by: DM Parody
This Article summarises the main points made in a presentation to the Gibraltar Financial Services Sector on 10th and 11th March through the Gibraltar Association of Compliance Officers. These views do not represent the views of HM Government of Gibraltar. Timing and implementation of the relevant EU Directives and Regulations are currently not known to the Author, and this Article and accompanying presentation are an examination of the full provisions of the EU statutes, should they all be brought into effect.
The EU UK Treaty on Gibraltar sets a clear direction of travel for Gibraltar firms. Gibraltar will need to align with EU AML CFT CPF and targeted financial sanctions standards in a way that is durable, testable, and capable of being supervised to the same outcomes expected across the EU.
A key Treaty obligation is non regression. Article 198 frames this as a commitment that the UK in respect of Gibraltar does not weaken or reduce AML and CFT measures below the levels in place in the Union at the entry into force of the Agreement, including by failing to effectively enforce laws and standards. It also signals a continuing expectation to raise protection levels over time. For compliance frameworks, that shifts the baseline. It becomes harder to justify local deviation, informal practice, or a reliance on guidance where the EU framework is prescriptive.
Annex 17 lists the EU instruments that sit behind this alignment, including the fourth AMLD as amended and extended, the sixth AML Directive, the AML Regulation as the Single Rule Book, the AMLA Regulation, and the recast Transfer of Funds Regulation including crypto asset transfers. Taken together, these instruments reset what a good compliance framework looks like. They also introduce more direct rule content that is designed to be applied consistently, rather than interpreted differently market by market.
Three practical points that should shape planning inside firms:
EU Regulations do not automatically apply to Gibraltar post Brexit. That means Gibraltar will need to transpose the key Regulations and update local law that currently reflects earlier EU Directives. Firms should plan for new Gibraltar legislation that is more detailed, more process driven, and more data specific.
An AMLA Single Rule Book approach replaces current Gibraltar regulator guidance as the primary reference point for how the preventive framework is meant to operate. AMLA does not supervise Gibraltar firms directly, but Gibraltar regulators are expected to follow the same approach as National Competent Authorities across the EU. For firms, the outcome is similar to operating in an EU Member State: the supervisor will expect a framework that maps cleanly to the Single Rule Book and to the implementing technical standards and guidance.
Impact is not limited to policy wording. The headline items include a revamp of UBO requirements and UBO Register operation, new non public registers of bank, securities and crypto accounts and safe deposit boxes, a single access point to real estate information, cash usage restrictions at EUR 10,000, and additional transaction based reporting triggers including transactions over EUR 10,000 and certain luxury items even where there is no suspicion of money laundering. These are changes that reach into onboarding, periodic review, data management, transaction monitoring, and FIU engagement.
The starting point is structural. Beneficial ownership information, and information on nominee arrangements, must be held in a central register in the Member State where the legal entity is created, or where the trustee of an express trust is established or resides, or from where the arrangement is administered. Where trustees are in different Member States, a certificate of proof of registration or an excerpt from one Member State register is sufficient to meet the registration obligation.
The register operator is not passive. The entity in charge of the register is empowered to request any information necessary to identify and verify beneficial owners, including board minutes, partnership agreements, trust deeds, powers of attorney, and other contractual documentation. It is also empowered to carry out checks including on site inspections at business premises or registered offices, and that right cannot be obstructed.
Where no beneficial owner is identified, the register must include a statement that there is no beneficial owner or that beneficial owners could not be determined, with justification, plus details of all senior managing officials. Competent authorities, AMLA, and obliged entities can access the statement, but obliged entities only access the justification if they have reported a discrepancy or can prove the steps they took to determine beneficial owners.
The register must be adequate, accurate, and up to date. The register operator must verify information within a reasonable time on submission and regularly thereafter. Changes to beneficial ownership and to nominee arrangements must be recorded.
A targeted financial sanctions overlay is built in. The register operator must verify whether beneficial ownership information concerns designated persons or entities. The register must include an indication that a legal entity or arrangement is associated with targeted financial sanctions where the entity is designated, controlled by a designated person or entity, or has a beneficial owner who is designated. That indication must be visible to anyone granted access and remain until sanctions are lifted.
Discrepancy handling is time bound. Within 30 working days of a discrepancy report, the register operator must take appropriate actions to resolve it, including amending register information where verification is possible. A visible marker that discrepancies have been reported must remain until resolved. Complex discrepancies can be recorded with steps taken, but still require resolution as soon as possible.
Access to the register is explicitly broadened for public authorities and law enforcement bodies, including competent authorities, self regulatory bodies acting as supervisors, tax authorities, national sanctions authorities, AMLA for joint analyses, and EU bodies such as Europol and Eurojust when supporting competent authorities.
Persons with legitimate interest in preventing and combating money laundering, predicate offences, and terrorist financing must be able to access specific beneficial ownership data without alerting the entity. The accessible data includes the beneficial owner name, month and year of birth, country of residence and nationality, and the nature and extent of the beneficial interest. Legitimate interest access also extends to historical information for dissolved or ceased entities in the preceding five years, and a description of the ownership or control structure.
Specific access rules apply under Article 12(2) and Article 13, illustrated by categories such as transaction participants, journalists, civil society organisations, and third country entities or authorities. In practice, that signals a tighter governance expectation around who can access what, and how the register operator tests the basis for access.
For obliged entities, the operational implication is simple: you should treat the register as a live control, not as a static reference point. Your CDD process needs an explicit step for register consultation, recording what you relied on, and dealing with discrepancies quickly.
Obliged entities must report discrepancies without undue delay and in any case within 14 calendar days of detection. The report must include the information obtained indicating the discrepancy, who the firm considers to be the beneficial owners, and where applicable nominee shareholders and nominee directors, and why. Where the firm concludes the register is incorrect, it must invite the customer to submit the correct information to the central register without undue delay and in any case within 14 calendar days.
To make this work, firms will need:
A defined trigger for what counts as a discrepancy, linked to your beneficial ownership determination methodology.
A case workflow with a 14 day clock.
A standard communication to customers that requests they correct the register entry.
Evidence standards so you can justify your view if challenged by the register operator or supervisor.
The beneficial ownership rules under the AML Regulation sharpen how you identify beneficial owners.
Ownership interest is defined as direct or indirect ownership of 25 percent or more of shares, voting rights, or other ownership interest, including rights to profits, internal resources, or liquidation balance. Indirect ownership is calculated by multiplying interests through the chain and adding results across chains unless the multi layer coexistence rule applies. All shareholdings at every level must be taken into account.
A lower threshold can apply for categories of corporate entities associated with higher money laundering and terrorist financing risks, with a maximum lower threshold of 15 percent unless a higher but still sub 25 percent threshold is deemed more proportionate. For firms, that means you must be ready for sector specific or entity type specific threshold shifts and reflect them in your beneficial ownership logic.
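The indirect ownership calculation described above (multiply interests through each chain, add the results across chains, then test against the threshold) can be sketched as follows. This is an added example, not code from the presentation or from any register operator; the entity names, the sample structure and the function names are constructed, and the control tests, nominee arrangements and the multi layer coexistence rule are outside what it covers.

```python
from fractions import Fraction

# Constructed sample structure (all names hypothetical):
# HOLDINGS[owned_entity] = {owner: share of owned_entity held by owner}
HOLDINGS = {
    "TargetCo": {"HoldCo A": Fraction(60, 100), "HoldCo B": Fraction(40, 100)},
    "HoldCo A": {"Alice": Fraction(30, 100), "Bob": Fraction(70, 100)},
    "HoldCo B": {
        "Alice": Fraction(25, 100),
        "Carol": Fraction(45, 100),
        "Dan": Fraction(30, 100),
    },
}
NATURAL_PERSONS = {"Alice", "Bob", "Carol", "Dan"}

DEFAULT_THRESHOLD = Fraction(25, 100)  # "25 percent or more"
LOWER_THRESHOLD = Fraction(15, 100)    # maximum lower threshold for higher risk categories


def indirect_interests(target, holdings, natural_persons):
    """Return {person: total interest in target}.

    Interests are multiplied along each ownership chain and the results
    are added across chains, taking every level of shareholding into account.
    """
    totals = {}

    def walk(entity, fraction, path):
        for owner, share in holdings.get(entity, {}).items():
            if owner in path:
                # Simplifying assumption of this example: a circular
                # cross-holding is not followed twice within one chain.
                continue
            through = fraction * share
            if owner in natural_persons:
                totals[owner] = totals.get(owner, Fraction(0)) + through
            else:
                walk(owner, through, path | {owner})

    walk(target, Fraction(1), frozenset({target}))
    return totals


def owners_at_threshold(target, holdings, natural_persons,
                        threshold=DEFAULT_THRESHOLD):
    """Persons whose summed direct and indirect interest meets the threshold."""
    totals = indirect_interests(target, holdings, natural_persons)
    return {person: value for person, value in totals.items()
            if value >= threshold}


if __name__ == "__main__":
    for person, value in sorted(
            indirect_interests("TargetCo", HOLDINGS, NATURAL_PERSONS).items()):
        print(f"{person}: {float(value):.2%}")
    print("25% test:", sorted(owners_at_threshold(
        "TargetCo", HOLDINGS, NATURAL_PERSONS)))
    print("15% test:", sorted(owners_at_threshold(
        "TargetCo", HOLDINGS, NATURAL_PERSONS, LOWER_THRESHOLD)))
```

In the sample, Alice holds less than 25 percent through either chain alone and only meets the threshold once the two chains are added, while Carol is captured only when the lower 15 percent threshold applies.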
Control is defined broadly. It includes the possibility to exercise significant influence and impose relevant decisions, direct or indirect. Control through ownership interest is set at 50 percent plus one. Control via other means includes majority voting rights, appointment or removal rights over boards or equivalent bodies, veto or decision rights attached to shares, and decisions on profit distribution or asset shifts. It may also include formal or informal agreements, family relationships, and nominee arrangements. A formal nominee arrangement is a contract or equivalent arrangement where a nominator issues instructions to a nominee to act on their behalf in a capacity such as director, shareholder, or settlor.
Where ownership interest and control coexist at different layers of a multi layered structure, beneficial owners include those who control entities that hold a direct ownership interest, and those who have an ownership interest in an entity that controls the target entity. This is a direct instruction to avoid single track ownership analysis and to run parallel ownership and control testing.
Rules for special cases:
In defined low risk contexts, only the class of beneficiaries and its characteristics are identified, including certain pension schemes, employee participation schemes where low risk is assessed, and certain low risk non profit trust like arrangements.
For collective investment undertakings, beneficial owners are those holding 25 percent or more of units, those able to define or influence investment policy, or those controlling activities through other means.
The required beneficial ownership information is granular. It includes full names, place and full date of birth, residential address, country of residence, nationality, identity document number, and where it exists a unique personal identification number and a general description of its source. It must also include the nature and extent of the beneficial interest, the date from which it is held, and where structures include multiple entities, a description of the structure and relationships including names and identification numbers.
Legal entities and trustees must obtain adequate, accurate, and up to date beneficial ownership information within 28 calendar days of creation or setting up, update it promptly and in any case within 28 calendar days of any change, and update it on an annual basis.
Legal entities must provide beneficial ownership information to obliged entities when CDD is applied. They must report beneficial ownership information to the central register without undue delay after creation, and report changes without undue delay and in any case within 28 calendar days. They must verify they hold up to date information at least annually.
Where no beneficial owner is identified or there is justified uncertainty, legal entities must keep records of the actions taken and provide the statement and senior managing official details. The definition of senior managing officials is given in functional terms, capturing executive management body members and those responsible for day to day management and accountable to the management body.
Trustees have parallel obligations. They must obtain and hold basic information on the arrangement, beneficial ownership information, beneficial ownership information on any participating entities, and information on agents authorised to act and the obliged entities with which the trustee enters into relationships. Information must be maintained for five years after involvement ceases. Trustees must report to the central register within 28 calendar days of setting up and within 28 calendar days of changes, and verify at least annually.
Foreign legal entities and arrangements created or administered outside the Union must submit beneficial ownership information to the central register of the Member State where they enter into a business relationship with an obliged entity, acquire real estate, acquire certain high value goods for non commercial purposes above set thresholds, or are awarded a public contract.
For Gibraltar compliance frameworks, the practical impact is a stronger expectation that your files show:
A repeatable methodology for ownership and control testing, including nominee arrangements and family links where relevant.
A documented approach to thresholds, including potential lowering for higher risk entity categories.
Evidence that you consulted the register and handled discrepancies within deadlines.
Clear customer outreach steps where register correction is needed.
A data model that captures the full set of required UBO attributes and keeps them current.
Member States must implement centralised automated mechanisms, such as central registers or central electronic data retrieval systems, that allow timely identification of any natural or legal persons holding or controlling payment accounts or bank accounts identified by IBAN, including virtual IBANs, and securities accounts.
Access is designed for speed and completeness. FIUs must have direct access in an immediate and unfiltered manner, and AMLA must also have access for joint analyses. Supervisory authorities must be able to access the information in a timely manner to fulfil their obligations.
The required content is specific and date stamped:
For customer account holders and persons purporting to act on their behalf, the name plus other identification data or a unique identification number, and where applicable the dates they started and ceased to have power to act.
For beneficial owners of customer account holders, the name or a unique identification number, plus the dates they became and ceased to be beneficial owner.
For bank and payment accounts, the IBAN or unique account identifier, plus opening and closing dates.
For virtual IBANs, the virtual IBAN number, the unique account identifier of the underlying account to which payments are redirected, and opening and closing dates. The customer account holder is the holder of the underlying account.
For securities accounts and crypto asset accounts, the unique identifier and opening and closing dates.
For safe deposit boxes, the lessee name or unique identification number and lease start and end dates.
Names are defined: for natural persons all names and surnames, and for entities or arrangements the registered name.
For Gibraltar firms, you do not operate the register, but you will operate within the ecosystem it creates. That changes expectations in three areas:
Data quality and identifiers. Your systems need to store and retrieve the identifiers referenced above, and keep dates and authority to act data current. If you issue or service virtual IBANs, you need a controlled process to link virtual IBANs to underlying accounts and to obtain identity information as required.
Interplay with FIU work. Expect faster FIU information requests because the FIU will be able to identify accounts quickly and will focus on analysis and follow up.
Transaction monitoring context. Your monitoring and investigations should assume that account linkage data will be available to authorities and can be compared against your own file. That increases the cost of weak record keeping.
Competent authorities must have immediate and direct access free of charge to information that allows timely identification of real estate and the persons or entities owning it, and information allowing identification and analysis of real estate transactions. Access must be via a single access point, by electronic means, in digital format, and where possible machine readable.
The minimum dataset includes:
Property data: cadastral parcel and reference, geographic location including address, area or size, property type including built or non built and destination of use.
Ownership data: owner name and any person purporting to act on behalf of the owner; for legal entity owners the name and legal form plus company unique identification number and tax identification number; for legal arrangement owners the arrangement name and tax identification number; acquisition price; and where applicable entitlements or restrictions.
Encumbrances: mortgages, judicial restrictions, property rights, and other guarantees.
History: property ownership, price and related encumbrances.
Relevant documents.
Where a cadastral parcel includes multiple properties, the information must be provided per property. Historical information must cover at least the period from 8 July 2019.
For compliance professionals in Gibraltar, this matters even where your firm does not finance property directly. Real estate is a common source of wealth and a common channel for layering. A single access point increases the likelihood that property links will be identified quickly in investigations. Your framework should therefore ensure that when property is relevant to source of wealth, collateral, or transaction purpose, your file contains consistent references to the assets and to ownership structures.
The EU Regulation in this area comes into force on 10 July 2027. That timing matters because it is late enough to encourage deferral, but close enough that firms should begin designing changes now so implementation is not rushed.
The definitions to review include money laundering and terrorist financing aligned to EU criminal law instruments, and an expanded set of operational definitions such as crypto asset concepts, self hosted address, virtual IBAN, Legal Entity Identifier, basic information, cash, and other sector terms. This points to a tighter drafting and interpretation discipline. When definitions change, control testing changes with them.
The list of obliged entities is revised and broadened in specific areas, including real estate letting at EUR 10,000 monthly rent thresholds, cultural goods transactions at EUR 10,000, free zone and customs warehouse activity, investment migration operators, non financial mixed activity holding companies, and later inclusion of football agents and professional football clubs for specified transaction types with an effective date noted in the deck. Firms should treat this as an ecosystem change. Even if you are already an obliged entity, your customer base may include newly obliged counterparties who will change what they ask of you and what they report.
The required scope of internal policies, procedures, and controls is set out in detail. It covers business wide risk assessment, the risk management framework, CDD including PEP and associate identification, suspicious transaction reporting, outsourcing and reliance, record retention and personal data processing, monitoring and management of compliance and deficiencies, recruitment and assignment checks for good repute, internal communication to agents and service providers, and training policies including for Regulation (EU) 2023/1113 and administrative acts issued by supervisors. Policies must be recorded in writing. Internal policies must be approved by the management body in its management function. Internal procedures and controls must be approved at least at the level of the compliance manager.
This drives a practical change for Gibraltar firms. Many frameworks rely on a mix of policy, guidance, and working practice. Under the Single Rule Book framing, you should tighten the policy architecture:
Define what is policy, what is procedure, and what is control.
Map each requirement to an owner and an approval level.
Build a controlled document set for agents, distributors, and service providers involved in AML controls.
The business wide risk assessment must cover money laundering and terrorist financing risk, and also the risks of non implementation and evasion of targeted financial sanctions. It must consider Annex I variables and Annex II and III risk factors, Union level risk assessments, national and sector risk assessments, publications by international standard setters and by the Commission or AMLA, information from competent authorities, and information on the customer base.
The core risk variable structure includes customer risk variables, geographical risk variables, and product, service, transaction, and delivery channel variables. That reinforces the expectation that risk assessment is multi dimensional and structured, not a narrative exercise.
The risk assessment must be documented, kept up to date, and reviewed when internal or external events materially affect risks. It must be available to supervisors on request. The compliance officer draws it up, the management body approves it, and where a supervisory function exists it is communicated to that body.
The framework introduces explicit governance roles.
A compliance manager is a member of the management body in its management function and is responsible for ensuring compliance with the Regulation, Regulation (EU) 2023/1113, and supervisory administrative acts. The compliance manager ensures policies and controls match risk exposure, ensures resources are allocated, receives information on significant weaknesses, and assists the management body with decisions.
A compliance officer is appointed by the management body with sufficiently high hierarchical standing. The compliance officer runs day to day AML CFT operations including targeted financial sanctions implementation and serves as contact point for competent authorities. The compliance officer is responsible for suspicious transaction reporting to the FIU. Removal triggers notification obligations and the compliance officer can provide information to the supervisor about their removal.
There are also independence expectations. The compliance officer and audit function must be able to report directly to the management body and raise concerns independently. The compliance manager must report regularly and at least annually submit a report drawn up by the compliance officer on the implementation of policies and controls, and take actions to remedy deficiencies. Roles can be combined where justified by nature, risks, complexity, and size.
For firms, this is not just job titles. It requires you to review:
Terms of reference for the board and management committees.
Delegated authorities for policy approval and exception sign off.
How the annual AML report is structured and evidenced.
Any employee, including agents and distributors, who participates directly in AML compliance must undergo an assessment approved by the compliance officer. The assessment covers skills, knowledge and expertise, and good repute, honesty and integrity. It must be done before taking up activities and repeated regularly, with intensity based on task risk.
Employees with AML tasks must disclose close private or professional relationships with customers or prospective customers and must be prevented from undertaking AML tasks related to those customers. Firms must have procedures to prevent and manage conflicts of interest affecting AML tasks.
CDD must be applied in specified circumstances, including when participating in the creation of a legal entity or setting up a legal arrangement, and when there are doubts about whether the person is the customer or authorised. For credit and financial institutions excluding crypto asset service providers, CDD is required when initiating or executing an occasional transfer of funds of at least EUR 1,000, including linked transactions.
Crypto asset service providers must apply CDD for occasional transactions of at least EUR 1,000 and must apply at least the identification measure for transactions below EUR 1,000. Obliged entities must apply at least identification measures for occasional cash transactions of at least EUR 3,000. Gambling providers apply CDD at EUR 2,000 thresholds for winnings or stakes.
The definition of who is the customer is expanded in specific sectors. For example, for persons trading in certain goods, the supplier of goods can be treated as a customer in addition to the direct customer. For lawyers and notaries intermediating a transaction, both parties can be customers in certain circumstances. Real estate agents treat both parties as customers. Payment initiation services treat the merchant as the customer. Crowdfunding contexts treat both fund seeker and fund provider as customers.
CDD measures include, among other items, verifying targeted financial sanctions exposure of customers and beneficial owners, and for legal entity customers checking whether designated persons control the entity or have more than 50 percent of proprietary rights or majority interest, whether individually or collectively. It also includes identifying and verifying other natural persons where a transaction is conducted on behalf of or for the benefit of persons other than the customer, and verifying authority to act.
The extent of CDD measures must be set through individual risk analysis, taking account of the business wide risk assessment, Annex I variables, and Annex II and III risk factors.
For natural persons, identification data includes full names, place and full date of birth, nationalities or relevant status, national identification number where applicable, usual residence or postal address where no fixed address, and where available the tax identification number.
For legal entities, it includes legal form, name, registered office and principal place of business, country of creation, names of legal representatives, and where available registration number, tax identification number, and Legal Entity Identifier. It also requires names of persons holding shares or a directorship position in nominee form, with reference to their nominee status.
For trustees, it requires basic information on the arrangement, identification of relevant assets in scope, trustee addresses and administration location, the powers regulating and binding the arrangement, and where available tax identification number and Legal Entity Identifier.
Virtual IBANs get specific treatment. Credit and financial institutions must obtain information to identify and verify the persons using virtual IBANs they issue and the associated bank or payment account. The institution servicing the underlying account must be able to obtain identity information from the institution issuing the virtual IBAN.
Verification can be by identity documents and reliable independent sources, or by electronic identification means meeting eIDAS assurance levels substantial or high and qualified trust services. Beneficial ownership verification must include consulting the central registers.
Real estate agents have a timing rule: verify identity after an offer is accepted and before funds or property transfer. When entering a new relationship with a legal entity or trustee, obliged entities must collect proof of registration or a recent excerpt from the beneficial ownership register confirming valid registration.
Before entering a relationship or performing an occasional transaction, the firm must understand purpose and intended nature and may need to obtain information such as estimated amount of envisaged activity, destination of funds, and the customer’s business activity or occupation. There is a specific expectation to collect information to determine whether intended use of high value goods is commercial or non commercial.
Ongoing monitoring must keep documents, data, and information up to date. The maximum period between updates is capped: one year for higher risk customers and five years for all other customers. For credit and financial institutions, sanctions verification must also be carried out upon any new designation related to targeted financial sanctions.
Where customers are subject to UN financial sanctions, or controlled by sanctioned persons, or have sanctioned persons with more than 50 percent proprietary rights or majority interest, obliged entities must keep records of funds and other assets managed at the time sanctions are made public, transactions attempted, and transactions carried out. The measures apply between publication of UN sanctions and application of the relevant targeted financial sanctions in the Union.
Where the EU identifies third countries with significant strategic deficiencies, obliged entities must apply enhanced due diligence to relationships or transactions involving persons from those countries. Countermeasures can include additional elements of enhanced due diligence, enhanced reporting or systematic transaction reporting, and limitations on relationships or transactions. Member State level countermeasures can include restrictions on branches and subsidiaries and increased audit or supervisory examination, and review or termination of correspondent relationships in relevant cases.
Simplified due diligence is allowed where the relationship presents a low degree of risk, taking account of Annex II and III risk factors.
Annex II lower risk factors include effective AML CFT systems, public companies, low corruption public administrations, low risk residents, credible AML CFT requirements, low premium life insurance, pension schemes, financial inclusion products, and electronic money.
Permitted simplified measures include delayed verification up to 60 days, reduced update frequency, reduced purpose and intended nature information, reduced monitoring frequency or degree, and other simplified measures identified by AMLA. Firms must document decisions to take account of lower risk factors and adopt procedures to manage risk when services are provided before verification, including transaction limits and monitoring. Firms must verify regularly that conditions for simplified due diligence still exist.
Simplified due diligence must not be applied where lower risk factors are no longer present, monitoring excludes a lower risk scenario, or there is a suspicion of attempted sanctions circumvention or evasion.
Enhanced due diligence starts with transaction scrutiny. Firms must examine origin and destination of funds and purpose for transactions that are complex, unusually large, conducted in an unusual pattern, or lack apparent economic or lawful purpose. Risk assessment must consider Annex III higher risk factors and AMLA guidelines, FIU notifications, and the firm’s business wide risk assessment.
Annex III higher risk themes include private banking, anonymity favoured products, unknown third party, delivery channel risk, new products and technologies, high risk transactions, FATF monitoring context, weak AML CFT geographical risk, and corruption and criminal activity.
Article 34(4) is supported by regulatory technical standards to be issued. The expected EDD coverage areas include deeper work on customer and beneficial owners, intended nature of the relationship, additional information gathering, source of funds and wealth, senior management approval, ongoing relationship controls, reasons for enhanced due diligence, transaction scrutiny, enhanced monitoring and transaction pattern examination, and controls aligned to credit institution standards including increased number and timing of controls and a first payment requirement concept.
There is also a specific high asset trigger. Where a higher risk relationship involves handling assets of at least EUR 5,000,000 through personalised services for a customer holding total assets of at least EUR 50,000,000 excluding the private residence, credit and financial institutions and TCSPs must apply additional EDD. This includes procedures to mitigate risks associated with personalised services and products, obtaining additional source of funds information, and preventing and managing conflicts of interest between the customer and senior management or employees undertaking compliance tasks related to that customer.
For cross border correspondent relationships involving crypto asset services with a respondent entity not established in the Union, crypto asset service providers must conduct specific EDD steps, including licensing or registration checks, understanding business nature and reputation and quality of supervision, assessing AML controls, senior management approval, documenting responsibilities, and payable through account assurance including the respondent’s ability to provide CDD data on request.
For transfers involving self hosted addresses, crypto asset service providers must assess ML and TF risk and apply mitigating measures such as identifying and verifying originators or beneficiaries, requiring additional information on origin and destination of crypto assets, enhanced monitoring, and other measures to mitigate AML and sanctions evasion risks.
Member States must keep an up to date list of prominent public functions. Firms must apply measures for persons who cease to be PEPs for at least 12 months after they cease to hold a prominent public function, and longer if the risk continues. The measures are linked to the enhanced due diligence measures under Article 34(4). The same approach applies where a firm deals with a person who previously held a prominent public function in the Union, a Member State, a third country, or an international organisation. Measures also apply to family members and close associates.
Two reporting related changes affect how firms resource FIU engagement and how they handle non suspicion based thresholds.
FIU responsiveness becomes time bound. Obliged entities must reply to FIU requests for information within five working days. In justified and urgent cases, FIUs may shorten that deadline, including to less than 24 hours. The FIU may extend beyond five working days where justified and where the extension does not undermine analysis. This should drive a practical review of your FIU request handling process, including escalation, coverage, and the ability to retrieve records quickly.
There are threshold based reports for transactions in certain high value goods, even in the absence of suspicion. Persons trading in high value goods must report to the FIU all transactions involving the sale for non commercial purposes of motor vehicles priced at least EUR 250,000, watercraft priced at least EUR 7,500,000, and aircraft priced at least EUR 7,500,000. Credit institutions and financial institutions providing services in relation to the purchase or transfer of ownership must also report the transactions they carry out for customers in relation to those goods. Reporting is within deadlines imposed by the FIU.
There is also a cash control that links directly to FIU reporting and ties to the headline item on a EUR 10,000 cash restriction. Persons trading in goods or providing services may accept or make a payment in cash only up to EUR 10,000, whether as a single operation or linked operations. The limit does not apply to payments between natural persons not acting professionally, or to deposits made at the premises of credit institutions and certain other regulated payment sector firms, but deposits above the limit must be reported to the FIU within FIU deadlines.
For Gibraltar financial sector compliance teams, the combined impact is operational:
You should plan for faster FIU turnaround expectations, supported by case management and retrieval capability.
You should ensure your monitoring and escalation logic can capture threshold based reporting triggers where your firm provides services connected to high value goods purchases or transfers.
You should ensure front line and operations understand the EUR 10,000 cash limit context and the reporting expectation for deposits above the limit where applicable in your business model.
Firms should treat July 2027 as a hard operational deadline and work back from it. Start with a structured gap assessment against the Single Rule Book requirements and the supporting changes in UBO rules, account and real estate information access, cash limits, and transaction based reporting. Translate the gaps into a delivery plan with clear owners, board oversight, and evidence that shows how the framework meets each requirement in practice, not just on paper.
Build governance and accountability early. Put in place the compliance manager and compliance officer responsibilities, update management body terms of reference, and reset your policy architecture so approvals, delegated authorities, and reporting lines match the new model. Align the business wide risk assessment to include targeted financial sanctions evasion risk, and make it the control document that drives CDD depth, monitoring intensity, and review cycles.
Invest in data and workflow because the regime is time bound and data rich. Your systems and procedures need to capture the expanded identity and beneficial ownership datasets, evidence register consultation, and run discrepancy handling to the 14 day reporting deadline. You also need reliable periodic review scheduling so higher risk customers are refreshed at least annually and all other customers within five years, with clear triggers for earlier review where risk changes.
Prepare for a faster, more connected information environment. Central registers for bank, securities and crypto accounts, and a single access point for real estate information, will make authorities quicker at identifying links and testing your file. Match that reality by tightening record keeping, ensuring you can respond to FIU requests within five working days and, where required, within hours, and by embedding threshold based reporting triggers where your services touch high value goods transactions.
Finally, run implementation as a change programme, not a policy refresh. Train staff and relevant third parties on the new definitions, customer scope rules, sanctions related checks, conflict of interest controls, and the cash restriction and reporting expectations. Test the controls with file reviews and scenario exercises that prove you can meet the deadlines and produce the required evidence consistently, before July 2027 arrives.
If you need help in getting ready, feel free to get in contact with me: david.parody@gmail.com or via LinkedIn https://www.linkedin.com/in/dparody/