Distributed Ledger Technology Regulatory Framework (DLT framework)
As from the 1st January 2018, any firm carrying out by way of business, in or from within Gibraltar, the use of distributed ledger technology (DLT) for storing or transmitting value belonging to others (DLT activities), will need to be authorised by the Gibraltar Financial Services Commission (GFSC) as a DLT provider.
Firms seeking to apply are encouraged to speak to one of the local advisors as soon as possible.
Overview of the DLT Framework
The DLT framework positions Gibraltar as a jurisdiction which facilitates innovation, whilst ensuring it continues to meet its regulatory and strategic objectives, and understands the modern need for robust and speedy interaction with regulators in this fast moving area of business. The DLT framework will apply to activities, not subject to regulation under any other regulatory framework, that use DLT for the transmission or storage of value belonging to others. Firms and activities that are subject to another regulatory framework will continue to be regulated under that framework.
A flexible, adaptive approach is required in the case of novel business activities, products, and business models. We consider that regulatory outcomes remain central but are better achieved through the application of principles rather than rigid rules. This is because for businesses based on rapidly-evolving technology such hard and fast rules can quickly become outdated and unfit for purpose.
Application of The Regulatory Principles
The DLT framework adopts an outcome-focused, principles-based approach to regulating DLT providers. It is not a light or soft option. All DLT providers will need to operate to the same high standards and expectations as firms who are currently licensed under existing financial services legislation. The principles will be applied proportionately and on a risk based approach. Their application will be objective and targeted, measurable and verifiable, and appropriate to activities performed, product, business model and risk factors.
Since each DLT provider and its activities may be unique, the DLT principles have been designed to be flexible enough to be adapted to each firm’s characteristics and to its use of DLT.
The Regulatory Principles
The nine principles set out below will be applied to DLT providers will ensure that the GFSC’s regulatory outcomes are achieved.
1. A DLT provider must conduct its business with honesty and integrity.
The GFSC will need to be satisfied that the applicant, including the persons associated with it, are fit and proper to undertake the DLT activity. The basic elements which are relevant to such an assessment include:
- honesty, integrity and reputation;
- skill, competence, care and experience; and
- financial position.
2. A DLT provider must pay due regard to the interests and needs of each and all its customers and must communicate with its customers in a way which is fair, clear and not misleading.
DLT providers will be expected to devote as much time and consideration to protecting consumers' interests as to their own, and dedicate sufficient resources necessary to protect consumers.
There will be a need to use best endeavours to mitigate the risks associated with use of DLT and employ best practice in the operation of their business.
DLT providers must make appropriate disclosures regarding:
- the use of DLT in the business;
- the risks associated with the technology and its use by firm; and
- the products and services supplied and associated risks.
Providers will need to make initial and per-transaction disclosure of risks, terms and conditions, as well as employing ethical advertising and marketing standards.
They must have adequate complaint policies and disclosures and be able to manage and disclose any conflicts of interest.
DLT providers need to ensure that the information is presented in a way that is likely to be understood by the target customer and does not disguise, diminish or obscure important items, statements or warnings.
3. A DLT provider must maintain adequate financial and non-financial resources.
DLT providers will be expected to maintain sufficient financial resources to ensure that it can be run in a sound and safe manner. Capital levels will be monitored to ensure that sufficient capital is held to support business objectives. Capital level will be commensurate with the prudential risks. As a minimum, DLT providers will be expected to hold sufficient capital to ensure an orderly, solvent wind-down of its business. Where appropriate, DLT providers will be required to hold professional indemnity insurance cover.
Consideration will therefore be given to the following:
- adequacy of financial resources;
- sustainability of business model;
- maintenance and retention of books and records; and
- audit and reporting standards.
In terms of non-financial resources, a DLT providers must ensure that it will be able to comply with the requirements imposed by the GFSC in the exercise of its functions.
4. A DLT provider must manage and control its business effectively, and conduct its business with due skill, care and diligence; including having proper regard to risks to its business and customers.
DLT providers will be expected to apply good, forward-looking risk management practices. This will help provide assurance to all stakeholders that the core processes and systems are effectively controlled, are fit for purpose and that risk is being managed in the right way.
Strong risk management practices will make DLT providers better equipped to act on risks and control in a timely manner, therefore reducing the likelihood of significant risks emerging that have not already been identified and managed effectively.
5. A DLT provider must have effective arrangements in place for the protection of client assets and money when it is responsible for them.
DLT providers will be expected to take all reasonable precautions to protect customer assets in their custody or control against unexpected eventualities and threats. Custodial assets will need to be segregated from the DLT provider’s own assets.
DLT firms need to ensure that they maintain robust and accurate records of transactions.
6. A DLT provider must have effective corporate governance arrangements.
DLT providers will need to implement good corporate governance. This is crucial as it will establish the system by which firms will be run and business overseen, including its structure, processes, culture and strategies. It will establish the rules by which authority is exercised and decisions taken and implemented to manage all risk types and exposures.
DLT providers will need to deliver and maintain a corporate culture consistent with the secure and confident delivery of these principles. They will need to have an open, cooperative and transparent relationship with the GFSC and other regulators and must disclose to them any matter of which the regulator would reasonably expect notice.
Areas of focus will include:
- board structure, including composition to ensure that there is a good balance and mix of skills and experience to complement the business;
- adequate application of the four eyes principle; and
- application of mind and management from Gibraltar.
7. A DLT provider must ensure that all systems and security access protocols are maintained to appropriate high standards.
All systems used should ensure the right level of access to authorised personnel with up to date monitoring systems. On-going and proactive security assessments should be conducted on DLT technologies to keep up to date with any new threats and potential vulnerabilities.
- risk assessment of applications, underlying technology, and cybersecurity;
- policies, procedures and controls to ensure the delivery of this principle;
- skilled and experienced staffing;
- continuous vulnerability and threat analysis and assessment;
- continuous monitoring and response provisions; and
- independent compliance audit and reporting.
8. A DLT provider must have systems in place to prevent, detect and disclose financial crime risks such as anti-money laundering and countering terrorist financing (AML/CFT).
DLT providers must adequately apply anti-money laundering and counter terrorist financing preventive measures which are commensurate with their risks, and report suspicious transactions. DLT providers need to be aware of the vulnerabilities of its products and services to financial crime risks and ensure that they implement measures to mitigate the risks.
DLT providers will need to comply with the Proceeds of Crime Act and any guidance issued by the GFSC.
9. A DLT provider must be resilient and must develop contingency plans for the orderly and solvent wind down of its business.
DLT providers will need to develop, test and maintain adequate business continuity, disaster recovery and crisis management plans.
Preparedness for any potential threats or loss should form part of the disaster recovery plans as well as a well-managed and structured business continuity management process. Testing of the plans and its embedded processes should form part of the business model.
The GFSC will be issuing guidance to supplement each of the nine regulatory principles. The guidance will be published before the end of 2017 and will assist firms in understanding the GFSC’s expectations on the application of the principles.
The new regulated activity comes into force on the 1st January 2018. Any firm wanting to carry out DLT activities as from that date will need to apply for authorisation to the GFSC and only once and if the licence to operate as a DLT provider is granted, will the firm be allowed to carry out the activities.
However, any firm that is carrying out DLT activities in or from within Gibraltar, on or before the 31st December 2017 will be able to make use of the transitional arrangements. Firms will need to submit a complete application to the GFSC by the 31st March 2018. Failure to do so will require the firm to cease carrying out DLT activities immediately. During the period in which the GFSC is considering the application, the firm will be allowed to continue to operate pending the determination of the application.
Any firms carrying our DLT activities on or before the 31st December 2017, who wish to make use of the transitional arrangements is strongly encouraged to contact the Risk and Innovation team at the GFSC.
Panel of Experts
A non-statutory advisory panel that will consist of a number of subject matter experts will be established to assist the GFSC.
This panel will be set up to advise on developments in DLT that may affect the DLT framework, the GFSC, a licensee, or that may have an adverse or beneficial impact on the protection of consumers or the reputation of Gibraltar.
The advisory panel will also assist the GFSC in developing the content of the DLT guidance as well as advise on matters that may affect policy. The panel will be available to the GFSC, on request, to answer specific questions in relation to individual licence applications as well as advising on the application of the DLT principles.
Applying for Authorisations
We are committed to delivering a streamlined authorisation process which is consistent, fair and efficient. It will also which support speed to market for the industry whilst, at the same time, providing confidence that key risks are identified and mitigated in order to protect the public and the reputation of Gibraltar. As with all other regulated sectors, we will take a risk based approach to all aspects of the authorisation process.
We are committed to the delivery of service level standards of 3 months for the assessment of an application for a DLT provider.
Due to the varied nature of potential applicants and the wide scope of the framework, firms are strongly encouraged to seek advice from one of the local professional advisors in order to determine if the proposed business model would fall within the scope of the DLT framework. Early engagement with the GFSC’s Risk & Innovations team is also recommended. At least at the initial stages of the framework becoming operational, the Risk and Innovation team will lead on the assessment of applications for authorisation.
Given the nascent and innovative nature of DLT, we have incorporated some changes to the authorisations process, namely, the introduction of an initial application assessment and a comprehensive presentation.
As with all other activities and licence types, the GFSC welcomes, as a first step, for applicants to contact the Risk and Innovation team to discuss the application proposal, business model and type of activity and/or services the firm wishes to provide in, or from within Gibraltar. This pre-application engagement will provide an opportunity for the GFSC to give applicants any appropriate guidance on the application process, licensing regime, but more importantly, to discuss whether the proposed activity will fall within the scope of the DLT framework i.e. will the firm be using DLT for the transmission or storage of value belonging to others.
Initial Application Assessment
Once it is established that the proposed activities would fall within the scope of the DLT framework, firms will be required to follow our initial application assessment process.
As part of the initial application assessment, the GFSC will carry out an initial assessment of the inherent risks and complexity of the applicant’s proposed activity and business model. The initial application assessment will help us process applications expeditiously as well as provide us with a better understanding of the activities and services the firm proposes to conduct.
A non-refundable initial application assessment fee of £2,000 will be payable to the GFSC.
Within 2 weeks of receiving a request for an initial application assessment, the Risk and Innovation team will carry out the initial assessment and categorise the firm according to the inherent risks and complexity of the applicant’s business model and activities.
Although not an exhaustive list, the following factors will be taken into account when determining the inherent risk and complexity of an applicant’s business model and activities:
- how the firm will be applying the distributed ledger technology and its maturity;
- any added complexity due to the use of smart contracts;
- whether the firm will hold or control client assets;
- the type of customers the firm will be engaging with, such as retail, experienced or professional investors, or institutional;
- number and variety of products and services offered to customers;
- level of interaction and interplay with other types of regulatory regimes, and or the provision of other regulated or unregulated activities;
- whether the firm will be offering its customers investment-related products and services and the risks and complexity associated with such products and services;
- any functions outsourced to third parties and the materiality of such functions;
- the complexity of the firm’s organisational structure;
- exposure and vulnerability to money laundering and terrorist financing;
- whether the business model, products and or services have been successfully tried and tested; and
- the scale and size of the proposed operation.
The GFSC will exercise judgment when carrying out its assessment and in deciding the assessed category. The assessed full application fee and expected annual fee will be communicated to the firm. At this point, the GFSC will also communicate our expectation with regards to the application of the principles and highlight any specific controls we expect the firm to incorporate.
The full application fee and annual fee will depend on the assessed complexity category.
Any material interim changes to a DLT provider’s business model will need prior approval from the GFSC at which point consideration will be given to whether the complexity categorisation of the firm needs to be amended.
Full Application and Presentation
The application process at this stage, will largely mirror the application process applied to all other activities authorised and supervised by the GFSC.
One exception is that once the firm has submitted a complete application and paid the balance of the assessed application fee, applicants will be invited to deliver a presentation to the GFSC. Any specific requirements based on the nature and complexity of the proposed business will be communicated at the time of the initial application assessment.
Generally, the presentation is expected to cover the following areas:
- background on the key individuals driving the business including relevant skills and experience;
- business plan, including structure of the company/group, products and services, target market, strategy, etc.;
- financial projections; and
- evidence how the firm will meet the 9 regulatory outcomes/principles.
It is expected that GFSC staff present will include members from the Risk and Innovation team, any individuals required from the Panel of Experts, and any key GFSC decision makers.
The presentation will be an integral part of the authorisations process and will give the applicant an opportunity to demonstrate how they will meet the GFSC’s regulatory outcomes/principles. We believe that this approach will help reduce the time taken to understand the business, assess the firm’s compliance with the principles and deliver an overall more effective authorisations process.
Once a licence has been granted, an onsite visit will be completed. This will give the firm the opportunity to evidence to the GFSC that the processes and controls implemented and communicated during the presentation are effective and work in practice.
Unlike other sectors authorised by the GFSC, the wide scope of this regime means that the business models of DLT providers may vary substantially in terms of complexity, size and risk.
Initial Application Assessment Fee
As part of the initial application assessment, the GFSC will carry out an initial assessment of the inherent risks and complexity of the applicant’s proposed activity and business model. An initial application assessment fee of £2,000 will be payable to the GFSC on the submission of the relevant information specified by the GFSC.
The full application fee that will become payable and the subsequent annual fee will be dependent on the complexity and category assigned to the DLT Provider. The criteria that will be used to assess the complexity of DLT providers has been set out above.
The application fee that will become payable on submission of a full application will be as follows and in accordance with the complexity categorisation:
DLT Provider Category
Balance payable on submitting full application
Complexity Cat 1
Complexity Cat 2
Complexity Cat 3
The GFSC has the ability under the fees regulations to charge supplementary fees which may be used to cover the direct costs of the use of the Panel of Experts at authorisation stage. This would be disclosed and agreed with the applicant at the initial application assessment stage.
Application fees will be non-refundable.
The annual fees also take account of the complexity of the DLT provider:
DLT Provider Category
Complexity Cat 1
Complexity Cat 2
Complexity Cat 3
Further fees will be charged based on the size and activity of the DLT provider. The further fees will be developed and set during the second half of 2018. The GFSC will communicate and engage with the industry at this point.
The further fee will be calculated retrospectively from previous year’s audited financial statements. Accordingly, further fees will not be payable until the second year of operation.
Useful Documents and Links
The published Regulations can be found here
May 2017 Government of Gibraltar Consultation document
Seminar slides - 20th October 2017
GFSC Statement on ICOs
DLT Application Process and Fees document
Frequently Asked Questions
1. Do Initial Coin Offerings (ICOs) or token sales fall within the DLT framework?
Generally, ICOs or token sales will not be caught under the DLT framework. However, there may be instances where, depending on what the token will be used for and how the token issue is structured, the token may fall within existing financial services legislation (for example, could be deemed as a Collective Investment Scheme, Alternative Investment Fund, etc.).
We would recommend that you seek independent legal advice to determine whether your ICO may be caught within existing financial services legislation.
The Government of Gibraltar and the GFSC are working on developing a legal and regulatory framework which will be aligned to the DLT framework, for the sale, promotion or distribution of tokens.
For further information on ICO or token sales please read the GFSC statement which can be found here.
2. Will firms currently licensed under existing financial services legislation require an additional licence? If so, what will be the process?
Firms who are currently licensed under existing financial services legislation, but use DLT in order to improve their controls, procedures and processes, will not need to obtain a separate licence under the DLT framework, unless the activities are not currently caught within the scope of the licence they hold (for example if you are licensed as a bank, and wish to use DLT as part of your process, a separate licence will not be required).
However, if you are licensed as a bank, but intend to provide virtual currency wallets and/or services you will be required to obtain a licence under the DLT regime).
3. Will DLT providers need to comply with Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) requirements?
DLT providers will be required, at the very minimum, to comply with local AML/CFT requirements – the Proceeds of Crime Act (POCA) and any AML/CFT requirements of any jurisdiction they may be operating in.