Applying for Authorisation
We are committed to delivering a streamlined authorisation process which is consistent, fair and efficient. It also supports speed to market for the industry whilst, at the same time, providing confidence that key risks are identified and mitigated in order to protect the public and the reputation of Gibraltar. As with all other regulated sectors, we take a risk based approach to all aspects of the authorisation process.
We are committed to the delivery of service level standards of 3 months for the assessment of an application for a DLT Provider.
Due to the varied nature of potential applicants and the wide scope of the framework, firms are strongly encouraged to seek advice from one of the local professional advisors in order to determine if the proposed business model would fall within the scope of the DLT framework. Early engagement with the GFSC’s Risk and Innovation team is also recommended. Initally, the Risk and Innovation team will lead on the assessment of applications for authorisation.
Given the nascent and innovative nature of DLT, we have incorporated some changes to the authorisations process, namely, the introduction of an initial application assessment and a comprehensive presentation.
As with all other activities and licence types, the GFSC welcomes, as a first step, applicants to contact the Risk and Innovation team to discuss the application proposal, business model and type of activity and/or services the firm wishes to provide in, or from within Gibraltar. This pre-application engagement will provide an opportunity for the GFSC to give applicants any appropriate guidance on the application process, licensing regime, but more importantly, to discuss whether the proposed activity will fall within the scope of the DLT framework i.e. will the firm be using DLT for the transmission or storage of value belonging to others.
Initial Application Assessment
Once it is established that the proposed activities would fall within the scope of the DLT framework, firms will be required to follow our initial application assessment process. In order to do so, applicants will need to send an email to firstname.lastname@example.org setting out the following information:
- name of the firm;
- brief note on the type of business and products and services the firm intends to offer;
- the firm's address; and
- name and email address of the main contact for the application.
Once this has been submitted, you will receive credentials in order to submit your application via the Cloud.
As part of the initial application assessment, the GFSC will carry out an initial assessment of the inherent risks and complexity of the applicant’s proposed activity and business model. The initial application assessment will help us process applications expeditiously as well as provide us with a better understanding of the activities and services the firm proposes to conduct.
A non-refundable initial application assessment fee of £2,000 will be payable to the GFSC.
Within 2 weeks of receiving a request for an initial application assessment, the Risk and Innovation team will carry out the initial assessment and categorise the firm according to the inherent risks and complexity of the applicant’s business model and activities.
Although not an exhaustive list, the following factors will be taken into account when determining the inherent risk and complexity of an applicant’s business model and activities:
- how the firm will be applying DLT and its maturity;
- any added complexity due to the use of smart contracts;
- whether the firm will hold or control client assets;
- the type of customers the firm will be engaging with, such as retail, experienced or professional investors, or institutional;
- number and variety of products and services offered to customers;
- level of interaction and interplay with other types of regulatory regimes, and or the provision of other regulated or unregulated activities;
- whether the firm will be offering its customers investment-related products and services and the risks and complexity associated with such products and services;
- any functions outsourced to third parties and the materiality of such functions;
- the complexity of the firm’s organisational structure;
- exposure and vulnerability to money laundering and terrorist financing;
- whether the business model, products and or services have been successfully tried and tested; and
- the scale and size of the proposed operation.
The GFSC will exercise judgment when carrying out its assessment and in deciding the assessed category. The assessed full application fee and expected annual fee will be communicated to the firm. At this point, the GFSC will also communicate our expectation with regards to the application of the principles and highlight any specific controls we expect the firm to incorporate.
The full application fee and annual fee will depend on the assessed complexity category.
Any material interim changes to a DLT Provider’s business model will need prior approval from the GFSC at which point consideration will be given to whether the complexity categorisation of the firm needs to be amended.
Full Application and Presentation
The application process at this stage, will largely mirror the application process applied to all other activities authorised and supervised by the GFSC.
One exception is that once the firm has submitted a complete application and paid the balance of the assessed application fee, applicants will be invited to deliver a presentation to the GFSC. Any specific requirements based on the nature and complexity of the proposed business will be communicated at the time of the initial application assessment.
Generally, the presentation is expected to cover the following areas:
- background on the key individuals driving the business including relevant skills and experience;
- business plan, including structure of the company/group, products and services, target market, strategy, etc.;
- financial projections; and
- evidence how the firm will meet the 9 regulatory outcomes/principles.
It is expected that GFSC staff present will include members from the Risk and Innovation team, any individuals required from the Panel of Experts, and any key GFSC decision makers.
The presentation will be an integral part of the authorisations process and will give the applicant an opportunity to demonstrate how they will meet the GFSC’s regulatory outcomes/principles. We believe that this approach will help reduce the time taken to understand the business, assess the firm’s compliance with the principles and deliver an overall more effective authorisations process.
Once a licence has been granted, an onsite visit will be completed. This will give the firm the opportunity to evidence to the GFSC that the processes and controls implemented and communicated during the presentation are effective and work in practice.
The Regulatory Principles
The nine principles set out below applied to DLT Providers will ensure that the GFSC’s regulatory outcomes are achieved.
1. A DLT Provider must conduct its business with honesty and integrity.
The GFSC must be satisfied that the applicant, including the persons associated with it, are fit and proper to undertake the DLT activity. The basic elements which are relevant to such an assessment include:
- honesty, integrity and reputation;
- skill, competence, care and experience; and
- financial position.
2. A DLT Provider must pay due regard to the interests and needs of each and all its customers and must communicate with its customers in a way which is fair, clear and not misleading.
DLT Providers are expected to devote as much time and consideration to protecting consumers' interests as to their own, and dedicate sufficient resources necessary to protect consumers.
There is a need to use best endeavours to mitigate the risks associated with use of DLT and employ best practice in the operation of their business.
DLT Providers must make appropriate disclosures regarding:
- the use of DLT in the business;
- the risks associated with the technology and its use by firm; and
- the products and services supplied and associated risks.
DLT Providers need to make initial and per-transaction disclosure of risks, terms and conditions, as well as employing ethical advertising and marketing standards.
They must have adequate complaint policies and disclosures and be able to manage and disclose any conflicts of interest.
DLT Providers need to ensure that the information is presented in a way that is likely to be understood by the target customer and does not disguise, diminish or obscure important items, statements or warnings.
3. A DLT Provider must maintain adequate financial and non-financial resources.
DLT Providers are expected to maintain sufficient financial resources to ensure that it can be run in a sound and safe manner. Capital levels must be monitored to ensure that sufficient capital is held to support business objectives. Capital level must be commensurate with the prudential risks. As a minimum, DLT Providers are expected to hold sufficient capital to ensure an orderly, solvent wind-down of its business. Where appropriate, DLT Providers are required to hold professional indemnity insurance cover.
Consideration will therefore be given to the following:
- adequacy of financial resources;
- sustainability of business model;
- maintenance and retention of books and records; and
- audit and reporting standards.
In terms of non-financial resources, DLT Providers must ensure that it will be able to comply with the requirements imposed by the GFSC in the exercise of its functions.
4. A DLT Provider must manage and control its business effectively, and conduct its business with due skill, care and diligence; including having proper regard to risks to its business and customers.
DLT Providers are expected to apply good, forward-looking risk management practices. This will help provide assurance to all stakeholders that the core processes and systems are effectively controlled, are fit for purpose and that risk is being managed in the right way.
Strong risk management practices will make DLT Providers better equipped to act on risks and control in a timely manner, therefore reducing the likelihood of significant risks emerging that have not already been identified and managed effectively.
5. A DLT Provider must have effective arrangements in place for the protection of client assets and money when it is responsible for them.
DLT Providers are expected to take all reasonable precautions to protect customer assets in their custody or control against unexpected eventualities and threats. Custodial assets will need to be segregated from the DLT Provider’s own assets.
DLT firms need to ensure that they maintain robust and accurate records of transactions.
6. A DLT Provider must have effective corporate governance arrangements.
DLT Providers need to implement good corporate governance. This is crucial as it will establish the system by which firms will be run and business overseen, including its structure, processes, culture and strategies. It will establish the rules by which authority is exercised and decisions taken and implemented to manage all risk types and exposures.
DLT Providers need to deliver and maintain a corporate culture consistent with the secure and confident delivery of these principles. They need to have an open, cooperative and transparent relationship with the GFSC and other regulators and must disclose to them any matter of which the regulator would reasonably expect notice.
Areas of focus will include:
- board structure, including composition to ensure that there is a good balance and mix of skills and experience to complement the business;
- adequate application of the four eyes principle; and
- application of mind and management from Gibraltar.
7. A DLT Provider must ensure that all systems and security access protocols are maintained to appropriate high standards.
All systems used should ensure the right level of access to authorised personnel with up to date monitoring systems. On-going and proactive security assessments should be conducted on DLT technologies to keep up to date with any new threats and potential vulnerabilities.
- risk assessment of applications, underlying technology, and cybersecurity;
- policies, procedures and controls to ensure the delivery of this principle;
- skilled and experienced staffing;
- continuous vulnerability and threat analysis and assessment;
- continuous monitoring and response provisions; and
- independent compliance audit and reporting.
8. A DLT Provider must have systems in place to prevent, detect and disclose financial crime risks such as money laundering and terrorist financing.
DLT Providers must adequately apply anti-money laundering and counter terrorist financing preventive measures which are commensurate with their risks, and report suspicious transactions. DLT Providers need to be aware of the vulnerabilities of its products and services to financial crime risks and ensure that they implement measures to mitigate the risks.
DLT Providers need to comply with the Proceeds of Crime Act and any guidance issued by the GFSC.
9. A DLT Provider must be resilient and must develop contingency plans for the orderly and solvent wind down of its business.
DLT Providers need to develop, test and maintain adequate business continuity, disaster recovery and crisis management plans.
Preparedness for any potential threats or loss should form part of the disaster recovery plans as well as a well-managed and structured business continuity management process. Testing of the plans and its embedded processes should form part of the business model.
Unlike other sectors authorised by the GFSC, the wide scope of this regime means that the business models of DLT Providers may vary substantially in terms of complexity, size and risk.
Initial Application Assessment Fee
As part of the initial application assessment, the GFSC will carry out an initial assessment of the inherent risks and complexity of the applicant’s proposed activity and business model. An initial application assessment fee of £2,000 will be payable to the GFSC on the submission of the relevant information specified by the GFSC.
The full application fee that will become payable and the subsequent annual fee will be dependent on the complexity and category assigned to the DLT Provider. The criteria that will be used to assess the complexity of DLT Providers has been set out above.
The application fee that will become payable on submission of a full application will be as follows and in accordance with the complexity categorisation:
DLT Provider Category
Balance payable on submitting full application
Complexity Cat 1
Complexity Cat 2
Complexity Cat 3
The GFSC has the ability under the fees regulations to charge supplementary fees which may be used to cover the direct costs of the use of the Panel of Experts at authorisation stage. This would be disclosed and agreed with the applicant at the initial application assessment stage.
Application fees will be non-refundable.
The annual fees also take account of the complexity of the DLT Provider:
DLT Provider Category
Complexity Cat 1
Complexity Cat 2
Complexity Cat 3
Within 2 weeks of receiving a request for an initial application assessment, the Risk and Innovation team will carry out the initial assessment and categorise the firm according to the inherent risks and complexity of the applicant’s business model and activities
We are committed to the delivery of service level standards of 3 months for the assessment of an application for a DLT Provider.
Please be advised that the above service level standards refer to the period of time in which the GFSC holds applications for consideration. Where we require further information or documents from an applicant the service level standards will be suspended until we receive the requested information. The period of time an application is pending because of factors outside the control of the GFSC will not be accounted for under the service level standards.
Please note that should we be unlikely to meet our SLS’s, we will advise you as soon as possible
Frequently Asked Questions
1. Do Initial Coin Offerings (ICOs) or token sales fall within the DLT framework?
Generally, ICOs or token sales will not be caught under the DLT framework. However, there may be instances where, depending on what the token will be used for and how the token issue is structured, the token may fall within existing financial services legislation (for example, could be deemed as a Collective Investment Scheme, Alternative Investment Fund, etc.).
We would recommend that you seek independent legal advice to determine whether your ICO may be caught within existing financial services legislation.
The Government of Gibraltar and the GFSC are working on developing a legal and regulatory framework which will be aligned to the DLT framework, for the sale, promotion or distribution of tokens.
For further information on ICO or token sales please read the GFSC statement which can be found here.
2. Will firms currently licensed under existing financial services legislation require an additional licence? If so, what will be the process?
Firms who are currently licensed under existing financial services legislation, but use DLT in order to improve their controls, procedures and processes, will not need to obtain a separate licence under the DLT framework, unless the activities are not currently caught within the scope of the licence they hold (for example if you are licensed as a bank, and wish to use DLT as part of your process, a separate licence will not be required).
However, if you are licensed as a bank, but intend to provide virtual currency wallets and/or services you will be required to obtain a licence under the DLT regime).
3. Will DLT providers need to comply with Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) requirements?
DLT providers will be required, at the very minimum, to comply with local AML/CFT requirements – the Proceeds of Crime Act (POCA) and any AML/CFT requirements of any jurisdiction they may be operating in.
4. During what period is a token sale considered a relevant financial business?
The AML/CFT obligations commence the moment the ICO firm invites expressions of interest. This means that KYC documentation requirements starts at the pre-qualification public offering.
The AML/CFT obligations, other than record keeping, end upon distribution of the tokens.
5.What customer due diligence is expected to be conducted by ICO's?
The KYC obligations commence the moment the ICO firm invites expressions of interest from the public and must be completed before receipt of proceeds from the token sale.
The KYC requirements under POCA would include;
- Verification if person is a PEP, family member or close associate; determining that the applicant is not a designated person for TF, etc, or whether there are linked transactions with previous ICO.
- Determining that the applicant is not a designated person for TF, etc,or;
- whether there are linked transactions within the same ICO, regardless if this is during pre-sale or public sale stage.
It is generally accepted by the GFSC, that unless tokens can be withheld, due diligence is required to be collected on potential contributors before a public token sale takes place (a ‘white listing’ process).The extent of the captured due diligence would then be reviewed and adjusted under a risk based approach to ensure appropriateness on an offering by offering basis. Nonetheless, the FSC will consider alternative arrangements as long as the KYC obligations are met before receipt of proceeds.
6. Are firms offering token sales required to appoint a money laundering reporting officer (MLRO) based in Gibraltar?
Yes, the appointment of a MLRO is a requirement.
In the interim, and until the full development of the token regulations, the FSC would be satisfied for the MLRO function and AML/CFT procedural work to be outsourced to 3rd parties, in line with the GFSC’s Outsourcing Guidance Note. This also applies even if the MLRO is located outside of Gibraltar provided 1) it complies with local requirements and the individual is based within an EEA state with equivalent AML/CFT requirements.
Please be advised that the outsourcing of the function does not exempt the firm’s and its senior management’s, responsibility to ensure compliance with POCA.The FSC will consider how best to address this as part of the development of the token regulations.
7. What policies and procedures are required to be documented by firms offering token sales?
These should largely focus on the firm’s AML/CFT procedural policy under a risk based approach, such as the responsibilities of the MLRO, risk-based approach to KYC and actual KYC processes.
8. For firms offering token sales, what are the GFSC’s expectations with respect to compliance with the independent audit requirement?
The requirement and appropriateness of an audit for a firm conducting a token sale would be determined by the captured firm, but would not likely always be deemed necessary due to the short period of time it will be in existence as a “relevant financial business.” RFB.
If the FSC needs to seek reassurances of a firm’s system of controls, it would do so under its existing powers under POCA.
9. For firms offering token sales, what are the record keeping requirements?
The record keeping requirements apply to all one-off transactions over €15,000 and business relationships.
As a signpost to future requirements, the FSC will be seeking to introduce the same “traceability“ elements as those currently in existence for DLT providers (e.g. IP address, wallet address, Mac Address, etc.) to form part of the KYC documents once the full regulatory framework comes into play.
Professional advisors may want to start gearing up for this as soon as possible to account for all subscriptions to a token issue and linking this to the ID documentation provided in the pre-qualification stage.
The FSC is also considering/seeking views as to whether the one-off transaction limit should be reduced to €150 as per DLT transactions, or some other threshold.
10. Are ongoing monitoring requirements applicable for firms offering token sales?
There is no requirement for ongoing monitoring (i.e. after the sale has been concluded) in respect of a pure token sale.Should there be a secondary token market the due diligence requirements will sit with the relevant entities not the initial token issuing firm.