Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 10 Training

www.gfsc.gi 10. Training AML/CFT/CPF Guidance Notes May 2026

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 1 Table of Contents 10.1 Training Responsibilities....................................................................................................................... 2 10.2 Local Branches & Subsidiaries.............................................................................................................. 3

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 2 10.1 Training Responsibilities AML/CFT/CPF Requirements R29 A regulated entity is required to provide continuous and appropriate Gibraltar-specific AML/CFT/CPF training to all staff. The training must align with the respective functions performed within the entity and be relevant to the tasks carried out by each member of staff. Guidance

1. A regulated entity is required to provide staff members with appropriate, regular training on AML/CFT/CPF1 . As per POCA and these Guidance Notes, Gibraltar has an established framework to mitigate the likelihood of money laundering, terrorist financing and proliferation financing activities occurring within the jurisdiction, including through a regulated entity.
2. The provision of regular training ensures that employees are aware of their responsibilities and are well-informed about the risks, threats and vulnerabilities associated with the type of products and services provided by the regulated entity. In doing so, the regulated entity must ensure that each staff member has the appropriate level of knowledge, skills and tools to identify and prevent such illicit activities from occurring.
3. It is the responsibility of each regulated entity to determine the appropriate frequency and nature of its ongoing staff training. This is likely to vary based on a number of factors, including the size and nature of the business, the number of employees, the specific requirements applicable to the products/services provided and the ML, TF & PF risks faced. A regulated entity must ensure its staff are up to date with current AML/CFT/CPF developments and must provide relevant and targeted training as and when necessary. Given the frequency of developments in trends, requirements and risks, it is generally considered appropriate for training to be carried out on, at least, an annual basis, particularly for those members of staff who are directly involved with the regulated entity’s compliance function.
4. As a minimum, the training provided by a regulated entity must include: • The legal and regulatory responsibilities/obligations of the entity and its employees; • The assessment and management of the money laundering, terrorist financing and proliferation financing risks faced by the business operations; • How to recognise red flags and typologies associated with potential money laundering, terrorist financing and proliferation financing; • Relevant data protection requirements2 ; and • The internal processes to be followed should any suspicious activity or criminal property be identified (including the process for making internal suspicious activity reports).
5. Training must be provided both at induction, as well as on an ongoing basis, to ensure that members of staff remain abreast of their obligations. During the induction process for new members of staff, a regulated entity should provide introductory training with the aim of providing clarity and familiarity on the AML/CFT/CPF policies and procedures relevant to the regulated entity, and the regulatory requirements applicable to Gibraltar. 1 Section 27, Proceeds of Crime Act 2015 2 Section 27(1)(a)(ii), Proceeds of Crime Act 2015

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 3 c6. Providing regular ongoing training is essential to keep all staff members updated on the evolving AML/CFT/CPF risks, changes to regulatory and legislative requirements, emerging trends in red flags and typologies, and best practices. Regular training sessions help to reinforce knowledge, address any gaps in understanding, and provide employees with the necessary skills to identify and report any potential ML, TF or PF-related activity. Example – Change of Products & Services 7. Staff members should be fully aware of the potential red flags and typologies associated with a particular set of services offered by the regulated entity. The expansion of a regulated entity’s product offering may then introduce the business to new ML, TF and/or PF-related risks that its staff members may not have previously been fully aware of. The red flags and typologies associated with each set of services may also be entirely distinct from one another. Updated training should therefore be provided in advance of the launch of these products, to ensure that each employee’s awareness remains appropriate, relevant and up to date. 8. The nature and complexity of the AML/CFT/CPF training provided to staff members may vary depending on the responsibilities and seniority of the position held within the regulated entity. In the case of the MLRO and any other individuals holding AML/CFT/CPF-related responsibilities, the regulated entity may consider it necessary to seek additional training (including potentially from an external provider) to ensure adequate coverage and understanding of all necessary information. The MLRO, Director with responsibility for AML/CFT/CPF and other employees with AML/CFT/CPF￾related responsibilities should typically undergo more focused training that covers advanced topics related to AML/CFT/CPF. This should encompass an understanding of their reporting obligations, how to conduct thorough investigations, how to identify potentially suspicious activity, how to implement effective internal controls and how to maintain a robust ML/TF/PF framework. 10.2 Local Branches & Subsidiaries 9. Overseas entities with local regulated subsidiaries, or which operate from or within Gibraltar on a freedom of establishment basis, are required to comply fully with local legislative and regulatory requirements, including those set out within POCA and these Guidance Notes. A local branch (or subsidiary) must require its employees to complete Gibraltar-specific AML/CFT/CPF training. This training ensures that employees are fully aware of, and comply with, the specific AML/CFT/CPF regulations and requirements in Gibraltar. 10. It is not sufficient in the case of local branches or subsidiaries which are part of multinational groups, to solely provide training that is relevant to the risks and requirements associated with the group home jurisdiction. Gibraltar-specific training must be provided to all staff members that operate, or deal with, business relationships associated with the Gibraltar entity. 11. The AML/CFT/CPF training should cover various areas, such as:

1. An overview of Gibraltar's AML/CFT/CPF legal and regulatory framework;
2. Identification and verification of customers and beneficial owners as per local requirements;
3. The specific risks faced by the Gibraltar entity in accordance with the local National Risk Assessment;
4. Local suspicious transaction monitoring and reporting obligations;
5. Local record-keeping requirements;
6. Locally-established internal controls, policies, and procedures for AML/CFT/CPF; and

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 4 7. The role and responsibilities of local staff members in preventing and detecting financial crime and the relevant reporting lines within the wider group. Example – Group Level Training 12. Where a regulated entity forms part of a group which provides AML/CFT/CPF training, the onus is on the entity in Gibraltar to ensure it aligns with Gibraltar specific legislative and regulatory requirements. 13. Regulated entities are permitted to use group level training, or non-Gibraltar specific AML/CFT/CPF training so long as the nuances within the Gibraltar requirements are also included. This must be provided in addition to the group level training. 14. There are no specific requirements in terms of the formatting of the material provided, so long as the trainee is aware of their obligations under POCA.