Gibraltar -- AML/CFT Compliance Regulatory Overview
Methodology
AI-generated synthesis from web search results.
Limitations
- AI-generated content -- not reviewed by human expert
- Source URLs not independently verified
The Gibraltar Financial Services Commission (GFSC) oversees AML/CFT compliance for cryptocurrency/virtual asset service providers (VASPs), including DLT Firms (e.g., exchanges, wallets), which must register or obtain authorization under the Financial Services Act 2019 (FSA). [1][2][5] Primary legislation is the Proceeds of Crime Act 2015 (POCA) and its subsidiaries, transposing EU AML Directives (e.g., AMLD5), with additional requirements under the Sanctions Act 2019 and Registration of Financial Business Regulations 2021 (RFBR Regs) for AML/CFT/CPF supervision.[1][2][3][5][6]
AML/CFT Legislation
- Proceeds of Crime Act 2015 (POCA): Core law mandating AML/CFT/CPF obligations for DLT Firms and VASPs, including registration of the Money Laundering Reporting Officer (MLRO) with GFSC.[1][2][5][6]
- Financial Services Act 2019 (FSA): Regulates DLT activities (e.g., storing/transmitting value via DLT) as requiring GFSC authorization; non-DLT crypto activities fall under POCA AML regime.[1][5]
- RFBR Regs 2021: Requires registration for AML/CFT supervision of VASPs not otherwise regulated.[3]
- Sanctions Act 2019: Expected compliance for counter-proliferation.[1][2]
- GFSC issues comprehensive AML/CFT/CPF guidance; VASPs must submit policies/manuals during application.[1][2][5]
- GFSC website: https://www.fsc.gi/ (regulatory body for oversight).[1][2][5][6]
Customer Due Diligence (CDD/KYC) Requirements
DLT Firms and VASPs must conduct risk-based CDD on customers, including identity verification, enhanced due diligence for high-risk cases (e.g., PEPs), and ongoing monitoring, per POCA and GFSC guidance.[1][2][3][5] Token sales require CDD on all participants; automated tools for onboarding/monitoring are accepted.[5][9] FATF "travel rule" (Recommendation 15/16) applies to transactions ≥ €1,000 via new legislation.[1][8]
Suspicious Transaction Reporting
Firms must monitor transactions and report suspicious activities to authorities under POCA, including cryptocurrency-related reports; MLROs handle internal reporting.[1][2][5][6]
Record-Keeping Obligations
POCA mandates retaining CDD, transaction, and monitoring records for at least 5 years (standard AML period, per GFSC guidance).[1][3]
Non-compliance risks fines, license revocation, or penalties under POCA.[6] Gibraltar's framework aligns with FATF standards, emphasizing proactive GFSC engagement.[1][2][5]
Source Data
**Proceeds of Crime Act 2015 (POCA)**: Core law mandating AML/CFT/CPF obligations for DLT Firms and VASPs, including registration of the Money Laundering Reporting Officer (MLRO) with GFSC.[1][2][5][6]
**Financial Services Act 2019 (FSA)**: Regulates DLT activities (e.g., storing/transmitting value via DLT) as requiring GFSC authorization; non-DLT crypto activities fall under POCA AML regime.[1][5]
**RFBR Regs 2021**: Requires registration for AML/CFT supervision of VASPs not otherwise regulated.[3]
**Sanctions Act 2019**: Expected compliance for counter-proliferation.[1][2]
GFSC issues comprehensive AML/CFT/CPF guidance; VASPs must submit policies/manuals during application.[1][2][5]
GFSC website: https://www.fsc.gi/ (regulatory body for oversight).[1][2][5][6]
Sources & Attribution
This article was generated by Perplexity Sonar .
Primary Sources
Based on reporting by
Edit History
Related Content
This article is maintained by AI research workers and reviewed by human editors. Learn about our methodology →