N/A

The Distributed Ledger Technology (DLT) Framework was introduced in January 2018. It introduced the licensing and supervision of  businesses that use distributed ledger technology to store or transmit value.

The DLT framework is based on ten core principles that ensure flexibility for innovating businesses while safeguarding consumer protection and financial stability. These core principles are:

• Honesty and Integrity: Conduct business with honesty and transparency.
• Customer Care: Prioritise fair treatment of customers.
• Resources: Maintain adequate financial and non-financial resources.
• Risk Management: Ensure the business is managed and controlled effectively, having regard to risks to the business and its customers.
• Protection of Client Assets: Safeguard customer assets from risk.
• Corporate Governance: Ensure effective corporate governance arrangements.
• Systems and Securities Access: Ensure systems are secure and robust against cyber threats.
• Financial Crime: Prevent financial crime, including money laundering and terrorist financing.
• Resilience: Ensure resilience, including contingency plans for the orderly and solvent wind down of the business.
• Market Integrity: Ensure high standards of market behaviour.

Businesses wishing to operate in Gibraltar using DLT must apply for a DLT permission from the Gibraltar Financial Services Commission (GFSC). The application process involves several stages, starting with pre-application engagement with the GFSC to assessing the firm’s fit within the DLT framework. The process includes an initial application assessment, followed by a comprehensive submission in three stages. Firms must present their business model, risk management systems and corporate governance, among other details and the process assesses adherence to the ten principles.

Separately, the Virtual Asset Service Provider (VASP) Registration Framework was established in Gibraltar to comply with the Financial Action Task Force (FATF) recommendations for combating money laundering (AML) and terrorist financing (CFT) in the digital assets space.  This applies to individuals or businesses that:

1. Receive proceeds from the sale of tokenized digital assets using DLT or similar.
2. Engage in the exchange, or arrange exchanges, of:

• Virtual assets for money,
• Money for virtual assets, or
• One virtual asset for another.

These activities require registration to ensure compliance with AML and CFT legislation.

The Government of Gibraltar has approached the growing blockchain and DLT related sector with a uniquely receptive and progressive attitude. Financial regulators and policy makers in Gibraltar have understood the need for regulation in this sector, responding rapidly to such demand as far back as 2014, with the creation of the Cryptocurrency Working Group. This private sector initiative led to the development of the DLT framework (see above) making Gibraltar the first jurisdiction in the world to deliver a framework of its kind that regulates businesses that use DLT for the defined purposes relating to a “storage” or “transfer” of “value”, which is a wider concept than pure virtual assets. The DLT core principles are substantiated by detailed guidelines constructed in a way that allows them to evolve at the same pace as the technology and its application, while always maintaining the core regulatory and legislative principles. The response to this approach has been global and truly significant. Those who know nothing about Gibraltar may be surprised, but those who know the history of the small jurisdiction, with a joined-up partnership between lawmakers, regulators and industry that is able to adapt and evolve to attract the right opportunities at the right level with the speed and flexibility needed to accomplish such goals, will not be surprised at all.

The Government of Gibraltar also launched an advisory group that focuses on the creation of new technology-related educational courses, such as blockchain. The New Technologies in Education (“NTiE”) group, which is a well-established initiative since its inauguration in 2018, is a joint initiative between the Government and the University of Gibraltar in collaboration with some of the leading new technology companies based in Gibraltar. The advisory group’s aim is to address the growing demand for related skills as the sector continues to expand in Gibraltar.

The Government of Gibraltar also created the Gibraltar Association for New Technologies (“GANT”) in 2018, an association formed together with the private sector, including Gibraltar’s leading law firms, accounting firms and technology companies all forming part of its membership. GANT serves several purposes, primarily enhancing the development in Gibraltar of the use of blockchain and DLT and other future developments (collectively referred to as “New Technology”), with a view to enhancing the reputation, integrity and public trust in this sector. GANT has been tasked to raise the profile of “New Technology” in Gibraltar across a spectrum not necessarily limited to financial services. This includes encouraging respective organisations to emphasise the high value of their reputation and interest in contributing to enhanced client and investor protection and remaining committed to safeguarding customer and jurisdictional interests. GANT also provides a forum for discussion on “New Technology” issues within the membership and to assist other sectors of the wider Gibraltar Finance Centre, whilst also assisting and advising the Government of Gibraltar on all aspects of this sector.

The GFSC often states that the primary purpose of the DLT framework is to create a safe environment for DLT firms to operate and innovate, while simultaneously protecting consumers and safeguarding Gibraltar’s reputation. The DLT framework provides legal certainty and allows businesses to operate within a purpose-built legislative framework. In doing so, it considers that a flexible, adaptive approach is required in the case of novel business activities, products and business models and that whilst regulatory outcomes remain central, these are better achieved through the application of principles rather than rigid rules.

As of now, Gibraltar has not launched a Central Bank Digital Currency (CBDC) project. The jurisdiction is known for its progressive stance on blockchain and cryptocurrency regulations, but there has not been any official announcement regarding the development or implementation of a CBDC.

Even though Gibraltar’s regulatory framework for blockchain and virtual assets is designed to be adaptable and stay current with technological advancements, the Government of Gibraltar and the GFSC continuously innovate to ensure the framework remains appropriate and effective. They regularly review and adjust regulations to maintain a balance between fostering innovation and ensuring compliance with key areas such as AML and CFT, consumer protection and market integrity, allowing Gibraltar to remain a leading jurisdiction in the blockchain space.

Gibraltar’s approach to decentralised finance (DeFi) is centred on ensuring that DeFi platforms operating within Gibraltar comply with existing laws. Gibraltar recognises the innovative potential of DeFi but emphasises that entities involved in DeFi must adhere to regulatory standards. This includes identifying key actors in decentralised systems who exercise control or influence, ensuring that they are subject to the same level of oversight as centralised DLT businesses.

A DLT firm in Gibraltar is classified as a relevant financial business (RFB) under the Proceeds of Crime Act (POCA), making it subject to know-your-customer (KYC) and anti-money laundering (AML) obligations. Under the DLT framework, firms must have systems to prevent, detect, and report financial crimes like money laundering and terrorist financing.

DLT firms must establish procedures for customer due diligence (CDD), appoint a Money Laundering Reporting Officer, prevent money laundering, train employees, screen staff, and conduct independent audits. These audits must be proportional to the firm’s size and nature.

Firms can use customer verification tools and blockchain technology, provided they meet GFSC regulatory obligations. Gibraltar’s AML regime for DLT firms is seen as a precursor to the EU’s Fifth AML Directive (AMLD5), but its introduction has not significantly impacted Gibraltar-based firms already compliant with DLT framework.

VASP registration framework requires four categories of RFBs to register with the GFSC for AML, counter-terrorism, and counter-proliferation financing supervision, unless already supervised. This applies to businesses receiving proceeds from tokenised digital assets or exchanging virtual assets. Registration is unnecessary if a business is already under supervision, but the GFSC will evaluate fitness and propriety criteria when processing or revoking registrations. Gibraltar’s definition of VASPs and virtual assets aligns with FATF standards, defining transactions between RFBs in Gibraltar and VASPs outside it.

DeFi platforms in Gibraltar must comply with existing laws where applicable.

Gibraltar does not have any differential tax treatment that are specific to cryptoassets and DeFi. However, Gibraltar offers an extremely competitive overall tax package for companies and individuals wishing to conduct business from Gibraltar.

There are no capital gains tax, value-added tax, death duties, inheritance, wealth, capital transfer, gifts or withholding tax levied in Gibraltar at present. For companies, corporation tax is generally 15%, payable on profits that derive from income accrued in or derived from Gibraltar; that is to say, by reference to the location of the activities that give rise to the profits. Under tax legislation, the location of the activities that give rise to the profits of a business whose underlying activity results in income, and requires a licence and regulation under any law of Gibraltar, shall automatically be considered to derive from Gibraltar.

Favourable tax packages are also available for High-Net-Worth Individuals and High Executives Possessing Specialist Skills (“HEPSS”) who want to establish residence in Gibraltar and can benefit from tax payable on income being resected to a capped amount, which encourages talent towards Gibraltar.

There are no prohibitions on the use or trading of crypto assets in Gibraltar. Cryptoassets trading is common in Gibraltar.

From a regulatory perspective, whether a natural or legal person qualifies as a DLT Provider depends on how they use virtual assets and whose benefit they serve. A person acting on their own behalf and not conducting business for others is not engaging in a regulated activity. For instance, individuals or entities investing in virtual assets for personal purposes do not require regulation.

Yes, ICOs have taken place in Gibraltar, which has become a hub for blockchain and cryptocurrency projects due to its supportive and well-defined regulatory environment and wider ecosystem.

Generally, ICOs or token sales will not be caught under the DLT framework. However, there may be instances where, depending on what the token will be used for and how the token issue is structured, the token may fall within existing financial services legislation.

It may be the case that tokens do qualify as securities or financial instruments under Gibraltar’s EU-retained legislation. In the event that the token or assets do constitute securities, there is currently an EU-retained framework dealing with this. Accordingly, Gibraltar is not looking to introduce a framework that will modify, in any way, securities law or the EU Prospectus Regulation requirements. That is to say, the public offering of tokens that constitute securities does not require further regulation from a Gibraltar perspective and will continue to fall under current frameworks governing the issuance of securities. It should also be noted that entities issuing tokens may separately have to comply with classic consumer protection law, depending on the design of the digital token.

Gibraltar also does not maintain separate classifications of virtual asset categories and even if  the issuance of any token may not be captured within financial services legislation, from a compliance and risk perspective, any such creation and issuance will always be caught by the POCA in Gibraltar, which requires the ICO to register with the GFSC.

Under Gibratlar law, the transfer of title and granting of security over cryptoassets present several legal and regulatory challenges due to the unique nature of these assets. The main issues revolve around the legal classification of cryptoassets — whether they are considered property — and how existing frameworks for security, such as charges or mortgages, apply to intangible digital assets. Steps have not been taken to clarify that cryptoassets are considered property under Gibraltar law. Therefore, practical challenges remain in enforcing rights and granting security due to their decentralised and anonymous nature.

In order for smart contracts to be compliant and enforceable in Gibraltar follow similar requirements to traditional contracts, it must demonstrate offer, acceptance, consideration, certainty and intention to create legal relations, with these terms encapsulating their various forms and means. There are currently no specific guidelines or regulatory requirements specific to smart contracts. Conditional events of a specific nature which can be written into code could replace similar provisions within any traditional contract.

There is no specific legislation or regulation related to DAOs. However, an attempt to incorporate or register a DAO would contradict the purpose of a DAO as it would jeopardise the centralisation.

A support vehicle could be registered in Gibraltar in order to assist the DAO in the form of a “DAO wrapper”. These vehicles could be in the following form:

–          Private Foundation

–          Purpose Trust

–          Company Limited by Guarantee

The abovementioned vehicles can act as self-governing vehicles, which can be run to carry out key functions, such as development activities and treasury management, on its own account, and importantly independently of community members whilst ensuring that any activities they carry out are scrutinised from a regulatory perspective and documented.

In July 2024, the Supreme Court of Gibraltar ordered a freeze injection of crypto wallets belonging to a company with wallets being held in Binance, Kraken and Coinbase. This injunction was the first of its kind in Gibraltar.

In December 2023, a regulated firm did not meet 2 of the 10 DLT Principles set out within the Financial Services (Distributed Ledger Technology Providers) Regulations 2020. As a result, and by way of Regulatory Settlement, the firm agreed to pay a financial penalty amounting to £21,000.

In Gibraltar, the overarching national law on data protection is the Data Protection Act 2004 (“DPA 2004”). The DPA 2004 was amended on 25 May 2018 to:

• implement the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”);
• transpose the Law Enforcement Directive (Directive (EU) 2016/680);
• implement a data protection framework under the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data of 1981 (“Convention 108”); and
• implement Articles 126–130 of the Convention of 19 June 1990 applying the Schengen Agreement of 14 June 1985.

The changes made to the DPA 2004 took Brexit into account, as well as the Data Protection Act 2018 of England and Wales (“DPA 2018”). Both statutes share a similar structure, but with notable differences, such as the repeal of Part IV of the DPA 2004, which related to intelligence service processing and was similar in structure and content to Part 4 of the DPA 2018.

Following the end of the Brexit transition period, the DPA 2004 was further amended, and the EU GDPR now forms part of Gibraltar law by virtue of Section 6 of the European Union (Withdrawal) Act 2019, as read with (i) Section 2(1B)(a) of DPA 2004, and (ii) the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. This is now referred to as the “Gibraltar GDPR”, which is essentially the EU GDPR read with certain modifications. It is, therefore, important to read the Gibraltar GDPR and the DPA 2004 side-by-side.

Both the EU GDPR and Gibraltar GDPR have what is referred to as “extra-territorial effect”, in that, respectively, the EU GDPR can apply outside of the EU, and the Gibraltar GDPR can apply outside of Gibraltar. This is achieved in a similar manner in both pieces of legislation. Focusing on Gibraltar, the territorial scope of the Gibraltar GDPR can extend to any of the following situations:

• Where a controller/processor has an “establishment” in Gibraltar and processing occurs “in the context of the activities” of that establishment. This applies regardless of whether the processing occurs in Gibraltar or not.
• Where goods or services are offered to data subjects in Gibraltar, irrespective of whether payment is required by a non-Gibraltar controller/processor. There should be an element of targeting and other evidence will be considered, such as whether consumers are able to pay in their local currency, or whether a marketing campaign has taken place. This test is also not limited by citizenship or residency of the data subjects.
• Where the monitoring of behaviour of data subjects in Gibraltar is carried out by a non-Gibraltar controller/processor. Examples of monitoring would be predicting trends, or use of geo-location.
• Where a controller is not established in Gibraltar, but in a place where domestic law applies by virtue of public international law.

Under Article 27 of the Gibraltar GDPR, controllers and processors established outside of Gibraltar would need to consider the appointment of a local representative in Gibraltar, if they are offering blockchain technology services or monitoring the behaviour of data subjects in Gibraltar.

Controllers and processors based in Gibraltar offering goods or services or monitoring the behaviour of data subjects in the EU are subject to the EU GDPR, and will need to consider their obligations in that context. In particular, until the issue of adequacy is decided by the European Commission in respect of Gibraltar, appropriate safeguards (e.g., such as standard contractual clauses) would need to be considered prior to a data transfer from Gibraltar to the EU or vice versa, given that, at the time of writing, Gibraltar is considered as a “third country” for the purposes of Chapter V of the EU GDPR.

The DPA 2004 designates the Gibraltar Regulatory Authority (“GRA”) as the Information Commissioner.

The GRA have identified areas where there may be issues related to the data protection when using blockchain, these are as follows:

1. Identifying the data controller; and

2. The anonymisation of personal data

1. Identifying the data controller

As blockchain relies on a decentralised model, individuals and entities transact directly with each other, and there are often many contributing parties, blurring the certainty of an identifiable controller. For example, ‘permission-less’ blockchain networks, make it much more difficult to identify the data controller, as these are open networks and are predominantly widely distributed.

Alternatively, ‘permissioned’ blockchain, it can be argued that the participant entering into the transaction is themselves the data controller given that they submit the respective data and determine the purpose and means of the processing.

Further, blockchain transactions require validation by miners, miners are potentially receiving personal data of participants. Miners who simply validate transactions sent by participants, but do not have control over what is contained within such transactions, would not generally be considered controllers. However, in the event that they make any decisions on the personal data and how it is processed, they would then become a controller, or perhaps a joint controller.

2. Anonymisation of personal data

The GDPR applies to all personal data, as defined in Article 4 of the GDPR “any information relating to an identified or identifiable natural person” unless it has been anonymised. In the classification of data as anonymous, it must be impossible to identify a natural person through “all the means reasonably likely to be used” as stated in Recital 26 of the GDPR. When personal data is added to the blockchain, it cannot be altered or removed on the blockchain. It can be encrypted to protect the personal data but there are risks such as reversibility which are of concern. The issue related to what it takes to fully anonymise personal data to such a standard whereby it can be stored on the blockchain whilst remaining anonymous remains open.

No.