This article is written by G S Sreenidhi pursuing BA.LLB (Hons) from Maharashtra National Law University.
Table of Contents
Introduction
The concept of a regulatory sandbox is a fairly recent development in the wake of technological innovations disrupting traditional structures and practices across various sectors. The most popular and oft cited disruption is in the financial sectors with the emergence of “fintech”, i.e., financial technology, in the capital markets, insurance and banking sectors. Such fintech can include blockchain technology, cryptocurrencies, crowdfunding platforms, etc. Even mobile payment technology like paytm, mobikwik, freecharge etc. fall within the ambit of fintech.
With the advent of fintech, the traditional systems in place to regulate various entities in each of these sectors are disrupted. Such disruption causes a problem not only to the existing big players in any of these sectors but also to the regulators as the existing regulatory regime is found wanting in front of the innovations that spring up at an exponential rate. It is common knowledge that laws, across the world, more often tend to be reactive rather than proactive. This is true even with respect to regulatory bodies, especially India.
In this context, the concept of sandbox is an attempt to analyse and gauge the innovative products and services so that the regulators may come up with effective ways to regulate/supervise such companies. A regulatory sandbox is a framework where innovations by companies/firms are tested live in a controlled environment. Such entities operating in a sandbox may be provided certain exemptions from eligibility criteria, norms, etc. Such a mechanism is expected to pave the way for regulators to keep a check while also enabling and facilitating innovation in their respective spheres.
Such a mechanism was initially set up in the USA where the consumer financial protection bureau set up ‘project catalyst’ in 2012 to encourage consumer-friendly innovation. The term ‘regulatory sandbox’ however, was coined by the UK Markets regulator, the Financial Conduct Authority (FCA) in 2015. Since then over 29 countries have set up sandboxes in different sectors and there is also a global fintech sandbox in the works.
In India, the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI) and the Insurance Regulatory and Development Authority of India (IRDAI) have come up with proposals and enabling frameworks for a regulatory sandbox. While all these regulators came up with their proposals and frameworks for a sandbox, the IRDA has taken the lead in the country and has already opened applications for testing products under the sandbox.
Another important sector where a sandbox will benefit greatly is the Telecom Sector. The Telecom Regulatory Authority of India (TRAI) TRAI released the Telecom Commercial Communications Customer Preference Regulations 2018 one of whose features included enabling compliance through innovation in technology solutions demonstrated in a regulatory sandbox. This move follows a technology driven solution opted by TRAI which aims to make such solutions demonstrable to everyone before deploying them.
International scenario
The United Kingdom is the first country to implement a regulatory sandbox back in 2016. The sandbox was open to authorised firms, unauthorised firms that require authorisation and technology businesses. In 2016, Australian Securities and Investment Commission introduced a regulatory sandbox regime for FinTech products, allowing eligible businesses to test particular financial services or credit activities in a less onerous regulatory environment. The regulatory sandbox allows eligible fintech companies to test certain products or services for up to 12 months without an Australian financial services (AFS) licence or credit licence.
To encourage innovation in the financial sector, the Monetary Authority of Singapore (MAS) allows firms to test their products in the market within a clearly defined space. The rules are that they can do so only for a limited period, and with a limited number of customers or transactions.
Hong Kong is an example of a region with three different setups of sandboxes with one each in the Banking Sector, Capital Markets and the Insurance sector. Banks authorized by the Hong Kong Monetary Authority (HKMA) can apply to be in the sandbox operated by the HKMA. Firms licensed by the Hong Kong Securities and Futures Commission (SFC) and start-up firms that intend to be licensed by the SFC can apply to be in the sandbox operated by the SFC. Insurers authorized by the Hong Kong Insurance Authority (IA) can make applications to the IA under the IA’s insurtech sandbox.
Some of the other countries with a sandbox setup include Indonesia, Philippines and Kenya. Recently, UK Financial Conduct Authority (FCA), in collaboration with 11 financial regulators and related organisations, on 7 August 2018 proposed the creation of the Global Financial Innovation Network (GFIN) in a consultation paper. This build on the FCA’s proposal in early 2018 to create a ‘global sandbox’. GFIN has expanded to a network of 29 organisations and GFIN’s members include Australian Securities & Investments Commission (ASIC), Hong Kong Monetary Authority (HKMA), Monetary Authority of Singapore (MAS), Consumer Financial Protection Bureau (CFPB) in the US, Bank of Lithuania, South African Reserve Bank (SARB), Abu Dhabi Global Market (ADGM) in the UAE, International Monetary Fund (IMF), and World Bank Group.
Modus operandi in India
India’s financial technology (fintech) sector may be young but is growing rapidly, fueled by a large market base, an innovation-driven startup landscape, and friendly government policies and regulations. There are two broad areas that merit attention in the Indian context: the first is regarding improving the accessibility of financial platforms using FinTech; and the second is about analysing potential risks that may arise out of FinTech adoption.
Reserve bank of India
The RBI’s working group on fintech and digital banking suggested the introduction of a “regulatory sandbox or innovation hub” within a well-defined space and duration to experiment with fintech solutions. The Draft Enabling Framework for regulatory sandbox released by RBI lays down the objectives and benefits of the sandbox while stressing that the focus of the sandbox will be to encourage innovation. The framework also lays down the eligibility, the kind of companies that may be selected and limits the number of entities to 10-12 for the moment. The framework proposes the timelines involving 5 stages and the whole process lasting about 26 weeks where the testing will be for 12 weeks. In November 2019, the RBI announced the opening of the first cohort under the Regulatory Sandbox with ‘Retail Payments’ as its theme.
Securities and exchange board of India
In May 2019, SEBI floated a discussion paper on “Regulatory Sandbox” to boost the development and adoption of fintech solutions. SEBI had proposed “Innovation Sandbox” – a testing environment where fintech firms can experiment innovations in a closed environment, with historical data.
Under the current proposal – the regulatory sandbox—financial institutions will be granted certain facilities and flexibilities to experiment with fintech solutions in live environment and on real customers, and these features will be fortified with necessary safeguards for investor protection and risk mitigation. The focus is on encouraging adoption and usage of fintech would have a profound impact on the development of securities market, and can act as an instrument to further develop and maintain an efficient, fair and transparent securities market ecosystem.
Similar to RBI, the SEBI also provides the eligibility, benefits, risks and limitations. Similar to some other sandbox regimes internationally, SEBI also proposes exemptions for sandbox entities. The framework also includes the process, approval, testing, exit or extension along with revocation of approval.
Following a proposal for amendments to SEBI Regulations in order to enable cross-domain testing of FinTech solutions and enabling departments of SEBI to grant limited certificates of registrations to applicants, in its board meeting on February 17, 2020 SEBI approved amendments to various regulations to insert a common chapter to allow entities to operate in a regulatory sandbox without being subject to the entire set of regulatory requirements. Subsequently, SEBI vide a gazette notification SEBI/LAD-NRO/GN/2020/10 dated April 17, 2020 amended various regulations to include a chapter to include an exemption for a period not exceeding 12 months for furthering innovation in technological aspects relating to testing new products, processes, services, business models, etc. in live environment of regulatory sandbox in the securities markets. Following the amendment, SEBI introduced a circular in June 2020 containing the framework for the Regulatory Sandbox, the eligibility, timelines, processes and exemptions.
Insurance and regulatory development authority of India
IRDA has decided to develop a ‘regulatory sandbox’ to enable testing of products in a controlled environment so that the industry could keep pace with the fast-evolving financial technology. The objective of Regulatory Sandbox is to facilitate innovations in the insurance sector, make the insurance products more affordable and relevant for the insured and to give a fillip to insurance penetration. IRDAI in February 2019, recommended setting up a regulatory sandbox to test new digital and tech-based innovations, before launching them in the market and came out with the IRDA (Regulatory Sandbox) Regulations, 2019 and Guidelines on operational issues pertaining to regulatory sandbox in August 2019. In September 2019, the IRDA has invited applications for entities willing to participate and test their products in the sandbox. Subsequently, in January 2020 the IRDA granted approvals to proposals of various applicants from Health, Motor and Intermediaries Department,on March 2020 released the second tranche of approvals under its sandbox regulationsand the third tranche of approvals in June 2020.
Telecom sector’s sandbox
Privacy, security and ownership of data in the telecom sector
The TRAIN released a consultation paper dated 09.08.2017 on ‘Privacy, Security and Ownership of the Data in the Telecom Sector’ (Consultation Paper) and invited recommendations from the public to the same. One of the issues recognised and raised by TRAI in the paper was ‘Should the government or its authorized authority set up a data sandbox, which allows the regulated companies to create anonymized data sets which can be used for the development of newer services?’
After receiving various responses from the public, TRAI released its recommendations on Privacy, Security and Ownership of Data in the Telecom Sector (Recommendations) on 16.07.2018. In the backdrop of data privacy and possible threats to such privacy of consumers in the telecom sector, TRAI has focussed on a sandbox to develop services with an emphasis on data privacy. TRAI terms it the ‘data sandbox’ and describes it as ‘an entity that anonymises data sets which can be utilised by the service provider / business to design new products and services for the benefit of customers and growth of their businesses.’ TRAI received responses from 53 different stakeholders. The response to setting up of a sandbox in the telecom sector, however, appears to have largely been met with opposition. As TRAI notes in its report, there were some reasons why many respondents to the consultation paper were against the idea of a sandbox allowing companies to create anonymous data sets. These include:
- Creation of roadblock to emerging dynamic business models by choking investments and innovation incentives.
- Vulnerability due to aggregation of information in the form of freely available data sets.
- Lack of strong incentives with the government in investing in cutting edge technologies.
- Article 300A of the Constitution prohibits the state from depriving a person of their private property and a sandbox may result in violation of this constitutional right.
- Difficulty in implementation of notice, choice, limiting purpose and collection and right to object.
Other views of respondents to the Consultation Paper were that such a sandbox may be set up only if the participation is voluntary and the data that is being shared with such entities is raw and not analysed or processed. They have stressed on ensuring privacy of the personal information of the users and consequently the data sets used in the sandbox must be anonymised. However, with respect to anonymised data sets, there was a view that there is possibility of re-identification of such anonymised data and therefore it may not help in data protection.
There was also a view that such a sandbox will benefit both businesses in that they will generate revenue by offering services to consumers and the consumers in that they are now exposed to better services and products. Having taken into consideration all these views, TRAI’s analysis stressed on the importance of testing goods and services before their commercial launch. TRAI took the view that testing algorithms on such anonymised datasets could be an economic way to test such products and services as they can be carried out with minimal computer resources. However, TRAI did note that re-identification of anonymised data must be curbed and suitable standards will have to be set up to avoid such mishaps. However, TRAI while noting that the data production framework for the country is under development and establishing a sandbox will entail substantial investments in IT infrastructure, has refrained from making any recommendations related to data sandbox.
Customer preference regulations
While a sandbox specifically for data privacy was being discussed, TRAI in the meanwhile also released the draft Telecom Commercial Communication Customer Preference Regulations on 29.05.2018 and opened the same upto public comments. Subsequently, through an Information Note to the Press on 01.06.2018, announced that TRAI will hold presentations and discussion on these draft regulations. The Press Note identified some new features of these draft regulations which included ‘enabling compliance through innovation in technology solutions that are demonstrated in a regulatory sandbox’. TRAI received about 23 responses from various stakeholders to these regulations.Three days after releasing the Recommendations, on 19.07.2018, parallely TRAI released the Telecom Commercial Communications Customer Preference Regulations, 2019 (TC3PR / Customer Preference Regulations) which provided for a regulatory sandbox. Now, while the Recommendations specifically used the term ‘data sandbox’, the TC3PR go with a wider definition and go with a ‘regulatory sandbox’.
The definition of regulatory sandbox, as given in Regulation 2(ba) means a ‘specifically constructed experimental space, with a safe environment, within which various stakeholders can use Regulatory Technology solutions to develop and refine Code(s) of Practice to comply with new regulatory requirements’. Further, both the draft and the final regulations provide for a sandbox under the miscellaneous chapter vide Regulation 36 which says that ‘Authority may set up or permit to set up a Regulatory Sandbox for testing implementation of regulatory checks using DLT networks and other technological solutions complementing DLT network(s) and to operationalize such regulatory sandbox, the Authority may, by order or direction, specify the requisite processes.’
So far the TC3PR merely grants power to TRAI to set up the sandbox without specifying the modalities of the same. However, the regulations have an Explanatory Memorandum to explain the objects and reasons behind these Regulations. The Regulatory Sandbox in the TC3PR is viewed by TRAI in the context of Distributed Ledger Technologies (DLTs) which is defined in Regulation 2(w) to mean ‘a set of technological solutions that enables a single, sequenced, standardized and cryptographically-secured record of activities to be safely distributed to, and acted upon, by a network of varied participants and their – (i) database can be spread across multiple sites or institutions; (ii) records are stored one after the other in a continuous ledger and can only be added when the participants reach a consensus;’
When analysing issues related to registration systems under the regulations, TRAI takes note of the multiple DLT system operators and the constant evolution of both the solutions and requirements and in this context seeks to establish a test environment which would serve to test the new functions/processes or refine the existing functions/processes. Similar to sandboxes proposed by other jurisdictions and other regulators in India, TRAI acknowledges that as a regulator, TRAI will provide exemption from certain regulatory actions when access providers and other participants are operating in the sandbox. Further, in a nod to data privacy, TRAI states that due to uncertainties in the testing of these solutions, specific consent from customers will be required and participation in such testing will be strictly voluntary.
In terms of modalities of the sandbox to be set up, apart from the consent of customers and certain exemptions, TRA proposes some other characteristics. This includes a mechanism to be developed to contain the impact of the testing within the live system and if at all any deviation is observed in the system’s behaviour or the application under the trial, such deviation in behaviour must be contained within the system. Further, TRAI also recognised the importance and use of such sandbox in finalising APIs (Application Programme Interfaces) and the specific details of its implementation. TRAI has decided to set up ‘or permit to set up a Regulatory Sandbox for testing implementation of regulatory checks using DLT networks and other technological solutions complementing DLT network(s) and to operationalize such regulatory sandbox, the Authority may, by order or direction, specify the requisite processes’.
In looking at the issues relating to Customer Preference Registration System, TRAI analysed the issue of Robo Calls and Auto Dialler calls. TRAI noted that Telecom Regulators in other jurisdictions such as IFCOM and Information Commissioner’s Office (ICO) of the United Kingdom and the Federal Trade Commission (FTC) of the United States of America. TRAI recognised the need for curbing the menace of unsolicited commercial communications (UCC) through Robo Calls, the industry will need to develop new solutions for ways and means to control such UCC and in this regard TRAI proposes to test solutions for Robocalls within the sandbox.
In looking at the impact of the TC3PR on Access providers and the ecosystem, TRAI has taken the view that access providers will be benefited by the TC3PR inter alia due to the fact that the sandbox provides these access providers an opportunity to test and develop new processes which intern will help them introduce new and innovative business models along with introducing ways to ensure regulatory compliances in a more economical way.
Status in foreign countries
The TRAI, while framing the TC3PR, has looked at the regulatory sandbox set up in various other regulators. TRAI looks at some financial regulators who have adopted the concept of regulatory sandbox for the purpose of beta testing of the DLTs, apart from other FinTech applications. Some of the jurisdictions which TRAI has looked at for sandboxes which are either already created and running or in the making include the USA, Singapore, UK, Australia and Abu Dhabi. TRAI takes the specific example of the UK FCA noting that it allows limited launch of FinTech applications, products and services. Further, in the US federal support has been sought through a bill for FinTech sandboxes. TRAI also looked at the regulatory sandbox guidelines published by the Monetary Authority of Singapore (MAS). According to TRAI ‘Regulatory sandboxes that allow DLTs to be tested in markets may be embraced in a familiar form to that of the ‘test and learn’’.
It is interesting to note that TRAI has looked at sandboxes by regulators including the financial sector regulators. The Telecom Regulator has adopted the model from other financial sector regulators.
Conclusion
In terms of regulatory action and the time governments and regulators take for implementation of their policies, frameworks, etc., the concept of a regulatory sandbox is a fairly recent one. It is one of the less-frequent instances where the regulators act proactively instead of reactively. Regulators around the world have started to implement sandboxes, these include countries like Indonesia and Kenya, and India in that sense is lagging behind as the sandbox is largely in the policy stages, except for the insurance sector, and there doesn’t appear to be much action beyond the papers.
It is important not only to have a sandbox, but to frame the regulations, restrictions and frame of operation in such a way as to facilitate and incentivise the makers of innovative products to willingly register in the sandbox. The sandbox, if too restrictive, will be seen as a mode of stifling innovation and will discourage players from taking part in the testing process.
At this point, a thought that can be brought about is that of a unified regulator. This was an idea proposed by the Financial Sector Legislative Law Reforms Commission back in March 2013 however that idea, it is safe to say, is no more in discussion. However, having seen the models of functioning of the sandbox of each of RBI, SEBI and IRDAI, there are substantial similarities. This maybe opens up a possibility of these regulators unifying for the purposes of setting up a regulatory sandbox. The benefits of it would be obvious in that it has lesser procedural hurdles across the board, and fintech being the disruptive phenomenon it is, innovations often will tend to go across sectors and the questions of registering with the regulator each time for the same product won’t arise. However, a downside to this would be the fact that in the practical scheme of things within the government, bringing into effect such a unification will take far longer and the need for sandboxes and regulation of innovative products is now urgent.
References
- Future of Fintech in India – Opportunities and Challenges https://www.india-briefing.com/news/future-fintech-india-opportunities-challenges-12477.html/
- Opportunities and Challenges of FinTech – Shri Shaktikanta Das, Governor, Reserve Bank of India – 25.04.2019 – Keynote Address Delivered at the NITI Aayog’s FinTech Conclave https://www.rbi.org.in/commonman/english/Scripts/speeches.aspx?Id=2920
- Abhijit Bhatlekar: RBI to set up regulatory sandbox for fintech firms 06.04.2019 https://www.livemint.com/industry/banking/rbi-to-set-up-regulatory-sandbox-for-fintech-firms-1554525234668.html
- Draft Enabling Framework for Regulatory Sandbox 18.042019 https://www.rbi.org.in/scripts/PublicationReportDetails.aspx?UrlPage=&ID=920
- https://rbidocs.rbi.org.in/rdocs/PressRelease/PDFs/PR1098E74EFB3B9CE242DBB2B6BEE89F02BD0B.PDF https://www.irdai.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo4082&flag=1
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: