BANKS’ DUTY OF CONFIDENTIALITY: LESSONS FROM THE PRIVY COUNCIL

As in most jurisdictions, banks in Mauritius are bound by a duty of confidentiality owed to their customers. If the existence of the duty is well known, its scope is often misunderstood, and its source has generally been misidentified.

In 2023, the Privy Council seized the opportunity to clear things up in the matter of Stanford Asset Holdings Ltd and another v AfrAsia Bank Ltd [2023] UKPC 35. The Judicial Committee of the Privy Council of the United Kingdom is the final court of appeal for Mauritius.

If you had asked Mauritian lawyers and bankers before the Stanford decision what was the source of a bank’s duty of confidentiality, most would have pointed to the Banking Act 2004, and more specifically to its section 64 titled … «Confidentiality». Some would have also pointed to the Financial Intelligence and Anti-Money Laundering Act 2002 or the Financial Crimes Commission Act 2023, two acts that do indeed contain confidentiality provisions.

Facts

The facts in Stanford were simple and undisputed. Stanford held an account with AfrAsia Bank. An amount of around USD 11M was transferred from Stanford’s account to Key Stone’s account, also held with AfrAsia Bank. The transfer was operated by 2 Stanford signatories who did not in fact have the authority to do so. For the purposes of the case, it was assumed that the money had indeed been stolen and there was reason to believe that the money had been paid out of Key Stone’s account. Stanford did not know the identity of the players and applied to court to have AfrAsia Bank disclose the names of the transferees and the other particulars of the transfer out of Key Stone’s account.

Supreme Court of Mauritius

The Supreme Court of Mauritius rejected Stanford’s application because it found that (i) section 64 of the Banking Act 2004 prohibited the disclosure sought, (ii) the exceptions set out in that section did not apply, and (iii) no other law or legal principle allowed the disclosure.

Privy Council

The Privy Council started off by considering the legislative history of section 64 of the Banking Act 2004 and noted that the various amendments brought over the years had “complicated the structure” of section 64.

More importantly, the Privy Council found that section 64 of the Banking Act 2004 does not impose an obligation of confidentiality on banks. The Privy Council accurately observed that the section applies to natural persons only – to employees and to certain third-party service providers – and not to banks. It was also determined that no other section of the Banking Act 2004 imposes a duty of confidentiality on banks.

Ultimately, the Privy Council stated the obvious: Banks’ duty of confidentiality is owed at common law (droit commun), and not as a result of any specific law.

What then is the role of section 64 of the Banking Act 2004? A Mauritian bank is a legal person. A legal person can’t act by itself; it can only act through natural persons. Section 64 therefore applies to natural persons who act on behalf of banks. Section 64 prohibits individuals from disclosing confidential information, while providing certain exceptions that allow employees to disclose some limited information in certain limited circumstances.

Although it ultimately rejects the Supreme Court’s decision in this matter, the Privy Council parses through previous decisions of that court to identify instances where judges have stated the law correctly.

“It has been consistently held in Mauritius that in line with the well-established principles both in English common law and the approach adopted in French jurisprudence and doctrine, that there is an implied term of confidentiality between a banker and his customer (vide for instance State Bank International Ltd. v Pershing Limited [1996 SCJ 331]).

The bank owes a duty of secrecy and confidence to its customer such that the bank is precluded from divulging or disclosing any information concerning the customer’s account to any third party save in certain exceptional circumstances.”

And the Privy Council quotes with approval the following passage from the Supreme Court decision:

“It is therefore an implied term of the contract between the bank and its customer that the bank shall not disclose to any third party, except with the consent of the customer, any information relating to the state of the customer’s account or any of his transactions with the bank unless the bank is compelled to do so by law or a court order or the circumstances give rise to a public duty to disclose.”

Source

A bank’s duty of confidentiality therefore arises automatically at common law. It is not set out in an act, a regulation, or a guideline. It does not need to be set out explicitly in a contract (an account opening agreement, for example). In a sense, it arises out of necessity, common sense, and practicality.

Indeed, the term “common law” is used here in the sense of jus commune in Latin and droit commun in French, and not in the sense of “Common Law” as a body of legal principles and rules that are created, developed, and refined by courts through judgments, which become binding precedents for future similar cases.

As used here, “common law” means the set of legal rules applicable to all situations which are not subject to special or particular rules; “common law” therefore sets out invariant rules and principles.

That said, even if the duty of confidentiality arises at common law, its nature and scope will, as a practical matter, nevertheless be determined by courts and by legal commentary (doctrine, in French).

It is interesting to note that the Privy Council refers to “well-established principles both in English common law and the approach adopted in French jurisprudence and doctrine” to base its decision. It does not look exclusively at French civil law, as it typically does when dealing with Mauritian contractual matters.

Mauritius is a hybrid law jurisdiction as a result of the treaty between France and England, when sovereignty over Mauritius passed from the former to the latter.

In a nutshell, that treaty provided that the law of persons, obligations (including contracts), property, and wills and estate remained French-based, while the remaining areas of law became English-based. In modern, independent Mauritius, the result is that the law of persons, obligations (including contracts), property, and wills and estate is civil law-based, and is essentially found in the Mauritian Civil Code.

A bank’s duty of confidentiality forms part of the contract between a bank and its customers. The matter is therefore contractual in nature. It follows that the rules for interpreting a Mauritian bank’s duty of confidentiality should be civil law based. That is, they should be first sought in the Mauritian Civil Code and case law; and if these sources are silent or insufficient, one can then look at French law – more particularly to French common law rules applicable to bank confidentiality.

The entry point of common law in Mauritian contractual law is article 1135 of the Civil Code, which reads in its original French:

Les conventions obligent non seulement à ce qui y est exprimé, mais encore à toutes les suites que l’équité, l’usage ou la loi donnent à l’obligation d’après sa nature;

which we can translate as follows:

Contracts extend not only to what is expressed in them, but also to all the consequences which, be it by equity, usage or law, are incident to the contract, according to its nature.

Common law is therefore introduced in contractual matters by way of equity (équité), practices (usages), and the type of contract under consideration (nature), as determined by court decisions (jurisprudence) and authors (doctrine).

But as mentioned above, the Privy Council here relied on both French and English common law. This might well be because the substance of the common law of banking confidentiality is essentially the same under the 2 regimes. Or it might be because Mauritian courts themselves have principally looked at English law on the matter, and the Privy Council did not wish to question that approach.

Duty of confidentiality – What is it in the end?

As mentioned above, Mauritian courts have principally looked at section 64 of the Banking Act 2004, an approach which, in light of the Stanford decision, should no longer be adopted. As they have done in the past, Mauritian courts should instead look at the common law on the matter, be it in France or in England. Bank confidentiality in France is in large part dealt with in statutes, which is not transposable in Mauritius. This leaves English law as the main source.

The modern legal framework originates from the landmark English Court of Appeal decision in Tournier v National Provincial and Union Bank of England [1924] 1 KB 461, which established that confidentiality is an implied contractual term in the relationship between a bank and its customer.

Under this principle, a bank must not disclose information relating to a customer’s affairs without consent, except in specifically recognised circumstances. Although decided in 1924, Tournier remains the cornerstone authority governing banking secrecy across common law jurisdictions – and Mauritius for the reasons mentioned above.

Scope of the duty of confidentiality

Entities subject to the duty – Because the duty arises at common law, it applies primarily to institutions meeting the common law definition of a bank (legal definition of a bank as articulated in United Dominions Trust Ltd v Kirkwood [1966] 2 QB 431). A bank typically (i) accepts deposits, (ii) maintains current accounts, and (iii) collects and processes cheques. This corresponds to the definition of “banking business” found in the Banking Act 2004 in Mauritius.

Originally, the duty applied clearly to account-holding customers. However, later judicial developments suggest that courts may extend confidentiality obligations beyond traditional retail banking relationships. For example, in CF Partners (UK) LLP v Barclays Bank plc [2014] EWHC 3049 (Ch), the court indicated willingness to consider applying the duty to investment banking activities.

The duty most likely also applies within banking groups. Disclosure between affiliated companies can still constitute a breach, as illustrated by Bank of Tokyo Ltd v Karoon [1987] AC 45 (see also Primary Group (UK) Ltd v Royal Bank of Scotland plc [2014] EWHC 1082 (Ch) at paragraph 192 (obiter)). Courts have been cautious about allowing banks to justify intra-group disclosure automatically.

Information covered – The duty protects a broad category of banking information, including (i) the existence of an account, (ii) any debit or credit balances, (iii) any transaction details, and (iv) any security interests or guarantees linked to accounts.

It also extends to information obtained by the bank from other sources in its capacity as banker, provided a customer relationship exists.

However, confidentiality does not cover (i) information obtained before a banking relationship was contemplated, (ii) information acquired after the relationship ended (in certain contexts), or (iii) information already known to the recipient.

Duration of the duty – Confidentiality applies (i) during the active banking relationship, (ii) after the relationship (dormant account, closed account, recovery, insolvency, or liquidation), and (iii) generally after the customer’s death. Thus, the obligation is enduring and not limited to the operational life of an account.

Nature of the duty – As mentioned above, the duty is an implied contractual term between a bank and its customer. And that implied term is considered not to be of public order. Consequently, the bank and its customer can tailor their rights and obligations – and as a practical matter, the duty of confidentiality will often be modified or displaced by express contractual provisions. This underscores the importance of carefully drafted account opening forms.

This contractual foundation distinguishes the Tournier duty from equitable confidentiality (discussed below).

Qualifications (exceptions) to the duty of confidentiality

Tournier identified four recognised exceptions allowing disclosure. These remain central to modern law. Disclosure is permitted where (i) it is compelled by law, (ii) it is required by public duty, (iii) it protects the bank’s interests, or (iv) it occurs with customer consent. If any qualification applies, the duty is legally treated as absent.

Compulsion of law – Banks may disclose confidential information where legally required. This may result from (i) legal or regulatory provisions or (ii) legal proceedings.

Examples of legal or regulatory provisions include the Banking Act 2004, the Financial Crimes Commission Act 2023, the Financial Intelligence and Anti-Money Laundering Regulations 2018, and guidelines or directives issued by the Bank of Mauritius (the regulator of banks in Mauritius).

These provisions commonly require banks to provide documents, report suspicious activity, or cooperate with regulators.

Examples of disclosure may also arise from legal proceedings, including court testimony (and this is a situation where section 64 of the Banking Act 2004 may be useful), civil disclosure obligations and Norwich Pharmacal orders (court orders compelling disclosure to identify wrongdoing following Norwich Pharmacal Co. & Others v Customs and Excise Commissioners [1974] AC 133).

Courts are generally cautious when orders intrude upon banking confidentiality.

Importantly, banks do not need to notify customers when disclosure occurs under legal compulsion. And in certain circumstances, banks are in fact prohibited from notifying customers (such as when filing a suspicious transaction report under the Financial Intelligence and Anti-Money Laundering Act 2002).

Public duty – Disclosure may be justified where broader public interests require it. Examples include (i) threats to national security, (ii) prevention of crime or fraud, and (iii) cooperation with public inquiries.

While historically significant, this exception has diminished in importance because modern legislation now governs most public-interest disclosures explicitly. But the common law duty remains and covers areas not specifically covered by legislation.

Interests of the bank – A bank may disclose information when reasonably necessary to protect its own legitimate interests.

Typical examples include disclosures made while (i) suing to recover or collect amounts owed to it, (ii) enforcing security interests over property, and (iii) explaining refusal to honour payment instruments (such as a cheque) due to insufficient funds.

The disclosure must be proportionate and limited to what is necessary.

Modern regulatory commentary has reinforced limits on this exception. For instance, disclosure of customer information to media outlets to defend institutional reputation has been considered a breach of confidentiality.

Similarly, courts remain reluctant to accept that sharing information across corporate groups automatically serves the bank’s interests. A Mauritian bank that is a subsidiary of a foreign bank may therefore not automatically disclose customer information to its parent company, for example.

Customer consent – Disclosure is permissible where the customer gives its consent, whether it be express or implied. In any event, the consent here must be a “prior” consent – that is, it must be given before the disclosure.

Courts interpret implied consent narrowly. For example, customers are not assumed to consent automatically to banks providing credit references; explicit permission is required.

Remedies for breach

A bank’s duty of confidentiality is an implied term of the contract between a bank and its customer. Where confidentiality is breached, customers may seek standard contractual remedies, including (i) damages for breach of contract and (ii) injunctions preventing anticipated disclosure.

Other relevant duties and legal framework

The contractual duty under Tournier operates alongside broader legal obligations, some but maybe not all of which apply in Mauritius.

Equitable duty of confidence – Banks are also bound by the equitable doctrine of confidentiality developed in cases such as Coco v A.N. Clark (Engineers) Ltd [1969] RPC 41 and Attorney General v Guardian Newspapers Ltd (No 2) [1988] 3 W.L.R. 776.

This equitable duty (i) applies beyond contractual relationships, (ii) covers information received in circumstances importing confidence, (iii) extends to non-customers and third parties, and (iv) applies across wider corporate structures. It is therefore broader than the Tournier duty and may impose liability even where no banking contract exists.

This is the position under English law. It remains to be seen if Mauritian courts would apply this duty wholesale to Mauritian banks.

Data protection law – Banks also function as data controllers under the Data Protection Act 2017 (which is very much aligned with the GDPR frameworks) in Mauritius. Data protection obligations overlap significantly with confidentiality duties, imposing requirements concerning (i) lawful processing, (ii) data security, (iii) limited disclosure, and (iv) accountability.
Compliance with the Data Protection Act 2017 does not replace confidentiality obligations; both regimes operate simultaneously.

Key conceptual themes

Several broader principles emerge from the framework:

Confidentiality as a core banking obligation – Trust is central to banking relationships. Confidentiality ensures customers can transact without fear of unjustified disclosure.

Balance between privacy and public interest – The law carefully balances (i) customer privacy, (ii) crime prevention, (iii) regulatory oversight, and (iv) institutional self-protection. Modern financial crime legislation has shifted much disclosure into statutory regimes rather than discretionary judicial principles globally. Mauritius is no exception in this regard.

Narrow interpretation of exceptions – Courts generally interpret disclosure exceptions restrictively, reflecting the importance attached to banking secrecy.

Conclusion

Banks’ duty of confidentiality, founded on Tournier v National Provincial and Union Bank of England, remains a central pillar of banking law in Mauritius. It establishes that confidentiality is an implied contractual obligation preventing disclosure of customer information except under four recognised qualifications: (i) legal compulsion, (ii) public duty, (iii) protection of the bank’s interests, and (iv) customer consent.

The duty applies broadly to banking information, survives account closure, and may extend beyond traditional banking activities. Breach can result in damages or injunctive relief.

Modern developments — including financial crime legislation, data protection law, and regulatory supervision — have expanded and reinforced the confidentiality framework while simultaneously increasing lawful disclosure obligations.

Ultimately, banking confidentiality today represents a carefully calibrated legal regime designed to preserve customer trust while enabling compliance with regulatory, legal, and public interest demands.