RBI updates its regulatory sandbox framework

Under the updated regulatory framework, sandbox entities must process all the data in their possession or under their control in accordance with the provisions of the Digital Personal Data Protection Act, 2023, among other new provisions.

The Reserve Bank of India (RBI) on February 28 updated the regulatory sandbox framework based on experience gained over the last four years in running four cohorts and feedback received from fintech entities, banking partners, and other stakeholders, the central bank said.

RBI’s regulatory sandbox allows fintech entities to test new financial products and services in a controlled environment, where the central bank may allow certain regulatory relaxation. The sandbox is expected to allow the different stakeholders to study the benefits and risks of a product or service before releasing it more widely.

The first iteration of the Enabling Framework for Regulatory Sandbox was released in August 2019. The framework was subsequently updated in December 2020 and October 2021. RBI accepts entries for the regulatory sandbox program in cohorts, and currently, the fifth cohort is running.

What’s new: You can read a summary of the first iteration of the framework here. The latest, revised framework includes the following new provisions:

  • Compliance with data protection law: Sandbox entities must process all the data in their possession or under their control in accordance with the provisions of the Digital Personal Data Protection Act, 2023. Sandbox entities should have appropriate technical and organisational measures to ensure effective compliance with the Act. They should also ensure adequate safeguards to prevent any personal data breach.
  • Theme-neutral cohorts: The earlier framework said that RBI would run cohorts with a limited number of entities, for a stipulated period, focused on a specific theme (like payments or financial inclusion). The revised framework says that a cohort may also be theme-neutral, wherein innovative ideas cutting across various functions in RBI’s regulatory domain would be eligible to apply.
  • Increased duration of cohort: Cohorts in the regulatory sandbox process can now run for up to 9 months instead of the earlier 7 months, allowing entities more time to test their products and services. RBI can also provide an exception on a case-by-case basis.
  • Ideas similar to existing ones may not be considered: If the proposed product or service is similar to one that was already tested under the regulatory sandbox and has no new innovation, it may not be considered eligible.
  • Disqualification for submitting false information: RBI has the right to discontinue the sandbox testing of an entity if it has submitted false, misleading or inaccurate information, or concealed material facts in its application.
  • Disqualification for data security and technical lapses: RBI can also cancel testing if there is a breach in data security, a failure to address technical defects, or a failure to develop or implement safeguards, or if the entity goes into liquidation or has a regulatory license cancelled.
  • The various stages of the sandbox process: RBI has revised the various stages of the process:
    1. Preliminary screening: The FinTech Department (FTD) of the RBI will evaluate applications received and shortlist them based on the eligibility criteria and the objectives of the sandbox. This stage may last a month.
    2. Application assessment and shortlisting: The shortlisted applications will be evaluated for innovation, technology aspects, security, etc. Any regulatory relaxations requested by the applicant will be considered on a case-by-case basis. The applicants will then present their ideas before the Inter-Departmental Group (IDG) on the regulatory sandbox to move to the testing phase. This stage will last for a month and a half.
    3. Formulation of test design and integration phase: The applicants along with the FTD will finalise the test design and identify outcome metrics for evaluating evidence of benefits and risks. The applicants can also integrate with their partners, if any, and be ready to start the testing of the product or service. This stage will last for a month and a half.
    4. Testing phase: The entities can test their products and services for a maximum of five months. During this time, they will have to report the test results to the FTD on a fortnightly basis.
    5. Evaluation phase: The FTD will assess the outcome reports of the tests and, along with the RBI, decide if the product or service is viable. This phase will last for one month.
  • Notify customers at the end of testing: At the end of the sandbox period, the entity must notify the customers of the completion of the sandbox testing and de-board the customers.
  • In-principle partnerships allowed: Entities can get into in-principle partnership arrangements, if any, with various stakeholders at the time of applying to the regulatory sandbox.

What kind of innovations qualify for the regulatory sandbox: The product or service must be a new or emerging technology or innovatively use existing technology and should address a problem and bring benefits to consumers. It can be in a wide range of areas like payments, money transfer, lending, KYC and identification, financial inclusion, smart contracts, cyber security, mobile apps, APIs, AI applications, etc. For example, an offline retail payment technology by HDFC Bank and Sweden-based Crunchfish recently went live after being tested in the regulatory sandbox. It is an app that allows customers and merchants to make and receive payments from an on-device wallet even when there is no mobile network.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
