New Mauritius FSC CDD Review Frequency Rules: What Your Risk Rating Methodology Must Now Deliver

The Financial Services Commission (FSC) of Mauritius has released a new Guidelines Communique, issued on or around 2 June 2026, on the:-

• Frequency of Customer Due Diligence.

This update provides

• Clarity on expectations for periodic CDD reviews for relevant FSC licensees and
• Reinforces Mauritius's commitment to a robust, proactive, risk-based AML/CFT framework.

What Remains Unchanged

The core obligation to keep Customer Due Diligence (CDD) information accurate and up to date is not new. It has long been required under:

• The Financial Intelligence and Anti-Money Laundering Act (FIAMLA)
• The FIAML Regulations 2018
• The FSC AML/CFT Handbook [21 September 2022]
• FSC "Effective Customer Risk Assessment" guidance paper (30 December 2013)

These instruments already mandated ongoing monitoring and risk-based reviews of existing customers.

What Has Changed – Clear Minimum Timelines Introduced

• The key development is the prescription of explicit minimum review frequencies tied to customer risk rating.
• A purely trigger-based (event-driven) approach is now explicitly insufficient.

Prescribed minimum periodic review timelines:

• High-risk customers: At least annually
• Medium-risk customers: At least every 3 years
• Low-risk customers: At least every 4 years

Periodic reviews

• Must now be conducted on a scheduled (calendar-driven) basis, even when no specific trigger event has occurred (such as a material change in circumstances, unusual transactions, or a risk profile update).
• This marks a clear shift from reactive to proactive compliance.

Important Clarification: Risk Rating vs Due Diligence Measures (SDD / EDD)

• Compliance officers should note a critical distinction that underpins the new guidelines and the broader FSC framework:

Separate processes. – ML/M/H risk and SDD, standard CDD, or EDD

• The following are related but separate processes.
• Customer risk rating (High / Medium / Low) and
• Due diligence measures (Simplified Due Diligence – SDD, standard CDD, or Enhanced Due Diligence – EDD)

• The risk rating is the outcome of a holistic customer risk assessment. It considers
• The combination of all risk factors (customer profile, geography, products, delivery channels, behaviour, etc.)
• Together with mitigating controls.
• SDD or EDD are mitigation measures applied to manage identified risks.
• They can be triggered independently of the overall risk rating.

Key practical points:

• Specific situations mandate EDD (e.g., the customer or beneficial owner is a PEP, or there is a connection to a high-risk third country).
• These triggers apply regardless of the overall risk rating.
• However, an EDD trigger does not automatically mean the customer must be rated "high risk".
• A PEP, for example, requires EDD but may still be rated medium risk overall if other factors are favourable and mitigations are strong.
• Similarly, a customer may be rated higher than low risk overall
• Yet still qualify for SDD measures in appropriate circumstances.
• "Higher risk" (situations requiring enhanced attention or EDD)
• Is not the same as "high risk" (the top category in an institution's risk rating scale).

The FSC AML/CFT Handbook emphasises a proportionate, case-by-case, holistic risk-based approach.

• PEP status is listed as one risk factor that triggers EDD, but institutions may assign different weights to factors and document overrides of automated scores.
• The overall risk rating must reflect the full profile, not a single trigger.

This nuance directly affects how firms apply the new CDD review frequency guidelines. The timelines (annually / every 3 years / every 4 years) are based on the customer's overall risk rating, not solely on whether EDD is required.

Implementation Deadline

Relevant FSC licensees must:

• Review their existing customer population against the new risk-based timelines.
• Align internal policies, procedures, systems, and controls with the prescribed minimum review frequencies.
• Compliance deadline: 8 June 2027 (one year from the guidelines' issuance period).

Practical Implications for Compliance Officers

To implement the new guidelines effectively while respecting the risk-rating vs measures distinction, firms should:

• Update policies and procedures to embed both scheduled periodic reviews and event-driven triggers.
• Integrate risk ratings directly into review scheduling, with clear documentation of the rationale (including how EDD triggers such as PEP status were considered without automatically forcing a "high risk" rating).
• Enhance or implement tracking systems that flag upcoming mandatory review dates by risk category and last review date.
• Perform a gap analysis of the current customer base, paying particular attention to customers approaching or exceeding the new minimum frequencies and those requiring EDD (e.g., PEPs) whose overall risk rating may be medium.
• Update staff training to reflect both the shift to proactive periodic reviews and the correct distinction between risk ratings and due diligence measures.
• Strengthen record-keeping to demonstrate that periodic reviews were carried out as required by risk rating, not solely when triggers arose.

Warning

• Firms that continue to rely solely on trigger events risk regulatory findings during FSC inspections or future ESAAMLG-related reviews.

Conclusion

• The new FSC Guidelines on CDD Review Frequency bring greater regulatory certainty and reinforce Mauritius's commitment to robust, risk-based AML/CFT standards.
• Periodic CDD is now clearly a scheduled obligation, not an optional extra.
• Compliance officers are strongly encouraged to download the official Communique directly from the FSC website and conduct an internal impact assessment without delay.
• Early alignment will help avoid last-minute remediation ahead of the 8 June 2027 deadline.

Nest steps

• For tailored implementation support, policy templates, or assistance with risk-rating methodologies that properly distinguish between EDD triggers and overall risk ratings, consult
• Your internal legal/compliance team or
• External AML advisors familiar with FSC expectations – in the first instance pelse drop Mathew an email: mathew@comsuregroupo.com

Official and Key Sources

1. Primary Official Source: FSC Mauritius website – Communique: Guidelines on Frequency of Customer Due Diligence (issued 02 June 2026). Available at: https://www.fscmauritius.org/ (check the News/Communiques section).
   • https://www.fscmauritius.org/media-corner/communiques-press-releases
   • https://www.fscmauritius.org/media/n2ohsg1i/guidelines-on-frequency-of-customer-due-diligence.pdf
2. FSC AML/CFT Handbook (updated 21 September 2022) – Foundational guidance on customer risk assessment, risk factors, and the distinction between risk ratings and due diligence measures: https://www.fscmauritius.org/ (media/publications section).
   • https://www.fscmauritius.org/amlcftcpf/amlcftcpf-frameworks
   • https://www.fscmauritius.org/media/1grh3bcq/updated-aml-cft-handbook.pdf
3. FSC "Effective Customer Risk Assessment" guidance paper (30 December 2013)
   • Official direct PDF link: https://www.fscmauritius.org/media/1334/aml_cft_v4.pdf
   • This is the full 18-page guidance paper titled Effective Customer Risk Assessment, published by the FSC on 30 December 2013. It contains practical examples of risk categorisation into High, Medium, and Low risk, along with factors to consider.
   • (Alternative reference page on Comsure Group that links to the same document: https://www.comsuregroup.com/news/mauritius-effective-customer-risk-assessment-cra-guide/)

Secondary professional summaries and compliance analyses (early June 2026)

Here are the most relevant publicly circulated summaries that reference the new FSC CDD Review Frequency Guidelines and the risk-based nuances:

1. Comsure Group – Mauritius-focused articles (highly referenced for the risk rating vs EDD distinction)
• "PEPs aren't always high risk, but graduated EDD is always required" https://www.comsuregroup.com/news/peps-aren-t-always-high-risk-but-graduated-edd-is-always-required-more-risk-more-edd/ (Explains that PEP status triggers EDD but does not automatically mean a "high risk" rating — holistic assessment applies under the FSC Handbook.)
• Related Comsure article on whether all PEP customers must be treated as high risk: https://www.comsuregroup.com/news/ask-mat-in-mauritius-must-all-pep-customers-inclboubocontrollers-be-treated-as-high-risk-and-their-score-weighted-up-accordingly/

These sources are among the main ones circulating in the Mauritius compliance community in June 2026, covering both the new CDD frequency timelines and the important nuances between risk ratings and due diligence measures.