Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 2026

www.gfsc.gi

1. Introduction AML/CFT/CPF Guidance Notes May 2026

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 2 Table of Contents 1.1 Disclaimer........................................................................................................................................ 3 1.2 How to use these Guidance Notes.................................................................................................. 3 1.2.1 Glossary....................................................................................................................................... 3 1.2.2 Legislation ................................................................................................................................... 3 1.2.3 Colour-Coded Key........................................................................................................................ 3 1.2.4 AML/CFT/CPF Requirements....................................................................................................... 4 1.3 Introduction..................................................................................................................................... 4 1.3.1 Overview ..................................................................................................................................... 4 1.3.2 Regulatory Objectives................................................................................................................. 5 1.4 Risk-Based Approach....................................................................................................................... 5 1.5 Key Terms........................................................................................................................................ 5 1.5.1 What is Money Laundering? ....................................................................................................... 5 1.5.2 What is Terrorist Financing? ....................................................................................................... 6 1.5.3 What is Proliferation Financing? ................................................................................................. 7 1.6 Legal Scope and Applicable Legislation........................................................................................... 7 1.6.1 Legal Scope.................................................................................................................................. 7 1.6.2 Legal Framework......................................................................................................................... 8 1.6.3 Financial Action Task Force (FATF).............................................................................................. 9 1.7 GFSC Functions and Powers............................................................................................................ 9 1.7.1 Powers of the GFSC to Issue Guidance ....................................................................................... 9 1.7.2 Functions of the GFSC ............................................................................................................... 10 1.7.3 Enforcement and Sanctioning Powers...................................................................................... 10

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 3 1.1 Disclaimer

1. The GFSC has made every effort to ensure the content of these Guidance Notes is as accurate, up to date and precise as possible. Should there be any discrepancies identified between these Guidance Notes and the applicable legislative Acts and Regulations, the latter would take precedence and a regulated entity must ensure it complies with the requirements and obligations as set out in legislation. The GFSC shall not be held responsible for any errors or omissions that may occur. 1.2 How to use these Guidance Notes 1.2.1 Glossary
2. Throughout these Guidance Notes, any terms that have been defined within the Glossary will be displayed in italicised text. To clarify the meaning of these terms, please refer to the Glossary, which explains all abbreviations and defined terms used. 1.2.2 Legislation
3. The legal framework for Gibraltar's AML/CFT/CPF regime is outlined in Section 1.6.2 of this document. This document will provide a thorough explanation of the legal and regulatory requirements under this regime. Any references to legislation can be found in the footnotes to the Guidance Notes. It is recommended that all regulated entities familiarise themselves with the relevant Acts listed in this document, in addition to the requirements set out in these Guidance Notes.
4. To fully understand Gibraltar's AML/CFT/CPF regulatory framework, a regulated entity should read these Guidance Notes alongside the relevant Acts.
5. When statutory requirements are defined within the text of these Guidance Notes, the term ‘must’ will indicate that such provisions are compulsory. In contrast, where the Guidance Notes use the term ‘should’, this will suggest ways in which the statutory and regulatory requirements may be satisfied, providing room for alternative means of meeting the requirements. 1.2.3 Colour-Coded Key Category Explanation Colour AML/CFT/CPF Requirements Applicable to all regulated entities and sets out the requirements that are mandatory under the AML/CFT/CPF regime. General Guidance Guidance for all regulated entities. Sector-Specific Guidance Guidance for specific sectors only. Cases and Examples Case studies and examples setting out different ways of meeting mandatory requirements.

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 4 6. A practical color-coded key has been created to assist readers in quickly and easily identifying the information within this document. By assigning specific colours to different sections, readers can easily locate and distinguish various topics. A breakdown of the colours associated with each section can be found in the key above. To aid with the accessibility of the document for those individuals with colour vision deficiency, the GFSC has applied the use of the ColorAdd system1 . This system introduces distinct symbols associated with each colour to facilitate colour identification. 1.2.4 AML/CFT/CPF Requirements 7. The Guidance Notes are intended to implement the GFSC's AML/CFT/CPF Requirements, which are fundamental obligations for a regulated entity operating in Gibraltar. The sections that follow will explain how a regulated entity is expected to meet these Requirements. The GFSC’s Guidance Notes on the relevant AML/CFT/CPF expectations and the AML/CFT/CPF legislative requirements should be read in conjunction with one another. 8. A regulated entity must appropriately document and evidence its compliance with each requirement. The term “must” is used throughout the AML/CFT/CPF Requirements to indicate that compliance is mandatory and that all regulated entities are expected to meet them. 1.3 Introduction 1.3.1 Overview 9. These AML/CFT/CPF Guidance Notes have been designed to set out Gibraltar’s legal framework concerning ML, TF and PF. The purpose of these Guidance Notes is to assist regulated entities to comply with their legal requirements through practical interpretation of the law and will set out good industry practices in applying AML/CFT/CPF procedures using a proportionate and risk￾based approach to prevent the abuse of the financial services sector in Gibraltar. 10. While these Guidance Notes will strive to promote the implementation of robust and effective AML/CFT/CPF controls for a regulated entity, it is not intended to provide a complete and exhaustive list of systems and controls to counter ML, TF and PF. A regulated entity should apply its discretion and may implement additional measures other than those set out in these Guidance Notes so long as it demonstrates that such measures are in accordance with the relevant legislation as well as the GFSC’s AML/CFT/CPF Requirements. It must also establish that an appropriate risk-based approach to any measures adopted has been applied. It is a requirement for every regulated entity to implement and maintain its own policies and procedures in accordance with the relevant Acts as well as the requirements set out in these Guidance Notes. 11. These Guidance Notes will further highlight the GFSC’s expectations and standards expected from directors, MLROs and senior managers by defining their respective responsibilities under the AML/CFT/CPF regime. The aim is to provide further guidance to key individuals who are responsible for establishing the regulated entity’s risk management policies and procedures and putting those in place to prevent financial crime. 1 ColorADD colour identification system

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 5 1.3.2 Regulatory Objectives 12. The GFSC has established a set of regulatory objectives to ensure the stability and reliability of the financial system in Gibraltar2 . The first objective is the promotion of market confidence, which involves maintaining trust in the financial system through robust regulation and effective supervision. The GFSC aims to reduce systemic risk by mitigating the impact of the failure of one institution on the entire financial system. 13. In addition, the GFSC is committed to promoting public awareness of the financial system to ensure that consumers can make informed decisions about their financial transactions and activities. To protect the good reputation of Gibraltar, the GFSC works in close consultation with the financial sector to take necessary actions to preserve Gibraltar’s reputation as a reliable and credible financial services centre. 14. Another critical objective of the GFSC is to protect consumers by ensuring that they receive the appropriate degree of protection in their financial dealings. This involves monitoring and regulating financial products and services to prevent abuse and exploitation. Finally, the GFSC aims to reduce financial crime by implementing effective measures to prevent unauthorised financial activities and to deter money laundering, terrorist financing and proliferation financing. 15. Overall, the GFSC's regulatory objectives are designed to promote a secure and reliable financial system in Gibraltar that benefits both consumers and businesses. The GFSC is committed to maintaining a balance between protecting consumers and promoting innovation and competition in the financial sector, thereby ensuring that Gibraltar remains a vibrant and dynamic financial hub3 . 1.4 Risk-Based Approach 16. The concept of a risk-based approach is where a business identifies and assesses where its greatest risks lie and then applies its resources in line with those risks. POCA implements a variety of AML, CFT and CPF controls, some of which can be implemented on a risk sensitive basis. 17. To achieve the overall objective, a risk-based approach has been adopted throughout the entirety of these Notes. ML, TF and PF risks will vary across different customers, countries, services, products and sectors. A regulated entity must be able to assess and distinguish each customer and apply its own approach to systems and controls to mitigate the risks. The way a risk-based approach must be applied will depend on the structure, size and nature of the regulated entity. Therefore, while the requirement to have these controls in place is compulsory under AML/CFT legislation, the nature and extent of any controls implemented would be relative to the size and risks posed by the particular regulated entity. 1.5 Key Terms 1.5.1 What is Money Laundering? 18. Money laundering is the process by which criminals attempt to conceal the origin of the proceeds they have obtained by conducting criminal activity. Their aim is to convert criminal property so that it appears to derive from a legitimate source, and avoiding any suspicions being raised. 2 Schedule 5, Financial Services Act 2019 3 Section 23(2), Financial Services Act 2019

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 6 19. Under POCA, money laundering is defined as: ▪ Entering into or becoming concerned in an arrangement that facilitates the acquisition, retention, use or control of criminal property4 . ▪ Acquiring, possessing, or using criminal property 5 . ▪ Concealing, disguising, converting, transferring, or removing criminal property from Gibraltar6 . 20. Money laundering is also further defined in the Terrorism Act 2018. It is an offence to enter or become concerned in an arrangement that facilitates the retention or control by or on behalf of another person of terrorist property by, concealing, removing from the jurisdiction, transferring to nominees or in any other way7 . 21. There are typically three distinct stages in the money laundering process: ▪ Placement: this is the process of placing criminal proceeds into the financial system. Typically, this is done by splitting up large volumes of cash into smaller amounts using different financial instruments which can then be deposited at different locations. ▪ Layering: this is the process of moving the funds that have now been placed in the financial system in order to disguise its source of origin which usually involves multiple and complex transactions. ▪ Integration: once the origin of the funds has been concealed, the aim is to then integrate it back into the financial system as legitimate funds. This process involves investing the money into legitimate businesses or using other investment instruments such as setting up a trust or purchasing real estate. 22. Despite the three-stage model, it is important to note that a regulated entity and/or a customer of a regulated entity may be committing a ML offence at any stage of the process. In order to be deemed to have committed a ML offence, a criminal actor need not have progressed through each stage in turn. 23. Part II of POCA deals with several money laundering offences, many of which are dealt with by the Royal Gibraltar Police. While the Gibraltar Financial Intelligence Unit (“GFIU”) is not a crime reporting agency, it is responsible for maintaining a database of all the suspicious activity disclosures made to it. The GFIU is also responsible for assessing and disseminating the disclosed information to law enforcement agencies throughout Gibraltar, such as, HM Customs Gibraltar and the Royal Gibraltar Police, and the supervisory authorities for consideration and/or action. 1.5.2 What is Terrorist Financing? 24. Terrorist financing is the collection and use of funds deriving from either legitimate or illegitimate sources with the intention, or in the knowledge, that they will, or may be used, with the purpose to carry out an act of terrorism, whether or not those funds are in fact used for that purpose. 25. As defined under POCA, terrorist financing means8 : 4 Section 2(1), Proceeds of Crime Act 2015 5 Section 3(1), proceeds of Crime Act 2015 6 Section 4(1), Proceeds of Crime Act 2015 7 Section 39, Terrorism Act 2018 8 Section 1ZA, Proceeds of Crime Act 2015

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 7 ▪ The use of funds or other assets, or the making available of funds or assets, by any means, directly or indirectly for the purposes of terrorism. ▪ The acquisition, possession, concealment, conversion, or transfer of funds that are (directly or indirectly) to be used or made available for those purposes. ▪ Any act which constitutes an offence such as raising funds, using funds, arranging funds for terrorism purposes. ▪ Any act which constitutes an offence under any other enactment that applies in Gibraltar and that offence relates to terrorism or the financing of terrorism. 26. The provisions found in POCA closely mirror those within the Terrorism Act 2018 as these go hand in hand. The key difference, is that terrorist funds can originate from a legitimate source, making it more difficult to identify than those funds coming from an illegitimate source as seen in cases of money laundering. 1.5.3 What is Proliferation Financing? 27. As defined in the Terrorism Act 2018, proliferation financing refers to POCA of providing funds or financial services which are used, in whole or in part, for the manufacture, production, possession, acquisition, development, transhipment, brokering, transport, stockpiling or use of nuclear, chemical, or biological weapons and their means of delivery and related materials9 . This includes both technologies and dual-use goods used for non-legitimate purposes. 28. The regulatory framework around counter-proliferation and its financing in Gibraltar involves three key structures – sanctions, export controls and AML/CFT/CPF legislation and regulation. All regulated entities caught under POCA must take appropriate measures to identify and assess the risks of proliferation financing to which they are subject. 29. The Gibraltar Financial Intelligence Unit (GFIU) produced guidance in collaboration with the GFSC on PF. It mainly covers the PF risk posed by the Banking, Distributed Ledger Technology (DLT) service provider, Trust and Company Service Provider (TCSPs) and Insurance sectors10 . The guidance also includes an overview of PF risks, how to carry out a PF risk assessment, typologies, red flags and the relevant reporting processes. 30. As illustrated in the Counter Proliferation Financing Guidance Notes, there are three stages of proliferation financing: ▪ Program fundraising sources. ▪ Disguising the funds. ▪ Materials and technology procurement. 31. For more information and guidance on proliferation financing, refer to these Notes. 1.6 Legal Scope and Applicable Legislation 1.6.1 Legal Scope 32. These Guidance Notes are applicable to the following relevant financial business which fall within the GFSC’s remit: ▪ Banks (Credit Institutions) and Building Societies whether operating in or from Gibraltar as a branch or locally incorporated institution; ▪ Electronic Money Institutions; 9 Section 38A, Terrorism Act 2018 10 Gibraltar Counter Proliferation Financing Guidance Notes

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 8 ▪ Trust and Corporate Service Providers; ▪ Life Assurance Companies; ▪ Life Assurance Intermediaries; ▪ Insurance Managers; ▪ Investment Managers; ▪ Investment Dealers; ▪ Consumer Credit firms; ▪ External Accountants; ▪ Tax Advisors; ▪ Virtual Asset Arrangement Providers; ▪ Token sale firms/Initial Coin Offerings; ▪ Bureaux de Change; ▪ Payment Services Institutions; ▪ Funds (except for Private Funds); ▪ Fund Managers (except for Small Self-Registered Authorised Investment Fund Managers); ▪ Fund Administrators; ▪ Fund Depositaries; ▪ Pension Controllers; ▪ Pension Advisers; ▪ Statutory Auditors and Audit Firms; ▪ Insolvency Practitioners; ▪ Distributed Ledger Technology Providers; ▪ Multilateral trading facilities; and ▪ Organised trading facilities. 1.6.2 Legal Framework 33. There is an extensive legal framework which has established the AML/CFT/CPF regime in Gibraltar. The following legislation will be relevant and applicable to these Notes: ▪ The provisions within the Proceeds of Crime Act 2015 (“POCA”) set out money laundering, terrorist financing and proliferation financing offences. POCA seeks to provide for the confiscation of the proceeds of criminal conduct and provides for measures to prevent the abuse of the financial system. It also, in part, transposes the EU Money Laundering Directives and FATF Recommendations into Gibraltar law. The EU Directives continue to have effect locally despite Gibraltar no longer being a part of the European Union, following Brexit. This is due to these directives being transposed into domestic law via POCA. ▪ The provisions within the Terrorism Act 2018 provide for orders for the freezing and forfeiture of terrorist property and funds. This Act also governs the laws concerning proliferation financing. ▪ The provisions within the Sanctions Act 2019 enable designations to be imposed on people, entities, groups, organisations, states and territories for the purposes of the security of Gibraltar or international peace and security. ▪ The provisions within the Export Control Act 2005 implement various controls to limit the ability of unauthorised users to obtain goods or technology or engage in any activities connected with trade in controlled goods for illicit purposes, such as, terrorism or proliferation activities. ▪ The provisions within the Proceeds of Crime Act 2015 (Relevant Financial Business) (Registration) Regulations 2021. This is subsidiary legislation made under the powers of

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 9 POCA and its purpose is to implement a registration regime for certain activities including, in part, those which fall under Recommendation 15 of the FATF Recommendations on the International Standards on combatting money laundering and the financing of terrorism and proliferation. 1.6.3 Financial Action Task Force (FATF) 34. The FATF strives towards the development and promotion of global policies and standards regarding AML, CFT and CPF controls. The FATF sets international standards and policies with the aim of preventing illegal activities and the harm they cause as a result. In total, more than 200 countries and jurisdictions have committed to implement the FATF’s Standards as part of a co-ordinated global response to preventing organised crime, corruption and terrorism. Under Gibraltar legislation, the GFSC must have regard to any relevant guidance issued by the FATF11 . These Notes will, therefore, seek to reflect the FATF 40+ Recommendations on International Standards on Combating Money Laundering and The Financing of Terrorism and Proliferation. 35. The FATF’s objective is to provide a framework of measures and an infrastructure that connects regulators and authorities on an international scale to facilitate cooperation within the global financial sector. The organisation seeks to encourage member jurisdictions to implement and adapt these standards in accordance with the country’s own needs and financial systems to combat ML, TF and PF. 1.7 GFSC Functions and Powers 1.7.1 Powers of the GFSC to Issue Guidance 36. The GFSC issues these notes by the powers conferred to it under the Supervisory Bodies (Powers Etc.) Regulations 2017 and POCA. 37. In addition to providing guidance on the nature of the responsibilities of regulated functions12 , the GFSC may also issue guidance, with the consent of the Minister, consisting of information and advice as it considers appropriate, with respect: ▪ To the Financial Services Act 2019; ▪ To any matter relating to the functions of the GFSC; ▪ For the purposes of meeting the regulatory objectives of the GFSC; and ▪ For any other matters which appear to the GFSC to be desirable to give information or advice 13 . 38. Under the Supervisory Bodies (Powers Etc.) Regulations 2017 (“SBPR”), the GFSC has the authority to take preventative and corrective measures to ensure that a regulated entity complies with the provisions set out within these Guidance Notes. A regulated entity must also comply with any other relevant legislative requirements to prevent the facilitation of money laundering, terrorist financing or proliferation financing purposes 14 . 39. Under the same Regulations, the GFSC may issue or promulgate such rules, or guidance in respect of the laws concerning AML, CFT and CPF as it considers relevant15 . Under the 11 Section 8, Supervisory Bodies (Powers Etc.) Regulations 2017 12 Section 92, Financial Services Act 2019 13 Section 37, Financial Services Act 2019 14 Section 11(1)(a), Supervisory Bodies (Powers Etc.) Regulations 2017 15 Section 11(3), Supervisory Bodies (Powers Etc.) Regulations 2017

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 10 Supervisory Bodies (Powers Etc.) Regulations 2017, the contents of these Guidance Notes fall within the remit of an "applicable provision". Failing to comply with these Guidance Notes, or disregarding these Guidance Notes, is therefore considered a breach of a regulated entity's AML/CFT/CPF responsibilities. Additionally, under POCA, failing to comply with the relevant sections is considered an offence. In deciding whether a person has committed such an offence, the court must consider whether that person has followed the relevant guidance16 . 1.7.2 Functions of the GFSC 40. Under the FSA, the functions of the GFSC are as follows17: ▪ To supervise regulated persons in accordance with the FSA; ▪ To consider and determine applications for authorisation, permission, licensing, approval, registration, or recognition made under the FSA; ▪ To monitor compliance by regulated persons with the FSA and any regulations, rules, codes, and guidance made under it and, when appropriate, take enforcement action in respect of any non-compliance; and ▪ To monitor compliance by regulated persons with legislation, rules, codes and guidance relating to the prevention of financial crime and, when appropriate, take enforcement action in respect of any non-compliance. 41. Additionally, the GFSC is responsible for the supervision of regulated individuals. An individual may only act as a regulated individual if the GFSC has approved the individual to perform a specified regulated function18 . Where individuals are seeking to perform a specified regulated function in a regulated entity, the GFSC will, in considering whether to approve an individual or not, have regard to whether the individual has the necessary skills, qualifications, experience, competence, capability, fitness and propriety required to perform the regulated function19 . 42. For a full list of functions, please refer to s22(1) of the FSA 2019. 1.7.3 Enforcement and Sanctioning Powers 43. Under the SBPR, the GFSC has various enforcement and sanctioning powers. This includes the ability to impose penalties20 suspend, withdraw, or revoke an authorisation or registration21 or temporarily ban persons from managerial positions22. These enforcement and sanctioning powers may be applied where the GFSC is satisfied that a regulated entity has contravened these Guidance Notes and/or other relevant legislation under the AML/CFT/CPF regime23 . 44. Where the GFSC believes or suspects on reasonable grounds that a regulated entity is contravening or has contravened these Guidance Notes and/or other relevant legislation under the AML/CFT regime, or considers that it is in the public interest to do so, it may, by notice in writing served on the regulated entity, direct it, at its own expense, to take or refrain from 16 Section 33(2), Proceeds of Crime Act 2015 17 Section 22(1), Financial Services Act 2019 18 Section 93, Financial Services Act 2019 19 Section 94(2), Financial Services Act 2019 20 Sections 18(1) & 18(2), Supervisory Bodies (Powers Etc.) Regulations 2017 21 Section 19(1), Supervisory Bodies (Powers Etc.) Regulations 2017 22 Section 20(1), Supervisory Bodies (Powers Etc.) Regulations 2017 23 GFSC Sanctioning Guide – Approach to Sanctioning Action

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 11 taking any course of action in relation to the fulfilment of its obligations under these Guidance Notes and/or other relevant legislation that the GFSC specifies in the notice24 . 45. The GFSC may, from time-to-time, revoke or vary a direction given under the SBPR in the same manner as it was given25 . Further to the above, the GFSC also has a variety of enforcement and sanctioning powers for contraventions available to it under the FSA for non-AML/CFT/CPF related breaches. 24 Section 21(1), Supervisory Bodies (Powers Etc.) Regulations 2017 25 Section 21(2), Supervisory Bodies (Powers Etc.) Regulations 2017

Published by: Gibraltar Financial Services Commission PO Box 940 Suite 3, Ground Floor Atlantic Suites Europort Avenue Gibraltar www.gfsc.gi © 2017 Gibraltar Financial Services Commission