Distributed Ledger Technology Providers

Applying for Authorisation

We are committed to delivering a streamlined authorisation process which is consistent, fair and efficient. It supports speed to market for the industry whilst, at the same time, provides confidence that key risks are identified and mitigated in order to protect the public and the reputation of Gibraltar. As with all other regulated sectors, we take a risk based approach to all aspects of the authorisation process.

Authorisations Process

Due to the varied nature of potential applicants and the wide scope of the framework, firms are strongly encouraged to seek advice from one of the local professional advisors in order to determine if the proposed business model would fall within the scope of the DLT framework. Early engagement with the GFSC’s DLT team is also recommended. Initially, the DLT team will lead on the assessment of applications for authorisation. 

Given the nascent and innovative nature of DLT, we have incorporated some changes to the authorisations process, namely, the introduction of an initial application assessment and a comprehensive presentation. 

Pre-Application Engagement

As with all other activities and permission types, the GFSC welcomes, as a first step, applicants to contact the DLT team to discuss the application proposal, business model and type of activity and/or services the firm wishes to provide in, or from within Gibraltar. This pre-application engagement will provide an opportunity for the GFSC to give applicants any appropriate guidance on the application process, and more importantly, to discuss whether the proposed activity will fall within the scope of the DLT framework i.e. will the firm be using DLT for the transmission or storage of value belonging to others.  

Initial Application Assessment

Once it is established that the proposed activities would fall within the scope of the DLT framework, firms will be required to follow our initial application assessment process. In order to do so, applicants will need to send an email to [email protected] setting out the following information:

  • name of the firm;
  • brief note on the type of business and products and services the firm intends to offer;
  • the firm's address; and
  • name and email address of the main contact for the application.

Once this has been submitted, you will receive credentials in order to submit your application via the Cloud. 

As part of the initial application assessment, the GFSC will carry out an initial assessment of the inherent risks and complexity of the applicant’s proposed activity and business model. The initial application assessment will help us process applications expeditiously as well as provide us with a better understanding of the activities and services the firm proposes to conduct. 

A non-refundable initial application assessment fee of £2,000 will be payable to the GFSC. 

Within 2 weeks of receiving a request for an initial application assessment, the DLT team will carry out the initial assessment and categorise the firm according to the inherent risks and complexity of the applicant’s business model and activities. 

Although not an exhaustive list, the following factors will be taken into account when determining the inherent risk and complexity of an applicant’s business model and activities:

  • how the firm will be applying DLT and its maturity;
  • any added complexity due to the use of smart contracts;  
  • whether the firm will hold or control client assets; 
  • the type of customers the firm will be engaging with, such as retail, experienced or professional investors, or institutional;
  • number and variety of products and services offered to customers;
  • level of interaction and interplay with other types of regulatory regimes, and or the provision of other regulated or unregulated activities;
  • whether the firm will be offering its customers investment-related products and services and the risks and complexity associated with such products and services;
  • any functions outsourced to third parties and the materiality of such functions; 
  • the complexity of the firm’s organisational structure;
  • exposure and vulnerability to money laundering and terrorist financing;
  • whether the business model, products and or services have been successfully tried and tested; and
  • the scale and size of the proposed operation.

The GFSC will exercise judgment when carrying out its assessment and in deciding the assessed category. The assessed full application fee and expected annual fee will be communicated to the firm. At this point, the GFSC will also communicate our expectation with regards to the application of the principles and highlight any specific controls we expect the firm to incorporate. 

The full application fee and annual fee will depend on the assessed complexity category. 

Any material interim changes to a DLT Provider’s business model will need prior approval from the GFSC at which point consideration will be given to whether the complexity categorisation of the firm needs to be amended. 

Full Application and Presentation 

The application process at this stage, will mirror the staged application process applied to other activities authorised and supervised by the GFSC. 

One exception is that once the firm has submitted an application and paid the balance of the assessed application fee, applicants will be invited to deliver a presentation to the GFSC. Any specific requirements based on the nature and complexity of the proposed business will be communicated at the time of the initial application assessment.  

Generally, the presentation is expected to cover the following areas:

  • background on the key individuals driving the business including relevant skills and experience;
  • business plan, including structure of the company/group, products and services, target market, strategy, etc.;
  • financial projections; and
  • evidence how the firm will meet the 9 regulatory outcomes/principles.

It is expected that GFSC staff present will include members from the DLT team and any key GFSC decision makers. 

The presentation will be an integral part of the authorisations process and will give the applicant an opportunity to demonstrate how they will meet the GFSC’s regulatory outcomes/principles. We believe that this approach will help reduce the time taken to understand the business, assess the firm’s compliance with the principles and deliver an overall more effective authorisations process.

Application Process

Applicants should submit an application in line with the Staged Application for Authorisation Approach.

Initially, the applicant will only submit the Stage 1 application information - it is important that only Stage 1 information is provided at the outset of the application process.

The GFSC will communicate to the applicant that the application can progress to the next stage once the GFSC is satisfied with the content provided at the current stage. The applicant will then be invited to submit the further information required at the next stage of the application process.  

Stage 1 - Business Model, Capital & Key Individuals

The following is to be submitted for Stage 1: 

  • Application Fee (in full);
  • Application Form;
  • Stage 1 of the DLT Comprehensive Business Plan (not including Stages 2 and 3).  To note that the applicant’s business plan should be bespoke and tailored to the business of the applicant;
  • Controller Form (for each Controller);
  • Source of wealth/funds for each shareholder with evidence to support it;
  • Where products/services are shared across the Group, evidence that an independent and transfer pricing exercise has been carried out.

On receipt of the application fee and Stage 1 documents, the GFSC will confirm the GFSC Supervisor who has been assigned to assess the application for authorisation.

Any missing or additional sector-specific documents and/or information required by the GFSC to complete Stage 1 will be communicated to the applicant during Stage 1.

When the GFSC is satisfied with all the responses and information/documentation received, the GFSC will inform the applicant that its application can progress to Stage 2.  

Stage 2 - Risk Management, IT Systems, Corporate Governance & Financial Crime

The following is to be submitted for Stage 2: 

  • Stage 2 of the DLT Comprehensive Business Plan (not including Stage 3);
  • Documentation and information including, but not limited to:
    • Corporate Governance and control
    • Business Continuity Management Plan
    • IT infrastructure, Cyber and systems including outsourcing arrangements
    • Operational & Outsourcing Risk including material outsourcing arrangements
    • Outsourcing Register
    • Systems controls & Risk Management
    • Financial Crime controls, compliance with Anti-Money Laundering/Combating the Financing of Terrorism requirements (as applicable)
    • Risk Methodology and framework policy documents
    • Risk Register & controls
    • Disaster Recovery Plan
    • Safeguarding of customer assets policies and procedures - including but not limited to private key management, distribution of client assets between hot and cold storage and details of third parties and risk assessment performed by the applicant in choosing provider.   
    • Updated business plan, if required.

Any missing or additional sector-specific documents and/or information required by the GFSC to complete Stage 2 will be communicated to the applicant during Stage 2.

When the GFSC is satisfied with all the responses and information/documentation received from an applicant, the GFSC will inform the applicant that its application can progress to Stage 3.

Stage 3 - Conduct of Business, Non-Financial Resource, Policies & Procedures

The following is to be submitted for Stage 3: 

  • Stage 3 of the DLT Comprehensive Business Plan;
  • Documentation and information including, but not limited to:
    • The applicant's Terms and Conditions
    • The applicant's Risk Warning and/or Disclosure Statement
    • Proposed fee schedule
    • Non-financial resources
    • Compliance structure
    • Conduct of Business (Full Conduct Risk Framework documents)
    • Detail of KPIs
    • Consumer Duty compliance (as applicable)
    • Operational Resilience compliance (as applicable)
    • Remuneration Policy 
    • Conflict of Interest Policy
    • Conflict of Interest Register
    • Liquidity/solvency policies 
    • Internal Audit Plan 
    • Complaints Handling Policy 
    • Market Abuse/Insider Trading Policies
    • Terms of Reference of the Board, Board sub-committees, Risk Committee and/or Audit Committee, Underwriting/Pricing committees, as applicable 
    • Audit, accounting, and banking arrangements 
    • Professional Indemnity Insurance 
    • Contracts with parties to whom material operational functions are outsourced 
    • Completed and signed Regulated Individual Forms and Non-Executive Director Forms
    • Mobilisation Plan (if applicable).

When the GFSC is satisfied with the Stage 3 responses and information, the application will move to a GFSC decision for authorisation. 

Once a permission has been granted, an onsite visit will be completed. This will give the firm the opportunity to evidence to the GFSC that the processes and controls implemented and communicated during the presentation are effective and work in practice. 

The Regulatory Principles

The ten principles set out below applied to DLT Providers will ensure that the GFSC’s regulatory outcomes are achieved.

1. A DLT Provider must conduct its business with honesty and integrity. 

The GFSC must be satisfied that the applicant, including the persons associated with it, are fit and proper to undertake the DLT activity. The basic elements which are relevant to such an assessment include: 

  • honesty, integrity and reputation; 
  • skill, competence, care and experience; and 
  • financial position. 

2. A DLT Provider must pay due regard to the interests and needs of each and all its customers and must communicate with its customers in a way which is fair, clear and not misleading.  

DLT Providers are expected to devote as much time and consideration to protecting consumers' interests as to their own, and dedicate sufficient resources necessary to protect consumers.  

There is a need to use best endeavours to mitigate the risks associated with use of DLT and employ best practice in the operation of their business.  

DLT Providers must make appropriate disclosures regarding:  

  • the use of DLT in the business; 
  • the risks associated with the technology and its use by firm; and  
  • the products and services supplied and associated risks. 

DLT Providers need to make initial and per-transaction disclosure of risks, terms and conditions, as well as employing ethical advertising and marketing standards. 

They must have adequate complaint policies and disclosures and be able to manage and disclose any conflicts of interest. 

DLT Providers need to ensure that the information is presented in a way that is likely to be understood by the target customer and does not disguise, diminish or obscure important items, statements or warnings. 

3. A DLT Provider must maintain adequate financial and non-financial resources. 

DLT Providers are expected to maintain sufficient financial resources to ensure that it can be run in a sound and safe manner. Capital levels must be monitored to ensure that sufficient capital is held to support business objectives. Capital level must be commensurate with the prudential risks. As a minimum, DLT Providers are expected to hold sufficient capital to ensure an orderly, solvent wind-down of its business. Where appropriate, DLT Providers are required to hold professional indemnity insurance cover.  

Consideration will therefore be given to the following: 

  • adequacy of financial resources; 
  • sustainability of business model; 
  • maintenance and retention of books and records; and 
  • audit and reporting standards. 

In terms of non-financial resources, DLT Providers must ensure that it will be able to comply with the requirements imposed by the GFSC in the exercise of its functions. 

4. A DLT Provider must manage and control its business effectively, and conduct its business with due skill, care and diligence; including having proper regard to risks to its business and customers. 

DLT Providers are expected to apply good, forward-looking risk management practices. This will help provide assurance to all stakeholders that the core processes and systems are effectively controlled, are fit for purpose and that risk is being managed in the right way.  

Strong risk management practices will make DLT Providers better equipped to act on risks and control in a timely manner, therefore reducing the likelihood of significant risks emerging that have not already been identified and managed effectively. 

5. A DLT Provider must have effective arrangements in place for the protection of client assets and money when it is responsible for them. 

DLT Providers are expected to take all reasonable precautions to protect customer assets in their custody or control against unexpected eventualities and threats. Custodial assets will need to be segregated from the DLT Provider’s own assets.  

DLT firms need to ensure that they maintain robust and accurate records of transactions.  

6. A DLT Provider must have effective corporate governance arrangements.  

DLT Providers need to implement good corporate governance. This is crucial as it will establish the system by which firms will be run and business overseen, including its structure, processes, culture and strategies. It will establish the rules by which authority is exercised and decisions taken and implemented to manage all risk types and exposures.  

DLT Providers need to deliver and maintain a corporate culture consistent with the secure and confident delivery of these principles. They need to have an open, cooperative and transparent relationship with the GFSC and other regulators and must disclose to them any matter of which the regulator would reasonably expect notice.  

Areas of focus will include:  

  • board structure, including composition to ensure that there is a good balance and mix of skills and experience to complement the business;  
  • adequate application of the four eyes principle; and 
  • application of mind and management from Gibraltar. 

7. A DLT Provider must ensure that all systems and security access protocols are maintained to appropriate high standards. 

All systems used should ensure the right level of access to authorised personnel with up to date monitoring systems. On-going and proactive security assessments should be conducted on DLT technologies to keep up to date with any new threats and potential vulnerabilities.  

These include: 

  • risk assessment of applications, underlying technology, and cybersecurity; 
  • policies, procedures and controls to ensure the delivery of this principle; 
  • skilled and experienced staffing; 
  • continuous vulnerability and threat analysis and assessment; 
  • continuous monitoring and response provisions; and  
  • independent compliance audit and reporting. 

8. A DLT Provider must have systems in place to prevent, detect and disclose financial crime risks such as money laundering and terrorist financing. 

DLT Providers must adequately apply anti-money laundering and counter terrorist financing preventive measures which are commensurate with their risks, and report suspicious transactions. DLT Providers need to be aware of the vulnerabilities of its products and services to financial crime risks and ensure that they implement measures to mitigate the risks.  

DLT Providers need to comply with the Proceeds of Crime Act and any guidance issued by the GFSC.   

9. A DLT Provider must be resilient and must develop contingency plans for the orderly and solvent wind down of its business. 

DLT Providers need to develop, test and maintain adequate business continuity, disaster recovery and crisis management plans. 

Preparedness for any potential threats or loss should form part of the disaster recovery plans as well as a well-managed and structured business continuity management process. Testing of the plans and its embedded processes should form part of the business model.

10. A DLT Provider must conduct itself in a manner which maintains or enhances the integrity of any markets in which it participates.

DLT Providers should conduct themselves in a manner that fosters transparency, efficiency, fairness, liquidity and resilience within the markets in which they operate on an ongoing basis. This encompasses a number of key responsibilities, such as monitoring for manipulative trading and other forms of market abuse, fostering non-discriminatory market access, ensuring transparency in price formation and fair trading practices, maintaining high disclosure standards and providing robust consumer protection.

Market integrity is continuous in nature and generally cannot be judged by isolated events, although such events, and/or patterns of events can indicate the existence of issues that need to be addressed.

DLT Providers will need to implement measures commensurate with their activities in order to prevent, or mitigate the effects of, any type of manipulation or improper influencing of prices, liquidity or market information, or any other behaviour which is inimical to market integrity.

Frequently Asked Questions

1. Do Initial Coin Offerings (ICOs) or token sales fall within the DLT framework?

Generally, ICOs or token sales will not be caught under the DLT framework. However, there may be instances where, depending on what the token will be used for and how the token issue is structured, the token may fall within existing financial services legislation (for example, could be deemed as a Collective Investment Scheme, Alternative Investment Fund, etc.). 

We would recommend that you seek independent legal advice to determine whether your ICO may be caught within existing financial services legislation.

The Government of Gibraltar and the GFSC are working on developing a legal and regulatory framework which will be aligned to the DLT framework, for the sale, promotion or distribution of tokens.  

For further information on ICO or token sales please read the GFSC statement which can be found here.

2. Will firms currently licensed under existing financial services legislation require an additional licence? If so, what will be the process?

Firms who are currently licensed under existing financial services legislation, but use DLT in order to improve their controls, procedures and processes, will not need to obtain a separate licence under the DLT framework, unless the activities are not currently caught within the scope of the licence they hold (for example if you are licensed as a bank, and wish to use DLT as part of your process, a separate licence will not be required). 

However, if you are licensed as a bank, but intend to provide virtual currency wallets and/or services you will be required to obtain a licence under the DLT regime).

3. Will DLT providers need to comply with Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) requirements?

DLT providers will be required, at the very minimum, to comply with local AML/CFT requirements – the Proceeds of Crime Act (POCA) and any AML/CFT requirements of any jurisdiction they may be operating in.

4. During what period is a token sale considered a relevant financial business?

The AML/CFT obligations commence the moment the ICO firm invites expressions of interest. This means that KYC documentation requirements starts at the pre-qualification public offering.
The AML/CFT obligations, other than record keeping, end upon distribution of the tokens.

5.What customer due diligence is expected to be conducted by ICO's?

The KYC obligations commence the moment the ICO firm invites expressions of interest from the public and must be completed before receipt of proceeds from the token sale.
The KYC requirements under POCA would include;

  • Verification if person is a PEP, family member or close associate; determining that the applicant is not a designated person for TF, etc, or whether there are linked transactions with previous ICO.
  • Determining that the applicant is not a designated person for TF, etc,or;
  • whether there are linked transactions within the same ICO, regardless if this is during pre-sale or public sale stage. 

It is generally accepted by the GFSC, that unless tokens can be withheld, due diligence is required to be collected on potential contributors before a public token sale takes place (a ‘white listing’ process).The extent of the captured due diligence would then be reviewed and adjusted under a risk based approach to ensure appropriateness on an offering by offering basis. Nonetheless, the FSC will consider alternative arrangements as long as the KYC obligations are met before receipt of proceeds.

6. Are firms offering token sales required to appoint a money laundering reporting officer (MLRO) based in Gibraltar?

Yes, the appointment of a MLRO is a requirement.
In the interim, and until the full development of the token regulations, the FSC would be satisfied for the MLRO function and AML/CFT procedural work to be outsourced to 3rd parties, in line with the GFSC’s Outsourcing Guidance Note. This also applies even if the MLRO is located outside of Gibraltar provided 1) it complies with local requirements and the individual is based within an EEA state with equivalent AML/CFT requirements.

Please be advised that the outsourcing of the function does not exempt the firm’s and its senior management’s, responsibility to ensure compliance with POCA.The FSC will consider how best to address this as part of the development of the token regulations.

7. What policies and procedures are required to be documented by firms offering token sales?

These should largely focus on the firm’s AML/CFT procedural policy under a risk based approach, such as the responsibilities of the MLRO, risk-based approach to KYC and actual KYC processes.

8. For firms offering token sales, what are the GFSC’s expectations with respect to compliance with the independent audit requirement?

The requirement and appropriateness of an audit for a firm conducting a token sale would be determined by the captured firm, but would not likely always be deemed necessary due to the short period of time it will be in existence as a “relevant financial business.” RFB.
If the FSC needs to seek reassurances of a firm’s system of controls, it would do so under its existing powers under POCA.

9. For firms offering token sales, what are the record keeping requirements?
The record keeping requirements apply to all one-off transactions over €15,000 and business relationships.
As a signpost to future requirements, the FSC will be seeking to introduce the same “traceability“ elements as those currently in existence for DLT providers (e.g. IP address, wallet address, Mac Address, etc.) to form part of the KYC documents once the full regulatory framework comes into play.

Professional advisors may want to start gearing up for this as soon as possible to account for all subscriptions to a token issue and linking this to the ID documentation provided in the pre-qualification stage.

The FSC is also considering/seeking views as to whether the one-off transaction limit should be reduced to €150 as per DLT transactions, or some other threshold.

10. Are ongoing monitoring requirements applicable for firms offering token sales?

There is no requirement for ongoing monitoring (i.e. after the sale has been concluded) in respect of a pure token sale.Should there be a secondary token market the due diligence requirements will sit with the relevant entities not the initial token issuing firm.