Startups or established businesses entering a new domain of a non regulated area – or areas where the laws are a bit murky – face a tremendous amount of risk.
The first knee jerk reaction to a new, unregulated development is usually:
Well if it’s not regulated, forget about it, it’s illegal!
Yet there are beautiful cases, such as here in Oman (Remember OTaxi?), where the knee jerk reaction was invoked, but then the regulator and the startup came to an understanding and voila, all were happy and OTaxi was confidently able to operate legally.
Laws are fluid and dynamic. They can never foresee all scenarios or all possibilities, and that’s why they change and evolve over time. But more often, they are reactive than proactive.
In the fintech context, we have seen this happen time and time again. Central banks were always a step behind the fast pace of innovation and it took them decades to catch up. In most parts of the world, financial regulators are almost always catching up.
And hey, it’s not easy for a regulator to constantly think of new scenarios, create new laws or policies, whilst at the same time monitor those that are not abiding by the existing laws. My hat tips to all those who work day in day out, with this difficult and important responsibility.
If you can’t measure it, you can’t manage it. If this old saying speaks volumes for innovation, what does it say for the regulation of innovation?
So, how can a regulator be pro-active, and through an engaging framework, be accommodating of hard regulatory questions that the regulator and society, may not necessarily know the answers to?
When dealing with sensitive and high risk information and transactions, such as in FinTech, this becomes even more important to consider.
Like kids who are curious and want to test, play and experiment with new ideas or models, a Regulatory Sandbox is the environment that allows for startups or companies or individuals, to do exactly that; test, play and experiment with ideas that are not necessarily straightforward.
Apart from Open Banking, regulatory sandboxes in my opinion, are one of, if not the only real, tangible and legally mandated innovation framework for driving fintech growth and adoption.
Within the context of the Central Bank of Oman (CBO), this paper discusses in detail what a regulatory sandbox could look like, and some of the questions the CBO and other stakeholders could consider.
There are definitely strides towards this direction that are being sponsored by quasi-government bodies like the Blockchain sandbox by the Information Technology Authority (ITA) or ASYAD Group’s Tech Try, or other more hands-on technical and industrial oriented workshops and labs. But when the regulator is involved, or leads the framework, the pathway to answer hard regulatory sensitive questions, makes the process, and its outcomes, more concrete.
What is a Regulatory Sandbox?
A Regulatory Sandbox is a controlled environment where businesses can test their innovative financial products, services, business models, and delivery mechanisms, in a live environment, while being closely monitored by regulators, that does not jeopardize the stability of the financial and banking system.
What is the purpose and key benefits of a Regulatory Sandbox?
A Regulatory Sandbox allows regulators to gain a better understanding of the product or service and to determine what, if any, regulation is necessary to protect consumers.
For businesses, a Sandbox presents an opportunity to test the viability of their product, service, etc. on a small scale, and allows them to find and address any issues before the product or service is offered on a large scale.
Most significant benefits include enhancing efficiency in understanding and complying with regulatory requirements, improving risk management skills, and finally, ensuring the participants’ competitiveness by:
How does the Regulatory Sandbox work?
Businesses offer their innovative products and services to the public on a small scale, while being closely monitored by Regulators. Regulators monitor the activity and determine if the product or service should be regulated, and how to regulate it.
Why would a regulator like CBO consider introducing this?
FinTech innovations can differ significantly from traditional financial services, so there can be some uncertainty on how they should be regulated. By allowing businesses to test their products and services within the controlled live environment of a Regulatory Sandbox, CBO will be able to determine whether existing regulations are sufficient to protect consumers, or if new legislation is needed.
What type of businesses is the Sandbox for?
The Regulatory Sandbox is intended for businesses testing technology-based financial products and services. The business can be any size or level; a startup or large conglomerate, interested in some aspect of FinTech.
How long does the Sandbox last?
The duration will vary based on the nature of the product or service being offered by the business, however, the process should be time-bound with a clear pathway to application, testing, deploying, and license approval/disapproval.
There are several worth considering, and really, others that may only be identified after starting one. These are the most prominent in my view:
Establishment of a regulatory sandbox by one authority (as opposed to multiple) may disadvantage innovators in other areas (e.g., insurance, if the sandbox is established by CBO) unless a coordination mechanism is put in place.
Potential competition issues that stem from advantages sandbox companies may gain. First to market advantages for a business may be unfair if the selection criteria are not defined clearly or there is a lack of transparency leading to selection preference or the appearance of selection preference.
Discrediting sandbox applicants because of the limited capacity of the regulator to assess the business model or technology underlying the innovation.
Liability issues in case of failed testing that resulted in harm to customers or other market participants, which may threaten the reputation of the regulator and trust of customers in the financial system. Potential legal liability too under administrative laws?
Where staff capacity is stretched, stretching it further with regulatory sandboxes may have a negative impact on other areas of the regulator’ responsibilities (e.g., regulation, monitoring, supervision, and enforcement).
Loss in opportunity and resources to make the best of a sandbox trial by not delivering actual tangible support to galvanize the rest of the ecosystem; financial institutions, customers, other stakeholders.
Legal and regulatory framework. The legal and regulatory framework determines two important things:
Stakeholder ecosystem. All except a few of the sandboxes in the world have been established by one regulator (as opposed to multiple regulators working in collaboration). Where multiple sandboxes exist within a single jurisdiction, a coordination mechanism such as joint selection committee, should be put in place. i.e., involvement with the Blockchain sandbox developed by ITA, CMA, TRA. Not to mention, other GCC regulatory sandboxes. The borderless nature of digital technology adds further complexity.
Capacity and resources. Operating a regulatory sandbox requires adequate resources (staff and funding). CBO may need to consider less costly alternatives. For example, establish a mechanism for enabling better and easier communication between CBO and innovators without setting up a full-fledged sandbox; CBO can mandate and allow existing banks and financial institutions to provide independent sandbox programs from within their internal systems, which in turn is connected to the central real-time settlement networks. While CBO serves as registration custodian and supervisory/oversight role.
Market conditions. Factors that are important in assessing market conditions include the quality and quantity of innovation in the market, the number and types of financial services providers and their offerings, the level of competition, state of market growth, the quality of innovation, and the level of development of financial market infrastructure.
Transparency. Would there be a window for the public and other aspiring applicants, to be able to view basic information and data on the ongoing sandbox participants? How much information is too much, when trying to safeguard a participant’s business plans?
Develop and nurture the ecosystem. The key element to a successful sandbox is the ecosystem developed around it. There are three groups of stakeholders that need to be involved in the sandbox: FinTech Startups/Innovators/Businesses, Regulators, and Investors (VCs & Accelerators). Identifying the right members of these groups is the first step to building the sandbox.
Identify the areas of banking/finance. Areas that would benefit the most from innovation (i.e. Open Banking, Online Payments, eKYC, Blockchain, Credit Scoring, etc.). Then, provide startups with the resources necessary to experiment in those areas under regulatory watch, leveraging members of the ecosystem as partners and mentors.
Identify ways to fund the sandbox. Since the sandbox is a not for profit entity/department it should find funding for its operations without causing a burden on CBO, such as:
Choose the organizational structure and governing members of the sandbox. The sandbox is suggested to have: An Advisory Board, a Technical Committee and a Management Team. Most of the members of these bodies should come from partner organizations, specifically CBO (and perhaps in coordination with other regulators such as CMA, TRA, The Public Authority for Consumer Protection) Financial Institutions, and Government (e.g. Ministry of Technology & Communications) Technical expertise is required, and it is suggested to hire a full-fledged consulting and technical implementation partner to ensure system readiness and integration with existing CBO real-time settlement systems.
Get inspired from other programs. Inspiration can be drawn from other FinTech sandboxes in the region and abroad. Successful cases can be found in the UAE (AbuDhabi and Dubai), Bahrain, Singapore, and Malaysia. See the end of the article for a list of examples around the region.
Determine the Applicant Evaluation Criteria to approve companies into the sandbox and measure their performance.
There is an opportunity to re-write the rules too. For example, why not have the regulator take a slight step back, and allow (or mandate) established FIs to experiment and launch their own mini-sandboxes in partnership with fintechs, with a defined sandbox framework, overseen by the regulator?
The Regulatory Sandbox can be in the form of:
Regardless of the application format, it is suggested to be time-bound i.e. maximum of 1 year from application date, to reaching a licensing decision.
The entire lifecycle is split into 4x stages: Application, Evaluation, Experimentation and finally Accreditation.
Stage 1: Application
An application form is filled and judged against certain criteria including:
Stage 2: Evaluation
Technical and regulatory evaluation of the application will be time-bound, and the applicant will be informed of approval or not.
Stage 3: Experimentation
Deploy the product/service in a controlled environment with dummy data/simulations, against the application criteria. Scope of testing to be determined on a case-to-case basis. Thereafter experimentation can be with live data with a controlled pool of live customers. Results to be carefully measured. New or amended regulations to be considered if needed.
Stage 4: Accreditation
CBO to grant either final approval, initial approval with further recommendations/suggested amendments, or reject the proposal. If any other licenses are required from other governing bodies (e.g. CMA, TRA) the advisory board shall recommend/guide on the same. In case of final approval, a license is issued to the applicant.
Just look at how young some of these are! Note the first sandbox in the world was in the UK launched just 2015, followed shortly by Singapore, Hong Kong and a few others.
KSA SAMA Regulatory Sandbox – 2019
Kuwait Regulatory Sandbox – 2018