🇬🇮Gibraltar

Detailed overview

Gibraltar: DLT Provider and Virtual Asset Arrangement Regulation

Gibraltar regulates cryptoasset and DLT activity through the Financial Services Act 2019, the Financial Services (DLT Providers and VAA Providers) Regulations 2020, the Proceeds of Crime Act 2015, and related GFSC guidance. It is not a single informal “crypto registration” regime. A person must not carry on a regulated activity in or from Gibraltar, or purport to do so, unless authorised or exempt. The relevant regulated activities are providing distributed ledger technology services and providing virtual asset arrangements.

A DLT Provider’s business is the regulated activity in paragraph 139 of Schedule 2 to the Financial Services Act 2019: using DLT for the storage or transmission of value belonging to another. “Value” is defined broadly and includes assets, holdings, ownership, rights or interests, with or without related transfer, payment, clearing or settlement information. A Virtual Asset Arrangement Provider’s business is the regulated activity in paragraph 139A of Schedule 2: by way of business, exchanging or making arrangements with a view to the exchange of virtual assets for money, money for virtual assets, or one virtual asset for another virtual asset.

The Gibraltar Financial Services Commission grants Part 7 permissions for DLT Provider and VAA Provider business. An application must be made in the form and manner directed by the GFSC, include required documents and information, pay the prescribed fee, and satisfy the GFSC that the applicant will comply at all times with the statutory regulatory principles. The principles require honesty and integrity; fair, clear and not misleading customer communications; adequate financial and non-financial resources; effective management and risk control; protection of customer assets and money; corporate governance; high-standard systems and security access protocols; financial-crime controls; resilience and solvent wind-down arrangements; and market integrity.

GFSC guidance states that firms seeking authorisation must be registered and have an office in Gibraltar, and that the “mind and management” of the business must be conducted from the Gibraltar office. A Gibraltar-incorporated or Gibraltar-registered firm providing DLT services or virtual asset arrangements outside Gibraltar is considered to be carrying on the activity from Gibraltar.

The perimeter is fact-sensitive. Holding or having direct access to private keys enabling control over a client’s virtual asset clearly meets GFSC’s interpretation of “storage.” Control over sending a client’s value to another wallet or changing ownership is treated as “transmission.” Non-custodial OTC / brokerage desks may fall under the VAA Provider route where they arrange fiat / virtual asset or virtual asset / virtual asset transactions without custody. Peer-to-peer exchange platforms may also fall within VAA regulation where they arrange transactions, while mere information, advertising or software that does not arrange transactions is outside that specific VAA activity.

Gibraltar stablecoin and DeFi analysis is case-by-case. GFSC guidance states that price-stabilised virtual assets may fall within other regulated activities, including e-money or financial instruments, and, where they do not, they may still be “value” for DLT Framework purposes. Developers, owners, operators or administrators of smart contracts, DApps, DEXs and stablecoins may fall within the DLT Framework where there is control, significant influence or commercial benefit, even if elements of the process are automated or decentralised.

AML/CFT controls are separate and central. The Proceeds of Crime Act defines “virtual asset” as a digital representation of value that can be digitally traded or transferred and used for payment or investment purposes, excluding digital representations of fiat currencies and specified financial instruments. Relevant financial business includes regulated activities under paragraphs 139 and 139A of Schedule 2 to the Financial Services Act, meaning DLT and VAA businesses are within the AML framework. Gibraltar’s virtual asset transfer rules require originator and beneficiary information for material virtual asset transfers of EUR 1,000 or more, secure and immediate submission of required information, beneficiary-side checks, risk-based procedures for missing or inconsistent information, CDD treatment and recordkeeping.

Token issuance and tokenised asset sales require separate analysis. Gibraltar’s relevant financial business registration rules cover undertakings receiving proceeds from the sale of tokenised digital assets involving DLT or a similar digital representation mechanism, where the undertaking is not otherwise supervised by a relevant supervisory authority. If the token is a financial instrument, e-money, collective investment scheme interest, debenture, preference share, fund interest or other regulated product, additional Financial Services Act, prospectus, fund, restricted-promotion, or e-money analysis may be required. For example, Gibraltar’s Restricted Promotions Regulations 2025 restrict regulated firms from communicating or approving financial promotions for speculative illiquid securities to retail clients unless an exemption applies.

Regulator: Gibraltar Financial Services Commission. Core routes: Part 7 permission for DLT Provider business; Part 7 permission for VAA Provider business; POCA relevant financial business registration for certain tokenised digital asset sale proceeds where not otherwise supervised; AML/CFT and Travel Rule compliance; separate e-money, financial instrument, collective investment scheme, securities, prospectus, restricted-promotion and payment-services analysis where the token or business model has those features.

Question presented and assumptions

Question presented: What Gibraltar legal/regulatory entry should be added to the Licentium jurisdiction hub for cryptoasset, virtual-asset, DLT, exchange, custody, brokerage, stablecoin, DeFi and token-issuance market-entry purposes?

Assumptions: The intended hub entry is for firms providing custody, hosted wallets, exchange, OTC brokerage, peer-to-peer exchange, virtual asset transfer, stablecoin, DApp / DEX administration, smart-contract operation, token issuance, tokenised asset sales, tokenised securities, market-making, payment services, staking, or related Gibraltar-facing or Gibraltar-based services. No facts are supplied about Gibraltar incorporation, office, mind and management, customer location, custody / private-key control, fiat rails, token rights, stablecoin reserve design, decentralised control, own-account dealing, fund status, securities status, e-money status, or whether the provider is already GFSC-authorised under another regime.

Jurisdiction profile

Gibraltar’s official legislation repository for this session is the Laws of Gibraltar website. Its current-version pages show legislative title, last update, date, parent Act, amending legislation and version history. The Financial Services Act 2019 page shows “Current Version,” last update 2026-02-01, and lists the DLT Provider / VAA Provider Regulations as subsidiary legislation. The Financial Services (DLT Providers and VAA Providers) Regulations 2020 page shows “Current Version,” last update 2026-03-26, and amending legislation including the 2025 VAA amendment and the 2026 dividend / capital-distribution amendment. The Proceeds of Crime Act 2015 page shows “Current Version,” last update 2025-10-27, and lists the Relevant Financial Business Registration Regulations and Transfer of Virtual Assets Regulations.

Administrative materials are taken from the Gibraltar Financial Services Commission. GFSC’s DLT Provider page gives the authorisation process and application stages. GFSC’s Scope of the DLT Framework guidance states that it explains the Financial Services Act as it applies to DLT services and virtual asset arrangements, and the DLT Regulations.

Court materials are available through the Laws of Gibraltar site’s Judgments link and Gibraltar Courts Services link; no case law is relied on in this session, so no subsequent-history or later-treatment search was required.

Hierarchy used here: Acts and subsidiary legislation are binding law. GFSC guidance is official administrative material and is used for GFSC’s regulatory interpretation and process. GFSC guidance does not override the Financial Services Act, DLT/VAA Regulations, Proceeds of Crime Act or subsidiary regulations.

Executive summary

• Gibraltar’s core gateway is the Financial Services Act 2019 general prohibition: a person may not carry on a regulated activity in or from Gibraltar, or purport to do so, unless authorised or exempt.
• The DLT regulated activity is using DLT for the storage or transmission of value belonging to another.
• The VAA regulated activity is, by way of business, exchanging or arranging exchanges of virtual assets for money, money for virtual assets, or one virtual asset for another virtual asset.
• DLT Providers and VAA Providers require Part 7 permission; the GFSC must not grant permission unless satisfied the applicant will comply at all times with the statutory regulatory principles.
• The regulatory principles cover integrity, fair communications, resources, risk management, customer asset protection, governance, systems/security, financial crime controls, wind-down resilience and market integrity.
• GFSC guidance requires authorisation applicants to be registered and have an office in Gibraltar, with mind and management conducted from that Gibraltar office.
• The 2025 VAA amendment brought virtual asset arrangements into the Financial Services Act regulated-activity perimeter from 2025-10-27; previous POCA-registered VAA providers had to notify GFSC within 14 days and apply for Part 7 permission within six months if they intended to continue.
• All DLT Providers and VAA Providers fall within the FATF VASP definition according to GFSC guidance, but not all VASPs fall within the DLT Framework; those outside DLT/VAA are regulated under the Proceeds of Crime Act framework.
• Virtual asset transfers are subject to Travel Rule-style requirements for material transactions of EUR 1,000 or more, including payer / payee information, secure transmission, beneficiary-side checks, risk-based handling of missing information, CDD and recordkeeping.
• Stablecoins, DApps, DEXs, non-custodial OTC desks, P2P platforms, non-custodial wallets, pure software and own-account activity must be analysed by control, custody, arrangement, commercial benefit and Gibraltar nexus, not by label.

Analysis by issue

Market-entry route: DLT Provider and VAA Provider Part 7 permission

Conclusion: Gibraltar should be presented as a Part 7 permission jurisdiction for DLT Provider and VAA Provider activities, not as an unregulated offshore crypto hub.

Rule: The Financial Services Act states that no person may carry on a regulated activity in or from Gibraltar, or purport to do so, unless the person is authorised or exempt. Contravention is an offence. Schedule 2 specifies DLT services as “Using DLT for storage or transmission of value belonging to another,” and VAA as exchanging or arranging exchanges of virtual assets for money, money for virtual assets, or virtual assets for other virtual assets.

The DLT/VAA Regulations define a DLT Provider as a person with Part 7 permission for DLT Provider business, and a VAA Provider as a person with Part 7 permission for VAA Provider business.

Application: A Gibraltar exchange, hosted wallet, custodian, transfer service, OTC desk, brokerage desk, peer-to-peer platform, DEX operator, DApp administrator, stablecoin operator or other service provider should first be mapped to paragraph 139 or 139A. Custody or control over another person’s virtual asset is likely to be a DLT Provider issue. Non-custodial arranging of trades can be a VAA Provider issue. A business can require both analyses if it arranges trades and also stores or transmits customer value.

Limitations / counterarguments: Pure own-account activity, pure software, non-custodial wallets, pure investment advice, pure R&D, and validation activity can fall outside the DLT Framework depending on facts. Those exclusions are not automatic and turn on control, commercial benefit, client relationship and whether the activity is carried on by way of business.

VAA transition and current status after the 2025 amendment

Conclusion: Virtual asset arrangements moved from POCA registration treatment into the Financial Services Act Part 7 permission route from 2025-10-27. As of this session, new VAA providers should be treated as requiring GFSC Part 7 permission before carrying on the activity, unless exempt.

Rule: LN 2025/254 inserted paragraph 139A into Schedule 2 of the Financial Services Act and made providing virtual asset arrangements a specified regulated activity. It also amended POCA and the RFB Registration Regulations by omitting the earlier POCA registration category for VAA providers. Transitional arrangements applied to persons registered under the POCA RFB Registration Regulations immediately before 2025-10-27 and carrying on VAA activity; such persons had to inform GFSC within 14 days and apply for Part 7 permission within six months of the appointed day. Those who complied could continue until the application was determined; if refused, they could continue only for GFSC-specified orderly-cessation purposes and could not conduct new VAA business.

Application: The hub should state that VAA providers now fall under the GFSC Part 7 permission framework. For an existing Gibraltar VAA provider, check whether it was previously POCA-registered, notified GFSC within 14 days from 2025-10-27, filed the Part 7 application within six months, and received any extension or determination. For a new entrant, the safer website wording is “Part 7 permission required before carrying on VAA business.”

Limitations / counterarguments: A firm might argue it only provides information, advertising or software, or that it only trades on own account. Those arguments must be tested against GFSC’s guidance and the actual client-facing arrangements.

Authorisation standards and ongoing regulatory principles

Conclusion: GFSC authorisation is substantive and principles-based. Applicants must demonstrate that they will comply with all statutory regulatory principles.

Rule: An application must be made in the GFSC-directed form and manner, contain required documents and information, pay the prescribed fee, and comply with applicable requirements. The GFSC must not grant Part 7 permission unless satisfied that the applicant will at all times comply with the regulatory principles. A relevant provider must at all times comply with the principles and promptly inform GFSC of events it knows or reasonably suspects may affect compliance.

The principles require honesty and integrity; fair, clear and non-misleading communications; adequate financial and non-financial resources; effective management, skill, care, diligence and risk regard; effective customer asset / money protection; corporate governance; high-standard systems and security access protocols; financial-crime controls; resilience and orderly solvent wind-down; and market integrity.

GFSC’s application process is staged. Stage 1 includes the application fee, application form, Stage 1 business plan, controller forms and source-of-wealth/funds evidence. Stage 2 covers risk management, IT systems, corporate governance, financial crime, cyber, outsourcing and safeguarding of customer assets, including private-key management and hot/cold storage. Stage 3 covers conduct of business, terms, risk warnings, fee schedule, compliance structure, conflicts, liquidity/solvency, internal audit, complaints, market-abuse / insider-trading policies, audit/accounting/banking and insurance arrangements.

Application: A Gibraltar applicant should prepare a regulatory application comparable to a financial-services authorisation, not a registration form. The application should address ownership, source of funds, business plan, key persons, local mind and management, custody architecture, safeguarding, AML/CFT, blockchain analytics, cyber controls, outsourcing, governance, conflicts, complaints, risk warnings, fees, capital, solvency, wind-down, market abuse and audit.

Limitations / counterarguments: The precise evidence required depends on the business model, token set, client type, custody model, fiat flows, market function, outsourcing, group structure and GFSC pre-application feedback.

Gibraltar substance and “in or from Gibraltar” nexus

Conclusion: Gibraltar authorisation requires substance. GFSC guidance expects a Gibraltar office and mind-and-management from Gibraltar for authorised DLT/VAA activity.

Rule: GFSC guidance states that, for a firm to be authorised to carry on regulated activities in Gibraltar, it must be registered and have an office in Gibraltar. The firm must ensure that the “Mind and Management” of its business is conducted from that Gibraltar office and be able to evidence this. GFSC also states that a Gibraltar-incorporated or Gibraltar-registered firm providing DLT services or virtual asset arrangements outside Gibraltar is considered to be carrying on that activity from Gibraltar.

Application: A group using a Gibraltar company for exchange, custody, brokerage, stablecoin, wallet or DApp operations should assume that substance will be reviewed. Board control, senior management, compliance, risk, operations, outsourced functions, decision-making records, local office, local regulated individuals and Gibraltar governance should be documented.

Limitations / counterarguments: A non-Gibraltar company with no Gibraltar office, customers, infrastructure, management, issuer function or operations may have a different result. Conversely, a Gibraltar company serving only non-Gibraltar customers may still be treated as carrying on the activity from Gibraltar.

Custody, storage, transmission and client asset protection

Conclusion: Custody and control are central to Gibraltar DLT classification. A business with direct or effective control over client value or private keys is likely to fall under DLT Provider analysis.

Rule: GFSC guidance interprets “storage” as the ability for one party to exercise control over access to another’s value so that the value could be compromised by that party’s actions. Holding or directly accessing private keys enabling control over a client’s virtual asset clearly meets the storage concept. GFSC treats control or partial control over sending client value to another wallet or address, changing ownership by another means, or destroying value as transmission. The statutory principles require effective arrangements for protecting customer assets and money when the provider is responsible for them.

Application: Hosted wallets, exchange custody, omnibus wallets, MPC arrangements, multi-signature services, smart-contract administrators with transfer control, settlement agents and custodial staking services should be reviewed as DLT Provider models. Required compliance materials should include private-key governance, access controls, hot/cold storage, wallet segregation, reconciliation, customer asset terms, third-party custody due diligence, cyber controls, incident response, loss scenarios and wind-down.

Limitations / counterarguments: Hardware wallet manufacturers and non-custodial wallet providers are likely outside scope where they carry on no other DLT Framework activity. Signatories without private-key control may also fall outside in certain circumstances, but GFSC views a party essential to a multi-signature transfer as potentially in scope even if it cannot complete the transaction alone.

OTC, brokerage, P2P, DeFi, DApps, DEXs and stablecoins

Conclusion: Gibraltar’s perimeter is functional. Non-custodial intermediation can be VAA business; controlled or economically centralised DeFi / DApp / DEX / stablecoin activity can be DLT business; pure software or genuinely decentralised deployments may be outside scope.

Rule: GFSC guidance states that the primary VAA business model is a non-custodial OTC exchange or brokerage desk that arranges buying and selling of virtual assets for fiat or other virtual assets between clients, third-party liquidity providers or the firm, without taking custody or otherwise storing/transmitting the virtual assets. GFSC also states that peer-to-peer exchange platforms may be VAA business, but mere information, advertising or software that does not arrange transactions falls outside the VAA activity.

For DApps and DEXs, GFSC states that the DLT Framework is not intended to capture pure research and development or open-source deployment, but rather persons with continued control, significant influence, or potential commercial benefit after launch. For smart contracts, DApps, DEXs and stablecoins, GFSC states that developers, owners, operators and administrators may be in scope where there is some centralised control, control over processes, economic substance or commercial benefit. For stablecoins, GFSC says the framework is applied case-by-case and that the entity’s role in stabilisation, access, AML controls, reserve requirements or supply is a key consideration.

Application: An OTC broker should be classified as DLT if it touches customer assets and as VAA if it only arranges execution. A P2P board that only publishes information may be out of VAA, but a platform that introduces, matches, routes, or otherwise arranges exchange is more likely in scope. A DEX administrator, stablecoin governance body, smart-contract operator or treasury controller should be assessed for control, upgrade rights, fee extraction, liquidity/reserve management, validator / oracle control, access control and AML controls.

Limitations / counterarguments: “Decentralised” is not determinative. Conversely, the presence of open-source software or validators is not enough by itself if no person carries on business for or on behalf of another with relevant control or arrangement function.

AML/CFT, POCA registration and Travel Rule

Conclusion: Gibraltar virtual asset businesses must be analysed under both financial-services permission and POCA AML/CFT frameworks.

Rule: The Proceeds of Crime Act defines “virtual asset” as a digital representation of value that can be digitally traded or transferred and used for payment or investment purposes, excluding digital representations of fiat currencies and specified financial instruments. POCA’s relevant financial business definition includes Financial Services Act Schedule 2 paragraphs 139 and 139A, covering DLT services and VAA. GFSC guidance states that all DLT Providers and VAA Providers fall within the FATF VASP definition, but VASPs outside DLT/VAA are regulated under POCA.

The Transfer of Virtual Assets Regulations define a material transaction as EUR 1,000 or more and define a virtual asset transfer as a material transaction on behalf of a payer to make a virtual asset available to a payee. Originating relevant financial businesses must obtain and securely submit payee and payer information immediately. Beneficiary relevant financial businesses must ensure receipt and consistency of required information and apply risk-based procedures to missing, incomplete or inconsistent information.

Separately, the POCA RFB Registration Regulations require GFSC to maintain a register for undertakings receiving proceeds from tokenised digital asset sales involving DLT or similar technology where the undertaking carries on business in or from Gibraltar and is not otherwise supervised by a relevant supervisory authority. Registration requires a risk assessment and fit-and-proper review of the applicant and officers, MLRO, managers and beneficial owners.

Application: DLT/VAA applicants should prepare AML/CFT policies, risk assessment, MLRO, beneficial-owner checks, CDD, sanctions screening, transaction monitoring, blockchain analytics, counterparty VASP diligence, Travel Rule messaging, unhosted-wallet policies, STR escalation, training and recordkeeping. Token issuers receiving proceeds from tokenised digital asset sales should check whether they require POCA RFB registration or are already supervised under another regime.

Limitations / counterarguments: The POCA RFB registration route is not a substitute for Part 7 permission where the activity is DLT or VAA business. Conversely, a token sale that is not a regulated DLT/VAA business may still create POCA registration or AML obligations.

Tokenised securities, e-money, stablecoins, financial promotions and other overlays

Conclusion: DLT/VAA permission does not displace other Gibraltar financial-services regimes. Tokenised securities, e-money, CIS interests, debentures, preference shares, payment instruments and stablecoins can trigger additional analysis.

Rule: The POCA virtual asset definition excludes financial instruments specified in paragraph 46 of Schedule 2 to the Financial Services Act. GFSC guidance states that digital representations of fiat currencies and price-stabilised virtual assets may fall within other regulated activities, including e-money or financial instruments; where they do not, they are still likely to be “value” for DLT Framework purposes. The Financial Services (Restricted Promotions) Regulations 2025 treat speculative illiquid securities as controlled investments and prohibit regulated firms from communicating or approving financial promotions for such securities where addressed to, or likely to be received by, retail clients unless an exemption applies.

Application: A Gibraltar token project should classify the token before selecting the regulatory route. A fiat-backed stablecoin may raise e-money, DLT “value,” AML, custody and reserve-governance questions. A tokenised share, debt, debenture, preference share, fund token, derivatives exposure or profit-sharing token may require financial-instrument, prospectus, investment-services, fund and restricted-promotion analysis. A pure utility token may still be a virtual asset or value if transferable, tradeable, used for payment or investment, or controlled by the provider.

Limitations / counterarguments: The outcome depends on legal rights, redemption, reserve ownership, issuer promises, yield, transferability, investor expectation, marketing, use of proceeds, governance, secondary-market listing, customer type and whether the arrangement is truly outside financial-instrument or e-money definitions.