VASP Registration Scope Guidance Note

www.gfsc.gi Virtual Asset Service Provider Registration Framework Scope Guidance Note 12 October 2022

Gibraltar Financial Services Commission VASP Registration Scope Guidance Note 1 Introduction The purpose of this document is to provide guidance as to the scope of the Virtual Asset Service Provider (“VASP”) activities caught under the Proceeds of Crime Act 2015 (Relevant Financial Business) (Registration) Regulations 20211 (the Regulations). Applicable Requirements Regulation 4 of the Regulations requires that certain “relevant financial businesses” register with the GFSC. In order for a firm to obtain this registration, it must comply with the requirements set out within the Regulations, as well as the Proceeds of Crime Act 20152 (the Act), which the Regulations sit under. This guidance will focus on the activities of “relevant financial businesses” under the Act and the Regulations that also fall within the definition of a Virtual Asset Service Provider (VASP) under the Financial Action Task Force’s (FATF’s) Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (“Guidance”). Further guidance in respect of the systems of control that these firms must have in place in order to prevent the misuse of their products and services for money laundering, terrorist financing or proliferation financing activities, can be found within the relevant GFSC Guidance Notes. Carrying on Registered Activities by way of Business in or from Gibraltar In order for a firm to be registered, it must:

1. Carry on the activity by way of business (i.e. providing products and/or services to clients in return for remuneration);
2. Have a registered office in Gibraltar; and
3. Appoint a locally based Money Laundering Reporting Officer (MLRO). As with all other regulated sectors in Gibraltar, the MLRO must be a permanent, full-time employee of the firm seeking registration. The exception to this is in the case of firms that are solely carrying on activities under Regulation 4(c) (token sales, discussed below), where some flexibility can be afforded in respect of individuals who are in other full-time employment. The GFSC will consider, on a case by case basis, whether an employee or director of an unrelated firm or entity has the necessary skills, experience, capacity and independence from their other role(s) to also carry out the MLRO function for the applicant firm. In order to reach a decision in such cases, the GFSC may request information on: • The applicant firm’s expected number of customers/token sales; and/or • The controls put in place by the applicant firm to preclude the existence of significant conflicts of interest (e.g. preventing the MLRO’s remuneration from being linked to the number of tokens sold). Where an individual is not a permanent full-time employee of the firm seeking registration, they must be appointed as an officer of the entity (e.g. as an Executive Director).

---

1 Proceeds of Crime Act 2015 (Relevant Financial Business) (Registration) Regulations 2021 2 Proceeds of Crime Act 2015

Gibraltar Financial Services Commission VASP Registration Scope Guidance Note 2 Overview of Gibraltar’s Legislation & International Standards Gibraltar has an established regulatory framework for Distributed Ledger Technology (DLT) Providers. Prior to the implementation of the Regulations, the GFSC conducted a gap analysis between the DLT Framework and the FATF Guidance3 . The review concluded that the definition of a DLT Provider falls entirely within the FATF’s definition of a VASP, and that the DLT Framework (as a minimum) complies with the Guidance’s recommendations around Anti-Money Laundering (AML), Combatting the Financing of Terrorism (CFT) and Counter-Proliferation Financing (CPF). However, the definition of a VASP is slightly wider than that of a DLT Provider, such that certain VASP activities do not fall within scope of the DLT Framework. These activities are captured by the Regulations. Regulations 4(c) and 4(d) define the VASP activities which fall outside the DLT Framework and within scope of the VASP Registration Framework as: (c) undertakings that receive, whether on their own account or on behalf of another person, proceeds in any form from the sale of tokenised digital assets involving the use of DLT or a similar means of recording a digital representation of an asset; or (d) Persons that, by way of business, exchange, or arrange or make arrangements with a view to the exchange of￾a) virtual assets for money; b) money for virtual assets; or c) one virtual asset for another. Using DLT or Similar Means Schedule 2, Part 16, Paragraph 138(2) of the Financial Services Act4 (FSA) defines DLT as: a database system in which- (a) Information is recorded and consensually shared and synchronized across a network of multiple nodes; and (b) All copies of the database are regarded as equally authentic. A distributed ledger can be shared across a network of multiple sites, jurisdictions or institutions and does not have a single authoritative copy. Instead, network participants have identical copies of the ledger. A distributed ledger may employ a blockchain or other method of storing records in a continuous tamper￾resistant way. The scope of the Regulations has been widened to include the use of “similar means” to capture businesses that adopt emerging forms of technology similar in nature to DLT when undertaking the activity set out in Regulation 4(c).

---

3 FATF Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers 4 Financial Services Act 2019

Gibraltar Financial Services Commission VASP Registration Scope Guidance Note 3 Tokenised Digital/Virtual Assets The FATF defines virtual assets as “a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations”. Virtual assets may have a variety of utilities and functionalities, but as long as they are captured by the above definition, they will fall within scope of the Regulations. It should also be noted that, in line with the FATF Guidance, non-fungible tokens (NFTs) are likely to be considered virtual assets for the purposes of the Regulations if they are used for payment or investment purposes. This extends to any form of NFT which may be used for these purposes, including those tokens which represent digital art or collectibles. The GFSC will consider sales of NFTs on a case-by-case basis. Token Sales The primary business model which falls within Regulation 4(c) is that of a token sale, which can also be referred to as an initial coin offering (ICO) or initial token offering (ITO), as well as other variations. During token sales, firms typically issue a pre-defined number of virtual assets in exchange for fiat currency or another virtual asset, to either the public at large or a set of private investors during a limited period of time. It should be noted that the requirement to register does not extend to any service provider(s) receiving remuneration/fees originating from the token sale, in exchange for services provided to the token issuer (such as a firm providing compliance services or IT support). The receipt of funds in exchange for any legal representations of a tokenised digital/virtual asset, such as those dictating the obligation to sell, is also considered to fall within Regulation 4(c). This is regardless of the expected purchase amount, which may or may not fall below the 1,000 EUR threshold set out under Section 11(1)(g) of the Act. Following issuance, the tokens may be re-sold to others via secondary markets. The re-selling of tokens on one’s own account will generally not be considered to fall within scope of sub-regulation 4(c), but may be conducted by or through a firm that falls within the scope of the Regulations or the DLT Framework. In cases where the token sale firm will continue to receive passive income as a result of sales on a secondary market, the GFSC considers it to be best practice for the firm to continue to apply virtual asset screening controls to identify any association with illicit activity. Virtual Asset Arrangement Providers Firms caught within scope of Regulation 4(d) are referred to by the GFSC as Virtual Asset Arrangement Providers (VAAPs). The VAAP activities that fall within scope of this Regulation include the exchange of “one virtual asset for another”. It should be noted that the GFSC interprets this provision as including exchanges of the same form of virtual currency. The primary business model that falls within scope of Regulation 4(d) is an over-the-counter (OTC) exchange or brokerage desk. Firms carrying out this activity will typically arrange for the buying and selling of virtual assets for other virtual assets or fiat, between clients or between clients and the firm itself or third party liquidity providers. It is important to note that in order for a firm undertaking this activity to fall within the definition of a VAAP, rather than that of a DLT Provider, and therefore be subject to the VASP Registration Framework, rather than the DLT Framework, it must not at any point take custody of, or otherwise store or transmit virtual assets belonging to other transacting parties.

Gibraltar Financial Services Commission VASP Registration Scope Guidance Note 4 Out-of-Scope Activities The purpose of the VASP Registration Framework is to capture for AML/CFT/CPF supervision purposes firms undertaking VASP activities that do not fall within scope of the DLT Framework. Given the fact that the DLT Framework requires firms to meet (and exceed) the requirements set out in the FATF Guidance (under Principle 8), firms that fall within scope of the DLT Framework, and are regulated as such, are not required to also register under the Regulations. Similarly, entities holding existing Part 7 permissions under the FSA are not required to register under the Regulations on the basis that they are already subject to AML/CFT/CPF requirements that meet or exceed those set out in the FATF Guidance. Such entities are required, however, to notify the GFSC prior to engaging in the provision of any activities that fall within scope of the Regulations. As stated above, the requirement to register only applies to those firms engaging in the specified activities by way of business. The Regulations do not capture, for example, individuals or corporates who have bought virtual currencies or other DLT-based tokens from a third party on their own account and who subsequently seek to trade them. With respect to token sales, the requirement to register does not apply to those firms who issue tokens free of charge (i.e. an “airdrop”). As stated above, however, the GFSC considers it to be best practice for such firms to apply virtual asset screening controls to identify any association between the selected wallet addresses and any potentially illicit activity. High Risk Activities Under Regulation 7, the GFSC must refuse to register an applicant firm if it is satisfied that the firm’s MLRO or any of its directors, officers or beneficial owners is not a fit and proper person. When assessing fitness and propriety, the GFSC must take into account a number of factors, including the risk that the applicant firm’s business may be used to facilitate money laundering, terrorist financing or proliferation financing. The GFSC also considers that certain products and services pose a high level of AML/CFT/CPF risk and that they therefore fall outside of its risk appetite. These products and services include (but are not limited to): • Privacy-enhancing assets or protocols o These assets or protocols allow for the concealment of information typically present in a transaction which facilitates the non-disclosure of user identity. This allows for the obfuscation of the identity of the sender, recipient, holder and/or beneficial owner of the virtual assets in question. • Mixing/tumbling services o These services are used to pool together various transactions in order to obfuscate the origin of particular virtual assets, allowing for increased anonymity. These techniques are typically associated with obscuring the identification of “tainted” assets associated with illicit flows or services. Given the risks posed in using these business models to facilitate financial crime, the GFSC will not register any entities that propose to provide such services.

Gibraltar Financial Services Commission VASP Registration Scope Guidance Note 5 Published by: Gibraltar Financial Services Commission PO Box 940 Suite 3, Ground Floor Atlantic Suites Europort Avenue Gibraltar www.gfsc.gi © 2017 Gibraltar Financial Services Commission