Regulation of Cryptocurrency and Initial Coin Offerings (ICOs) in Gibraltar
Gibraltar is an example of a jurisdiction which has introduced regulations aimed at attracting blockchain and crypto companies. Gibraltar’s approach has been dubbed “progressive” and “right touch” and as a result, the territory has emerged as a jurisdiction of choice for many crypto firms.
DLT Regulatory Framework
Gibraltar has developed a bespoke regime, known as the DLT regulatory framework, which took effect on 1 January 2018 and applies to firms that carry on DLT activities – that is activities that are not subject to regulation under any other regulatory framework that use distributed ledger technology (DLT) for the transmission or storage of value belonging to others. The types of activities that require a DLT licence include operating a crypto exchange, custodian service providers and asset storage service providers, crypto wallet providers and operating DLT-based marketplaces that facilitate the buying and selling of goods and services. Firms and activities that are subject to another regulatory framework continue to be regulated under that framework. Firms carrying on a business in DLT Activities, including crypto trading exchanges and custodians, need to be authorised and licensed as DLT Providers by Gibraltar’s Financial Services Commission (the GFSC). There are currently 12 licensed DLT Providers including eToro, Huobi and Xapo.
Gibraltar’s regulatory approach to DLT is outcome-focused, not prescriptive, requiring DLT Providers to comply with nine principles designed to ensure achievement of desired regulatory outcomes, including investor protection.
In their licensing applications, applicants must demonstrate how they will comply with the nine principles:
- conducting the business with honesty and integrity – the GFSC must be satisfied that the applicant and people associated with the applicant, are fit and proper to undertake the relevant DLT activity. The basic elements that the GFSC has set out are (i) honesty, integrity and reputation; (ii) skill, competence, care and experience; and (iii) financial position;
- pay due regard to customers’ interests and needs and to communicate with its customers in a way which is fair, clear and not misleading. The DLT provider must among other things use its best endeavours to mitigate the risks associated with use of DLT and employ best practices in operating its business;
- maintaining adequate financial and non-financial resources – the DLT provider must ensure that it has sufficient financial resources and capital levels which must both be monitored and be sufficient to support the business objectives;
- manage and control the business effectively and conduct its business with due skill, care and diligence; including having proper regard to risks to its business and customers – which includes adopting appropriate forward-looking risk management practices;
- have effective arrangements in place for the protection of client assets and money when it is responsible for them – DLT providers are expected to take the necessary precautions to protect customer assets and custodial assets will need to be segregated from the DLT Provider’s own assets;
- effective corporate governance arrangements put in place – DLT providers must adopt strong corporate governance procedures which should include (a) board structure, including composition to ensure that there is a good balance and mix of skills and experience to complement the business; (b) adequate application of the ‘four eyes’ principle (segregation of various functions, cross-checking, double signatures, dual control of assets etc.) and (c) application of mind and management from Gibraltar;
- ensure that all systems and security access protocols are maintained to appropriate high standards;
- prevention of financial crime – DLT providers are required to have systems in place to prevent, detect and disclose financial crime risks such as anti-money laundering and countering terrorist financing (AML/CFT). DLT providers must adopt and apply adequate anti-money laundering and counter terrorist financing preventative measures which are commensurate with their risks and the DLT providers must also report suspicious transactions when applicable; and
- be resilient and develop contingency plans for the orderly and solvent wind down of its business.
On 12 January 2021, it was announced that Gibraltar is looking to add a 10th principle to the DLT framework, following the convening of a working group in late 2020. The latest principle will be aimed at defining the appropriate market standards for exchanges operating in the digital asset space and is on track for “a prompt delivery”.
These principles are similar in some ways to the Terms and Conditions which are imposed on virtual asset trading platform operators in Hong Kong under the SFC’s current “opt-in” regime, which covers the safe custody of assets, KYC, AML/CFT, preventing market manipulative and abusive activities, accounting and auditing, risk management and conflicts of interest. These Terms and Conditions are also likely to be applied under the proposed regime for licensing exchanges that only trade non-security virtual assets. Gibraltar’s principles for licensing are however less prescriptive and less restrictive than Hong Kong’s terms and conditions. For example, there is no restriction to providing services only to professional investors.
Following the implementation of the DLT Framework, Gibraltar’s Financial Services Commission (the GFSC) entered into a co-operation agreement with the Hong Kong Insurance Authority to promote information sharing on innovation and referrals of innovative firms seeking to enter the counterpart’s market.
According to PwC, Gibraltar ranked third in terms of the number of crypto hedge fund managers (behind the US and the UK, with Hong Kong coming in as joint 4th). Gibraltar is also the fourth most popular domicile for crypto hedge funds. Of course, it is still early days, but Gibraltar has emerged as a leader in this space, not only through its progressive legislative efforts, but also the continued support and development of knowledge and skills relevant to this sector. An example is the establishment of the Gibraltar Association for New Technologies (GANT) comprised of Gibraltar’s leading law firms, accountancy firms and tech companies. GANT is tasked with not only enhancing the development of blockchain and DLT, but also raising the profile of “new tech”. In Hong Kong, we have the Fintech Association of Hong Kong, which has similar goals, however the association is independent, compared to Gibraltar’s association which was launched by the Government of Gibraltar.
Gibraltar’s Proceeds of Crime Act 2015 was amended in 2018 to extend AML/CTF obligations to undertakings that receive proceeds in any form from the sale of tokenised digital assets whether on their own account or on behalf of another person. Licensed DLT Providers are also specifically required to comply with the Proceeds of Crime Act and related guidance issued by the Gibraltar Financial Services Commission.
The EU Fifth Anti-Money Laundering Directive (5AMLD) applies to Gibraltar and was transposed into the laws of Gibraltar via The Proceeds of Crime Act 2015 (Amendment) Regulations 2020. The 5AMLD brought service providers engaged in exchange services between virtual currencies and fiat currencies as well as custodian wallet providers into the AML/CTF regulatory regime. However, in 2017, Gibraltar had already regulated these activities. Under the laws of Gibraltar, everyone using DLT to store or transmit value belonging to another person was already within the regulatory scope of the Fourth Anti-Money Laundering Directive. Gibraltar has not incorporated the provisions of 5AMLD relating to providers of crypto exchange services and providers of crypto custodian wallets since the providers of these activities are already subject to AML and CTF obligations as DLT Providers. This is demonstrative of how Gibraltar continues to stay ahead, as while a number of jurisdictions are now developing and enhancing crypto regulatory regimes and imposing / strengthening AML/CFT obligations (as is the case in Hong Kong, with the November 2020 FSTB proposal), Gibraltar has had a prescriptive regime in place since 2018. The DLT Provider’s licensing process takes between a few months to one year and includes checks on internal AML/CFT procedures and controls and a risk assessment of the products offered, together with checks on individuals.
The DLT Regulations do not specifically provide for the regulation of ICOs, although they may fall within the scope of existing regulation of securities. Gibraltar issued proposals to regulate ICOs in March 2018. The proposed regulations would cover the promotion and sale of crypto tokens, secondary market platforms and investment services relating to tokens and would regulate certain crypto-related activities conducted in or from Gibraltar. The proposed regime would cover virtual assets that fall outside the scope of the DLT Regulations and Gibraltar’s financial services and securities laws.
Importantly, the GFSC has indicated that they do not want to and do not see a place for them as a regulator to prescribe what “good” looks like in token sales. The GFSC would rather allow the market of authorised sponsors to come up with different options of what a good ICO looks like.
In Hong Kong, a bespoke regulatory regime is not on the cards yet. Instead, regulators have taken a pragmatic approach, whereby the SFC determines the regulatory status of ICOs on a case-by-case basis depending on whether it has features of a traditional security. Where the tokens are considered “securities”, any party dealing in or advising on the tokens, must be licensed by or registered with the SFC. This is of course a clear divergence from the regulatory position in Mainland China, yet is not anywhere near as progressive and proactive as efforts in Gibraltar, which places Hong Kong very much in the middle of the spectrum of regulatory approaches.
Activities which would be regulated under the proposals (if conducted in or from Gibraltar) include:
- the promotion, sale and distribution of tokens;
- operating secondary market platforms trading in tokens; and
- providing investment and ancillary services relating to tokens.
The proposals would also introduce a requirement for an “authorised sponsor” of all publicly offered ICOs and would regulate the conduct of and impose obligations on authorised sponsors, secondary token market operators (i.e. virtual asset exchanges) and token investment and ancillary service providers.
The proposals would not however regulate token issuers or promoters, nor the tokens or technology underlying them. Instead, regulation will be effected by requiring authorised sponsors, crypto exchanges and service providers to comply with new regulations.
The aim of the proposed regulatory regime would be to mitigate the risks associated with the relevant activity. In the case of token-based crowd financing, this would require full and accurate disclosure of information, while secondary market platforms would be made subject to rules providing for orderly and proper conduct. Providers of investment services would be subject to competence requirements. GFSC will be the relevant supervisory authority for AML/CFT regulation, and the provisions of the DLT regulations will apply to firms covered by the new token regulations.
Promotion, Sale and Distribution of Tokens
The first limb of the proposed regulations would regulate the primary market promotion, sale and distribution of tokens that are not securities (which are already covered under existing securities legislation, as is the case in Hong Kong), outright gifts or donations, with the regulations extending to activities
which purport to be or imply that they are made from Gibraltar;
are intended to come to the attention of or be accessed by any person in Gibraltar;
are conducted by overseas subsidiaries of Gibraltar-registered legal persons (in such cases, the Gibraltar person will be liable); or
are conducted by overseas agents and proxies acting on behalf of Gibraltar-registered legal persons, or on behalf of natural persons ordinarily resident in Gibraltar (in such cases, the Gibraltar person will be liable).
According to the proposals, these tokens are typically those referred to as utility or access tokens which offer commercial products or services (which may not exist at the time of the token sale). Tokens that function solely as decentralised virtual currency (e.g., Bitcoin) or as central bank-issued digital currency (CBDCs) will be excluded from this limb of the regulations. However, hybrid tokens (which have an underlying economic function that is both virtual currency and something else) will be caught.
Unless further specifics are included in the proposed legislation or guidance, the current proposals do little to create clarity as to which tokens will be covered by the new legislation and existing securities laws, respectively and which will remain unregulated. The regulatory treatment of an ICO offering will thus still require an analysis of the nature of the rights attached to the tokens and their intended use. From a European perspective, the closest equivalent to the US concept of a security, is probably a unit in a collective investment scheme. To date, there is no guidance as to how that concept applies to an ICO. It is not clear from the Gibraltan proposals whether they will cover all “utility tokens” irrespective of whether they can be traded in the secondary market. We can compare this to Hong Kong where currently virtual assets are regulated to the extent they fall within the definition of a “security”, but there has been little guidance from the regulators on the characteristics that are likely to make a token issued in an ICO, for example, an interest in a collective scheme.
The proposed regulations on the promotion, sale and distribution of tokens will require adequate, accurate and balanced disclosure of information to enable anyone considering purchasing tokens in the primary market to make an informed decision. The regulations may prescribe what, as a minimum, constitutes adequate disclosure, and in what form disclosures are made (e.g., in a key facts document not exceeding 2 pages). The Gibraltan FSC may publish guidance on the disclosure rules from time to time.
Financial Crime Provisions
Undertakings that receive, whether on their own account or that of another person, proceeds in any form from the sale of tokens were brought within the scope of the Proceeds of Crimes Act 2015 (POCA) by an amendment which took effect in March 2018. Token issuers are thus already under a statutory obligation to perform AML and CTF checks on token purchasers.
The proposed regulations will establish a regime for the authorisation and supervision of token sale sponsors (authorised sponsors) who will be responsible for ensuring compliance with this limb of the regulations. An authorised sponsor will need to be appointed in respect of every public token offering promoted, sold or distributed in or from Gibraltar. Authorised sponsors may be appointed by the Gibraltar promoter or by organisers of the offering, wherever located.
Authorised sponsors will be required to have knowledge and experience of ICOs and mind and management in Gibraltar. They will be allowed to delegate some of their work to others, including offshore parties, but will remain directly accountable to GFSC for the actions of their delegates.
Codes of Practice
Under the proposed regime, authorised sponsors will be required to have in place one or more codes of practice relating to offerings they sponsor. Authorised sponsors are considered to be in the best position to determine best practice for the offerings they sponsor and will be free to apply different codes to different categories of tokens and offerings. Codes of practice may cover matters such as methods for applying and distributing sale proceeds.
A code of practice will have to be incorporated in authorised sponsors’ agreements with their ICO clients. Submission of codes of practice will form part of the application process for an authorised sponsor licence. Prior reporting of amendments to codes of practice will be required and will be treated in the same way as other major business changes.
It is proposed that regulations would specify principles governing the content of codes of practice. Authorised sponsors will be free, subject to approval, to set their own methodologies for implementing the principles.
Registers of Authorised Sponsors, Codes of Practice, Sponsors’ Clients and Tokens
GFSC will establish and maintain a public register of authorised sponsors and their codes of practice (past and present).
GFSC will add to the public register the following details of public offerings provided by authorised sponsors of public offerings they are engaged in:
the client(s) for whom they act;
the token(s) included in the offering;
the code of practice applicable to the offering; and
any interest they, and connected persons, have in the tokens offered.
New Controlled Activity and Offence
A new controlled activity of being an authorised sponsor is proposed and it will be an offence to promote, sell or distribute tokens in or from Gibraltar without compliance with:
the requirement for an authorised sponsor;
the requirement for a current entry on the public register;
specified disclosure obligations; and
relevant provisions of POCA, where applicable.
The promotion, sale and distribution of a public token offering may only be conducted once, and while, the offering appears on the register.
Secondary Market Activities
The proposals include regulation of secondary market platforms operated in or from Gibraltar that are used for trading tokens and, to the extent not covered by other regulations, their derivatives. The regulations aim to ensure that the activities of these markets are fair, transparent and efficient and that organised trading occurs only on regulated platforms.
The proposed regulations will set out requirements for:
disclosure to the public of data on trading activity;
disclosure of transaction data to GFSC; and
specific supervisory actions concerning tokens and positions on token derivatives.
These regulations will cover secondary market trading of all tokenised digital assets including virtual currencies and will be modelled, to the extent appropriate, on market platform provisions under MiFID 2 and the Markets in Financial Instruments and Amending Regulation (MiFIR).
Authorised Secondary Token Markets
The proposals include adding a new controlled activity of operating a secondary market platform used for trading tokens and their derivatives. GFSC will authorise and supervise secondary token market operators and maintain a public register of such operators.
Investment and Ancillary Services relating to Tokens
The proposed legislation would include a new controlled activity of providing investment and ancillary services relating to tokens in or from Gibraltar and, to the extent not covered by other regulations, their derivatives.
This limb of the regulations is intended to cover advice on investments in tokens, virtual currencies and central bank-issued digital currencies, including:
generic advice (setting out fairly and in a neutral manner the facts relating to token investments and services);
product-related advice (setting out in a selective and judgemental manner the advantages and disadvantages of a particular token investment and service);
and personal recommendation (based on the particular needs and circumstances of the individual investor).
This limb of the regulations will be modelled on similar provisions under the MiFID.
The proposals are planned to be implemented through amendments to Gibraltar’s Financial Services (Investment and Fiduciary Services) Act 1989.