“We have VAR in Mauritius, where four regulators are watching the same game!”

Mathew Beale, Chief Executive Officer of Comsure Compliance Ltd 

Six years after being placed on the Financial Action Task Force (FATF) grey list and five years after securing its removal, Mauritius is once again approaching a critical test of its Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) framework. With the 2027 Eastern and Southern Africa Anti-Money Laundering Group (ESAAMLG) mutual evaluation on the horizon, the focus has shifted from adopting laws to demonstrating their effectiveness in practice. In this interview with Bizweek, Mathew Beale, Chief Executive Officer of Comsure Compliance Ltd, argues that Mauritius must guard against complacency, move beyond a “tick-box” compliance culture and strengthen collaboration across the financial crime ecosystem. Warning that fragmented oversight risks undermining the country’s FATF ambitions, he calls for a more coordinated approach to regulation, greater use of technology under proper controls, and strong leadership to preserve Mauritius’ credibility as an international financial centre. 

You have repeatedly stressed the importance of ensuring that Mauritius never faces another FATF (Financial Action Task Force) grey listing. How serious is the challenge today compared to previous years?

The main challenge facing Mauritius, as with all jurisdictions undergoing a FATF assessment, is demonstrating effectiveness. That is what we call the “effectiveness test.” There are essentially two tests. The first is the technical compliance test, which is the easier one because it just says “let us write the laws.” However, laws alone do not prevent financial crime. What matters is whether those laws are being effectively implemented and enforced. 

The assessment visit by assessors scheduled for next year will therefore focus on whether the legal framework, including the 2026 Miscellaneous Provisions, is producing tangible results and whether the measures adopted are fit for purpose.

“This FATF assessment is the kite mark for us to continue being prosperous as a financial services jurisdiction, hence why it is so important.” 

The key question for assessors will be whether these measures are being used effectively or, in the case of newly enacted laws, whether they are likely to have a meaningful impact in the near future. Ultimately, the objective is to ensure that wrongdoing is detected, investigated and sanctioned, creating real consequences for those involved in financial crime.

At the Comsure Financial Crime Conference, you spoke about moving from “mere compliance to collaboration.” What exactly do you mean by that?

That is a very good question. When I talk about moving from mere compliance to collaboration, I mean that combating financial crime cannot be achieved by individual agencies working in isolation.

During the workshop I conducted with around 40 professionals, one of the key themes that emerged was the number of authorities involved in the financial crime framework. Mauritius has got so many agencies. In Mauritius alone, we have the Financial Services Commission (FSC), the Bank of Mauritius (BOM), the Financial Intelligence Unit (FIU), and now the Financial Crimes Commission (FCC), just to name four. While they are all working towards the same objective, they often approach these challenges from different perspectives and with different priorities. That is what gives us problems! Why is it so? It is because none of us is collaborating. 

What we are seeing around the world is a growing emphasis on greater cooperation between agencies and, in some cases, consolidation. In the United Kingdom, for example, regulatory responsibilities are increasingly being streamlined, while in the European Union, a single Anti-Money Laundering Authority has been established to provide a more coordinated approach across member states.

Yet in Mauritius, you have a minimum of four agencies. So, there are just too many people! And if you have too many people, there are going to be mistakes!

You warned against a growing “tick-box approach” to compliance. How can institutions move towards a more effective and meaningful compliance culture?

The “tick-box” approach to compliance is, unfortunately, endemic across many regulated industries. Whenever organisations are faced with increasing numbers of rules and obligations, there is a natural temptation to focus on completing checklists and demonstrating formal compliance rather than asking a more important question: are the controls actually effective?

“The greatest weakness is not a lack of rules; it is the risk of relying on yesterday’s solutions to solve tomorrow’s problems.”

Unfortunately, in today’s world, compliance should not be about simply confirming that a process exists. It should be about testing whether that process is working, whether risks are being identified and mitigated, and whether the organisation is genuinely protected against financial crime. We have got the FATF requiring us to write more legislation. This means that firms have got more regulation to follow, yet they are not increasing their capacity of compliance. That same human being who had to check  100 rules last year now has to check maybe 200 rules this year. So, more rules but not more staff. 

We have to understand how to deal with that. We are lucky because we are moving into an age of technology where we have AI, and I believe that AI can help in compliance. But it comes with a huge risk. It has to be managed. AI, at the moment, is like giving your baby a knife, a very sharp knife, and asking the baby not to stab itself or anybody else. Well, if you leave that baby alone for about three minutes, the baby will not only stab himself but also somebody else! So that is AI. 

So, if you are going to use AI to deal with all these rules, to help you know if you are compliant, you have to control it. You have to have systems and controls around that technology. 

In your view, what are the biggest weaknesses that still exist within global AML and financial crime compliance frameworks?

In my view, it is the assumption that compliance with established rules automatically translates into effective prevention of financial crime. Financial crime exists like the stars exist in the sky. It is not going to go away simply by collecting passports and utility bills and other customer due diligence documents. 

Following the processes that were given, with the rules we have had for over 20 years now, has not stopped financial crime! In fact, financial crime is probably growing exponentially. So, what we need is a restart. And, I think we need a jurisdiction that is brave enough to start thinking about prevention and detection in a slightly different way.

Because of the FATF, we are not encouraged to think that way as we need to follow their 40 requirement rules together with their 11-effectiveness rules. This means that all we are doing is just the same thing again. As the expression goes, there is “insanity is doing the same thing over and over again and expecting different results.” 

But that is where we are! So, I think the biggest problem is that the fact an individual can provide a valid passport and proof of address does not, in itself, demonstrate that they are not involved in criminal activity. Criminals also possess legitimate identification documents. Effective compliance therefore requires looking beyond documentation and developing a deeper understanding of behaviour, risk and intent.

Unfortunately, the rules are just out of date. If we think about the crypto world now, it sounds dangerous. But the reality is that crypto is going to be a stable coin in the next five years and will make a lot of our banks redundant because most of the transactions, globally, will be done on a stable coin platform, which is a blockchain crypto concept. Crypto is being used now, and it is cheaper than using the banks.

The question is whether our regulatory frameworks are evolving quickly enough to keep pace. Are we ready for that? Are the rules ready for that? I do not think we are! 

How long does it take for Mauritius to draft, approve and implement a law? Legislative reform often takes years to design, approve and implement, while technological innovation can reshape markets in a matter of months. 

Ultimately, the greatest weakness is not a lack of rules; it is the risk of relying on yesterday’s solutions to solve tomorrow’s problems.

How important is collaboration between regulators, law enforcement agencies and the private sector in strengthening financial integrity?

Collaboration is absolutely critical. As I mentioned earlier, financial crime cannot be effectively tackled when regulators, law enforcement agencies and private sector institutions operate in silos. Each stakeholder has access to different information, perspectives and capabilities, and the most effective outcomes are achieved when those resources are brought together.

Financial criminals do not respect organisational boundaries, so our response cannot be fragmented. Strong information-sharing, coordinated supervision, joint investigations and a common understanding of risk are essential to protecting the integrity of the financial system. Collaboration strengthens effectiveness, reduces duplication and helps ensure that risks are identified and addressed more quickly.

Mauritius is preparing for the 2027 ESAAMLG mutual evaluation. What lessons should the country draw from its previous FATF grey-listing experience?

Mauritius went through the pain of being grey listed in 2020, and was removed from the list in 2021 after implementing a comprehensive programme of reforms.

The country’s response was highly commendable. Government authorities, regulators, financial institutions and industry professionals came together during an exceptionally difficult period, marked by the COVID-19 pandemic, to address the identified deficiencies and restore international confidence. You did what was necessary to get yourself off the grey list. However, getting off the grey list did not mean that you were technically compliant, that you had put in place additional laws or that you created different regulators. 

One area that you were not regulating was the Designated Non-Financial Businesses and Professions (DNFBPs), for example lawyers, accountants and estate agents, which are not traditional finance, but are susceptible to money laundering risk. Those guys are now in the regulation arena, but I’m guessing lawyers haven’t had many visits since the rules came in. That gives me a problem, because next year, you are going to be asked how many lawyers have had visits. If the answer is “not many,” that is going to be a cross in the box, not a tick. 

I think you have done a lot, but I think you could do a lot more. It comes back to the word collaboration. I would so dearly love you to have one single AML regulator. It could have business units under it which deal with the different sectors, but at least you would have one head, with one direction, one leadership, which means that less mistakes would be made.

From your international experience, what distinguishes jurisdictions that succeed in AML/CFT effectiveness from those that struggle?

This whole assessment is like an examination. I often compare the process to a job interview. Two candidates may have similar qualifications, but the one who can demonstrate competence, experience and results is usually the one who earns trust. Jurisdictions are assessed in much the same way. Having laws and regulations is important, but what ultimately matters is whether those measures are effective and whether they produce tangible outcomes.

You then have this kite mark that says that you can be trusted, which enables you to be an international finance centre, which Mauritius is. I know we are in the middle of the Indian Ocean, but we are doing commerce with everybody. The world is borderless when it comes to transactions, and the only way that we can be part of the international community is by having a kite mark. For an international financial centre such as Mauritius, that reputation is essential. 

This FATF assessment is the kite mark for us to continue being prosperous as a financial services jurisdiction, hence why it is important. 

How do emerging technologies, artificial intelligence and digital assets complicate the fight against financial crime?

AI, I think, is a godsend to businesses, as it offers significant benefits for compliance function by improving efficiency and processing of large data. But I am very worried about its application, because AI is still a baby. We know that it needs human control and oversight. 

If you are going to let AI run your business, it is running in a black box, making it difficult to understand or explain how conclusions are reached. This creates problems for regulatory compliance. Regulators require organizations to demonstrate and document processes used in decision-making.

AI has got no methodology. Therefore, you can’t rely on AI. What you can do is tell AI what your methodology is for whatever job you are looking for and, as long as it is following those steps consistently like an employee would, AI would do the work a lot quicker than an employee would. 

As you have that trust between you and the AI agent, you can then have that relationship. I am sorry if it sounds a bit weird to talk about having a relationship with technology, but that is the way we have to treat this. AI is not a benign actor now. It is like a living human being, albeit it is a technology agent. AI should be managed similarly to a new employee or apprentice requiring supervision, regular review, and gradual trust-building based on performance. 

AI has to be managed properly. We can use it but it is going to be used against us also. Maybe in 10 years, we will have this conversation and it will be different, but at this moment in time, it has to be controlled. 

Are compliance professionals and boards of directors sufficiently prepared for the evolving risks linked to virtual assets, cybercrime and cross-border financial flows?

Compliance professionals and boards of directors are generally not yet sufficiently prepared to address the evolving risks associated with virtual assets, cybercrime, and cross-border financial flows. They are all singular risks to which some firms have more exposure than others. Although many professionals have received training in data protection and privacy regulations, cybercrime extends far beyond data protection compliance. It represents a complex and rapidly evolving threat that affects virtually all organizations. Given the frequency of cyber breaches globally, it is no longer a question of whether organizations will face cyber threats, but rather how effectively they can manage and respond to them.

Many boards lack dedicated cybercrime expertise. While organizations may engage external specialists, cyber risk should receive the same level of attention and strategic oversight as financial crime. Looking ahead, cybercrime may become an even greater concern than traditional financial crime, as investor confidence could be severely undermined if organizations fail to protect sensitive data and financial assets from cyberattacks.

Going forward, there has to be as much emphasis on cybercrime as there is on financial crime. I anticipate that in the next five to ten years, I will not be coming to talk about financial crime. The big topic will be how we manage the cybercrime risk. If we’re going to fail as a jurisdiction, I think it will be because investors will not trust us because their investments and their data is being hacked. So, cybercrime is an important standalone crime. 

On the other hand, crypto covers everything from some strange things that we have never heard of, like dogecoins, to stable coins. Stable coins, in particular, are likely to become increasingly important in commercial transactions over the next five years due to their efficiency and speed. 

But when it comes to financial transactions in the commercial world, I think there will be risks with stable coins because those transactions happen more quickly than in traditional banking systems, which often have procedural delays and controls that provide compliance teams with time to identify suspicious activity and assess risk. In contrast, cryptocurrency transactions can occur almost instantaneously, reducing the opportunity for effective monitoring and intervention.

In regard to money laundering, slowing things down is a good thing because it gives us time to breathe and see what the risk is. Crypto does not give us that luxury because crypto is giving us what the world wants, which is speed. Speed means that we do not have time to breathe, and therefore, mistakes will happen. 

So, I don’t think that we are ready for that yet. As I mentioned earlier, I don’t think our laws, rules and regulators are ready for all this. Although regulatory initiatives such as innovation sandboxes are being explored, there remains uncertainty about how effectively existing supervisory frameworks can govern emerging technologies and digital financial systems.

How important are whistleblowing systems, beneficial ownership transparency and intelligence sharing in strengthening governance and accountability?

We have just been talking about that in the workshop. Whistleblowing systems, beneficial ownership transparency, and intelligence sharing play a critical role in strengthening governance, accountability, and the overall effectiveness of financial crime prevention frameworks. Among these mechanisms, whistleblowing systems are particularly important because they provide individuals with a secure and protected channel to report suspected wrongdoing.

For reporting persons and those regulated by the FSC or the BOM, they have this thing called the money laundering report or the sanctions report, which has been enshrined for years. But whistleblowing is actually opening up the ability for anybody to report anything that gives them cause for concern that sits outside of those areas. 

The whistleblowing process is a good one because it can give somebody the confidence to report to anybody and be protected. It also helps businesses stop financial crime. So, every business on this island should have a whistleblowing process. Employees should be confident that they can report criminality, which is good because we do not like criminality. We do not want criminals to benefit. But it has to be done. It has to be overseen and it has to be appropriately implemented. For smaller firms, I am not convinced they are doing it to the extent that possibly the rules expect.

What role should leadership and corporate culture play in preventing financial crime within institutions?

This leads into the previous question. How do I stop tick-boxing? Well, stand up and be a leader! Stopping any type of failure of a business starts at the board level. Well, the board is about leadership. The board should be encouraging everybody to do the right thing at all times. They should not be abdicating, delegating and saying that this is run by somebody called a compliance officer or a money laundering reporting officer. We need to have leadership throughout an organisation encouraging us to do the right thing, ensuring that we all know that ticking a box does not mean that we have done the right thing. 

So, leadership has to happen from the top and it has to then permeate through the organisation to the business unit leaders. And everyone should feel confident that if they see something wrong, they can report it.

What message would you like to send to Mauritius as it seeks to strengthen its credibility, governance and resilience ahead of the next international evaluations?

Well, my message to Mauritius is simple: Do not stop, do not become complacent, and do not think that you have done it. 

The removal of Mauritius from the FATF grey list was a significant achievement, but it should not be viewed as the end of the journey. Rather, it represents an important milestone in a continuous process of improvement. I have seen many commentators and even some people in the government saying that “we have passed.” 

Well, I would say to them that you did not pass! You were only 50% into the exam. The other 50% is next year. And next year, you will pass the second 50%, but it will be with a 70 out of 100, or maybe 80 out of 100, but it will not be a 100 out of 100. The more important objective is maintaining effectiveness over time. If stakeholders assume that the work is finished, there is a risk that momentum will be lost, standards will decline, and previous weaknesses may re-emerge.

Mauritius should therefore continue implementing the commitments made to international assessors and remain focused on strengthening its legal, regulatory, and supervisory frameworks. This includes ensuring that laws and regulations are regularly reviewed and updated to address emerging risks such as virtual assets, stablecoins, cybercrime, and other technological developments that are reshaping the global financial landscape.

We have talked about crypto, stable coins and cybercrime. I do not think that we are prepared for all of those things. We need to constantly be on top of the risk, like businesses are. Using football analogy, I think that we should not be like the VAR (Video Assistant Referee) system. As we all know, VAR is a mess! The issue is not the technology itself but the consistency of the rules, processes, and decision-making framework applied by those operating it. VAR, as a concept, is brilliant, but the execution of VAR is atrocious. 

The trouble with Mauritius is that it has VAR, because you have the BOM, FSC, FIU, and now the FCC. They are all VAR referees. They are all looking at the game. The trouble is that we have four referees all looking at the same game. And, as we know from VAR, no human being comes to the same conclusion in regards to the same piece of action. Even when we watch a game, we all argue whether or not there was a foul. How do we manage that? So, we have got to be really careful.