Since the launch of the UK’s regulatory sandbox in May 2016, regulators across the globe have adopted similar frameworks. There are now regulatory sandboxes in Abu Dhabi, Australia, Canada, Hong Kong, Lithuania, Singapore, Switzerland and Thailand, to name a few, and the European Union recently set out proposals for a possible EU-wide regulatory sandbox.
The “sandbox” is a concept that regulators have adopted from the world of software development. A sandbox is a tool that allows developers to test a technological proof of concept prior to a full-scale public release. This gives a firm the ability to amend and improve a product iteratively based on feedback before path dependency and network effects set in and before it has invested significant sunk costs in the project.
In a regulated sector such as financial services, this iterative approach can be difficult for firms to replicate, particularly for startups, which typically lack the regulatory permissions that are needed to conduct real-world tests. By allowing new firms to experiment with real customers in a regulatory sandbox, regulators hope to remove some of the temptation for firms to rely on loopholes, regulatory arbitrage or an aggressive reading of financial services rules, in order to try to fall outside the scope of regulation in their testing phase. The sandbox is designed to create a “safe space” in which firms can enter the financial services market and experiment with new ideas with a degree of regulatory oversight and support.
Such regulatory sandboxes are not only of interest to startup firms. They also have potential benefits for more established market players that are looking to launch innovative new products that do not fit easily within the mold of existing financial services regulation. This could include larger firms in the banking, payment services and asset management sectors. Indeed, in the UK’s first round of sandbox applications around one-third of all applications were from larger financial institutions such as banks.
This Update discusses the regulatory sandboxes in the UK, Hong Kong and Singapore and identifies points for firms thinking of using such sandboxes to consider.
The UK Financial Conduct Authority (FCA) launched its regulatory sandbox program in May 2016. So far 55 applicants have been accepted, with more expected to follow in the months ahead. Twenty-four applicants were accepted in the first cohort, 18 of which had their product testing plans approved in October 2016. A second cohort of 31 applicants were accepted on June 15, 2017. The FCA recently accepted applications for a third cohort and plans for a fourth cohort are anticipated. The firms accepted into the sandbox to date represent a range of market participants, both in terms of size and product types.
The sandbox aims to deliver more effective competition in the interests of consumers by:
- Reducing the time and, potentially, the cost of getting innovative ideas to market;
- Enabling greater access to funding for innovators;
- Enabling more products to be tested and, thus, potentially introduced to the market; and
- Allowing the FCA to work with innovators to ensure that appropriate consumer protection safeguards are built in to their new products and services.
The sandbox program is part of a broader initiative, “Project Innovate,” developed by the FCA to foster competition and growth in financial services by supporting businesses that are developing products and services that could “genuinely improve consumers’ experience and outcomes.” In addition to the regulatory sandbox, the FCA offers tailored regulatory support services to firms that it considers to be innovative and provides feedback to firms developing automated advice and guidance models.
To conduct a regulated activity in the UK, a firm must be authorized by or registered with the FCA, unless certain exemptions apply. Successful firms will need to apply for the relevant authorization or registration in order to test their products or services if these involve a regulated activity. However, the FCA has a tailored authorization process for firms accepted into the sandbox. Any authorization or registration is restricted and permits firms to test only the proposals agreed with the FCA. The FCA has stated that this tailored authorization process should make it easier for firms to meet its requirements and reduce the cost and time to get the test up and running.
The FCA has stated that the sandbox may be useful for the following types of firms:
a. Firms that need to become FCA authorized before testing their innovation in a live environment;
b. FCA authorized firms looking for clarity about rules before testing an idea that does not easily fit into the existing regulatory framework; and
c. Technology businesses that want to provide services to FCA regulated firms (e.g., through outsourcing agreements) and need clarity about rules before testing their services.
The sandbox is selective. The FCA is only able to monitor a small number of firms in each cohort and they are only interested in firms which they consider to be “genuinely innovative.” The box on the following page sets out the criteria and positive indicators that the FCA will consider when assessing applications. The positive indicators are not exhaustive and fulfilling each of them is not a condition of meeting the relevant criterion.
FCA Sandbox – Criteria and Positive Indicators
3. Consumer benefit: Does the innovation offer a good prospect of identifiable benefit to consumers (either directly or via heightened competition)?
4. Need for a sandbox: Do you have a genuine need to test the innovation in our sandbox?
5. Ready for testing: Are you ready to test the innovation in the real market with real consumers?
Firms considering applying for the FCA sandbox should think carefully about whether using the sandbox gives the firm an advantage over an application for full authorization (or a variation of permission) for the relevant activity. While the sandbox can provide firms with greater flexibility, it may also bring greater regulatory scrutiny of the relevant business and could lead to the business having to be discontinued if the FCA is not satisfied with the way in which the firm is running it. Another point to consider is that firms using the sandbox must have sufficient capital to compensate clients in the event of loss resulting from the service offered. This could potentially mean having a higher level of capital than the firm would be required to maintain under a full regulatory authorization (e.g., as a payment institution).
EU FinTech Developments
In September 2016, the Hong Kong Monetary Authority (the HKMA) announced the launch of its Fintech Supervisory Sandbox (the HKMA Sandbox).
The HKMA Sandbox initiative aims to allow banks to conduct pilot trials of FinTech and other technology initiatives within a controlled environment, without the need to fully comply with the HKMA’s usual regulatory requirements during the trial. The HKMA’s model is only available to banks regulated by the HKMA and excludes start-ups, stored value facility operators and other non-bank institutions. However, such entities may collaborate with a bank under this initiative and participate indirectly in the HKMA Sandbox with bank sponsorship.
There is no limit to the number of participants that may conduct tests in the HKMA Sandbox. From September 2016 to May 2017, 15 pilot trials of FinTech products were conducted by six banks, and some of these initiatives have since been rolled out to the market. The trials included FinTech products that relate to authentication options involving biometric features, application programming interfaces, soft tokens, chatbots, and securities trading and blockchain technology for use in mortgage valuation. Early assessments by participating banks have indicated that participation in the HKMA Sandbox helped accelerate the launching process for certain products by two to three months.
The HKMA does not currently publish a full list of supervisory requirements that may be relaxed during the FinTech product’s trial period. However, it has indicated that it will hold individual discussions with banks wishing to utilize the HKMA Sandbox regarding the appropriate supervisory flexibility. With the HKMA’s approval, banks can therefore test FinTech products without incurring the usual regulatory consequences during their development stage, such as certain security-related e-banking requirements and the requirement to conduct a pre-launch independent assessment for new technologies by third-party consultants.
HKMA Sandbox Controls
Banks interested in participating in the HKMA Sandbox are required to contact the HKMA. The HKMA has stated that it will continue to refine the HKMA Sandbox over time in light of its implementation experience and industry developments in this area.
The HKMA Sandbox is part of a broader regulatory policy to promote FinTech in Hong Kong’s banking sector. In March 2016, the HKMA established the Fintech Facilitation Office to support these efforts. The HKMA has also introduced several other initiatives, including the Cybersecurity Fortification Initiative in May 2016, which is a new platform comprising three pillars — cybersecurity risk assessment, intelligence sharing, and talent development — to enhance the cyber resilience of the banking system. Further, in collaboration with the Hong Kong Applied Science and Technology Research Institute (ASTRI), the HKMA embarked on a specialized research project on distributed ledger technology to explore its potential for application to the local banking industry and established the Fintech Innovation Hub at ASTRI’s premises to provide technical support for the banking and FinTech sectors. Finally, on a wider scale, the HKMA and the FCA have entered into a cooperation agreement to foster collaboration between the two regulators on FinTech.
Outside of the banking industry, lawmakers have urged regulators, such as the Securities and Futures Commission (SFC) and the Insurance Authority, to clone the HKMA’s Sandbox in order to progress FinTech initiatives for brokers, insurance companies and other non-bank organizations. For example, there have been calls to promote equity crowd funding, which is currently banned in Hong Kong. However, at present the SFC does not see a need to introduce a sandbox for the purposes of developing FinTech initiatives, while the Insurance Authority noted that its dedicated FinTech liaison platform would work to enhance greater communication with the FinTech industry in Hong Kong. Therefore, it remains to be seen whether Hong Kong will follow in the footsteps of the UK and Singapore in allowing financial institutions (other than banks) to conduct pilot trials of their FinTech solutions. It is clear, however, that the HKMA is committed to raising Hong Kong’s profile as a FinTech hub by taking active steps to provide the necessary regulatory environment conducive to the testing of new and innovative products and initiatives.
In November 2016, the Monetary Authority of Singapore (MAS) issued the FinTech Regulatory Sandbox Guidelines together with an application template form for applicants seeking entry into its regulatory sandbox.
There is no limit on the number of firms that may participate in the MAS’ sandbox. A successful sandbox applicant will have its name and the start and expiry dates of the sandbox period published on the MAS’ website. As of July 2017, there was one active participant in the sandbox.
The MAS aims to transform Singapore into a smart financial center by encouraging the adoption of innovative and safe technology in the financial sector. The objective of the sandbox is to encourage more FinTech experimentation within a well-defined space and duration where the MAS will provide the requisite regulatory support, so as to:
- Increase efficiency;
- Manage risks better;
- Create new opportunities; and
- Improve people’s lives.
To conduct an MAS-regulated activity in Singapore, a firm must be licensed by the MAS, unless it is able to utilize an applicable licensing exemption. With the introduction of the regulatory sandbox, the MAS may relax specific legal and regulatory requirements for conducting MAS-regulated activities on a case-by-case basis. Examples of legal and regulatory requirements that the MAS may consider relaxing for the duration of the sandbox experimentation period include asset maintenance and capital adequacy requirements, board composition and management experience, while examples of the requirements that the MAS intends to maintain include customer confidentiality and rules relating to anti-money laundering and countering terrorist financing.
MAS Evaluation Criteria
The sandbox is open to all firms, including financial institutions, technology firms and professional services firms partnering with or providing support to such businesses.
Interested applicants are encouraged to contact the MAS before submitting their applications, in order to clarify any questions regarding the sandbox. The MAS has indicated that it will inform applicants on the potential suitability of their proposed financial service to be in the sandbox within 21 working days of receipt of a properly completed application. If a proposed financial service is found to be potentially suitable, the MAS will then proceed to the next evaluation stage, at the end of which the MAS will either approve the application (in which case the applicant may proceed to the sandbox experimentation stage) or reject the application. At the end of the sandbox period, the legal and regulatory requirements relaxed by the MAS will expire, and the sandbox entity must exit from the sandbox. Upon exiting, the sandbox entity can proceed to deploy the financial service under experimentation on a broader scale, provided that the MAS and the sandbox entity are satisfied that the sandbox has achieved its intended test outcomes, and the sandbox entity can fully comply with the relevant legal and regulatory requirements.
The sandbox is part of the MAS’ vision for Singapore to be a Smart Financial Centre where innovation is pervasive and technology is widely used. In August 2015, the MAS formed a Financial Technology & Innovation Group (FTIG) within the MAS to drive the Smart Financial Centre initiatives. An MAS FinTech Office, established on May 3, 2016, serves as a one-stop virtual center for all FinTech-related matters and aims to promote Singapore as a FinTech hub. The MAS is working on a number of other technological initiatives within this broader regulatory policy, including in relation to activity-based regulation for payments, blockchain infrastructure for cross-border inter-bank payments, a national “know-your-customer” utility, and an open application programming interface (API) infrastructure.
Conclusion: To Play or Not to Play
Regulatory sandboxes may be a useful option for firms of all sizes to consider when launching innovative new products and services that do not fit easily within existing regulatory frameworks. However, firms should consider carefully whether testing the product in a regulatory sandbox is the best route to market. On that note, we leave sandbox hopefuls with a few tips . . .
- Don’t bring your bucket and spade until you’re ready to play
Firms should assess whether the product in question is likely to fulfil the criteria of the relevant sandbox. If the regulator does not think the firm has fulfilled the criteria, or the product is not ready for testing, you might find that you are not allowed in the sandbox.
- Don’t bother with the sandbox if you’re ready for the playground
If a firm is relatively certain of the regulatory authorization it requires for a full rollout of the product, applying to a regulatory sandbox may simply delay the go-to-market timeframe. Firms should consider whether restrictions or ambiguity under existing rules make applying for full authorization from the regulator problematic and whether further testing with an ongoing regulatory dialogue could be helpful. If so, the sandbox may be for you. If not, you may be better off just seeking authorization in the normal way.
- Remember you are being supervised
Unlike children playing in a sandbox, who may be blissfully unaware of a parent’s watchful eye (until they start throwing sand at one another), it will be very clear to firms testing products in a regulatory sandbox that they are subject to oversight. That may be no bad thing from the firm’s perspective, as it will have the benefit of continual feedback from the regulator as the product is developed and tested. It may also give the firm the opportunity to build a constructive working relationship with the regulator and learn more about the regulator’s supervisory culture and expectations. However, firms should also be mindful that the sandbox is as much about the regulator testing the firm as about the firm testing the product. As such, you had better be on your best behavior if you do not want a parent to take away your toys.
- Don’t get stuck in quicksand
If the regulator concludes that the firm is not ready to roll out the product beyond the sandbox, the firm’s legal and compliance function may have to tell the business that their planned go-to-market date was a pipe dream. As such, firms in the sandbox need to be flexible and take on board feedback from the regulator throughout the process. This means the business needs to keep an open ear to the regulator and those internal functions liaising with it. Firms should also have a “plan B” in case the regulatory approval they ultimately require is not forthcoming. This could be a cut-down version of the product or an alternative structure that fits more easily within the existing regulatory framework or an exemption from the relevant authorization requirement.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers.
Attorney Advertising—Sidley Austin LLP, One South Dearborn, Chicago, IL 60603. +1 312 853 7000. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships, as explained at www.sidley.com/disclaimer.
© Sidley Austin LLP