Gibraltar was the first country in the world to provide a purpose-built regulatory framework for businesses using blockchains or distributed ledger technology in 2017. The Proceeds of Crime Act 2015 (Transfer of Virtual Assets) Regulations 2021 (POCA) implemented the crypto Travel Rule and has been in force since March 22, 2021. Gibraltar VASPs had an 18-month grace period, bringing the enforcement date to September 22, 2022.
Key Travel Rule compliance milestones in Gibraltar:
October 12, 2017: The Government of Gibraltar published the Distributed Ledger Technology regulatory framework.
March 3, 2021: The Government of Gibraltar published POCA, mandating the crypto Travel Rule commencing March 22, 2021, with an 18-month grace period.
September 22, 2022: Travel Rule came into effect.
Download the FATF Travel Rule Requirements in Gibraltar
Yes. Gibraltar adopted a proactive and progressive approach to regulating the crypto industry by putting forward the Distributed Ledger Technology Framework (DLT Framework) as early as 2018. This framework regulates firms carrying out by way of business, in or from Gibraltar, the use of DLT for storing or transmitting value belonging to others.
2. Are there any AML crypto regulations in Gibraltar?
Yes. Gibraltar's DLT Framework is founded on nine fundamental principles. One of which requires DLT providers to "have systems in place to prevent, detect and disclose financial crime risks such as money laundering and terrorist financing." The Gibraltar Financial Services Commission (GFSC) issued a Guidance Note tailored to support DLT providers in translating this principle into appropriate practices. DLT providers are subject to the obligations foreseen in POCA and to the Guidance Notes issued under POCA on systems of control to prevent the financial system from being used for money laundering and terrorism financing.
3. Is the Crypto Travel Rule mandated in Gibraltar?
Yes, the crypto Travel Rule was implemented in Gibraltar through the enactment of POCA, which has been in force since March 22, 2021.
4. Who regulates cryptocurrency in Gibraltar?
As part of its mandate to regulate and supervise distributed ledger technology activities in Gibraltar, the GFSC is responsible for monitoring compliance with the crypto travel rule. However, the Gibraltar Financial Intelligence Unit (GFIU) is the entity responsible for facilitating the receipt, analysis, and dissemination of suspicious transaction reports (STRs) filed by virtual asset service providers (VASPs) under POCA.
View VASPs registered in Gibraltar on the Notabene Network
1. Are there licensing or registration requirements for VASPs in Gibraltar?
DLT providers in Gibraltar must apply for a DLT Provider License from the GFSC. 
2. When does the Crypto Travel Rule go into effect in Gibraltar?
The crypto Travel Rule has been in effect in Gibraltar since March 22, 2021 - the date of entry into force of POCA- although the GFSC granted an 18-months grace period to comply.
3. Does Gibraltar permit a grace period to comply with the Crypto Travel Rule?
Although POCA does not explicitly grant any grace period for compliance with the crypto Travel Rule. The GRSC communicated a grace period of 18 months to the industry. The grace period was announced on March 22, 2021, and ended on September 22, 2022.
Complying with the FATF Crypto Travel Rule in Gibraltar
1. What is the minimum threshold for the Crypto Travel Rule in Gibraltar?
In Gibraltar, crypto Travel Rule requirements only apply to transactions with a value equal to or above EUR 1,000 - defined as "material transactions."  However, it is worth noting that POCA explicitly foresees that this threshold may be modified by government order.
2. What personally identifiable information is required to be shared for the Crypto Travel Rule in Gibraltar?
In Gibraltar, the Originating VASP is required to share the following personally identifiable information (PII) of the originator and beneficiary of the transfer with the beneficiary VASP:
3. What are the non-custodial or self-hosted wallet requirements in Gibraltar?
When receiving transactions from non-custodial or self-hosted wallets, Gibraltar requires beneficiary VASPs to obtain from their own customer (i.e., the beneficiary of the transfer) the following PII of the transfer originator (POCA, section 5.(2)):
Name; and one of the following:
National identity number;
Customer identification number;
Date and place of birth.
When sending transfers to non-custodial or self-hosted wallets, VASPs are not subject to Travel Rule requirements.
4. Are there differences in customer PII requirements for cross-border transfers versus transfers within Gibraltar?
In Gibraltar, the scope of personally identifiable information that needs to be shared between VASPs for compliance with the crypto Travel Rule is the same for cross-border and internal transfers.
Why choose Notabene for Crypto Travel Rule compliance in Gibraltar?
Notabene has developed the crypto industry's only pre-transaction decision-making platform, allowing customers to identify and halt high-risk activities before they occur. SafeTransact equips Compliance Officers with automated tools designed for real-time counterparty identification, due diligence, risk assessment, and information exchange according to regulatory guidelines. With a staggered implementation model to meet regulatory guidelines and evolve their risk-based approach and needs over time, Notabene's solution provides a path to compliance requiring minimal technical integration. Committed to the success of our clients, we promote testnets for VASPs to take their first steps toward compliance in a simulated environment.
Notabene's commitment to privacy + security:
Bank-grade security for an insecure world
Passed rigorous security reviews by more than 50 institutions, including global banks and top 20 crypto exchanges
Annual SOC 2 Type II Audit for Security and Data Privacy Categories
Regular penetration testing by security audit leader Cobalt
Industry’s strongest protection for your customer data
Industry’s only escrowed exchange of encrypted PII
Compliant with EU GDPR, Singapore PDA
Plug-and-play Travel Rule end-user data consent component
Enterprise White Glove features
24h/7 days a week uptime
Configurable enterprise SLA
SOC2 compliant disaster recovery and business continuity plans
This content is provided for general informational purposes only. By using the content, you agree that the information on this content does not constitute legal, financial or any other form of professional advice. No relationship is created with you, nor any duty of care assumed to you, when you use this content. The content is not a substitute for obtaining any legal, financial or any other form of professional advice from a suitably qualified and licensed advisor. The information on this content may be changed without notice and is not guaranteed to be complete, accurate, correct or up-to-date.
Help us keep this page up to date! Any comments, corrections or suggestions on this page can be sent to firstname.lastname@example.org.