2026-03-25

GFSC Guidance Note on the Scope of the DLT Framework

The Gibraltar Financial Services Commission issues this guidance to define the scope of the Distributed Ledger Technology Framework, establishing an outcomes-focused, principles-based regulatory regime for DLT and Virtual Asset Arrangement providers. The document clarifies that firms carrying on business in Gibraltar must be authorized if they use DLT for the storage or transmission of value belonging to others or provide virtual asset exchange arrangements. It further delineates in-scope commercial activities, such as custodial services and exchange operations, from out-of-scope activities like proprietary trading and non-custodial wallet services.


Gibraltar

Gibraltar Financial Services Commission


GFSC Guidance Note: Scope of the DLT Framework
Version 3, 26 March 2026
www.gfsc.gi

Table of Contents

1. Introduction
2. Overview of Approach
   Outcomes-focused, principles-based
3. Regulatory Objectives
4. International Developments
5. Overview of Gibraltar’s Legislation
   The DLT regulated activity
   Exclusions from the DLT regulated activity
   The VAA regulated activity
   Virtual Assets
   Exclusions from the VAA regulated activity
   The Regulatory Principles
6. Carrying on Regulated Activities by way of business in or from within Gibraltar
7. Using Distributed Ledger Technology (DLT)
8. Value
9. Storage and Transmission of Value Belonging to Another
   Storage
   Transmission
   Relevant Factors
10. Examples of In-Scope Activities
   Custodial Virtual Asset wallet providers
   Virtual Asset ATM Operators
   Spot Virtual Asset Exchanges (Custodial and Non-Custodial)
   Virtual Asset Derivatives Exchanges
   Over-the-Counter (‘OTC’)/Brokerage Desks
   Escrow Service Providers
   Virtual Asset Borrowing and Lending Platforms
   Virtual Asset Managed Investment Services
   Operators and Administrators of Smart Contracts
   Operators and Administrators of Decentralised Applications (‘DApps’) and Decentralised Exchanges (‘DEXs’)
   Stablecoin Offerings
   Non-custodial over-the-counter/brokerage desks
   Peer to peer platforms
11. Examples of Out-of-Scope Activities
   Proprietary trading or activities
   Non-custodial wallet services
   Investment advice
   Research, development and outsourcing
   Validating transactions
   Virtual asset account signatories
   Information publishers, bulletin boards and software vendors


1. Introduction

1.1 The purpose of this document is to provide guidance as to the scope of the ‘Distributed Ledger Technology Framework’ (the ‘DLT Framework’), which is composed of the Financial Services Act 2019 (the ‘FSA’) as it relates and applies to providing distributed ledger technology (‘DLT’) services[1] and providing virtual asset arrangements[2], and the Financial Services (DLT Providers and VAA Providers) Regulations 2020 (the ‘DLT Regulations’).

[1] See paragraph 5.2 of this Guidance Note.
[2] See paragraph 5.4 of this Guidance Note.

2. Overview of Approach

Outcomes-focused, principles-based

2.1 Prescriptive regulation works well for mature business activities, where products, processes, business models and risks are all established. However, there are different challenges in regulating activities centred on rapidly evolving technology like DLT, as businesses are continually adapting to technological advances in various aspects of their operations. In such environments, rigid rules can quickly become outdated and not fit for purpose.

2.2 Recognising this, Gibraltar has adopted a flexible, adaptive approach to the regulation of businesses operating in the DLT sector, where regulatory outcomes remain central but are achieved through the application of statutory core principles designed to remain relevant and applicable even as the industry’s landscape, technology and best practices shift.

3. Regulatory Objectives

3.1 Section 23 of the FSA sets out the GFSC’s regulatory objectives:
● The promotion of market confidence
● The reduction of systemic risk
● The promotion of public awareness
● The protection of the good reputation of Gibraltar
● The protection of consumers
● The reduction of financial crime

3.2 The DLT Framework has established within Gibraltar a progressive, well-regulated and safe environment in which DLT Providers and Virtual Asset Arrangement Providers (‘VAA Providers’) can innovate and succeed, whilst preserving the good reputation of the jurisdiction.

3.3 It is also intended that consumers are able to understand the benefits and risks associated with DLT Providers’ and VAA Providers’ products and services, that they have confidence in the integrity of the owners and management of these firms, and that they are afforded the appropriate protection.

4. International Developments

4.1 The GFSC continues to monitor international regulatory developments in the DLT space in order to understand their impact on DLT Providers and VAA Providers and to ensure that these firms are aware of, and reactive to, the risks and challenges emerging internationally.

4.2 The GFSC has conducted a thorough review of the Financial Action Task Force’s (‘FATF’s’) Updated Guidance for a Risk Based Approach to Virtual Assets and Virtual Asset Service Providers (‘VASPs’), as well as its subsequent related publications, in order to ensure that the DLT Framework maintains regulatory standards which, as a minimum, meet the requirements of a registration regime defined by the FATF Guidance[3].

[3] See the following link for a full list of the FATF’s VASP-related publications: https://www.fatf-gafi.org/en/publications.html.

4.3 This review has concluded that whilst all DLT Providers and VAA Providers fall within the definition of Virtual Asset Service Providers, not all Virtual Asset Service Providers are necessarily within scope of the DLT Framework. Those individuals or firms that fall within the definition of a VASP, but not within that of a DLT Provider or VAA Provider, are regulated under the Proceeds of Crime Act 2015, as discussed further below.

5. Overview of Gibraltar’s Legislation

5.1 Section 4 of the FSA prohibits any person from carrying on regulated activities by way of business in Gibraltar unless the person is either an authorised person or an exempt person.

The DLT regulated activity

5.2 Under paragraph 139 of Schedule 2 to the FSA, ‘using DLT for storage or transmission of value belonging to another’, which is also referred to as ‘providing distributed ledger technology services’ (‘DLT services’), is a regulated activity (the ‘DLT regulated activity’).

5.3 Therefore, subject to the exclusions below, any firm carrying on by way of business, in or from Gibraltar, the use of DLT for storing or transmitting value belonging to others, needs to be authorised by the GFSC as a DLT Provider, and falls within scope of the DLT Framework.

Exclusions from the DLT regulated activity

5.4 The DLT Framework is intended to apply to individuals and firms that engage in the activity outlined above, unless this activity is incidental to carrying on any of the other regulated activities set out in Schedule 2 to the FSA. Any such activities will continue to be regulated under the relevant sections of the FSA, together with any other relevant legislation.

5.5 Firms with permission under Part 7 of the FSA to conduct other regulated activities,[4] which use DLT in order to improve their controls, procedures and processes, or otherwise in the course of conducting those regulated activities, will not need to obtain separate authorisation to provide DLT services.[5] The requirement for separate authorisation will only be triggered when a firm provides DLT services in the manner prescribed by the FSA and discussed in this Guidance Note. By way of example, a bank using DLT as part of its back-end processes is unlikely to require separate authorisation, whilst if it intends to provide virtual asset wallets and/or other services listed in section 10 of this Guidance Note, it is likely to be required to obtain authorisation as a DLT Provider.

[4] As well as those subject to other forms of statutory regulation under Part 18, 24 or 25 of the FSA, the Gambling Act 2005, the Insolvency Act 2011, or any other enactments prescribed by the Minister by regulations.
[5] See paragraphs 141 and 142 of Schedule 2 to the Act.

The VAA regulated activity

5.6 Under paragraph 139A(1) of Schedule 2 to the FSA, ‘providing virtual asset arrangements’ is a regulated activity (the ‘VAA regulated activity’). As subparagraph (2) of the same provision sets out, ‘a person provides virtual asset arrangements if the person, by way of business, exchanges or makes arrangements with a view to the exchange of (a) virtual assets for money; (b) money for virtual assets; or (c) one virtual asset for another virtual asset’[6]. Subject to the exclusions below, any firm providing virtual asset arrangements needs to be authorised by the GFSC as a VAA Provider, and also falls within scope of the DLT Framework.

[6] For the purposes of the VAA regulated activity, ‘money’ means (a) money in sterling or any other fiat currency; or (b) money in any other medium of exchange, but does not include a virtual asset.

Virtual Assets

5.7 ‘Virtual asset’ is defined in section 7(1) of the Proceeds of Crime Act 2015 as a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes, but does not include: (a) digital representations of fiat currencies; or (b) financial instruments specified in paragraph 46 of Schedule 2 to the Financial Services Act.

5.8 For the avoidance of doubt, the GFSC does not consider prepaid digital cards or vouchers that represent fiat currencies, securities and other financial assets that are covered in any FATF Recommendations[7] to fall within scope of the definition of virtual asset.

[7] https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html

Exclusions from the VAA regulated activity

5.9 Collective investment schemes and pension funds, and the depositaries and managers of these entities, are not required to obtain authorisation as VAA Providers where, in the course of conducting their regulated activity, they exchange, or make arrangements with a view to the exchange of virtual assets for money, money for virtual assets, or one virtual asset for another.[8]

[8] See paragraph 139B of Schedule 2 to the FSA.

The Regulatory Principles

5.10 Under regulation 5(1) of the DLT Regulations, relevant providers (i.e. DLT Providers and VAA Providers) are obliged to comply, at all times, with the regulatory principles set out in the Schedule to those regulations (the ‘Regulatory Principles’). The GFSC expects firms to do so in a manner that is commensurate with the nature, scale and complexity of their activities.

5.11 It should also be noted that some of the Regulatory Principles are not applicable to VAA Providers. Principle 5 requires a relevant provider to ‘have effective arrangements in place for the protection of customer assets and money when it is responsible for them’. VAA Providers arrange virtual asset transactions for clients, but do not, at any time, take custody of client virtual assets (otherwise they would be ‘using DLT for storage or transmission of value belonging to another’, and therefore require authorisation as a DLT Provider). As such, Principle 5 does not apply to VAA Providers to the extent that it relates to the protection of client virtual assets. (However, this Principle will apply to any client money that a VAA Provider becomes responsible for in the course of providing its services.)

5.12 Similarly, Principle 10, which stipulates that a relevant provider ‘must conduct itself in a manner which maintains or enhances the integrity of any markets in which it participates’, is unlikely to apply to VAA Providers, as they are unlikely to participate in any markets in the course of conducting their business.

6. Carrying on Regulated Activities by way of business in or from within Gibraltar

6.1 In order for a firm to be authorised to carry on regulated activities in Gibraltar, it must be registered and have an office in the jurisdiction. The firm must also ensure that the Mind and Management of its business is conducted from its Gibraltar office, and that the firm can evidence this.

6.2 The GFSC will also take into account the nature and scale of the activity being conducted in Gibraltar, the degree of continuity, and the existence of a commercial element to the activity.

6.3 A firm that provides DLT services or virtual asset arrangements outside Gibraltar that is incorporated or registered in Gibraltar will be considered to be carrying on that activity from within Gibraltar.

6.4 The DLT Framework is designed to capture the relevant activities being conducted by way of business. It should be emphasised that the DLT Framework is not intended to capture individuals or entities who:
● obtain virtual assets and use them to purchase goods or services on their own behalf;
● purchase goods and services with virtual assets;
● invest in virtual assets for private purposes;
● pay salaries or wages in virtual assets; or
● make a one-off exchange or transfer for a third party.[9]

[9] See also Section 11 of this Guidance Note (‘Examples of out-of-scope activities’).

7. Using Distributed Ledger Technology (DLT)

7.1 Paragraph 138(2) of Schedule 2 to the FSA defines DLT as ‘a database system in which–
a) information is recorded and consensually shared and synchronised across a network of multiple nodes; and
b) all copies of the database are regarded as equally authentic’.

7.2 A distributed ledger can be shared across a network of multiple sites, jurisdictions or institutions, and does not have a single authoritative copy. Instead, network participants have identical copies of the ledger. A distributed ledger may employ a blockchain or other method of storing records in a continuous tamper-resistant way.

7.3 The GFSC will interpret ‘DLT’ broadly in order to allow the DLT Framework to capture businesses that adopt emerging applications of DLT/blockchain technology, thereby enabling it to meet its regulatory objectives.

7.4 It should be noted that the DLT Framework does not seek to regulate the technology itself, or the individuals or entities that develop open-source software or protocols using DLT, but rather those developing and using the technology for commercial purposes. The GFSC will focus in particular on the provision of financial services or services akin to these that carry similar risks for customers.

8. Value

8.1 ‘Value’ for the purposes of the DLT regulated activity, is defined in paragraph 138(2) of Schedule 2 to the FSA as including ‘assets, holdings and other forms of ownership, rights or interests, with or without related information, such as agreements or transactions for the transfer of value or its payment, clearing or settlement’.

8.2 The definition of ‘value’ under Gibraltar law is therefore wider than the definition of virtual assets (see paragraphs 5.7-5.8).[10]

[10] For the avoidance of doubt, non-fungible tokens, commonly referred to as ‘NFTs’ are likely to fall within the definition of ‘value’ under Gibraltar law.

8.3 Digital representations of fiat currencies and other forms of price-stabilised virtual assets may fall within the scope of other regulated activities, for example where they are deemed to fall within the definitions of electronic money (‘e-money’) or financial instruments. However, where they do not, they are still likely to fall within the definition of ‘value’ for the purposes of the DLT Framework.

9. Storage and Transmission of Value Belonging to Another

9.1 DLT Providers may fall in scope of one or both of the storage and transmission elements of the DLT regulated activity.

Storage

9.2 ‘Storage’ traditionally refers to the holding or safekeeping of a physical asset, to be returned to its owner in the same condition as it is received. In a digital world, where assets are dematerialised, safekeeping is not physically observable. In this context, the GFSC interprets storage as the ability for one party to exercise control over access to another’s value to the extent that the value could be compromised as a result of the former’s actions.

9.3 Holding or having direct access to private keys enabling control over a virtual asset, on behalf of a client, during the course of any business activity, clearly meets the definition of storage, in the context of the DLT regulated activity and the DLT Framework.

9.4 The GFSC also considers activities in which a firm or individual is essential to the process of transferring a client’s value in a multi-signature arrangement to fall in-scope of the DLT Framework, even in cases where they cannot complete transactions without a key held by another party. In-scope examples include situations where there is an expectation that the firm/individual will initiate a transfer of the value at a particular time, and those where the loss of a private key held by the firm/individual would result in the irrecoverable loss of a client’s value.

Transmission

9.5 The transmission of an asset is generally considered to be the passing or sending (i.e. transfer) of that asset to a different person or place. In the context of the DLT regulated activity, individuals or firms who can control or have an element of control over the passing or sending of a client’s value to a different wallet or address, or who have the ability to change its ownership by another means, or to destroy it, will be considered to be transmitting value belonging to another, and consequently within scope of the DLT Framework.

9.6 Where a developer or group of developers deploys a smart contract, demonstrably retains no element of control over it, and derives no commercial benefit from it, their activity is likely to fall outside the scope of the DLT Framework. However, developers, owners, operators and administrators of smart contracts, decentralised applications (‘DApps’), decentralised exchanges (‘DEXs’) and stablecoins may be considered to be conducting the DLT regulated activity, and therefore to fall within scope of the DLT Framework, even if other parties play a role in the service(s) provided, or elements of the process or operation are automated or decentralised. The question of whether a decentralised structure involves some degree of centralised control that brings certain parties within scope of the DLT Framework needs to be assessed on a case-by-case basis, having regard to the content under the ‘Relevant Factors’ heading below.


9.7 The nature and extent of the relevant party’s control and the economic substance of the arrangements in place will be important considerations when assessing such cases.

Relevant Factors

9.8 When assessing whether an individual or firm should be deemed to be conducting the DLT regulated activity, and therefore to fall within scope of the DLT Framework, the GFSC will consider whether the level of control or influence that the individual or firm in question exerts over the storage or transmission of value belonging to others is sufficient to bring it within scope.

9.9 The broad approach to the assessment that the GFSC will make in this context can be summarised as follows:
● From a technological point of view, the GFSC will assess (where necessary, with suitable third party technological expertise) the level of automation and autonomy of the protocol, the existence of administrator rights or keys (or rights or privileges of a similar nature), and the level of transparency of the code used.
● From an operational point of view, the GFSC will focus on the characteristics of the activity, identifying whether it is provided in an ‘open’ manner (e.g. via a permissionless blockchain protocol that is accessible to the public) and whether any custodial activity is provided via the protocol.
● From a governance point of view, the GFSC will assess whether there is any ‘de facto’ or ‘de jure’ control over the protocol by developers or users. The level of decentralisation of a protocol’s governance could vary on the basis of several factors, such as the levels of distribution in governance tokens held, as well as the effective level of participation of holders in the decision-making process.

9.10 In general, the GFSC will seek to determine the level of control exercised over a protocol (for example, whether certain parties have access to its administrator keys, thereby allowing them to modify the code, independently of any governance process).

9.11 The following are examples of the factors that will be considered in this context:
● Whether an identifiable individual or firm is deriving economic benefit from the use of a given smart contract, DApp, DEX or stablecoin.
● The extent of an individual or firm’s (or any party directly or indirectly linked to the firm’s) influence and/or control over a given smart contract, DApp, DEX or stablecoin, for example by holding an administrative key through which it is possible to set or adjust parameters.
● Whether there is a legal requirement for an individual or firm to effect the transmission of value.
● Whether there is a legal requirement for an individual or firm to deploy or administer a given smart contract, DApp, DEX or stablecoin.
● Whether there are any external inputs to a given smart contract (e.g. an oracle function) that are controlled, or significantly influenced by an individual or firm (or any party directly or indirectly linked to the individual or firm).
● Whether there is a requirement to use a particular virtual asset associated with an individual or firm within a given smart contract, DApp or DEX.
● In the case of any consensus mechanism used, whether the majority of the given network (as defined by the consensus mechanism in question) is controlled by an individual or firm.
● Whether a failure or error of any kind on behalf of an individual or firm will result in customer value being compromised.

9.12 For the avoidance of doubt, non-fungible tokens, commonly referred to as ‘NFTs’ are likely to fall within the definition of ‘value’ under Gibraltar law.


10. Examples of In-Scope Activities

10.1 This section sets out a non-exhaustive list of activities which fall within scope of the DLT Framework, whether by virtue of falling within the definition of the DLT regulated activity, or falling within the definition of the VAA regulated activity. Firms and individuals will be required to evidence the particular circumstances of their business where they are seeking to demonstrate they are not in-scope prior to the carrying out of any such activity.

The DLT regulated activity

Custodial Virtual Asset wallet providers

10.2 Firms providing virtual asset wallets where clients can store their virtual assets, and where the firm is responsible for the storage of such virtual assets and the transmission of virtual assets out of the wallet (at the request of the owner of the virtual assets).

Virtual Asset ATM Operators

10.3 Also referred to commonly as ‘kiosks’, ‘Bitcoin teller machines’, ‘Bitcoin ATMs’, or ‘vending machines’. These physical electronic terminals enable the owner/operator to actively facilitate the exchange of virtual assets for fiat currency or other virtual assets.

Spot Virtual Asset Exchanges (Custodial and Non-Custodial)

10.4 Exchanges or exchangers can exist in various forms and business models and generally provide third-party services that enable their customers to buy and sell virtual assets in exchange for traditional fiat currency or another virtual asset. Exchange and/or transfer business models can include ‘traditional’ virtual asset exchanges or virtual asset transfer services that actively facilitate the exchange of virtual assets for fiat currency or other forms of virtual asset. These models typically accept a wide range of payment methods, including cash, wires, credit/debit cards, and virtual assets.

Virtual Asset Derivatives Exchanges

10.5 These more advanced trading services may allow users to access more sophisticated trading products and services, generally collectively categorised as derivative contracts. Exchanges offering virtual asset-denominated derivative contracts that do not constitute financial instruments for the purposes of other, ‘traditional’ financial services regulations are still likely to be captured by the DLT Framework.

Over-the-Counter (‘OTC’)/Brokerage Desks

10.6 These firms tend to arrange for the buying and selling of virtual assets for other virtual assets or fiat, between clients or between clients and the firm/liquidity providers. Where these firms use DLT in the storage or transmission of value belonging to another in arranging transactions, they are likely to require authorisation as a DLT Provider. Where DLT is not used in the storage or transmission of value belonging to another in making such arrangements, these firms are likely to require authorisation as a VAA Provider. In either case, the DLT Framework will apply.

Escrow Service Providers

10.7 Escrow service providers arrange for the buying and selling of virtual assets for other virtual assets or fiat, whilst acting as a central counterparty to the trade, holding the virtual assets or both the virtual assets and the fiat, in order to enhance trust between the counterparties of the trade. Where DLT is not used in the storage or transmission of value belonging to another in making such arrangements, these firms are likely to require authorisation as a VAA Provider. In either case, the DLT Framework will apply.

Virtual Asset Borrowing and Lending Platforms

10.8 These firms actively facilitate virtual asset loans between their clients via their platforms. Typically, borrowers will post virtual assets as collateral, which the firm will take custody of during the loan term.

Virtual Asset Managed Investment Services

10.9 These service providers make buying and selling decisions for their clients, in return for a fixed fee or performance-based return. These providers typically also take custody of clients’ virtual assets, by virtue of which they will likely fall within scope of the DLT Framework.

Gibraltar Financial Services Commission Guidance Note on the Scope of the DLT Framework 12 Operators and Administrators of Smart Contracts 10.10 Services or business models that combine the function of safeguarding the value of a customer’s virtual assets with the power to manage or transmit the virtual assets independently from the owner, under the assumption that such management and transmission will only be done according to the owner’s/customer’s instructions, will fall within scope of the DLT Framework. 10.11 Operators providing safekeeping and administration services include persons that have exclusive or independent control of the private key associated with virtual assets belonging to another person or exclusive and independent control of smart contracts to which they are not a party that involve virtual assets belonging to another person. Operators and Administrators of Decentralised Applications (‘DApps’) and Decentralised Exchanges (‘DEXs’) 10.12 Decentralised or distributed applications (or DApps) are software programs that operate on a peer-to-peer network of computers running a blockchain-based platform designed such that they are not controlled by a single person or group of persons. DApps may be deployed in order to perform a wide variety of functions, including acting as a decentralised exchange (sometimes called a DEX) or another form of unincorporated organisation, such as software agency, to provide virtual asset activities. Where a DApp does not have an identifiable administrator or single authority capable of or responsible for making changes to data, moderating, intermediating or validating transactions that take place within the DApp, it is unlikely to be captured by the DLT Framework. 
10.13 However, DApps may not be fully decentralised, and may retain elements of centralisation by virtue of which they fall in scope of the DLT Framework, so it remains for the GFSC to determine whether any identifiable owners/operators/administrators exert control or sufficient influence to bring them within scope of the DLT Framework. When considering each case, the GFSC will take the approach and consider the factors set out in the ‘Relevant Factors’ section above.

10.14 The DLT Framework is not intended to capture pure research and development work, or the deployment of open-source software, but rather individuals or firms that have continued control or significant influence over, and/or continue to derive (or have the potential to derive) commercial benefit from, DApps and DEXs following their launch.

Stablecoin Offerings

10.15 Price-stabilised virtual assets, commonly referred to as stablecoins, can be structured in various ways. For example, they can be fiat-backed (by one or a basket of fiat currencies), asset-backed (e.g. by exchange-traded, physical commodities, such as gold or oil), virtual asset-backed (by one or a basket of virtual assets), or backed by a mixture of these types of assets. They can also be algorithmically controlled (e.g. with mechanisms to adjust token supply in response to market movements), or ‘free-floating’. Stablecoins may have a central developer or a governance body that consists of one or more natural or legal persons who establish, or participate in the establishment of, the rules governing the stablecoin arrangement, for example by determining the functions of the stablecoin, who can access it, and what, if any, AML/CFT preventive measures are built into the arrangement. They may also carry out the basic functions of the stablecoin (such as managing the stabilisation function) or have decision-making authority over structures that affect the inherent value of the stablecoin, such as changing reserve requirements or the stablecoin’s supply. Whilst the application of the DLT Framework to each proposal will be assessed on a case-by-case basis, the extent of the role played by a given entity in any of the functions outlined above will be a key consideration for the GFSC. As mentioned in the context of DApps and DEXs, when considering each case, the GFSC will take into account the factors set out in the ‘Relevant Factors’ section above.

The VAA regulated activity

Non-custodial over-the-counter/brokerage desks

10.16 The primary business model that falls within the definition of the VAA regulated activity is an over-the-counter (OTC) exchange or brokerage desk. Firms carrying out this activity will typically arrange for the buying and selling of virtual assets for other virtual assets or fiat, between different clients, between clients and third party liquidity providers, or between clients and the firms themselves. The key difference between the activity carried out by this kind of VAA Provider and a DLT Provider that provides OTC/brokerage services, is that the VAA Provider will not at any point take custody of, or otherwise store or transmit virtual assets belonging to other transacting parties. Instead, the VAA Provider will act as an intermediary and use third party service providers for the storage and transmission of the virtual assets being traded.

Peer to peer platforms

10.17 Peer-to-peer exchange platforms, where buyers and sellers might locate one another and then go to a different location, platform or service to effect trades between themselves, may also be considered to be providing virtual asset arrangements and therefore within scope of the DLT Framework. However, the mere provision of information, advertising, or software that does not consist of arranging transactions will fall outside the scope of the VAA regulated activity.

11 Examples of Out-of-Scope Activities

11.1 This section sets out a non-exhaustive list of activities which fall, or are likely to fall, outside the scope of the DLT Framework.
Where a firm or individual intends to carry on any of the activities listed by way of business in or from within Gibraltar, they should be prepared to demonstrate, prior to commencing that activity, that no aspect of it will fall within the DLT Framework.

11.2 Whether a natural or legal person engaged in any activity relating to virtual assets requires authorisation as a DLT Provider or VAA Provider depends on how the person conducts the activity and for whose benefit. A person not engaging as a business for or on behalf of another natural or legal person will not be conducting a regulated activity.

Proprietary trading or activities

11.3 Natural or legal persons who obtain[11] virtual assets and use them to purchase goods or services on their own behalf or make a one-off exchange or transfer for a third party, will fall outside of the DLT Framework’s scope, as will users purchasing goods and services with virtual assets, investing in virtual assets for private purposes, and paying salaries or wages in virtual assets.

11.4 Companies that trade virtual assets on their own account, for their own benefit, in a manner that is not linked to the provision of services to clients, will not fall within scope of the DLT Framework.

[11] ‘Obtain’ in this context covers any situation in which the natural or legal person in question acquires the legal title to the virtual assets, whether via a purchase, loan arrangement or otherwise.

11.5 Similarly, market makers, to the extent that they carry on market making activity for their own benefit, using their own assets, and without involving a client relationship, do not fall within scope of the DLT Framework. (Note, however, that where market makers use assets belonging to other individuals or entities in the course of carrying on market making activity, they will, in our view, fall within the DLT Framework’s scope.)

Non-custodial wallet services

11.6 Natural or legal persons providing ancillary services/products to DLT networks, such as hardware wallet manufacturers and non-custodial wallet providers (to the extent that they do not carry on any other activity captured by the DLT Framework) are likely to fall out-of-scope.

Investment advice

11.7 Pure investment advice relating to virtual assets, where the individual or firm providing the investment advice does not at any point store or transmit value belonging to the recipient of the advice, does not currently fall within scope of the DLT Framework. ‘Investment advice’ in this context means the provision of personal recommendations to a client, either upon the client’s request or at the initiative of the individual or firm in question, in respect of one or more transactions relating to virtual assets.

Research, development and outsourcing

11.8 The DLT Framework is not intended to capture pure research and development work, or the deployment of open-source software on online repositories.

Validating transactions

11.9 Validating transactions on a blockchain (or any other form of DLT), for example through the process commonly referred to as ‘mining’ on a proof-of-work blockchain, or ‘staking’ on a proof-of-stake blockchain, will fall out of scope of the DLT Framework where it is not carried on by way of business and on behalf of others.
Virtual asset account signatories

11.10 Under certain circumstances, signatories on a virtual asset account that is held with a virtual asset custodian (similar to signatories on a bank account), who do not control the private keys to the applicable virtual asset wallets (since they are controlled by the virtual asset custodian), may fall outside the scope of the DLT Framework. However, as mentioned under the ‘Storage’ heading above, the GFSC considers activities in which a firm or individual is essential to the transfer of a client’s value in a multi-signature arrangement to fall in-scope of the DLT Framework, even in cases where they cannot complete transactions without a key held by another party.

Information publishers, bulletin boards and software vendors

11.11 The mere provision of information, advertising, or software that does not consist of arranging transactions will fall outside scope of the DLT Framework.

Published by: Gibraltar Financial Services Commission PO Box 940 Suite 3, Ground Floor Atlantic Suites Europort Avenue Gibraltar www.gfsc.gi © 2025 Gibraltar Financial Services Commission