Regulatory sandboxes are becoming a global trend, providing plenty of opportunities for innovative businesses. Pioneered in the UK as part of the Financial Conduct Authority’s (FCA) “Project Innovate”, a regulatory sandbox is a “safe space” in which businesses can test innovative products, services, business models, and delivery mechanisms without immediately incurring all the normal regulatory consequences of engaging in the activity in question. Regulatory sandboxes are helpful for innovative businesses seeking to navigate regulatory regimes that seemingly only cater for more traditional business models. Since its inception in the UK, regulators around the world have adopted the sandbox concept in various forms. Most incarnations bear fairly close resemblance to the FCA’s model, albeit with some important variations, as discussed further below. Sandboxes aim to foster innovation and competition, and to help ensure that regulators understand how innovative firms are evolving and can adapt regulatory rules, if necessary and appropriate, to better suit the evolving landscape. Global sandboxes The FCA’s regulatory sandbox, created in November 2015, opened for applications in June 2016. The FCA takes on two small cohorts each year and has recently selected a third cohort, which will begin testing this month. The UK sandbox is available to new businesses that need to become authorised (which can benefit from a tailored authorisation process before they begin testing), authorised firms, and non-authorised technology firms seeking to provide outsourced services to authorised firms. Sandboxes now appear in many jurisdictions, with Asia taking the lead. There are sandboxes in jurisdictions including Australia, the United States, Canada, Switzerland, Malaysia, South Korea, the United Arab Emirates, Hong Kong, Singapore, and Thailand. Each sandbox is different, with varying rules and eligibility criteria. In Hong Kong, for example, the Hong Kong Monetary Authority’s (HKMA) sandbox is only open to “Authorised Institutions” (principally banks). Whereas in Australia, firms are permitted to carry on certain activities within the sandbox without requiring authorisation, relying on a sandbox licensing exemption. Australia also operates a less formal model, whereby firms do not need to apply for the sandbox, but rather just need to notify the regulator that they intend to test under the exemption. Latham & Watkins 13 November 2017 | Number 2232 | Page 2 There have been recent suggestions that in Singapore Initial Coin Offerings (ICOs) could be “ringfenced” using the Monetary Authority of Singapore’s (MAS) sandbox, in order to keep tighter checks on these innovative methods of financing. ICOs have come under scrutiny in recent months as it is not always clear how they fit into existing regulatory frameworks, and there are concerns about the varying quality of documentation and risk presentation. Therefore, “babysitting” ICOs in the sandbox may be a way of helping raise confidence in them. Although sandboxes have been set up successfully across the globe, they have not seen so much success in Europe. Key European jurisdictions such as France and Germany have not been as supportive of the concept; the German BaFin in particular has been critical of relaxing standards for some firms. Although European-wide regulatory authorities (such as the European Banking Authority and the European Securities and Markets Authority) have been pushing to do more to promote innovation and to build a fintech agenda across Europe, political hurdles are likely to mean that it will be some time before we could expect to see a pan-European sandbox emerge. Similarly, it has also been challenging to establish sandboxes in the US and Canada, due to fragmented regulation and the division of power between state/provincial and federal authorities. The table below provides further information on the key global sandboxes. Jurisdiction Launch date Target firms Key benefits Australia December 2016 Fintech businesses seeking to test products and services before they obtain an Australian financial services licence or Australian credit licence • Fintech licensing exemption • Waiver or rule modifications Canada February 2017 Open to all firms with innovative business models from a Canadian market perspective, whether startups or incumbents May obtain exemptive relief from securities laws requirements, under a faster and more flexible process than through a standard application Hong Kong (HKMA sandbox) The HKMA’s sandbox originally launched in September 2016. An enhanced version of the sandbox, the Fintech Supervisory Sandbox (FSS 2.0), is scheduled to go live before “Authorised Institutions” (principally banks) and fintech/tech companies collaborating with those institutions Under the original version of the sandbox, some of the usual regulatory standards may be relaxed, on a case-by-case basis (e.g., security-related requirements for electronic banking services). The new features of the FSS 2.0 will include: • A “Fintech supervisory chatroom”, aimed to provide quick responses to questions Latham & Watkins 13 November 2017 | Number 2232 | Page 3 Jurisdiction Launch date Target firms Key benefits the end of 2017 • Tech firms may have direct access to FSS 2.0 by seeking feedback from the chatroom without having to rely on an authorised institution’s participation in the sandbox • Linking the FSS 2.0 with sandboxes run by the other Hong Kong regulators (i.e., the Securities and Futures Commission (SFC) and the Insurance Authority (IA)) so that there will be a single point of entry for pilot trials of crosssector fintech products Hong Kong (SFC regulatory sandbox) September 2017 Open to existing SFClicensed corporations and start-up firms that intend to carry on a regulated activity under the Securities and Futures Ordinance (SFO) Provides a confined regulatory environment for firms to operate regulated activities under the SFO before deploying their fintech on a fuller scale. Firms may, through close dialogue with and supervision by the SFC, readily identify and address risks or concerns relevant to their regulated activities. Hong Kong (IA’s Insurtech sandbox) September 2017 Available to authorised insurers in Hong Kong who intend to launch Insurtech products/services (i.e., the development and application of technology in the insurance industry) and other technology initiatives Insurers testing new Insurtech initiatives in the sandbox can gain real market data and information of user experience in a controlled environment. The IA may relax certain supervisory requirements on a case-by-case basis. Malaysia Launched in October 2016; first participants licensed in May 2017 • Financial institutions • Fintech companies collaborating with financial institutions • Fintech companies intending to carry on authorised or registered business Review and adaptation of regulatory requirements or procedures that may unintentionally inhibit innovation Latham & Watkins 13 November 2017 | Number 2232 | Page 4 Jurisdiction Launch date Target firms Key benefits Singapore November 2016 All financial institutions and fintech firms Usual regulatory standards may be relaxed, on a case-by-case basis. For example, those relating to: • Asset maintenance • Board composition • Cash balances • Credit rating • Financial soundness • Solvency and capital adequacy requirements • Management experience • MAS Guidelines, such as technology risk management and outsourcing Switzerland August 2017 Fintech firms that are not authorised but are looking to use a business model that involves the acceptance of funds from the public Exemption from the requirement to obtain a banking licence for companies holding deposits below the CHF1 million threshold Thailand December 2016 The sandbox is open to: • Licensed financial institutions (and their group companies that conduct financial business) • Non-financial institutions under the supervision of the Bank of Thailand • Fintech firms • Technology firms Participants in the sandbox may test their financial products or services in a live but limited environment, without being fully subject to all licensing/ supervision requirements that normally would be applicable Latham & Watkins 13 November 2017 | Number 2232 | Page 5 Jurisdiction Launch date Target firms Key benefits The fintech initiatives proposed by sandbox applicants must relate to: • Lending • Payments and fund transfers • Other financial transactions that have similar characteristics to loans, payments and fund transfers UAE November 2016 Fintech firms Temporary exemption from usual regulatory requirements UK Announced in November 2015, and opened for applications in June 2016 • Authorised firms seeking to test new ideas • Unauthorised firms that need to become authorised before testing • Technology businesses supporting authorised firms • Tailored authorisation process for unauthorised firms • Individual guidance from supervisors • Waivers or rule modifications • No enforcement action letters US May 2017 “Innovators” working on technology initiatives being implemented in a new activity, service, or entity that may be regulated or supervised by the US Commodity Futures Trading Commission (CFTC) GuidePoint – a dedicated point of contact for fintech firms to engage with the CFTC, learn about the CFTC’s regulatory framework, and obtain feedback and information on the implementation of innovative technology ideas for the market What are the benefits? The ultimate aim is for sandboxes to foster innovation, allowing new products and services to come to market — ideally benefitting consumers by increasing choice and reducing costs. Sandboxes can be mutually beneficial for both regulators and firms. Sandbox participants often benefit from certain concessions (such as rule modifications) and regular contact with the regulator. This helps participants to understand how the regulatory framework applies to them, and allows them to come to market much more quickly and at a lower cost than if they had gone through traditional channels. Latham & Watkins 13 November 2017 | Number 2232 | Page 6 For regulators, the sandbox affords a valuable learning experience, allowing them to keep pace with technological advancements and new business models that may not conveniently fit into the existing regulatory framework. For example, the FCA has stated how experiences in the sandbox have allowed it to see first-hand how distributed ledger technology (DLT) might be used in the financial services sector. One key benefit for regulators and firms is that regulators receive a clearer picture of areas in which existing regulation might stifle innovation, and therefore are able to consider what they can do to prevent this. Sandboxes come with safeguards and so they allow some potentially riskier products and services to be trialled without fear of harming consumers. This means there is more scope for new ideas to be trialled, which might not otherwise proceed to market. It is also beneficial for firms to be able to carry out smallscale testing in order to gauge potential consumer interest in their offerings. What are the challenges? While some sandboxes allow unlimited participants (provided they meet the eligibility criteria), others have limited capacity, meaning competition for spaces. Many sandboxes also are either aimed at existing regulated businesses, or require authorisation to participate, meaning reasonably high barriers to entry still exist for small start-ups. In some cases, the eligibility criteria can be prohibitive or the business may not be sufficiently progressed to begin testing. Regulators will also be limited in what they can do in terms of rule waivers. Further, a number of sandboxes restrict participation to firms that are incorporated in the jurisdiction of the relevant sandbox, or where the product offering has some level of nexus to that jurisdiction. Some particular findings from the UK sandbox are discussed further, below. It is also important that sandboxes, while conducive to innovation, are not seen as a panacea. If innovation truly is the goal, a sandbox must be part of a much broader strategy by regulators. For example, regulators actively need to think about whether elements of the regulatory framework remain fit for purpose, or whether they need to be adapted in light of experiences in the sandbox. Regulators may also need to offer additional support to businesses transitioning out of the sandbox, and businesses that do not meet the sandbox criteria but are nevertheless trying to navigate a challenging regulatory framework to bring new products and services to market. Lessons from the UK On 20 October 2017, the FCA published a “lessons learned report” on its regulatory sandbox, reflecting on how the sandbox has met its objectives over its first year of operation. Although these lessons are specific to the UK market, there is some read across to other sandbox initiatives and the outcomes are certainly of broader interest to the fintech community. Because of the level of supervision required under the UK model, the sandbox accepts only two small cohorts each year. The report focuses mainly on the outcomes relating to the first cohort of 18 sandbox firms, which tested during the first year of operation. The second cohort of 24 firms began testing this summer and so the full results from this cohort are not yet known, although data regarding the demographics of the second cohort are used to inform the FCA’s report. The sandbox has helped new products and services get to market, often more quickly and at a lower cost than without the support of the sandbox. The FCA reports that 75% of the first cohort successfully Latham & Watkins 13 November 2017 | Number 2232 | Page 7 completed their testing, and around 90% of these firms are progressing towards a wider market launch. Interestingly, around a third of these firms have significantly changed their business model ahead of a wider launch, in light of findings from the testing period. Most firms that used the restricted authorisation route have successfully secured full authorisation following their time in the sandbox. Participation in the sandbox has also helped many firms access financing. The FCA reports that at least 40% of firms in the first cohort received investment either during or following their sandbox tests. What has worked well? The FCA has seen many firms apply new technologies to traditional products or services. Unsurprisingly, distributed ledger technology (DLT) has been the most popular technology used by the first two cohorts. The FCA has found in particular that small-scale testing has helped firms reveal potential benefits, better understand the risks involved, and improve their risk management processes. The FCA also reports that sandbox firms have been using online platforms to help streamline existing processes. Another use of technology has been services integrating with the application programme interfaces (APIs) of other financial services firms, to offer consumers access to a range of financial information. A further benefit of testing is that it has allowed firms to assess both consumer uptake and commercial viability whilst operating on a limited scale. Such testing has also enabled firms to test technology solutions on a small scale, with appropriate safeguards in place. For instance, the FCA imposed additional safeguarding requirements (such as the requirement to guarantee the funds being transferred) on a number of firms testing DLT-based digital currency payment services. From the FCA’s perspective, it has had the opportunity to look closely at new business models at an early stage of development, and consider how they might benefit, or cause harm to, consumers. What has not worked so well? The report also pinpoints areas of difficulty for sandbox firms. The report flags the lack of access to banking services (often as a result of banks de-risking due to perceived greater money laundering and terrorist financing risks) as a real barrier. These difficulties have been more common amongst sandbox firms looking to use DLT, or to become payment or e-money institutions. Whilst the FCA’s report acknowledges that limited access to banking services poses a threat to innovation, it offers little reassurance that regulators will address the issue. In relation to firms using DLT in particular, the FCA has seen that execution time uncertainty, volatility in the value of digital currencies, liquidity requirements, transaction fees, and the availability of exchanges have all affected the success of firms carrying out testing. More generally, some firms in the sandbox have experienced difficulty in acquiring customers, particularly in the case of small start-ups. The FCA highlights that partnerships between existing firms and start-ups can be beneficial in this context, creating a symbiotic relationship. Lack of access to customer data has also proved to be problematic for start-ups. This is particularly acute when the firm’s business model depends on being able to use customer data to offer better-suited Latham & Watkins 13 November 2017 | Number 2232 | Page 8 products or services. Although the drive towards open banking and open APIs should help to alleviate this problem in the future, for now lack of access to customer data remains a hurdle that firms must overcome. Another issue flagged by the report, albeit more limited in scale, is businesses wanting to undertake activities that make their model too risky, so as to make testing prohibitive. For example, some suggested business models would involve the firm in writing insurance or operating a multilateral trading facility, both of which come with an extremely burdensome regulatory framework, not to mention hefty capital requirements. One solution may be to pair up with an established firm that already has the necessary permissions to avoid the start-up taking on operations that are too complex for its size and capabilities. What next? Many of the global sandboxes are still in their early stages, and so although there has been success, more time is needed before outcomes can be judged properly. The FCA’s report highlights that much progress can be made, but also shows that there remain many challenges that need to be overcome before the sandbox can operate to its full effect. Potential sandbox applicants should think carefully about where they are applying, the structure of the sandbox scheme in that jurisdiction and the challenges that have been encountered by participants so far. Also, given the global/borderless nature of many fintech initiatives, there is an argument for removing jurisdictional restrictions that apply to a number of sandboxes, to allow innovative firms the flexibility to choose where to test their products. However, with limited resources allocated to sandbox testing, this may not be realistic, as regulators will likely prioritise the needs of national firms. Latham & Watkins 13 November 2017 | Number 2232 | Page 9 If you have questions about this Client Alert, please contact one of the authors listed below or the Latham lawyer with whom you normally consult: Rob Moulton firstname.lastname@example.org +44.20.7710.4523 London Brett Carr email@example.com +44.20.7710.4695 London Andrew C. Moyle firstname.lastname@example.org +44.20.7710.1078 London Stuart Davis email@example.com +44.20.7710.1821 London Simon Hawkins firstname.lastname@example.org +852.2912.2733 Hong Kong Fiona M. Maclean email@example.com +44.20.7710.1822 London Charlotte Collins firstname.lastname@example.org +44.20.7710.1804 London The authors thank Alexander Hendry for his significant assistance with this Client Alert. You Might Also Be Interested In Policing the Robots — Robo-Advice Under MiFID II Bank of England Launches Blueprint on New RTGS Service FCA Launches Discussion on Distributed Ledger Technology Client Alert is published by Latham & Watkins as a news reporting service to clients and other friends. The information contained in this publication should not be construed as legal advice. Should further analysis or explanation of the subject matter be required, please contact the lawyer with whom you normally consult. The invitation to contact is not a solicitation for legal work under the laws of any jurisdiction in which Latham lawyers are not authorized to practice. A complete list of Latham’s Client Alerts can be found at www.lw.com. If you wish to update your contact details or customize the information you receive from Latham & Watkins, visit http://events.lw.com/reaction/subscriptionpage.html to subscribe to the firm’s global client mailings program.