
General climate and trends

General innovation climate

What is the general state of fintech innovation in your jurisdiction, including any notable trends, innovations, innovators and future prospects?

Gibraltar has taken a lead in the area of e-commerce and fintech innovation and sees the blockchain and distributed ledger technology (DLT) economy – which is much wider than cryptocurrency-related activities – as an area where it can be globally competitive as a small jurisdiction.

Gibraltar's strong track record in regulated e-commerce (particularly e-gaming, e-money and payments and other electronically supplied financial services) and its reputation for attracting quality rather than quantity in operators mean that it is well positioned to be a leading global hub. It also has local banks that have chosen to get involved in the sector and can support operators.

Gibraltar’s cosmopolitan culture and history coupled with its existing success in e-commerce make it an attractive hub for investors and entrepreneurs. It is also politically and economically stable, which is important for businesses when considering where to invest capital. Gibraltar also has an attractive tax regime for individuals and businesses.

Over the past 15 years, Gibraltar has developed a large pool of talented people in the areas of advanced online technologies and cross-border finance and marketing. This has also created a large number of experienced e-commerce professional service providers.

E-commerce – particularly cross-border financial services and e-gaming – has become a significant part of the economy: it employs thousands of people (in a population of only 35,000) and is estimated to constitute over 20% of the gross domestic product.

In the present international climate, all of these factors give Gibraltar a significant advantage in the next generation of innovation – that is, the use of DLTs.

Key technologies

Have there been any particular developments – regulatory or commercial – in any of the following fintech sectors?

Distributed ledger technology and digital currencies (eg, blockchain, smart contracts and Bitcoin)?

In January 2018 the Financial Services (Distributed Ledger Technology Providers) Regulations 2017 (DLT Regulations) came into force. The DLT framework applies to activities by providers – not subject to regulation under any other regulatory framework – that use DLT for the transmission or storage of value belonging to others. Firms and activities that are subject to another regulatory framework continue to be regulated under that framework (eg, the Markets in Financial Instruments Directive (MiFID), payment services or electronic money).

Regulated DLT providers (eg, exchanges, brokers, remitters and custodians) must apply for authorisation from the Gibraltar Financial Services Commission and comply with the DLT Regulations.

Any DLT provider that facilitates the exchange of virtual currency into fiat currency should also be mindful of the wider financial services regime, especially the potential impact of the payment services and electronic money regimes. Facilitating payment transactions (eg, in exchange for virtual currency) will not normally constitute regulated payment service activities. However, depending on the structure of the offering and any additional value-added payment services, it may, in limited cases, involve the carrying out of a regulated payment service activity in Gibraltar, the United Kingdom and the European Union under European payment services law.

In order to carry out a regulated activity, a firm must either be authorised for that activity or work with a provider which is – otherwise, it will be committing a criminal offence.

The DLT Regulations define DLT provider activities as follows:

Providing distributed ledger technology services.

(1) Carrying on by way of business, in or from Gibraltar, the use of distributed ledger technology for storing or transmitting value belonging to others.

(2) For the purposes of sub-paragraph (1)–

“distributed ledger technology” or “DLT” means a database system in which–

(a) information is recorded and consensually shared and synchronised across a network of multiple nodes; and

(b) all copies of the database are regarded as equally authentic; and

“value” includes assets, holdings and other forms of ownership, rights or interests, with or without related information, such as agreements or transactions for the transfer of value or its payment, clearing or settlement.

Alternative lending platforms?

Any person wishing to offer lending platform services must ensure that they comply with MiFID (if applicable) and with local financial services and securities legislation (eg, the Financial Services (Investment and Fiduciary Services) Act 1989) that regulates offering securities and investment services.

Digital payments, remittances and foreign exchange?

The Financial Services (Investment and Fiduciary Services) Act 1989 and – more particularly – the Financial Services (EEA) (Payment Services) Regulations 2018 regulate payment services in Gibraltar. The payment regulations implement the Payment Services Directive and are substantially the same as those in the United Kingdom and elsewhere in the EEA. The Payment Services Directive makes provision for transparency of payment service conditions, information requirements for payment services and the rights of both payment service users and providers in the provision of payment services as a business activity or regular occupation.

Alternative financing (including crowdfunding)?

Unlike the United Kingdom, Gibraltar does not have a specific crowdfunding regime. At present, MiFID does not provide a harmonised crowdfunding regime and so the legislative landscape in Europe is fragmented and largely relies on specific local regimes. This means that operators in Gibraltar and elsewhere within the European Economic Area (EEA) also need to consider the applicability of local regulatory regimes of the jurisdiction of the investor.

Investment, asset and wealth management?

Gibraltar has implemented the EU regimes applicable under MiFID II and the Alternative Investment Fund Managers Directive (AIFMD) in respect of the regulation of investment advisers, arrangers and managers, as well as managers of collective investment schemes. It also has national legislation that covers a number of other areas outside the scope of EU law, which can largely be found in the Financial Services (Investment and Fiduciary Services) Act 1989 and the Financial Services (Collective Investment Schemes) Act 2011.

MiFID II has been implemented by the Financial Services (Markets in Financial Instruments) Act 2018 and covers persons providing the following specified investment services:

  • investment advice;
  • client portfolio management;
  • execution of clients' orders on financial instruments;
  • reception and transmission of orders on financial instruments;
  • dealing with own accounts;
  • market making;
  • underwriting;
  • placing financial instruments; and
  • operating trading facilities.

The AIFMD has been implemented by way of several legislative changes, including the Financial Services (Alternative Investment Fund Managers) Regulations 2013. The regime applies to fund managers that manage in-scope alternative investment funds.

Robo-advice and artificial intelligence?

No.    

Any other technologies?

No.    

Regulatory issues

Regulatory approach

How would you describe the regulatory policy for fintech products and services in your jurisdiction?

The Gibraltarian government and the Gibraltar Financial Services Commission have taken a mindful approach to the various fintech sectors – they are supportive of innovation while recognising the need for suitable regulation in many key areas in order to:

  • encourage good operators (that are looking for a suitable regulatory framework);
  • deter bad operators and practices;
  • protect consumers and the clients of fintech firms; and
  • mitigate the risks of money laundering and crime.

Gibraltar is willing to tackle regulation at the cutting edge of technological developments in order to ensure that it remains a leading fintech jurisdiction as witnessed by the DLT provider regime. It has also advanced proposals for a new regulatory regime for the promotion and sale of crypto-tokens.

The government recently stated its intention to create a new regime that will provide important minimum standards and good practice for the promotion and sale of crypto-tokens (sometimes known as ‘initial coin offerings’ (ICOs)). In its recent Token Regulation proposal document, the Gibraltarian government outlines its approach as follows:

Crowd funding is a perfectly legitimate method of raising finance as is seeking public subscription for new ventures. It is therefore desirable to establish a regulatory regime that helps firms in Gibraltar to develop new products and services and maintain competitiveness whilst, at the same time, protecting consumers and Gibraltar’s reputation.

A token sale is a means by which an organisation can raise funds through crowd financing by issuing and selling tokens.

Presently, if the token is not a security offering and is essentially a utility token, it is unregulated under Gibraltarian and EU law.

In circumstances where a token is not a security, it has been recognised that there is some risk posed to the general public (ie, inexperienced investors) through investment in tokens, and that a suitable regulatory environment could support this new sector while putting in place much-needed standards and controls.

When not a security, a token provides the holder or investor with access to a developed product or service. An ICO is a means of early-stage project funding, and as such, subscribers or investors are often investing in a product or service that is yet to be developed.

The proposed token sale regulations are intended to cover:

  • the promotion, sale and distribution of tokens;
  • operating secondary market platforms trading in tokens; and
  • providing investment and ancillary services relating to tokens.

The government has made the following statement regarding the purpose of the regulations:

It is… desirable to establish a regulatory regime that mitigates such risks and provides appropriate and adequate safeguards by: requiring full and accurate disclosure of information; imposing rules for the orderly and proper conduct of secondary market platforms; and requiring competent professional investment services.

The new token sale regime is intended to bring into scope all token sales that fall outside existing financial services regimes so that there are minimum standards in place for the sale of so-called ‘utility tokens’ that are otherwise outside the scope of the DLT Regulations and existing financial services and securities law. The new regime is likely to require that any token sale be conducted and promoted by a regulated sponsor firm.

This regime will not impact the offer and promotion of tokenised securities, as these are already subject to existing Gibraltar and EU law (eg, the Markets in Financial Instruments Directive (MiFID) II, the prospectus regime and the AIFMD).

Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?

In January 2018 the Financial Services (Distributed Ledger Technology Providers) Regulations 2017 (DLT Regulations) came into force. The DLT framework applies to activities by providers, not subject to regulation under any other regulatory framework, that use DLT for the transmission or storage of value belonging to others. Firms and activities that are subject to another regulatory framework continue to be regulated under that framework (eg, MiFID, payment services or electronic money).

Regulated DLT providers (eg, exchanges, brokers, remitters and custodians) must apply for authorisation from the Gibraltar Financial Services Commission and comply with the DLT Regulations.

Any DLT provider that facilitates the exchange of virtual currency into fiat currency should also be mindful of the wider financial services regime, especially the potential impact of the payment services and electronic money regimes. Facilitating payment transactions (eg, in exchange for virtual currency) will not normally constitute regulated payment service activities. However, depending on the structure of the offering and any additional value-added payment services, it may, in limited cases, involve the carrying out of a regulated payment service activity in Gibraltar, the United Kingdom and the European Union under European payment services law.

In order to carry out a regulated activity, a firm must either be authorised for that activity or work with a provider which is – otherwise, it will be committing a criminal offence.

The DLT Regulations define DLT provider activities as follows:

Providing distributed ledger technology services.

(1) Carrying on by way of business, in or from Gibraltar, the use of distributed ledger technology for storing or transmitting value belonging to others.

(2) For the purposes of sub-paragraph (1)–

“distributed ledger technology” or “DLT” means a database system in which–

(a) information is recorded and consensually shared and synchronised across a network of multiple nodes; and

(b) all copies of the database are regarded as equally authentic; and

“value” includes assets, holdings and other forms of ownership, rights or interests, with or without related information, such as agreements or transactions for the transfer of value or its payment, clearing or settlement.

Gibraltar is willing to tackle regulation at the cutting edge of technological developments in order to ensure that it remains a leading fintech jurisdiction as witnessed by the DLT provider regime. It has also advanced proposals for a new regulatory regime for the promotion and sale of crypto-tokens.

The government recently stated its intention to create a new regime that will provide important minimum standards and good practice for the promotion and sale of crypto-tokens (sometimes known as ‘initial coin offerings’ (ICOs)). In its recent Token Regulation proposal document, the Gibraltarian government outlines its approach as follows:

Crowd funding is a perfectly legitimate method of raising finance as is seeking public subscription for new ventures. It is therefore desirable to establish a regulatory regime that helps firms in Gibraltar to develop new products and services and maintain competitiveness whilst, at the same time, protecting consumers and Gibraltar’s reputation.

A token sale is a means by which an organisation can raise funds through crowd financing by issuing and selling tokens.

Presently, if the token is not a security offering and is essentially a utility token, it is unregulated under Gibraltarian and EU law.

In circumstances where a token is not a security, it has been recognised that there is some risk posed to the general public (ie, inexperienced investors) through investment in tokens, and that a suitable regulatory environment could support this new sector while putting in place much-needed standards and controls.

When not a security, a token provides the holder or investor with access to a developed product or service. An ICO is a means of early-stage project funding, and as such, subscribers or investors are often investing in a product or service that is yet to be developed.

The proposed token sale regulations are intended to cover:

  • the promotion, sale and distribution of tokens;
  • operating secondary market platforms trading in tokens; and
  • providing investment and ancillary services relating to tokens.

The government has made the following statement regarding the purpose of the regulations:

It is… desirable to establish a regulatory regime that mitigates such risks and provides appropriate and adequate safeguards by: requiring full and accurate disclosure of information; imposing rules for the orderly and proper conduct of secondary market platforms; and requiring competent professional investment services.

The new token sale regime is intended to bring into scope all token sales that fall outside existing financial services regimes. This way, there will be minimum standards in place for the sale of so-called ‘utility tokens’ that are otherwise outside the scope of the DLT Regulations and existing financial services and securities law. The new regime is likely to require that any token sale be conducted and promoted by a regulated sponsor firm.

This regime will not impact the offer and promotion of tokenised securities, as these are already subject to existing Gibraltar and EU law (eg, MiFID II, the prospectus regime and the AIFMD).

Regulatory authorities

Which government authorities regulate the provision of fintech products and services?

The Gibraltar Financial Services Commission.

Financial regulatory framework

Which laws and regulations governing the provision of financial services apply to fintech businesses?

All existing laws that relate to regulated financial and investment services, including:

  • MiFID II;
  • the Proceeds of Crime Act;
  • alternative investment schemes and collective investment schemes (including the AIFMD);
  • the offer of transferable securities under the prospectus regime;
  • banking;
  • consumer credit and insurance;
  • trust and fiduciary services;
  • e-money and payments; and
  • custodians.

As with other commercial operators, the starting point for any regulatory analysis is the extent to which the fintech operator is conducting regulated financial service activities. The fact that they are conducting such services using more advanced technological tools than the existing sector operators is not normally the material issue for ascertaining the applicability of regulation to such activities, as most financial service and investment service regimes are intended to be technologically neutral.

However, in some cases, fintech operators will be using new business models and technologies that do not fit neatly within existing regulatory frameworks. This is the case with DLT operators storing or transmitting crypto-value on behalf of others, and with the rise of ICOs.

Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?

It depends on the nature of the activities and sector. It is not possible to list all of the different regulatory regimes and applicable exemptions as they vary and are specific to each type of business.

While the term ‘fintech’ is catchy and captures the spirit of these new innovative businesses, it has little real significance for regulatory purposes.

Are any fintech products or services prohibited in your jurisdiction?

Only those products and services that are prohibited under existing financial services regimes (irrespective of the medium and technology used) – for example, the offer of transferable securities to the public without a suitable prospectus.

Data protection and cybersecurity

What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

The Data Protection Act 2004, the Communications (Personal Data and Privacy) Regulations 2006 and the EU General Data Protection Regulation (see www.lexology.com/library/detail.aspx?g=9fea5eea-5e35-4101-b64c-e5ab72878c6f).

What cybersecurity regulations or standards apply to fintech businesses?

In addition to its data protection laws, Gibraltar has a range of laws that govern cybersecurity, including laws implementing EU directives and territory-specific laws. These include the:

  • Crimes Act 2011;
  • Proceeds of Crime Act 2015;
  • Crimes Act (Amendment) Regulations 2015, implementing the EU Directive on Attacks Against Information Systems (2013/40/EU);
  • Communications (Combating Child Pornography) Regulations 2013, implementing the EU Directive on Combating the Sexual Exploitation of Children Online and Child Pornography (2011/92/EU);
  • Criminal Offences Ordinance 2005, implementing the Council Framework Decision on Combating Fraud and Counterfeiting;
  • Communications Act 2006;
  • Communications (Personal Data and Privacy) Regulations 2006;
  • Data Protection Act 2004;
  • Financial Services (EEA) (Payment Services) Regulations 2010; and
  • Civil Contingencies Act 2007.

For a fuller review of this area of law, see www.lexology.com/library/detail.aspx?g=9fea5eea-5e35-4101-b64c-e5ab72878c6f.

In addition, as part of its regulatory principles, the Financial Services (Distributed Ledger Technology Providers) Regulations 2017 provide that DLT providers must:

  • have effective arrangements in place for the protection of customer assets and money, when they are responsible for them; and
  • ensure that all of their systems and security access protocols are maintained to appropriately high standards.

The Gibraltar Regulatory Authority is responsible and is the designated authority for regulating, supervising and enforcing compliance for the security of network and information systems for designated operators of essential services and digital services.

Financial crime

What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?

The Crimes Act 2011, the Proceeds of Crime Act 2015 and the Terrorism Act 2005.

What precautions should fintech businesses take to ensure compliance with these provisions?

A fintech business is subject to the regulatory requirements of Part III of the Gibraltar Proceeds of Crime Act 2015 (POCA) and must ensure that all services provided are not used for the purposes of financial crime including money laundering, financing terrorism, evading sanctions or otherwise facilitating criminal activity.

A fintech business must develop and implement anti-money laundering and combating the financing of terrorism (AML/CFT) policy controls to identify, assess, report and monitor AML/CFT risks across customers, products, services and geographical locations relevant to its business activity. These controls must consist of a number of policies and procedures to address and mitigate the inherent AML/CFT risks identified, the appointment of a money laundering reporting officer, AML/CFT employee training and – when deemed appropriate relative to the size and identified risks of the business – an independent audit for the purpose of testing the systems and controls.

Consumer protection

What consumer protection laws and regulations apply to the provision of fintech products and services?

There are sector-specific protections for consumers in various applicable financial and investment services regimes, including:

  • the Financial Services (EEA) (Payment Services) Regulations 2018;
  • the Financial Services (Electronic Payment) Regulations 2011;
  • the Gibraltar Financial Services Commission; and
  • the Financial Services (Distributed Ledger Technology Providers) Regulations 2017.

In addition, there are a number of general regimes that apply to protect consumers when trading with operators in Gibraltar, including:

  • the EU distance selling regime, as implemented by the Financial Services (Distance Marketing) Act 2006;
  • the EU unfair contract terms regime for consumers, as implemented by the Unfair Terms in Consumer Contracts Act 1989; and
  • the Fair Trading Act 2015.

Competition

Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?

This is unlikely as, in most cases, the operators do not have a material dominant position in the market.

Cross-border regulation

Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?

For EU citizens, EU law governs the rules for online dispute resolution with regard to consumers, choice of law and jurisdiction in consumer contracts. In all other cases, there is the potential for conflict of laws between the home jurisdiction of the operator and the laws of the country where the customer resides. For e-commerce businesses, this is always an area to consider carefully.

Financing, investment and government support

Government support

Does the government provide any incentives or support programmes to promote fintech innovation in your jurisdiction (eg, tax incentives, grants and regulatory sandboxes)?

The regulator operates a de facto sandbox approach to new opportunities that require careful consideration of how the proposed activities interact with existing laws. The Gibraltar Financial Services Commission has set up an Innovate and Create team to deal with such queries (see www.fsc.gi/FSC/innovate).

The government previously introduced a start-up business support package:

A start-up incentive scheme was introduced for companies or limited partnerships which were incorporated between 5 July 2016 and 30 June 2017. Over the first three financial years of trading, the company will be eligible for a tax credit equal to the tax due up to a maximum of £50,000 over each of the first three years. The government may decide to introduce or extend this scheme in the future.

Has the government concluded any international cooperation agreements to promote and facilitate the cross-border expansion of fintech businesses?

The UK government has provided Gibraltar with a guarantee that any access enjoyed by financial service firms under existing arrangements will be unaffected by Brexit.

Financing and investment

What private financing and investment schemes are available and commonly used for fintech start-ups in your jurisdiction?

Gibraltar has a strong entrepreneurial culture with access to private equity and venture capital for interesting start-ups, particularly in the fintech sector.

Ancillary issues

IP rights

What forms of IP protection are available for fintech innovations?

Gibraltar mostly follows English law in relation to the registration of IP rights and the protection of registered and unregistered IP rights.

The UK Patents Act 1977 operates in Gibraltar by virtue of the Gibraltar Patents Act. It is not possible to make an original application to register a patent in Gibraltar. The application must be made to the UK Intellectual Property Office and extended to include Gibraltar within three years of the UK patent’s date of issue. Protection will run for as long as the UK patent is valid.

European trademarks may be registered from Gibraltar and a UK registration can be extended to cover Gibraltar.

Designs registered in the UK are automatically protected in Gibraltar by virtue of the Gibraltar Designs Act 1928. There is no design registry and no need for an application to be made in Gibraltar. Designs registered in the European Union (by way of a registered community design) are also automatically protected in Gibraltar under the Treaty on the Functioning of the European Union. Further international protection is available under the World Intellectual Property Office Hague Agreement Concerning the International Deposit of Industrial Designs 1925.

With regard to unregistered designs, protection arises automatically when the design is recorded in a design document or an article is made to the design. Designs made in Gibraltar qualify for reciprocal protection in the UK (Design Right (Reciprocal Protection) Order 1989 (No 2) 1989 (SI 1989/1294)).

In Gibraltar, copyright protects the authors of works by preventing others from copying or reproducing the work, with protection arising automatically on creation of the qualifying work. As such, registration is not required.

What rules govern the ownership of IP rights to fintech innovations?

None.   

Immigration

What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the tech or financial sector?

A company can apply to the Finance Centre director to have employees designated as a high executive possessing specialist skills (HEPSS individual). HEPSS individuals must:

  • possess specialist skills of exceptional economic value to Gibraltar;
  • have skills that are not available in Gibraltar; and
  • earn more than £100,000 a year.

Income tax liability is capped to the first £120,000 of taxable earnings. The cap primarily applies to income from the designated employment, but can extend to certain dividends, interest, pensions income and foreign income. A HEPSS individual will be required to have residential accommodation in Gibraltar that is suitable for HEPSS requirements. The Finance Centre director must confirm suitability before a HEPSS individual can enter into any residential property agreements.

What immigration schemes are available for foreign investors and entrepreneurs wishing to invest in or establish a fintech business in your jurisdiction?

Gibraltar affords individuals whose net worth exceeds £2,000,000 a special status known as Category 2. For these purposes, the status limits the individual’s tax liability to their first £80,000 of assessable income.

Assessable income includes all income deemed taxable under the Gibraltar Income Tax Act 2010 but excludes income accrued from abroad, or income received from a trust. While Category 2 status is popular among retirees, it is also available to individuals based in Gibraltar who are shareholders of companies whose activities are carried on outside Gibraltar. Such individuals may also be directors of such companies provided that this is permitted under the conditions of their Category 2 certificate; consent is usually sought from the Finance Centre director in such cases.

Under the provisions of the applicable law, an individual who benefits from Category 2 status will be subject to a maximum tax liability of £27,560 a year and a minimum of £22,000 a year (according to current applicable rates). Spouses can also elect to have their income assessed under their partner’s Category 2 arrangements, with the combined incomes being subject to the aforementioned cap.

For those individuals who wish to obtain Category 2 status, an application for a Category 2 certificate is made to the Finance Centre, along with a non-refundable deposit of £1,000. In order for the application to be successful, the individual must have residential accommodation (rented or purchased) in Gibraltar available to them for their own exclusive use, which must be approved by the Finance Centre.

The Finance Centre director will issue a certificate if he is satisfied that:

  • the applicant meets the above criteria;
  • the applicant is of substantial and sound financial standing and good character; and
  • the issue of the certificate will not be harmful to Gibraltar’s reputation as a well-regulated finance centre.