1. Background

1.1 The Reserve Bank of India (RBI) set up an inter-regulatory Working Group (WG) in July 2016 to look into and report on the granular aspects of FinTech and its implications so as to review the regulatory framework and respond to the dynamics of the rapidly evolving FinTech scenario. The report of the WG was released on February 08, 2018, for public comments. One of the key recommendations of the WG was to introduce an appropriate framework for a Regulatory Sandbox (RS) within a well-defined space and duration where the financial sector regulator will provide the requisite regulatory guidance, so as to increase efficiency, manage risks and create new opportunities for consumers.

1.2 Accordingly, a structured proposal highlighting the clear principles and role of the proposed RS including the reasons for setting up the RS and the expectations of the RBI, are detailed hereunder.

2. The Regulatory Sandbox: Principles and Objectives

2.1 The Regulatory Sandbox

RS usually refers to live testing of new products or services in a controlled/test regulatory environment for which regulators may (or may not) permit certain regulatory relaxations for the limited purpose of the testing. The RS allows the regulator, the innovators, the financial service providers (as potential deployers of the technology) and the customers (as final users) to conduct field tests to collect evidence on the benefits and risks of new financial innovations, while carefully monitoring and containing their risks. It can provide a structured avenue for the regulator to engage with the ecosystem and to develop innovation-enabling or innovation-responsive regulations that facilitate delivery of relevant, low-cost financial products. The RS is an important tool which enables more dynamic, evidence-based regulatory environments which learn from, and evolve with, emerging technologies.

2.2 Objectives

The objective of the RS is to foster responsible innovation in financial services, promote efficiency and bring benefit to consumers.

The RS is, at its core, a formal regulatory programme for market participants to test new products, services or business models with customers in a live environment, subject to certain safeguards and oversight. The proposed financial service to be launched under the RS should include new or emerging technology, or use of existing technology in an innovative way and should address a problem and bring benefits to consumers.

3. Regulatory Sandbox: Benefits

The setting up of an RS can bring several benefits, some of which are significant and are delineated below:

3.1 First and foremost, the RS fosters ‘learning by doing’ on all sides. Regulators obtain first-hand empirical evidence on the benefits and risks of emerging technologies and their implications, enabling them to take a considered view on the regulatory changes or new regulations that may be needed to support useful innovation, while containing the attendant risks. Incumbent financial service providers, including banks, also improve their understanding of how new financial technologies might work, which helps them to appropriately integrate such new technologies with their business plans. Innovators and FinTech companies can improve their understanding of regulations that govern their offerings and shape their products accordingly. Finally, feedback from customers, as end users, educates both the regulator and the innovator as to what costs and benefits might accrue to customers from these innovations.

3.2 Second, users of an RS can test the product’s viability without the need for a larger and more expensive roll-out, if the product appears to have the potential to be successful. If any concerns arise, during the sandbox period, appropriate modifications can be made before the product is launched in the broader market.

3.3 Third, FinTechs provide solutions that can further financial inclusion in a significant way. The RS can go a long way in not only improving the pace of innovation and technology absorption but also in financial inclusion and in improving financial reach. Areas that can potentially get a thrust from the RS include microfinance, innovative small savings, remittances, mobile banking and other digital payments.

3.4 Fourth, by providing a structured and institutionalized environment for evidence-based regulatory decision-making, the dependence of the regulator on industry/stakeholder consultations only is correspondingly reduced.

3.5 Fifth, the RS could lead to better outcomes for consumers through an increased range of products and services, reduced costs and improved access to financial services.

4. Regulatory Sandbox: Risks and Limitations

4.1 Innovators may lose some flexibility and time in going through the sandbox process. However, running the RS in a time-bound manner at each stage can mitigate this risk.

4.2 Case-by-case bespoke authorizations and regulatory relaxations can involve time and discretional judgements. This risk may be addressed by handling applications in a transparent manner and following well-defined principles in decision-making.

4.3 The RBI or its RS cannot provide any legal waivers.

4.4 Post-sandbox testing, a successful experimenter may still require regulatory approvals before the product/services/technology can be permitted for wider application.

4.5 There is potential for some legal issues coming up, such as those relating to consumer losses in case of failed experimentation. Such instances may not have much legal ground if the RS framework and processes are transparent and have clear entry and exit criteria. Upfront clarity that liability for customer or business risks shall devolve on the entity entering the RS will be important in this context.

5. Regulatory Sandbox: Eligibility Criteria

The target applicants for entry to the RS, are FinTech companies including startups, banks, financial institutions and any other company partnering with or providing support to financial services businesses, subject to the sandbox criteria laid down in these guidelines.

The focus of the RS will be to encourage innovations intended for use in the Indian market in areas where:

1. there is absence of governing regulations;

2. there is a need to temporarily ease regulations for enabling the proposed innovation;

3. the proposed innovation shows promise of easing/effecting delivery of financial services in a significant way.

6. Design Aspects of the Regulatory Sandbox

The RBI shall consider the following key design features for the RS:

6.1 Regulatory Sandbox Cohorts and Product/Services/Technology

The RS may run a few cohorts (end-to-end sandbox process), with a limited number of entities in each cohort testing their products during a stipulated period. The RS shall be based on thematic cohorts focussing on financial inclusion, payments and lending, digital KYC, etc. The cohorts may run for varying time periods but should ordinarily be completed within six months.

An indicative list of innovative products/services/technology which could be considered for testing under RS is given below.

6.1.1 Innovative Products/Services

• Retail payments

• Money transfer services

• Marketplace lending

• Digital KYC

• Financial advisory services

• Wealth management services

• Digital identification services

• Smart contracts

• Financial inclusion products

• Cyber security products

6.1.2 Innovative Technology

• Mobile technology applications (payments, digital identity, etc.)

• Data Analytics

• Application Program Interface (APIs) services

• Applications under block chain technologies

• Artificial Intelligence and Machine Learning applications

6.2 Regulatory Requirements/Relaxations for Applicant

The RBI may consider relaxing, if warranted, some of the regulatory requirements for applicants for the duration of the RS on a case-to-case basis. A few of the examples of regulatory relaxation which may be granted are given below:

• Liquidity requirements

• Board composition

• Management experience

• Financial soundness

• Track record

However, the requirements that shall mandatorily be complied with by the applicants are given below:

• Customer privacy and data protection

• Secure storage of and access to payment data of stakeholders

• Security of transactions

• KYC/AML/CFT requirements

• Statutory restrictions

6.3 Exclusion from Sandbox Testing

The entities may not be suitable for the RS if the proposed financial service is similar to those that are already being offered in India unless the applicants can show that either a different technology is being gainfully applied or the same technology is being applied in a more efficient and effective manner.

An indicative negative list of products/services/technology which may not be accepted for testing is given below.

• Credit registry

• Credit information

• Crypto currency/Crypto assets services

• Trading/investing/settling in crypto assets

• Initial Coin Offerings, etc.

• Chain marketing services

• Any product/services which have been banned by the regulators/Government of India.

6.4 Number of FinTech Entities to be part of a Cohort

The focus of the RS shall be narrow in terms of areas of innovation, and limited in terms of intake. The RS shall begin the testing process with a few selected entities through a comprehensive selection process as detailed in the framework under ‘Fit and Proper criteria for selection of participants in RS’. The decision of the RBI on the application shall be final.

6.5 Fit and Proper Criteria for Selection of Participants in RS

6.5.1 Every applicant shall satisfy the following conditions:

1. It should either be a company incorporated and registered in India or banks licensed to operate in India. Further, financial institutions constituted under a statute in India would also be eligible.

2. The entity shall have a minimum net worth of Rs. 25 lakh as per its latest audited balance sheet.

3. The promoter(s)/director(s) of the entity should be fit and proper as per the criteria enumerated in Annex I. A declaration and undertaking shall be obtained to this effect from every director as per Annex II.

4. The conduct of the bank accounts of the entity as well its promoters/directors should be satisfactory.

5. The credit history of the promoter(s)/director(s)/ entity shall be satisfactory.

6. It should demonstrate that the products/services are technologically ready for deployment in the broader market.

7. The entity must demonstrate arrangements to ensure compliance with the existing regulations/laws on consumer data protection and privacy.

8. There should be adequate safeguards built in its IT systems to ensure that it is protected against unauthorized access, alteration, destruction, disclosure or dissemination of records and data.

9. The entity should have robust IT infrastructure and managerial resources. The IT systems used for end-to-end sandbox processing shall provide end-to-end integrity of information processing.

6.5.2 The entities shall additionally satisfy the following conditions:

1. The proposed FinTech solution should highlight an existing gap in the financial ecosystem and the proposal should demonstrate how it would address the problem, and bring benefits to consumers or the industry and/or perform the same work more efficiently. Alternatively, the applicants should demonstrate that there is a relevant regulatory barrier that prevents deployment of the product/service at scale, or a genuinely innovative and significantly important product/service/solution is proposed for which relevant regulation is necessary but absent.

2. The test scenarios and expected outcomes of the RS experimentation should be clearly defined, and the sandbox entity should report to the RBI on the test progress, based on an agreed schedule.

3. The appropriate boundary conditions (refer to section 6.7) should be clearly defined for the RS to be meaningfully executed while sufficiently protecting consumers’ privacy.

4. An acceptable exit and transition strategy should be clearly defined in the event that the proposed FinTech-driven financial service has to be discontinued, or can proceed to be deployed on a broader scale after exiting the RS.

5. The applicants shall be required to share the results of Proof of Concept (PoC)/testing of use cases including any relevant prior experiences before getting admission into RS for testing, wherever applicable.

6. Significant risks arising from the proposed FinTech solution or financial service should be assessed and mitigation plan shall be submitted.

6.5.3 The RS is a new regulatory initiative to foster responsible innovation in financial services, while carefully monitoring and containing their risks. The selection of entities for a cohort shall, inter-alia, be based on conformity to the fit and proper criteria as indicated in para 6.5.1 and 6.5.2 above. In case the number of applicants is large, the compliance with fit and proper criteria shall be a necessary condition and the final selection will be based on novelty of the innovation and the potential benefit which the product/service brings to the consumers/industry.

6.6 Extending or Exiting the RS

a) At the end of the sandbox period, the regulatory relaxations provided to the entities will expire and the sandbox entity must exit the RS. In the event that the sandbox entity requires an extension of the sandbox period, it should apply to the RBI at least one month before the expiration thereof and with valid reasons to support the application for extension. The RBI shall take an informed decision to allow extension or otherwise based on the stage of the testing, the results of the testing till then, justification for its continuance and the expected outcome in the extended period.

b) The sandbox testing will be discontinued any time at the discretion of the RBI:

1. if the sandbox entity does not achieve its intended purpose, based on the latest test scenarios, expected outcomes and schedule mutually agreed by the sandbox entity with the RBI.

2. if the sandbox entity is unable to fully comply with the relevant regulatory requirements and other conditions specified at any stage during the sandbox process.

3. if the sandbox entity has not acted in the best interest of consumers due to negligence or deliberate malicious practices

c) The sandbox entity may also exit from the RS at its own discretion by informing the RBI one month in advance.

d) The sandbox entity shall ensure that any existing obligation to its customers of the financial service under experimentation is fully addressed before exiting the RS or discontinuing the RS.

6.7 Boundary Conditions

When the RS operates in the production environment, it must have a well-defined space and duration for the proposed financial service to be launched, within which the consequences of failure can be contained. The appropriate boundary conditions should be clearly defined for the RS to be meaningfully executed while sufficiently protecting the interests of consumers. The boundary conditions for the RS may include the following:

• Start and end date of the RS

• Target customer type

• Limit on the number of customers involved

• Transaction ceilings or cash holding limits

• Cap on customer losses

6.8 Consumer Protection

6.8.1 The sandbox entity will be required to ensure that any existing obligations to the customers of the financial service under experimentation are fulfilled or addressed before exiting or discontinuing the RS. It may be noted that entering the RS does not limit the sandbox entity’s liability towards its customers.

6.8.2 The entities entering the RS must, in an upfront and transparent way, notify test customers of potential risks and the available compensation and obtain their explicit consent in this regard. There should be an appropriate arrangement for customers to withdraw from the test.

6.8.3 Sandbox entities shall be required to take liability/indemnity insurance of an adequate amount and period to safeguard the interest of the customers. The adequacy of indemnity cover shall depend on determination of the maximum liability based on, among others, (i) maximum exposure to a single customer (ii) the number of claims that could arise from a single event (potential for multiple claims); and (iii) number of claims that might be expected during the policy period. The policy cover shall begin with the start of testing stage and end three months after exit of the sandbox entity from the RS.

7. The Regulatory Sandbox Process and its Stages

7.1 End-to-End Sandbox Process

A detailed end-to-end sandbox process, including the testing of the products/innovations by FinTech entities, shall be overseen by the FinTech Unit (FTU) under overall guidance of the Inter Departmental Group (IDG) of RBI with participation of domain experts.

7.2 The Sandbox Process: Stages and Timelines

Each cohort of the RS shall have the following five stages and timeline:

7.2.1 Preliminary Screening

This phase may last for 4 weeks from the closure of application window. The applications shall be received by the FTU and evaluated to shortlist applicants meeting the eligibility criteria. The FTU shall ensure that the applicant clearly understands the objective and principles of the RS and conforms to them.

7.2.2 Test Design

This phase may last for 4 weeks. The FTU shall finalize the test design through an iterative engagement with the applicants and identify outcome metrics for evaluating evidence of benefits and risks.

7.2.3 Application Assessment

This phase may last for 3 weeks. The FTU shall vet the test design and propose regulatory modifications, if any.

7.2.4 Testing

This phase may last for a maximum of 12 weeks. The FTU shall generate empirical evidence to assess the tests by close monitoring.

7.2.5 Evaluation

This phase may last for 4 weeks. The final outcome of the testing of products/services/technology as per the expected parameters including viability/ acceptability under the RS shall be confirmed by the RBI. The FTU shall assess the outcome reports on the test and decide on whether the product/service is viable and acceptable under the RS.

8. Statutory and Legal Issues

8.1 Upon approval, the applicant becomes the sandbox entity responsible for operating in the RS. The RBI will provide the appropriate regulatory support by relaxing specific regulatory requirements (which the sandbox entity will otherwise be subject to), where necessary, for the duration of the RS. The RBI shall bear no liability arising from sandbox process and any liability arising from the experiment will be borne by the applicant as a sandbox entity.

8.2 Upon successful experimentation and on exiting the RS, the sandbox entity must fully comply with the relevant regulatory requirements. The applicant should clearly understand the objective and principles of the RS. It must be emphasized that the RS is not intended and cannot be used as a means to circumvent legal and regulatory requirements.

8.3 At the end of the sandbox period, the sandbox entity must exit the RS.

9. Transparency and Disclosure

9.1 Outreach with stakeholders and clear and adequate information dissemination on the RS is important. The RBI will communicate the entire sandbox process including its launch, theme of the cohort, successful applicants selected for RS, entry and exit criteria and products/services found viable and acceptable under the RS through its official website.