-risk jurisdictions, the number of clients onboarded on a face-to-face basis, the number of prospective clients who were rejected, a description of changes to the client onboarding process and so on), and (iii) its statutory obligations under the VAITOS Rules (for example on the results of the review of its cybersecurity strategy and framework, any material changes to the assessment of major sources of risks and mitigation measures, any unplanned downtime of critical IT systems etc).

Obligations under the Cybersecurity Rules applicable to all VASPs

The Cybersecurity Rules, as the name indicates, relate to a VASP’s obligation to implement and maintain appropriate systems and controls for the purposes of managing any cybersecurity and data risks, having regard to (i) confidentiality, safe storage, safe transmission and integrity of data, (ii) availability and authentication (i.e. authorising only identified persons or systems to access such information), (iii) proper maintenance, updating, troubleshooting and testing of systems and infrastructure, and (iv) annual or more frequent external testing and audits depending on the nature and size of the VASP’s business.

In addition to the general obligations set out above, a VASP should in particular ensure business continuity by:

  • Implementing appropriate arrangements and reducing the likelihood and impact of any disruptions (for example by succession planning, systems resilience, dual processing, taking out contingency arrangements and insurance) (rule 6(1));
  • Considering the likelihood and impact of any unexpected disruption to its business continuity including assessing the likely timescale of any disruptions (rule 6(2));
  • Regularly updating and testing any arrangements in place (rule 6(3));
  • Documenting a business continuity plan outlining arrangements to reduce the impact of short, medium or long-term disruption (including the use of alternative sites), escalation and invocation of such plans, processes to validate the integrity of information affected by any disruption, and processes to review and update the aforementioned measures. The business continuity plan should be regularly tested to ensure the adequacy and effectiveness of its strategy (rule 7);
  • Considering how operating processes and systems at separate geographic locations may alter the VASP’s risk profile (rule 8); and
  • Taking out adequate insurance cover in respect of any monetary and non-monetary impact, although the Cybersecurity Rules explicitly mention that insurance alone cannot replace robust systems and controls (rule 9).

Obligations under the Custody Rules applicable to custodians

Over and above the general requirements applicable to all VASPs under the Cybersecurity and Statutory Returns Rules, specific obligations are placed on custodians under the Custody Rules due to the nature of their functions, and we note that adequate recordkeeping is a recurring theme.

Safekeeping 

The primary obligation of a custodian relates to its role in continuously safekeeping clients’ ownership rights to virtual assets, preventing the use of a client’s virtual assets (the ‘Client Assets’) held in the custodian’s own account except with the client’s express consent, and maintaining adequate organisational arrangements to minimise and mitigate the risk of loss or diminution of Client Assets or rights thereunder (rule 4).

The custodian must ensure the appropriate registration or recording of the legal titleholder of any Client Assets and rights of access thereto (rule 5(1)). Client Assets can be held by the custodian itself, an undertaking forming part of the same group of companies as the custodian, or with a Third Party Custodian (i.e. a custodian duly licensed under the VAITOS Act or a foreign custodian holding an equivalent licence) (rule 5(2)).

The custody agreement should specify whether Client Assets are held (rule 5(3)) on:

  • A segregated basis, the details and restrictions of which are set out in rule 5(3); or
  • An omnibus basis, whereby the custodian is subject to further restrictions under rule 8(2) on the use of Client Assets and must have adequate safeguards in place.

A custodian must not only refrain from using Client Assets for its own account, but must also refrain from using the Client Assets of one client for another client’s account or for the account of any third party (rule 8). Such alternative uses are only permitted where the relevant client has expressly given its consent in the manner prescribed under rules 8(2) to 8(5), and the custodian’s use of any Client Assets is restricted to specified instances (rule 8(1)).

Unclaimed Client Assets may either (a) be liquidated at market value, with the proceeds thereof paid away pursuant to rule 13(1)(i), or (b) be directly paid away under rule 13(1)(ii) to the Curator of Vacant Estates (the ‘Curator’), provided that certain pre-conditions (including taking reasonable steps to trace the client) in rules 13(1)(ii)(a) to 13(1)(ii)(d) and 14 are met. In our view, the liquidation proceeds should likewise be paid to the Curator, even though rule 13(1)(i) does not expressly name a recipient. [**See the Updated Note below**]

Rule 9 provides that no security interest, lien or right of set-off (an ‘Encumbrance’) in favour of a third party ought to encumber Client Assets unless:

  • Such Encumbrance concerns debts relating to one or more clients or the provision of services by that third party to one or more clients; or
  • Client Assets have been deposited with a Third Party Custodian and the Encumbrance is warranted by the law of the foreign jurisdiction where the Client Assets are held, the custodian has duly disclosed all relevant information (including of risks associated with such arrangements) to the client, and all reasonable steps were taken by the custodian to determine if the Encumbrance in question is in the client’s best interests.

In any event, rule 9(3) again emphasises the importance of proper recordkeeping in respect of certain prescribed information.

Rule 10 confers a discretion on the custodian to appoint a Third Party Custodian to open one or more accounts, provided that the selection of such Third Party Custodian is made with all due skill, care and diligence and that the custodian has verified, amongst other factors, the expertise, market reputation, service level, capital or financial resources, and creditworthiness of the Third Party Custodian. The appointment and all contractual arrangements (which should comply with the requirements under rule 11) must be reviewed annually, and the Third Party Custodian should also be subject to segregation requirements similar to the ones applicable to the custodian under rule 5. Any review conducted by the custodian with regard to the appointment of, and its relationship with, the Third Party Custodian must be recorded in writing pursuant to rule 12.

Record-keeping

Proper record-keeping and regular updates and evaluations (rules 18 to 21) are key: in that respect, Part VI generally refers to the custodian’s obligation to enable the identification and discernment of each Client Asset and its corresponding owner (rule 16). Moreover, an internal custody record check (the ‘Internal Check’) must be conducted at regular intervals of not more than two (2) months and evaluated to mitigate the occurrence of any discrepancies (rules 17 and 18). Similarly, an external custody reconciliation (the ‘External Reconciliation’) must be conducted at the same frequency by a person (the ‘Independent Person’) independent of the production or maintenance of the records so checked or reconciled (rules 19 and 20). All records must be kept for seven (7) years, in the same manner as generally prescribed by similar laws[2].

Moreover, the custodian must inter alia maintain records including on the details of the clients consenting to the use of their respective Client Assets and the number of Client Assets belonging to each such client. The rationale for maintaining those records is to ensure that the custodian and the relevant client(s) are able to determine the allocation, in case of losses incurred through the utilisation by the custodian of Client Assets. Although the Custody Rules do not explicitly mention the consequences borne by the custodian due to that loss, we assume that this type of loss would be treated as a discrepancy under rule 23 and consequently as a shortfall under rule 24.

Treatment of discrepancies and shortfalls

Where discrepancies are identified by the custodian when carrying out an Internal Check or an External Reconciliation, reasonable and appropriate steps must be taken promptly under rule 23 to fully and correctly investigate the underlying reason, resolve it without undue delay, and take any steps to avoid any reoccurrence.

If a shortfall (which has not yet been resolved) arises as a consequence of such investigation, the custodian must resolve it by either:

  • Allocating a sufficient number of its own applicable assets to cover the value of the shortfall (the ‘Shortfall Value’) calculated in accordance with rule 24(3), and holding them for clients such that the Client Assets themselves or any proceeds of their liquidation are available for distribution to the clients, in the event of the custodian’s Failure[3]. In that case, proper identification and segregation of Client Assets and the custodian’s own property is imperative (rule 24(2)(a)); or
  • Appropriating and holding for the benefit of the affected clients a sufficient amount of the custodian’s own money to cover the Shortfall Value (rule 24(2)(b)).

In either case, the VASP must (a) keep a record of actions taken under rule 24(2)(a) or rule 24(2)(b) as appropriate (including a description of the shortfall, the affected clients, and the applicable virtual assets appropriated by the VASP to make good the shortfall), (b) update such record when the discrepancy is fully resolved and the appropriated virtual assets are re-allocated accordingly, and (c) notify and apprise affected clients of any updated situation, whilst at all times acting honestly, fairly and professionally in their best interests (rules 24(5) to 24(6)).

Steps taken after a Failure of the custodian

However, it would appear that an exemption exists, as rule 24(7) mentions that a custodian who “has failed is not required” to take any of the aforementioned steps. Although the rule in question does not capitalise the term “failed”, we understand from the context that it can only refer to a custodian who is subject to insolvency proceedings and has accordingly ‘Failed’ (in which case the relevant insolvency laws will apply).

It is also interesting to note that upon a custodian’s Failure, the Custody Rules specify that the provisions relating to unclaimed Client Assets and to records and accounts are disapplied (rule 25). [**See the Updated Note below**]

A custodian must perform either an Internal Check or an External Reconciliation by an Independent Person as soon as reasonably practicable after the Failure, and pursuant to the manner prescribed by rule 26.

Client Assets should not be disposed of if the act of disposal would breach the VAITOS Act, any applicable foreign law, or any agreement entered into by the custodian. Instead, the VASP should:

  • Attempt to return the Client Assets to the relevant client (rule 27) or transfer to another person (defined as ‘Alternative Provider’ in the Custody Rules) where the custodian Fails, for safekeeping on behalf of the client (rules 27 and 30); and
  • Take all reasonable steps to notify the affected clients of the proposed course of action in accordance with the steps in rule 28.

Once more, the importance of proper recordkeeping is highlighted as the custodian’s records must reflect certain details prescribed under rule 29 for an indefinite period of time.

Other ancillary measures

Any software and hardware used by a VASP must be reliable, resilient and compatible with the virtual assets so held and, in its assessment, the VASP should consider the impact of the software architecture of the wallets used and the ability to ensure security through cryptographic keys, hard and cold wallet storage, and password protection and encryption (rule 6).

Independent technology audits by qualified and experienced third parties must be conducted within forty-five (45) days after the close of a financial year, following which the third party expert should prepare a written report (rule 7).

Notice must be sent to the FSC where (i) a custodian Fails and is subject to insolvency proceedings, (ii) the custodian’s records and accounts are materially out of date, inaccurate or invalid, thereby preventing it from complying with the requirements of the Custody Rules, or (iii) the custodian is “unable, or materially Fails” to take the prescribed steps for the treatment of shortfalls or to conduct the Internal Check or the External Reconciliation. The use of “Fails” in that particular context is rather curious, in that the term relates to the commencement of insolvency proceedings – we can only assume that the finalised version of the Custody Rules will incorporate the appropriate rectification.

Updated note

The published version of the Custody Rules contains a number of changes compared to the draft version:

  • Extended timeframe concerning independent technology audits: The timeframe in the Custody Rules to conduct independent technology audits is amended from forty-five (45) days to three (3) months after the close of a financial year.
  • New record-keeping obligation concerning independent technology audits: Custodians must keep, for at least seven (7) years from the date of the relevant audit, a record of the basis on which they determined that the third party auditor was independent, suitably qualified and sufficiently experienced to conduct the technology audit.
  • Requirement to change independent auditors: Custodians must change the independent technology auditor at least every seven (7) years.
  • New obligation concerning the assessment of Third Party Custodians and notifications to the FSC: The Custody Rules refer to a new obligation under rule 10(3), whereby custodians must, before depositing Client Assets with a Third Party Custodian, present to the FSC their assessment of the basis on which the proposed Third Party Custodian is indeed subject to equivalent regulations. The FSC can publish a list of jurisdictions whose regulations are deemed to be equivalent to Mauritian regulations.
  • New rules relating to treatment of unclaimed client assets held in custody: The Custody Rules initially provided for specific provisions concerning the treatment of unclaimed Client Assets in the event of the custodian’s Failure (i.e. insolvency). Those provisions have been deleted in the published version of the Custody Rules and have been replaced by the custodian’s entitlement to transfer Client Assets to an Alternative Provider.
  • New obligation concerning appointment of Alternative Providers: A custodian may transfer Client Assets to an Alternative Provider only if it exercises all due skill, care and diligence in such appointment. Factors which the custodian ought to take into account are similar to the criteria for appointing Third Party Custodians.

[1] According to section 13 of the VAITOS Act, material changes in respect of a VASP include modifying the scope of its business activities, reorganising its legal structure, merging with another entity, changing its name or changing its external auditor.

[2] Such as the Companies Act 2001 and the Financial Intelligence and Anti-Money Laundering Act 2002.

[3] The terms “Failure”, “Fails” and “Failed” refer to the appointment of a liquidator in respect of the VASP (or any equivalent procedure in any relevant jurisdiction).