Operating a digital-asset business without proper authorisation in Gibraltar carries real consequences. Enforcement action, terminated banking relationships and frozen payment rails are not theoretical outcomes – they are documented results that have ended otherwise sound businesses. Gibraltar's Distributed Ledger Technology (DLT) Provider regime, administered by the Gibraltar Financial Services Commission (GFSC), was among the first purpose-built crypto licensing regimes globally and remains a credible entry point for exchanges, custodians and token issuers seeking a regulated common-law base close to EU markets. This page explains who needs a licence, what the GFSC requires, how the process works, and where the cross-border complications live.
What Is the Regulated Basis for Crypto in Gibraltar?
Gibraltar regulates digital-asset businesses through its DLT Provider authorisation, which captures any firm using distributed ledger technology to store or transmit value belonging to others – a definition wide enough to cover spot exchanges, custodians, OTC desks, payment processors and, increasingly, lending and staking platforms. The GFSC is the sole licensing authority. Its regime predates MiCA and was specifically designed for the asset class, rather than adapted from legacy financial-services rules.
The regime is principles-based. The GFSC publishes nine regulatory principles covering governance, systems and controls, financial crime, custody, client protection and market integrity. Applicants are expected to demonstrate compliance with each principle in operational terms – not simply by citing policies. In our licensing practice, we have seen applications stall precisely because businesses submitted policy documents without the operational substance to back them up. The GFSC conducts substantive reviews, not box-ticking exercises.
Gibraltar is a British Overseas Territory. Its courts apply English common law. The GFSC cooperates with the FCA and with EU supervisors. That common-law base matters for structuring: contracts, dispute resolution and enforcement all operate within a recognisable framework for counterparties and institutional investors. For a business wanting a regulated common-law seat that is not subject to full UK MLR requirements or MiCA's EU passport architecture, Gibraltar offers a distinct position.
The regulatory perimeter also extends to financial promotions directed at Gibraltar residents. A business with offshore authorisation that targets Gibraltar-based users without a local licence is not exempt. The GFSC has made this point explicitly in its guidance, and the risk of informal enforcement – including requiring a business to cease Gibraltarian operations – is real. Any inbound operator should map its user base before assuming its home-jurisdiction licence covers the position.
For a scoped assessment of your regulatory position under the GFSC DLT regime, contact OBOLUS at info@oboluslaw.com. The process above describes the standard path. Your facts – the entity structure, the user base and the banking setup – change the analysis materially. Map your options
Who Needs a DLT Provider Licence in Gibraltar?
Any firm using DLT to store or transmit value on behalf of third parties in or from Gibraltar requires a GFSC DLT Provider licence. The trigger is functional, not definitional: the GFSC looks at what the business does, not what it calls itself. Exchanges, custodians, OTC brokers, crypto payment processors, yield-bearing custody arrangements and transfer platforms all fall within scope. Software-only firms that do not hold client assets or process client transactions are generally outside the perimeter, but that boundary is assessed on the facts.
Token issuers do not automatically require a DLT Provider licence, but a public token offering may engage Gibraltar's prospectus requirements or, depending on the token's characteristics, securities regulation. The GFSC has published guidance on token classification. Operators we advise regularly seek pre-application clarity from the GFSC on classification before committing to a Gibraltar structure – a step that costs weeks at the front end but prevents the far more expensive consequence of a redesign mid-application.
Non-Gibraltarian businesses serving Gibraltar residents from offshore should assume a nexus analysis is required. The GFSC applies a connection test that considers where users are located, where the server infrastructure sits and where marketing is directed. A business incorporated in, say, the British Virgin Islands but actively acquiring Gibraltar-resident customers may be operating unlicensed in Gibraltar regardless of its BVI status under the BVI VASP Act 2022.
How Does the Gibraltar DLT Licence Application Work?
The GFSC application process for DLT Provider authorisation is structured around a pre-application meeting, a formal submission and a substantive review phase. Pre-application engagement is not optional in practice – the GFSC expects it, and submitting a cold application without prior dialogue with the regulator generally extends review timelines significantly.
The application package typically includes a detailed business plan, an AML/CFT framework aligned to Gibraltar's financial crime legislation and FATF Recommendation 15 standards, governance documentation covering the board and senior management, individual questionnaires for all principals and beneficial owners, a technology and cybersecurity assessment, a client asset protection framework and financial projections. The nine regulatory principles function as a compliance map: each section of the submission should address a principle explicitly.
Timelines vary by complexity and the completeness of the submission. Simple structures with clean ownership, experienced management and well-documented controls move faster than multi-layered groups or businesses with novel product features. The GFSC is a proportionately resourced regulator – substantive engagement from a senior case officer is standard, but review queues exist. In our cross-border practice, we prepare clients for a process measured in several months rather than weeks, and we front-load the work to compress that window.
A practical point on management: the GFSC expects a physical presence in Gibraltar. This means more than a registered office. Directors with day-to-day oversight, compliance officers and, for larger operations, a locally present senior management function are expected. Remote or nominee arrangements that provide the appearance of presence without substance have attracted regulatory scrutiny, and the GFSC has moved to revoke or restrict licences where the substance test was not met.
AML, CFT and the Travel Rule in Gibraltar
Gibraltar aligns its anti-money laundering regime to FATF Recommendation 15, which treats DLT providers as virtual asset service providers subject to the same CDD, transaction monitoring and record-keeping standards as traditional financial institutions. The Travel Rule – the obligation to transmit originator and beneficiary information alongside a transfer – applies to DLT Providers in Gibraltar. The specific data threshold and technical implementation standard are set in Gibraltar's Proceeds of Crime Act and related guidance; applicants must demonstrate a live Travel Rule solution as part of the authorisation process.
Source of funds and source of wealth verification requirements are applied rigorously by GFSC-authorised firms. In our practice, we have seen Gibraltar-licensed businesses face informal queries from the GFSC where their CDD procedures failed to differentiate between low-risk retail customers and high-value OTC counterparties. A tiered AML framework, with documented risk appetite, is not optional.
The financial crime posture required in Gibraltar is substantively equivalent to that required under MiCA by ESMA and the national competent authorities. Businesses considering a Gibraltar licence as an alternative to EU CASP authorisation should treat the AML build as equally demanding – Gibraltar's proportionality may appear attractive, but the GFSC does not license businesses with thin financial crime controls.
How Does Gibraltar Interact With Tax, Banking and Cross-Border Structure?
Gibraltar's tax regime is territorial: income arising in Gibraltar is taxable in Gibraltar; income arising outside Gibraltar is not, subject to the applicable rules. For a DLT Provider, this requires a careful analysis of where trading, custody or processing activity legally occurs. A business that books all revenue to an offshore entity while directing operations from Gibraltar may face characterisation risk – the GFSC and Gibraltar's tax authority are alert to arrangements that separate the regulated function from the economic substance.
Corporate tax in Gibraltar applies at a rate that makes it competitive relative to major EU jurisdictions, but the headline rate is less significant than the substance question. In our cross-border practice, we structure the operating entity, the intellectual property holding and the management layer as a coherent package – not as separate optimisations that pull in different directions under regulatory and tax scrutiny simultaneously.
Banking is consistently the hardest operational problem for Gibraltar-licensed businesses. Gibraltar has a small domestic banking sector. Most DLT Providers bank offshore – typically in the UK, EU member states or the Channel Islands. UK banks apply their own risk appetite frameworks under FCA oversight, and a Gibraltar DLT licence does not guarantee acceptance. Operators we advise typically approach banking conversations in parallel with the licence application, not after it, because banking timelines are independent of the GFSC process and often longer.
The EU dimension is important. Gibraltar is not in the EU and does not benefit from MiCA passporting. A Gibraltar-licensed DLT Provider serving EU-resident customers must assess whether it requires additional authorisation in the relevant EU member states or whether it can rely on reverse solicitation – a narrow, fact-specific exemption under MiCA that the European Securities and Markets Authority has emphasised is not a broad carve-out. Businesses that want to actively market to EU retail customers from Gibraltar should assume that a MiCA-compliant CASP authorisation is also needed in at least one EU member state.
If your structure sits across Gibraltar and an EU market, the licence, banking and tax stack need to be mapped together before you commit. Write to info@oboluslaw.com or message us via t.me/oboluslaw. Map your options
A Gibraltar Licensing Matter in Practice
In a recent cross-border licensing matter, a digital-asset exchange group with a holding company domiciled in a common-law offshore centre approached us after its initial GFSC pre-application meeting raised concerns about management substance. The group's proposed Gibraltar entity had an experienced compliance officer but no resident director with operational authority over the exchange business. We restructured the governance layer, documented the decision-making chain between Gibraltar and the offshore parent, and prepared a revised business plan that addressed each of the nine regulatory principles with operational evidence rather than generic policy statements. The revised submission moved to formal review without further preliminary queries. The group obtained its DLT Provider licence within the expected timeline and subsequently established its EU-facing operations through an affiliated CASP-authorised entity in an EU member state.
Which Operator Profile Is a Good Fit for Gibraltar?
Gibraltar is not the right structure for every digital-asset business. The decision turns on the operator's target markets, its institutional counterparty base, its management capacity and its timeline. The following profile analysis is based on the patterns we see in practice.
Profile A – Exchange or OTC desk targeting non-EU, non-US markets: Gibraltar offers a credible regulated common-law seat, straightforward corporate law and a principles-based regime that permits product development with regulatory dialogue. The timeline is moderate; the substance requirement is manageable for an operator with experienced management. Key risk: banking access requires early parallel work.
Profile B – Exchange seeking EU retail access: Gibraltar alone is insufficient. MiCA passporting does not apply. This profile needs Gibraltar for its operating infrastructure but also needs a MiCA CASP authorisation – typically in Lithuania, Malta or another EU member state with a functioning CASP transition process. The combined licence-banking-tax stack is more complex. Key risk: underestimating the EU authorisation timeline while relying on reverse solicitation.
Profile C – Custody or institutional prime-broker targeting UK-connected institutions: Gibraltar's common-law base and GFSC pedigree are well-regarded by institutional counterparties. The GFSC's approach to custody – segregation, safeguarding, insurance – is substantively rigorous. UK banks can be more receptive to Gibraltar-licensed custody businesses than to less established regimes. Key risk: FCA financial-promotions rules apply if the business markets to UK persons; separate UK MLR registration may be required.
Profile D – Token issuer planning a public offering: Gibraltar requires careful classification analysis before the DLT Provider question arises. If the token has security characteristics, Gibraltar's financial services legislation applies. If not, a DLT Provider licence may not be required, but financial-promotion rules still apply. Key risk: proceeding without a written classification opinion from Gibraltar counsel before the offering begins.
What Are the Most Common Mistakes in Gibraltar Licence Applications?
The most consistent failure point in Gibraltar DLT applications is inadequate substance – a governance structure that looks right on paper but cannot withstand the GFSC's operational questions. The GFSC expects to meet the people who run the business, not the people retained to present it. A compliance officer or director who can answer detailed questions about the platform's transaction monitoring logic, its liquidity risk management and its incident response protocols is the baseline, not the ceiling.
The second most common mistake is treating the AML build as a documentation exercise. The GFSC reviews financial crime frameworks for operational credibility. Policies that describe generic procedures but cannot be mapped to the business's actual customer journey, product architecture and risk exposure are a reliable source of information requests that extend the review timeline by months.
Third, businesses often underestimate the interaction between the GFSC process and banking. A licence is not a banking guarantee. Starting banking conversations only after receiving a licence can add six to twelve months to the operational launch timeline. The two tracks must run in parallel.
A common assumption we encounter is that a single offshore licence – Gibraltar or otherwise – is sufficient to serve clients globally without additional local authorisations. This is incorrect. MiCA applies to EU-resident clients regardless of where the operator is licensed. US persons are subject to CFTC, SEC and FinCEN oversight of their service providers. Singapore's MAS Payment Services Act applies to DPT services used by Singapore residents. A Gibraltar DLT licence is a regulated seat, not a global passport.
Related at OBOLUS
- Licensing and registration for digital-asset businesses – the full cross-jurisdictional licensing practice at OBOLUS, covering 70+ regimes.
- Crypto regulation and licensing in the United Kingdom – FCA MLR registration, financial-promotions rules and the UK-Gibraltar interaction.
- Founder relocation and tax for early-stage founders – Gibraltar's territorial tax regime in the context of founder and management structuring.
FAQ
How long does a crypto licence take to obtain?
In Gibraltar, the GFSC process from pre-application engagement to licence issuance typically spans several months. The timeline depends on the complexity of the business, the quality of the submission and the GFSC's review queue at the time of application. Complete, well-prepared applications with experienced management and clear AML frameworks move faster. Applications requiring multiple rounds of information requests can take considerably longer. Parallel EU authorisation adds a separate, independent timeline.
Which jurisdiction is best for licensing my crypto business?
There is no universal answer. The right jurisdiction depends on your target markets, product type, institutional counterparty base, management location, banking access and tax objectives. Gibraltar suits operators seeking a principles-based common-law seat outside the EU but close to EU markets. It is not appropriate as a sole licence for businesses actively serving EU retail customers, which require MiCA CASP authorisation in addition. A full licence-banking-tax stack analysis is the correct starting point.
Do I need a separate custody licence?
In Gibraltar, custody of client digital assets is regulated under the DLT Provider regime rather than through a separate custody-specific licence. The GFSC's regulatory principles include explicit expectations on safeguarding, segregation and client asset protection. Operators who provide both exchange and custody services are assessed against those custody principles as part of their DLT Provider authorisation. In other jurisdictions – including the EU under MiCA and Hong Kong under the SFC regime – custody may be a separately authorised activity; a multi-jurisdiction structure requires a layered analysis.
OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. We map the licence stack across operating, custody and payment layers before you commit – so that the structure you build holds under regulatory scrutiny, not just on paper. Our disputes team coordinates freezing relief and on-chain tracing across leading common-law forums, including England and Wales and the DIFC Courts. Digital assets are the whole of our practice. To discuss your situation, contact info@oboluslaw.com.
By Aisha Tan, Licensing & Jurisdictions Analyst – specialising in GFSC DLT authorisations, Gibraltar-EU licence stacks and inbound operator structuring across common-law crypto regimes.
This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.