Gibraltar: Blockchain & Cryptocurrency Regulation 2022

1. Government attitude and definition

The Government of Gibraltar has approached the growing cryptocurrency and wider blockchain and distributed ledger technology ("DLT")-related sector with a uniquely receptive and progressive attitude. Financial regulators and policymakers in Gibraltar have understood the need for regulation in this sector, responding rapidly to such demand as far back as 2014, with the creation of the Cryptocurrency Working Group. This private sector initiative led to the development of the Distributed Ledger Technology Framework ("DLT Framework"), which became effective on 1 January 2018, making Gibraltar the first jurisdiction in the world to deliver a framework of its kind that regulates businesses that use DLT for the defined purposes relating to a "storage" or "transfer" of "value", which is a wider concept than pure virtual assets. The DLT Framework currently includes nine principles that apply to DLT businesses operating in Gibraltar and these principles are substantiated by detailed guidelines constructed in a way that allows them to evolve at the same pace as the technology and its application, while always maintaining the core regulatory and legislative principles. The response to this approach has been global and truly significant. Those who know nothing about Gibraltar may be surprised, but those who know the history of the small jurisdiction, with a joined-up partnership between lawmakers, regulators and industry that is able to adapt and evolve to attract the right opportunities at the right level, with the speed and flexibility needed to accomplish such goals, will not be surprised at all.

This success has also been seen in the crypto funds space: pursuant to a 2020 research report into the global crypto hedge fund landscape, commissioned by PwC and Elwood Asset Management, Gibraltar was shown to be the third-highest jurisdiction of choice for crypto hedge fund managers (with 10% of crypto hedge fund managers based in Gibraltar), only behind the UK (15%) and the US (52%). Gibraltar was also listed as having the fourth-highest number of domiciled crypto hedge funds (6%).

More recently, the third annual edition of the report, published in 2021, shows Gibraltar as having strengthened its position as a preferred domicile for crypto hedge funds, with the third-highest number of domiciled crypto hedge funds (9%), overtaking the BVI (8%) and Luxembourg (3%), and pushing down Liechtenstein to less than 5%. Furthermore, the two leading jurisdictions for crypto hedge funds have experienced an overall decline in their market share compared to the 2020 report (the US from 38% to 33% and the Cayman Islands from 42% to 34%), whereas Gibraltar has maintained steady growth (from 6% to 9%).

Since the coming into force of the DLT Framework, the Government of Gibraltar has been delivering on a detailed and strategically formulated activity schedule, created to proactively drive home Gibraltar's very strong DLT message, by researching and identifying key markets and audiences and focusing its marketing in these areas. The Government of Gibraltar also launched an advisory group that focuses on the creation of new technology-related education courses, such as blockchain. The New Technologies in Education ("NTiE") group, which is a well-established initiative since its inauguration in 2018, is a joint initiative between the Government and the University of Gibraltar in collaboration with some of the leading new technology companies based in Gibraltar. The advisory group's aim is to address the growing demand for related skills as the sector continues to expand in Gibraltar. The University of Gibraltar has also successfully been delivering a professional course in this space titled "Professional Certificate of Competence in Blockchain & Smart Contracts".

Whilst Gibraltar has shown leadership in this space, development is clearly an ongoing process and Gibraltar is aware of the importance, as a jurisdiction, for it to invest in supporting the development of knowledge and skills in tandem with generating economic results as it continues to strive for excellence. The Government of Gibraltar created the Gibraltar Association for New Technologies ("GANT") in 2018, an association formed together with the private sector, including Gibraltar's leading law firms, accounting firms and technology companies all forming part of its membership. GANT serves several purposes, primarily enhancing the development in Gibraltar of the use of blockchain and DLT and other future developments (collectively referred to as "New Technology"), with a view to enhancing the reputation, integrity and public trust in this sector.

GANT has also been tasked to raise the profile of "New Technology" in Gibraltar across a spectrum not necessarily limited to financial services. This includes encouraging respective organisations to emphasise the high value of their reputation and interest in contributing to enhanced client and investor protection and remaining committed to safeguarding customer and jurisdictional interests. GANT also provides a forum for discussion on "New Technology" issues within the membership and to assist other sectors of the wider Gibraltar Finance Centre, whilst also assisting and advising the Government of Gibraltar on all aspects of this sector.

2. Cryptocurrency regulation

In terms of the activity of the business in the DLT space, as highlighted above, Gibraltar has developed the first DLT-specific regulatory and principles-based legislative framework for these operators. This detailed framework goes well beyond the basic compliance requirements or registration processes that exist in many jurisdictions. Cryptocurrencies are not considered legal tender in Gibraltar and, accordingly, are not issued or guaranteed by the Government of Gibraltar.

While the United Kingdom and Gibraltar are no longer members of the European Union, subject to certain exceptions, all direct EU legislation and all EU-derived domestic legislation so far as operative immediately before midnight on 31 December 2020, continue to form part of Gibraltar's domestic legislation pursuant to ss5(1) and 6(1) of the European Union (Withdrawal) Act 2019. Accordingly, the provisions of all EU-derived financial services frameworks, as they stood at midnight on 31 December 2020, continue in force and effect in Gibraltar.

Therefore, as in most jurisdictions that operate under European law principles, depending on the construct of the virtual currency, cryptocurrencies may still qualify as electronic money ("E-Money"), as a form of asset-backed security, financial instrument or even unit of a collective investment scheme ("CIS") arrangement. Without being able to go into each of these for the purposes of this chapter, in the context of the recent focus on stablecoins and central bank-issued digital currencies, on a European level, the regulation of E-Money is based on the E-Money Directive, which defines E-Money as an electronically, including magnetically, stored monetary value as represented by a claim on the issuer, which is issued on receipt of funds for the purpose of making payment transactions, and accepted by a natural or legal person other than the E-Money-issuer. This definition is in line with the definition contained in the Financial Services (Electronic Money) Regulations 2020. E-Money requires an issuer; therefore, a cryptocurrency that comes into existence by way of mining (e.g. Bitcoin) without an issuer, or representing any form of claim on any issuer, should not qualify as E-Money. Conversely, a cryptocurrency that is issued by an issuer at par value against fiat and furnished with the promise of the issuer to be redeemed in exchange for fiat against the issuer of that currency, and therefore being accepted as means of payment by third parties, would qualify as E-Money and trigger a number of considerations around this from a payments services perspective also.

Owing largely to the difficulty of regulating cryptocurrencies themselves, the DLT Framework has attempted not to enforce the regulation of cryptocurrencies, but instead to impose a regulatory regime for firms that carry on by way of business, in or from Gibraltar, the use of DLT for storing or transmitting value belonging to others. Accordingly, regulation will depend on what services a firm is providing customers in respect to their cryptocurrencies and whether this falls under the scope of regulation.

Because cryptocurrencies vary widely in design and purpose, it should be kept in mind that these may represent transferable securities or financial instruments, and their promotion and sale would already be covered by existing securities legislation in Gibraltar such as the Financial Services Act 2019 ("FSA"). Its classification as a security triggers various consequences; in particular, regulatory consequences. The requirement to issue a prospectus when offering securities publicly is only one example of such a requirement. A distinction must be drawn between the concept of a security on the one hand and a financial instrument on the other, with the latter being the broader term.

"Securities" are one of several sub-categories of financial instruments. Regulatory requirements may therefore also arise for non-securities that are classified as financial instruments. This includes the requirements arising under MiFID II, which, in addition to applying to businesses providing certain investment services or engagement in certain activities with clients in relation to financial instruments, also defines "financial instruments" in a wide form, including forms of commodity derivative contracts and arrangements that may apply to any asset or right of a fungible nature (under certain conditions).

If a cryptocurrency meets the MiFID II definition of a financial instrument, then a number of crypto-asset-related activities carried out by an exchange are likely to qualify as investment services/activities for which a licence is required outside of the DLT Framework. This includes multilateral trading facilities, organised trading facilities and other exchange-related activities.

Gibraltar is further looking to expand and extend the obligations to which DLT firms must adhere and is subsequently looking towards adding a 10^th principle to the DLT Regulations with an aim to regulate and develop market integrity standards for crypto exchanges. The International Organization of Securities Commissions ("IOSCO") has identified several issues that merit consideration relating to transparency, custody, clearing and settlement trading, security and systems integrity. Implementing market integrity standards for these exchanges is one of the most pressing issues in the market, with organisations such as Bitwise and BTI estimating that 70–95% of all trading volume on exchanges is potentially manipulative. The effect of which is a reduction in market confidence in this sphere.

It should of course be borne in mind that foreign exchange markets, stock markets and commodity brokers face or have faced market risks in the past, but now fall squarely within developed rules and frameworks that prevent or restrict such manipulation taking place. This is not to say that there is no manipulation taking place in the more mainstream markets, but rather that it is less prevalent due to such regulation. Thus, the introduction of these standards in the regulatory sphere in Gibraltar would serve to restrict manipulation in the same way that this is restricted in traditional markets.

3. Sales regulation

It may be the case that tokens do not qualify as securities or financial instruments under Gibraltar or EU-derived legislation. Gibraltar also does not maintain separate classifications of virtual asset categories but, although the issuance of any token may not be captured within financial services legislation, from a compliance and risk perspective, any such creation and issuance will always be caught by the Proceeds of Crime Act ("POCA") in Gibraltar, which was specifically amended to capture this activity. Similarly, the operation of the actual business relating to such a token or virtual asset could also be captured within the DLT Framework, despite the issuance potentially not being captured. In the event that the token or assets do constitute securities, there is currently an EU-derived framework dealing with this, as has been described above. Accordingly, Gibraltar is not looking to introduce a framework that will modify, in any way, securities law or the EU Prospectus Regulation requirements. That is to say, the public offering of tokens that constitute securities does not require further regulation from a Gibraltar perspective and will continue to fall under current frameworks governing the issuance of securities.

It should also be noted that entities issuing tokens may separately have to comply with classic consumer protection law, depending on the design of the digital token.

4. Taxation

It should be noted that the treatment of cryptocurrencies is not specifically considered in current tax legislation in Gibraltar, nor in accounting standards that are generally accepted in Gibraltar; therefore, where relevant, general principles implicit in current legislation, and accounting standards that are believed to be appropriate, are applied.

In Gibraltar, there is no capital gains tax, value-added tax, death duties, inheritance, wealth, capital transfer, gifts, or withholding tax levied at present. For companies, corporation tax is generally 12.5%, payable on profits that derive from income accrued in or derived from Gibraltar; that is to say, by reference to the location of the activities that give rise to the profits. Under tax legislation, the location of the activities that give rise to the profits of a business whose underlying activity results in income, and requires a licence and regulation under any law of Gibraltar, shall automatically be considered to derive from Gibraltar. Favourable tax packages are also available for High-Net-Worth Individuals and High Executives Possessing Specialist Skills who want to establish residence in Gibraltar and can benefit from tax payable on income being restricted to a capped amount, which encourages talent towards Gibraltar.

5. Money transmission laws and anti-money laundering requirements

A DLT firm is caught as a relevant financial business ("RFB") under POCA in Gibraltar. Accordingly, a DLT firm is subject to know-your-customer and anti-money laundering ("AML") obligations. Furthermore, under the DLT Framework, a DLT firm "must have systems in place to prevent, detect and disclose financial crime risks such as money laundering and terrorist financing". The requirement is derived from: EU Anti-Money Laundering Directives; POCA 2015; and the FFSC0 Anti-Money Laundering Guidance Notes. There are also additional and specific guidance notes relating to the "Financial Crime" factor, which have been prepared specifically for DLT firms to set out regulatory expectations.

Firms are required to establish procedures to: apply customer due diligence ("CDD") procedures; appoint a Money Laundering Reporting Officer to whom money laundering reports must be made; establish systems and procedures to forestall and prevent money laundering; provide relevant individuals with training on money laundering and awareness of their procedures in relation to money laundering; screen relevant employees; and undertake an independent audit for the purposes of testing CDD measures, ongoing monitoring, reporting, recordkeeping, internal controls, risk assessment and management, compliance management and employee screening. The frequency and extent of the audit shall be proportionate to the size and nature of the business.

It is possible for a DLT firm's compliance programme to use customer verification tools (such as Jumio) as well as blockchain technology (such as Coinfirm). As the DLT Framework is based on the application of principles rather than rigid rules, DLT firms are able to use innovative solutions provided they can satisfy the Gibraltar Financial Services Commission ("GFSC") that they meet its regulatory obligations.

The application of this AML regime to DLT firms has been seen by many as a precursor to the requirements under the EU's Fifth Anti-Money Laundering Directive ("AMLD5"), which has, for the first time, captured exchanges and pure custody wallet providers. Gibraltar-based businesses were already fully regulated and subject to such requirements as implemented by AMLD5 since the introduction of the DLT Framework, and so the introduction of AMLD5 has had no significant effect on those businesses operating from Gibraltar.

Gibraltar has also introduced the Proceeds of Crime Act 2015 (Relevant Financial Business) (Registration) Regulations 2021 ("RFBR Regs"), which impose an obligation on four classes of RFBs to register with the GFSC for the purposes of AML/CFT and counter proliferation financing supervision, to the extent they are not already supervised. In particular, these requirements apply to: (a) undertakings that receive, whether on their own account or on behalf of another person, proceeds in any form from the sale of tokenised digital assets involving the use of DLT or a similar means of recording a digital representation of an asset; and (b) persons that, by way of business, exchange, or arrange or make arrangements with a view to the exchange of (a) virtual assets for money, (b) money for virtual assets, or (c) one virtual asset for another. Failure to register is a criminal offence punishable with up to two years' imprisonment and/or a fine. The registration regime should not be confused with any application for regulatory permissions required under the FSA, in respect of regulated activity defined under that Act. Such permissions would need to be sought if the RFB intends to carry out regulated activity.

Additionally, the registration requirements are not applicable where a person is already subject to supervision by a supervisory authority. The RFBR Regs provide fitness and propriety criteria that the GFSC will need to consider when accepting or refusing registration (including the withdrawal of registration after it is granted).

Gibraltar has included a definition for virtual asset service providers ("VASPs"), which replicates the Financial Action Task Force ("FATF") definition of the same. The only purpose of this definition is to define transactions between RFBs operating in Gibraltar and VASPs operating outside Gibraltar (and not therefore RFBs). Likewise, a definition of "virtual asset" is also used, which aligns with the FATF definition of the same.

6. Promotion and testing

Gibraltar has always maintained itself at the forefront of novel technological development. In fact, for most online gambling businesses around the world, it is found that most are based in Gibraltar, which was also the fastest mover in developing regulation around that space.

Gibraltar is hoping to replicate that philosophy in the blockchain space and follow the success of online gaming, and is doing so by stepping out of the regulatory "sandbox", in the same way as it did back in the gaming days. Rather than creating a "safe space" for businesses to test innovative financial products, services, business models and delivery mechanisms in a live environment without immediately incurring all the normal regulatory consequences of engaging in the activity in question, Gibraltar has instead chosen to provide legal certainty and allow businesses to operate within a purpose-built legislative framework. In doing so, it considers that a flexible, adaptive approach is required in the case of novel business activities, products and business models and that whilst regulatory outcomes remain central, these are better achieved through the application of principles rather than rigid rules. This is because, for businesses based on rapidly evolving technology, such hard and fast rules can quickly become outdated and unfit for purpose. Accordingly, Gibraltar's principles-based framework is based on risk and proportionality, and is outcome-focused yet robust.

The Government of Gibraltar recognises that this is a nascent industry and whilst Gibraltar has shown leadership in this space, development is clearly an ongoing process and Gibraltar is aware of the importance, as a jurisdiction, for it to invest in supporting the development of knowledge and skills, in tandem with generating economic results as Gibraltar continues to strive for excellence.

7. Ownership and licensing requirements

If a firm is engaging in an activity for business purposes, which involves the storage or transmission of cryptocurrencies belonging to third parties, it will need to be authorised under the DLT Framework.

If there is an intention to establish an arrangement that enables a number of investors to pool their assets and have these professionally managed by an independent manager, rather than buying investments directly as individuals, then CIS law is another relevant legal consideration.

The FSA defines a CIS as "any arrangement with respect to property, the purpose or effect of which is to enable persons taking part in the arrangement, whether by becoming owners of the property or any part of it or otherwise, to participate in or receive profits or income arising from the acquisition, holding, management or disposal of the property or sums paid out of such profits or income".

The arrangement referred to above must be such that the participants in the arrangement do not have day-to-day control over the management of the assets. Further, the investments and the profits/income arising from them must be pooled, and/or the property managed as a whole.

There are two popular structures for setting up a CIS in Gibraltar: the Experienced Investor Fund ("EIF"); and the Private Scheme ("PS"). These structures are agnostic to the underlying assets they govern for investors.

Typically, a CIS that is to focus on crypto-assets would be best established as an EIF. Only when such a CIS is set up for a small group of persons previously known to each other, and where there will be no promotion of the CIS, would it be suitable to set up a CIS of this nature as a PS. Indeed, the local Gibraltar Funds and Investments Association has published a draft code of conduct to this effect, which also serves as a reference point of elements that should be kept in mind when establishing funds dealing with crypto-assets. Among other things, the code will cover custody of crypto-assets, valuation, corporate governance and security.

The EIF is designed for professional, high-net-worth or experienced investors. Each investor would need to invest at least €100,000 in the EIF – or its equivalent in an alternative fiat – or prove a net worth of at least €1m, excluding one's personal residence.

The EIF regime is reliant on EIF Directors and other licensed service providers.

A CIS of this nature will fall within the definition of an alternative investment fund ("AIF") under the Financial Services (Alternative Investment Fund Managers) Regulations 2020. Accordingly, there will be multiple considerations that become relevant, both in terms of the sale, promotion and management of that AIF, as well as the depositary arrangements for AIF units.

8. Mining

The mining of Bitcoin and other cryptocurrencies is not covered by any specific legal or regulatory framework. Accordingly, it is permitted. As set out above, a cryptocurrency such as Bitcoin, which comes into existence by way of mining without an issuer, does not qualify as E-Money. However, this will ultimately depend on how the mining activity is conducted. For example, given the definition of an AIF, if the mining activities are conducted in a particular way that involves a collective group of people and shared infrastructure, an argument could certainly be made that the arrangement would qualify as a collective undertaking in the sense of the legal meaning.

9. Border restrictions and declaration

Presently, there are no border restrictions in place on declaring cryptocurrency holdings. Instead, these restrictions are usually in place for issues such as transport of goods. Though there are no restrictions in this sense, several of the above authorisation processes required by the regulations will require "mind and management" to be in Gibraltar, comprising an office with registered employees.

10. Reporting requirements

No specific reporting requirements are triggered for cryptocurrency payments made in excess of a certain value. However, any threshold amounts may determine the recordkeeping requirements that may apply to a business under POCA. Businesses under POCA must report suspicious activity of money laundering.

However, it is worth noting that in October 2018, the FATF amended its Recommendation 15 (New Technologies) of its 2012 Recommendations on International Standards on Combatting Money Laundering and the Financing of Terrorism & Proliferation ("FATF Standards") to explicitly clarify that the FATF Standards apply to financial activities involving "virtual assets" and added two new definitions relating to "virtual assets" and "VASPs". The FATF also began working on an Interpretative Note to Recommendation 15 to clarify the FATF Standards that apply to virtual assets and VASPs ("INR 15"), as well as Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers ("VASP Guidance"), which explains how the FATF Standards apply to virtual assets and VASPs on a Recommendation-by-Recommendation basis.

Both the INR 15 and VASP Guidance were adopted by the FATF in June 2019, and clarified how the FATF Standards should apply, in particular in respect of the application of a risk-based approach to virtual asset activities and VASP operations, with supervision or monitoring for AML and combatting the financing of terrorism ("CFT") purposes, licensing or registration, preventative measures such as CDD, recordkeeping, suspicious transaction reporting and other sanctions and enforcement measures.

Without wishing to go into too much detail, it is important to note that while many jurisdictions took a reactive approach to the VASP Guidance and INR 15, beginning to take steps to comply with them after they were adopted in June 2019, Gibraltar had such measures in place since January 2018, well before the FATF introduced its VASP Guidance. Furthermore, in our view, Gibraltar's DLT Framework goes well beyond the FATF Standards in respect of the licensing and registration of VASPs. As a simple example, the VASP Guidance suggests that VASPs should be required to meet "registration criteria set by relevant authorities". The wording at paragraph 80 cites the fact that authorities should:

Gibraltar has also introduced various pieces of legislation, in part, to deal with the implementation of the "travel rule" prescribed under the revised Recommendation 15 (as read with Recommendation 16) of the FATF Recommendations. The "travel rule" obligations are now placed on RFBs, as defined in s.9 POCA, who send (on behalf of a "payer") or receive (on behalf of a "payee") virtual assets to or from VASPs.

The regulations operate by obligating the RFB acting for the payer in a virtual asset transaction that has been captured by the regulations, to obtain and submit certain information on the payer and on the payee. In many cases, the RFB may already have information on the payer as part of its CDD obligations under POCA, which apply to regulated DLT firms in Gibraltar, as well as other RFBs. However, unless the payee is also one of its clients, the originator RFB is unlikely to have information relating to the payee and will therefore need to have the relevant industry systems in place that allow this information to be securely provided.

The RFB receiving the virtual assets on behalf of the payee (which we can refer to as the "beneficiary RFB" for simplicity) has the obligation to ensure it receives the required information from the originator RFB and then corroborate this with its own records in respect of the payee's name and, where applicable, the payee's account number.

The information-gathering requirements shift slightly depending on whether the RFB is acting on behalf of a payer, a payee, or both (as well as on its own behalf). RFBs also have to consider the obligations when they receive virtual asset transfers from a person other than a VASP (e.g. virtual assets received from an unhosted wallet).

The travel rule does not apply where the RFB sends a virtual asset transfer to a person other than a VASP. In this case there are no information gathering requirements, other than the usual CDD requirements that an RFB has to meet under POCA. Given the overlap of travel rule information and CDD information obtained during the normal course of an RFB's activities, the regulations make clear that any requirement, under the regulations, for an RFB to obtain the information specified in r.4(2), or any part of it, shall constitute a CDD measure as if the requirement to obtain that information was listed in s.10 POCA. The recordkeeping requirements under s.25 POCA are also applicable to information obtained when sending or receiving virtual asset transfers.

11. Estate planning and testamentary succession

The law of succession in Gibraltar is largely based upon the UK Wills Act 1837, which is amended by Gibraltar's Wills Act. Administration of estates is governed by Gibraltar's Administration of Estates Act 1933, consolidated in 1948 (as amended).

The law of Gibraltar, as it relates to a deceased person who dies domiciled, closely resembles the laws of England & Wales. Moveable and immoveable property are treated differently. In the case of moveable property, the law of the country where the deceased died domiciled is applied.

There are no death duties to pay in Gibraltar.

Estate planning for cryptocurrency presents its own unique difficulties. Ordinarily, probate is a public process completed upon the presentation of various legal documents. Both of these concepts are in conflict with cryptocurrency.

Estate practitioners are going to have to be aware of the specific issues of cryptocurrency when drafting testaments, the aim being to ensure that the cryptocurrency property is accurately reflected, can be properly transferred upon the death of the holder, and also to ensure that the value of the property can be maintained.

As yet, there is no specific guidance issued in Gibraltar in relation to cryptocurrency and estate planning or succession.

Originally published by Global Legal Insights– Blockchain & Cryptocurrency Regulation 2022.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.