DLT Framework — Guidance Note 3 Resources

DLT Provider Guidance Notes Financial and Non-Financial Resources

Gibraltar Financial Services Commission Guidance Note 3 2 Introduction The purpose of this guidance note is to provide a DLT Provider, as defined in the Financial Services (Distributed Ledger Technology Providers) Regulations 2020 (the DLT Regulations), with guidance as to the operational, technical and organisational standards expected and in some circumstances required by the GFSC. This guidance note is specifically in respect of regulatory principle 3 of the DLT Regulations (the Regulatory Principle). The Regulatory Principle states that “A DLT provider must maintain adequate financial and non-financial resources”. This document should be read as interpretative guidance for a DLT Provider and the examples contained in this document should be noted as indicative of good practice by a DLT Provider in connection with the Regulatory Principle. A DLT Provider should note that the GFSC will take this document into account when reviewing a DLT Provider’s practices. The operational standards expected and required by the GFSC of a DLT Provider will vary depending on the size, particular nature, scale or complexity of the DLT Provider’s business. Regulatory Capital Overview A DLT Provider will be expected to maintain sufficient financial resources to ensure that the business can be run in a sound and safe manner. The GFSC does not apply a ‘one-size-fits-all’ regulatory capital requirement calculation. A DLT Provider will need to consider the inherent risks associated with their business in order to arrive at a satisfactory regulatory capital figure. A DLT Provider will be expected to hold sufficient regulatory capital to ensure an orderly, solvent wind￾down of its business. Additionally, a DLT provider will need to hold risk-based capital in order to be able to absorb the crystallisation of material risks and still have sufficient capital remaining to trigger an orderly wind-down if necessary. The GFSC will expect firms to maintain at all times sufficient working capital, over and above the agreed regulatory capital. As an example (see illustration below), DLT Limited arrived at a regulatory capital requirement of £1.5M, which represents £1M of wind-down costs, as well as £0.5M of risk-based capital. After considering projections for the next year, in which the firm forecasts that it will incur losses initially as the business attracts new users, the firm was funded with £2M of share capital from the parent company,which provides for a working capital buffer of £0.5M.

Gibraltar Financial Services Commission Guidance Note 3 3 In summary: WIND DOWN CAPITAL + RISK-BASED CAPITAL = MINIMUM REGULATORY CAPITAL A DLT Provider will need to notify the GFSC of the ongoing regulatory capital it proposes to hold, and include any considerations and calculations. The GFSC will consider whether the proposed regulatory capital is sufficient to enable the firm to meet its operational and regulatory obligations. Firms will be required to monitor and reassess regulatory capital levels on an ongoing basis and as a minimum, on an annual basis. Any material changes to a firm’s business model or adverse changes in a firm’s operating environment will also trigger a requirement to reassess its regulatory capital adequacy and notify the GFSC. Any reduction to a DLT Provider’s ongoing regulatory capital requirement will need to be approved by the GFSC in advance. Wind-down Analysis The wind-down analysis is a key element of the DLT Provider’s regulatory capital requirement. There is an expectation that a DLT Provider will always hold sufficient capital in order to execute an orderly wind￾down if required. Consideration should be given to the amount of time it would take for the firm to be wound down, including the time it would take its customers to find an alternative service provider, where relevant. A DLT Provider is required to maintain a formal wind-down plan, which would be the basis behind the wind￾0 200000 400000 600000 800000 1000000 1200000 1400000 1600000 1800000 2000000 Own Funds Regulatory Capital Calculation Example Wind-down Capital Risk-based Capital Working Capital

Gibraltar Financial Services Commission Guidance Note 3 4 down cost analysis to be performed. The wind-down plan should justify and explain the length of time and procedures required to wind-down the business in an orderly manner. For the avoidance of doubt, defaulting to a three-month wind-down period without justification will not be deemed sufficient by the GFSC. Once a wind-down plan is formulated, a DLT Provider will be in a position to analyse the costs associated with winding down. This should take account of realistic costs of winding down the business such as:  redundancy costs;  notice periods for staff;  lease commitments;  one-off costs associated with the wind-down, such as insolvency costs; and  any other fixed costs required until the business is wound-down. A DLT Provider is expected to revise the wind-down plan and associated costs when regulatory capital is reassessed. As a DLT Provider grows in size, it is expected that the wind-down costs also increase accordingly. A DLT Provider should have processes and controls in place that will inform it of the need to trigger the winding down of the business operations. Risk Based Capital The second part of the regulatory capital calculation requires a DLT Provider to formulate risk-based capital. In accordance with the fourth regulatory principle, a DLT Provider is expected to develop sound risk management processes that properly identify, measure, aggregate and monitor its risks. Firms should therefore have an adequate assessment process that covers all the key elements of capital planning and management and generates an appropriate amount of capital to assign against those risks. In order to arrive at the risk-based capital, firms are expected to consider all material risks facing the business and arrive at a suitable risk based capital amount. There should be a clear link between the DLT Provider’s risk based capital calculation and its risk register. Types of risks to consider include:  credit risk;  market risk (including fiat-currency and virtual currency risk);  operational risk;  liquidity risk;  insurance risk;  concentration risk;  securitisation risk;  business risk;  interest rate risk;  IT risk;  legal and compliance risk;

Gibraltar Financial Services Commission Guidance Note 3 5  reputational risk;  settlement risk;  strategic risk; and  any other firm-specific risks identified. In calculating its regulatory capital requirements, a DLT Provider will be expected to take account of:  the historical context of the business;  the firm’s current and future business strategy; and  stress-testing scenarios and conditions as well as the triggers needed to identify such situations; and  key risks identified. Where relevant, a DLT Provider will need to assign adequate capital to cover potential financial losses. The regulatory capital requirement calculation should be challenged and approved by the DLT Provider’s board and senior management. Some firms may find it useful to have external parties challenge the calculation prior to finalisation. A copy of any report obtained from an external reviewer or internal auditor should be provided to the GFSC. Using Virtual Assets as Regulatory Capital The GFSC will expect a DLT Provider to consider its ongoing regulatory capital requirement from both a fiat currency position as well as from a virtual assets position. Should a DLT Provider wish to hold virtual assets as part of its regulatory capital, it will need to satisfy the GFSC that:  there is sufficient liquidity in the virtual assets held;  the proportion of virtual assets held relative to the total regulatory capital is reasonable;  there is sufficient margin to allow for potential volatility of the virtual assets held; and  the risks associated with holding virtual assets are adequately managed. Due to the highly volatile nature of most virtual assets and the potential risk of cyber-attacks leading to financial losses, a DLT Provider will be expected to include further risk based capital should it intend on holding virtual assets as part of the firm’s regulatory capital requirement. A DLT Provider will be expected to apply stress testing and sensitivity analysis in order to adequately consider the risks associated with holding virtual assets on its own behalf, and provide for further risk based capital as required. A DLT Provider’s controls associated with managing virtual asset exposure should be considered when arriving at such an assessment. This may include controls such as:  real-time monitoring of the value of the virtual assets and the overall regulatory capital position;  use of triggers and or margin calls at which point the regulatory capital position will be strengthened if necessary; and  consideration of security arrangements, including whether the virtual assets are held in hot or cold storage.

Gibraltar Financial Services Commission Guidance Note 3 6 There will be an expectation that the firm holds sufficient capital to cover future commitments whether in fiat or virtual assets. Public Token Offerings A DLT Provider that has undertaken a public token offering and has a reserve of internally generated tokens will not be allowed to use these tokens as part of its regulatory capital requirement. This is because the tokens have been internally generated and there is no guarantee that the firm will be able to sell these tokens without adversely affecting the market price of circulating tokens on secondary markets. A DLT Provider that has raised funds via a public token offering will be allowed to utilise the funds raised as part of regulatory capital. However, the firm should consider whether the issue of such tokens has created a liability on the balance sheet that would be deducted from the calculation of available funds when computing the firm’s capital position. Essentially, if a contractual liability exists, entitling token holders to a payment in the event of a wind down, these funds should not be used by the firm in order to fulfill the regulatory capital requirement. Stablecoins A number of virtual assets have been designed in order to maintain price stability by various means, these virtual assets are commonly referred to as “stablecoins”. As with other virtual assets, a DLT Provider may utilise these virtual assets as part of its regulatory capital. However, as with other virtual assets, there is an expectation that the risks associated with holding these assets are considered and factored into the risk-based capital calculation. This may include risks such as:  risk of cyber-attack, or theft of these assets;  liquidity risk – i.e: is there sufficient liquidity on secondary markets which would allow efficient conversion into fiat?;  counterparty risk – i.e: does the counterparty have effective means to stabilise the price going forward? For example, if the tokens are pegged to a particular currency, does the counterparty have sufficient ring-fenced funds in order to liquidate the issued tokens? Amounts Allowed and Disallowed The GFSC will consider to what extent certain assets are allowable in the calculation of a DLT Provider’s regulatory capital. Unless approved by the GFSC, the following should be excluded from the calculation:  intangible assets (for these purposes, subject to guidance on the use of virtual assets as regulatory capital, virtual assets are not considered intangible assets);  tangible fixed assets;  capitalised costs with respect to software platform development;

Gibraltar Financial Services Commission Guidance Note 3 7  related party receivables; and  unaudited profits. A DLT Provider will need to assess the above items, and any other items it deems to be applicable, and arrive at suitable deductions from regulatory capital that are proportionate, reasonable and relevant to the firm’s business model and inherent risks. Generally, DLT Providers should look to hold the majority of the required regulatory capital in highly liquid assets, which would be available to absorb future losses. The GFSC will expect firms to be initially capitalised by way of fully paid up and issued share capital. In limited circumstances, the GFSC will allow alternate means of funding and capitalisation, however in all instances this should result in loss absorbing capital which is subordinated to all other debts of a firm, and fully available to be utilised by the firm in the case of a wind-down. Ongoing Monitoring A DLT Provider should implement adequate processes and controls to ensure that capital exposures and risks are monitored on a real-time basis. Should firms hold significant exposures to virtual assets, this monitoring should be accelerated and monitored on a regular basis to ensure that any adverse fluctuations are identified, managed and acted upon promptly. DLT Provider Financial Return A DLT Provider will be required to submit financial returns to the GFSC, which will incorporate the regulatory capital position, as well as the financial results of the reporting period, and additional financial metrics that will be used as part of the supervisory process. The frequency of the reporting will be determined based on the nature, size and complexity of the DLT Provider’s operations. Recovery Plan Firms should consider scenarios that could lead to a breach in the regulatory capital requirement and establish a clear link between these scenarios and what aspects of the recovery plan should be invoked. A DLT Provider should have set financial and non-financial triggers in place to inform the firm of a need to execute the recovery plan. The recovery plan should seek to ensure continuity of the firm’s critical functions while also aiming for the recovery to a healthy capital position. The firm should consider a number of recovery options, such as:  cost optimisation;  raising further capital;  sale of assets;

Gibraltar Financial Services Commission Guidance Note 3 8  restructuring; and  sale of the business. The recovery plan should be subject to a high level of scrutiny and consideration from a DLT Provider’s board of directors and should be reconsidered, as a minimum, on an annual basis. Projections and Stress Testing A DLT Provider will be required to prepare projections both as part of its business plan during the application process and for the basis of arriving at a satisfactory capital requirement calculation. The GFSC will normally expect three to five year financial forecasts to be provided as part of a capital requirement calculation. A DLT Provider should establish a “base case”, which the firm considers the most likely achievable financial forecast. Once a base case has been formulated, a firm will be required to stress the more significant assumptions used to prepare the base case financial forecasts. This is required in order to understand how changes in the key assumptions will affect the firm’s financial results. A DLT Provider will also be expected to undertake scenario analysis in order to assist the firm in the quantification of risk based capital. Typical scenarios could include:  how changes in price, and volumes, of virtual assets will affect the firm’s future earnings;  how a cyber-attack, resulting in the loss of the virtual assets held in “hot wallets”, will affect the firm, including both the immediate financial impact as well as a loss of reputation which could affect future earnings; and  the sharp decrease in value of a particular virtual asset, which the firm is holding on its balance sheet and was utilising towards regulatory capital. A DLT Provider should also produce a worst-case scenario, in which multiple risks materialise at once, and assess the financial impact and likelihood of this scenario occurring. Insurance A DLT Provider will be required to have adequate professional indemnity insurance, insofar as such insurance is reasonably available, or be covered by some other arrangement, agreed in writing by the GFSC, which has a similar effect. Where professional indemnity insurance has not been obtained, the GFSC will require the firm to provide suitable justification as to how the relevant risks will be mitigated, as well as consider providing for further risk-based capital in the capital requirement calculation. The level of cover should be determined by the DLT Provider taking into account its business, products and services. This should be communicated to and agreed with the GFSC. The policy should cover the following areas:  breach of duty in respect of any negligent act, error or omission or dishonest or fraudulent act or omission;  libel or slander;

Gibraltar Financial Services Commission Guidance Note 3 9  loss of customers’ assets arising from fraud or dishonesty by any employee, former employee, director or former director; and  legal liability resulting from the loss of data and or information. The excess or deductible under such an insurance policy should not be greater than can be reasonably borne by the financial resources of the DLT Provider. A DLT Provider should also consider obtaining additional insurance as part of its risk mitigation strategies. Examples of such insurance policies could include:  insurance with respect to virtual assets held on behalf of customers;  kidnap and ransom insurance for key members of staff; and  cyber insurance. Audit Requirements The GFSC will require a DLT Provider to arrange an external financial statement audit at least annually. Should a DLT provider be unable to appoint an external auditor for whatever reason the firm should discuss this with the GFSC. The GFSC will liaise with a DLT Provider to identify ways the GFSC can receive assurance that the company is being run in a sound and prudent manner (i.e. on a going concern basis) and balances, including customer balances, are accurately accounted for. Other Considerations A DLT Provider will be expected to maintain adequate non-financial resources to allow it to run the business operations smoothly without undue cause for concern to the business, directors and its customers. Non-financial resources should be commensurate to the size and nature of the firm and the underlying products and/or services being offered. Staff numbers and composition should be proportionate to the size and activities of the DLT Provider and should take account of any plans for growth/expansion of the business.

Published by: Gibraltar Financial Services Commission PO Box 940 Suite 3, Ground Floor Atlantic Suites Europort Avenue Gibraltar www.gfsc.gi © 2020 Gibraltar Financial Services Commission