Gibraltar

The regime is principles-based, with 10 core principles covering governance, risk management, financial stability, data security, and customer protection; applicants must demonstrate compliance, including "mind and management" in Gibraltar (e.g., local office and employees).1 2 6

Post-licensing, firms must adhere to AML/CFT/CPF under the Proceeds of Crime Act 2015 ("POCA") and subsidiary rules, including customer due diligence (CDD), transaction monitoring, risk assessments, staff training, and appointing a compliance officer.1 2 6

No separate "crypto-only" license exists; the DLT license covers broader blockchain activities.2

The **DLT Provider Licence** is mandatory for any business using blockchain or DLT to store, transmit, or trade digital assets, including crypto exchanges, wallet providers, trading platforms, and custodial services; it falls under Section 8 of the FSA and ensures compliance with 9-10 DLT principles focused on transparency, risk management, AML/CFT, and governance.[1][2][3][4][7]

No separate registration regime exists beyond this licensing; firms must be incorporated under the Companies Act 2014 (updated 2022) and comply with Proceeds of Crime Act 2015 (POCA) for AML/CFT/CPF, plus consumer protection and intellectual property rules.[2][6][7]

Activities like ICOs and non-security token sales may require additional Virtual Asset Service Provider (VASP) registration if applicable.[8]

**Authorized capital** varies by project specifics and is not fixed; applicants must demonstrate financial stability, often via business plans showing sufficient resources for operations, risk management, and substance in Gibraltar (e.g., real office, local employees, manager).[1][5]

Substance mandates: Local office, local hires (including a manager), and proof of domestic operations; GFSC verifies the firm is genuinely run from Gibraltar.[1][5]

**Stage 1 (Initial Application)**: Submit form, business plan (detailing name, services, address, contact, founders/key persons), and pay non-refundable assessment fee; GFSC reviews viability against DLT principles.[7]

**Stage 2 (Full Application)**: Pay full fee, submit pack with policy manuals on risk management, IT/security, governance, financial crime (AML/CFT), and compliance procedures.[3][7]

**Stage 3 (Final Submissions)**: Provide conduct-of-business policies, non-financial resources info, and individual application forms for directors, shareholders, and key personnel; GFSC assesses business model, security, and substance.[3][7]

**Approval**: GFSC grants license if criteria met, including AML/CFT protocols and financial soundness; ongoing supervision follows.[3]

Financial Services Act 2019: https://www.gfsc.gg/legislation (core licensing framework).[3][7]

Companies Act 2014 (updated 2022): https://www.gibraltarlaws.gov.gi/legislations/companies-act-2014-389 (company setup).[2]

GFSC DLT Guidance: https://www.fsc.gi/ (application details, principles, fees).[1][2][3][4]

**Proceeds of Crime Act 2015 (POCA)**: Core law mandating AML/CFT/CPF obligations for DLT Firms and VASPs, including registration of the Money Laundering Reporting Officer (MLRO) with GFSC.[1][2][5][6]

**Financial Services Act 2019 (FSA)**: Regulates DLT activities (e.g., storing/transmitting value via DLT) as requiring GFSC authorization; non-DLT crypto activities fall under POCA AML regime.[1][5]

**RFBR Regs 2021**: Requires registration for AML/CFT supervision of VASPs not otherwise regulated.[3]

**Sanctions Act 2019**: Expected compliance for counter-proliferation.[1][2]

GFSC issues comprehensive AML/CFT/CPF guidance; VASPs must submit policies/manuals during application.[1][2][5]

GFSC website: https://www.fsc.gi/ (regulatory body for oversight).[1][2][5][6]