Gibraltar DLT Provider Licence: Requirements, Timeline, and Suitability for Crypto Businesses

Gibraltar became the world's first jurisdiction to introduce a bespoke regulatory framework for distributed ledger technology (DLT) businesses when the Distributed Ledger Technology Regulatory Framework came into force in January 2018 under the Financial Services (Distributed Ledger Technology Providers) Regulations 2017. This first-mover status attracted significant crypto business to the Rock and created a regulatory precedent that influenced subsequent frameworks in other jurisdictions. In 2026, the Gibraltar DLT framework has matured significantly since its launch — with updated regulations, enhanced AML expectations, and a GFSC that has become considerably more demanding in its supervisory approach.

The DLT Regulatory Framework

The Gibraltar DLT framework applies to firms "carrying on or purporting to carry on by way of business in or from Gibraltar the use of DLT for storing or transmitting value belonging to others." This is a deliberately broad definition — it covers crypto exchanges, custodians, crypto payment processors, and DLT-based clearing and settlement firms. Firms that merely use DLT internally (for their own operations, not to store or transmit others' value) are not in scope.

Licensed DLT providers must comply with nine "regulatory principles" that the GFSC treats as the equivalent of Threshold Conditions — they are ongoing obligations, not one-time requirements. These principles require DLT providers to: conduct business with honesty and integrity; pay due regard to the interests of customers; maintain adequate financial and non-financial resources; manage and control business effectively with proper risk management systems; have effective arrangements for the protection of client assets; have effective corporate governance; ensure systems and security access protocols meet appropriate standards; prevent, detect, and disclose financial crime; and be resilient and maintain contingency arrangements.

Application Requirements

The GFSC application for a DLT provider licence requires a detailed application pack covering: the business model description; governance structure and fitness and propriety evidence for all directors, UBOs, and key function holders; AML/CFT policies and controls; cybersecurity framework; financial projections and evidence of adequate capitalisation; and an assessment against each of the nine regulatory principles. There is no prescribed minimum capital — the GFSC assesses capital adequacy relative to the specific business model and risk profile.

Pre-licensing consultation with the GFSC is strongly recommended, particularly for novel business models. The GFSC operates an Innovation Hub for businesses exploring new approaches, and early engagement can significantly streamline the formal application. The GFSC has historically been pragmatic in its pre-application dialogue compared to, for example, the FCA — it has engaged more openly with novel business models and been willing to discuss licensing approaches before formal submission.

Timeline

The GFSC's published target timeline for DLT licence applications is six to twelve months from submission of a complete application. In practice, applications for complex business models — multi-service crypto platforms, novel DeFi-adjacent applications, or businesses with complex ownership structures — have sometimes extended beyond twelve months. Applications that are well-prepared, with a clear regulatory analysis and complete documentation, consistently achieve faster determinations.

AML/CFT Obligations

Gibraltar's AML/CFT framework for DLT providers is set out in the Proceeds of Crime Act 2015 (as amended) and the Criminal Justice (Proceeds of Crime) (Legal Professionals, Accountants and Estate Agents) Regulations 2007 as updated. The framework is broadly aligned with FATF Recommendations, including the Travel Rule obligation for crypto asset transfers. The GFSC has issued guidance notes on AML/CFT specifically for DLT providers, covering customer due diligence standards, transaction monitoring, SAR filing with the Gibraltar Financial Intelligence Unit (GFIU), and Travel Rule implementation.

Since 2022, the GFSC has conducted thematic reviews of AML/CFT compliance among DLT-licensed firms and has issued public findings identifying systemic weaknesses. Common themes include: inadequate transaction monitoring rule calibration for crypto-specific typologies; insufficient blockchain analytics integration; and weakness in unhosted wallet due diligence. Firms applying or already licensed should ensure their AML framework explicitly addresses these identified areas.

Banking Access from Gibraltar

Despite GFSC licensing, Gibraltar-based DLT providers face significant challenges in accessing banking. The combination of Gibraltar jurisdiction (a British Overseas Territory not in the EU, with its own regulatory regime) and crypto activities is a concentration of de-risking triggers for Tier 1 banks. In practice, Gibraltar-licensed DLT providers typically rely on specialist EMIs and neobanks for their banking infrastructure, supplemented where possible by relationships with Crypto-friendly banks in specific jurisdictions. CCYFX and similar specialist providers have become important infrastructure partners for Gibraltar-licensed firms that cannot access conventional banking relationships.

DLT Framework vs FCA Registration for UK-Connected Businesses

For businesses with material UK operations or client bases, the Gibraltar DLT licence is not a substitute for FCA crypto asset firm registration — UK-facing activities require separate UK regulatory treatment. Gibraltar-licensed firms serving UK retail customers may be providing regulated activities in the UK that require either FCA registration or an appointed representative arrangement. Legal analysis of whether UK activities fall within the scope of UK regulation is essential before relying solely on the Gibraltar licence for UK-connected business.