ASK MAT – In Mauritius, MUST all PEP customers (incl. BO/UBO/Controllers) be treated as high risk, and their score weighted up accordingly?
18/03/2026
Thank you for this question. Across 20+ years of Comsure advising Mauritian firms, the answer has remained the same:-
- No, there are no rulebooks, guidelines, or official documents from the Financial Intelligence Unit (FIU) Mauritius or any other Mauritius authority that state that all PEP customers must be treated as high risk or that their scores must be weighted up automatically.
- If your institution's policy differs, it's likely a voluntary conservative firm-wide policy choice, not a legal mandate.
The problem is:-
- Many institutions adopt conservative internal policies (e.g., PEP = default high risk for simplicity) because of misdirection from auditors, consultants, and even regulators (!!), but this is not required by law, FIU guidelines, FSC Handbook, or BOM rules.
- If an auditor, compliance advisor or regulator claims otherwise, request the exact paragraph; they won't find one mandating it.
The Mauritius framework (aligned with FATF standards and followed in Section 17 of the FIAMLA) follows a risk-based approach throughout.
- PEPs are recognised as presenting elevated risk due to potential exposure to corruption, bribery, and misuse of influence, but this does not translate into a blanket "all PEPs = high risk" rule or forced high-risk weighting/scoring for every PEP.
- Instead, requirements focus on identification, enhanced due diligence (EDD) in specified cases, and proportionate controls based on assessed risk.
Key points to consider:-
- FATF Recommendation 12 (which Mauritius implements) requires risk management systems to identify PEPs and apply EDD (especially for foreign PEPs), but domestic PEPs get full measures only for higher-risk relationships.
- FATF guidance stresses preventive measures without assuming criminality.
- Mauritius documents mirror FATF:
- Elevated risk potential for PEPs, but proportionate and risk-calibrated response. Automatically applying high-risk treatment to all would contradict the risk-based philosophy (FIAMLA s.17, FIAML Reg 3, FSC Handbook Chapters 1 & 4).
- Recent FIU materials (2026) explicitly warn against misinterpreting PEP status as criminal labelling and reinforce risk-based calibration.
Key references
1. FIAML Regulations 2018 (the core law)
- Definition of PEP (Reg 2): Covers foreign, domestic, and international organisation PEPs, with no automatic high-risk label.
- EDD trigger (Regulation 12(1)(e)): Enhanced CDD is required "subject to regulation 15" where the customer/applicant is a PEP.
- Regulation 15 (the detailed PEP rules) makes a clear distinction:
- Foreign PEPs (customer or beneficial owner): Must apply full measures, senior management approval, reasonable steps to establish source of wealth and source of funds, and enhanced ongoing monitoring (Reg 15(1)).
- Domestic PEPs or international organisation PEPs: Only determine status (Reg 15(2)(a)). The full extra measures apply only "in cases when there is a higher risk business relationship" with them (Reg 15(2)(b)).
- Family members/close associates (Reg 15(3)) follow the same logic as above (Reg 15(2)(a)).
Key point:
- The Regulations do not state that "all PEPs = high risk".
- Domestic PEPs only get the full PEP package if the institution has already identified a higher-risk relationship.
- There is zero requirement to force every PEP into a high-risk scoring bucket.
2. FSC AML/CFT Handbook (2020, still the main guidance)
- PEPs appear as one example risk factor in customer risk assessment (Section 4.5.1(e)): "Does the customer … have political connections, for example, are they a PEP? … In line with Regulation 12(1) … shall apply EDD measures."
- Weighting/scoring section (4.2.4) explicitly allows institutions to assign different weights/scores to different risk factors and to override automated scores:
- "the financial institution may decide to weigh risk factors differently … allocating varying ‘scores’ …"
- The only restriction is that weighting cannot be used to avoid the EDD obligation that Regulation 12(1) triggers for PEPs (or suspicious activity, etc.).
- "It is for the financial institution to assess and decide what is appropriate…"
- Holistic assessment is required: consider mitigating factors, not a tick-box approach (Sections 4.2, 4.2.3, 4.4).
- No sentence anywhere says,
- "all PEPs must be scored high risk" or
- "scoring must be weighted to treat every PEP as high risk".
3. BOM AML/CFT Guideline (January 2020)
- PEPs are listed in Annex 1 – Higher Risk Situations under "Customer Risk" as "May Include: Politically exposed persons", not "must" or "always".
- Institutions must conduct customer risk assessments (paras 4.28–4.29) and can group customers into risk categories, but the guidance is risk-based and proportional.
- NRA 2019 notes PEPs as a higher-threat category for banks, but this is for national-level awareness, not a mandate to auto-classify every individual PEP customer as high risk in internal scoring.
- The Guideline repeats the distinction in Regulation 15 (foreign vs domestic) and emphasises case-by-case assessment.
Why the "all PEPs = high risk + forced weighting" claim is wrong
- The documents repeatedly stress a risk-based, holistic, proportionate approach (FIAMLA s.17, Reg 3, FSC Sections 1.8 & 4.2, BOM paras 4.11 & 4.22+).
- Domestic PEPs only trigger the full extra measures if a higher risk is identified, the exact opposite of "all must be high risk".
- Scoring/weighting flexibility is explicitly permitted (FSC 4.2.4), as long as it is not used to dodge the EDD obligation when a PEP is present.
- Recent FIU guidance (updated 2026) reinforces this: PEP measures are preventive, not a label that all PEPs are criminals, and must follow a risk-based approach (you cannot refuse business solely because someone is a PEP).
Why No Such Blanket Rule Exists
- FATF Recommendation 12 (which Mauritius implements) requires risk management systems to identify PEPs and apply EDD (especially for foreign PEPs), but domestic PEPs get full measures only for higher-risk relationships. FATF guidance stresses preventive measures without assuming criminality.
- Mauritius documents mirror this: Elevated risk potential for PEPs, but proportionate and risk-calibrated response. Automatically applying high-risk treatment to all would contradict the risk-based philosophy (FIAMLA s.17, FIAML Reg 3, FSC Handbook Chapters 1 & 4).
- Recent FIU materials (2026) explicitly warn against misinterpreting PEP status as criminal labelling and reinforce risk-based calibration.
- Many institutions adopt conservative internal policies (e.g., PEP = default high risk for simplicity), but this is not required by law, FIU guidelines, FSC Handbook, or BOM rules. If an auditor or compliance advisor claims otherwise, request the exact paragraph; they won't find one that mandates it.
Final word
- PEPs present elevated risk potential (due to corruption/bribery exposure), requiring identification and EDD (with foreign/domestic nuances), but not automatic high-risk treatment or forced weighting in internal scoring systems.
- In short, you must apply EDD (with the foreign/domestic distinction) whenever a PEP is identified. You cannot design a scoring model that deliberately avoids this obligation, and you should allow for flexibility and holistic, risk-calibrated decisions.
- But you are not required to treat every PEP customer as high risk in your risk-rating system, or to hard-code an automatic high-risk weighting for all of them.
- Many institutions choose a conservative "PEP = high risk" policy for simplicity, but the law and handbooks do not mandate it.
- If your compliance team or auditor insists on the blanket rule, ask them to point to the exact paragraph in the FIAML Regulations, FSC Handbook, or BOM Guideline that states it; they will not be able to.
- The documents are publicly available and state that it's risk-based, not automatic. See the sources below.
Conclusion
- The article is factually correct and up-to-date as of March 2026. Mauritius follows a risk-based philosophy (FIAMLA s.17, FIAML Reg 3, FSC Handbook Chapters 1 & 4, BOM guidance).
- For verification, refer to the official sources cited (e.g., FIAML Regulations 2018 PDF on FSC site, FSC Handbook 2022, BOM Guideline 2020, and FIU announcements via fiumauritius.org).
SOURCES
Key Official Sources and What They Actually Say
Recent FIU updates (as of January 2026) and longstanding documents reinforce this:
- FIU Mauritius Guidance on PEPs (updated/reiterated January 2026): The FIU issued updated guidelines on Politically Exposed Persons (linked via fiumauritius.org announcements around p=5603 and related posts). These emphasise:
- PEP measures are preventive (not accusatory).
- Robust CDD, EDD, and ongoing monitoring are required.
- Do not interpret as labelling all PEPs as criminals.
- A risk-based approach is foundational for calibrating controls.
- Refusing business solely because someone is a PEP is contrary to FATF Recommendation 12. No mention of mandatory high-risk classification or forced weighting for all PEPs.
- FIAML Regulations 2018 (core law, still in force):
- Defines PEPs (Reg 2) and requires EDD for foreign PEPs (Reg 15(1)).
- For domestic or international organisation PEPs: Full EDD only applies "in cases when there is a higher risk business relationship" (Reg 15(2)(b)).
- This explicitly distinguishes and avoids automatic high risk for all (especially domestic). No provision mandates treating every PEP as high risk or weighting scores to force it.
- FSC AML/CFT Handbook (updated September 2022, latest consolidated version):
- PEPs are listed as one risk factor in customer risk assessment (Section 4.5.1(e)).
- Triggers EDD per Regulation 12(1), but allows holistic assessment and weighting flexibility (Section 4.2.4): Institutions "may decide to weigh risk factors differently" and allocate varying scores.
- The only restriction: Weighting cannot avoid EDD obligations triggered by PEPs.
- No rule says "all PEPs must be high risk" or "scores must be weighted up accordingly." It promotes proportionate, risk-based decisions rather than automatic high-risk labelling.
- Bank of Mauritius AML/CFT Guideline (January 2020, still referenced):
- PEPs listed in Annex 1 – Higher Risk Situations under "May Include: Politically exposed persons" (not "must" or "always high risk").
- Emphasises case-by-case, risk-based assessment (paras 4.28–4.29).
- NRA 2019/2025 notes PEPs as higher-threat in some sectors (e.g., banking), but this informs national awareness, not mandatory auto-classification of every individual PEP customer.
Here are the key official web sources for the main documents referenced in the discussion on Politically Exposed Persons (PEPs), risk classification, and related AML/CFT requirements in Mauritius.
These are publicly available PDFs from the Financial Services Commission (FSC) Mauritius and the Bank of Mauritius (BOM) websites.
- For the full FIAMLA Act itself (which references the risk-based framework), see:
- FIAML Regulations 2018 (core legal text on PEPs, including Regulation 15 distinctions for foreign vs domestic PEPs)
- The primary source is the amendment regulations document (which incorporates and amends the 2018 Regulations):
- https://www.fscmauritius.org/media/211685/financial-intelligence-and-anti-money-laundering-amendment-regulations-2018.pdf (Published October 2018; this is the official gazetted version on the FSC site.)
- FSC AML/CFT Handbook (updated version, September 2022 – the latest consolidated guidance)
- This is the main FSC handbook covering risk-based approach, customer risk assessment (including PEPs as a factor, not automatic high risk), weighting/scoring flexibility (e.g., Section 4.2.4), and EDD for PEPs:
- https://www.fscmauritius.org/media/131386/updated-aml-cft-handbook.pdf (Updated 21 September 2022; explicitly states PEPs trigger EDD but allows holistic/risk-based assessment and weighting without mandating automatic high-risk scoring for all.)
- Earlier version (March 2021, for reference if needed):
- Bank of Mauritius (BOM) AML/CFT Guideline (January 2020)
- Full guideline for banks/financial institutions, listing PEPs under "Higher Risk Situations" (Annex 1) as "May Include" (not mandatory high risk for all), with emphasis on risk-based/proportional approach:
- https://www.bom.mu/sites/default/files/guideline_on_aml-cft_jan_2020_15.01.2020_0.pdf (Direct PDF from BOM site, dated 15 January 2020.)
These are the authoritative primary sources. None of these official documents states that all PEP customers must be treated as high risk or that scoring must be weighted to force high-risk classification automatically. They consistently promote a risk-based approach (e.g., FIAMLA Section 17, FIAML Regulations, FSC Handbook Chapter 4, BOM Guideline).
If you have any questions about the above or would like training on AML/CTF/CPF matters, please get in touch with Mathew. mathew@comsuregroup.com