Introduction to the legal and regulatory framework
Gibraltar has been one of the most notable early adopters and supporters of virtual currencies, ensuring that appropriate, proportionate and practical regulatory regimes are in place to manage the risks involved in such activities.
The sector has a wide range of operators, including:
- exchanges and custodians;
- over-the-counter providers;
- token sale issuers; and
- crypto funds.
Gibraltar is one of the most popular crypto fund jurisdictions in the world: ‘Funds tend to be domiciled in the same jurisdictions as traditional hedge funds, with the top three being the Cayman Islands (34%), the United States (33%) and Gibraltar (9%)’.2
Gibraltar has two primary legislative frameworks that specifically apply to cryptoassets (this term is the preferred term used herein and applies to cryptographic coins, tokens or other technologies that represent some unit of value or property on a distributed database).
One is the Distributed Ledger Technology (DLT) Provider regime (see below) that requires full authorisation for certain custodians and remitters of cryptoassets. The other is a requirement for all ‘virtual asset service providers’ to register and comply with the Proceeds of Crime Act 2015 and various anti-money laundering (AML) and counter-terrorist financing (CTF) obligations (this, inter alia, implements Financial Action Task Force (FATF) guidance in respect of Virtual Asset Service Providers (VASPs)).
The DLT Provider regime is separate to other legislation that applies if the cryptoasset activity is pursuant to other regulated, licensable or registrable activities that the commercial operator is permitted to undertake (e.g., banking, insurance and e-money). The DLT Provider regime is contained within the Financial Services Act 2019 (FSA).
Section 139 provides that certain DLT provider activities are regulated activities requiring authorisation by the Gibraltar Financial Services Commission (GFSC). Regulated activity is considered as any firm using DLT for storing or transmitting value belonging to others, in or from Gibraltar.
Under Section 138, DLT and value are respectively defined as:
A database system in which –
- information is recorded and consensually shared and synchronised across a network of multiple nodes; and
- all copies of the database are regarded as equally authentic;
value includes assets, holdings and other forms of ownership, rights or interests, with or without related information, such as agreements or transactions for the transfer of value or its payment, clearing or settlement.
The DLT Provider regime is meant to capture persons who are not otherwise authorised to conduct a regulated DLT provider activity. Persons who are authorised to conduct a range of financial services activities and who use DLT to perform that regulated activity do so within the scope of their primary authorisation (e.g., banking, insurance) and not as a separately authorised DLT provider (see Section 141 of the FSA) unless the DLT activities that they undertake are not directly related to their regulated supplies of the separately authorised financial services.
The DLT Provider regime is remarkably widely drafted, which means that it can be difficult to ascertain how the law will be interpreted in each case, particularly in cases where one might expect that the legislator could not have intended to include the activity within the scope (and that, in respect of other regulated financial activities, would often benefit from a negative scope exemption, such as for certain intra-group supplies). For this reason, it is essential to discuss business proposals that may include DLT provider activities with local advisers and the GFSC at the earliest stage (to ascertain whether the GFSC believes that the proposed activity is within the scope or not).
In short, the DLT Provider regime is intended to require persons who engage in business activities involving storage (custody) and remittance (transfer) of cryptoassets on behalf of clients to be authorised to do so. In some cases, commercial operators will be involved in dealing with DLT assets but not as custodian or remitter on behalf of others (in those cases the wider AML regime – specified below – will, however, often be applicable). The general expectation in respect of custodians and remitters of a requirement for authorisation is understandable, given that such activities could give rise to significant loss of value to clients if there are any issues with the provider of those services.
At the time that the DLT Provider regime was first introduced (January 2018), the ability for suitable businesses to become authorised by a financial regulator was seen as of great benefit, particularly given the perception of a general lack of clarity on the authorisation of these providers in many other jurisdictions. The intention was to encourage good practice and good crypto operators to set up in Gibraltar under a suitable, proportionate and effective authorisation regime. Successful completion of the authorisation process also made it easier for these businesses to deal with financial services counterparties, banking partners, major corporate clients and investors, and also retail clients.
Applications for authorisation are expected to take between nine and 12 months, and the initial and ongoing annual authorisation fees are between £10,000 and £30,000 (depending on the complexity of regulating the DLT provider).
DLT providers are required to undertake the following three-stage process of application.3
i Pre-application engagement
The GFSC suggests that applicants should contact the DLT team to discuss the application proposal, business model and type of activity or services (or both) that the firm wishes to provide in, or from within, Gibraltar. This pre-application engagement will provide an opportunity for the GFSC to give applicants any appropriate guidance on the application process, and more importantly, to discuss whether the proposed activity will fall within the scope of the DLT framework; that is, will the firm be using DLT for the transmission or storage of value belonging to others.
ii Initial application assessment
Firms will be required to follow the initial application assessment process. To do so, applicants will need to send an email to [email protected] setting out the following information:
- the name of the firm;
- a brief note on the type of business and products and services the firm intends to offer;
- the firm’s address; and
- the name and email address of the main contact for the application.
As part of the initial application assessment, the GFSC will carry out an initial assessment of the inherent risks and complexity of the applicant’s proposed activity and business model. The initial application assessment will help the GFSC process applications expeditiously as well as provide them with a better understanding of the activities and services the firm proposes to conduct.
A non-refundable initial application assessment fee of £2,000 will be payable to the GFSC.
Within two weeks of receiving a request for an initial application assessment, the DLT team carry out the initial assessment and categorise the firm according to the inherent risks and complexity of the applicant’s business model and activities.
iii Full application and presentation
The application process at this stage largely mirrors the application process applied to all other activities authorised and supervised by the GFSC for financial services or fiduciary businesses. This requires submission of a full business plan, approval of controllers, operational overview, financial analysis, including in respect of the firm’s appropriate level of prudential strength, and how the firm will comply with the key principles (set out below).
One exception is that once the firm has submitted a complete application and paid the balance of the assessed application fee, applicants will be invited to deliver a presentation to the GFSC. Any specific requirements based on the nature and complexity of the proposed business will be communicated at the time of the initial application assessment.
Generally, the presentation is expected to cover the following areas:
- background on the key individuals driving the business, including relevant skills and experience;
- business plan, including structure of the company or group, products and services, target market and strategy;
- financial projections; and
- evidence detailing how the firm will meet the regulatory outcomes or principles.
GFSC staff who are present are expected to include members from the DLT team and any key GFSC decision makers. The presentation will be an integral part of the authorisations process and will give the applicant an opportunity to demonstrate how they will meet the GFSC’s 10 regulatory outcomes or principles. The GFSC believes that this approach helps reduce the time taken to understand the business, assess the firm’s compliance with the principles and deliver an overall more effective authorisations process. Guidance Notes on each of the Principles are available at the GFSC website.4 Once permission has been granted, an onsite visit will be completed.
The regulatory principles for authorised DLT providers are as follows:
- honesty and integrity;
- interests and needs of customers are foremost with fair, clear and non-misleading communication;
- provision of adequate financial and non-financial resources;
- effective management and control of business and business conducted with due skill, care and diligence;
- effective arrangements in place for the protection of client assets and money;
- provision of effective corporate governance arrangements;
- maintenance of all systems and security access protocols to appropriate high standards;
- systems to be put in place to prevent, detect and disclose financial crime risks;
- development, testing and maintenance of contingency plans for the orderly and solvent wind down of business; and
- maintenance and enhancement of the integrity of certain markets.
Securities and investment laws
The primary areas of law are similar to those within the United Kingdom and the European Union (notwithstanding that the United Kingdom and Gibraltar exited the European Union in 2020). Over time we may see more regulatory divergence between, on the one hand, the European Union and, on the other hand, the United Kingdom and Gibraltar. Gibraltar is also able to diverge from the United Kingdom to some extent; however, the ability to continue to passport financial services from Gibraltar to the United Kingdom makes significant divergences unlikely in key areas of regulation and supervision.
Similarly to the United Kingdom, the Gibraltar financial services regime operates with a general prohibition against undertaking specified regulated financial service activities unless authorised or exempt (Section 4 of the FSA). The list of specified activities is contained in Schedule 2 of the FSA and includes various activities such as banking, e-money and payment services, as well as insurance. The more specific securities related laws are as follows.
- MiFID covers much of the regulated investment activities related to ‘financial instruments’ and is still largely applicable in Gibraltar pursuant to the FSA and associated legislation. This area of law is the closest equivalent to the US concept of a ‘security’ and includes transferable securities (tradable on capital markets), money market instruments, units in collective investment undertakings and other specified regulated instruments (including a range of derivatives products). Activities related to such financial instruments include:
  - brokerage;
  - investment advice;
  - dealing for others; and
  - provision of derivatives and operating organised trading facility (OTF) or multilateral trading facility (MTF) platforms.
- Most funds (including crypto-related funds) are primarily covered by the local implementing regulations of the Alternative Investment Fund Manager (AIFM) Directive, which applies to fund managers (other than in respect of UCITS or publicly tradable closed-ended collective investment schemes; these are also within the prospectus regime for public or listed offerings of transferable securities). Gibraltar recently implemented a dual funds regime5 that enables fund managers to opt out of some of the requirements of AIFMD when targeting a global investor base. This is particularly helpful for crypto fund managers where many of the requirements of AIFMD are not fit for purpose in the crypto asset space (such as the depositary obligations).
- A prospectus regime (as implemented by local regulation) covers listed or publicly offered transferable securities.
Currently in Gibraltar, in most cases, the provision of virtual currency services is being carried out by businesses that are not already regulated for financial services and securities-related activities. In addition, the current e-money and payment regulations could conceivably be applicable for very specific virtual currency offerings (such as, for example, a GBP stablecoin offering backed by funds) but, as yet, this has not been taken up by local e-money issuers.
To the extent that a token represents a financial instrument, including a transferable security (such as shares or debt instruments negotiable on capital markets), a unit in an Undertakings for Collective Investment in Transferable Securities (UCITS) or a collective investment scheme, a deposit, an insurance contract or electronic money, then the same laws that apply to activities by any commercial operators in those fields apply to that activity mediated with a token. Notably, in some cases, the laws applicable to such activities (including wider laws such as companies’ laws) are drafted in a manner that does not envisage a cryptographic token as the medium of contract, exchange, value or ownership and this can give rise to issues requiring workarounds in meeting the applicable obligations for these activities.
Given the close legal and regulatory relationship between the United Kingdom and Gibraltar, guidance from UK regulators and decisions of UK courts are very influential when considering whether a cryptoasset falls within the definition of e-money or of a financial instrument.
The most significant and difficult question to answer about the application of financial services laws to cryptoasset products often arises with respect to the regulation of derivatives. The definition of derivatives within the EU Markets in Financial Instruments Directive (MiFID) regime (which is still largely implemented in the United Kingdom and Gibraltar) is conceivably wide enough to definitely cover some cash-settled cryptoasset derivative products; however, in practice, most cryptoasset derivative products are not cash-settled (being settled in cryptoassets). The MiFID regime wording taken from the EU directive is now hopelessly out of date as well as being notoriously difficult to interpret and apply to cryptoasset products. If the Gibraltar regulator considers a crypto derivative product to be structured in a way that is within its scope, then the issuer and various other intermediaries could be subject to authorisation and compliance requirements.
Banking and money transmission
The offering of virtual currency services would not normally fall within deposit-taking (banking) as that applies to conversion of ‘money’. The definitions of money under common law and statute do not extend to non-monetary value such as virtual currencies.
It is possible that a stablecoin product could fall within the definition of e-money to the extent that it represents a claim against an issuer in respect of a token that is issued on receipt of funds and is accepted by others to make payment transactions. The definition of e-money (derived from EU law) is as follows:
…electronically (including magnetically) stored monetary value as represented by a claim on the electronic money issuer which –
- is issued on receipt of funds for the purpose of making payment transactions within the meaning of paragraph 15;
- is accepted by a person other than the electronic money issuer; and
- is not excluded by sub-paragraph (2)
. . . ‘funds’ means banknotes, coins, scriptural money or electronic money;
. . . ‘payment transaction’ means an act, initiated by or on behalf of the payer or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee.6
The European Union is currently consulting on changes to e-money and payments directives that would bring stablecoins more clearly within the scope of EU e-money legislation (and with additional obligations) under the proposed Markets in Crypto Assets Regulation. At the same time, the United Kingdom and Gibraltar continue to consider the applicability of a wide range of existing financial services law to cryptoassets, including virtual currencies.
Anti-money laundering
The Proceeds of Crime (Relevant Financial Business) (Registration) Regulations 2021 (AML Business Registration) requires the registration of all:
- undertakings that receive, whether on their own account or on behalf of another person, proceeds in any form from the sale of tokenised digital assets involving the use of DLT or a similar means of recording a digital representation of an asset; or
- persons that, by way of business, exchange, or arrange to make arrangements with a view to the exchange of –
  a. virtual assets for money;
  b. money for virtual assets; or,
  c. one virtual asset for another,
. . . and [that] are not subject to supervision by a relevant supervisory authority.
Registrants must ensure that they can meet the legal obligations in the Proceeds of Crime Act 2015 (POCA) and any other applicable legislation and that they can provide confidence to the GFSC that they have adequate policies and procedures to fulfil local anti-money laundering and counter-terrorist financing obligations, including, inter alia, appointing a locally resident Money Laundering Reporting Officer (MLRO), meeting the local requirements including know your customer/know your business (KYC/KYB), source of wealth, sanctions checks, adverse publicity monitoring of clients and suspicious activity monitoring and reporting.
Controllers of applicants and the MLRO must be approved by the GFSC as being fit and proper persons to carry out their functions and obligations.
This regime applies to token issuers, other VASPs and any other person who is undertaking cryptoasset sale or exchange activities that is not authorised under Gibraltar financial services laws (including DLT Provider regime) pursuant to the FSA and associated legislation or otherwise regulated by a specified regulator.
Gibraltar has also implemented the ‘travel rule’ in the Proceeds of Crime Act 2015 (Transfer of Virtual Assets) Regulations 2021, which require VASPs to obtain additional specific information on their customers’ transactions when there is a transaction value equal to or in excess of €1,000.
Notably, the generally applicable AML and CTF obligations in Gibraltar are substantially the same as in the United Kingdom and the European Union because the laws in the United Kingdom and the European Union still derive from the various EU AML Directives notwithstanding that both jurisdictions (and other EU jurisdictions) do not always transpose directives in an identical manner.
The Gibraltar AML regime represents a high standard of compliance while reflecting the jurisdiction’s significant experience in the practical application of AML and CTF principles and obligations to the cryptoasset sector. The use of automated electronic onboarding, monitoring and reporting tools is a recognised and accepted part of the various procedures that are needed to protect operators and the jurisdiction from financial crime, terrorist financing and money laundering.
In October 2022, the GFSC issued a Scope Guidance Note on the VASP Registration Framework.7 The VASP Guidance Note confirmed that in order for a firm to be registered, it must:
1. Carry on the activity by way of business (i.e. providing products and/or services to clients in return for remuneration);
2. Have a registered office in Gibraltar; and
3. Appoint a locally based Money Laundering Reporting Officer (MLRO).
As with all other regulated sectors in Gibraltar, the MLRO must be a permanent, full-time employee of the firm seeking registration. The exception to this is in the case of firms that are solely carrying on activities under Regulation 4(c) (token sales, discussed below), where some flexibility can be afforded in respect of individuals who are in other full-time employment.
In respect of OTC operators, the Guidance Note confirms that they do not need to be authorised as a DLT Provider if they do not act as custodians:
The primary business model that falls within scope of Regulation 4(d) is an over-the-counter (OTC) exchange or brokerage desk. Firms carrying out this activity will typically arrange for the buying and selling of virtual assets for other virtual assets or fiat, between clients or between clients and the firm itself or third party liquidity providers. It is important to note that in order for a firm undertaking this activity to fall within the definition of a VAAP, rather than that of a DLT Provider, and therefore be subject to the VASP Registration Framework, rather than the DLT Framework, it must not at any point take custody of, or otherwise store or transmit virtual assets belonging to other transacting parties.
The Guidance Note also makes clear that the GFSC will refuse to register the following businesses on the basis of the higher AML and CTF risk involved with them:
- Privacy-enhancing assets or protocols – These assets or protocols allow for the concealment of information typically present in a transaction which facilitates the non-disclosure of user identity. This allows for the obfuscation of the identity of the sender, recipient, holder and/or beneficial owner of the virtual assets in question.
- Mixing/tumbling services – These services are used to pool together various transactions in order to obfuscate the origin of particular virtual assets, allowing for increased anonymity. These techniques are typically associated with obscuring the identification of “tainted” assets associated with illicit flows or services.
Also of note is the reference to non-fungible tokens (NFTs) and whether they are in scope as ‘virtual assets’, where a case-by-case approach will be taken by the GFSC and legal advice should be sought:
Virtual assets may have a variety of utilities and functionalities, but as long as they are captured by the above definition, they will fall within scope of the Regulations. It should also be noted that, in line with the FATF Guidance, non-fungible tokens (NFTs) are likely to be considered virtual assets for the purposes of the Regulations if they are used for payment or investment purposes. This extends to any form of NFT which may be used for these purposes, including those tokens which represent digital art or collectibles. The GFSC will consider sales of NFTs on a case-by-case basis.
Regulation of exchanges
Virtual currency exchanges fall within the DLT Provider regime as they inevitably will be storing clients’ cryptoassets for some period prior to and following matching of trade orders. The situation for decentralised platforms and applications is much more complex but an entity, individual or group of individuals could be within scope of the DLT Provider regime if such persons are considered to have sufficient control of the platform and application and the cryptoassets mediated through that platform or application. However, in practice the lack of custody of cryptoassets by decentralised platforms and applications, and the often decentralised nature of ownership or control of such platforms means that it will often be difficult to ascribe a regulated control activity to a local person.
Regulation of miners
There is no specific regulation applicable to virtual currency miners unless they are involved in exchanging crypto and crypto-fiat assets with clients, in which case they will be within the POCA AML Business Registration regime (see Section IV).
Regulation of issuers and sponsors
The financial promotions regime and restrictions only apply to relevant financial services activities and the prospectus regime requirements only apply for offers of listed or public transferable securities. In addition, the MiFID regime applicable in Gibraltar only applies to financial instruments and operators that undertake certain activities (including dealing, brokering, advisory and platform operation) in respect of the same.
This means that unless the offering of a cryptoasset falls within the definition of a financial instrument, of e-money or some other regulated financial services instrument (see Sections II and III) then token issuers and sponsors will normally only be subject to the POCA AML obligations for VASPs and no additional regulatory oversight of the issuer or sponsor applies.
Criminal and civil fraud and enforcement
i Regulatory enforcement and the powers of the GFSC
In the event of a breach of regulatory principles, the GFSC has various information-gathering and investigatory powers (Part 10, FSA) as well as sanctioning powers (Part 11, FSA), including administrative penalties.
Under Part 10, the GFSC can in respect of persons carrying out authorised activities:
- require them to provide the GFSC with certain information, produce particular documents and answer questions before the GFSC. The GFSC also has the power to carry out onsite inspections, where they can not only inspect any part of the premises but also question any person and request any document therein;
- seek a warrant from the magistrate to enter premises. A magistrate may only issue such a warrant if satisfied that there are reasonable grounds for believing particular conditions (set out at Section 135 of the FSA) are satisfied. If a warrant is issued, the Royal Gibraltar Police together with a person acting under the authority of the GFSC may enter and search the premises and take possession of documents or information for which the warrant was issued or take steps to preserve or prevent interference with the same;
- appoint a person to prepare a skilled person’s report on any matter about which the GFSC may reasonably require information in connection with the exercise of its functions as a regulator; and
- appoint an inspector to investigate the affairs of any person in Gibraltar who carries on (or is suspected of carrying on) a regulated activity in or from Gibraltar. Inspectors have the power to, inter alia, examine on oath the person under investigation, any of its employees, officers, agents, auditors, bankers, barristers or solicitors (subject to the provisions of the FSA).
An offence will also be committed if a person:
- without reasonable excuse fails or refuses to comply with a requirement imposed under Part 10;
- omits to disclose material that should have been disclosed;
- gives information or makes false or misleading statements or recklessly gives information; and
- suspects that an investigation is or is likely to be conducted and falsifies, conceals, destroys or disposes of a document that is suspected to be relevant to the investigation or if they cause or permit the same to take place.
Under Part 11 of the FSA, the GFSC can exercise sanctioning powers (one or more) against a person if the person contravened a regulatory requirement and, at the relevant time, was an authorised or regulated individual. Sanctioning powers include:
- administrative penalties;
- public statements;
- a cease and desist order;
- a temporary suspension of permission order; or
- a prohibition order, prohibiting the individual from exercising regulated functions.
Additionally, further to Part 13 of the FSA, the GFSC can apply to the Supreme Court and seek:
- an injunction restraining a contravention or the disposal of or the dealing with particular assets; and
- an order for restitution.
With respect to collective investment schemes (which may involve cryptoassets), the GFSC has further powers under Part 18 of the FSA if certain grounds apply. These powers include:
- the power to revoke or suspend a scheme’s authorisation or recognition;
- applying to the Supreme Court for a protection order;
- issuing directions to or with respect to a scheme;
- appointing an examiner to conduct an investigation into the affairs of a scheme or persons connected with it; and
- publishing statements about steps taken in connection with a scheme in exercise of a power listed above or the operation or promotion of a scheme in contravention of the FSA.
ii Liability and enforcement issues regarding virtual currencies
Gibraltar’s statutory laws include acts passed by the Gibraltar Parliament, statutory laws passed in England and Wales and extended to Gibraltar by the Gibraltar Parliament and Orders in Council extended to Gibraltar. The common law and rules of equity of England and Wales apply insofar as they are applicable to the circumstances in Gibraltar (further to Section 2 of the English Law Application Act).
Any judgments dealing with cryptoassets as property in England and Wales would be highly persuasive.
In AA v. Persons Unknown, Re Bitcoin,8 the High Court held that Bitcoin constitutes ‘property’ but in a new category, outside of the two traditional forms of property in English law (choses in possession and choses in action). It was therefore found that a proprietary injunction could be obtained in respect of it. It was held that there was at least one serious issue to be tried and the balance of convenience lay in favour of granting relief in support of A’s claimed proprietary rights.
Though this was not a statement of law, it has been deemed relevant and compelling on the question of whether Bitcoin, and thus arguably other cryptocurrencies, can be considered property. In that case, the Court took into account Vorotyntseva v. Money-4 Limited t/a Nebeus.com (unreported – freezing injunction over Bitcoin and ether).
In Ion Science Ltd v. Persons Unknown and (1) Persons Unknown, (2) Miriam Core, (3) Binance Holdings Ltd and Payward Ventures Ltd (as a third party) (an unreported case that is reportedly considered the first ICO fraud case to be heard by the High Court), orders were made for a proprietary injunction, worldwide freezing order, ancillary disclosure against persons unknown, Bankers Trust orders and a Norwich Pharmacal order against companies connected with a cryptocurrency trading exchange. It is reported that the judge in that case expressly made clear that the judgment should not be considered authority (in line with the practice direction that gives guidance on the status of judgments given on applications made without notice). It is, however, likely that future courts will follow the same approach. In that case, on 5 October 2021, an interim third-party debt order was made against Payward Ventures Limited in the sum of just under £3 million. On 28 January 2021, that order was made final.
In an even more recent case, Danisz v. Persons Unknown & Huobi Global Limited,9 the High Court affirmed the availability of existing interim and final remedies in the context of cryptocurrency. The facts of that case were that the applicant was encouraged by unknown persons to buy Bitcoins. The Bitcoins were transferred to Matic Markets Limited and she was led to understand that the Bitcoins had grown in value. However, she was unable to withdraw the cryptocurrency. The Bitcoins were traced to an e-wallet held with the cryptocurrency exchange Huobi Global Ltd. The applicant sought various orders, including an interim prohibitory injunction against those unknown persons who had encouraged her to make the investment as well as against the exchange. The High Court ordered the prohibitory injunction following AA, the freezing injunction on the basis that the court had jurisdiction to hear the substantive claim based on the place where the person who owns it was domiciled (following Ion Science) and that the definition of an ‘asset’ included all assets that are held or controlled by a third party, such as an exchange.
In April 2023, in an as yet unreported judgment, a court injunction was issued in Gibraltar ordering, inter alia, a freeze over a failed crypto trading entity’s crypto assets and directing Binance and others to halt attempts to move assets from several Globix-linked crypto wallets.10 Globix (a platform operated by a BVI company, Miracle World Ventures Limited) is an insolvent cryptocurrency trading company that is subject to various legal actions involving a search for over US$43 million in missing funds. It was not registered in Gibraltar or regulated by the GFSC but did have local investors and a local director.11
As above, it is likely that should similar matters be brought before the Supreme Court of Gibraltar, the above case law would be persuasive. What remains to be dealt with is the question of enforcement and whether restitution is possible.
iii Criminal liability
Virtual currencies fall within the definition of ‘property’ contained in Section 394(1) of the Crimes Act 2011. This states that ‘property’ includes money and all other property, real or personal, including things in action and other intangible property. Property is regarded as ‘belonging to another’ where it belongs to any person having possession or control of it, or, most importantly in this particular context, having in it any proprietary right or interest, although it must be noted that this cannot be an equitable interest arising only from an agreement to transfer or grant an interest. Misappropriating cryptocurrency could result in a person meeting the requirements of the offence of theft (see Section 391(1) of the Crimes Act 2011), which makes it clear that a person commits theft if they dishonestly appropriate property belonging to another with the intention of permanently depriving the other of it.
Cryptocurrency fraud can be prosecuted further to Sections 415–418 of the Crimes Act. For example, a person who dishonestly makes false representations with the intention of causing a loss to another or exposing another to a risk of loss could be prosecuted.
Tax
The tax system is primarily specified in the Income Tax Act 2010. Gibraltar applies income tax on individuals and entities for various activities and transactions subject to a range of exceptions (for example, in respect of income receipts from owning listed securities). Stamp duty is also applicable on certain property transactions. There is no capital gains tax or value-added tax. The base rate of corporation tax is currently set at 12.5 per cent.
Individual taxation is variable (the effective rate is usually around 25 per cent for middle income earners) but it goes up to a top marginal rate of 28 per cent for high earners. Individuals with gross assessable income exceeding £25,000 are taxed (under the gross income based system) as follows:
- the first £17,000 of assessable income at 16 per cent;
- the next £8,000 at 19 per cent;
- the next £15,000 at 25 per cent;
- the next £65,000 at 28 per cent;
- the next £395,000 at 25 per cent;
- the next £200,000 at 18 per cent; and
- balance at 5 per cent.
Gibraltar has signed two international double tax agreements (tax treaties): one with the United Kingdom and one between Gibraltar, the United Kingdom and Spain that deals with certain cross-border conflict issues and double tax avoidance.
Gibraltar has also implemented the Organisation for Economic Co-operation and Development requirements in respect of the automatic sharing of information with other tax authorities (Common Reporting Standards or CRS) and also in respect of the Mandatory Disclosure Regime of transactions having certain hallmarks (Category D).
The Category D hallmark comprises two types of arrangements:
- D (1) Arrangements that have the effect of undermining reporting requirements under agreements for the automatic exchange of information; and
- D (2) Arrangements that obscure beneficial ownership and involve the use of offshore entities and structures with no real substance.
Category D hallmarks are not subject to a main benefit test and are still reportable by a wide range of local professional services providers and financial services firms even if the arrangements in question are not expected to generate a tax benefit.
Other issues
i Data protection
EU General Data Protection Regulation 2016/679 (the EU GDPR) governed data protection law in Gibraltar from 25 May 2018 to 31 December 2020. The EU GDPR was superseded by the Gibraltar General Data Protection Regulation (the Gibraltar GDPR) following the United Kingdom’s and Gibraltar’s exit from the European Union and the end of the Brexit transition period.
Gibraltar implemented the Gibraltar GDPR in accordance with Section 6 of the European Union (Withdrawal) Act 2019 (the Withdrawal Act). The Withdrawal Act, in effect, made the previously applied EU GDPR applicable to local law with some minor amendments, as set out in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020. Alongside the Gibraltar GDPR, the Data Protection Act 2004 (the 2004 Act) still applies and both should be read in conjunction. They govern how organisations process information about individuals, including but not confined to the collection, recording, structuring, storage, use and disclosure or transfer of personal data to third parties.
Furthermore, the Communications (Personal Data and Privacy) Regulations 2006 apply to electronic communications that contain or make use of personal data, and the Data Protection (Search and Seizure) Regulations govern the rules pertaining to search and seizure by the Information Commissioner. The Gibraltar Regulatory Authority is an independent statutory body responsible for the enforcement of the 2004 Act and the Gibraltar GDPR.
ii Other
There are many other legal and regulatory issues applicable to doing business in Gibraltar, including, inter alia: mandatory consumer protection laws, advertising standards, local business licensing obligations (for trading purposes) and registration of business names when used as local marks.
Looking ahead
The main areas of focus over the next few years are likely to be in respect of:
- whether a specific wide-ranging issuer and promoter regime will be implemented for token sales (this was previously mooted in 2018);12
- whether Gibraltar will follow the United Kingdom in implementing a specific cryptoasset financial promotion regime (adapted from the existing general financial promotion restrictions);
- whether revised definitions of derivatives under MiFID will be issued to bring more cryptoasset derivative products in scope;
- increased monitoring and potential supervision of decentralised applications, platforms and controllers of the same – particularly for AML purposes (in line with the 2021 FATF VASP Guidance);
- to what extent the United Kingdom and Gibraltar will adapt and adopt EU legislation in respect of cryptoassets as per the proposed Markets in Crypto Assets Regulation (MiCA); and
- the political impact of supporting the cryptoasset industry given the risk of continuing and increased concerns by some central banks and authorities about the cryptoasset sector becoming larger and (to some extent) challenging elements of the existing financial system and infrastructure (including the role of central banks, commercial banks and regulators).