Frequently Asked Questions

Below are the POCA FAQs. Should you have any further questions, please contact [email protected]

Generally, ICOs or token sales will not be caught under the DLT framework. However, there may be instances where, depending on what the token will be used for and how the token issue is structured, the token may fall within existing financial services legislation (for example, it could be deemed a Collective Investment Scheme, Alternative Investment Fund, etc.).


We would recommend that you seek independent legal advice to determine whether your ICO may be caught within existing financial services legislation.


The Government of Gibraltar and the GFSC are working on developing a legal and regulatory framework which will be aligned to the DLT framework, for the sale, promotion or distribution of tokens.  


For further information on ICO or token sales please read the GFSC statement which can be found here.


Firms who are currently licensed under existing financial services legislation, but use DLT in order to improve their controls, procedures and processes, will not need to obtain a separate licence under the DLT framework, unless the activities are not currently caught within the scope of the licence they hold (for example if you are licensed as a bank, and wish to use DLT as part of your process, a separate licence will not be required). 


However, if you are licensed as a bank, but intend to provide virtual currency wallets and/or services, you will be required to obtain a licence under the DLT regime.

DLT providers will be required, at the very minimum, to comply with local AML/CFT requirements – the Proceeds of Crime Act (POCA) and any AML/CFT requirements of any jurisdiction they may be operating in.

The AML/CFT obligations commence the moment the ICO firm invites expressions of interest. This means that KYC documentation requirements start at the pre-qualification public offering.

The AML/CFT obligations, other than record keeping, end upon distribution of the tokens.

The KYC obligations commence the moment the ICO firm invites expressions of interest from the public and must be completed before receipt of proceeds from the token sale.

The KYC requirements under POCA would include:

Verification of whether the person is a PEP, family member or close associate; determining that the applicant is not a designated person for TF, etc., or whether there are linked transactions with a previous ICO.

Determining that the applicant is not a designated person for TF, etc., or

whether there are linked transactions within the same ICO, regardless of whether this is during the pre-sale or public sale stage.

It is generally accepted by the GFSC that, unless tokens can be withheld, due diligence is required to be collected on potential contributors before a public token sale takes place (a ‘white listing’ process). The extent of the captured due diligence would then be reviewed and adjusted under a risk-based approach to ensure appropriateness on an offering-by-offering basis. Nonetheless, the FSC will consider alternative arrangements as long as the KYC obligations are met before receipt of proceeds.


Yes, the appointment of an MLRO is a requirement.

In the interim, and until the full development of the token regulations, the FSC would be satisfied for the MLRO function and AML/CFT procedural work to be outsourced to third parties, in line with the GFSC’s Outsourcing Guidance Note. This also applies even if the MLRO is located outside of Gibraltar, provided 1) it complies with local requirements and 2) the individual is based within an EEA state with equivalent AML/CFT requirements.


Please be advised that the outsourcing of the function does not exempt the firm and its senior management from their responsibility to ensure compliance with POCA. The FSC will consider how best to address this as part of the development of the token regulations.

These should largely focus on the firm’s AML/CFT procedural policy under a risk-based approach, such as the responsibilities of the MLRO, risk-based approach to KYC and actual KYC processes.


The requirement and appropriateness of an audit for a firm conducting a token sale would be determined by the captured firm, but an audit would likely not always be deemed necessary due to the short period of time the firm will be in existence as a “relevant financial business” (RFB).

If the FSC needs to seek reassurances of a firm’s system of controls, it would do so under its existing powers under POCA.

The record keeping requirements apply to all one-off transactions over €15,000 and business relationships.

As a signpost to future requirements, the FSC will be seeking to introduce the same “traceability” elements as those currently in existence for DLT providers (e.g. IP address, wallet address, MAC address, etc.) to form part of the KYC documents once the full regulatory framework comes into play.


Professional advisors may want to start gearing up for this as soon as possible to account for all subscriptions to a token issue and link these to the ID documentation provided in the pre-qualification stage.


The FSC is also considering/seeking views as to whether the one-off transaction limit should be reduced to €150 as per DLT transactions, or some other threshold.


There is no requirement for ongoing monitoring (i.e. after the sale has been concluded) in respect of a pure token sale. Should there be a secondary token market, the due diligence requirements will sit with the relevant entities, not the initial token issuing firm.