William Gracia, head of DLT and markets at Gibraltar Financial Services Commission (GFSC) underscores its crucial role in promoting good business, protecting consumers, and maintaining Gibraltar’s reputation as a quality financial services hub.
Introduction – principles vs rules
The Gibraltar Financial Services Commission (GFSC) plays a pivotal role in safeguarding consumer interests, enhancing Gibraltar’s reputation as a quality financial services hub, and creating an environment conducive to business growth. The GFSC’s mission is to promote good business, protect consumers and preserve Gibraltar’s good reputation as a financial centre.
The DLT Provider Framework provided much sought-after regulatory certainty to firms operating in the virtual assets space and to their supporting financial supply chain (for example banks, lawyers, accountants, professional services firms, etc.).
The DLT Provider Framework covers a broad scope of financially-based, DLT-related activities. The broad and innovative approach of the principles-based, outcomes-focussed regulation avoided the pitfalls of introducing narrow-focused, highly-prescriptive regulation to a nascent technology in which new use cases and business models are still being developed. Regulatory outcomes remain central but are better achieved through the application of principles rather than rigid rules.
DLT Provider Regulatory Framework:
The Distributed Ledger Technology Provider Regulations (DLTPR) came into effect on 1 January 2018, making it one of the first jurisdictions to capture virtual asset-related businesses.
The DLTPR applies to individuals and firms that engage in activities not subject to regulation under another framework and that, for business purposes, use DLT for the transmission or storage of value belonging to others. Activities that are subject to another regulatory framework will continue to be regulated under that framework.
The DLTPR sets out 10 Principles which firms are required to comply with on an ongoing basis. The principles set standards in relation to conduct, prudential, market integrity and financial crime expectations and requirements.
The 10 Regulatory Principles are supplemented by Guidance Notes which set out operational, technical and organisational standards expected and in some circumstances required by the GFSC. The operational standards expected and required by the GFSC of a DLT Provider will vary depending on the size, particular nature, scale or complexity of the DLT Provider’s business.
The 10 Principles largely mirror the core rules that underpin any financial services regulatory framework – that the firm and individuals involved act with honest and integrity, with the best interests of customers and have sufficient financial and non-financial resources to meet the demands on the firm. The Regulations also set out the requirement that firms need to have good corporate governance arrangements, appropriate risk management frameworks, strong AML/CFT/PF tools and systems, adequate cybersecurity arrangements and are offering fair and efficient markets.
An outcomes-focused, principles-based regime is as effective in regulating novel businesses as a conventional rule-based approach is to mature, traditional businesses. It is not a light or soft touch approach.
The application of DLT Principles are objective and targeted, measurable and verifiable, and appropriate to activities performed, product, business model and risk factors. At the same time, it is designed to help foster a fintech culture that uniquely harnesses Gibraltar’s legal, regulatory and other advantages.
VASP regime
In 2021, the GFSC conducted a thorough review of the Financial Action Task Force’s (FATF’s) Guidance for a Risk Based Approach to Virtual Assets and Virtual Asset Service Providers (VASP) in order to ensure that the DLT Framework maintains regulatory standards which as a minimum meet the requirements of a registration regime defined by the FATF Guidance.
The review concluded that whilst the definition of a DLT Provider falls entirely within the FATF’s definition of a Virtual Asset Service Provider (and that the DLT Framework as a minimum complies with the FATF’s AML/CFT/CPF Recommendations), not all VASPs are necessarily within scope of the DLT Framework.
Those individuals or firms that fall within the definition of a VASP, but not within that of a DLT Provider, are registered for AML/CFT/CPF supervision purposes under the Proceeds of Crime Act 2015 (Relevant Financial Business) (Registration) Regulations 2021. The only activity which was identified as falling outside of the DLT Framework and are therefore subject to registration were Virtual Asset Arrangement Providers (VAAPs).
To be registered, firms must demonstrate that they have robust controls in place to adequately mitigate AML/CFT/PF risks associated with their business operations, appoint a locally-based Money Laundering Reporting Officer (MLRO), and identify a Director or senior manager with ultimate responsibility for its AML/CFT/CPF controls.
The VASP Registration & DLT regimes both oblige firms to comply with the stringent AML/CFT/CPF requirements set out under the Proceeds of Crime Act 2015. The differentiating factor between both regimes is that those which fall under VASP registration are subject to supervision by the GFSC against AML/CFT/CPF requirements only, whereas DLT Providers also need to comply with conduct, prudential and market integrity requirements.
In addition to the above, in order to grant a registration and/or permission the GFSC is obliged to assess the fitness and propriety of each applicant.
Supervision
Supervision is a fundamental aspect of Gibraltar’s regulatory framework, ensuring the effective implementation of regulatory outcomes and measures by firms. The GFSC adopts a risk-based supervisory approach, allocating resources efficiently and providing targeted oversight. This approach allows the GFSC to concentrate its efforts on higher-risk areas while fostering a conducive environment for businesses with lower-risk profiles.
For DLT Providers, especially during the early stages of a firm’s supervisory lifecycle, monthly reporting obligations and regular catch ups play a crucial role in the supervisory process, enabling the GFSC to monitor and assess regulated entities’ compliance effectively.
Furthermore, the GFSC conducts on-site inspections to gain firsthand insights into the operations, risk management practices, systems and controls of regulated entities. This comprehensive supervisory approach upholds the integrity of Gibraltar’s financial ecosystem and promotes market confidence.
International regulatory developments
Gibraltar remains highly attuned to international regulatory developments, aiming to harmonize its standards with best practices and global recommendations. The GFSC is closely following the International Organization of Securities Commissions (IOSCO) 28 draft Recommendations and consultation process and will be fully supporting and implementing once these have been finalised.
The GFSC welcomes this initiative and considers that this is a step in the right direction to ensure consistency across jurisdictions by promoting investor protections and a level playing field for businesses.
By keeping abreast of other international regulatory developments (for example in Europe MiCA, and in the UK the FCA’s MLR and Financial Promotions regime), Gibraltar continues to further solidify its position as a forward-thinking jurisdiction, attracting businesses that are seeking regulatory clarity and consumer trust.
Gibraltar’s success in establishing a robust regulatory framework lies in its commitment to innovation, consumer protection, and regulatory integrity. Through ongoing collaboration with local and international stakeholders Gibraltar’s regulatory framework will undoubtedly evolve, strengthening the jurisdiction’s reputation as a reputable and innovative financial services centre.
With a strong focus on establishing a comprehensive regulatory framework, Gibraltar has emerged as a pioneer in the field by carefully considering risks and opportunities, engaging with both public and private sectors, and adopting a principles-based, outcomes-focused approach.
