FinTech 2019

Last Updated June 06, 2019


Law and Practice


ISOLAS is a full-service firm that is this year celebrating 125 years in Gibraltar, the longest-established law firm in Gibraltar. ISOLAS is leading the charge in Gibraltar in a number of business areas as the opportunities stemming from Brexit emerge and take shape. The FinTech/initial coin offering team has been involved in the development of the space in Gibraltar, attracting key players in the industry as they choose the jurisdiction as their home for a wide range of businesses leveraging the blockchain. ISOLAS is a market leader in the FinTech sector, having worked closely with the government and the Gibraltar Financial Services Commission on niche areas within this space. It has been instrumental, through its participation in government-established working groups, in shaping discussions and regulatory proposals for cryptocurrency, crowdfunding and distributed ledger technology. ISOLAS founded Gibraltar’s only dedicated FinTech think tank, which brings together local and international financial services and technology professionals to discuss ways in which Gibraltar can position itself as a welcoming and well-regulated environment for FinTech business.

The Gibraltar government has consistently positioned itself as a global leader in the regulation of the distributed ledger technology (DLT) space. Following the development of the private initiative driven by the Cryptocurrency Working Group that commenced in 2014, the Gibraltar government brought into effect the DLT regulatory framework (the DLT Framework) on 1 January 2018. The response to this approach has been global and truly significant. Those who know nothing about Gibraltar may be surprised, but those who know the history of the small jurisdiction with a joined-up partnership between law makers, regulators and industry, which is able to adapt and evolve to attract the right opportunities at the right level with the speed and flexibility needed to accomplish such goals, will not be surprised at all. If the introduction of a framework such as the DLT Framework were proposed in other larger jurisdictions, there would have to be such substantial consultation and inbuilt self-interest in certain existing participants that it would take years to achieve the same result. Since the coming into force of the DLT Framework, the Gibraltar government has been delivering on a detailed and strategically formulated activity schedule, created to drive home Gibraltar’s very strong DLT message proactively, by researching and identifying key markets and audiences, and focusing its marketing in these areas. Gibraltar has picked up a reputation for being home to forward-thinking companies, with industry leaders like Xapo and Huobi (to name a few) that have made Gibraltar their home.

The Gibraltar government has announced the launch of a new advisory group that will focus on the creation of new technology-related education courses, such as blockchain. The New Technologies in Education (NTiE) group will be a joint initiative between the government and the University of Gibraltar in collaboration with some of the leading new technology companies based in Gibraltar. The advisory group will aim to address the growing demand for related skills as the sector continues to expand in Gibraltar. Local professional industries have been involved in the education process of the space and the technology. This has had a particular focus on the banking sector, where a number of banks now provide specific services to DLT regulated firms; the insurance sector, where cover is provided to operators in the regulated space; and to the audit community that continues to be involved with local tax authorities in this respect.

The Gibraltar government has created the Gibraltar Association for New Technologies (GANT), an association formed with the private sector. GANT serves several purposes, primarily to enhance the development in Gibraltar of the use of blockchain, DLT and other future developments, as considered appropriate (collectively referred to as 'New Technology'), with a view to enhancing the reputation, integrity and public trust in this sector. GANT is also tasked with raising the profile of New Technology in Gibraltar across a spectrum not necessarily limited to financial services. This includes encouraging respective organisations to emphasise the high value of their reputation and interest in contributing to enhanced client and investor protection, and remaining committed to safeguarding customer and jurisdictional interests. It is also expected to provide a forum for discussion on New Technology issues within the membership and to assist other sectors of the wider Gibraltar Finance Centre whilst also assisting and advising the Gibraltar government on all aspects of this sector.

The Gibraltar government has also announced its intention to introduce regulations relating to, amongst other things, the promotion and sale of tokens in and from Gibraltar. The proposals are set out in a document issued by the Gibraltar government (the Proposed Token Regulations) that describes proposals for the regulation of token sales, secondary token market platforms (which are likely to trigger additional market abuse and market manipulation rules relating to these exchanges specifically), authorised sponsors of public token offerings, and investment and ancillary services relating to tokens. It is expected that utility tokens will fall under the Proposed Token Regulations, once they come into force. Whilst security tokens are currently captured under the Prospectus Directive, the Proposed Token Regulations are also expected to apply to security tokens, by adding an additional layer of disclosure requirements specifically catered for the tokenised element of the offering.

Undoubtedly, the main issue that will impact the FinTech market in Gibraltar in the next few months is Brexit. Gibraltar is part of the EU by virtue of the UK’s membership and so will be leaving the EU along with the UK’s departure. Consequently, without an EU-UK trade deal covering the Single Market, financial services businesses established in Gibraltar will lose their ability to passport their services into the EU. Although the source of business for the majority of financial services providers and gaming operators established in Gibraltar derives from the UK market, and continued access for these firms to the UK market is guaranteed to continue post-Brexit, the future of the few financial services providers that do rely on passporting their services to other EU member states remains uncertain. As firms licensed under the DLT Framework are currently not able to passport their services to other EU member states, it is anticipated that firms licensed under the DLT Framework will not be significantly impacted by Brexit.

Since the implementation of the DLT Framework, a number of businesses have used tokens as a means of raising finance and developing innovative business models that have tested the parameters of the existing financial services frameworks. These novel business activities, products and business models vary in design but include lending, asset management, exchanges and payments. Gibraltar has also seen existing businesses with clear track records establish a footprint in Gibraltar.

The DLT Framework, defined within the Financial Services (Distributed Ledger Technology Providers) Regulations 2017, was created on a principles basis with the ability to be applied proportionately to the business in question, providing businesses with the regulatory certainty that has been pursued by so many and that currently remains unaddressed at an EU level. A large driver of this principles-based approach (which has to an extent been replicated in a few other jurisdictions) was to allow the regulator the flexibility to adapt its accompanying guidelines to the defined principles at a pace that was deemed necessary to maintain appropriate supervision and regulation of a very fast-evolving and developing space. The intention has not been to exclude certain activity from the existing regulatory frameworks but to create a specific framework that captures businesses that use DLT to “store or transmit value belonging to others” by way of business. The DLT Framework covers activity that may not have been subject to regulation under other existing financial services legislation in Gibraltar. DLT service providers are now regulated by the Gibraltar Financial Services Commission (GFSC), the regulator of the financial services industry in Gibraltar.

The DLT Framework applies to activities by providers that are not subject to regulation under any other regulatory framework. Firms that are currently licensed under existing financial services legislation such as electronic money, payment services and the Markets in Financial Instruments Directive (MiFID), but wish to use DLT to improve their procedures and processes, will not require a separate DLT licence unless the activities are not currently caught within the scope of the existing licence they hold. For example, if a licensed entity wishes to use DLT as part of its processes, it would not require a separate DLT licence. However, if it intends on using DLT for other business relating to the transfer or storage of value, it will be required to obtain a licence under the DLT Framework. The most obvious example of this would be a pure cryptocurrency exchange.

Gibraltar has always maintained itself at the forefront of novel technological development. In fact, if you look in the small print for most online gaming businesses around the world, it is found that most are based in Gibraltar.

Gibraltar is striving to replicate that philosophy in the blockchain space and replicate the success of online gaming, and is doing so by stepping out of the regulatory 'sandbox', in the same way as it did back in the gaming days. Rather than creating a 'safe space' for businesses to test innovative financial products, services, business models and delivery mechanisms in a live environment without immediately incurring all the normal regulatory consequences of engaging in the activity in question, Gibraltar has instead chosen to provide legal certainty and allow businesses to operate within a purpose-built legislative framework.

The GFSC has also established an Innovate and Create Team that has been set up to help and encourage innovation by supporting those businesses looking to develop and introduce innovative ideas for financial products and services into the market.

The GFSC is the sole regulator that supervises all regulated firms in the financial services industry in Gibraltar. However, it must be noted that in some instances a crossover can occur with gaming operators. For example, gaming operators that provide spread betting services are regulated by the GFSC as well as the Gambling Commission due to the fact that spread betting is a contract for difference which falls within the definition of a financial instrument under MiFID II. Although the GFSC is the sole regulator, its supervision is risk-based and outcome-focused, allowing it to adopt a proportionate approach to supervision depending on various factors. The GFSC continuously reviews the level and type of supervision, a minimum of every twelve months or where a new or emerging material risk is identified, or the nature and scale of the firm’s business changes.

A firm may outsource certain activities and, if the firm wishes to do so, it should apply fit and proper procedures in assessing that service provider’s ability to perform the required obligations. The entity that will be undertaking the outsourced functions must be authorised or otherwise legally entitled to carry out the functions in the jurisdiction from which it proposes to carry them out.

If a firm outsources, it will retain ultimate responsibility for any outsourced functions; it should also designate a director within the company to have overall responsibility for any outsourced functions. The designated director will need to possess sufficient knowledge and experience regarding the outsourced function to be able to challenge the performance and results of the service provider.

A firm may also outsource certain services to affiliate companies within their group structure. The entity responsible for fulfilling the governance requirements at group level should document which functions relate to which legal entity within the corporate group structure and ensure that the performance of the key functions is not impaired by such arrangements.

The GFSC has set out in Guidance Notes its expectations around outsourcing, which can be found on the GFSC website at:

As the DLT Framework has only recently been introduced, although a number of licences have been granted to date, the majority of the firms seeking to be regulated are still undergoing the strict licensing application process. Therefore, no significant enforcement action has yet been taken by the GFSC against any licensed DLT providers. If the GFSC feels that a firm does not meet the strict licensing criteria, it will simply refuse to grant the applicant a DLT licence.

If in the future the GFSC is required to intervene, it has various powers at its disposal, including the following:

  • the imposition of conditions (including prohibitions and restrictions) on a licence at any time after issue;
  • cancellation, suspension or variation of a licence otherwise than at the request of a licensee;
  • a direction to cease or desist from, or to undertake, specified action;
  • a direction that a person shall not carry out any or specified functions in relation to the business of a licensee on the grounds that they are not fit and proper to do so; and
  • other sanctions specific to one sector of the market and its related legislation; eg, the imposition of financial penalties under the Financial Services (Investment and Fiduciary Services) Act.

Privacy Laws

The local privacy regime is fully aligned with EU laws and is highly sophisticated. Gibraltar implemented the General Data Protection Regulation 2016/678 (GDPR) in full on 25 May 2018 by making changes to its Data Protection Act 2004. The local regulator (the Gibraltar Regulatory Authority) follows the practice and guidance of the UK’s Information Commissioner’s Office.

In terms of who is captured, the GDPR is wide in scope and controllers/processors can be captured on the “material scope” [Article 2] when processing data wholly or partly by automated means, or otherwise if personal data forms part of a filing system, as long as they are also captured on the “territorial scope” [Article 3] in situations where (i) processing of data occurs in the context of the activities of an establishment in the EU (whether or not the processing takes place in the EU or the processing relates to data subjects in the EU); or (ii) where the controller/processor is not established in the EU, but the activities relate to “offering goods or services” (regardless of whether payment is required) or “monitoring of [the] behaviour” of data subjects who are in the EU (regardless of their nationality).

Note that a website that is simply accessible by a global audience in itself would not indicate intention of “offering goods and services” to EU citizens and, on its own, would not necessarily subject an organisation to the GDPR. Further factors would need to be considered, such as the use of different languages and euro currency. Also note that whether an entity has an 'establishment' in the EU depends on a variety of factors. Suitable legal advice should be sought whenever an entity is considering whether the GDPR applies to them.

Anti-money Laundering Laws (AML)

Any firm that is licensed by the GFSC would be caught as a relevant financial services business under the Proceeds of Crime Act 2015 (POCA) in Gibraltar. Accordingly, know your customer (KYC)/AML obligations would apply and this would include having systems in place to prevent, detect and disclose financial crime risks such as money laundering and terrorist financing. The requirement is derived from the EU Anti-Money Laundering Directives, POCA and the GFSC Anti-Money Laundering Guidance Notes. There are also additional and specific guidance notes relating to the ‘financial crime’ factor that have been prepared specifically for DLT firms to set out regulatory expectations.

Firms are required to establish procedures to apply customer due diligence procedures; appoint a money laundering reporting officer (MLRO) to whom money laundering reports must be made; establish systems and procedures to forestall and prevent money laundering; provide relevant individuals with training on money laundering and awareness of their procedures in relation to money laundering; screen relevant employees; and undertake an independent audit for the purposes of testing customer due diligence measures, ongoing monitoring, reporting, record-keeping, internal controls, risk assessment and management, compliance management and employee screening. The frequency and extent of the audit shall be proportionate to the size and nature of the business.

It is possible for a firm’s compliance programme to use customer verification tools (such as Jumio) as well as blockchain technology (such as Chainalysis). Because the DLT Framework is based on the application of principles rather than rigid rules, a firm will be able to use innovative solutions provided it can satisfy the GFSC that it can meet its regulatory obligations.

The application of this AML regime to DLT firms has been seen by many as a precursor to the requirements under the fifth EU Anti-Money Laundering Directive (EU) 2018/843 (AMLD5) that will for the first time capture exchanges and pure custody wallet providers. These businesses will already be fully regulated and subject to such requirements if they are operating in Gibraltar.


Gibraltar applies the EU’s current cybersecurity framework, which consists largely of directives relating to data protection, e-privacy and telecommunications. The GDPR and e-privacy directive have been referred to above. It is expected that the current framework will be replaced with the proposed e-Privacy Regulation, which will be supplemented by additional legislation such as the proposed Network and Information Security Directive, and the Cybercrime Directive.

Additional guidelines are applicable to FinTech businesses to the extent that these are issued by the GFSC, which has imposed certain regulatory principles on such businesses via the DLT Framework. Principle 7 of the DLT Framework is particularly relevant as it obliges relevant FinTech businesses to ensure that systems and security access protocols are maintained to appropriate high standards. Additionally, the DLT provider Guidance Notes provide specific guidance on operational, technical and organisational standards expected by the GFSC in this context (see the Guidance Note entitled “Systems and Security Access” on the GFSC website at

The use of social media platforms in itself is not regulated in Gibraltar. However, it depends on what the social media platform is being used for. If a social media platform is being used to promote or broker financial instruments, this would constitute providing an investment service and/or an investment activity, and would be subject to regulation.

Whilst the regulator is strictly speaking the only party responsible for reviewing the activities of regulated entities in Gibraltar, the reality is that reliance and expectation is placed on parties (who in most cases will be regulated by the GFSC) that perform functions in respect of regulated entities, to do so diligently and to the standard expected, although no direct responsibility for reviewing the activities of the regulated entity arises.

Furthermore, the GFSC must approve a person as fit and proper to perform controlled functions for the regulated entity. The controlled functions include governing functions, such as a director, and compliance functions (for example, the roles of compliance officer or MLRO). The GFSC will expect these parties to be very much involved in the running and operation of the firms they are engaged in, and they will be expected to demonstrate this.

Industry participants can offer unregulated products in conjunction with regulated products and services. Whether they are offered through the same legal entity depends on the individual requirements of the business.

The emergence of fully automated robo-advisers has definitely impacted the traditional human financial adviser market. Robo-advisers are generally better than human advisers in certain respects; however, they lack the flexibility required to create custom investment plans that are suited to clients’ varying financial goals. Consequently, a 'hybrid human-robo advisory model' has emerged that combines the benefits and efficiency provided by automated investment algorithms with human advisers to create a much more efficient and competitive business model.

In terms of regulation, save for the fact that robo-advisers provide automated algorithmic-based investment services, there is nothing particularly different in terms of the financial services legislation governing traditional financial advisers and robo-advisers. The latter are subject to the same technology-neutral regulatory framework as traditional advisers and still need to adhere to MiFID, AML rules, etc. In addition, the European Securities and Markets Authority (ESMA) has published Guidelines that provide clarification on robo-advisers and the 'suitability assessment' in relation to MiFID II.

Furthermore, if a robo-adviser uses DLT, by way of business, for storing or transmitting value belonging to others, consideration must be given as to whether it requires a separate DLT licence, although this should not be the case if the firm is only using DLT for the execution of its investment services.

Legacy players have embraced the technology provided by robo-advisers early on and have realised the potential cost reductions and benefits that can be attained through adopting certain algorithmic processes. Consequently, legacy players are increasingly taking advantage of robo-adviser technology and developing their own robo-adviser products together with their existing processes.

There are significant differences in the regulation of loans to individuals and to businesses. Loans between EUR200 and EUR75,000 (which are not secured by way of mortgage) that are made to natural persons acting outside of their trade, business or profession are regulated in Gibraltar. Lenders who issue loans that satisfy these criteria must be licensed as a 'moneylender' under the Financial Services (Moneylending) Act 1917; the lender must also be regulated for conduct of business purposes by the GFSC under the Financial Services (Consumer Credit) Act 2011 (the Consumer Credit Act) as a 'creditor'. Loans to corporate entities are usually unregulated.

All credit agreements that fall within the scope of the Consumer Credit Act are subject to ‘creditworthiness’ requirements. The Consumer Credit Act requires creditors to assess creditworthiness before concluding a credit agreement and/or before significantly increasing the amount of credit to be provided under an existing agreement. While there is no prescribed method of assessing creditworthiness, this must be based on sufficient information obtained from the borrower, in respect of income, outgoings and personal circumstances.

Over the years, lenders have increasingly automated their underwriting processes. Although automated underwriting (AU) has historically been restricted to credit card underwriting, lenders have increasingly adopted AU for conventional loans as well as mortgages.

The source of funds for loans varies on a case-by-case basis depending upon the individual circumstances.

In Gibraltar there is no bespoke regulation covering peer-to-peer lending (P2P Lending) and, as a result, different forms of P2P Lending will be subject to different rules and regulations under the financial services framework. For example, if a platform operator is actively managing investors’ money and automatically invests that money using its own discretion, it could potentially fall under the Financial Services (Collective Investment Schemes) Act 2011 and be regulated as a collective investment scheme. If a platform operator holds funds received from lenders for varying lengths of time whilst it locates suitable borrowers, it must also consider the implications of these funds being categorised as ‘client money’ and the various safeguards imposed to ensure the protection of consumers. Therefore, the regulations that apply to P2P Lending will depend on how lenders and borrowers are approached, how the platform operator structures itself and how debt security is transferred.

Further, P2P platform users that grant or promise to grant credit in the course of their trade, business or profession would need to consider the Financial Services (Moneylending) Act 1917 and the Financial Services (Consumer Credit) Act 2011 as this is a regulated activity.

Securitisations are regulated under Regulation 2017/2402/EU laying down a general framework for securitisations.

Carrying out payment services is a regulated activity in Gibraltar under the Financial Services (Investment and Fiduciary Services) Act 1989 and the Financial Services (Payment Services) Regulations 2018, and requires a licence.

Payment processors are not required to use traditional payment rails; start-up companies are increasingly capitalising on the benefits offered by DLT and creating payment rails on a blockchain. However, as DLT/blockchain payment rails are generally incompatible with traditional payment rails, the widespread adoption of these innovative payment rails has been hindered. Despite this, as the technology develops and proves its capabilities, DLT/blockchain payment rails can be expected to become more common.

Gibraltar-domiciled fund administrators are required to have a Fund Administrators Licence to provide fund administration services. Gibraltar funds may also appoint administrators that are not licensed locally in Gibraltar, provided that the administrator is established in a jurisdiction where it is regulated in accordance with a legislative and regulatory regime that provides at least equivalent protection to the regime in Gibraltar. The appointment of fund administrators established outside Gibraltar requires the GFSC’s consent and is also subject to the consent of the Minister with responsibility for financial services.

The contractual terms that fund advisers impose on fund administrators depend on the type and circumstances of each fund and are dictated by industry custom. Therefore, they vary on a case-by-case basis but often include duties to carry out accounting services, compliance services as well as registrar, transfer agency and client services.

Fund administrators are required to have a service agreement in place with the fund that sets out the agreed scope of services that it will provide to the fund. It is normally the case that the service agreement does include a duty for a fund administrator to review, monitor and ensure compliance with applicable legislation for funds under its administration and to ensure that only fit and proper persons/legal entities are permitted to form, maintain and/or invest in the funds under its administration. Therefore, the extent to which a fund administrator acts as a 'gatekeeper' and what duties they have will depend on what is contained in the services agreement. As a licensed entity, a fund administrator would need to meet Conduct of Business requirements under applicable regulations.

Three types of trading platforms are permissible under the Act: a regulated market (RM) run by a market operator, a multilateral trading facility (MTF) and an organised trading facility (OTF). Different regulatory regimes apply for each trading platform.

An RM is regulated under Part 3 of the Act and is a multilateral system that is operated or managed by a market operator and that brings together or facilitates the bringing together of multiple third-party buying and selling interests in financial instruments within the system. Unlike OTFs, RMs must execute transactions on a non-discretionary basis. Like MTFs, RMs provide a form of organised trading functionality; however, unlike MTFs, RMs are neither an investment activity nor an investment service under the Act.

An MTF is a multilateral system that can be operated by an investment firm or a market operator. Like RMs, MTFs bring together multiple third-party buying and selling interests in financial instruments, and transactions at MTFs may not be executed at their operators’ discretion.

Like RMs and MTFs, OTFs may not execute orders against proprietary capital. However, OTF operators may execute orders on a discretionary basis, provided they comply with pre-trade transparency requirements and do not act against the interests of their clients. OTFs have discretion in placing or retracting orders and in the extent to which client orders will be matched within their system. OTFs may encourage negotiations between clients where they assume a common level of compatible interests between clients.

Crypto-exchanges are also permitted; however, their regulatory regime is largely dependent on the type of crypto-asset that is being listed and therefore needs to be assessed on a case-by-case basis. For example, crypto-exchanges that list tokens that do not qualify as bonds, structured financial products, emission allowances or derivatives cannot be classified as OTFs. Crypto-exchanges that list tokens that do not fall under the definition of a 'financial instrument' would not meet the definition of an MTF. If a crypto-exchange lists tokens that do not fall into the above, it would be regulated under the DLT Framework and the Proposed Token Regulations.

The DLT Framework applies to any company that stores or transmits value belonging to others, using DLT, by way of business. Consequently, cryptocurrency exchanges and wallet service providers are regulated under the DLT Framework as well as the Proposed Token Regulations. The DLT Framework offers a principles-based framework based on proportionality, and on a risk-based and outcome-focused approach.

Gibraltar regulates high-frequency and algorithmic trading under the Act. The Act introduces controls for algorithmic trading activities and in particular for firms using high-frequency trading techniques. Under the Act, an investment firm that engages in algorithmic trading must:

  • have in place effective systems and risk controls suitable to the business it operates to ensure that its trading systems (i) are resilient and have sufficient capacity, (ii) are subject to appropriate trading thresholds and limits, (iii) prevent the sending of erroneous orders or otherwise functioning in a way that may create or contribute to a disorderly market and (iv) cannot be used for any purpose that is contrary to the Market Abuse Regulation or the rules of any trading venue to which it is connected;
  • have in place effective business continuity arrangements to deal with any failures of its trading systems; and
  • ensure its systems are fully tested and properly monitored to ensure that they meet the relevant requirements in the Act.

The Act introduces specific requirements for investment firms engaged in high-frequency and algorithmic trading in pursuance of a market-making strategy. Account must be taken of the liquidity, scale and nature of the specific market, and the characteristics of the instrument traded when the following requirements are applied:

  • other than under exceptional circumstances, the investment firm must carry out this market making continuously during a specified proportion of the trading venue’s trading hours with the result of providing liquidity on a regular and predictable basis to the trading venue;
  • the investment firm must enter into a binding written agreement with the trading venue that specifies the obligations of the investment firm in accordance with the first point above; and
  • the investment firm must have in place effective systems and controls to ensure that it fulfils its obligations under the agreement referred to in the second point above at all times.

The GFSC does not regulate financial research platforms as a 'controlled activity', but providing a financial research platform service as well as providing access to a platform is likely to involve a range of activities that are regulated. These activities are set out in the Financial Services (Investment and Fiduciary Services) Act 1989 and unless an exemption applies, a financial research platform that involves a regulated activity must be registered. Some of the regulated activities most frequently associated with financial research platform providers are:

  • dealing in investments as an agent;
  • arranging deals in investments;
  • safeguarding and administering assets belonging to another;
  • giving or offering investment advice; and
  • sending dematerialised instructions.

Therefore, whether a financial research platform requires registration and what licence it would require will largely depend on the exact service being offered by the platform.

There is currently no legislation regulating the generic spreading of unverified information. However, under EU Regulation 596/2014 on market abuse and the Market Abuse Act 2016 that transposes EU Directive 2014/57, the transmission of false or misleading information can be considered as market manipulation, which is an offence. Further, in the event of rumours, an issuer must assess whether a public disclosure of insider information is necessary to avoid insider dealing and ensure that investors are not misled.

Gibraltar’s regulatory framework is technology neutral. RegTech providers become regulated depending on their activities, not the technology utilised.

Established financial institutions have started to realise the potential of blockchain technology. A number of major financial institutions have begun conducting their own tests to find out the possible use of blockchain for their business processes, as well as partnering with FinTech companies to enhance their existing products.

The local regulator is very supportive of new business innovations that have the potential to transform legacy systems to improve efficiency, reduce costs and provide greater transparency. The local regulator’s approach is not focused on the technical aspects of blockchain technology as such, but rather on how the business intends to use the technology in undertaking its business activities. Where the activity involves use of the blockchain for storing or transmitting value belonging to others by way of business, such activity would constitute a regulated activity under the DLT Framework.

Under the DLT Framework, anyone carrying on by way of business, in or from Gibraltar, the use of DLT for storing or transmitting value belonging to others requires a licence. DLT is widely defined as a database system in which information is recorded and consensually shared and synchronised across a network of multiple nodes and all copies of the database are equally authentic. The classification of DLT has therefore deliberately been made wide to remain flexible to the fast-moving developments of the wider crypto ecosystem.

Presently, unless a token constitutes a regulated financial instrument or a form of electronic money, it is unregulated in Gibraltar, which is scheduled to introduce token regulations that will create a fully regulated market for token sales, initial coin offerings and other crypto and blockchain-based operators looking to raise finance.

The Proceeds of Crime Act 2015 and AML Regulations apply to token issuers irrespective of whether the token is caught by the definition of 'financial instrument'.

Service providers to a token issuer (eg, sales platform provider/custodian) may also be subject to regulation if the activity they undertake in relation to the token offering involves them storing or transmitting value belonging to others by way of business.

Depending on the nature of the asset and whether it constitutes a financial instrument, a trading platform (including fiat-to-crypto and crypto-to-crypto exchanges) may need to be licensed as a regulated securities market/MTF/OTF. Otherwise the exchange is likely to fall within the scope of the DLT Framework and would need authorisation to undertake its activities.

In relation to secondary market trading platforms, decentralised exchanges, market makers and OTC Providers will potentially fall within the scope of current regulations depending on the activity and provided that they are being operated in or from Gibraltar. Otherwise they will be caught by the Proposed Token Regulations.

The Gibraltar Funds & Investment Association (GFIA) has recommended that all crypto funds dealing with third-party money should be regulated by the GFSC as Experienced Investor Funds unless the fund is created for a small group of persons who are previously known to each other and where there will be no promotion of it, in which case it can be set up as a private scheme. In addition, the GFIA has issued a Corporate Governance Code for Gibraltar Crypto Funds to tackle the specific problems thrown up by crypto funds. Since crypto Experienced Investor Funds (EIFs) are set up under the existing EIF regulations, they do not require a DLT licence.

Virtual currencies are not defined and would be considered a type of blockchain asset that is used as a means of payment and typically represents a digitally native asset.

A fundamental principle of the GDPR is that you have the right to have your personal information deleted. The GDPR also ensures that you are protected by regulations on how your personal data can leave the EU. This creates a clear conflict with blockchain technology, as once personal information is written to the blockchain it is immutable and cannot be changed or deleted. Furthermore, a blockchain consists of various nodes that in some cases can exist across the globe. Therefore, in order to ensure GDPR compliance, firms need to find workarounds and avoid storing personal data on the blockchain.

To the best of this firm's knowledge, there are no planned local initiatives to deal with the current debate around certain data within blockchains (in particular cryptographic wallet addresses) being ‘personal data’ and whether the ‘data controller’ is deemed to be the person who writes the smart contract. The debate remains largely academic for the moment, but the French supervisory authority (CNIL) has issued a recent opinion on 6 November 2018 on this topic that may be useful. Although not guaranteed, Gibraltar’s regulator would be highly likely to follow a similar approach when interpreting how personal data is held on blockchains and how individuals can enforce their rights.

In terms of crypto asset-related activity, the practical implication of being caught under GDPR is that data controllers, as well as data processors, must ensure they handle all personal data (ie, relating to living, natural persons; not corporate bodies or other entities) in accordance with the principles established under GDPR and have in place “appropriate technical and organisational measures” to ensure data security, etc. Finally, personal data must only be processed in accordance with a valid lawful basis and not openly without restrictions. Compliance with GDPR is usually achieved by having written policies and procedures that tackle the main parts of the GDPR and having a comprehensive privacy policy in place.

Gibraltar has implemented the Second Payment Services Directive (PSD2) by enacting the Financial Services (Payment Services) Regulations 2018. The PSD2 introduces substantial changes, primarily focused on offering increased protection to consumers, reducing costs and hidden charges, and promoting industry innovation within a safe and transparent environment. The PSD2 requires banks to release their data to third parties who can create new products facilitating data sharing and therefore acts as a catalyst, which will connect consumers, third-party applications and banks in a way that leads to greater financial transparency options for account holders. As a result, customers will have vastly improved access to their own data, making it easier to control their finances and manage multiple accounts across different providers.
