Gibraltar Regulatory Development: The GFSC updates its guidance on the DLT Framework

Following a significant update to Gibraltar’s financial regulatory framework on 27 October 2025, which brought Virtual Asset Arrangements (“VAAs”) within the scope of the Financial Services Act 2019 (“FSA”), and after consultation with industry stakeholders, the Gibraltar Financial Services Commission (“GFSC”) has welcomed the release of an updated ‘Guidance Note on the Scope of the DLT Framework’ (“Guidance Note”). Amongst other updates, the Guidance Note reflects the extension of the DLT framework to capture VAA Providers (“VAAPs”).

VAA Regulated Activity

The most significant structural amendment to the Guidance Note regards the incorporation of a second regulated activity into the DLT Framework, namely ‘providing virtual asset arrangements’, defined as exchanging, or arranging the exchange of, virtual assets for money, money for virtual assets, or one virtual asset for another. The GFSC has reclassified such activities, previously out of scope, and brought them firmly within the DLT framework as in-scope VAA regulated activities, which can be broken into non-custodial over-the-counter or brokerage desks and peer to peer platforms. 

Exclusions from VAA Regulated Activity

Moreover, the GFSC has provided further clarity by identifying specific exclusions from VAA regulated activity, such as collective investment schemes, pension funds, and their depositaries and managers, which are not required to obtain VAAP authorisation where they exchange virtual assets in the course of their regulated activity. This position reflects the GFSC’s intention to ensure that firms already subject to regulatory oversight are not hampered with several authorisation requirements.

New Guidance on the Regulatory Principles for VAAPs

Whilst the GFSC’s historical stance has been to take an outcomes-focused, principle-based approach to the regulation of DLT, the updated Guidance Note has iterated that Principle 5 (protection of customer assets) does not apply to VAAPs whilst Principle 10 (market integrity) is unlikely to apply given the nature of the regulated activity, i.e., they are unlikely to participate in any markets in the course of their business.

Dual-Track Authorisation

Ultimately, the updated Guidance Note draws a clear distinction between the two authorisation pathways available under the DLT Framework. Firms that take custody of client virtual assets and use DLT for their storage or transmission will require authorisation as a DLT Provider. Alternatively, those that arrange virtual asset transactions without ever taking custody require authorisation as a VAAP. Critically, the GFSC has emphasised that the DLT Framework applies in full to both categories, and firms should no longer assume that operating on a non-custodial basis places them outside its reach.