GFSC Principle 7 and what it actually requires from your DLT staff
The GFSC's nine DLT Regulatory Principles form the supervisory backbone for every DLT Provider Licence holder in Gibraltar. Principle 7, which requires firms to have adequate financial and non-financial resources, including systems and security, is the one most likely to feature in a supervisory visit focused on operational resilience.
What Principle 7 says
The DLT Provider Regulations 2020 elaborate on Principle 7 as follows: a DLT provider must ensure that its systems, controls, and human resources are fit for purpose given the nature, scale, and complexity of its business. Staff must be competent to discharge their responsibilities, and the firm must be able to demonstrate this competence to the GFSC on request.
The GFSC's 2024 Guidance Note on DLT Supervisory Expectations made this more concrete, noting that competence assessments for key personnel, including evidence of ongoing training, will be considered during the SREP (Supervisory Review and Evaluation Process) conducted annually for Category 2 and above licence holders.
Where training fits
Principle 7 is not exclusively about technical infrastructure. The GFSC has been explicit that human error remains the leading cause of security incidents in DLT firms, and that training is therefore a control in its own right, not a supplement to technical controls.
The training competencies the GFSC expects DLT staff to hold include:
- Understanding of the firm's specific regulatory obligations under the DLT Provider Regulations 2020
- Awareness of the VASP Travel Rule and the firm's implementation obligations
- Recognition of social engineering and phishing attacks targeting crypto-asset businesses
- Custody and key management responsibilities relevant to the individual's role
- Market integrity obligations, including the prohibition on wash trading and front-running
The MLRO dimension
For the nominated MLRO of a DLT firm, Principle 7 training requirements overlap significantly with AML/CFT competency obligations. The GFSC expects the MLRO to maintain current knowledge of the DLT-specific typologies published by the FATF, including NFT-related money laundering, DeFi protocol exploitation, and cross-chain layering techniques.
Generic AML training that does not address crypto-asset typologies is not adequate for this purpose. This is an area where several smaller DLT firms have been found wanting during supervisory visits.
What the GFSC looks for in an audit
During a Principle 7 review, GFSC supervisors typically request:
- A training log for all staff in regulated roles, covering the past 24 months
- Evidence that training content maps to the firm's specific business model and risk profile
- Records of how training comprehension was assessed (not merely attendance)
- A training plan for the coming 12 months, approved at board level
The absence of documented, role-specific training is treated as a control weakness under Principle 7, which can trigger a recommendation or, in repeated cases, a formal supervisory measure.
Practical steps
DLT firms approaching their annual SREP should audit their training records before the GFSC does. The questions to ask: Can we produce a complete training log for every staff member in a regulated function? Does that training specifically reference the DLT Provider Regulations, the nine Principles, and the crypto-specific AML typologies? Has it been completed in the last 12 months?
If the answer to any of these is no, the gap needs to be closed before the supervisor asks.