
Gibraltar DLT Provider Licence: The World's First Blockchain Regulatory Framework
Gibraltar's Distributed Ledger Technology Provider licence was the world's first specific crypto regulatory framework, introduced in 2018. It covers firms using DLT to store or transmit value.
2026
Gibraltar's Pioneering DLT Framework
On 1 January 2018, Gibraltar became the first jurisdiction in the world to introduce a purpose-built regulatory framework for businesses using distributed ledger technology. The Financial Services (Distributed Ledger Technology Providers) Regulations 2017, which amended the Financial Services (Investment and Fiduciary Services) Act, established a licensing regime specifically designed for firms that use DLT to store or transmit value belonging to others.
This was a landmark regulatory moment. While other jurisdictions were still debating whether crypto-assets were securities, commodities, or currencies, Gibraltar created a regime that focused on the technology and the activity rather than attempting to classify the assets themselves.
Scope of the DLT Provider Licence
The Gibraltar Financial Services Commission (GFSC) issues DLT Provider licences to firms that carry on, by way of business in or from Gibraltar, the activity of using distributed ledger technology for storing or transmitting value belonging to others.
The key elements of this definition are:
- "By way of business": The activity must be conducted on a commercial, for-profit basis. Personal or hobby use of DLT is not captured
- "In or from Gibraltar": The firm must be incorporated in Gibraltar or conduct the regulated activity from Gibraltar
- "Using distributed ledger technology": The firm must use DLT as a core part of its business model, not merely as an ancillary tool
- "Storing or transmitting value belonging to others": This captures custodial activities and payment/transfer services involving DLT-based assets
Activities covered include:
- Crypto exchanges (facilitating the exchange of DLT-based assets)
- Crypto custodians (holding DLT-based assets on behalf of clients)
- Payment processors using blockchain technology
- Token platforms and marketplaces
- Wallet providers that hold customer assets
Activities not covered:
- Purely technology companies that develop DLT software but do not store or transmit customer value
- Firms that only provide information or advice about DLT-based assets
- Mining or validation activities (unless the miner also stores or transmits third-party value)
The Nine Regulatory Principles
Rather than prescribing detailed rules, the GFSC's DLT framework is built around nine regulatory principles that licensees must uphold. This principles-based approach gives the regulator flexibility while providing licensees with clear expectations:
- Principle 1, Honesty and integrity: A DLT Provider must conduct its business with honesty and integrity.
- Principle 2, Customer care: A DLT Provider must pay due regard to the interests and needs of each customer and must communicate with customers in a fair, clear, and not misleading manner.
- Principle 3, Financial resources: A DLT Provider must maintain adequate financial resources and have effective arrangements for the management of those resources.
- Principle 4, Risk management: A DLT Provider must manage and control its business effectively, with proper risk management and internal controls.
- Principle 5, Protection of client assets: A DLT Provider must safeguard client assets and money, ensuring proper segregation and appropriate custody arrangements.
- Principle 6, Corporate governance: A DLT Provider must have effective corporate governance, including clear organisational structure, defined responsibilities, and adequate oversight.
- Principle 7, Cyber security: A DLT Provider must maintain systems and security arrangements that meet appropriate standards for the nature and scale of its business.
- Principle 8, Financial crime prevention: A DLT Provider must have effective systems and procedures to prevent, detect, and disclose financial crime, including money laundering, terrorist financing, and sanctions evasion.
- Principle 9, Resilience: A DLT Provider must have systems and procedures that are resilient and capable of being maintained, including business continuity and disaster recovery arrangements.
Application Process
The GFSC application process for a DLT Provider licence follows a structured pathway:
Pre-Application
Prospective applicants are encouraged to engage with the GFSC before formal submission. The GFSC operates an open-door policy for pre-application discussions, which can help identify potential issues and accelerate the formal process.
Formal Application
The application must include:
- Company details: Certificate of incorporation, memorandum and articles of association, and corporate structure chart
- Business plan: Comprehensive description of the DLT-based business model, target markets, product suite, and financial projections
- Key individuals: Fit-and-proper documentation for all directors, senior management, and persons with significant control (10%+ shareholders)
- Compliance framework: AML/CFT policies and procedures, including customer due diligence, transaction monitoring, and suspicious activity reporting
- Financial resources: Evidence of adequate capitalisation and financial projections demonstrating ongoing viability
- Technology documentation: Description of the DLT infrastructure, cybersecurity measures, data protection arrangements, and business continuity plans
- Client asset arrangements: Details of how client assets will be safeguarded, segregated, and custodied
- Insurance: Evidence of professional indemnity insurance or equivalent coverage
Assessment
The GFSC assesses the application against the nine regulatory principles. The assessment typically involves:
- Desktop review of documentation
- Interviews with key individuals
- Technical assessment of the DLT infrastructure
- AML/CFT framework review
- Financial resources assessment
Timeline: The GFSC aims to process applications within three to six months from receipt of a complete application. In practice, first applications (where the GFSC needs to understand a novel business model) may take six to nine months.
Licence Grant
Upon approval, the GFSC issues the DLT Provider licence, which is published on the GFSC's public register. The licence specifies the permitted activities and any conditions.
Capital and Financial Requirements
The GFSC does not prescribe a fixed minimum capital requirement for DLT Providers. Instead, Principle 3 requires "adequate financial resources," which the GFSC assesses on a case-by-case basis considering:
- The nature and scale of the business
- The volume and value of client assets held
- The operational costs and projected revenue
- The risk profile of the business model
In practice, the GFSC typically expects DLT Providers to maintain:
- Minimum capital: £25,000-£100,000, depending on the business model
- Ongoing reserves: Sufficient to cover at least six months' operating expenses
- Client asset segregation: Full segregation of client assets from the firm's own assets
AML/CFT Requirements
Gibraltar's Proceeds of Crime Act 2015 and the Financial Services (Distributed Ledger Technology Providers) Regulations establish AML/CFT obligations for DLT Providers:
- Risk assessment: A documented business-wide risk assessment identifying ML/TF risks
- Customer due diligence: Identity verification, beneficial ownership identification, and ongoing monitoring
- Transaction monitoring: Systematic monitoring of transactions for suspicious patterns
- Suspicious activity reporting: Reporting obligations to the Gibraltar Financial Intelligence Unit (GFIU)
- Record keeping: Retention of CDD and transaction records for at least five years
- Staff training: Regular AML/CFT training for all relevant staff
Gibraltar is a member of Moneyval (the Council of Europe's AML evaluation body) and has undergone peer review of its AML/CFT framework.
Gibraltar's Position Post-MiCA
The introduction of MiCA in the EU raises important questions for Gibraltar's DLT framework:
- Gibraltar is not an EU member state and is not subject to MiCA
- However, Gibraltar is closely aligned with the UK regulatory framework through its relationship as a British Overseas Territory
- DLT Provider-licensed firms cannot passport into the EU under MiCA — separate CASP authorisation would be required for EU market access
- For UK market access, Gibraltar-licensed firms benefit from the UK-Gibraltar regulatory gateway for financial services
The GFSC has indicated that it will continue to develop its DLT framework in parallel with, but distinct from, MiCA, maintaining Gibraltar's principles-based approach while ensuring international alignment.
Cost Structure
| Component | Cost |
|---|---|
| Company formation in Gibraltar | £3,000-£8,000 |
| DLT licence application (advisory fees) | £50,000-£120,000 |
| GFSC application fee | £10,000 |
| Annual GFSC supervisory fee | £10,000-£25,000 |
| AML/CFT framework development | £15,000-£30,000 |
| Office and substance requirements | £20,000-£50,000 per annum |
| Ongoing compliance and reporting | £30,000-£70,000 per annum |
| Total first-year cost | £128,000-£303,000 |
Advantages and Limitations
Advantages:
- First-mover framework with significant institutional knowledge at the GFSC
- Principles-based regulation that adapts to novel business models
- English-speaking jurisdiction with common law legal system
- Competitive cost structure compared to larger financial centres
- Strong relationship with the UK financial system
- Small jurisdiction enabling direct engagement with the regulator
Limitations:
- No EU passporting (MiCA authorisation required separately for EU markets)
- Small local talent pool — most staff must be recruited internationally
- Limited local banking options (most firms bank through UK or EU relationships)
- Market perception as a niche jurisdiction compared to Singapore or Switzerland
- The framework's scope (storing or transmitting value) may not capture all crypto business models
Key Takeaways
- Gibraltar's DLT Provider licence, introduced in January 2018, was the world's first purpose-built regulatory framework for blockchain businesses
- The framework is principles-based, built around nine regulatory principles rather than prescriptive rules, giving the GFSC flexibility to assess novel business models
- The licence covers firms that use DLT to store or transmit value belonging to others, capturing exchanges, custodians, and payment processors
- Application processing takes three to nine months, with total first-year costs of approximately £128,000 to £303,000
- Gibraltar does not provide EU market access post-MiCA — firms targeting EU customers need separate CASP authorisation
- The GFSC's direct, accessible approach to regulation and its institutional familiarity with DLT business models remain significant advantages for businesses that fit within the framework's scope
- Gibraltar is best suited for businesses targeting UK or non-EU markets, or as one component of a multi-jurisdictional licensing strategy