Fintech Solutions

Sound Technology Governance as a Regulatory Imperative

Sound technology governance has evolved from best practice to regulatory expectation. FSC-licensed entities must demonstrate robust IT governance, cybersecurity controls, business continuity arrangements, and third-party risk management. Aurevya designs governance frameworks that satisfy regulators and protect your business.

Overview

The FSC Mauritius ICT guidelines apply to all licensed entities and set out explicit expectations for IT governance, cybersecurity, business continuity, and third-party risk management. Technology risk has become a priority supervisory focus, the FSC is increasingly likely to assess technology governance during licence examinations, and weaknesses in this area can result in licence conditions, enhanced reporting requirements, or enforcement action.

Cyber risk is now characterised as a systemic concern in financial services globally. The FSC expects licensed fintech entities to have a documented technology risk appetite, board-level oversight of technology risk, and a cybersecurity framework that is proportionate to the nature and scale of the business. This includes controls for access management, network security, endpoint protection, data encryption, and vulnerability management, as well as a tested incident response plan.

Cloud computing governance is a particular focus for fintech businesses, which rely heavily on cloud infrastructure. The FSC requires that licensed entities assess the risks of cloud usage, maintain appropriate contractual protections with cloud providers, ensure data residency and sovereignty requirements are met, and have plans for cloud provider failure or service disruption.

The Mauritius Data Protection Act 2017 adds a further layer of obligation, requiring licensed entities to implement appropriate technical and organisational measures to protect personal data, appoint a Data Protection Officer where required, and notify the Data Protection Office of significant breaches. Aurevya integrates data protection compliance into the broader technology governance framework.

All: Licensed Entities Subject to FSC ICT Guidelines
The FSC ICT guidelines apply to all FSC-licensed entities, making technology governance a universal compliance obligation across the Mauritius financial services sector.

Increasing: FSC Technology Risk Focus
The FSC has significantly increased its focus on technology risk in supervisory examinations, reflecting the growing systemic importance of technology in financial services.

2017: Data Protection Act Compliance Required
The Mauritius Data Protection Act 2017 imposes data protection obligations on all entities processing personal data, a near-universal requirement for fintech businesses.

What We Do

Key Features of Our Technology Governance Service

01
IT Governance Framework Design
We design a comprehensive IT governance framework, including IT governance policy, technology risk appetite, board technology reporting, IT committee terms of reference, and technology risk register, aligned to FSC ICT guidelines.
02
Cybersecurity Policy and Controls
We design the cybersecurity policy framework, covering access management, network security, endpoint protection, data encryption, vulnerability management, and security monitoring, proportionate to your technology risk profile.
03
Cloud Computing Governance
We design cloud governance frameworks, including cloud risk assessment, provider due diligence, contractual protections, data residency requirements, exit planning, and monitoring of cloud provider performance and security.
04
Business Continuity and Disaster Recovery
We design BCP/DR frameworks, including business impact analysis, recovery time and recovery point objectives, disaster recovery plans, testing protocols, and crisis management procedures, that meet FSC expectations and protect operational continuity.
05
Third-Party and Vendor Risk Management
We design third-party risk management frameworks, covering vendor due diligence, contractual requirements, ongoing monitoring, and FSC outsourcing notification requirements, for all material technology and service providers.
06
Data Protection Act Compliance Integration
We integrate Mauritius Data Protection Act 2017 compliance into the technology governance framework, including privacy by design, DPIA processes, data breach notification procedures, and DPO appointment where required.

Process

How We Build Your Technology Governance Framework

01
Technology Risk Assessment
We conduct a technology risk assessment, evaluating your IT infrastructure, applications, cloud usage, third-party dependencies, and cybersecurity posture, to establish the risk baseline and prioritise governance investments.
02
Framework Gap Analysis
We review existing technology governance documentation against FSC ICT guidelines and Data Protection Act requirements, identifying gaps and prioritising remediation based on regulatory risk.
03
Governance Document Design
We design the full suite of technology governance documentation: IT governance policy, cybersecurity policy, cloud governance framework, BCP/DR plan, third-party risk policy, and data protection documentation.
04
Control Implementation and BCP/DR Testing
We support implementation of governance controls and BCP/DR arrangements, including testing of the disaster recovery plan, tabletop exercises for incident response, and penetration testing programme design.
05
Board Reporting and FSC Examination Preparation
We design technology risk reporting for the board, establish ongoing monitoring processes, and prepare the business for FSC technology risk examinations, including pre-examination gap reviews and examination support.

Ideal Clients

Who This Service Is For

01
FSC Licence Applicants
Businesses applying for FSC licences that need a compliant IT governance framework as part of their application, demonstrating to the FSC that technology risk is appropriately managed.
02
Cloud-Native Fintech Businesses
Businesses operating on cloud infrastructure requiring a governance framework that satisfies FSC cloud computing requirements, including provider due diligence, contractual protections, and exit planning.
03
Licensed Entities Preparing for Examination
FSC-licensed entities approaching a supervisory examination that includes a technology risk component, requiring a pre-examination gap analysis, remediation, and examination preparation.
04
Businesses Processing Personal Data
Fintech businesses processing client personal data requiring Data Protection Act 2017 compliance integration, including privacy by design, DPIA processes, and data breach notification procedures.

FAQ

Frequently Asked Questions

What IT governance does the FSC require?
The FSC ICT guidelines require licensed entities to have a documented IT governance framework covering technology risk management, cybersecurity, business continuity, third-party risk, and incident response. The board must have oversight of technology risk, and there must be a designated technology risk owner. The framework must be documented, regularly reviewed, and tested, particularly for BCP/DR arrangements.
Does the FSC examine cybersecurity during licence examinations?
Yes. Technology risk has become a significant component of FSC supervisory examinations. Examiners review the cybersecurity policy, access management controls, patch management, incident response plan, and records of security incidents and breaches. Businesses without documented cybersecurity frameworks are likely to receive adverse examination findings and remediation requirements.
What are the cloud computing requirements for FSC-licensed entities?
The FSC requires that licensed entities using cloud services conduct appropriate due diligence on cloud providers, maintain contractual protections (including audit rights, data return provisions, and security standards requirements), ensure personal data is processed in accordance with the Data Protection Act, and have exit plans for cloud provider failure or contract termination. Certain types of cloud usage may require FSC notification.
What must a business continuity plan cover?
An FSC-compliant BCP must cover the identification of critical business functions, business impact analysis, recovery time and recovery point objectives, disaster recovery procedures for all critical systems, crisis management and communication procedures, staff responsibilities during an incident, and testing requirements. The BCP must be tested at least annually and updated following material changes to the business or its technology infrastructure.
How is outsourcing regulated by the FSC?
Material outsourcing arrangements by FSC-licensed entities require prior FSC notification. The FSC expects that outsourcing does not absolve the licensed entity of its regulatory responsibilities; the entity remains accountable for the outsourced function. Contracts with material service providers must include appropriate protections, and the licensed entity must maintain oversight of the provider's performance and compliance.
What are the data protection obligations for fintech companies in Mauritius?
The Mauritius Data Protection Act 2017 requires fintech companies to process personal data lawfully, fairly, and transparently; collect data for specified, explicit purposes; implement appropriate technical and organisational security measures; respect data subject rights (access, rectification, erasure); and notify the Data Protection Office of significant breaches within specified timeframes. A DPO must be appointed where required by the Act.


Ready to Build Sound Technology Governance?

Speak with our team to design a technology governance framework that satisfies FSC requirements and protects your fintech business.