Regulatory Sandboxes for Fintechs
Building apps is difficult enough without the need to ensure legal compliance. Fintech apps are a case in point: they must meet strict legal requirements from both financial and privacy regulators.
Luckily, help is at hand in the UK with the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) offering sandboxes for developers to test their products for regulatory compliance before launching.
This article explains the key benefits of using these sandboxes as well as presenting results from companies that have taken part in sandbox trials.
Reading this article will help you to:
- Make an informed decision about whether taking part in the ICO or FCA sandboxes will help you get your product to market;
- Understand the process for taking part in the ICO or FCA sandboxes;
- Get your app to market more quickly and with a greater likelihood of achieving legal compliance;
- Access the relevant resources for taking part in one of these sandboxes.
What are Sandboxes?
The ICO defines their sandbox as “a service developed by the ICO, to support organisations who are creating products and services which utilise personal data in innovative and safe ways.” Sandboxes are a well-established tool for testing software in a safe, controlled environment where bugs and issues can be ironed out before going live.
The ICO’s regulatory sandbox was announced in 2018 with the first participants being selected in 2019. The FCA launched their sandbox in 2016 and have seen a number of companies go through their programme of testing and analysis.
The UK has been a pioneer in this area with Norway and France now also having their own fintech regulatory sandboxes and other countries expected to follow soon.
Benefits of Using a Sandbox
There are a number of benefits for developers of using regulatory sandboxes:
- Access to the expertise and support of the regulatory body running the sandbox;
- Greater confidence that the app will be compliant and achieve regulatory approval once it has been through the sandbox programme;
- Confidence among customers, suppliers and other connected third parties that your company takes privacy and legal issues seriously;
- Reduced time and cost of getting the product to market by building in the relevant legal features from the beginning;
- Better chances of securing funding through a reduction in legal uncertainty;
- Ability to modify the application at an earlier stage, saving the cost of revisions later in the development cycle;
- Opportunity to test ideas and concepts in a safe and confidential environment;
- Ability to kill a project before too much time and money has been put into it;
- Access to experts with first-hand knowledge of the legal issues relating to compliance.
According to the FCA, the first cohort of companies that went through their sandbox programme realised a number of advantages. Of the 50 companies in this cohort:
- 75% of the firms successfully completed their testing in the sandbox;
- 90% of those that completed testing went on to a market launch.
The products from this cohort included digital ledger technology (DLT) software, online platforms for managing financial transactions, APIs for extending financial information to consumers as well as biometrics for authenticating payments and robo-advice apps.
As shown in the charts below, most participants were start-ups in the retail banking and insurance sectors.
Sandbox Case Study – FutureFlow
FutureFlow Research Inc “provides an analytics platform which monitors the flow of funds in the financial system with the potential to combat financial crime. The platform enables financial institutions to contribute pseudonymised transactional data in bulk, enabling multiple financial institutions, Regulators, and agencies to work together to detect and ultimately tackle electronic financial crime.”
FutureFlow took part in the ICO’s first sandbox programme and used its participation to answer 3 key questions:
- Who is performing which role, i.e. which party is the controller and which the processor under data protection law? They determined that, depending on the activity, there would be two different controllers. In one case FutureFlow would be the processor acting on behalf of the client, who would be the controller; in the other case the Trusted Third Party would also be a processor.
- Could the data being processed by FutureFlow be considered anonymous? On balance, it was decided that it would probably not be considered anonymous as, “despite being heavily pseudonymised (particularly when utilising the services of a Trusted Third Party in FutureFlow’s Indirect Mode of operation), the risk of re-identification by a motivated intruder would still be regarded as reasonably likely if such an intruder gained access to the pseudonymised data.”
- How could FutureFlow become compliant in the future? The ICO offered advice on this as the project progressed.
Speaking on the Privacy Paths podcast, FutureFlow’s co-founder, Vadim Sobolevski, was enthusiastic about the benefits his company got from its time in the ICO sandbox. He was keen to answer the above questions and to ensure compliance with the General Data Protection Regulation (GDPR), which was then coming into force across Europe.
In terms of addressing these questions, FutureFlow realised the following benefits from their participation:
- they were reassured that most of the assumptions built into their system were validated by the process. However, they did have to make some adjustments to their product based on what they learned, e.g. the way some activities are logged;
- the rigorous approach taken by the ICO made them realise that some features were not up to the standard required to be “ICO Ready”;
- the most significant impact was in changing how they thought about the data they were working with. They had been a little naive in thinking that the obfuscation and pseudonymisation of their data meant it would not be considered “personal data” under the GDPR. However, the ICO quickly pointed out that this data was still “personal”. This more rigorous way of thinking about data led to their two-tier conceptual framework for managing data sharing between and across financial institutions, so they could work at a national level even though the data was still personal. Sobolevski says “This is something they could not have imagined prior to their experience in the Sandbox”.
Evaluating their product against core GDPR provisions, FutureFlow mapped the data flows in their product as seen in the illustration below.
Next Steps on your Sandbox Journey
If taking part in either the FCA or ICO (or both) sandbox programmes is something you are interested in then the following resources will be useful.
Financial Conduct Authority (FCA) resources:
How to apply to the FCA regulatory sandbox (calls are made throughout the year) – https://www.fca.org.uk/firms/innovation/regulatory-sandbox-prepare-application
Participants in the FCA’s sixth cohort of innovators. This will give you an idea of the types of companies taking part in the programme – https://www.fca.org.uk/firms/regulatory-sandbox/regulatory-sandbox-cohort-6
Information Commissioner’s Office (ICO) resources:
How to apply to the ICO regulatory sandbox (numbers are limited each year) – https://ico.org.uk/for-organisations/regulatory-sandbox/the-guide-to-the-sandbox/how-can-we-apply-to-the-sandbox/
Case studies of ICO sandbox participants. From this page you can access detailed reports from a variety of participating companies and how they used the sandbox – https://ico.org.uk/for-organisations/regulatory-sandbox/previous-participants/