Gibraltar introduces a legal framework for cryptocurrency businesses


Regulation, use, and taxation of cryptocurrencies, such as Bitcoin, are topics that receive an increasing interest among businesses and regulatory authorities. Despite their speculative and risky nature, the number of cryptocurrencies steadily increases. To illustrate the extent of the cryptocurrency buzz, it is sufficient to note that, in August 2017, investors invested more than USD 186 million in a new cryptocurrency called Filecoin.Although cryptocurrencies are substantially regulated only by a small number of jurisdictions, more and more regulatory bodies discuss new frameworks designed specifically for cryptocurrencies which aim to address the challenges and utilise the benefits of the current “cyber gold rush”. Gibraltar will become the first area in Europe and one of the first in the world that will start regulating businesses engaged in Distributed Ledger Technology (DLT), which includes also the Block-chain technology.

Gibraltar – a pioneer in regulating cryptocurrency businesses

The Gibraltar Financial Services Commission (GFSC) addressed the increasing use of tokens and coins based on Distributed Ledger Technology (DLT), which underpins decentralised virtual currencies, and introduced a new regulatory framework that will come into force in January 2018. It will regulate the activities of Gibraltar-based companies that use DLT for virtual currency exchanges. The regulatory framework will be introduced as an amendment of the Gibraltarian Financial Services (Investment and Fiduciary Services) Act 1989.Such a bold regulatory framework aims to promote DLT-based operations and present Gibraltar as a sound, safe, and well-regulated place to do business in the field. The framework will contribute to the economic development of the region and assist companies to create new DLT-based products and maintain their competitive edge, without posing threats to the integrity of the Gibraltarian economy.Since 2016, Gibraltar has been making consistent moves towards the regulation of cryptocurrencies by conducting research on the DLT, outlining proposals for the new regulatory framework, and attracting investments from a number of cryptocurrency-engaged companies (e.g., Xapo and Coinsilium). 

Scope of the DLT framework

The Gibraltarian DLT framework will apply to natural and legal persons that use the DLT for business activities engaged in “the transmission or storage of value belonging to others” and which are not subject to other existing legal regulations. Such business activities include, for example, centralised virtual currency (VC) administrators, VC wallet providers, trading platforms, VC exchanges, payment service providers, issuers of asset-backed tokens, pre-loaded VC, vouchers and wallets, and peer-to-peer gaming platform operators.It is important to note that some types of businesses related to VC fall outside the scope of the new regulatory frameworks, such as decentralised VC schemes (e.g. Bitcoin), DLT software developers, users purchasing goods and services with VC, and investment in VC for private purposes. It is also proposed that investment advice about VC will not fall within scope of the new DLT framework.

Main principles of the DLT framework

Although the exact licensing requirements for DLT businesses are still to be introduced, the new DLT legal framework will be based on 9 pillars that are briefly discussed below.
  1. Honesty and integrity. In order to be fit and proper to undertake a DLT activity, companies will be required to conduct business in an integral, honest, skilled, and competent manner.
  2. Fairness and clarity. For the purpose of protecting customer’s interests, companies engaged in DLT should mitigate the risks associated with use of DLT and employ the best practices in informing their clients in a clear, fair, ethical, and non-misleading way. Also, the clients of DLT companies should be notified about per-transaction risks and terms and conditions in an understandable language.
  3. Maintenance of adequate financial and non-financial resources. DLT companies will be required to hold sufficient capital and monitor its sufficiency for business objectives. Moreover, in some cases, DLT companies will have to obtain professional indemnity insurance coverage. The requirements regarding non-financial resources will be imposed by the GFSC.
  4. Risk management practices. The management and control practices of DLT companies should include skill, care, and diligence, in order to reduce and timely control any risks emerging from the DLT.
  5. Protection of clients’ assets. DLT companies will be required to place effective arrangements, precautions, and records of transactions for protecting customers’ money from any DLT-related threats. Such custodial assets should be segregated from the company’s assets.
  6. Corporate governance arrangements. DLT companies will be required to establish and clearly define their corporate systems, including board structure, business processes, culture and strategies. Also, DLT companies are required to maintain “open, cooperative and transparent relationship with the GFSC and other regulators”.
  7. Secure systems and protocols. High security standards should be applied to company’s computer infrastructure, including proactive security assessments, mitigation of technological threats and vulnerabilities, as well as conducting and reporting independent compliance audits.
  8. Prevention of financial crime risks. DLT companies have to ensure that they will take preventive measures and disclose any anti-money laundering, terrorist financing, and other suspicious transactions that may take place using the DLT.
  9. Contingency plans for winding down of business. DLT companies should have clear and well-managed strategies to maintain action plans in cases of disaster recovery and crisis management.


The GFSC will be the body to authorise and supervise DLT companies and to ensure that the DLT framework principles are properly applied to the business operations of such companies.