Gibraltar Regulatory Bodies

The most relevant regulatory bodies in Gibraltar to businesses or individuals using blockchain and crypto-assets are the GFSC and the Gibraltar Financial Intelligence Unit (GFIU).

The GFSC is the dominant regulator for blockchain and crypto-asset businesses in Gibraltar; it regulates DLT Providers. The GFSC regulates any business engaged in a Regulated Activity, which encompasses any business using DLT for storing or transmitting value belonging to others, in or from Gibraltar.

In comparison to other jurisdictions, Gibraltar applies a principle-based regulatory approach governed by ten mandatory principles, ranging from Honesty and Integrity to Customer Care. Moreover, the GFSC follows a risk-based supervision model where the intensity and occurrence of supervision is dependent upon the associated scale and risk of the relevant operation.

In relation to AML/CFT supervision, the GFSC also enforces compliance with the Proceeds of Crime Act 2015 (POCA).

Furthermore, the GFIU is also relevant: it is responsible for facilitating the receipt and analysis of suspicious transaction reports filed by relevant entities.

Alignment With International Approaches

Gibraltar has implemented a virtual asset service provider regime consistent with FATF recommendations, including registration requirements for the purpose of AML/CFT compliance supervision, and the implementation of the travel rule for crypto-asset transfers. Legislative updates and regulatory guidance have been introduced to ensure ongoing compliance with evolving FATF standards, reflecting Gibraltar’s priority to maintain international AML and CFT standards.

In relation to the Bank for International Settlements (BIS) and the International Organization of Securities Commissions (IOSCO), Gibraltar has not issued specific guidance or regulatory measures directly implementing their crypto-asset standards. However, the GFSC monitors international developments and has conducted reviews to ensure that the DLT Framework maintains regulatory standards consistent with evolving global expectations.  Where crypto-assets fall within the definition of financial instruments under the FSA, existing securities regulation, which has historically been aligned with EU law transposed into Gibraltar, provides a framework broadly consistent with IOSCO principles.

Classification of Crypto-Assets

Gibraltar does not take a prescriptive approach when defining crypto-assets in the way that other jurisdictions do; instead, it takes a broader approach. It deliberately applies a wider definitional framework by not distinguishing between different types of crypto-assets and instead using the broad term Virtual Assets. Under this framework, Virtual Assets are defined as digital representations of value that can be digitally traded or transferred and can be used for payment or investment purposes but do not include digital representations of fiat currencies.

Existing Regulatory Frameworks

In relation to existing regulatory frameworks that apply to Virtual Assets in Gibraltar, the two prominent pieces of legislation are the FSA and the RFB Regulations. The FSA explains that an activity is regulated when it falls within the types listed in Schedule 2, is carried out as part of a business, and relates to any of the matters set out in Section 5(2). One of these matters covers value belonging to another that is stored or transmitted by means of a database system or through virtual asset arrangements.

This means that using DLT to store or transfer value on behalf of others, when done by way of business in or from Gibraltar, is treated as a regulated activity, such as: custodial virtual asset wallet providers, spot virtual asset exchanges, OTC/brokerage desks, and stablecoin offerings.

In relation to POCA, under the RFB Regulations (defined at 1.1.1 Evolution of Uses of Blockchain) the GFSC must maintain a register of relevant financial businesses that receive “proceeds in any form from the sale of tokenised digital assets involving the use of DLT”.

Furthermore, the DLT Regulations made under the FSA, together with the general DLT guidance notes, underpin Gibraltar’s crypto-asset regulatory framework, which is built around ten core principles, ranging from customer care to honesty and integrity.

Whilst there is no general blanket prohibition concerning activities and products in crypto-assets, the FSA prohibits any person from carrying on regulated activities by way of business in Gibraltar unless the person is either authorised or exempt.

New Regulation

In 2026, the GFSC is working to transition firms currently registered under the RFB Regulations to licensing under the DLT Framework. This consolidation is expected to streamline regulatory coverage and bring VASPs that currently sit within the POCA Registration perimeter under the full supervisory scope of the DLT Framework. 

In Gibraltar, the DLT Framework is activity-based. It applies where a person or firm uses DLT to store or transmit value belonging to others. Whilst this could capture an investment fund structure, a fund which invests in crypto-assets on its own account is unlikely to be captured by the DLT Framework. In practice, most crypto funds in Gibraltar do not fall within scope of the DLT Framework.

The requirement to register with the GFSC under the RFB Regulations does not apply to a fund which is subject to supervision by the GFSC. 

There is a viable crypto-asset issuance industry in Gibraltar. In relation to the requirements to launch a crypto-asset from Gibraltar, an issuer will have to register with the GFSC as a VASP under the RFB Regulations.

For a firm to be registered, it must:

• carry on the activity by way of business (ie, providing products and/or services to clients in return for remuneration);
• have a registered office in Gibraltar; and
• appoint a locally based Money Laundering Reporting Officer.

Although there are no formal white paper requirements equivalent to those under the EU’s Markets in Crypto-Assets Regulation, issuers are expected to provide clear and accurate information to purchasers as part of their AML/KYC obligations. In practice, the GFSC expects registered token issuers to demonstrate robust processes for verifying participant identities, assessing suitability, and disclosing material risks. Where a token’s characteristics bring it within the definition of a financial instrument or a transferable security under the FSA, prospectus-related requirements under Part 19 of the FSA may also apply.

In Gibraltar, the market abuse framework, consisting of three prohibited behaviours, is located within the FSA.

Prohibited Behaviours

• Insider dealing ‒ committed by an insider who uses inside information to acquire/dispose of financial instruments, amend/cancel prior orders, submit/modify/withdraw auction bids, or recommend/induce others to do so.
• Unlawful disclosure ‒ committed when an insider reveals such information outside normal employment/profession/duties or passes on known inside-based recommendations.
• Market manipulation ‒ this covers transactions/orders giving false/misleading signals on supply/demand/price, fictitious devices, profit-driven misleading dissemination, or benchmark manipulation.

Traditional market abuse rules under the FSA apply to financial instruments. Most crypto-assets fall outside of this definition, meaning that there is no direct equivalent to a full market abuse regime for crypto markets.

However, the GFSC addresses similar risks through its ten DLT regulatory principles. Licensed firms must uphold market integrity, manage conflicts of interest, and prevent the misuse of information. This creates a conduct-based framework that indirectly targets behaviour akin to insider trading and manipulation.

The GFSC has a comprehensive suite of enforcement tools under the FSA. Under Part 10, the GFSC has extensive information-gathering and investigatory powers, including the ability to require the production of documents, conduct on-site inspections, appoint skilled persons to prepare reports, and appoint inspectors to investigate the affairs of regulated firms. Under Part 11, the GFSC may impose administrative penalties, issue public statements, make cease and desist orders, temporarily suspend permissions, or issue prohibition orders against individuals.

Additionally, the GFSC may apply to the Supreme Court under Part 13 of the FSA for injunctions restraining contraventions or the disposal of assets, and for restitution orders.

Failure to register as a relevant financial business or to comply with AML/CFT obligations under the RFB Regulations may result in enforcement action, including suspension or cancellation of registration. Carrying on DLT services without authorisation is a criminal offence, punishable by imprisonment of up to two years and/or a fine.

Enforcement Approach

The GFSC’s enforcement approach has historically been supervisory and engagement-led rather than punitive, reflecting the collaborative regulatory culture in Gibraltar. The GFSC has issued consumer alerts against unauthorised firms purporting to offer crypto-asset services from Gibraltar, and has taken steps to address firms operating without appropriate authorisation or registration. 

As the market has matured, the GFSC has signalled a more rigorous approach to supervision, with increased scrutiny of governance, AML compliance, and client asset protection. 

Cross-Border Breaches 

Where firms operate on a cross-border basis without appropriate authorisation, the GFSC may deem the firm to be established in Gibraltar and subject to the FSA and DLT Regulations if there is a sufficient nexus to Gibraltar, such as actively marketing services to Gibraltar-resident individuals or institutions. The GFSC co-operates with international regulators and financial intelligence units to address cross-border compliance concerns. 

Regulatory Outlook

The regulatory posture is not expected to change materially in the next 12 months, although the GFSC’s ongoing transition of VASP registrations into the DLT Framework may bring additional firms within the scope of its full supervisory and enforcement powers.

Licensing Triggers

The FSA prohibits any person from carrying on regulated activities as specified in Schedule 2 to the FSA by way of business in Gibraltar unless the person is either authorised or exempt. In this context, the trigger would be satisfying Part 16 of that Schedule, ie, the kind of activity carried on in relation to value belonging to another which is stored or transmitted by means of a database system or the provision of virtual asset arrangements.

Territorial Scope

If a person is neither authorised or exempt and wishes to carry out such regulated activity by way of business in Gibraltar, they will be required to obtain a licence from the GFSC. Ultimately, the key territorial limit on the requirement for firms to obtain a Gibraltar-licence to operate is whether the activity is coming from Gibraltar or targets persons in Gibraltar.

A Gibraltar DLT licence is obtained through a staged GFSC authorisation process that tests the business model, governance, prudential strength, and local substance before permission is granted.

Process

The process begins with a pre-application meeting with the GFSC to confirm that the proposed activity falls within the DLT framework. The GFSC will then provide feedback and allow the applicant to ask any clarifying questions. Following this, the staged approach set out at 1.1.2 Regulatory Sandbox commences. This starts with submitting a business plan, details of key individuals and other information, followed by submitting risk-management protocols and non-financial resources reports.

Substance and Local Presence

The GFSC requires certain threshold conditions to be met; applicants must show a genuine presence in Gibraltar, ie, real operations including directors, a physical office, and employees. The day-to-day management of the firm must be carried out from Gibraltar, ensuring the applicant is complying with the mind and management requirements.

Local Personnel

Firms must satisfy what is known as the “four-eyes” test, which means that at least two suitably senior and experienced individuals must oversee the firm’s activities on a continuous basis.

Prudential and System Requirements

The GFSC requires firms to hold adequate own funds and liquidity for their business and risk profile, backed by projections and an internal capital/risk assessment. In addition, firms also need strong risk, governance and IT frameworks, covering business continuity, AML/CFT, financial crime controls, and client asset safeguarding.

Under the FSA, any person proposing to acquire or increase control over a Gibraltar regulated firm must comply with the statutory change of control regime.

A person will be considered a controller where they acquire, directly, or indirectly, 10% or more of the shares or voting rights in a regulated firm (or its parent undertaking) or otherwise obtain the ability to exercise significant influence over the management of the firm.

Where a proposed transaction would cause a person to acquire such a level of control, prior notification must be made to the GFSC. Typically, this involves submitting a formal change of control notification alongside prescribed forms and supporting information relating to the proposed acquirer, source of funds, business activities, its ownership structure, and the nature of the interest being acquired.

Depending upon the structure of the acquiring entity, certain parent entities, shareholders, or ultimate beneficial owners (UBOs) may also need to supply information as part of the application.

There are currently no licences that allow for passporting in relation to blockchain and crypto-asset services.

Cross-Border Restrictions

Section 8(1) of the FSA prohibits any person from carrying on a regulated activity by way of business “in or from Gibraltar” unless that person is authorised or exempt. This prohibition applies equally to blockchain and crypto-asset services. Accordingly, if a firm based outside Gibraltar intends to provide services on a cross-border basis to customers in Gibraltar, those services could fall within the scope of the FSA and the DLT Regulations where they involve the use of DLT for storing or transmitting value belonging to others. Firms caught within scope must obtain authorisation from the GFSC as a DLT Provider or, where applicable, register under the RFB Regulations.

Reverse Solicitation

Where services are provided exclusively at the initiative of a Gibraltar-based client, the firm providing those services should not fall within the scope of the FSA. This concept, commonly referred to as “reverse solicitation”, is recognised in practice in Gibraltar, although it has not been codified in legislation and no formal guidance has been published by the GFSC.

Based on the authors’ understanding, reverse solicitation requires that the Gibraltar customer, acting entirely of their own volition and exclusive initiative, proactively approaches the cross-border business to request its services. The cross-border business must not at any point approach, or even indirectly solicit, any Gibraltar customer. No marketing of any kind should be directed at Gibraltar. This includes situations where a Gibraltar-based customer makes an enquiry or request for a product or service after viewing a website or general advertising not specifically directed at Gibraltar, or following a referral from an unconnected third party in Gibraltar who receives no remuneration from the cross-border business. The cross-border business must not maintain any physical presence in Gibraltar, nor should it travel to Gibraltar for the purpose of negotiating or concluding agreements with Gibraltar customers.

Cross-border businesses should exercise extreme care in their marketing strategy. If the GFSC considers that a firm has created a sufficient nexus to Gibraltar through marketing, physical presence, or targeting of Gibraltar-resident individuals or institutions, it may deem the firm to be established in Gibraltar and consequently subject to the FSA and DLT Regulations.

Marketing and Advertising Standards

Section 12 (financial promotion restriction) of the FSA broadly prohibits a person from communicating, in the course of business, any invitation or inducement to engage in investment activity unless they are authorised, exempt, or the communication is otherwise approved or falls within an exemption. In practice, this captures marketing, advertising, and unsolicited approaches (eg, calls or meetings) aimed at encouraging a person to enter into a regulated activity.

There is no bespoke advertising or marketing regime for crypto-assets in Gibraltar equivalent to, for example, the FCA’s financial promotion rules in the UK. However, DLT Providers and registered firms are subject to the GFSC’s DLT regulatory principles, including Principle 2 (Customer Care), which requires firms to communicate with customers in a way that is fair, clear and not misleading. In practice, the GFSC expects all marketing materials produced by authorised or registered firms to meet this standard.

White-label arrangements are permitted in Gibraltar, subject to the regulatory framework applicable to DLT Providers. Under the GFSC’s Guidance Notes to the Financial Services (Distributed Ledger Technology Providers) Regulations 2020, a licensed DLT Provider may permit an external firm to offer services to end users using the DLT Provider’s infrastructure and licence. However, regulatory responsibility remains with the licensed entity at all times. The DLT Provider cannot delegate or transfer its regulatory obligations to the white-label partner.

In practice, the GFSC expects the licensed DLT Provider to maintain full operational and compliance oversight of the white-label arrangement. This includes ensuring that all services delivered through the white-label solution comply with the ten DLT regulatory principles, in particular Principle 5 (Client Asset Protection), Principle 2 (Customer Care), and Principle 9 (Corporate Governance). The DLT Provider must conduct appropriate due diligence on the external firm, implement robust contractual arrangements governing the relationship, and ensure that AML/CFT obligations are discharged in respect of all end users onboarded through the white-label channel.

There is no formal notification or approval process specific to white-label arrangements, but firms are expected to notify the GFSC of any material outsourcing or partnership arrangements as part of their ongoing supervisory engagement. The GFSC may request information about the nature of the arrangement, the identity of the white-label partner, and the controls in place to manage associated risks.

Where a Decentralised Application (DApp) does not have an identifiable administrator or single authority responsible for making changes to data or for moderating, intermediating, or validating transactions carried out within the DApp, it is unlikely to fall within scope of the DLT Framework.

However, DApps may not be fully decentralised and may retain aspects of centralisation that bring them within scope. Therefore, it remains for the GFSC to assess whether any identifiable owners, operators, or administrators exercise control or sufficient influence to render the DApp in scope. In making this assessment, the GFSC will adopt the approach and consider the factors set out in the Relevant Factors sections in the DLT Framework Guidance Note.

Ultimately, its aim is to assess whether the level of control or influence that the individual or firms has over the storage or transmission of value belonging to others.

Concerning CeFi firms that wish to utilise DeFi, there are no specific restrictions in Gibraltar. Nevertheless, CeFi firms utilising DeFi protocols must continue to comply with all applicable regulatory obligations, including AML/CFT requirements, client asset protection, and the ten DLT regulatory principles. The use of DeFi by a licensed firm does not diminish its regulatory responsibilities, and the GFSC would expect such firms to conduct appropriate due diligence on the protocols and smart contracts with which they interact.

Gibraltar has no specific-DeFi legislation. Instead, the DLT Guidance Notes provide guidance on how the framework may apply. In essence, as there is no DeFi-specific legislation, operating DeFi is indirectly permitted in Gibraltar to the extent that they do not constitute a regulated or prohibited activity. Consequently, are no associated set-up requirements for the DeFi structure.

However, where the DeFi protocol has an identifiable administrator or single authority responsible for its operations, the activity may be brought into the DLT regulatory framework’s scope. The protocol has to be considered purely decentralised to fall out of scope.

While there is limited operational activity to date, Gibraltar’s legal framework does accommodate structures that may support DeFi operations. Private Foundations established under the Gibraltar Private Foundations Act 2017 have been used in practice to support crypto protocols, including those underpinning Decentralised Autonomous Organisations. These structures provide a legal wrapper through which assets and governance rights can be managed, with the requirement for a professional licensed trustee on the Foundation Council providing an additional layer of accountability. Companies limited by guarantee and limited partnerships are also available options, depending on the governance and liability requirements of the protocol.

Based upon the authors’ understanding, there has been no case law on the concepts of accountability and liability in relation to DeFi, nor anything released, such as guidance, from the regulators.

Payments in crypto-assets are permitted in Gibraltar. There is no prohibition on using crypto-assets as a medium of exchange, and businesses and individuals are free to accept them as payment for goods and services. Where a firm facilitates crypto-asset payments on behalf of others using DLT, the activity is likely to fall within the scope of the DLT Framework and require authorisation from the GFSC. Additionally, where a payment arrangement involves fiat currency conversion or the holding of client funds, the firm may also need to consider whether it requires authorisation as a payment service provider or electronic money institution under the FSA. The regulatory treatment will depend on the specific characteristics of the service and the flow of funds involved.

In Gibraltar, tokenised assets and real-world assets that fall within the definition of “financial instruments” under the FSA are regulated in the same way as their non-blockchain equivalents. This means that existing requirements relating to securities, prospectuses, and investment services apply regardless of whether the asset is represented on a distributed ledger. In addition, where the tokenisation process involves the use of DLT to store or transmit value belonging to others, the DLT Framework will apply and the relevant firm will need to be authorised by the GFSC as a DLT Provider. Similarly, where tokenisation activities fall within the scope of the RFB Regulations, POCA Registration obligations will apply. This dual-perimeter approach ensures that tokenised assets receive regulatory treatment equivalent to their traditional counterparts, while also capturing the technology-specific risks associated with DLT.