ISOLAS Partners Adrian Pilcher and Joey Garcia, and Associate Michael Adamberry have assisted Her Majesty’s Government of Gibraltar (“HMGoG”), the National Coordinator for Anti-Money Laundering and the Combatting of Terrorist Financing (“National Coordinator”) and the Gibraltar Financial Services Commission (“GFSC”) in the drafting of the following pieces of legislation:

  • Proceeds of Crime Act 2015 (Amendment) Regulations 2021 (“POCA Amending Regs”)
  • Proceeds of Crime Act 2015 (Relevant Financial Business) (Registration) Regulations 2021 (“RFBR Regs”)
  • Financial Services (Specified Regulatory Decisions) (Amendment) Regulations 2021 (“SRD Amending Regs”)
  • Proceeds of Crime Act 2015 (Transfer of Virtual Assets) Regulations 2021 (“TR Regs”)


This work follows from Adrian and Michael’s recent involvement with drafting the Proceeds of Crime (Miscellaneous Amendments) Act 2021 passed by the Gibraltar Parliament on 5 February 2021 (and which came into force on 9 February 2021). The drafting team has had a further opportunity to work as part of a dedicated taskforce guided by the National Coordinator and the GFSC, making further amendments to Gibraltar’s legislation related to anti-money laundering (“AML”), combatting financing of terrorism (“CFT”), and counter-proliferation financing (“CPF”) otherwise known as AML/CFT and CPF. Additionally, ISOLAS Partner Joey Garcia was also called upon for his expertise in the Fintech and distributed ledger technology (“DLT”) space. Joey Garcia was involved following the gap analysis he had been instructed to conduct in relation to Gibraltar’s DLT Framework and the FATF Recommendations, and VASP definitions.

The changes brought about by the above pieces of legislation, in part, deal with the implementation of the so-called ‘travel rule’ prescribed under the revised Recommendation 15 (as read with Recommendation 16) of the Financial Action Task Force’s (FATF) Recommendations [1] on the International Standards on combatting money laundering and the financing of terrorism and proliferation, adopted by the FATF plenary in February 2012, as amended.


Travel Rule

The travel rule is essentially a requirement (derived from the FATF Recommendations) to collect and submit, immediately and by secure means, certain information along with transfers of virtual assets. In Gibraltar, these obligations are now placed on relevant financial businesses (RFBs), as defined in s.9 of the Proceeds of Crime Act 2015 (“POCA”), who send (on behalf of a “payer”) or receive (on behalf of a “payee”) virtual assets to or from “virtual asset service providers” or “VASPs”.

The TR Regs operate by obligating the RFB acting for the payer in a virtual asset transaction (which we can refer to as the “originator RFB” for simplicity) which has been captured by the TR, to obtain and submit certain information on the payer and on the payee. In many cases the RFB may already have information on the payer, as part of its customer due diligence (“CDD”) obligations under POCA which apply to regulated DLT firms in Gibraltar, as well as other RFBs. However, unless the payee is also one of its clients, the originator RFB is unlikely to have information relating to the payee and will therefore need to have the relevant industry systems in place which allow this information to be securely provided.

The RFB receiving the virtual assets on behalf of the payee (which we can refer to as the “beneficiary RFB” for simplicity) has the obligation to ensure it receives the required information from the originator RFB and then corroborate this with its own records in respect of the payee’s name and, where applicable, the payee’s account number.

The information-gathering requirements shift slightly depending on whether the RFB is acting on behalf or a payer, a payee, or both (as well as on its own behalf). However, regardless on whom the onus is to obtain, submit, or corroborate the information with their own records, virtual asset transfers covered by the TR Regs will be accompanied by the following specified information:

  • the payee’s name;
  • the payee’s virtual asset account number;
  • the payer’s name;
  • the payer’s virtual asset account number;
  • where the payee or the payer does not have a virtual asset account number, a unique transaction identifier; and
  • one of the following:
    • the payer’s address;
    • the payer’s national identity number;
    • the payer’s customer identification number; or
    • the payer’s date and place of birth.


RFBs also have to consider the obligations when they receive virtual asset transfers from a person other than a VASP (e.g. virtual assets received from an unhosted wallet). In such cases, the information they are expected to obtain from the payee is limited to:

  • the payer’s name; and
  • one of the following:
    • the payer’s address;
    • the payer’s national identity number;
    • the payer’s customer identification number; or
    • the payer’s date and place of birth.

However, the travel rule does not apply where the RFB sends a virtual asset transfer to a person other than a VASP. In this case there are no information gathering requirements, other than the usual CDD requirements that an RFB has to meet under POCA.

Given the overlap of travel rule information and CDD information obtained during the normal course of an RFB’s activities, the TR Regs make clear (r.6) that any requirement, under the TR Regs, for a RFB to obtain the information specified in r.4(2), or any part of it, shall constitute a CDD measure as if the requirement to obtain that information was listed in s.10 POCA. The record-keeping requirements under s.25 POCA are also applicable to information obtained when sending or receiving virtual asset transfers.


Virtual Assets and VASPs

Gibraltar has included a VASP definition which replicates the FATF definition of the same – this is contained in r.3 of the TR Regs. The only purpose of this definition is to define transactions between RFBs operating in Gibraltar and VASPs operating outside Gibraltar (and not therefore RFBs). Likewise, a definition of “virtual asset” is also used, which aligns with the FATF definition of the same – this concept is now defined in s.7 POCA and used in the TR Regs.

The concepts of VASP and virtual asset are intended to be self-contained to a large extent, and thereby do not substitute Gibraltar’s existing DLT framework, prescribed under the Financial Services Act 2019 (“FSA19”) and its subsidiary legislation and guidance (the “DLT Framework”). Gibraltar’s DLT Framework, in place since 2017, already captured most of the activity falling into the FATF’s classification of VASP activity. As a result of recent changes to POCA [2], a new s.9(1)(q) POCA now brings the following within the scope of that Act:

(q) persons that, by way of business, exchange, or arrange or make arrangements with a view to the exchange of:

(a)          virtual assets for money;
(b)          money for virtual assets; or
(c)          one virtual asset for another.

For the purposes of paragraph (q) above, “virtual assets” has the meaning given to in s.7 POCA as amended, and “money” has also been defined in a self-contained definition that applies for the purposes of s.9(1)(q). Under the revised s.9(1A) POCA, “money” means: “(a) money in sterling; (b) money in any other currency, or (c) money in any other medium of exchange, but does not include a virtual asset”.

As a result of these changes, VASP activity as classified by FATF now falls within s.9(1)(j), (p) and (q) POCA.


Other notable amendments

The occasional transactions threshold under which CDD needs to be carried out is reduced from 15,000 euro to 1,000 euro in the case of in the case of virtual asset transactions (newly inserted s.11(g) POCA), whether these are carried out as a single transaction or as several transactions which appear to be linked.

As a result of changes to s.30(3) POCA, persons convicted of a relevant offence under POCA (or their associates) will be prevented from holding a management function in, or being a beneficial owner of a broader category of RFBs in s.9 POCA, which now includes estate agents and letting agents (s.9(1)(h)), all controlled activities (s.9(1)(j), as read with FSA19), DLT firms involved in tokenised assets (s.9(1)(p)) and those persons that, by way of business, exchange, or arrange or make arrangements with a view to the exchange of− (a) virtual assets for money; (b) money for virtual assets; or (c) one virtual asset for another (s.9(1)(q)).

Under changes to s.25A POCA, RFBs must now factor in the impact of developing technologies (e.g.  virtual assets and DLT) for both new and existing products when they assess the risks of money laundering, terrorist financing and proliferation financing.


New registration requirements for four classes of RFB

The RFBR Regs impose an obligation on four classes of RFB, who are now required to register with the Gibraltar Financial Services Commission (“GFSC”) for the purposes of AML/CFT and CPF supervision, to the extent they are not already supervised.

The following RFBs must now apply for registration (with transitional arrangements for existing RFBs to apply within 3 months of the legislation coming into force):

  • external accountants;
  • tax advisors;
  • undertakings that receive, whether on their own account or on behalf of another person, proceeds in any form from the sale of tokenised digital assets involving the use of DLT or a similar means of recording a digital representation of an asset; and
  • persons that, by way of business, exchange, or arrange or make arrangements with a view to the exchange of− (a) virtual assets for money; (b) money for virtual assets; or (c) one virtual asset for another [3].

Failure to register is a criminal offence punishable with up to 2 years’ imprisonment and/or a fine.

The registration regime should not to be confused with any application for regulatory permissions required under FSA19, in respect of regulated activity defined under that Act. Such permissions would need to be sought if the RFB intends to carry out regulated activity.

Additionally, the registration requirements are not applicable where a person carrying out any of the above RFB activities is already subject to supervision by a supervisory authority, whether that supervisory authority is the GFSC, or any other supervisory authority specified in paragraphs (a) to (d) or (h) of Schedule 2 to POCA. As an example, an audit firm that is subject to GFSC oversight will not need to seek a separate registration for its accountancy practice.

The RFBR Regs also provide fitness and propriety criteria that the GFSC will need to consider when accepting or refusing registration (including the withdrawal of registration after it is granted).

Notably, these Regulations are only intended to make the GFSC responsible for supervision of the four classes of RFB within the context of AML/CFT and CPF systems and controls required under POCA, and do not therefore task the GFSC with the regulation and supervision of those RFBs in respect of their conduct of business, nor impose prudential and other regulatory requirements outside of this scope, as is the case with regulated activity under the FSA19.


New Specified Regulatory Decisions

The Financial Services (Specified Regulatory Decisions) Regulations 2020, which came into force last year, provided for certain decisions taken by the GFSC to be “specified regulatory decisions” within the meaning of s.24 FSA19. The SRD Amending Regs expand these further to include certain decisions made under the RFBR Regs as follows:

  • the decision to issue a decision notice under R8(5) RFBR Regs, where the GFSC decides to refuse an application;
  • the decision to issue a decision notice under R9(3) RFBR Regs, where the GFSC decides to suspend or cancel a person’s registration;
  • the decision to suspend or cancel a person’s registration with immediate effect under R9(5) RFBR Regs; and
  • the decision to publish information under R9(7) RFBR Regs in respect of any action taken under R9(3) or R9(5) of those Regulations.


The practical effect is that these decisions are now subject to the GFSC’s Decision Making Committee (“DMC”) processes. Notably, the DMC process is not invoked for positive registration considerations under the RFBR Regs.


Further guidance on the above changes has also provided by the National Coordinator [4].


Partner Adrian Pilcher commented: “We are pleased to have worked with industry and lawmakers once again on these latest developments in a dynamic space. The travel rule has been the subject of some controversy in many jurisdictions, given the limited amount technological solutions to facilitate the collection and submission of information, securely and immediately. We are particularly grateful to the Finance Centre, the National Coordinator, the GFSC and Government Law Offices, as well as Joey Garcia, whose previous work with industry and HMGoG in assessing the travel rule issues and its practical implementation has been pivotal to the drafting”.

Partner Joey Garcia commented: “Although most DLT businesses will have been aware of the original FATF recommendations relating to the Travel Rule, their transposition into law has been very fast. What needs to be understood is that a lot of work has gone into the requirements being introduced in the right way to meet the Recommendations, but to do so in as practical and industry conscious a way as possible. The practical transposition of the FATF Recommendations has in reality varied significantly from jurisdiction to jurisdiction and Gibraltar’s approach to this has been excellent. The GFSC have also been very open with the industry around the introduction of the requirements and the local GANT association has also already taken the training around the practical introduction of the systems required forward with the industry so I would see this as being as positive and constructive an approach as possible.”

ISOLAS LLP Partner, Adrian Pilcher, who specialises in private client, tax and financial services law, and Associate, Michael Adamberry, who specialises in Banking & Regulatory Services, AML and Data Protection, are available to advise further on AML/CFT and CPF matters. Contact Adrian on or Michael on Additionally, for specific queries on DLT, Fintech and travel rule implementation, contact Partner Joey Garcia, who is a recognised expert in this space:



[1] Find the FATF Recommendations here:

[2] Note that s.9(1)(q) and s.9(1A) POCA introduced by the POCA Amending Regs (defined above) have since seen further amendment via the Proceeds of Crime Act 2015 (Amendment No.2) Regulations 2021, published on 29 March 2021. The wording in this article reflects the latest wording as at 31 March 2021.

[3] Note that r.4 RFBR Regs (defined above) has been amended via the Proceeds of Crime Act 2015 (Relevant Financial Business) (Registration) (Amendment) Regulations 2021, published on 30 March 2021, so this aligns with the wording in s.9(1)(q) POCA, as amended. The wording in this article reflects the latest wording as at 31 March 2021.

[4] Find the National Coordinator Guidance here: