As distributed ledger technologies (DLT; being the umbrella term that includes blockchains) and cryptocurrencies (also known as “digital currencies”, “virtual currencies”, “virtual assets”, “coins” and “tokens”) continue to develop and endeavour to become mainstream, many jurisdictions have been prompted to consider beginning to regulate this growing sector – at least in respect of anti-money laundering and counter funding of terrorism (AML/CFT) aspects. In Europe, cryptocurrency exchanges and custodian wallet providers have been brought within the scope of anti-money laundering regulation at EU law level in the form of the Fifth Money Laundering Directive, which had an implementation deadline of 10 January 2020, whilst the Financial Action Task Force (FATF) clarified that its Recommendations apply to activities relating to virtual assets and virtual asset service providers (VASPs), and in June 2019 they provided guidance on how to apply them. Any country that is desirous of meeting the FATF’s AML/CFT standards needs to develop a regime for the registration or supervision of the sector. Apart from AML/CFT legislation and guidelines, the absence of clear rules from regulators globally has made it much harder for the DLT industry to grow, and this absence continues to generate uncertainty amongst professional advisers and DLT service providers.
Gibraltar among the Leading Jurisdictions in the Regulation of DLT Businesses
Notwithstanding the above, Gibraltar has fast become one of the few jurisdictions of choice for DLT businesses. Gibraltar is one of the select jurisdictions in the world where it is possible to regulate DLT businesses in a bespoke manner to high internationally recognised standards. It is also possible for DLT businesses to open a bank account, subject to full compliance with AML/CFT legislation. The close partnership between Her Majesty’s Government of Gibraltar, the Gibraltar Financial Services Commission (GFSC) as the jurisdiction’s financial services regulator, and the private sector in Gibraltar, as well as the speed and agility with which Gibraltarian stakeholders are able to meet and advance jurisdictional strategic positioning, has given rise to the implementation of a comprehensive regulatory framework that encourages the development of fintech and DLT-related businesses on the Rock. This agility is much harder for larger jurisdictions to realise, and together with Gibraltar's longstanding reputation for high standards of regulations, has given rise to a credible regulatory framework for DLT businesses in Gibraltar.
The introduction by HM Government of Gibraltar of a specific DLT regulatory framework gave Gibraltar a first-mover advantage globally. It demonstrated Gibraltar’s desire to continue to lead the way in establishing a responsible but business-friendly environment that seeks to protect consumers, as well as safeguarding the jurisdiction’s economy and excellent reputation, whilst providing the required flexibility to encourage established businesses and start-ups alike in progressing their DLT business ventures.
The result is a set of DLT regulations that is outcomes-focused and principles-based, and perfectly strikes the balance between achieving regulatory outcomes and fostering innovation. The Financial Services (Distributed Ledger Technology Providers) Regulations 2017 of Gibraltar largely came into force on 1 January 2018, and it represented one of the first regulatory frameworks in the world to regulate DLT business providers.
As a consequence of the business and regulatory certainty provided by the DLT regulatory framework in Gibraltar, a number of high-profile and international businesses, as well as some great start-ups, have chosen Gibraltar as their home to establish their DLT businesses and apply for DLT Providers Licences.
All DLT providers need to operate to the same high standards and expectations as firms that are currently licensed under existing financial services legislation. The principles are to be applied proportionately and on a risk-based approach. Their application is objective and targeted, measurable and verifiable, and appropriate to activities performed, the product, the business model and risk factors. Since each DLT provider and its activities may be unique, the DLT principles have been designed to be flexible enough to be adapted to each firm’s characteristics and to its use of DLT.
Education Helps to Drive Improvement in DLT-Related Skills
In addition to the creation of the DLT regulatory framework, the University of Gibraltar has collaborated with HM Government of Gibraltar and a few of the private sector DLT firms and professional firms in Gibraltar to deliver technology-related education courses. These courses aim to address the growing demand for DLT-related skills as the sector continues to grow in Gibraltar. In addition, Gibraltar banks, legal firms, accounting firms, insurance firms and other professional service providers have all invested a significant amount of time and resource in order to train their employees so that a high degree of knowledge and experience in the DLT sector prevails amongst the private sector, which enables a first-class delivery of experienced service to those DLT businesses established in Gibraltar and internationally.
HM Government of Gibraltar has also created the Gibraltar Association for New Technologies (GANT). The principal objective of GANT is to promote the development of new technologies in Gibraltar and represent the interests of emerging new technology businesses established in Gibraltar. As an industry-representative body, GANT interfaces with HM Government of Gibraltar, the GFSC and other representative bodies to provide advice on new technology issues and to contribute to the discussion relating to client and investor protection, and promoting jurisdictional interests.
In addition to GANT, other key industry associations such as the Gibraltar Association of Compliance Officers, the Gibraltar Electronic Money Association and the Gibraltar Bankers Association operate as formal lines of communication between policy makers and the private sector in Gibraltar’s fintech and blockchain industries, facilitating the exchange of information and ideas, with a view to enhancing knowledge and awareness within the sectors.
Further, industry organisations have similarly embraced blockchain offerings. An example is the Gibraltar Funds and Investments Association, which has published a Code of Conduct for Crypto Funds in Gibraltar.
On the matter of regulating tokens, the Gibraltar government has long since publicised its intention to introduce regulations relating to the promotion and sale of tokens in and from Gibraltar. The proposals have included:
The scope and terms of the proposed token regulations remain under discussion between the government, the GFSC and private sector participants. In the interim, considerations relating to the issue and sale of security tokens and non-security tokens (also known as utility tokens) would, if applicable, come within the scope of existing legislation (such as the Proceeds of Crime Act 2015, the Financial Services Act 2019 and all its subsidiary legislation covering prospectuses, electronic money, Markets in Financial Instruments Directive (MiFID) considerations and collective investment schemes).
Preparations Leave Gibraltar Well Placed to Deal with Brexit
Brexit remains the featured upcoming challenge facing Gibraltar’s DLT sector (and in fact all economic sectors) following the COVID-19 public health crisis. Gibraltar has been a part of the European Union by virtue of the United Kingdom’s membership of the same. Gibraltar is presently set to leave the European Union with the United Kingdom at the end of 2020, unless an extension is agreed. In the interim, the transitional provisions that apply to the United Kingdom’s membership of the European Union apply to Gibraltar until the end of 2020. The government of Gibraltar has, however, worked hard to prepare Gibraltar for Brexit. A double taxation treaty between the United Kingdom and Gibraltar is now in place, as is an agreement between the United Kingdom and Gibraltar to allow financial services businesses established in Gibraltar to passport their services into the United Kingdom.
Whilst approximately 96% of all financial services providers and gaming operators established in Gibraltar deal primarily with the UK market, and continued access for these firms to the UK market is guaranteed to continue post-Brexit, the future of some financial services providers that rely on passporting their services into EU member states remains unclear and will be dependent on any deal reached between the United Kingdom and the European Union as may be applied to Gibraltar. In any event, licensed and regulated Gibraltar DLT businesses that provide their services across the globe, adhering to local legal and regulatory requirements (where these exist), are not expected to be significantly impacted by Brexit.
Since the introduction of the specific DLT regulatory framework in Gibraltar, several DLT businesses have established an operational presence in Gibraltar and have sought to become licensed and regulated. The principal business models centre around cryptocurrency exchanges, cryptocurrency custodians, lending platforms, asset management businesses and payment providers. In addition, a number of cryptocurrency Experienced Investor Funds have established a presence in Gibraltar because of the DLT business-friendly environment, the high calibre of professional advisers and sound, knowledgeable regulation. The ability to open bank accounts, undertake audits and deal with the tax authorities in a pragmatic manner all assist in continuing to attract these types of DLT business to the Rock to provide consumer-facing and B2B DLT services locally and internationally.
More recently, Gibraltar has been extremely fortunate to play host to, and work with, many innovative projects and businesses. Particularly current and garnering interest locally are regtech solutions for compliance with the application of FATF Recommendation 16 to VASPs (otherwise known as the "travel rule").
Gibraltar has created a specific DLT regulatory framework that is outcomes-focused and principles-based. The Financial Services (Distributed Ledger Technology Providers) Regulations 2017 of Gibraltar largely came into force on 1 January 2018, and it represented one of the first regulatory frameworks in the world to regulate DLT business providers.
Any DLT provider that, by way of business in or from Gibraltar, uses distributed ledger technology to store or transmit value belonging to others must be licensed and regulated and is required to abide by the following nine regulatory principles:
DLT service providers are regulated by the GFSC, which is the regulator of the financial services industry in Gibraltar.
With regard to the regulation of the sale and issuances of tokens, the regulation of secondary markets in tokens and other ancillary services relating to tokens, existing laws and regulations in Gibraltar, which are based on EU law, may be applicable.
The EU Anti-Money Laundering Directive (MLD4) has been transposed in Gibraltar by the Proceeds of Crime Act 2015 (POCA). The local legislation is applicable to businesses that receive proceeds from cryptocurrencies, and they must therefore comply with the Act. These obligations are akin to the obligations on other financial services providers. The local legislation sets out that a “relevant financial business” must apply different levels of due diligence measures based on a risk-based approach, which are customer due diligence, simplified due diligence or enhanced due diligence.
POCA was further amended on 18 March 2018 to include financial undertakings that receive, whether on their own account or on behalf of another person, proceeds in any form from the sale of tokenised digital assets involving the use of distributed ledger technology or a similar means of recording a digital representation of an asset.
Readers should also be wary of cryptocurrency exchanges and custodian wallet providers being brought within the scope of anti-money laundering regulation at EU law level in the form of the Fifth Money Laundering Directive.
Gibraltar is currently developing a technology solution to address the FATF Recommendation 16 as applicable to VASPs and other financial institutions. The technology stack will be designed to automatically collect information as Gibraltar-based firms make financial transfers. Gibraltar’s licensed and regulated blockchain firms are subject to the same supervisory regimes as banks or financial services firms in the jurisdiction.
The GFSC is the regulator for financial services firms and DLT businesses in Gibraltar. In some instances, the function of the GFSC may overlap with that of other regulators. For example, gaming operators in Gibraltar that provide spread betting services are regulated by the Gambling Commission as well as by the GFSC due to the fact that spread betting comprises a contract for difference, which falls within the scope of a “financial instrument” (as such term is defined in the Financial Services Act 2019).
The GFSC’s approach to supervision is risk-based and outcome-focused, allowing it to act proportionally on the basis of the prevailing circumstances of the licensee. The GFSC periodically reviews the level and type of supervision to identify new or emerging material risks or where the nature and scale of a regulated entity’s business changes.
The Gibraltar DLT ecosystem was bolstered with the launch of GANT. The aim of GANT is to encourage co-operation between the members of the association and to stimulate the participation of new technologies in Gibraltar’s financial industry. It also aims to establish a recognised medium for communication between the association and stakeholders in the new technologies space. GANT also works closely with the government of Gibraltar, the Gibraltar Financial Services Commission and the University of Gibraltar to ensure the development of a strong and sustainable industry, including the delivery of educational programmes that will help advance a core understanding of the underlying technologies supporting the sector.
There has not yet been any notable litigation in Gibraltar relating to the interpretation of the local legal regime applicable to the use of blockchain in Gibraltar. However, English law is persuasive in Gibraltar and there have been a number of English law judgments (eg, in the case of AA v Persons Unknown  EWHC 3556 (Comm), where the English Commercial Court granted an interim proprietary injunction over Bitcoin, thereby confirming its status as property) that would be regarded by the Gibraltarian courts in any local litigation.
The author is not aware of any enforcement actions against any DLT providers in Gibraltar that have been published, but does understand that the Gibraltar Financial Services Commission has historically issued warnings against token issuers and token sellers undertaking such activity in or from Gibraltar.
Gibraltar has adopted a novel approach towards regulating blockchain businesses. No regulatory sandbox exists in Gibraltar – instead, Gibraltar has built a purposeful bespoke regulatory framework designed specifically for DLT business that allows DLT businesses that store or transmit value belonging to others to become fully licensed and regulated to the high standards of regulation that Gibraltar is internationally renowned for. This approach allows regulatory objectives (such as orderly market, financial stability and consumer protection) to be achieved whilst allowing the regulator to promote business activity by taking a proportional approach having regard to factors such as the size, scale, risk and business activity of the DLT business.
The GFSC has also established an "Innovate and Create Team" that seeks to encourage innovation by supporting those businesses looking to develop innovative ideas for financial products, and introduce new services into the market.
Gibraltar taxation law makes no special provision for crypto-assets. They are, therefore, to be taxed in accordance with the general underlying principles of Gibraltar tax as contained in the Income Tax Act 2010. This means that when answering any question as to the treatment of crypto-assets for taxation purposes, one should merely consider the treatment of any similar asset. The fact an asset is a digital asset has no influence on its tax treatment.
Under the general principles of Gibraltar taxation law relating to the profits or gains arising from the disposal of any asset, the relevant matter is the nature of the activity that gives rise to the profit or gain, not the nature of the assets in themselves. If the disposal giving rise to the profit or gain is by way of trade, then such profit or gain will be taxable as income; if the profit or gain is not generated by a disposal by way of trade, then the profit or gain will be treated as a capital gain. It is pertinent to point out that no capital gains tax is levied under Gibraltar law. It is also worthy of note that income generated by a company that is not accrued in or derived from Gibraltar is not subject to tax in Gibraltar.
HM Government of Gibraltar established GANT. Please refer to 1.1 Evolution of the Blockchain Market and 2.4 Self-Regulatory Organisations for details.
There is no Gibraltar law, interpretative provision or judicial decision that specifically governs the determination of when transfer of ownership takes place in respect of a digital asset whose transfer is determined based on an instruction given to a blockchain network using a private cryptographic key. From a technological perspective, the answer will depend on the number of transaction confirmations deemed necessary by the crypto-asset custodians (or wallet service providers) in order to confirm a transaction.
One should, however, consider the role of contract law and equitable principles (as well as equitable relief) in circumstances where parties to a transaction agree to a transfer of a digital asset and consideration for that transfer passes from one party to another, but the actual transfer of the digital asset effected by way of an instruction given to a blockchain network using a private cryptographic key is not undertaken or is undertaken incorrectly.
There is no categorisation of the different types of digital assets under Gibraltar law.
A legal analysis of the categorisation of a digital asset will usually first be undertaken to determine whether it comes within the scope of a “financial instrument” (as such term is defined in the Financial Services Act 2019, which together with its subsidiary legislation transposes MiFID II into Gibraltar law).
A “financial instrument” would generally include:
The proposed activity relating to the digital asset (ie, whether there is a public offering or other sale, or whether investment or advisory services are being provided) may be a regulated activity depending on whether the digital asset is classified as a “financial instrument”.
The tax treatment of the digital asset may also depend on its classification.
Digital assets are not considered legal tender in Gibraltar. They are not issued or guaranteed by the Gibraltar government. However, it is possible, depending on structure, usability and how widely accepted it is, that a digital asset whose value is intended to be pegged to a fiat currency (or to another digital asset that is itself pegged to a fiat currency) could come within the scope of the Financial Services (Electronic Money) Regulations 2020. Electronic money is defined as an electronically, including magnetically, stored monetary value as represented by a claim on the issuer, which is issued on receipt of funds for the purpose of making a payment transaction, and accepted by a natural or legal person other than the electronic money-issuer. There would usually be an issuer of e-money and it would be necessary for e-money to be widely accepted for retail purposes and not restricted to a particular platform. In addition, it would be necessary for a digital asset to be redeemed by a third party for fiat currency at par value in order to qualify as e-money.
Apart from the above possibility, no distinction is made for Gibraltar legal purposes between stablecoins backed by deposits of fiat currency and “algorithmic” stablecoins that use a formula to maintain their peg.
Certain private businesses in the retail sector and some professional services firms in Gibraltar, as well as DLT-related businesses in Gibraltar, accept payment for goods and services in cryptocurrencies.
As stated in 2.2 International Standards, there is a requirement for financial businesses to undertake due diligence (including source of wealth and source of funds checks) under POCA.
Gibraltar has no specific laws or regulations relating to the sale of non-fungible tokens.
If non-fungible tokens being offered for sale in Gibraltar come within the scope of “financial instrument” (as such term is defined in the Financial Services Act 2019), then Gibraltar laws relating to the sale or promotion of these financial instruments in or from Gibraltar will apply. (See 3.2 Categorisation for further details of what a “financial instrument” might comprise.)
As at the end of April 2020, Gibraltar has 13 fully licensed and regulated DLT providers. All of those DLT providers that operate as markets for digital assets are custodial exchanges, and all have internationally based customers. No non-custodial exchanges or decentralised exchanges (DEXes) are currently registered or operating in or from Gibraltar.
Retail consumers in Gibraltar will usually either use Gibraltar-regulated cryptocurrency exchanges or internationally based cryptocurrency exchanges that allow fiat currency and cryptocurrency deposits and withdrawals, in order to convert fiat currency into cryptocurrencies and vice versa.
Individuals or businesses undertaking large trades will usually avail themselves of OTC desks operated by cryptocurrency exchanges or cryptocurrency brokers. Cryptocurrency exchanges or brokers operating in or from Gibraltar must have a DLT Provider's Licence issued by the Gibraltar Financial Services Commission.
In addition, such businesses operating in or from Gibraltar will be subject to KYC and AML/CFT statutory obligations under POCA. Please see 4.3 KYC/AML for further details of the statutory obligations with regard to AML/CFT.
POCA provides that a “relevant financial business” must apply different levels of due diligence measures based on a risk-based approach, which are customer due diligence, simplified due diligence or enhanced due diligence to prevent, detect and disclose financial crime risks such as money laundering and terrorist financing. POCA was amended on 18 March 2018 to include financial undertakings that receive, whether on their own account or on behalf of another person, proceeds in any form from the sale of tokenised digital assets involving the use of distributed ledger technology or a similar means of recording a digital representation of an asset.
Readers should also be wary of cryptocurrency exchanges and custodian wallet providers being brought within the scope of anti-money laundering regulation at EU law level in the form of the Fifth Money Laundering Directive.
Relevant financial businesses (that come within the scope of POCA) are also required to appoint money laundering reporting officers (MLROs). MLROs are responsible for overseeing an organisation’s AML/CFT internal and external reporting obligations, establishing organisational systems and procedures and providing training to enable personnel in the organisation to detect financial crimes and prevent the organisation being involved in these. They are also responsible for undertaking independent audits, risk assessment and risk management, compliance management, record-keeping and tests of customer due diligence measures.
Any business operating in or from Gibraltar may also use DLT (in the form of chain analysis tools) to assist with AML/CFT checks in respect of cryptocurrencies that they receive from their customers.
It should also be noted that Gibraltar is positioning itself to comply with the FATF’s Recommendation 16 as it applies to virtual assets and virtual asset service providers.
The GFSC is the single regulator in Gibraltar that oversees the regulation of all financial services providers, including markets for digital assets.
Gibraltar has transposed MiFID II into local legislation and, as such, multilateral trading facilities, organised trading facilities and other exchange-related activities (including those dealing with digital assets) will come within the scope of MiFID II requirements and under the purview of the GFSC.
There have as yet been no significant enforcement actions under the DLT regulatory framework or MiFID II rules in respect of any markets for digital assets operating in or from Gibraltar.
The DLT regulatory framework will apply to all DLT providers operating by way of business in or from Gibraltar that store or transmit value (which includes digital assets) that belongs to others. Please refer to 2.1 Regulatory Overview for further details of the DLT regulatory framework.
A licensed and regulated Gibraltarian DLT provider that operates a business involving the re-hypothecation of their customers’ digital assets will be subject to the conditions and limits (if any) that may be imposed by the GFSC on their business operating model in order to mitigate risks to customers. Apart from any such conditions and limitations that may be imposed on such businesses on a case-by-case basis, general principles of contract law and unfair contract terms will apply to any contractual arrangements between businesses and their customers in this regard.
The DLT regulatory framework will apply to all DLT providers operating by way of business in or from Gibraltar that store or transmit value (which includes digital assets) that belongs to others. Please refer to 2.1 Regulatory Overview for further details of the DLT regulatory framework.
The classification of a token is an important preliminary consideration in determining the applicable legislative framework (if any) that applies to an offer for sale of such tokens. The determination of whether a token is classified as a “financial instrument” will assist in determining whether the activity of fundraising through the creation and sale of tokens is a regulated activity. (See 3.2 Categorisation for further details of what a “financial instrument” might comprise.)
If a token is classified as a “financial instrument” (which includes a “transferable security” as defined in point (44) of Article 4(1) of Directive 2014/65/EU), the applicable EU legislative frameworks (as transposed into Gibraltar law) will apply.
In the event that the token could be classified as a “transferable security”, the sale and promotion of such tokens in or from Gibraltar would trigger legislative and regulatory compliance requirements. For example, a requirement to issue a prospectus would arise under the Prospectus Regulation (Regulation (EU) 2017/1129 of the European Parliament and of the Council of 14 June 2017 on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market, and repealing Directive 2003/71/EC, as amended from time to time).
Similarly, if the token comes within the broader statutory definition of a “financial instrument”, other requirements arising under the Financial Services Act 2019 and its secondary legislation may apply. In addition and in particular, business activities that involve financial instruments (such as providing investment services or dealing with financial instruments for and on behalf of clients) would also come within the scope of these legislative measures.
The determination of whether the promotion and sale of digital assets comprises securities activity or commercial activity will therefore be driven by the determination of the nature of the token.
Please refer to 5.1 Initial Coin Offerings.
In addition, where a digital asset exchange that operates in or from Gibraltar is used as an intermediary for the promotion or sale of digital assets, that digital asset exchange must itself be licensed and regulated under the DLT regulatory framework. If the token being promoted and sold through such a digital asset exchange falls within the scope of a “financial instrument”, then it is possible that the activities of the digital asset exchange operating in or from Gibraltar in connection with the promotion and sale of such a token qualify as investment services and therefore the digital asset exchange would likely need to be licensed under MiFID II in addition to the DLT regulatory framework.
The Financial Services Act 2019 defines a “collective investment scheme” as “any arrangement with respect to property of any description, the purpose or effect of which is to enable persons taking part in the arrangement (whether by becoming owners of the property or any part of it or otherwise) to participate in or receive profits or income arising from the acquisition, holding, management or disposal of the property or sums paid out of such profits or income.”
The arrangement must be such that the investors do not have day-to-day control over the management of the property, whether or not they have the right to be consulted or to give directions. In addition, the contributions of the participants and the profits/income out of which payments are to be made to them should be pooled, and the property must be managed as a whole by or on behalf of the operator of the scheme.
It is common for either an Experience Investor Fund (EIF) or a Private Scheme (PS) structure to be used for cryptocurrency funds established in Gibraltar.
A PS structure may be more appropriate where a CIS is established by or for a small group of persons already known to each other, and where there will be no promotion of the CIS.
Where there will be promotion to experienced investors, the EIF will generally be more suitable. Experienced investors are deemed to be persons who invest at least EUR100,000 (or currency equivalent) in the EIF, or prove a net worth of at least EUR1 million excluding their personal residence. The EIF regime required EIF-licensed directors and other licensed service providers to be in place. It is possible that an EIF may come within the definition of an alternative investment fund (AIF). Accordingly, there may be other considerations that are applicable, both in terms of the sale, promotion and management of the AIF, as well as the depositary arrangements for AIF units.
The Gibraltar Funds and Investment Association has published a draft code of conduct for Gibraltar cryptocurrency funds. The code of conduct deals with the custody of digital assets, valuation considerations, corporate governance and security.
EU legislation as transposed into Gibraltar law and that relates to broker dealers and financial intermediaries exists in relation to “financial instruments” – see 3.2 Categorisation for further details of what a “financial instrument” might comprise. As such, where a digital asset comprises a “financial instrument”, then such legislative provisions will apply.
In addition, the provisions of the DLT regulatory framework will bite if broker dealers and financial intermediaries, by way of business in or from Gibraltar, use distributed ledger technology to store or transmit value belonging to others.
Providing investment and ancillary services relating to digital assets that do not comprise “financial instruments” is not currently regulated in Gibraltar. The government of Gibraltar has proposed to regulate the provision of investment and ancillary services in or from Gibraltar and to the extent not otherwise caught by existing legislation. This new regulation is intended to cover advice on investment in tokens, virtual currencies, and central bank-issued digital currencies, including:
This will be proportionately modelled on provisions that currently exist under MiFID II with the aim of ensuring that such services are provided fairly, transparently and professionally.
There are no specific laws, regulations or binding judicial decisions addressing the legal enforceability of private contractual arrangements made in whole or in part utilising smart contracts.
The generally accepted view is that normal principles of contract law will apply to the enforceability of smart contracts. However, there are open issues that remain to be addressed with regard to smart contracts, including jurisdiction and governing law, representations and warranties, and general boiler plate clause provisions. These issues are usually addressed where the parties to a smart contract also have a formally executed written contract that sets out the terms and conditions that would not (or could not) be incorporated into the code of a smart contract. However, the issue of whether a developer who codes a smart contract does so faithfully and correctly to give intention to the parties’ wishes is another matter.
There is no legislation or case law in Gibraltar to suggest that developers of blockchain-based networks or the code that runs on these networks are held to the standards of, or considered to be, fiduciaries. It could be the case that a Gibraltar court in time does reach such a decision, but until such time the contractual terms and conditions between developers and those that engage them will prevail as to the nature and quantum of liability of developers and the remedies available.
The Financial Services (Moneylending) Act and subsidiary legislation would apply to decentralised financial (DeFi) businesses operating in or from Gibraltar where such businesses actually provide credit facilities, rather than simply matching lenders and borrowers. In the case of DeFi platforms simply matching lenders and borrowers, it is likely that the Financial Services Act 2019 may apply depending on the specifics of the business activities. If the DeFi platform also stores or transmits digital assets belonging to others, the DLT regulatory framework would also apply (see 2.1 Regulatory Overview for further details).
A lender would ordinarily take security over digital assets pledged as collateral for a loan through a smart contract that facilitates the lending transaction. Where no smart contract exists, it is possible for an escrow agent or custodian to hold the digital assets as security for the lender pursuant to the terms and conditions of an escrow agreement or similar contractual arrangement. These security arrangements would not normally be capable of being pledged or registered against the borrower where the borrower is a corporate entity, unless the borrower enters into a formal security agreement (which would be unlikely).
Depending on the nature of the investment activity, professional investors may be required to transfer digital assets to a custodian. Regulated entities will usually consider risk management and risk mitigation practices and either have adequate and suitable arrangements in place to custody digital assets themselves or reduce their exposure and outsource the custody function to a professional digital asset custodian.
Digital asset custodians operating in or from Gibraltar would be required to be licensed and regulated under the DLT regulatory framework. (See 2.1 Regulatory Overview for further details.)
At present, the European Union’s General Data Protection Regulation (GDPR) applies in its entirety in Gibraltar.
Article 4(1) of the GDPR defines "personal data" as "any information relating to an identified or identifiable natural person". An identifiable natural person is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The six principles of data privacy established in the GDPR are as follows:
Lawfulness refers to the six lawful bases that businesses have to process an EU citizen’s personal data, which are as follows:
The limitation principle demands that data is only processed in the manner disclosed.
The data minimisation principle provides that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Personal data must also be kept accurate and up to date, and identification of data subjects must be possible only for as long as is necessary for the purposes for which personal data is processed. Personal data should also be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
As such, DLT businesses will usually develop privacy policies and cookie policies and website usage policies as well as terms and conditions that comply with the foregoing.
Following on from 8.1 Data Privacy, data (such as payment data) relating to the object of the transaction will be unlikely to contain any information relating to an identifiable person, and will likely therefore fall outside the scope of the GDPR. Data relating to a transaction that contains the sender’s and recipient’s addresses and other such details about a data subject may come within the scope of the GDPR if it is not fully and irreversibly anonymised. Encrypted data that can be accessed with the correct private keys is not irreversibly anonymised. Further, where encrypted data can be combined with additional information to identify the data subject, that may also be deemed to be personal data.
As such, care needs to be taken in the design of the structure of blockchains and the data that is stored on them. The considerations between decentralised, permissionless blockchains and more private permissioned blockchains will also vary, particularly with regard to identifying who the data controllers and data processors are, and their obligations.
GDPR confers many rights on data subjects, including:
The enforcement of all of these rights can give rise to challenges in the context of blockchain technology. However, structural solutions (eg, linking off-chain data to on-chain data) and technological solutions (such as the use of ring signatures and zero-knowledge proofs) exist that may assist in overcoming these challenges.
The mining of digital assets on blockchain networks that operate on a “Proof of Work” consensus protocol is permitted in Gibraltar. This activity of itself is not covered by any specific legal regulatory framework. However, one needs to look at how the mining activity is conducted – if the mining activities involve a collective group of people and shared infrastructure, it could be possible that the arrangement qualifies as a collective investment scheme. Similarly, some arrangements require the mining business to accept investments from investors for the deployment of hardware, and investors are paid in mining rewards. It could be that where the business transmits value belonging to others then the DLT regulatory framework is triggered.
The mining of digital assets on blockchain networks that operate on a “Proof of Stake” consensus protocol is permitted in Gibraltar. This activity of itself is not covered by any specific legal regulatory framework.
However, one needs to consider whether the activity of staking comes within the legal definition of a “game of chance” as defined in the Gambling Act 2005. It is acknowledged that the Gambling Act 2005 never envisaged Proof of Stake mining, and therefore it remains open for the Gambling Commissioner to take a view in respect of this activity and whether it falls within the scope of the said Act.
Gibraltar’s regulatory standards and framework for the regulation of virtual asset service providers (VASPs) in the fast-paced and dynamic world of distributed ledger technology (DLT) has been central to the success of Gibraltar’s developed DLT industry.
While DLT is still a relatively nascent technology, Gibraltar understood the need for proactive and purpose-built regulation for operators in the space, with the government of Gibraltar approaching this emerging industry with a receptive and innovative attitude as far back as 2014. It is this progressive approach that has allowed Gibraltar to position itself as a global standard-setting jurisdiction for reputable DLT firms that want to take advantage of the numerous benefits this technology offers, but that want to do so in a safe and (appropriately) regulated environment.
The jurisdiction has taken, and continues to take, the steps required to maintain its position. Its regulatory approach allows DLT firms to grow whilst ensuring that they are regulated to a higher standard than is currently required by EU standards and also keeping up-to-date with Financial Action Task Force (FATF) recommendations.
Gibraltar’s DLT Regime
Gibraltar’s DLT regime was fully enacted in January 2018 through the Financial Services (Distributed Ledger Technology Providers) Regulations 2017, now the Financial Services (Distributed Ledger Technology Providers) Regulations 2020 (the “DLT Regulations”). The introduction of the DLT Regulations meant that any firm using DLT for storing or transmitting value belonging to others, in or from Gibraltar, needs to be authorised by the Gibraltar Financial Services Commission (GFSC) as a DLT provider.
Gibraltar’s DLT framework was the world’s first purpose-built regulatory framework for businesses using DLT. By operating through a risk-based nine-principle approach, rather than rigid rules, the framework is able to evolve with the fast-moving industry. It further enables firms to use innovative solutions, provided that they are able to satisfy the GFSC that they meet the regulatory obligations. The effect of such an innovative approach has meant that, whilst other jurisdictions are lagging behind, and struggling to legislate at the rate that technology is developing, Gibraltar remains ahead of the pack and for the most part is anticipating and legislating far in advance of FATF recommendations and worldwide threshold requirements.
Gibraltar’s risk-based principled approach has enabled the GFSC to maintain an added layer of supervisory oversight that permits it to take a view on the adequacy of new technologies used to support its customer due diligence (CDD) and/or know your customer (KYC) requirements as well as building in requirements around the traceability of transactions relating to any customer. This includes records and identifiers of devices and network connections, transaction monitoring processes and transaction history analysis.
All of this was facilitated through the requirements imposed on DLT firms in Gibraltar to have specific systems designed to detect and disclose financial crime risks. The effect was that Gibraltar’s DLT firms and DLT Regulations remained largely unaffected by the enactment of the Fifth Anti-Money Laundering Directive (5AMLD) earlier in 2020.
Upon releasing 5AMLD, the European Commission issued the following statement: “we are today marking an important step in fighting against financial crime.” Upon first reading this quote, one may think that 5AMLD had dramatically moved the goalposts. Indeed, in relation to the DLT sphere, 5AMLD has introduced requirements for digital wallet providers and crypto-asset/cryptocurrency exchanges to be subject to registration and supervision for AML compliance.
Many authorities will dramatically increase the regulatory control and supervision of DLT firms operating from their jurisdictions. In fact, most authorities that regulate DLT do so specifically and solely in relation to AML/CFT, so falling in line with 5AMLD. This includes financial services hubs such as the United Kingdom, which is often regarded as operating one of the most tightly regulated financial services markets in the world.
Many jurisdictions may have been forced to react and introduce legislation or regulations that encompass the requirements of 5AMLD in respect of virtual assets only this year. In contrast, Gibraltar’s regulatory approach has meant that, in this context, Gibraltar has been 5AMLD compliant since 2017 – two years before the 5AMLD was transposed and given effect. Similarly, the activity captured within the DLT framework is wider and captured certain activity in the space that is carved out of 5AMLD. The reason these businesses have been required to operate within these compliance standards for so long is because under the DLT Regulations, DLT firms became “Relevant Financial Businesses” within the context of Gibraltar’s Proceeds of Crime Act 2015 (POCA), and accompanying Anti Money Laundering Guidance notes. In essence, DLT firms were subject to exactly the same standard as all existing financial services businesses, with additional requirements within the guidelines specific to DLT businesses.
Thus, the registration and supervision that is now faced by DLT firms in jurisdictions such as the United Kingdom has been in place in Gibraltar since 2017. This affirms that Gibraltar’s stance strikes the right balance between enabling DLT firms in Gibraltar to grow in a far more secure and more regulated environment.
Indeed, this is also the case with the 2019 Financial Action Task Force recommendations, which has caused the legislation of many jurisdictions (only recently enacted) to arguably become outdated or inconsistent with the Financial Action Task Force’s recommendations.
Financial Action Task Force
In October 2018 the Financial Action Task Force adopted changes to its recommendations to explicitly clarify that they apply to Financial Activities involving "virtual assets" and added two new definitions relating to "Virtual Assets" and "Virtual Asset Service Providers". The FATF adopted its interpretative note at its June Plenary last year to clarify how the FATF requirements should apply, in particular in respect of the application of a risk-based approach to virtual asset activities and VASP operations, with supervision or monitoring for AML/CFT purposes, licensing or registration, preventative measures such as CDD, record-keeping, suspicious transaction reporting and other sanctions and enforcement measures. Gibraltar has had the regulation and licensing of VASPs in place for a few years and continues to work on the adoption and interpretation of Recommendation 16, better known as the Travel Rule, upon which Gibraltar’s Minister for Digital and Financial Services, Albert Isola, has already announced Gibraltar is intending on acting.
Gibraltar continues to position itself ahead of the curve and whilst many jurisdictions are now commencing steps to tackle their lack of regulations, and introduce simple-level VASP regulation that relates mostly to compliance, Gibraltar has had a far more detailed licensing regime in place since 2018.
One example of this is the suggestion from FATF that VASPs should be required to meet "registration criteria set by relevant authorities." The wording in the recommendations cites the fact that authorities should "impose such conditions on licensed or registered VASPs to be able to effectively supervise the VASPs. Such conditions should allow for sufficient supervisory hold and could potentially include, depending on the size, nature of the VASP activities, requiring a resident executive director, substantive management presence or specific financial requirements." Gibraltar-authorised VASPs are required to comply with principles relating to customer care and communication, adequate risk disclosure, specific suitability analysis in certain cases, regulatory capital adequacy requirements and financial and non-financial resources, business continuity, contingency and insurance requirements, specific governance arrangements, requirements around systems and security access protocols, including cybersecurity and IT vulnerability penetration testing, risk management, client asset protection and segregation, and, as mentioned previously, specific financial crime provisions.
One of the commonly referred-to risks within DLT and virtual assets revolves around the integrity of those markets. The International Organization of Securities Commissions (IOSCO) has identified several issues that merit consideration and that relate to transparency, custody, clearing and settlement, trading, security and systems integrity. It is also recognised that the fostering of innovation needs to be balanced with the appropriate level of regulatory oversight, especially in the context of a market that ultimately requires consumer confidence in this emerging market.
Of course, principles relating to all regulated secondary and other markets are well defined and relate in part to the integrity of trading through fair and equitable rules, regulation that promotes transparency of trading, which is designed to detect and deter manipulation and unfair trading and the management of large exposures, default risk and market disruption. Foreign exchange markets, stock markets and commodity brokers face or have faced market risks in the past but fall squarely within these rules and frameworks now. Whilst still possible on these traditional markets, such activity is certainly less prevalent than in the crypto markets, which by and large remain unregulated.
Market manipulation exists in the crypto sphere for a variety of reasons. Primarily, an exchange may wish to manipulate its trading volume in order to receive referrals from popular crypto websites, thus ensuring that more users who are new or entering into the crypto space decide to do business with themselves. The result is that these exchanges may increase their listing fees for users to list their tokens on an exchange. The effect of which is less liquidity on these exchanges, making the prices more volatile, which facilitates whaling, in which those traders with large capital or those holding a large amount of a specific coin are able to push the market in their favoured direction. This will ordinarily entail raising the coin's price and then selling off all of their coins once the price reaches its peak, causing a drastic fall in the value of the currency.
Other key ways that exchanges may manipulate the markets include freezing assets on their platform, staging system breakdowns that prevent investors from withdrawing their assets, and wash trading, which involves traders buying and selling the same security to mislead other traders. Whilst all these tactics may well have been utilised in the past in forex, commodity exchanges or the stock market in general, the fact is that they are now prevented from doing so under regulation.
Therefore, it is vital that DLT exchanges are adequately regulated in order to bring the DLT sphere into the mainstream and increase consumer confidence that their money is being traded fairly and not subject to any form of manipulation. As it stands, no jurisdiction in the world has properly defined market rules and frameworks for virtual asset exchanges.
However, as is becoming common practice in the market, Gibraltar is once again leading the way in this sector, with Minister Isola confirming in an interview with financial news outlet “The Banker” that, within the coming months Gibraltar is planning to introduce a tenth core principle to its DLT Regulations to develop market integrity standards for exchanges in this space. In so doing, Gibraltar will once again be leading the way in the crypto market and undoubtedly be setting an example for other jurisdictions to follow in its footsteps, as was the case in 2017 when Gibraltar’s DLT Regulations were first introduced.
Additionally, Minister Isola’s announcement shows that Gibraltar’s pioneering approach to regulate this sector by setting principles emphasises how modern problems require modern solutions. It should further instil confidence in the market, not only crypto but all emerging technologies, that Gibraltar is a good home, combining regulation with flexibility to innovate.
Gibraltar’s innovative approach to its DLT Regulations has most certainly enabled Gibraltar’s DLT industry to flourish whilst maintaining regulatory oversight and ensuring consumer protection. This has been facilitated through a novel approach of adopting principles in its regulation as opposed to a set of fixed rules that the DLT firms need to abide by.
The effect is that Gibraltar is two years ahead of international regulatory requirements and indeed regulates far beyond what the international community requires, as seen from Minister Isola’s statement on market integrity. The success Gibraltar has been able to achieve in its developed DLT industry serves as an example of how new markets require a novel approach to regulation, as opposed to "packaging" modern and innovative business activities within traditional frameworks that were not designed with these types of businesses in mind, and further demonstrates how Gibraltar is not only a pioneer in this space, but a leader in respect of DLT regulation and international standards.