Skip to main content

Blockchain & Cryptocurrency Laws and Regulations 2024 | Gibraltar

01.11.2023 | Publications

This article was first published in Global Legal Insights – Blockchain & Cryptocurrency Regulation 2024. Click Here for the original publication. 

Gibraltar has a positive and welcoming attitude towards cryptocurrencies and blockchain technology.  Gibraltar has been proactive in creating a favourable regulatory environment for crypto-related businesses.  This is illustrated by the enactment of the Financial Services (Distributed Ledger Technology) Regulations (“DLT Regs”).  Gibraltar became the first jurisdiction to provide a clear and comprehensive regulatory framework for blockchain and cryptocurrency businesses.  The framework provided regulatory certainty when none could be found and seeks to ensure consumer protection and protect market integrity and financial stability without inhibiting innovation, thereby making it an attractive destination for companies operating in the blockchain and digital currency space.

The Gibraltar Financial Services Commission (“GFSC”) regulates distributed ledger technology providers (“DLT Firms”), which include cryptocurrency exchanges and wallet providers.  Firms operating within this space are also required to comply with anti-money laundering (“AML”) and counter-terrorist financing (“CFT”) regulations, as well with the Proceeds of Crime Act 2015 (“POCA”).

By establishing a clear regulatory framework, Gibraltar has signalled its commitment to the space and to fostering a secure, well-regulated environment for DLT Firms to operate in.  This approach has attracted various blockchain companies to set up operations in Gibraltar, which, in turn, has boosted the territory’s economy and technological development.

It should be noted that cryptocurrencies themselves are not regulated.  The Government has sought fit to regulate access points to the markets as opposed to regulating cryptocurrency, specifically.  This approach has been welcomed by the industry.

While the Government has taken a positive stance towards cryptocurrencies and blockchain technology regulations, it has not issued its own cryptocurrency or backed any specific digital asset.  The Government, however, engaged two providers to assist with the creation of a private government blockchain that would attempt to integrate blockchain technology into the eGov system in a bid to cut costs and red tape.  The initial focus was to enable citizens to securely interact with government departments using their digital identity.

 

Cryptocurrency regulation

Gibraltar has experienced significant growth in the DLT industry and has solidified its status as a blockchain-friendly jurisdiction.  The DLT Regs seek to regulate firms that store or transmit value (i.e. cryptocurrencies) belonging to others using blockchain technology (i.e. DLT) from Gibraltar.  In its rawest form, the DLT Regs seek to capture entities that are providing exchange services and/or custodian services.  Several blue chips have now set up operations in Gibraltar.  These include Xapo, Tap Global, LMAX, Huobi, and eToro.  While token sales are not captured by the DLT Regs, they are now required to register with the GFSC and must undertake AML/CFT due diligence checks on all participants in line with POCA (more information below).

The GFSC regulates DLT Firms.  The GFSC encourages DLT Firms wishing to operate in Gibraltar to adopt a proactive and transparent communicative relationship with the GFSC so that the GFSC can quickly get to grips with the underlying business during the application process.  This assists with speed to market, something that the jurisdiction prides itself on.

The DLT Regs and the regulatory regime created by them is principles-based, with 10 core principles as follows:

  1. A DLT Firm must conduct its business with honesty and integrity.
  2. A DLT Firm must pay due regard to the interests and needs of each and all its customers and must communicate with its customers in a way that is fair, clear and not misleading.
  3. A DLT Firm must maintain adequate financial and non-financial resources.While there are no specific requirements, the GFSC will want to be satisfied that DLT Firms have in place both financial and non-financial resources.  As each case is different, a DLT Firm’s resources are evaluated on a case-by-case basis having regard to the forecasts and risk.
  4. A DLT Firm must manage and control its business effectively, and conduct its business with due skill, care and diligence, including having proper regard to risks to its business and customers.
  5. A DLT Firm must have effective arrangements in place for the protection of client assets and money when it is responsible for them.
  6. A DLT Firm must have effective corporate governance arrangements.
  7. A DLT Firm must ensure that all systems and security access protocols are maintained to appropriate high standards.
  8. A DLT Firm must have systems in place to prevent, detect and disclose financial crime risks, such as money laundering and terrorist financing.
  9. A DLT Firm must be resilient and must develop contingency plans for the orderly and solvent wind-down of its business.
  10. A DLT Firm must conduct itself in a manner that maintains or enhances the integrity of any markets in which it participates.

The GFSC states that the primary purpose of the DLT Regs is to create a safe environment for DLT Firms to operate and innovate, while simultaneously protecting consumers and safeguarding Gibraltar’s reputation as a trusted and stable global business hub.  The principles-based approach was designed to provide a robust framework with an optimum level of flexibility that is required in such a fast-moving industry.  Five years on since its enactment, the jurisdiction has evolved and the licensing process has become more streamlined.

When a prospective DLT Firm is considering making an application to the GFSC, it is encouraged to arrange a pre-application meeting with the GFSC.  The prospect will have an opportunity to discuss its business model and the exact nature of services to be offered.  Once satisfied, the prospect is required to submit an initial application to the GFSC.  The prospect shall submit an initial application form and business plan, which shall provide the GFSC with details of its prospective name, the type of business, products and services it intends to offer, the proposed operating address and the name and email of the main contact person for the application, along with a non-refundable initial application assessment fee.  Details of the founders and key individuals should also be identified at this stage.

The GFSC will at this point determine the category that the firm falls into.  This process usually takes approximately two weeks.  There are a number of aspects considered when categorising the prospect, which include the risks associated with the proposed business model.  Once categorised, this will then dictate the respective application and annual fees payable to the GFSC.

Following this determination, the prospect is then able to pay the full application fee and submit an application pack to the GFSC along with all the relevant policy manuals and procedures, including application forms for each and every individual fulfilling a regulated function (this includes Directors, Shareholders and key management personnel).

Despite being at the forefront of the DLT revolution, Gibraltar’s traditional fintech businesses are still growing, and Brexit has given Gibraltar the chance to offer a unique gateway on the European continent to offer services into the United Kingdom (“UK”).  The common market that continues to exist between Gibraltar and the UK exists because of the historic and special relationship between Gibraltar and the UK.  Gibraltar remains the only jurisdiction in a post-Brexit world to have direct access into the UK.  Up until Brexit, all EU financial services legislation had been transposed into Gibraltar law and continues to apply irrespective of Brexit.  Given Gibraltar’s already highly regarded DLT Regs, it remains to be seen whether or not the Markets in Crypto-Assets Regulation (or “MiCA” as was adopted by the EU Council in October 2022) will be adopted (either in its entirety, partly, or not at all).

 

Sales regulation

Gibraltar has also sought to restrict Gibraltar firms or persons from selling digital assets, whether that be initial token offerings or over-the-counter (“OTC”) offerings.  Through subsidiary legislation of POCA, a person is now required to register with the GFSC before selling digital assets by virtue of the fact that they are considered to be undertaking a relevant financial business (“RFB”).

The definition of an RFB includes:

  • “[U]ndertakings that receive, whether on their own account or on behalf of another person, proceeds in any form from the sale of tokenised digital assets involving the use of distributed ledger technology or a similar means of recording a digital representation of an asset”; and
  • “persons that, by way of business, exchange, or arrange or make arrangements with a view to the exchange of− (a) virtual assets for money; (b) money for virtual assets; or (c) one virtual asset for another.”

In order to register, it is necessary to go through an application process with the GFSC, which requires the firm to submit an AML/CFT policy and manuals and application forms for each and every individual fulfilling a regulated function (Directors, Shareholders and Money Laundering Reporting Officers (“MLROs”) (who must be Gibraltar based)).

Gibraltar law does not distinguish or categorise cryptocurrencies, but rather utilises the very broad terms of “virtual asset”.  Virtual asset means a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes, but does not include digital representations of fiat currencies or financial instruments specified in paragraph 46 of Schedule 2 to the Financial Services Act 2019 (“FSA”).  Should a token be considered a financial instrument, then one would need to consider the provisions of the FSA.

 

Taxation

Gibraltar does not levy capital gains tax, value-added tax, or withholding tax.  Furthermore, there are certain personal tax statuses that can apply to individuals whereby one’s individual income tax position is capped.

Gibraltar operates a territorial corporation tax model.  Consequently, companies shall pay 12.5% corporation tax on all profits that are accrued in or derived from Gibraltar.  In other words, if the profits do not accrue in or derive from Gibraltar, then they shall not be taxable in Gibraltar.  A licensed entity is, by virtue of its licence, deemed to be operating in Gibraltar and consequently, all income that it accrues is deemed to accrue in and derive from Gibraltar.

It should be noted that neither Gibraltar’s generally accepted accounting standards nor its current tax laws specifically address how cryptocurrencies should be treated.  As a result, general principles implied by Gibraltar’s existing laws and accounting standards that are deemed appropriate are applied.

 

Money transmission laws and anti-money laundering requirements

The Anti-Money Laundering Directives have been transposed into Gibraltar legislation and apply to all RFBs, which, for the avoidance of doubt, include DLT Firms and token-selling companies.  RFBs are required to carry out customer due diligence (“CDD”) and ongoing monitoring and risk assessments of their clients.  Each RFB must appoint an MLRO to oversee and ultimately be responsible for the firm’s checks and balances in this respect.

DLT Firms are required to establish and maintain appropriate and risk-sensitive policies, controls and procedures relating to: CDD measures and ongoing monitoring; reporting; recordkeeping; internal control; risk assessment and management; compliance management, including the allocation of overall responsibility for the establishment and maintenance of effective systems of control to a compliance officer at management level; and employee screening.

POCA states that CDD measures shall include identifying the customer and all beneficial owners, and understanding the ownership and control structure, obtaining information on the purpose and intended nature of the business relationship or occasional transaction, and taking a risk-based approach to the verification of the identity of the customer, all beneficial owners and the source of funds and wealth of the same.

In the case of a corporate or legal entity, CDD measures shall include obtaining its name, legal form and proof of existence, the powers that regulate and bind the corporate or legal entity, the names of the relevant persons in a senior management position, the address of its registered office and, if different, its principal place of business.

The “travel rule” applies to transfers of virtual assets (i.e. crypto assets) where the transaction has a value equal to or in excess of €1,000 and requires virtual asset service providers (“VASPs”), including cryptocurrency exchanges, digital wallet providers, OTC trading desks, and other companies dealing with crypto assets, to make sure that specific customer information is obtained, disclosed, and transferred between counterparties in a crypto asset transaction (more on this below).

Businesses in the fintech industry are now obligated to take the necessary steps to account for these regulations.  For the purposes of AML/CFT, POCA also mandates that all pertinent financial businesses register with the GFSC.  Registration of the MLRO and payment of a fee are part of this process.

 

Promotion and testing

There is no “sandbox” in Gibraltar.  Instead, the GFSC may require DLT Firms to undertake a testing phase and a restricted operation phase in a controlled environment with regulatory oversight to prove the DLT Firm’s concept.  By doing so, DLT Firms can gain valuable insights, receive feedback from regulators, and potentially launch their services to the market in a compliant manner.  This fosters an environment of responsible innovation and helps Gibraltar to stay at the forefront of fintech and blockchain developments.

Additionally, Gibraltar’s favourable regulatory environment for DLT Firms, as provided by the DLT Regs, also contributes to promoting research and investment in cryptocurrency and blockchain projects within the territory.  Gibraltar acknowledges that this is a young industry, and while Gibraltar has demonstrated leadership in this area, development is undoubtedly a continuous process.  Gibraltar is aware of the importance of investing in supporting knowledge and skill development, along with producing economic results, as it continues to strive for excellence in an effort to emulate that mindset in the blockchain realm.

 

Ownership and licensing requirements

A firm must be authorised by the GFSC under the DLT Regs if it is carrying out an activity for commercial gain that involves the storage or transmission of digital assets belonging to third parties.

Collective Investment Scheme (“CIS”) legislation is another important legal factor to take into account if the objective is to create a structure that allows a number of investors to pool their assets and have them professionally managed by an independent manager rather than buying investments directly as individuals, and it must be noted that the participants of such an arrangement cannot have the day-to-day control over the management of the assets, with any property managed as a whole, and any profits or income must be pooled.  A CIS is defined in the FSA as “any arrangement with respect to property, the purpose or effect of which is to enable persons taking part in the arrangement, whether by becoming owners of the property or any part of it or otherwise, to participate in or receive profits or income arising from the acquisition, holding, management or disposal of the property or sums paid out of such profits or income”.

The most common fund structures in Gibraltar are Experienced Investor Funds (“EIFs”) and Private Funds, and both vehicles can be used to invest in crypto assets.  EIFs, in particular, are designed for high-net-worth and experienced investors.  An EIF is required to appoint EIF Directors and licensed service providers.  Furthermore, they can be structured as a Protected Cell Company (“PCC”) or a Protected Cell Limited Partnership (“PCLP”).  PCCs and PCLPs are vehicles that can establish numerous segregated cells and operate differing strategies, thereby segregating the assets and liabilities into separate cells.  In addition, consideration must be made to the Financial Services (Alternative Investment Fund Managers) Regulations 2020.  Gibraltar has enacted a dual regime that allows EIFs to safely opt out of the provisions of such Regulations.

 

Mining

There is no particular legislative or regulatory structure that specifically addresses the mining of Bitcoin and other cryptocurrencies; therefore, it is not generally a licensable activity.  The manner in which the mining activity is carried out will need to be analysed to ensure that no licensing issues arise.  Consideration will need to be given to the control that the miner has over the network/protocol and whether they are exercising control, therefore indirectly storing and transmitting valued by carrying out the act of mining.

 

Border restrictions and declaration

Other than the requirement that the DLT Firm must have its “mind and management” in Gibraltar, there are no specific border restrictions or obligations to declare cryptocurrency holdings when entering or leaving the country.  Gibraltar has been proactive in creating a regulatory framework for cryptocurrency businesses, aiming to attract companies in the blockchain and digital asset space.

 

Reporting requirements

The Government has implemented regulations to combat money laundering and terrorist financing, which include reporting obligations for certain transactions involving cryptocurrencies.

DLT Firms are required to comply with AML/CFT obligations, which includes conducting CDD, monitoring transactions, and reporting suspicious activities.

In order to deal with the enactment of the “travel rule” outlined in the updated Recommendation 15 (read in conjunction with Recommendation 16) of the Financial Action Task Force (“FATF”) Recommendations, Gibraltar has additionally introduced a number of pieces of legislation.  RFBs as defined in s.9 POCA, which includes persons who send (on behalf of a “payer”) or receive (on behalf of a “payee”) virtual assets to or from VASPs, are now subject to the “travel rule” responsibilities.  The RFB acting on behalf of the payer in a virtual asset transaction that has been covered by the regulations is required to collect and submit specific information regarding the payer and the payee, which the RFB will already have as part of its due diligence unless the payee is not one of its clients, with the RFB being obligated to obtain the payee’s information from the originator RFB and confirm this with their internal records in respect of their name and, in some instances, their account number.  However, when the RFB transmits a virtual asset transfer to someone other than a VASP, the travel rule does not apply.  Other than the standard CDD measures that an RFB must satisfy under POCA, there are no information collection requirements in this circumstance.  The regulations make it clear that any requirement under the regulations for an RFB to obtain the information, or any part of it, shall constitute a CDD measure, given the overlap between travel rule information and CDD information obtained during the normal course of an RFB’s activities.  Information gathered when sending or receiving virtual asset transfers is subject to the recordkeeping obligations under POCA as well.

Depending on whether an RFB is operating on behalf of a payer, a payee, or both (as well as on its own behalf), the information gathering needs to change slightly.  When RFBs receive virtual asset transfers from someone other than a VASP (such as virtual assets acquired through an unhosted wallet), they must additionally take into account their obligations as well.

 

Estate planning and testamentary succession

For the purposes of estate planning and testamentary succession regarding cryptocurrency, there is no guidance as of yet.  Gibraltar’s succession law derives from the UK Wills Act 1837 and was enacted as the Wills Act, with the administration of estates enacted as the Administration of Estates Act 1948 (which consolidated the original 1933 Act).

In Gibraltar, people may establish trusts or include cryptocurrency in their wills as part of their estate planning in order to ensure the orderly transfer of their digital assets after death.  To make the transfer procedure easier, it is crucial to precisely identify and specify the cryptocurrencies possessed, along with their wallet addresses and any other access details, and ensure the value is maintained.  In addition, Gibraltar does not impose any duties payable upon death.

 

Download Article


  SHARE

Contact a Lawyer