2020-02-21
The Gibraltar Financial Services Commission issued Guidance Note 2 to define the operational, technical, and organizational standards Distributed Ledger Technology Providers must meet regarding customer care. The document requires providers to assess product risks and customer experience levels, implement robust conflict of interest management, and ensure all communications are clear, fair, and prominently disclose material risks. Additionally, providers must maintain effective complaints handling procedures and secure record-keeping practices to protect customer interests and ensure informed decision-making.
DLT Provider Guidance Notes Customer Care
Gibraltar Financial Services Commission Guidance Note 2

Introduction

The purpose of this guidance note is to provide a DLT Provider, as defined in the Financial Services (Distributed Ledger Technology Providers) Regulations 2020 (the DLT Regulations), with guidance as to the operational, technical and organisational standards expected and in some circumstances required by the GFSC. This guidance note is specifically in respect of regulatory principle 2 of the DLT Regulations (the Regulatory Principle). The Regulatory Principle states that “A DLT provider must pay due regard to the interests and needs of each and all its customers and must communicate with its customers in a way which is fair, clear and not misleading”.

This document should be read as interpretative guidance for a DLT Provider and the examples contained in this document should be noted as indicative of good practice by a DLT Provider in connection with the Regulatory Principle. A DLT Provider should note that the GFSC will take this document into account when reviewing a DLT Provider’s practices. The operational standards expected and required by the GFSC of a DLT Provider will vary depending on the size, particular nature, scale or complexity of the DLT Provider’s business.

Customer Care

A DLT Provider is required to act in the best interest of its customers. It must apply its best endeavours to mitigate any risks to its customers associated with the use of its products and services, including any risks relating to the use and application of DLT. A DLT Provider will need to implement measures to protect its customers, and seek to ensure that its products and services, and any risks associated with them, are fully understood by every customer to whom they are offered. In order to do so, it should take into account the relative risk and complexity of each of its products and services, as well as the experience of the customers to whom they are offered.
Where a DLT Provider offers higher risk products, such as derivatives trading or other leveraged products, it should additionally seek to ensure that the customers to whom they are offered can bear the potential financial losses they will be exposed to. It will need to evidence to the GFSC that this has all been adequately considered by senior management and the board, and reflected in the firm’s internal controls, policies, procedures and communications with customers.

A DLT Provider must make appropriate, timely and prominent disclosures to its customers regarding risks, in order to ensure that customers can make well-informed decisions regarding the products and services it offers. It will need to ensure that any information presented to customers can be easily understood by the target audience and does not disguise, diminish or obscure important items, statements or warnings. A DLT Provider must ensure that its marketing and advertising is clear, fair and not misleading. It must have adequate complaint handling policies and be able to manage and disclose any conflicts of interest.
Customer Protection Measures

A DLT Provider will need to implement adequate customer protection measures commensurate to the risk and complexity of its products and services and relative to the experience and vulnerability of its customers.

Risk and Complexity

A DLT Provider will be expected to assess the relative risk and complexity of each product and service it provides to its customers. Although not an exhaustive list, when assessing the risk and complexity of any product or service, the DLT Provider should consider the following factors:

- to what extent customer assets/monies are at risk;
- whether the risk of financial loss is limited to any assets/monies held by the customer with the DLT Provider;
- whether any features of the product or service and the risks associated with them are easy to understand;
- the novelty of any product or service and whether they have been tried and tested; and
- the effectiveness of any controls implemented by the DLT Provider.

For example, custodianship services will generally be considered less complex and entail fewer risks than spot trading of virtual assets. Spot trading, in turn, will generally be considered less complex than trading derivatives of virtual assets or other leveraged products. In the latter cases, customers could lose more than the capital they have on account, whilst losses, both realized or unrealized, can materialize at a significantly faster rate.

Experience and vulnerability

A DLT Provider will need to consider the type and experience of its customers.
Although not an exhaustive list, when assessing the experience and vulnerability of a customer, firms should consider the following factors:

- the customer's ability to understand how the products and services work and the risks associated with them;
- the customer’s prior experience and exposure to the products and services;
- the customer’s level of education and profession; and
- for higher risk and more complex products, especially those where a client may lose more than their account balance, whether the customer can afford the potential additional losses that they may be exposed to.

For example, customers with experience in the trading of virtual and/or financial assets, through doing so in a professional or non-professional capacity for a significant amount of time, can be expected to better analyse and manage the risks involved in investing in or trading virtual assets. A customer could also be deemed to be experienced if they have sufficient technical understanding of the underlying technology and risks associated with it, for example, if a customer is a developer with experience in cryptography and/or distributed ledger technology. Customers such as regulated entities and large entities whose main undertaking is to invest and trade in higher risk financial instruments, will also ordinarily be considered experienced for these purposes.
Conflicts of Interest

A DLT Provider should take all reasonable steps to identify, avoid where possible or manage potential conflicts of interest that may arise within its business. For the purposes of identifying the types of conflicts of interest, DLT Providers may take into account whether a person is directly or indirectly linked by way of control to the DLT Provider. Such examples include situations where a person:

- is likely to make a financial gain, or avoid a financial loss, at the expense of the DLT Provider’s customers; or
- has an interest in the outcome of a service or an activity provided by the DLT Provider.

Examples of potential conflicts of interest include:

- the employment of an individual or company that provides a specific service to the DLT Provider;
- providing a service to a connected person;
- acceptance or giving of gifts; and
- situations where value (as defined in the DLT Regulations) can be controlled or fixed by the DLT Provider by restricting its supply to the market.

A DLT Provider should maintain and operate effective organisational and administrative arrangements with a view to preventing, managing and monitoring conflicts of interest.
Examples of ways in which a DLT Provider can maintain good conflicts of interest processes include:

- the preparation of a conflicts of interest policy which clearly sets out to all directors, officers, managers and key members of staff where potential conflicts of interest may arise and how they should be managed;
- the appointment of an individual director/manager (or committee depending on the size of the DLT Provider) with specific responsibility for assessing the nature and risk of a conflict (as it arises) and thereafter ultimately ensuring that suitable steps are taken to avoid such a conflict or, where not possible to avoid the conflict, that it be managed appropriately so as to not be detrimental to the customers of the firm;
- the segregation of responsibilities with key management staff. This would be indicative of maintaining effective technical and operating standards for the preventing, managing and monitoring of conflicts of interest;
- the removal of any direct link between the remuneration of a relevant person engaged in one particular activity and their ability to carry out that activity in a fair and unbiased manner; and
- preventing individuals from exercising inappropriate influence.

Disclosure & Communication

A DLT Provider must disclose information to its customers that may affect and/or be of material significance to its customers within a reasonable timeframe.
All communications made by a DLT Provider to its customers shall be:

- clear, fair, and not misleading;
- prominently displayed; and
- sufficient for, and presented in a way that can be understood by, the group to which it is directed.

Examples of best practice and information that a DLT Provider should make clear to its customers include:

- the DLT Provider’s standard terms and conditions;
- what part of the DLT Provider’s services are regulated and the standards applicable to the regulated activity;
- when a DLT Provider is providing an ancillary unregulated service to that which it is licensed to provide, to inform customers that that particular service is not regulated;
- when a DLT Provider has partnered up with a third party provider (for example, a Payment Service Provider or an affiliate provider), it must disclose and make clear to customers who they are transacting with and at what point;
- when a DLT Provider is part of a larger group structure, it must disclose and make clear to customers which entity they are transacting with and at what point;
- the DLT Provider’s fees (including any changes to those fees, the manner in which fees can be varied and any associated or indirect costs);
- the timeframes for the completion of fiat and virtual asset withdrawals;
- the process of transfer of the DLT Provider (or the DLT Provider’s business) as a going concern to a third party (and provide details of that third party);
- potential and actual conflicts of interest (where any arrangements made by the DLT Provider cannot ensure, with reasonable confidence, that the risks of damage to the interests of the customer will be sufficiently mitigated);
- information on the actual DLT system/network used, its nature and any inherent risks involved in the technology generally and in the specific system/network used (e.g. in the dependency on third party or open source software and networks, or on protocols subject to independent consensus mechanisms); and
- material changes in connection with the actual service provided by the DLT Provider that may affect customers (including instances where the DLT element of its services has been compromised).
Risk Warnings

A DLT Provider must give a fair and prominent indication of any relevant risks relating to a product or service that it offers. The risk warning must be clearly visible and in a font size at least equal to the predominant font size used in its communications more generally. Particularly with regards to higher risk and more complex products, DLT Providers should provide customers with sufficient information to allow them to fully understand the risks involved, and to make well-informed decisions. Examples of best practice include:

- disclosure on the volatility of virtual assets; and
- disclosure on the transfer and storage risks, should a customer wish to withdraw their virtual asset(s) from the DLT Provider, if applicable.

Additionally, examples of best practice for DLT Providers offering higher risk/more complex products include:

- disclosure on the enhanced risks of trading derivatives or other leveraged products, if applicable, including, but not limited to the enhanced risk of loss (which could be greater than the customer’s initial investment or account balance), margin calls and position liquidations, and the risks of imperfect correlation between a derivative and the underlying asset and the resultant hedging risk;
- statistics and statements on the percentage of customers that lose money when trading with the firm; and
- clear illustrations/examples of worst case scenarios.

Complaints Handling

A complaint is an expression of dissatisfaction from a customer, irrespective of whether it is justified or not, in respect of, specifically, the services provided to it by the DLT Provider. A DLT Provider should establish a procedure to ensure that any complaints are resolved as quickly as possible and, where necessary, trigger an internal review into the quality of service being provided and whether or not it can be improved.
A DLT Provider will be expected to establish a written complaints procedure, which is to be communicated to all staff. Examples of ways in which a DLT Provider can maintain good complaints handling processes include:

- the assignment of responsibility of complaints handling to a director/manager (or committee depending on the size of the DLT Provider);
- the establishment of means by which customers may make a complaint. This should be user friendly and easily accessible to all customers;
- the review and action of complaints promptly upon receipt;
- clearly stating how to log a complaint and how to escalate a complaint;
- notifying customers of the timeline within which their complaint will be processed; and
- regularly advising complainants of the progress and outcome of any complaint.
Record Keeping

In accordance with Gibraltar law, a DLT Provider shall:

- keep and maintain records of all customer information and data in a secure manner;
- record all transfers and receipts made by its customers; and
- keep a record of all interactions with its customers including all agreements entered into.

Marketing and Advertising

A DLT Provider that issues an advertisement concerning its business or the products and services it provides should ensure that:

- the advertisement makes clear that it has been issued on behalf of the DLT Provider; and
- the contents and presentation of the advertisement are demonstrably fair and not misleading.

A DLT Provider that becomes aware of any marketing or advertising material issued on behalf of, or in relation to any products or services provided by, the DLT Provider that may be misleading and/or detrimental to Gibraltar’s reputation as a financial centre should report the matter to the GFSC immediately. The firm should also take reasonable steps to mitigate the detrimental effects of the marketing or advertising material in question, rectify any inaccuracies and remove any misleading content.
Published by: Gibraltar Financial Services Commission PO Box 940 Suite 3, Ground Floor Atlantic Suites Europort Avenue Gibraltar www.gfsc.gi © 2020 Gibraltar Financial Services Commission