Get Messy, but not dirty!

A Framework for an Omani Regulatory Sandbox 

July 21st, 2020 | 15 min. read

By Saleh Al Tamami | Co-Founder & CEO

Having just launched , I reflect on some of the regulatory challenges we may face ahead. I know we are not alone.

Startups or established businesses entering a new domain of a non regulated area – or areas where the laws are a bit murky – face a tremendous amount of risk. 

The first knee jerk reaction to a new, unregulated development is usually:

fintech sandbox oman
The case for a regulatory fintech sandbox

Well if it’s not regulated, forget about it, it’s illegal!

Yet there are beautiful cases, such as here in Oman (Remember OTaxi?), where the knee jerk reaction was invoked, but then the regulator and the startup came to an understanding and voila, all were happy and OTaxi was confidently able to operate legally.


Gently Down the Stream

Laws are fluid and dynamic. They can never foresee all scenarios or all possibilities, and that’s why they change and evolve over time. But more often, they are reactive than proactive.

In the fintech context, we have seen this happen time and time again. Central banks were always a step behind the fast pace of innovation and it took them decades to catch up. In most parts of the world, financial regulators are almost always catching up.

And hey, it’s not easy for a regulator to constantly think of new scenarios, create new laws or policies, whilst at the same time monitor those that are not abiding by the existing laws. My hat tips to all those who work day in day out, with this difficult and important responsibility.

If you can’t measure it, you can’t manage it. If this old saying speaks volumes for innovation, what does it say for the regulation of innovation?


Regulation in Facilitation

So, how can a regulator be pro-active, and through an engaging framework, be accommodating of hard regulatory questions that the regulator and society, may not necessarily know the answers to?

When dealing with sensitive and high risk information and transactions, such as in FinTech, this becomes even more important to consider.

Like kids who are curious and want to test, play and experiment with new ideas or models, a Regulatory Sandbox is the environment that allows for startups or companies or individuals, to do exactly that; test, play and experiment with ideas that are not necessarily straightforward.

Apart from Open Banking, regulatory sandboxes in my opinion, are one of, if not the only real, tangible and legally mandated innovation framework for driving fintech growth and adoption.


A Regulatory Sandbox for Oman

Within the context of the Central Bank of Oman (CBO), this paper discusses in detail what a regulatory sandbox could look like, and some of the questions the CBO and other stakeholders could consider. 

  • FAQs – on what a central bank’s regulatory sandbox is, why and who is it for?
  • Potential Risks
  • Things to consider
  • Suggested guidelines for launching a regulatory sandbox
  • Typical sandbox application and licensing road-map
  • Links to regulatory sandboxes from around the region

Note, the same could also be said for other regulatory bodies like the Capital Markets Authority (CMA), or the Telecom Regulatory Authority (TRA).

There are definitely strides towards this direction that are being sponsored by quasi-government bodies like the Blockchain sandbox by the Information Technology Authority (ITA) or ASYAD Group’s Tech Try, or other more hands-on technical and industrial oriented workshops and labs. But when the regulator is involved, or leads the framework, the pathway to answer hard regulatory sensitive questions, makes the process, and its outcomes, more concrete.



Frequently Asked Questions

What is a Regulatory Sandbox?

A Regulatory Sandbox is a controlled environment where businesses can test their innovative financial products, services, business models, and delivery mechanisms, in a live environment, while being closely monitored by regulators, that does not jeopardize the stability of the financial and banking system.

What is the purpose and key benefits of a Regulatory Sandbox?

A Regulatory Sandbox allows regulators to gain a better understanding of the product or service and to determine what, if any, regulation is necessary to protect consumers.

For businesses, a Sandbox presents an opportunity to test the viability of their product, service, etc. on a small scale, and allows them to find and address any issues before the product or service is offered on a large scale.

Most significant benefits include enhancing efficiency in understanding and complying with regulatory requirements, improving risk management skills, and finally, ensuring the participants’ competitiveness by:

  • Having a standardized and publicized framework for dealing with innovations that promote open and transparent communication between regulator and the sandbox entities to facilitate learning from each other.
  • A clear signal to the market and among the regulatory staff that innovation is on the regulator’s agenda and for the betterment of the national economy.
  • Reducing both the time-cycle needed to launch the proposed product or service in the local market and the associated cost.
  • Facilitating the testing of the proposed product or service before deploying it in the local market.
  • Enabling cooperation between innovators and regulator in order to facilitate complete compliance with all regulations relevant to deployment of the proposed product or service.

How does the Regulatory Sandbox work?

Businesses offer their innovative products and services to the public on a small scale, while being closely monitored by Regulators. Regulators monitor the activity and determine if the product or service should be regulated, and how to regulate it.

Why would a regulator like CBO consider introducing this?

FinTech innovations can differ significantly from traditional financial services, so there can be some uncertainty on how they should be regulated. By allowing businesses to test their products and services within the controlled live environment of a Regulatory Sandbox, CBO will be able to determine whether existing regulations are sufficient to protect consumers, or if new legislation is needed.

What type of businesses is the Sandbox for?

The Regulatory Sandbox is intended for businesses testing technology-based financial products and services. The business can be any size or level; a startup or large conglomerate, interested in some aspect of FinTech. 

How long does the Sandbox last?

The duration will vary based on the nature of the product or service being offered by the business, however, the process should be time-bound with a clear pathway to application, testing, deploying, and license approval/disapproval.



There are several worth considering, and really, others that may only be identified after starting one. These are the most prominent in my view: 

Establishment of a regulatory sandbox by one authority (as opposed to multiple) may disadvantage innovators in other areas (e.g., insurance, if the sandbox is established by CBO) unless a coordination mechanism is put in place.

Potential competition issues that stem from advantages sandbox companies may gain. First to market advantages for a business may be unfair if the selection criteria are not defined clearly or there is a lack of transparency leading to selection preference or the appearance of selection preference.

Discrediting sandbox applicants because of the limited capacity of the regulator to assess the business model or technology underlying the innovation.

Liability issues in case of failed testing that resulted in harm to customers or other market participants, which may threaten the reputation of the regulator and trust of customers in the financial system. Potential legal liability too under administrative laws?

Where staff capacity is stretched, stretching it further with regulatory sandboxes may have a negative impact on other areas of the regulator’ responsibilities (e.g., regulation, monitoring, supervision, and enforcement).

Loss in opportunity and resources to make the best of a sandbox trial by not delivering actual tangible support to galvanize the rest of the ecosystem; financial institutions, customers, other stakeholders. 


Things to Consider

Legal and regulatory framework. The legal and regulatory framework determines two important things:

  1. The ability of a regulator to set up a sandbox—the statutory mandate to set up a sandbox.
  2. The flexibility of a sandbox—i.e., the discretion the regulator can exercise regarding the issuance of waivers and temporary exemptions to sandbox companies.

Stakeholder ecosystem. All except a few of the sandboxes in the world have been established by one regulator (as opposed to multiple regulators working in collaboration). Where multiple sandboxes exist within a single jurisdiction, a coordination mechanism such as joint selection committee, should be put in place. i.e., involvement with the Blockchain sandbox developed by ITA, CMA, TRA. Not to mention, other GCC regulatory sandboxes. The borderless nature of digital technology adds further complexity.

Capacity and resources. Operating a regulatory sandbox requires adequate resources (staff and funding).  CBO may need to consider less costly alternatives. For example, establish a mechanism for enabling better and easier communication between CBO and innovators without setting up a full-fledged sandbox; CBO can mandate and allow existing banks and financial institutions to provide independent sandbox programs from within their internal systems, which in turn is connected to the central real-time settlement networks. While CBO serves as registration custodian and supervisory/oversight role. 

Market conditions. Factors that are important in assessing market conditions include the quality and quantity of innovation in the market, the number and types of financial services providers and their offerings, the level of competition, state of market growth, the quality of innovation, and the level of development of financial market infrastructure.

Transparency.  Would there be a window for the public and other aspiring applicants, to be able to view basic information and data on the ongoing sandbox participants? How much information is too much, when trying to safeguard a participant’s business plans?



A Suggested Guideline for Launching a Regulatory Sandbox

Develop and nurture the ecosystem. The key element to a successful sandbox is the ecosystem developed around it. There are three groups of stakeholders that need to be involved in the sandbox: FinTech Startups/Innovators/Businesses, Regulators, and Investors (VCs & Accelerators). Identifying the right members of these groups is the first step to building the sandbox.

Identify the areas of banking/finance. Areas that would benefit the most from innovation (i.e. Open Banking, Online Payments, eKYC, Blockchain, Credit Scoring, etc.). Then, provide startups with the resources necessary to experiment in those areas under regulatory watch, leveraging members of the ecosystem as partners and mentors.

Identify ways to fund the sandbox. Since the sandbox is a not for profit entity/department it should find funding for its operations without causing a burden on CBO, such as:

  • License Fees: Corporates, startups and Venture Capital firms backing the startups, can be charged for the right to become part of the sandbox. However, this could be a deterrent for startup innovation if fees are not kept free or near-free for startups.
  • Corporate Sponsorship: Leveraging financial institutions in the ecosystem to sponsor the sandbox as part of their innovation programs. This would give them early access to innovative startups, and engagement with the technologies being tested and developed.
  • Special Programs Funding: Leverage funding available to support innovation in general.

Choose the organizational structure and governing members of the sandbox. The sandbox is suggested to have: An Advisory Boarda Technical Committee and a Management Team. Most of the members of these bodies should come from partner organizations, specifically CBO (and perhaps in coordination with other regulators such as CMA, TRA, The Public Authority for Consumer Protection) Financial Institutions, and Government (e.g. Ministry of Technology & Communications) Technical expertise is required, and it is suggested to hire a full-fledged consulting and technical implementation partner to ensure system readiness and integration with existing CBO real-time settlement systems.

Get inspired from other programs. Inspiration can be drawn from other FinTech sandboxes in the region and abroad. Successful cases can be found in the UAE (AbuDhabi and Dubai), Bahrain, Singapore, and Malaysia. See the end of the article for a list of examples around the region.

Determine the Applicant Evaluation Criteria to approve companies into the sandbox and measure their performance.


There is an opportunity to re-write the rules too. For example, why not have the regulator take a slight step back, and allow (or mandate) established FIs to experiment and launch their own mini-sandboxes in partnership with fintechs, with a defined sandbox framework, overseen by the regulator? 


Typical Sandbox Application and Licensing Road-Map

The Regulatory Sandbox can be in the form of:

  1. Cohorts (groups) of applicants for one seasons/time duration joining together; or
  2. Rolling (i.e. have different companies apply at any time and go through the program independently, a continuous stream of companies going through the sandbox).

Regardless of the application format, it is suggested to be time-bound i.e. maximum of 1 year from application date, to reaching a licensing decision. 

The entire lifecycle is split into 4x stages: Application, Evaluation, Experimentation and finally Accreditation.

Stage 1: Application

An application form is filled and judged against certain criteria including:

  • Local deployment and Innovation. Innovation factor should be high, and considered within benefits to the local economy in line with CBO’s policy priorities.
  • Product/Service Applicability. Should be applicable and where it may slightly contravene with very established laws and regulations, the risks should not be high. 
  • Value Proposition.  Should have benefits to both customer (e.g. speed, efficiency, security, lowered costs) and to the market (e.g. market growth, financial inclusion, effective competition).
  • Readiness to test. May be a ready solution with a clear testing plan, or if in an idea stage only (for a pre-approval) to nonetheless have the following considerations:
    • Testing Plan with clear objectives, parameters, standards for successful implementation.
    • Customer Protection Plan to have necessary guarantees and appropriate compensation plans if necessary.
    • Risk Assessment Report of potential risks and how to mitigate them.
  • Deployment plan. Implementation time frame in case of approval, and general strategies for go-to-market.

Stage 2: Evaluation

Technical and regulatory evaluation of the application will be time-bound, and the applicant will be informed of approval or not.

Stage 3: Experimentation

Deploy the product/service in a controlled environment with dummy data/simulations, against the application criteria. Scope of testing to be determined on a case-to-case basis. Thereafter experimentation can be with live data with a controlled pool of live customers. Results to be carefully measured. New or amended regulations to be considered if needed.

Stage 4: Accreditation

CBO to grant either final approval, initial approval with further recommendations/suggested amendments, or reject the proposal. If any other licenses are required from other governing bodies (e.g. CMA, TRA) the advisory board shall recommend/guide on the same. In case of final approval, a license is issued to the applicant.


Examples of Regulatory Sandboxes in the Region

Just look at how young some of these are! Note the first sandbox in the world was in the UK launched just 2015, followed shortly by Singapore, Hong Kong and a few others. 

Abu Dhabi Global Market RegLab – 2016

Dubai Innovation Testing License – 2017

Bahrain FinTech Regulatory Sandbox – 2017

Egypt FinTech Application Lab – 2019

KSA SAMA Regulatory Sandbox – 2019

Kuwait Regulatory Sandbox – 2018

Jordan FinTech Regulatory Sandbox – 2018

Stay up to date with more Ma’mun insights and product updates