RBI’s paper on FinTech Regulatory Sandbox: relaxed regulations, liabilities remain; data security a primary concern

The RBI last week released a draft document “Enabling Framework for Regulatory Sandbox”. Comments on the draft document are invited by the RBI until May 08, 2019. The notification can be accessed here, and the paper is available for download here. The paper describes regulatory sandbox thus:

“…live testing of new products or services in a controlled/test regulatory environment for which regulators may (or may not) permit certain regulatory relaxations for the limited purpose of the testing.”

Discussed below are the key features of the paper.

Objectives of the framework

The objective of the development of the sandbox is to allow startups to test innovative models in a controlled environment. It is used to “collect evidence on the benefits and risks of new financial innovations, while carefully monitoring and containing their risks”. The testing allows fintech companies to test products and business models “subject to certain oversight”. This in turn is intended to help in evidence-based policymaking. The target area of the sandbox is primarily areas where there is an absence of governing regulations, or a need for greater clarity on regulations. Providing the closed environment in these situations is intended to increase flexibility in innovation for these companies.

The sandbox however does not completely erase liability from companies for the services they offer even within its limits. These issues will be handled on a case-by-case basis, and sought to be minimised by clear entry and exit frameworks. “Upfront clarity that liability for customer or business risks shall devolve on the entity entering the Regulatory Sandbox will be important in this context.”

Eligibility Criteria for participation

The criteria applicable for entry into the sandbox will be those prescribed by the government for startups. Innovations in the following to be encouraged where:

• there is absence of governing regulations;
• there is a need to temporarily ease regulations for enabling the proposed innovation;
• the proposed innovation shows promise of easing/effecting delivery of financial services in a significant way.

Services to be developed in the Sandbox

The sandbox will be designed to run around 12 services (called a ‘cohort’) through an end-to-end environment to test different aspects of these services. Each cohort will be themed around one of financial inclusion, payments and lending, KYC, etc, and shall run for a maximum period of six months. Companies may apply for extension through an application to the RBI a month before expiry. The following products are listed as suitable for the sandbox:

• Retail payments
• Money transfer services
• Marketplace lending
• Digital KYC
• Financial advisory services
• Wealth management services
• Digital identification services
• Smart contracts
• Financial inclusion products
• Cyber security products
• Mobile technology applications (payments, digital identity, etc.)
• Data Analytics
• Application Program Interface (APIs) services
• Applications under block chain technologies
• Artificial Intelligence and Machine Learning applications

Selection Criteria

The paper sets out some parameters for selection of participants through the Regulatory Sandbox for further large scale expansion. Applicants should:

• Incorporation: The entity should be a company incorporated and registered in India and shall meet the criteria of a start-up as per Govt. of India, DIPP Notification No. G.S.R. 364(E) dated April 11, 2018.
• Net worth: The entity shall have a minimum net worth of Rs.50 lakh as per its latest audited balance sheet.
• Directors/promoters: The promoter(s)/director(s) of the entity are fit and proper as per the criteria enumerated in Annex I. A declaration and undertaking shall be obtained to this effect as per Annex II.
• Satisfactory balance sheets: The conduct of the bank accounts of the entity as well its promoters/directors should be satisfactory.
• CIBIL score: A satisfactory CIBIL or equivalent credit score of the promoter(s)/director(s)/ entity is required.
• Proven products: The entity must demonstrate that their products/services are technologically ready for deployment in the broader market.
• Compliance with existing laws: Applicants should demonstrate arrangements to ensure compliance with the existing regulations/laws on consumer data protection and privacy.
• Inbuilt safeguards: Theres should be adequate safeguards built in its IT systems to ensure that it is protected against unauthorised access, alteration, destruction, disclosure or dissemination of records and data.
• IT capacity: The entity should have robust IT infrastructure and managerial resources. The IT systems used for end-to-end sandbox processing will be checked by the RBI to ensure end-to-end integrity of information processing by the entities concerned.

Required regulatory compliance

The paper states that the regulatory sandbox will nonetheless require services to maintain the following security features without any relaxation:

• Customer privacy and data protection
• Secure storage of and access to payment data of stakeholders
• Security of transactions
• KYC/AML/CFT requirements
• Statutory restrictions

Termination of the Sandbox Testing process

• RBI may terminate: “The sandbox testing will be discontinued any time at the discretion of the RBI if the entity does not achieve its intended purpose, based on the latest test scenarios, expected outcomes and schedule mutually agreed by the sandbox entity with the RBI.”
• In case of non compliance: “The RS may also be discontinued if the entity is unable to fully comply with the relevant regulatory requirements and other conditions specified at any stage during the sandbox process.”
• On discretion of participant: “The sandbox entity may also exit from the RS at its own discretion by informing the RBI one week in advance. The sandbox entity should ensure that any existing obligation to its customers of the financial service under experimentation is fully addressed before exiting the RS or discontinuing the RS.”

Consumer Protection

• No pending obligations: Participants are “required to ensure that any existing obligations to the customers of the financial service under experimentation is fulfilled or addressed before exiting or discontinuing the regulatory sandbox.”
• No limitation of liability: Participants’ liability towards their customers is not limited by their participation in the regulatory sandbox.
• Notice to customers: Participants “must be upfront and, in a transparent way, notify test customers of potential risks and the available compensation and obtain their explicit consent in this regard.”

Stages of the Regulatory Sandbox process

• Preliminary Screening (4 weeks): The FTU shall ensure that the applicant clearly understands the objective and principles of the sandbox and conforms to it. This phase shall last for 4 weeks from the launch of the sandbox, where the applications shall be received by the FTU and evaluated to shortlist applicants meeting the eligibility criteria.
• Test Design (3 weeks): This phase may last for 3 weeks. The FTU shall finalize the test design through an iterative engagement with the applicants and identify outcome metrics for evaluating evidence of benefits and risks.
• Application Assessment (3 weeks): This phase may last for 3 weeks. The FTU shall vet the test design and propose regulatory modifications, if any.
• Testing (12 weeks): This phase may last for a maximum of 12 weeks. The FTU shall generate empirical evidence to assess the tests by close monitoring.Evaluation (4 weeks): This phase may last for 4 weeks. The final outcome of the testing of products/services/technology as per the expected parameters including viability/acceptability under the RS shall be confirmed by the RBI. The FTU shall assess the outcome reports on the test and decide on whether the product/service is viable and acceptable under the RS.

Legal Liability

While regulatory requirements will be relaxed for entities participating int he sandbox, the paper states that “the RBI shall bear no liability arising from RS process and any liability arising from the experiment will be borne by the applicant as a sandbox entity… Upon successful experimentation and on exiting the RS, the sandbox entity must fully comply with the relevant regulatory requirements.”