Gibraltar was the first country in the world to provide a purpose-built regulatory framework for businesses using blockchains or distributed ledger technology in 2017. The Proceeds of Crime Act 2015 (Transfer of Virtual Assets) Regulations 2021 (POCA) implemented the crypto Travel Rule and has been in force since March 22, 2021. Gibraltar VASPs had an 18-month grace period, bringing the enforcement date to September 22, 2022.

Timeline of regulatory action:

Download the Gibraltar Cryptocurrency Regulation Guide

Get the PDF

1. Is cryptocurrency legal in Gibraltar?

Yes. Gibraltar adopted a proactive and progressive approach to regulating the crypto industry by implementing the DLT Framework as early as 2018. This framework governs firms carrying out by way of business, in or from Gibraltar, the use of DLT for storing or transmitting value belonging to others.

2. Are there any AML crypto regulations in Gibraltar?

Yes. Gibraltar's DLT Framework was founded on nine fundamental principles–one of which requires DLT providers to "have systems in place to prevent, detect and disclose financial crime risks such as money laundering and terrorist financing." 

The Gibraltar Financial Services Commission (GFSC) issued a Guidance Note to help DLT providers translate this principle into appropriate practices. DLT providers in Gibraltar are subject to the obligations foreseen in POCA and to the Guidance Notes issued under POCA on systems of control to prevent the financial system from being used for money laundering and terrorism financing.

3. Is the Crypto Travel Rule mandated in Gibraltar?

Yes, the enactment of POCA implemented the crypto Travel Rule in Gibraltar.

4. Who regulates cryptocurrency in Gibraltar?

As part of its mandate to regulate and supervise distributed ledger technology activities in Gibraltar, the GFSC is responsible for monitoring compliance with the crypto Travel Rule. However, the Gibraltar Financial Intelligence Unit (GFIU) is the entity responsible for facilitating the receipt, analysis, and dissemination of suspicious transaction reports (STRs) filed by virtual asset service providers (VASPs) under POCA.

View VASPs registered in Gibraltar on the Notabene Network

Explore the Network

FATF Travel Rule requirements in Gibraltar

1. Are there licensing or registration requirements for VASPs in Gibraltar?

Yes, "DLT Providers" in Gibraltar are required to apply with the GFSC for a DLT Provider License (see Financial Services (Distributed Ledger Technology Providers) Regulations 2017).

Moreover, under the Proceeds of Crime Act 2015 (Relevant Financial Business) (Registration) Regulations 2021 (RFBR Regs), in effect since March 22, 2021, the following financial businesses must register with the GFSC for anti-money laundering and counter-terrorism financing (AML/CTF) supervision if they are not yet under the oversight of a relevant supervisory authority. 

The following types of financial businesses are among those required to register:

  1. "undertakings that receive, whether on their own account or on behalf of another person, proceeds in any form from the sale of tokenised digital assets involving the use of DLT or a similar means of recording a digital representation of an asset; or
  2. persons who, by way of business, use DLT to exchange units of value, or arrange, or make arrangements with a view to, the exchange of units of value using DLT".

2. When does the Crypto Travel Rule go into effect in Gibraltar?  

The crypto Travel Rule entered into force in Gibraltar on March 22, 2021. The GFSC granted an 18-months grace period to comply, which brought the effective date to September 22, 2022. 

3. Does Gibraltar permit a grace period to comply with the Crypto Travel Rule? 

Although POCA does not explicitly grant any grace period for compliance with the crypto Travel Rule, a grace period of 18 months was communicated from the GFSC to the industry. The grace period was announced on March 22, 2021, and ended on September 22, 2022.

Complying with the FATF Crypto Travel Rule in Gibraltar

1. What is the minimum threshold for the Crypto Travel Rule in Gibraltar?

In Gibraltar, crypto Travel Rule requirements only apply to transactions with a value equal to or above EUR 1,000 - defined as "material transactions." (POCA 2021. pg 2, para. 3.(1)

However, it is worth noting that POCA explicitly foresees that this threshold may be modified by government order.

2. What personally identifiable information is required to be shared for the Crypto Travel Rule in Gibraltar?‍

In Gibraltar, the Originator VASP must collect and share the following Originator and Beneficiary Customer personally identifiable information (PII) with the Beneficiary VASP:

Source: POCA 2021. pg. 3, para. 4.(2). Illustrated by Notabene

3. What are the non-custodial or self-hosted wallet requirements in Gibraltar?

When sending transfers to self-hosted wallets, VASPs are not subject to crypto Travel Rule requirements. 

However, when receiving transactions from self-hosted wallets, Gibraltar requires Beneficiary VASPs to obtain from their own customer (i.e., the beneficiary of the transfer) the following PII of the transfer originator:

(Source: POCA 2021. pg. 4, para. 5.(2) POCA. Illustrated by Notabene)

4. Are there differences in customer PII requirements for cross-border transfers versus transfers within Gibraltar?

The scope of PII sharing between VASPs in Gibraltar for compliance with the crypto Travel Rule is the same for both cross-border and internal transfers.

Why choose Notabene for Crypto Travel Rule compliance in Gibraltar?

Notabene's market-leading Travel Rule compliance solution is used by VASPs to comply with Travel Rule requirements across all jurisdictions. Our clients can identify whether the counterparty wallet is custodial or self-hosted and take the measures appropriate to each scenario. Complying with the Travel Rule requires significant changes to VASPs' existing UX and data flows. Bearing this in mind, we allow for a staggered implementation of our solution and promote testnets for VASPs to take their first steps toward compliance in a simulated environment.

Relevant Links: