Gibraltar Corporate Compliance: The Essentials

Overview of the Compliance Framework

Gibraltar has built a robust regulatory and compliance architecture aligned with international standards set by the Financial Action Task Force (FATF), the OECD and the European Union. As a British Overseas Territory with direct access to EU frameworks under historical arrangements and its own bilateral agreements, Gibraltar occupies a distinctive position: common-law governed, English-language, with a mature supervisory authority in the Gibraltar Financial Services Commission (GFSC).

Corporate compliance in Gibraltar is not simply a box-ticking exercise. It spans anti-money laundering and counter-terrorist financing (AML/CFT) obligations, automatic tax information exchange under CRS and FATCA, beneficial ownership transparency, and ongoing KYC and monitoring duties. Each regulated firm and, to varying degrees, each corporate entity operating in Gibraltar must understand where these obligations apply and how they interlock.

This pillar guide sets out the complete compliance landscape for Gibraltar companies and the regulated firms that service them. It draws on the primary legislation and GFSC guidance as of 2026 and is intended for directors, compliance officers, legal advisers and international clients seeking a single authoritative reference point.

AML/CFT: The Proceeds of Crime Act

The primary AML/CFT legislation in Gibraltar is the Proceeds of Crime Act 2015 (POCA), which consolidates and modernises earlier statutes. POCA creates the principal money laundering offences — concealing, arranging, acquiring or using criminal property — and the tipping-off and failure-to-disclose offences. It applies to all persons in Gibraltar, not merely regulated firms.

The Proceeds of Crime Act 2015 (Anti-Money Laundering and Terrorist Financing) Regulations 2019 (the AML Regulations), as subsequently amended, transpose the EU's Fourth and Fifth Anti-Money Laundering Directives into Gibraltar law and set out the detailed obligations imposed on relevant persons — broadly, regulated financial services businesses, auditors, accountants, tax advisers, lawyers handling client funds, estate agents, trust and company service providers, and dealers in high-value goods.

Key AML offences under POCA

• Principal offences (sections 6-9): concealing, disguising, converting, transferring or removing criminal property from Gibraltar; entering into or becoming concerned in an arrangement facilitating the acquisition, retention, use or control of criminal property; acquiring, using or possessing criminal property.
• Failure to disclose (section 12): a person in the regulated sector who knows or suspects, or has reasonable grounds to know or suspect, that another person is engaged in money laundering and fails to make a disclosure commits an offence.
• Tipping off (section 15): disclosing to a customer or third party that a suspicious activity report has been made, or that an investigation is being contemplated, where this is likely to prejudice any investigation.

Terrorist financing is addressed principally by the Terrorism (United Nations Measures) (Gibraltar) Order 2001 and related UN sanctions regulations, which impose asset-freezing and dealing prohibitions. The GFSC issues regular updates to the list of designated persons and expects regulated firms to screen against relevant lists in real time.

Risk-Based Approach

Both POCA and the AML Regulations require regulated persons to adopt a risk-based approach (RBA) to AML/CFT. This means identifying, assessing and understanding the money laundering and terrorist financing risks to which the business is exposed, and calibrating its controls proportionately.

The Gibraltar National Risk Assessment, maintained by HM Government of Gibraltar, identifies the territory's principal ML/TF risk factors — including its role as a financial centre, cross-border flows, and the use of corporate structures. Regulated firms must consider this assessment alongside their own business-specific risk assessments.

Risk assessment documentation

A compliant RBA requires written documentation of:

• The firm's overall ML/TF risk profile, considering its products, services, customers, delivery channels and geographic exposure.
• Individual customer risk ratings, updated periodically and upon material change.
• The policies, controls and procedures (PCPs) adopted to mitigate identified risks.
• Staff training programmes and records.
• Senior management sign-off on the risk assessment and PCPs.

The GFSC reviews risk assessments as part of its supervisory cycle. Firms that cannot demonstrate a coherent, documented RBA face regulatory findings and, increasingly, financial penalties.

KYC Requirements

Know Your Customer (KYC) obligations arise at the outset of a business relationship and are ongoing. The AML Regulations prescribe customer due diligence (CDD) measures that must be applied when establishing a business relationship, carrying out an occasional transaction above EUR 15,000 (or EUR 10,000 for cash), or when there is suspicion of ML/TF or doubt about previously obtained identification.

Standard CDD

Standard CDD requires:

• Identification of the customer and verification using reliable, independent source documents, data or information.
• Identification of the beneficial owner (any natural person owning or controlling more than 25% of a corporate entity, or who otherwise exercises ultimate effective control) and taking reasonable measures to verify their identity.
• Understanding the nature and purpose of the business relationship.
• For corporate customers: company documents (certificate of incorporation, memorandum and articles, register of directors and shareholders) plus identity documents for all beneficial owners.

Enhanced Due Diligence

Enhanced due diligence (EDD) applies to higher-risk situations, including:

• Politically Exposed Persons (PEPs) and their family members and close associates.
• Customers or transactions involving high-risk jurisdictions identified by the FATF.
• Complex, unusual or large transactions with no apparent economic purpose.
• Non-face-to-face business relationships where additional verification steps are required.
• Correspondent banking relationships.

EDD requires senior management approval for establishing or continuing the relationship, and more intensive scrutiny of the source of funds and wealth.

Simplified Due Diligence

Simplified due diligence (SDD) may be applied where a customer is assessed as lower risk — for example, listed companies on regulated markets, EU member state public authorities, or certain regulated financial institutions. SDD still requires basic identification; it merely permits a lighter verification process.

Ongoing Monitoring

CDD is not a one-time event. The AML Regulations require regulated persons to conduct ongoing monitoring of business relationships, including:

• Scrutiny of transactions throughout the relationship to ensure they are consistent with the firm's knowledge of the customer, their business and risk profile.
• Keeping documents, data and information up to date and relevant by undertaking reviews of existing records.
• Re-running CDD when trigger events occur: a change in beneficial ownership, a new product or service, geographic expansion, or where ML/TF suspicion arises.

In practice, firms are expected to operate periodic review cycles — typically annual for high-risk customers, every two to three years for standard-risk customers, and less frequently for low-risk relationships — alongside event-driven reviews. Transaction monitoring systems, whether manual (for smaller firms) or automated (for larger ones), should flag anomalous patterns such as unusual payment counterparties, round-number transactions, rapid fund movements and jurisdictional inconsistencies.

SAR Filing Obligations

Where a regulated person knows, suspects or has reasonable grounds to suspect ML/TF activity, they are obliged to submit a Suspicious Activity Report (SAR) to the Gibraltar Financial Intelligence Unit (GFIU), the territory's financial intelligence unit. The obligation exists both under POCA (the primary offence of failure to disclose) and the AML Regulations.

SARs must be submitted promptly. A firm may seek a defence against money laundering (DAML) — formerly known as a consent request — from the GFIU before proceeding with a transaction it suspects may constitute money laundering. The GFIU has seven days to refuse consent (with a further 31-day moratorium period if refused), after which the firm may proceed.

Nominated Officers (Money Laundering Reporting Officers, MLROs) within regulated firms are responsible for receiving internal disclosures from staff and making the decision whether to file externally with the GFIU. The MLRO must be of sufficient seniority and independence to fulfil this role effectively. GFSC-regulated firms are required to register the MLRO with the Commission.

Beneficial Ownership Registers

Gibraltar introduced a central Beneficial Ownership Register maintained by Gibraltar Companies House under the Companies (Beneficial Ownership) Regulations 2017, subsequently updated to reflect the requirements of the EU's Fifth Anti-Money Laundering Directive and FATF Recommendation 24.

All Gibraltar companies must maintain an accurate and current register of persons with significant control (PSC), defined as any individual holding more than 25% of shares or voting rights, holding the right to appoint or remove a majority of directors, or otherwise exercising significant influence or control. This register must be filed with Companies House and kept up to date. Changes must be notified within 14 days.

For regulated entities and certain corporate service provider clients, the GFSC may also require disclosure of ultimate beneficial ownership as part of its licensing and supervisory processes. Trust and company service providers (TCSPs) are required to maintain records of the beneficial ownership of all companies they administer, and to make these available to the GFSC and law enforcement authorities on request.

The register is not fully public for all entity types, but is accessible to competent authorities and, under certain conditions, to persons with a legitimate interest. The Gibraltar government has indicated its intention to keep access provisions under review in light of evolving EU and FATF guidance.

CRS and FATCA Reporting

Gibraltar participates fully in the OECD's Common Reporting Standard (CRS), the global automatic exchange of tax information framework, under the Tax Information Exchange (OECD Common Reporting Standard) Regulations 2016. Gibraltar financial institutions (broadly: custodial institutions, depository institutions, investment entities and specified insurance companies) must identify the tax residency of their account holders and report information on financial accounts held by non-Gibraltar tax residents to HM Government of Gibraltar Revenue & Customs, which then exchanges that data with partner jurisdictions automatically each year.

Reportable information includes account balances, gross interest, dividends and other income, gross proceeds from asset sales, and account holder identification. For entity accounts, the relevant controlling persons (beneficial owners) must also be identified and reported if they are tax-resident outside Gibraltar.

FATCA (the US Foreign Account Tax Compliance Act) is addressed through Gibraltar's intergovernmental agreement (IGA) with the United States, operated on a Model 1 basis. Gibraltar financial institutions report US reportable accounts to Gibraltar Revenue & Customs, which then passes the data to the IRS. Registration with the IRS as a participating or registered-deemed-compliant FFI is also required in most cases.

Compliance requires Gibraltar financial institutions to implement documented FATCA/CRS policies and procedures, perform due diligence on account holder populations, and file annual reports by the prescribed deadline (typically 31 July for the preceding calendar year). Failure to comply exposes institutions to regulatory sanction and, under FATCA, a 30% withholding on US-source payments.

GFSC Supervisory Expectations

The GFSC has published a suite of AML/CFT guidance notes and thematic review findings that elaborate its supervisory expectations beyond the bare legislative requirements. Key themes from recent GFSC communications include:

• Governance: The board of a regulated firm bears ultimate responsibility for compliance culture. The GFSC expects documented board-level engagement with AML/CFT risk, including regular reporting from the MLRO and periodic board review of the firm's risk appetite statement.
• Quality over quantity: The GFSC has observed that some firms file large volumes of SARs of poor quality. It expects MLROs to exercise genuine judgement and to ensure that SARs contain sufficient detail to be of value to the GFIU.
• Technology and data: For larger firms, the GFSC increasingly expects automated transaction monitoring and screening systems, with documented calibration, testing and override procedures.
• Third-party reliance: Where firms rely on introduced business or third-party CDD, they must satisfy themselves that the introducer operates to an equivalent standard and must retain ultimate responsibility for compliance.
• Training: All relevant staff must receive AML/CFT training appropriate to their role at induction and at least annually thereafter, with written records retained.

The GFSC conducts both scheduled and unannounced supervisory visits and thematic reviews. It has demonstrated a willingness to use its powers — including public censures, financial penalties and licence revocations — where firms fall materially short of its expectations.

Penalties for Non-Compliance

The consequences of AML/CFT non-compliance in Gibraltar are significant at both the criminal and regulatory levels.

Criminal penalties

Conviction for a principal money laundering offence under POCA carries imprisonment of up to 14 years, an unlimited fine, or both. Conviction for failure to disclose (section 12) or tipping off (section 15) carries imprisonment of up to five years, a fine, or both. These are not merely theoretical — Gibraltar has seen successful prosecutions and is committed to active enforcement.

Regulatory sanctions

The GFSC has a broad range of supervisory powers under the Financial Services (Enforcement Powers) Act 2020 and sector-specific legislation. These include:

• Public censure (statement of misconduct published on the GFSC website).
• Financial penalties — the GFSC has imposed six-figure fines on regulated firms for AML/CFT failures in recent years.
• Suspension or revocation of authorisation.
• Prohibitions on individuals from performing controlled functions.
• Directions requiring firms to take or refrain from specified actions.

CRS/FATCA penalties

Under the Tax Information Exchange legislation, failure to report or deliberate mis-reporting can result in fines and, under FATCA, exposure to 30% US withholding. Gibraltar Revenue & Customs operates its own penalty regime for CRS breaches, separate from GFSC sanctions.

The reputational consequences of compliance failures — adverse GFSC findings, public censures, and the associated loss of client confidence — often exceed the direct financial penalties. Investing in robust compliance infrastructure is not merely a regulatory obligation; it is a commercial imperative for any firm operating in Gibraltar's financial services sector.