Explained: What a regulatory sandbox means for fintech companies

The Reserve Bank of India last month released the draft ‘Enabling Framework for Regulatory Sandbox’ for fintech companies. Shilpa Mankar Ahluwalia, partner at law firm Shardul Amarchand Mangaldas, explains what working within a regulatory sandbox means for fintech companies and financial sector entities.  

Why is there a need for a regulatory sandbox for fintech companies?

The fintech sector in India has witnessed rapid innovation in technology and products. There are multiple regulations that could potentially apply to a single fintech product — and it is not always clear how a new product will be regulated.

Arguably, this inhibits innovation on the ground that industry tends to be overcautious and may not roll out a product in its most effective format (to avoid the risk of being non-compliant).

At the same time, a regulator needs to be able to understand the risks of new technologies before it can evolve a framework that protects consumers and control systemic risk without “over-regulating”.

A regulatory sandbox allows fintech players to (i) test new products in a controlled regulatory environment (where the applicability of certain regulations may be relaxed); (ii) reduce costs by limiting testing to a narrow customer group; (iii) engage with regulators.

Further, it also allows the regulator to (i) make regulatory decisions based on evidence from real-time product testing and customer experience; (ii) keep pace with technological innovation.

A fintech regulatory sandbox is particularly useful in India, given that fintech products could potentially face regulation from multiple regulators. Once a digital customer distribution channel has been established, it could be effectively used to deliver not just payment or lending products, but also investment, wealth management, insurance and a whole range of other financial products, each of which may be regulated by a different regulator – the RBI, Sebi and the IRDA.

How does a regulatory sandbox play out among stakeholders – fintech firms, banks, and customers — with regard to their respective responsibilities and liabilities?

The RBI has limited the benefit of the regulatory sandbox to “start-ups”, that is, a fintech player which has been in business for no more than seven years. However, innovation can equally be borne of a more seasoned player and this rule may need to be re-looked at. The three key stakeholders in the regulatory sandbox (at least initially) are start-up fintech players, customers and the RBI. It is unclear whether products developed in partnership with a bank and a fintech start-up will be eligible for the sandbox (although there is a good reason it should be).

What does the regulatory sandbox mean for each stakeholder?

Fintech players: The sandbox will not offer any reduced customer liability and products must adequately disclose risks, features and costs to consumers.

Customers: The framework is surprisingly silent on customer safeguards. Other jurisdictions have used a combination of transaction value caps, risk disclosure requirements and dispute resolution procedures to protect customers over the duration of the sandbox testing. It would certainly be useful for the RBI to, in the final framework, comment on some of these aspects.

Regulator: It is critical for the RBI to evolve a transparent process to select applicants, be actively engaged through the duration of the sandbox, and effectively implement the learning into the fintech regulation. Given the regulatory interplay of many fintech products, the RBI may also consider working with other regulators during this process.

What are the legal dos and don’ts for fintech firms using the sandbox?

Dos: (i) Ensure your personal data protection and KYC frameworks are in place. The RBI has made it clear that fintech participants will have to continue to comply with data protection laws and KYC requirements; (ii) choose a product for testing that seeks to improve the delivery of financial services. Given the changes to the digital KYC framework, innovation in technology allowing for non-face-to-face KYC is an example of one product ideally suited to regulatory sandbox testing.

Don’ts: Seek too many waivers in the applicability of regulations. The product may need one or two relaxations, but cannot operate in a regulatory void.

How does one allay concerns around privacy and data protection?

The RBI has emphasised that compliance with data protection laws is critical through the sandbox testing process. However, until the suggested data protection framework in India becomes law, the RBI may need to specifically detail certain parameters for data protection within the sandbox. Nothing other than derived anonymous customer data should be made public. What will also be critical to the success of the regulatory sandbox is the protection of the intellectual property of fintech players testing the products. While transparency is important, the RBI should make clear that sensitive product-linked information and protected intellectual property will not at any stage be publicly shared.