Background and Introduction

The Gibraltar Financial Services Commission (“GFSC”) has today published the updated DLT Provider Guidance notes which was first issued in December 2017.

The DLT guidance notes support a principle-based Regulatory Regime. This allows firms a flexible approach when meeting the regulatory outcomes, proportionate to the nature, size and risks associated with their business model. For consumers, principles-based regulation will be of benefit by fostering a more innovative and competitive financial services industry.

All DLT provider already operating in Gibraltar should seek to review their policies and procedures arising out of the changes. For any queries, contact us here.

Below we explore each Regulatory Principle and the changes that have arisen.

Honesty and Integrity

“A DLT Provider must conduct its business with honesty and integrity.”

Key Changes:

No changes noted.

For the updated DLT Guidance Notes, click here.

2. Customer Care

“A DLT Provider must pay due regard to the interests and needs of each and all its customers and must communicate with its customers in a way which is fair, clear and not misleading.”

Key Changes:

1. Customer care: There is now enhanced guidance on how to protect customers and to ensure that the products and services offered, as well as the risks associated, are fully understood by them.
2. Customer Protection measures: A DLT Provider will need to implement adequate customer protection measures commensurate to the risk and complexity of its products and services and relative to the experience and vulnerability of its customers. Specific focus, guidance and examples are now provided under the following areas:
   1. Risk and Complexity
   2. Experience and Vulnerability
3. Risk warnings: A DLT Provider must give a fair and prominent indication of any relevant risks relating products or service it offers. In addition, it must be clearly visible.
   Examples of Best practice are provided.
4. Marketing and Advertising: More guidance issued on how the advertisements should be made. For instance, so that its contents and that presentation are demonstrably fair and not misleading.

For the updated DLT Guidance Notes, click here.

3. Financial & Non-financial Resources

“A DLT Provider must maintain adequate financial and non-financial resources.”

Key Changes:

1. Regulatory Capital: There is now clearer guidance on this area.
   Minimum Regulatory capital = wind down capital + Risk-based capital
2. Wind down Capital: See below under “wind down analysis”.
3. Risk based capital: Enough to absorb the crystallisation of material risks and still have sufficient capital remaining to trigger an orderly wind-down if necessary.
4. Working Capital: Capital over and above the minimum regulatory capital needed for the day to day running of the business.
5. Wind down analysis: A DLT Provider is required to maintain a formal wind-down plan which forms the basis behind the wind-down costs. Above all, the three-month industry-used default position will not be accepted by the GFSC without justification.
6. Using virtual assets as regulatory capital: A DLT Provider will be expected to include further risk-based capital should it intend on holding virtual assets as part of the firm’s regulatory capital requirement. Application of stress testing and sensitivity analysis will also be expected in order to adequately consider the risks associated.
7. Public token offerings: Internally generated tokens will not be accepted as regulatory capital. In contrast, funds raised out of a token offering will be allowed to do so. However, consideration will need to be made on whether a liability exists on the balance sheet and if so, removed from the regulatory capital calculation.
8. Stablecoins: A brief definition of stable coins and how they may be used for regulatory capital is explained. Consideration however, as above, should be made to the risks associated with holding stablecoins and factored into the regulatory capital calculation.
9. Company funding: Whilst alternative methods of funding may be allowed in certain circumstances, the GFSC expects capitalisation to be by way of fully paid up and issued share capital.
10. DLT Provider Financial Return: Financial returns will be required to be completed and used as part of the supervisory process.
11. Recovery Plan: Firms should consider scenarios that could lead to a breach in the regulatory capital requirement. They should also establish a clear link between these scenarios and what aspects of the recovery plan should be invoked. Financial & non-financial triggers will need to be in place. Recovery options are described in the guidance note.
12. Projections & Stress testing: 3-5 year financial forecasts together with stress testing will be required as part of the application and as part of the regulatory capital calculation. A “base case” scenario and stress scenarios of the most significant assumptions will need to be considered. Typical example scenarios are described in the guidance note. A worse-case scenario should also be factored in.
13. Insurance: Additional clarification and guidance is provided.
14. Non-financial resources: Additional clarification and guidance is provided.

For the updated DLT Guidance Notes, click here.

4. Risk Management

“A DLT Provider must manage and control its business effectively, and conduct its business with due skill, care and diligence; including having proper regard to risks to its business and customers.”

Key Changes:

1. Risk Management framework:  Enhanced guidance on the creation and application of a Risk Management Framework. This is now comparable to those seen in other industries such as banking and insurance. Particular focus is made on the establishment of governance arrangements and forward-looking risk management practices, there to protect customers and the reputation of Gibraltar.
2. Risk Identification & Assessment: A newly created section dedicated to Risk identification & assessment. The same methodology and criteria should be applied throughout when considering likelihood and impact of risks. Crystallised risks with material impact should be communicated to the GFSC immediately.
3. Risk Reporting: Additional guidance on the minimum risk information that should be reported to the DLT Provider’s board, senior management and internal risk committee.
4. Risk Policies and Standards:  Risk policies should set out minimum standards to be followed to ensure risks are managed in line with agreed tolerance levels. An accountable executive and policy owner should be nominated who will develop the guidelines for reporting and escalation in instances of non-compliance. Mitigating actions to address breaches should be agreed and tracked through to completion.
5. Risk appetite and tolerance: The board should agree and set the risk appetite and ensure it is aligned with its strategic objectives.
6. Risk culture: A culture should be established to encourage good behaviours at all levels in the organisation. The board and senior management should lead by example.

For the updated DLT Guidance Notes, click here.

5. Protection of Client assets

“A DLT Provider must have effective arrangements in place for the protection of client assets and money when it is responsible for them.”

Key Changes:

1. Safeguard and segregation: DLT Providers should obtain formal acknowledgement that all fiat and virtual assets held by the custodian are held in trust. In addition, that the custodian is not entitled to combine the amounts with any others or to exercise any right of set-off or counterclaim against such assets in respect of any debt owed to the custodian by the DLT Provider.
2. Frequency of reconciliation: Reconciliation required between customer and own virtual assets minimum once a day. Fiat assets at least on a monthly basis. Virtual asset movements should be agreed to the blockchain.
3. Private Key management: This replaces and significantly expands on the previous guidance note section on Cold storage. Private Keys relating to value stored on behalf of customers should be stored and secured in a manner that minimises the risk of loss or theft. A number of examples to be considered are listed in the guidance note.
   Like in the previous guidance note, most of the virtual assets should be held in cold storage. Virtual assets should only be held in hot wallets to meet current liquidity need.

For the Updated Guidance Notes, click here.

6. Corporate Governance

“A DLT Provider must have effective corporate governance arrangements.”

Key Changes:

1. Culture: There is a new section on Culture with emphasis on “tone from the top”.
2. Oversight of Executive Management: Additional guidance is provided for a DLT Providers board so that all function holders are accountable to the board as a whole.
3. Independence: Independence and conflicts of interest is a new key theme. In particular, reference is made to Independent Non-executive Directors and the criteria necessary for consideration when assessing independence of these individuals.
4. Performance reviews and succession planning: A DLT Provider’s board should consider its performance and that of its committees and members on an annual basis, assessing the contribution of individual directors and the ability to interact and work as a team. Succession planning should be considered well in advance. Following on, it should allow for periodic refreshment of the Board to avoid independence issues arising and to allow new skills and experience to be brought in where needed.
5. Supervisory Information Capture Return: A Supervisory Information Capture Return (SICR) will need to be submitted on an annual basis. SICR will seek confirmation and/or further details on certain functions, operations, products and services carried out by the DLT Provider.

For the updated DLT Guidance Notes, click here.

7. Systems and Security Access

“DLT Provider must ensure that all systems and security access protocols are maintained to appropriate high standards.”

Key Changes:

1. Cyber security and vulnerabilities: Updated guidance on management of risks, updating systems, using 2FA and disaster recovery plans.
2. Information Security: Additional guidance on responsibilities for the nominated individual as well as on industry best practice.
3. ICT Governance: Reference is now being made to ISO standards.
4. Independent assessment & tests: Additional guidance on what a penetration test entails.
5. Cloud Computing: Use of the GFSC Outsourcing guidance note should be considered when outsourcing this function.

For the updated DLT Guidance notes, click here.

8. Financial Crime

“A DLT Provider must have systems in place to prevent, detect and disclose financial crime risks such as money laundering and terrorist financing.”

Key Changes:

1. AMLGN’s: The GFSC’s Guidance Notes on ‘Systems of control to prevent the financial system from being used for Money Laundering or Terrorist Financing activities’ (AMLGNs) also apply to DLT firms. There are 6 overarching statements of principle (see chapter 4).
2. Plausible Verifiability: Guidance on the area of the requirement to satisfy the nature of income or wealth to “Plausible Verifiability”
3. Independent Verification: Where the risk profile increases, obtaining “independent verification”.
4. Removal of €150 EUR threshold for Simplified Due Diligence “SDD”: Anyone wishing to avail themselves of performing SDD need to make representations to the GFSC on a case by case basis.  
5. Enhanced Due Diligence “EDD”: Additional guidance on the circumstances to apply EDD.
6. Appointment of MLRO: Specific reference to the need to employ an MLRO.
7. Outsourcing: Additional guidance on outsourcing compliance, however, noting that outsourcing the function does not exempt the DLT provider of its statutory obligations.
8. Training: DLT Providers must establish and maintain an effective training regime for all of its officers and employees, including senior management and Directors. The obligations set out in Section 27 of POCA are expanded and clarified in the Chapter 9 of the AMLGNs.
9. Internal Audit (Independent AM Audit): An independent audit is now required over the AML/CFT policies, controls & procedures. Independence in this regard is key.

For the updated DLT Guidance Notes, click here.

9. Resilience

“A DLT Provider must be resilient and must develop contingency plans for the orderly and solvent wind down of its business.”

Key Changes:

• Business Impact Assessment & Crisis Management teams: Clarified guidance in this area in order to minimise any disruptions of services to customers. Reference to ISO again is made.
• Regular testing: Regular testing required on Business Continuity Plans and Disaster Recovery arrangements. At least annually.
• Change Management Processes: Adequate change management processes need to be taken into account on migration plans, rollback processes, etc. See guidance note for the full list.

For the updated DLT Guidance Notes, click here.

Should you have any queries on any of the DLT Guidance Notes mentioned, or require an Independent AML Audit, please don’t hesitate to get in contact with us here.

For more information on our DLT Licensing Services, see here.