GFSC Guidance Note on Scope of the DLT Framework

Version: 2 Publication Date: 28/03/2025 www.gfsc.gi GFSC Guidance Note Scope of the DLT Framework

Gibraltar Financial Services Commission Guidance Note on the Scope of the DLT Framework 2 Table of Contents

1. Introduction..................................................................................................................................... 4 2 Overview of Approach..................................................................................................................... 4 Outcomes-focused, principles-based.............................................................................................. 4 3 Regulatory Objectives...................................................................................................................... 4 4 International Developments ........................................................................................................... 4 5 Overview of Gibraltar’s Legislation ................................................................................................. 5 6 Carrying on Regulated Activities by way of business in or from within Gibraltar........................... 5 7 Using Distributed Ledger Technology (DLT).................................................................................... 6 8 Value................................................................................................................................................ 6 9 Storage and Transmission of Value Belonging to Another.............................................................. 7 Storage............................................................................................................................................. 7 Transmission.................................................................................................................................... 7 Relevant Factors.............................................................................................................................. 8 10 Examples of In-Scope Activities....................................................................................................... 9 Custodial Virtual Asset wallet providers. ........................................................................................ 9 Virtual Asset ATM Operators........................................................................................................... 9 Spot Virtual Asset Exchanges (Custodial and Non-Custodial) ......................................................... 9 Virtual Asset Derivatives Exchanges................................................................................................ 9 Over-the-Counter (‘OTC’)/Brokerage Desks.................................................................................... 9 Escrow Service Providers............................................................................................................... 10 Virtual Asset Borrowing and Lending Platforms ........................................................................... 10 Virtual Asset Managed Investment Services................................................................................. 10 Operators and Administrators of Smart Contracts ....................................................................... 10 Operators and Administrators of Decentralised Applications (‘DApps’) and Decentralised Exchanges (‘DEXs’)......................................................................................................................... 10 Stablecoin Offerings...................................................................................................................... 11 11 Examples of Out-of-Scope Activities ............................................................................................. 11 Proprietary trading or activities .................................................................................................... 11 Non-custodial wallet services........................................................................................................ 12 Peer to peer platforms.................................................................................................................. 12 Investment advice ......................................................................................................................... 12 Non-custodial arrangers................................................................................................................ 12 Research, development and outsourcing...................................................................................... 12 Validating transactions.................................................................................................................. 12

Gibraltar Financial Services Commission Guidance Note on the Scope of the DLT Framework 3 Over-The-Counter (OTC)/brokerage desks (non-custodial) .......................................................... 12 Virtual asset account signatories................................................................................................... 13

Gibraltar Financial Services Commission Guidance Note on the Scope of the DLT Framework 4

1. Introduction 1.1 The purpose of this document is to provide guidance as to the scope of the ‘Distributed Ledger Technology Framework’ (the ‘DLT Framework’), which is composed of the Financial Services Act 2019 (the ‘FSA’) as it relates and applies to providing DLT services1 , and the Financial Services (Distributed Ledger Technology Providers) Regulations 2020 (the ‘DLT Regulations’). 2 Overview of Approach Outcomes-focused, principles-based 2.1 Prescriptive regulation works well for mature business activities, where products, processes, business models and risks are all established. However, there are different challenges in regulating activities centred on rapidly evolving technology like DLT, as businesses are continually adapting to technological advances in various aspects of their operations. In such environments, rigid rules can quickly become outdated and not fit for purpose. 2.2 Recognising this, Gibraltar has adopted a flexible, adaptive approach to the regulation of businesses operating in the DLT sector, where regulatory outcomes remain central but are achieved through the application of statutory core principles designed to remain relevant and applicable even as the industry’s landscape, technology and best practices shift. 3 Regulatory Objectives 3.1 Section 23 of Part 3 of the FSA sets out the GFSC’s regulatory objectives: ● The promotion of market confidence ● The reduction of systemic risk ● The promotion of public awareness ● The protection of the good reputation of Gibraltar ● The protection of consumers ● The reduction of financial crime 3.2 The DLT Framework has established within Gibraltar a progressive, well-regulated and safe environment in which DLT Providers can innovate and succeed, whilst preserving the good reputation of the jurisdiction. 3.3 It is also intended that consumers are able to understand the benefits and risks associated with DLT Providers’ products and services, that they have confidence in the integrity of the owners and management of these firms, and that they are afforded the appropriate protection. 4 International Developments 4.1 The GFSC continues to monitor international regulatory developments in the DLT space in order to understand their impact on DLT Providers and to ensure that these firms are aware of, and reactive to, the risks and challenges emerging internationally. 1 See paragraph 5.2

Gibraltar Financial Services Commission Guidance Note on the Scope of the DLT Framework 5 4.2 The GFSC has conducted a thorough review of the Financial Action Task Force’s (‘FATF’s’) Updated Guidance for a Risk Based Approach to Virtual Assets and Virtual Asset Service Providers (‘VASPs’), as well as its subsequent related publications, in order to ensure that the DLT Framework maintains regulatory standards which as a minimum meet the requirements of a registration regime defined by the FATF Guidance2 . 4.3 This review has concluded that whilst all DLT Providers fall within the definition of Virtual Asset Service Providers, not all Virtual Asset Service Providers are necessarily within scope of the DLT Framework. Those individuals or firms that fall within the definition of a VASP, but not within that of a DLT Provider, are regulated under the Proceeds of Crime Act 2015, as discussed further below. 5 Overview of Gibraltar’s Legislation 5.1 Section 4 of Part 2 of the FSA prohibits any person from carrying on regulated activities by way of business in Gibraltar unless the person is either an authorised person or an exempt person. 5.2 Under Schedule 2, Part 16, Paragraph 139 of the FSA, “using DLT for storage or transmission of value belonging to another”, which is also referred to as “providing distributed ledger technology services” (‘DLT services’), is a regulated activity. 5.3 Therefore, any firm carrying on by way of business, in or from Gibraltar, the use of distributed ledger technology (‘DLT’) for storing or transmitting value belonging to others, needs to be authorised by the GFSC as a DLT Provider. 5.4 The DLT Framework is intended to apply to individuals and firms that engage in the activities outlined above, unless these activities fall within scope of any of the other regulated activities set out in Schedule 2 of the FSA. Any such activities will continue to be regulated under the relevant sections of the FSA, together with any other relevant legislation. 5.5 Firms with permission to conduct other regulated activities, that use DLT in order to improve their controls, procedures and processes, or otherwise in the course of conducting those regulated activities, will not need to obtain separate authorisation to provide DLT services. The requirement for separate authorisation will only be triggered when a firm provides DLT services in the manner prescribed by the FSA and discussed in this Guidance Note. By way of example, a bank using DLT as part of its back-end processes is unlikely to require separate authorisation, whilst if it intends to provide virtual asset wallets and/or other services listed in section 10 of this Guidance Note, it likely will be required to obtain authorisation as a DLT Provider. 6 Carrying on Regulated Activities by way of business in or from within Gibraltar 6.1 In order for a firm to be authorised to carry on regulated activities in Gibraltar, it must be registered and have an office in the jurisdiction. The firm must also ensure that the Mind and Management of its business is conducted from its Gibraltar office, and that the firm can evidence this. 6.2 The GFSC will also take into account the nature and scale of the activity being conducted in Gibraltar, the degree of continuity, and the existence of a commercial element to the activity. 2 See the following link for a full list of the FATF’s VASP-related publications: https://www.fatf￾gafi.org/en/publications.html

Gibraltar Financial Services Commission Guidance Note on the Scope of the DLT Framework 6 6.3 A firm that provides DLT services outside Gibraltar that is incorporated or registered in Gibraltar will be considered to be carrying on that activity from within Gibraltar. 6.4 It should be emphasised that the FSA and DLT Regulations are not intended to capture individual users of DLT. Individuals or entities who obtain virtual assets and use them to purchase goods or services on their own behalf or make a one-off exchange or transfer for a third party, and those purchasing goods and services with virtual assets, investing in virtual assets for private purposes, and paying salaries or wages in virtual assets are not intended to fall in-scope. The DLT Framework is designed to capture the relevant activities being conducted by way of business. 7 Using Distributed Ledger Technology (DLT) 7.1 Schedule 2, Part 16, Paragraph 138(2) of the FSA defines DLT as “a database system in which– a) information is recorded and consensually shared and synchronised across a network of multiple nodes; and b) all copies of the database are regarded as equally authentic.” 7.2 A distributed ledger can be shared across a network of multiple sites, jurisdictions or institutions, and does not have a single authoritative copy. Instead, network participants have identical copies of the ledger. A distributed ledger may employ a blockchain or other method of storing records in a continuous tamper-resistant way. 7.3 The GFSC will interpret ‘DLT’ broadly in order to allow the FSA and DLT Regulations to capture businesses that adopt emerging applications of DLT/blockchain technology, thereby enabling it to meet its regulatory objectives. 7.4 It should be noted that the legislation does not seek to regulate the technology itself, or the individuals or entities that develop open-source software or protocols using DLT, but rather those developing and using the technology for commercial purposes. The GFSC will focus in particular on the provision of financial services or services akin to these that carry similar risks for customers. 8 Value 8.1 “Value” for the purposes of the DLT Framework, is defined in Schedule 2, Part 16, Paragraph 138(2) of the FSA as including “assets, holdings and other forms of ownership, rights or interests, with or without related information, such as agreements or transactions for the transfer of value or its payment, clearing or settlement.” 8.2 The FATF defines virtual assets “as a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities, and other financial assets that are already covered elsewhere in the FATF Recommendations”.3 8.3 The definition of “value” under Gibraltar law is therefore consistent with, and wider than, the FATF definition of virtual assets.4 3 Updated Guidance for a Risk Based Approach to Virtual Assets and Virtual Asset Service Providers 4 For the avoidance of doubt, non-fungible tokens, commonly referred to as “NFTs” are likely to fall within the definition of “value” under Gibraltar law.

Gibraltar Financial Services Commission Guidance Note on the Scope of the DLT Framework 7 8.4 Digital representations of fiat currencies and other forms of price-stabilised virtual assets may fall within the scope of other regulated activities, for example where they are deemed to fall within the definitions of electronic money (‘e-money’) or financial instruments. However, where they do not, they are still likely to fall within the definition of “value” for the purposes of the DLT Framework. 9 Storage and Transmission of Value Belonging to Another 9.1 DLT Providers may fall in scope of one or both of the storage and transmission elements of this regulated activity. Storage 9.2 “Storage” traditionally refers to the holding or safekeeping of a physical asset, to be returned to its owner in the same condition as it is received. In a digital world, where assets are dematerialised, safekeeping is not physically observable. In this context, the GFSC interprets storage as the ability for one party to exercise control over access to another’s value to the extent that the value could be compromised as a result of the former’s actions. 9.3 Holding or having direct access to private keys enabling control over a virtual asset, on behalf of a client, during the course of any business activity, clearly meets the definition of storage, in the context of the DLT regulated activity and the DLT Framework. 9.4 The GFSC also considers activities in which a firm or individual is essential to the process of transferring a client’s value in a multi-signature arrangement to fall in-scope of the DLT Framework, even in cases where they cannot complete transactions without a key held by another party. In￾scope examples include situations where there is an expectation that the firm/individual will initiate a transfer of the value at a particular time, and those where the loss of a private key held by the firm/individual would result in the irrecoverable loss of a client’s value. Transmission 9.5 The transmission of an asset is generally considered to be the passing or sending (i.e. transfer) of that asset to a different person or place. In the context of the DLT Framework, individuals or firms who can control or have an element of control over the passing or sending of a client’s value to a different wallet or address, or who have the ability to change its ownership by another means, or to destroy it, will be considered to be transmitting value belonging to another for the purposes of the DLT Framework. 9.6 Where a developer or group of developers deploy a smart contract, demonstrably retains no element of control over it, and derive no commercial benefit from it, their activity is likely to fall outside the scope of the DLT Framework. However, developers, owners, operators and administrators of smart contracts, decentralised applications (‘DApps’), decentralised exchanges (‘DEXs’) and stablecoins may fall within scope of the DLT Framework even if other parties play a role in the service(s) provided, or elements of the process or operation are automated or decentralised. The question of whether a decentralised structure involves some degree of centralised control that brings certain parties within scope of the DLT Framework needs to be assessed on a case-by-case basis, having regard to the “Relevant Factors” section below.

Gibraltar Financial Services Commission Guidance Note on the Scope of the DLT Framework 8 9.7 The nature and extent of the relevant party’s control and the economic substance of the arrangements in place will be important considerations when assessing such cases. Relevant Factors 9.8 When assessing the applicability of the DLT Framework, the GFSC will consider whether the level of control or influence that the individual or firm in question exerts over the storage or transmission of value belonging to others is sufficient to bring it within scope. 9.9 The broad approach to the assessment that the GFSC will make in this context can be summarised as follows: • From a technological point of view, the GFSC will assess (where necessary, with suitable third party technological expertise) the level of automation and autonomy of the protocol, the existence of administrator rights or keys (or rights or privileges of a similar nature), and the level of transparency of the code used. • From an operational point of view, the GFSC will focus on the characteristics of the activity, identifying whether it is provided in an ‘open’ manner (e.g. via a permissionless blockchain protocol that is accessible to the public) and whether any custodial activity is provided via the protocol. • From a governance point of view, the GFSC will assess whether there is any ‘de facto’ or ‘de jure’ control over the protocol by developers or users. The level of decentralisation of a protocol’s governance could vary on the basis of several factors, such as the levels of distribution in governance tokens held, as well as the effective level of participation of holders in the decision-making process. 9.10 In general, the GFSC will seek to determine the level of control exercised over a protocol (for example, whether certain parties have access to its administrator keys, thereby allowing them to modify the code, independently of any governance process). 9.11 The following are examples of the factors that will be considered in this context: ● Whether an identifiable individual or firm is deriving economic benefit from the use of a given smart contract, DApp, DEX or stablecoin. ● The extent of an individual or firm’s (or any party directly or indirectly linked to the firm’s) influence and/or control over a given smart contract, DApp, DEX or stablecoin, for example by holding an administrative key through which it is possible to set or adjust parameters. ● Whether there is a legal requirement for an individual or firm to effect the transmission of value. ● Whether there is a legal requirement for an individual or firm to deploy or administer a given smart contract, DApp, DEX or stablecoin. ● Whether there are any external inputs to a given smart contract (e.g. an oracle function) that are controlled, or significantly influenced by an individual or firm (or any party directly or indirectly linked to the individual or firm). ● Whether there is a requirement to use a particular virtual asset associated with an individual or firm within a given smart contract, DApp or DEX. In the case of any consensus

Gibraltar Financial Services Commission Guidance Note on the Scope of the DLT Framework 9 mechanism used, whether the majority of the given network (as defined by the consensus mechanism in question) is controlled by an individual or firm. ● Whether a failure or error of any kind on behalf of an individual or firm will result in customer value being compromised. 9.12 For the avoidance of doubt, non-fungible tokens, commonly referred to as “NFTs” are likely to fall within the definition of “value” under Gibraltar law. 10 Examples of In-Scope Activities 10.1 This section sets out a non-exhaustive list of activities which fall within-scope of the DLT Framework. Firms and Individuals will be required to evidence the particular circumstances of their business where they are seeking to demonstrate they are not in scope prior to the carrying out of any such activity. Custodial Virtual Asset wallet providers. 10.2 Firms providing virtual asset wallets where clients can store their virtual assets, and where the firm is responsible for the storage of such virtual assets and the transmission of virtual assets out of the wallet (at the request of the owner of the virtual assets). Virtual Asset ATM Operators 10.3 Also referred to commonly as “kiosks”, “Bitcoin teller machines,” “Bitcoin ATMs,” or “vending machines”. These physical electronic terminals enable the owner/operator to actively facilitate the exchange of virtual assets for fiat currency or other virtual assets. Spot Virtual Asset Exchanges (Custodial and Non-Custodial) 10.4 Exchanges or exchangers can exist in various forms and business models and generally provide third-party services that enable their customers to buy and sell virtual assets in exchange for traditional fiat currency or another virtual asset. Exchange and/or transfer business models can include “traditional” virtual asset exchanges or virtual asset transfer services that actively facilitate the exchange of virtual assets for fiat currency or other forms of virtual asset. These models typically accept a wide range of payment methods, including cash, wires, credit/debit cards, and virtual assets. Virtual Asset Derivatives Exchanges 10.5 These more advanced trading services may allow users to access more sophisticated trading products and services, generally collectively categorised as derivate contracts. Exchanges offering virtual asset-denominated derivative contracts that do not constitute financial instruments for the purposes of other existing financial services regulations are still likely to be captured by the DLT Framework. Over-the-Counter (‘OTC’)/Brokerage Desks 10.6 These firms tend to arrange for the buying and selling of virtual assets for other virtual assets or fiat, between clients or between clients and the firm/liquidity providers. Where these firms use DLT in the storage or transmission of value belonging to another in arranging transactions, they are likely

Gibraltar Financial Services Commission Guidance Note on the Scope of the DLT Framework 10 to fall within scope of the DLT Framework. Where DLT is not used in the storage or transmission of value belonging to another in making such arrangements, the DLT Framework is unlikely to apply, but they may still be subject to registration requirements under the Proceeds of Crime Act 2015. Escrow Service Providers 10.7 Escrow service providers arrange for the buying and selling of virtual assets for other virtual assets or fiat, whilst acting as a central counterparty to the trade, holding the virtual assets or both the virtual assets and the fiat, in order to enhance trust between the counterparties of the trade. Where DLT is not used in the storage or transmission of value belonging to another in making such arrangements, the DLT Framework is unlikely to apply, but they may still be subject to registration requirements under the Proceeds of Crime Act 2015. Virtual Asset Borrowing and Lending Platforms 10.8 These firms actively facilitate virtual asset loans between their clients via their platforms. Typically, borrowers will post virtual assets as collateral, which the firm will take custody of during the loan term. Virtual Asset Managed Investment Services 10.9 These service providers make buying and selling decisions for their clients, in return for a fixed fee or performance-based return. These providers typically also take custody of clients’ virtual assets, by virtue of which they will likely fall within scope of the DLT Framework. Operators and Administrators of Smart Contracts 10.10 Services or business models that combine the function of safeguarding the value of a customer’s virtual assets with the power to manage or transmit the virtual assets independently from the owner, under the assumption that such management and transmission will only be done according to the owner’s/customer’s instructions, will fall within scope of the DLT Framework. 10.11 Operators providing safekeeping and administration services include persons that have exclusive or independent control of the private key associated with virtual assets belonging to another person or exclusive and independent control of smart contracts to which they are not a party that involve virtual assets belonging to another person. Operators and Administrators of Decentralised Applications (‘DApps’) and Decentralised Exchanges (‘DEXs’) 10.12 Decentralised or distributed applications (or DApps) are software programs that operate on a peer-to-peer network of computers running a blockchain-based platform designed such that they are not controlled by a single person or group of persons. DApps may be deployed in order to perform a wide variety of functions, including acting as a decentralised exchange (sometimes called a DEX) or another form of unincorporated organisation, such as software agency, to provide virtual asset activities. Where a DApp does not have an identifiable administrator or single authority capable of or responsible for making changes to data, moderating, intermediating or validating transactions that take place within the DApp, it is unlikely to be captured by the DLT Framework. 10.13 However, DApps may not be fully decentralised, and may retain elements of centralisation by virtue of which they fall in scope of the DLT Framework, so it remains for the GFSC to determine

Gibraltar Financial Services Commission Guidance Note on the Scope of the DLT Framework 11 whether any identifiable owners/ operators/ administrators exert control or sufficient influence to bring them within scope of the DLT Framework. When considering each case, the GFSC will take the approach and consider the factors set out in the ‘Relevant Factors’ section above. 10.14 The DLT Framework is not intended to capture pure research and development work, or the deployment of open-source software, but rather individuals or firms that have continued control or significant influence over, and/or continue to derive (or have the potential to derive) commercial benefit from, DApps and DEXs following their launch. Stablecoin Offerings 10.15 Price-stabilised virtual assets, commonly referred to as stablecoins, can be structured in various ways. For example, they can be fiat-backed (by one or a basket of fiat currencies), asset-backed (e.g. by exchange-traded, physical commodities, such as gold or oil), virtual asset-backed (by one or a basket of virtual assets), or backed by a mixture of these types of assets. They can also be algorithmically controlled (e.g. with mechanisms to adjust token supply in response to market movements), or ‘free-floating’. Stablecoins may have a central developer or a governance body that consists of one or more natural or legal persons who establish, or participate in the establishment of, the rules governing the stablecoin arrangement, for example by determining the functions of the stablecoin, who can access it, and what, if any, AML/CFT preventive measures are built into the arrangement. They may also carry out the basic functions of the stablecoin (such as managing the stabilisation function) or have decision-making authority over structures that affect the inherent value of the stablecoin, such as changing reserve requirements or the stablecoin’s supply. Whilst the application of the DLT Framework to each proposal will be assessed on a case-by-case basis, the extent of the role played by a given entity in any of the functions outlined above will be a key consideration for the GFSC. As mentioned in the context of DApps and DEXs, when considering each case, the GFSC will take into account the factors set out in the ‘Relevant Factors’ section above. 11 Examples of Out-of-Scope Activities 11.1 This section sets out a non-exhaustive list of activities which fall, or are likely to fall, outside the scope of the DLT Framework. Where a firm or individual intends to carry on any of the activities listed by way of business in or from within Gibraltar, they should be prepared to demonstrate, prior to commencing that activity, that no aspect of it will fall within the DLT Framework. 11.2 Whether a natural or legal person engaged in any activities relating to virtual assets requires authorisation as a DLT Provider depends on how the person uses the virtual assets and for whose benefit. A person not engaging as a business for or on behalf of another natural or legal person will not be conducting a regulated activity. Proprietary trading or activities 11.3 Natural or legal persons who obtain5 virtual assets and use them to purchase goods or services on their own behalf or make a one-off exchange or transfer for a third party, will fall outside of the DLT Framework’s scope, as will users purchasing goods and services with virtual assets, investing in virtual assets for private purposes, and paying salaries or wages in virtual assets. 5 ‘Obtain’ in this context covers any situation in which the natural or legal person in question acquires the legal title to the virtual assets, whether via a purchase, loan arrangement or otherwise.

Gibraltar Financial Services Commission Guidance Note on the Scope of the DLT Framework 12 Non-custodial wallet services 11.4 Natural or legal persons providing ancillary services/products to DLT networks, such as hardware wallet manufacturers and non-custodial wallet providers (to the extent that they do not carry on any other activity captured by the DLT Framework) are likely to fall out-of-scope. Peer to peer platforms 11.5 Peer-to-peer exchange platforms that are more akin to bulletin boards, where buyers and sellers might locate one another and then go to a different location, platform or service to effect trades between themselves, are likely to fall out-of-scope of the DLT Framework. This activity is captured by the registration regime under the Proceeds of Crime Act 2015 (Section 9(1)(q)). Investment advice 11.6 Pure investment advice relating to virtual assets, where the individual or firm providing the investment advice does not at any point store or transmit value belonging to the recipient of the advice, does not currently fall within scope of the DLT Framework. ‘Investment advice’ in this context means the provision of personal recommendations to a client, either upon the client’s request or at the initiative of the individual or firm in question, in respect of one or more transactions relating to virtual assets. Non-custodial arrangers 11.7 Making arrangements with a view to the exchange of virtual assets for other virtual assets or for money, on behalf of clients, is unlikely to fall within scope of the DLT Framework where the providers of this service do not use DLT for the storage or transmission of value belonging to others or where the providers do not use DLT themselves but, rather, only act as an intermediary and use third party service providers for the transmission of value. This activity is captured by the registration regime under the Proceeds of Crime Act 2015 (Section 9(1)(q)). Research, development and outsourcing 11.8 The DLT Framework is not intended to capture pure research and development work, or the deployment of open-source software on online repositories. Validating transactions 11.9 Validating transactions on a blockchain (or any other form of DLT), for example through the process commonly referred to as ‘mining’ on a proof-of-work blockchain, or ‘staking’ on a proof-of￾stake blockchain, will fall out of scope of the DLT framework where it is not carried on by way of business and on behalf of others. Over-The-Counter (OTC)/brokerage desks (non-custodial) 11.10 These firms tend to arrange for the buying and selling of virtual assets for other virtual assets or fiat, between clients or between clients and the firm/liquidity providers. Where DLT is not used in the storage or transmission of value belonging to another in making such arrangements, the DLT Framework is unlikely to apply. However, this activity is captured by the registration regime under Proceeds of Crime Act 2015 (Section 9(1)(q)).

Gibraltar Financial Services Commission Guidance Note on the Scope of the DLT Framework 13 Virtual asset account signatories 11.11 Under certain circumstances, signatories on a virtual asset account that is held with a virtual asset custodian (similar to signatories on a bank account), who do not control the private keys to the applicable virtual asset wallets (since they are controlled by the virtual asset custodian), may fall outside the scope of the DLT Framework. However, as mentioned in the “Storage” section above, the GFSC considers activities in which a firm or individual is essential to the transfer of a client’s value in a multi-signature arrangement to fall in-scope of the DLT Framework, even in cases where they cannot complete transactions without a key held by another party.

Published by: Gibraltar Financial Services Commission PO Box 940 Suite 3, Ground Floor Atlantic Suites Europort Avenue Gibraltar www.gfsc.gi © 2025 Gibraltar Financial Services Commission