1 Legal and enforcement framework
1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?
- The Payment Services Directive (2015/2366), which is transposed into Gibraltar law via the Financial Services (Payment Services) Regulations 2018;
- The Electronic Money Institutions Directive (2009/110/EC), which is transposed into Gibraltar law via the Financial Services (Electronic Money) Regulations 2011;
- The Financial Services (Banking) Act 1992 (as amended);
- The Financial Services (Distributed Ledger Technology Providers) Regulations 2017;
- The Financial Services (Investment and Fiduciary Services) Act 1989;
- The Financial Services (Markets in Financial Instruments) Act 2018;
- The Financial Services (Collective Investment Schemes) Act 2011;
- The Financial Services (Alternative Investment Fund Managers) Regulations 2013;
- The EU Prospectus Regulation (2017/1129);
- The Financial Services (Moneylending) Act 1917;
- The Financial Services (Insurance Companies) Act 1987 (as amended); and
- The Prospectuses Act 2005.
1.2 Do any special regimes apply to specific areas of the fintech space?
The abovementioned domestic and EU legacy frameworks (eg, the EU Market in Financial Instruments Directive and the Payment Services Directive) serve as the principal legislative regimes underpinning fintech in Gibraltar. However, with the enactment of the Financial Services (Distributed Ledger Technology Providers) Regulations 2017, Gibraltar has distinguished itself from other jurisdictions globally at the forefront of fintech by establishing a principles-based legislative framework that brings into regulatory scope any firm carrying out by way of business, in or from Gibraltar, the use of distributed ledger technology for storing or transmitting value belonging to others.
1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?
The Financial Services Commission (FSC) in Gibraltar is the primary competent authority, whose mandate is to regulate the financial services industry by ensuring the promotion of good business, consumer protection and enhancement of Gibraltar's reputation as a quality financial services centre. The FSC's main role and regulatory powers encompass the authorisation, supervision and enforcement of regulated entities under the abovementioned legislative frameworks.
The above applies, save for the business of money lending, which is licensed and falls under the regulatory remit of the government of Gibraltar.
1.4 What is the regulators' general approach to fintech?
The FSC operates a risk-based approach, underpinned by a Risk Governance Framework (RGF), to innovative offerings and businesses within the Gibraltar finance industry. The RGF prescribes a set of processes, policies, standards and disciplines that safeguard a consistent understanding of risk, as well as the adequate resource allocation in those areas which are outside the FSC's risk appetite and tolerance. This approach ensures a focus on how best to support the safe growth of the jurisdiction while not stifling innovation within the industry.
1.5 Are there any trade associations for the fintech sector?
Key industry associations such as the Gibraltar Association of Compliance Officers, the Gibraltar Electronic Money Association, the Gibraltar Bankers Association and the newly formed Gibraltar Association for New Technologies operate as formal lines of communication between policy makers and the private sector in Gibraltar's fintech industry, facilitating the exchange of information and ideas, with a view to enhancing knowledge and awareness within the industry. Further industry organisations have similarly embraced fintech offerings – an example is the Gibraltar Funds and Investments Association's publication of a Code of Conduct for Crypto Funds in October 2018.
2 Fintech market
2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?
Gibraltar's acceptance of fintech has paved the way for innovation within Market in Financial Instruments Directive (MiFID) institutions, e-money firms and insurance businesses, with substantial fintech growth and development evident within each of these sectors.
Undoubtedly, the Distributed Ledger Technology Regulations have resulted in an increased amount of global attention, with the pool of licensed firms increasing and the industry maturing. Established companies in the electronic money and payment services sectors have similarly looked to make inroads into the fintech industry and capitalise from Gibraltar's economic growth.
2.2 What products and services are offered?
The types of businesses and products currently existing in Gibraltar are varied and wide ranging, with offerings that include the custodianship of virtual assets, secondary market providers (eg, virtual asset exchanges), e-money institutions, payment service providers, MiFID firms offering alternative investment products, insurance providers and crypto-funds. All of the above are further incentivised by the government of Gibraltar's pro-financial services innovation stance and intentions to expand the activities that would fall within the scope of the fintech regulatory landscape, opening the door to increased business opportunities.
2.3 How are fintech players generally structured?
Often as private limited companies in accordance with the Gibraltar Companies Act 2014 or as protected cell companies established under the Protected Cell Company Act 2001, common in the funds and insurance industries.
2.4 How are they generally financed?
The financing of fintech firms varies substantially. Many firms within the industry have benefited from investment by both domestic and international investors, profited due to their holdings of virtual assets as they gained popularity or used their existing business to finance their expansion into the fintech sector.
Although currently unregulated by the Financial Services Commission (FSC), many firms have conducted initial coin offerings as a means of funding or developing their business platforms. In recent times security token offerings – which are regulated under legacy frameworks such as MiFID, which was transposed in Gibraltar via the Financial Services (Markets in Financial Instruments) Act 2006 and the recently implemented EU Prospectus Regulation (2017/1129) – serve as additional avenues for fintech companies seeking to raise capital.
2.5 How are they positioned within the broader financial services landscape?
Firms of varying size, scale, complexity and business phase – including globally recognised, more traditional financial services businesses – are now in the process of expanding their services into the fintech industry.
Gibraltar was the first jurisdiction in Europe to create regulations specifically designed for distributed ledger technology (DLT) service providers and as highlighted above, this has already attracted established, high-profile cryptocurrency exchanges and wallet service providers. Start-up businesses have also benefited from this environment, with financial service providers across the fintech industry similarly being drawn to the jurisdiction.
The government of Gibraltar has been very supportive in the development of the DLT industry and the FSC's DLT team has shown advanced technical knowledge of DLT, as well as the wider fintech industry, while remaining extremely approachable and willing to engage in open dialogue with applicants throughout the application process for DLT providers or any other regulated activities.
2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?
This will often depend on each business case but, it is not uncommon for start-ups to outsource back office functions. The FSC has published a guidance note on outsourcing arrangements, setting out the guiding principles for licensed firms that may look to outsource any business functions.
Any licensed firm, in accordance with the FSC's corporate governance requirements, must adhere to ‘mind and management' criteria which include ensuring decision making pertaining to the running of business on a day-to-day basis and various approvals (eg, operational policies and key contracts) being conducted from Gibraltar.
Broadly, this means that fintech businesses that are regulated by the FSC must have ‘fit and proper' persons approved by the FSC undertaking key roles within the business. However, not all of these individuals need be based in Gibraltar; the overriding requirements are that the ‘four eyes' (two individuals) criterion met on a continual basis, and that individuals assigned to fulfil these roles do so over the entire operations of the firm.
3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)
(a) Internet (e-commerce)
Internet (e-commerce) falls under regulatory remit of the Gibraltar Regulatory Authority (GRA), which acts as the national supervisory and regulatory authority for telecommunications (including in data protection) in accordance with EU law.
(b) Mobile (m-commerce)
Mobile (m-commerce) similarly falls within the GRA's regulatory scope (see 3.1).
(c) Big data (mining)
Although there are no specific regulatory frameworks governing big data in Gibraltar, data mining may fall within the scope of the EU General Data Protection Regulation (2016/679) (GDPR) if data is processed, due to the processing of data being governed by the GDPR. The Data Protection Commissioner (which is the statutory body responsible for the enforcement of data protection laws including the GDPR) is the GRA.
(d) Cloud computing –
Depending on the proposed activity, cloud computing may fall under Gibraltar's Communications Act 2006; if this is the case, as in questions 3.1 and 3.2 the activity will fall within the regulatory remit of the GRA.
(e) Artificial intelligence
There are no specific regulatory frameworks governing artificial intelligence in Gibraltar.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
See question 1.2.
4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.
(a) Crowdfunding, peer-to-peer lending
Currently, no legislation or regulation specifically relates to crowdfunding in Gibraltar. However, the Financial Services Commission (FSC) has expressed that it is monitoring developments in the crowdfunding market. In March 2019 the European Parliament approved the European Commission's proposals for common rules for crowdfunding platforms across Europe, with the crowdfunding regulation forming part of the European Commission's FinTech Action Plan.
Any crowdfunding platforms should be wary of the newly implemented EU Prospectus Regulation (2017/1129), the domestic Prospectuses Act 2005 and the funds regime, as certain platforms may be conducting regulated activity under these frameworks. Similarly, peer-to-peer platforms which have gained popularity in recent times should consider whether their activity falls under ‘money lending' in accordance with Financial Services (Moneylending) Act 1917.
(b) Online lending and other forms of alternative finance
See questions 4(a) and 2.4 (notably coin offerings or security token sales).
(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb)
The Payment Services Directive (2015/2366), which is transposed into Gibraltar law via the Financial Services (Payment Services) Regulations 2018, governs payments services activities in or from Gibraltar.
Activities which may involve foreign exchange could require a licence under the Financial Services (Investment and Fiduciary Services) Act 1989 as a bureau de change.
This will often depend on the product and/or activity. The trading of financial instruments will fall under the Markets in Financial Instruments Directive, while the trading of virtual assets will fall under the Distributed Ledger Technology Regulations.
(f) Investment and asset management
Gibraltar's investment and asset management fintech sectors are primarily governed through the EU Alternative Investment Fund Managers Directive and undertakings for collective investment in transferable securities legislative regimes, with Gibraltar's Financial Services (Experienced Investor Funds) Regulations 2018 providing a further route for innovate fund products.
(g) Risk management
There are no specific regulatory frameworks governing risk management in Gibraltar. However, the FSC sets out prescriptively in guidance notes and reports the standards and requirements of licensed entities.
There are no specific regulatory frameworks governing roboadvice in Gibraltar.
Traditional insurance firms in Gibraltar are becoming increasingly receptive to the idea of insuring fintech businesses, particularly in respect of those business seeking authorisation from the FSC.
However, although supportive of the industry, insurers in Gibraltar are not currently actively endorsing the adoption and integration of fintech into their businesses.
5 Data security and cybersecurity
5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?
As in the other EU member states, the EU General Data Protection Regulation (2016/679) (GDPR) applies to the processing of ‘personal data' and builds upon Gibraltar's Data Protection Act 2004, which was designed to implement the EU Data Protection Directive (95/46/EC). The impact is therefore comparable to that in other EU member states, in that fintech companies that process personal data falling under the scope of the GDPR will be able to process such data only insofar as the processing is done in compliance with the GDPR.
Furthermore, the Communications (Personal Data and Privacy) Regulations 2006 implement into Gibraltar law the provisions set under the EU e-Privacy Directive (2002/58/EC). The regulations:
- afford specific privacy rights in relation to electronic communications such as marketing calls, emails, texts and faxes;
- impose obligations relating to the security of communication services (and data storage); and
- set out specific reporting obligations for security and data breaches.
Fintech businesses are at the forefront of technological development, embedding technology within their financial services offering. Therefore, electronic communications are likely to form a core part of their offering and, as such, fintech business should comply with these regulations.
5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?
Under Principle 7 of the Distributed Ledger Technology (DLT) Regulations, a DLT provider "must ensure that all systems and security access protocols are maintained to appropriate high standards".
Therefore, businesses that are regulated under the DLT Regulations must prove to the regulator, the Financial Services Commission, that their cybersecurity systems are of a high standard before they can obtain the licence that is required to begin operating in Gibraltar. This in turn leads to a more secure fintech industry.
6 Financial crime
6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?
Businesses operating from within Gibraltar must comply with the Proceeds of Crime Act 2015 (POCA). POCA is designed to prevent the abuse of the financial system for the laundering of illicit money and the financing of terrorism. Therefore, businesses falling under the scope of POCA (also known as ‘relevant financial businesses') must apply due diligence measures, which vary in accordance with the degree of risk and likelihood that funds will be laundered or used for the financing of terrorist activity. Fintech businesses that carry out token sales are specifically brought within the scope of POCA by virtue of a definition which states that "undertakings that receive, whether on their own account or on behalf of another person, proceeds in any form from the sale of tokenised digital assets involving the use of distributed ledger technology or a similar means of recording a digital representation of an asset" are relevant financial businesses.
Moreover, Principle 8 of the DLT Regulations states that a DLT provider "must have systems in place to prevent, detect and disclose financial crime risks such as money laundering and terrorist financing".
Therefore, business falling within the scope of the DLT Regulations will have to demonstrate compliance with POCA before they can start operating. This pre-approval mechanism brought in by the DLT Regulations creates a robust framework to prevent money laundering and terrorist financing.
The result is that the public perception of the fintech industry in Gibraltar is very positive, and far from the lack of trust that is typical in jurisdictions where companies deploying or utilising DLT as part of their business are not yet regulated under a dedicated regulatory framework.
7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?
No, currently no specific domestic competition rules or legislation exists. As such, the area is pre-dominantly regulated in accordance with EU competition measures.
8.1 How is innovation in the fintech space protected in your jurisdiction?
As part of its ongoing effort to stimulate healthy innovation, the Financial Services Commission (FSC) has established the Innovate and Create Team. The team is made up of experts from a number of organisations involved in the financial industry, and its core purpose is to assist businesses with both the implementation of innovative ideas and the introduction of new products and services into the market.
Along with regular talks, seminars and events geared around fintech, additional initiatives and programmes such as the Professional Certificate of Competence in Blockchain & Smart Contracts given at the University of Gibraltar further safeguard the development of fintech within Gibraltar.
8.2 How is innovation in the fintech space incentivised in your jurisdiction?
No specific government grants or corporate incentives exist for fintech businesses. However, corporation tax in Gibraltar is set at 10% of profits which accrue or derive from Gibraltar and no capital gains tax, inheritance tax, wealth tax, gift tax, value added tax, withholding tax or tax on interest or gains made on monetary investments exists in Gibraltar.
Gibraltar also offers encouraging tax benefits for highly skilled workers under the Higher Executive Possessing Specialist Skills regime (see question 9.2).
9 Talent acquisition
9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?
Gibraltar employment law, under the principle statute the Employment Act 1932 (as amended) and Employment Regulations 1994, applies to all employees working in Gibraltar, regardless of their nationality. A foreign professional who is not an entitled worker will need a work permit and, potentially, a visa according to his or her nationality. Entitled workers are:
- European Economic Area (EEA) nationals;
- family members of EEA nationals;
- persons entitled to seek and take up employment in Gibraltar; and
- Swiss nationals.
9.2 How can fintech companies attract specialist talent from overseas where necessary?
Access to talent has not been an issue with regard to novel industries such as fintech and remote gaming, particularly due to Gibraltar's welcoming attitude to personnel with uncommon and specific skills and experience. Section 7(3) of the Employment Regulations, which regards the provision of work permits, showcase Gibraltar's attitude towards immigration, whereby employers should first seek talent within the jurisdiction before outsourcing it from outside. Therefore, Gibraltar encourages access to talent from abroad while at the same time protecting the internal job market.
Gibraltar is also attractive to new businesses due to schemes such as Higher Executive Possessing Specialist Skills (HEPPS) regime. Those individuals who are granted HEPPS status have a special fiscal status in Gibraltar whereby their gross assessable income is capped at £120,000 per annum, which would result in a total tax liability of approximately £30,000.
10 Trends and predictions
10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
With Gibraltar's expanding financial services industry paving the way for domestic and global fintech businesses alike, the jurisdiction has positioned itself as a receptive, globally recognised jurisdiction for fintech players, and particularly distributed ledger technology firms, promoting innovation within the industry while ensuring consumer protection. Undoubtedly, the outlook is positive.
When considering future developments, the government of Gibraltar has been open regarding its intentions to expand regulated activities within the jurisdiction, more specifically by enacting Token Offering Regulations which would focus on three key aspects:
- the promotion, sale and distribution of tokens;
- the operation of secondary market platforms trading in tokens; and
- the provision of investment and ancillary services relating to tokens.
With the Token Offering Regulations operating as a set of standards for initial coin offerings and initial token sales to be better tailored to issuers' needs in terms of structure, investor confidence should be boosted through the implementation of robust standards, which should help to maintain the credibility of the jurisdiction.
11 Tips and traps
11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?
The key recommendations for any businesses looking to develop their fintech offering, whether they are established fintech firms or start-ups, are to plan effectively and not cut corners, and always to seek advice and guidance at the earliest juncture. Gibraltar is fortunate to have a regulator in the Financial Services Commission and local advisers are open to dialogue and willing to offer expert assistance wherever needed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.