Regulatory issues

Regulatory approach

How would you describe the regulatory policy for fintech products and services in your jurisdiction?

The Gibraltarian government and the Gibraltar Financial Services Commission have taken a mindful approach to the various fintech sectors – they are supportive of innovation while recognising the need for suitable regulation in many key areas in order to:

  • encourage good operators (that are looking for a suitable regulatory framework);
  • deter bad operators and practices;
  • protect consumers and the clients of fintech firms; and
  • mitigate the risks of money laundering and crime.

Gibraltar is willing to tackle regulation at the cutting edge of technological developments in order to ensure that it remains a leading fintech jurisdiction as witnessed by the DLT provider regime. It has also advanced proposals for a new regulatory regime for the promotion and sale of crypto-tokens.

The government recently stated its intention to create a new regime that will provide important minimum standards and good practice for the promotion and sale of crypto-tokens (sometimes known as ‘initial coin offerings’ (ICOs)). In its recent Token Regulation proposal document, the Gibraltarian government outlines its approach as follows:

Crowd funding is a perfectly legitimate method of raising finance as is seeking public subscription for new ventures. It is therefore desirable to establish a regulatory regime that helps firms in Gibraltar to develop new products and services and maintain competitiveness whilst, at the same time, protecting consumers and Gibraltar’s reputation.

A token sale is a means by which an organisation can raise funds through crowd financing by issuing and selling tokens.

Presently, if the token is not a security offering and is essentially a utility token, it is unregulated under Gibraltarian and EU law.

In circumstances where a token is not a security, it has been recognised that there is some risk posed to the general public (ie, inexperienced investors) through investment in tokens, and that a suitable regulatory environment could support this new sector while putting in place much-needed standards and controls.

When not a security, a token provides the holder or investor with access to a developed product or service. An ICO is a means of early-stage project funding, and as such, subscribers or investors are often investing in a product or service that is yet to be developed.

The proposed token sale regulations are intended to cover:

  • the promotion, sale and distribution of tokens; 
  • operating secondary market platforms trading in tokens; and 
  • providing investment and ancillary services relating to tokens.

The government has made the following statement regarding the purpose of the regulations:

It is… desirable to establish a regulatory regime that mitigates such risks and provides appropriate and adequate safeguards by: requiring full and accurate disclosure of information; imposing rules for the orderly and proper conduct of secondary market platforms; and requiring competent professional investment services.

The new token sale regime is intended to bring into scope all token sales that fall outside existing financial services regimes so that there are minimum standards in place for the sale of so-called ‘utility tokens’ that are otherwise outside the scope of the DLT Regulations and existing financial services and securities law. The new regime is likely to require that any token sale be conducted and promoted by a regulated sponsor firm.

This regime will not impact the offer and promotion of tokenised securities, as these are already subject to existing Gibraltar and EU law (eg, the Markets in Financial Instruments Directive (MiFID) II, the prospectus regime and the AIFMD).

Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?

In January 2018 the Financial Services (Distributed Ledger Technology Providers) Regulations 2017 (DLT Regulations) came into force. The DLT framework applies to activities by providers, not subject to regulation under any other regulatory framework, that use DLT for the transmission or storage of value belonging to others. Firms and activities that are subject to another regulatory framework continue to be regulated under that framework (eg, MiFID, payment services or electronic money).

Regulated DLT providers (eg, exchanges, brokers, remitters and custodians) must apply for authorisation from the Gibraltar Financial Services Commission and comply with the DLT Regulations.

Any DLT provider that facilitates the exchange of virtual currency into fiat currency should also be mindful of the wider financial services regime, especially the potential impact of the payment services and electronic money regimes. Facilitating payment transactions (eg, in exchange for virtual currency) will not normally constitute regulated payment service activities. However, depending on the structure of the offering and any additional value-added payment services, it may, in limited cases, involve the carrying out of a regulated payment service activity in Gibraltar, the United Kingdom and the European Union under European payment services law.

In order to carry out a regulated activity, a firm must either be authorised for that activity or work with a provider which is – otherwise, it will be committing a criminal offence.

The DLT Regulations define DLT provider activities as follows:

Providing distributed ledger technology services.

  (1) Carrying on by way of business, in or from Gibraltar, the use of distributed ledger technology for storing or transmitting value belonging to others.
  (2) For the purposes of sub-paragraph (1)–

“distributed ledger technology” or “DLT” means a database system in which–

  (a) information is recorded and consensually shared and synchronised across a network of multiple nodes; and
  (b) all copies of the database are regarded as equally authentic; and

“value” includes assets, holdings and other forms of ownership, rights or interests, with or without related information, such as agreements or transactions for the transfer of value or its payment, clearing or settlement.

Gibraltar is willing to tackle regulation at the cutting edge of technological developments in order to ensure that it remains a leading fintech jurisdiction as witnessed by the DLT provider regime. It has also advanced proposals for a new regulatory regime for the promotion and sale of crypto-tokens.

The government recently stated its intention to create a new regime that will provide important minimum standards and good practice for the promotion and sale of crypto-tokens (sometimes known as ‘initial coin offerings’ (ICOs)). In its recent Token Regulation proposal document, the Gibraltarian government outlines its approach as follows:

Crowd funding is a perfectly legitimate method of raising finance as is seeking public subscription for new ventures. It is therefore desirable to establish a regulatory regime that helps firms in Gibraltar to develop new products and services and maintain competitiveness whilst, at the same time, protecting consumers and Gibraltar’s reputation.

A token sale is a means by which an organisation can raise funds through crowd financing by issuing and selling tokens.

Presently, if the token is not a security offering and is essentially a utility token, it is unregulated under Gibraltarian and EU law.

In circumstances where a token is not a security, it has been recognised that there is some risk posed to the general public (ie, inexperienced investors) through investment in tokens, and that a suitable regulatory environment could support this new sector while putting in place much-needed standards and controls.

When not a security, a token provides the holder or investor with access to a developed product or service. An ICO is a means of early-stage project funding, and as such, subscribers or investors are often investing in a product or service that is yet to be developed.

The proposed token sale regulations are intended to cover:

  • the promotion, sale and distribution of tokens; 
  • operating secondary market platforms trading in tokens; and 
  • providing investment and ancillary services relating to tokens.

The government has made the following statement regarding the purpose of the regulations:

It is… desirable to establish a regulatory regime that mitigates such risks and provides appropriate and adequate safeguards by: requiring full and accurate disclosure of information; imposing rules for the orderly and proper conduct of secondary market platforms; and requiring competent professional investment services.

The new token sale regime is intended to bring into scope all token sales that fall outside existing financial services regimes. This way, there will be minimum standards in place for the sale of so-called ‘utility tokens’ that are otherwise outside the scope of the DLT Regulations and existing financial services and securities law. The new regime is likely to require that any token sale be conducted and promoted by a regulated sponsor firm.

This regime will not impact the offer and promotion of tokenised securities, as these are already subject to existing Gibraltar and EU law (eg, MiFID II, the prospectus regime and the AIFMD).

Regulatory authorities

Which government authorities regulate the provision of fintech products and services?

The Gibraltar Financial Services Commission.

Financial regulatory framework

Which laws and regulations governing the provision of financial services apply to fintech businesses?

All existing laws that relate to regulated financial and investment services, including:

  • MiFID II;
  • the Proceeds of Crime Act;
  • alternative investment schemes and collective investment schemes (including the AIFMD);
  • the offer of transferable securities under the prospectus regime;
  • banking;
  • consumer credit and insurance;
  • trust and fiduciary services;
  • e-money and payments; and
  • custodians.

As with other commercial operators, the starting point for any regulatory analysis is the extent to which the fintech operator is conducting regulated financial service activities. The fact that they are conducting such services using more advanced technological tools than the existing sector operators is not normally the material issue for ascertaining the applicability of regulation to such activities, as most financial service and investment service regimes are intended to be technologically neutral.

However, in some cases, fintech operators will be using new business models and technologies that do not fit neatly within existing regulatory frameworks. This is the case with DLT operators storing or transmitting crypto-value on behalf of others, and with the rise of ICOs.

Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?

It depends on the nature of the activities and sector. It is not possible to list all of the different regulatory regimes and applicable exemptions as they vary and are specific to each type of business.

While the term ‘fintech’ is catchy and captures the spirit of these new innovative businesses, it has little real significance for regulatory purposes.

Are any fintech products or services prohibited in your jurisdiction?

Only those products and services that are prohibited under existing financial services regimes (irrespective of the medium and technology used) – for example, the offer of transferable securities to the public without a suitable prospectus.

Data protection and cybersecurity

What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

The Data Protection Act 2004, the Communications (Personal Data and Privacy) Regulations 2006 and the EU General Data Protection Regulation (see www.lexology.com/library/detail.aspx?g=9fea5eea-5e35-4101-b64c-e5ab72878c6f).

What cybersecurity regulations or standards apply to fintech businesses?

In addition to its data protection laws, Gibraltar has a range of laws that govern cybersecurity, including laws implementing EU directives and territory-specific laws. These include the:

  • Crimes Act 2011;
  • Proceeds of Crime Act 2015;
  • Crimes Act (Amendment) Regulations 2015, implementing the EU Directive on Attacks Against Information Systems (2013/40/EU);
  • Communications (Combating Child Pornography) Regulations 2013, implementing the EU Directive on Combating the Sexual Exploitation of Children Online and Child Pornography (2011/92/EU);
  • Criminal Offences Ordinance 2005, implementing the Council Framework Decision on Combating Fraud and Counterfeiting;
  • Communications Act 2006;
  • Communications (Personal Data and Privacy) Regulations 2006;
  • Data Protection Act 2004;
  • Financial Services (EEA) (Payment Services) Regulations 2010; and
  • Civil Contingencies Act 2007.

For a fuller review of this area of law, see www.lexology.com/library/detail.aspx?g=9fea5eea-5e35-4101-b64c-e5ab72878c6f.

In addition, as part of its regulatory principles, the Financial Services (Distributed Ledger Technology Providers) Regulations 2017 provide that DLT providers must:

  • have effective arrangements in place for the protection of customer assets and money, when they are responsible for them; and
  • ensure that all of their systems and security access protocols are maintained to appropriately high standards.

The Gibraltar Regulatory Authority is the designated authority responsible for regulating, supervising and enforcing compliance for the security of network and information systems for designated operators of essential services and digital services.

Financial crime

What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?

The Crimes Act 2011, the Proceeds of Crime Act 2015 and the Terrorism Act 2005.

What precautions should fintech businesses take to ensure compliance with these provisions?

A fintech business is subject to the regulatory requirements of Part III of the Gibraltar Proceeds of Crime Act 2015 (POCA) and must ensure that none of the services it provides are used for the purposes of financial crime, including money laundering, financing terrorism, evading sanctions or otherwise facilitating criminal activity.

A fintech business must develop and implement anti-money laundering and combating the financing of terrorism (AML/CFT) policy controls to identify, assess, report and monitor AML/CFT risks across the customers, products, services and geographical locations relevant to its business activity. These controls must consist of a number of policies and procedures to address and mitigate the inherent AML/CFT risks identified, the appointment of a money laundering reporting officer, AML/CFT employee training and – when deemed appropriate relative to the size and identified risks of the business – an independent audit for the purpose of testing the systems and controls.

Consumer protection

What consumer protection laws and regulations apply to the provision of fintech products and services?

There are sector-specific protections for consumers in various applicable financial and investment services regimes, including:

  • the Financial Services (EEA) (Payment Services) Regulations 2018;
  • the Financial Services (Electronic Payment) Regulations 2011;
  • the Gibraltar Financial Services Commission; and
  • the Financial Services (Distributed Ledger Technology Providers) Regulations 2017.

In addition, there are a number of general regimes that apply to protect consumers when trading with operators in Gibraltar, including:

  • the EU distance selling regime, as implemented by the Financial Services (Distance Marketing) Act 2006;
  • the EU unfair contract terms regime for consumers, as implemented by the Unfair Terms in Consumer Contracts Act 1989; and
  • the Fair Trading Act 2015.

Competition

Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?

This is unlikely to happen as, in most cases, the operators do not have a material dominant position in the market.

Cross-border regulation

Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?

For EU citizens, EU law governs the rules for online dispute resolution with regard to consumers, choice of law and jurisdiction in consumer contracts. In all other cases, there is the potential for conflict of laws between the home jurisdiction of the operator and the laws of the country where the customer resides. For e-commerce businesses, this is always an area to consider carefully.
