Securities and Exchange Board of India
June 05, 2020
All Stock Exchanges, Clearing Corporations and Depositories
All Intermediaries
Subject: Framework for Regulatory Sandbox
1. Participants in the capital market in India have been early adopters of technology. SEBI believes that encouraging adoption and usage of financial technologies (‘FinTech’) can act as an instrument to further develop and maintain an efficient, fair and transparent securities market ecosystem.
2. Towards this end, SEBI vide circular SEBI/HO/MRD/2019/P/64 dated May 20, 2019, stipulated a framework for an industry-wide Innovation Sandbox, whereby FinTech startups and entities not regulated by SEBI were permitted to use the Innovation Sandbox for offline testing of their proposed solution.
3. Further, SEBI has now decided to introduce a framework for “Regulatory Sandbox”. Under this sandbox framework, entities regulated by SEBI shall be granted certain facilities and flexibilities to experiment with FinTech solutions in a live environment and on a limited set of real customers for a limited time frame. These features shall be fortified with necessary safeguards for investor protection and risk mitigation.
4. The guidelines pertaining to the functioning of the Regulatory Sandbox are provided at Annexure A.
This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992 and Section 19 of the Depositories Act, 1996 to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.
Deputy General Manager
Division of Technology & Cyber Security
Market Regulation Department-1
Email: [email protected]
1. All entities registered with SEBI under section 12 of the SEBI Act 1992, shall be eligible for testing in the regulatory sandbox. The entity may test either on its own or by engaging the services of a FinTech firm. In either scenario, the registered market participant shall be treated as the principal applicant, and shall be solely responsible for testing of the
ELIGIBILITY CRITERIA FOR THE PROJECT
2. The eligibility criteria shall be as follows:
a) Genuineness of innovation
The solution should be innovative enough to add significant value to the existing offering in the Indian securities market.
b) Genuine need to test
The applicant should have a genuine need for live testing the solution on real customers. Further, the applicant should demonstrate that the solution cannot be developed without relaxing certain regulations, if any, being sought.
c) Limited prior testing
Before applying for testing in sandbox, limited offline testing of the solution should have been carried out by the applicant.
d) Direct benefits to users
The solution should offer identifiable benefits (direct or indirect) to the investors or entities or to the capital market at large.
e) No risks to the financial system
The solution should have proper risk management strategy to incorporate appropriate safeguards to mitigate and control potential risks to any market participants/users that may arise from the testing of the solution and shall propose appropriate safeguards to manage the risks and contain the consequences of failure.
f) Testing readiness of the solution
The applicant should have the necessary resources to support testing in the sandbox and must demonstrate well developed testing plans with clear objectives, parameters and success criteria.
g) Deployment post-testing
The applicant should demonstrate the intention and ability to deploy the solution on a broader scale. To this effect the applicant should share a proposed sandbox exit and transition strategy.
APPLICATION AND APPROVAL PROCESS
3. The applicant shall ensure that the specified eligibility criteria are satisfied while submitting the application as per Annexure-1 to SEBI. The application form shall be signed by the Chief Executive Officer (CEO) of the applicant or officer duly authorized by the CEO or compliance officer. The complete application must be submitted to:
Chief General Manager,
Market Regulation Department-1,
SEBI Bhavan, Plot No. C4-A, G-Block, Bandra Kurla Complex,
Bandra (E), Mumbai – 400051
by email at [email protected]
4. Thereafter, the application shall be forwarded to the relevant department of SEBI for The flowchart for the application and approval process is depicted at Annexure-2. SEBI shall communicate with the applicant during the course of evaluating the sandbox application, and during the testing phase.
5. At the “Application Stage”, SEBI shall review the application and inform of its potential suitability for a sandbox within 30 working days from the submission of the complete application. SEBI may issue guidance to the applicant according to the specific characteristics and risks associated with the proposed solution. SEBI may also consult its Committee on Financial and Regulatory Technologies (CFRT), if necessary, to evaluate the application.
6. At the “Evaluation Stage”, SEBI shall work with the applicant to determine the specific regulatory requirements and conditions (including test parameters and control boundaries) to be applied to the proposed solution in question. The applicant shall then assess if it is able to meet these requirements. If the applicant is able and willing to meet the proposed regulatory requirements and conditions, the applicant shall be granted permission to develop and test the proposed FinTech innovation(s) in the sandbox.
7. Upon approval, the application shall proceed towards the “Testing Stage”. The participant shall disclose to its users that the solution shall operate in a sandbox and the potential key risks associated with the solution. The applicant is also required to obtain the user’s acknowledgement that they have read and understood the risks.
8. During the testing stage, the applicant shall take prior approval from SEBI to effect any material changes to the solution.
9. Each applicant shall assign a contact person to coordinate with a designated officer of
10. The duration of the sandbox testing stage shall be a maximum of twelve months and extendable upon request of the applicant.
11. In case an application is rejected at any stage, the applicant shall be informed accordingly. The reasons for rejection could include failure to meet the objective of the sandbox or any of the eligibility criteria. The applicant may re-apply for the sandbox when it is ready to meet the objective and eligibility criteria of the sandbox, subject to an appropriate cooling off period as decided by the concerned department of SEBI.
12. The applicant may be evaluated using a scoring process by the concerned department, inter alia, based on the parameters given below:
i. Profile of the applicant
ii. Usage of innovative solution including technology and/or processes
iii. Identified benefits to the investors and/or the securities/commodities markets
iv. Compilation of meaningful test scenarios and expected/desired outcomes
v. Risk measured/graded testing conditions and parameters so as to ensure safety and protection of the markets/investors
vi. Risk mitigation for high risk testing conditions and parameters
vii. Appropriate disclosure requirements and protection to their users
viii. Clearly defined grievance redressal mechanism and user rights
ix. Adequate disclosure of the potential risks to participating users
x. Prior confirmation from users that they fully understand and accept the attendant risks
xi. Intent and feasibility to deploy the proposed FinTech solution post testing
xii. The deployment and monitoring strategy post testing (in the event the tests are deemed successful) or the exit strategy (in the event the tests are not successful)
xiii. Any other factors considered relevant by SEBI
13. To encourage innovation with minimal regulatory burden, SEBI shall consider exemptions/relaxations, if any, which could be either in the form of a comprehensive exemption from certain regulatory requirements or selective exemptions on a case-by-case basis, depending on the FinTech solution to be tested.
14. Within the overarching principles of market integrity and investor protection, no exemptions would be granted from the extant investor protection framework, Know Your Customer (KYC) and Anti-Money Laundering (AML) rules.
15. Entities desirous of participating in sandbox shall make an application, including exemption / relaxation being sought from relevant provisions of the applicable regulatory framework.
16. The registration granted by SEBI to all entities registered with SEBI under Section 12 of the SEBI Act, 1992 is activity based. An entity which is registered with SEBI for a particular activity is authorized to carry out activity in that domain. In order to enable the cross domain testing of FinTech solutions, an existing registered entity would be required to first obtain a limited certificate of registration for the category of intermediary for which it seeks to test the FinTech solution(s). This concept of limited registration shall facilitate the entities to operate in a Regulatory Sandbox without being subjected to the entire set of regulatory requirements to carry out that activity.
17. Accordingly, regulatory relaxations from various SEBI regulations may be provided after analyzing specific sandbox testing applications. A reference list is given at Annexure-3 with examples of the regulatory requirements that will be mandatory and those for which SEBI may consider granting relaxation during the sandbox testing.
18. SEBI has notified SEBI Regulatory Sandbox (Amendment) Regulations, 2020 so as to enable the respective department(s) to grant relaxation(s)/exemption(s), as may be deemed fit, while granting such limited certificate of registration.
SUBMISSION OF TEST RELATED INFORMATION AND REPORTS
19. During the testing period, SEBI may require the participant to submit information/ interim reports including:
i) Key performance indicators, milestones and statistical information
ii) Key issues arising as observed from fraud or operational incident reports
iii) Actions or steps taken to address the key issues identified above
20. The Sandbox Participants must submit a final report containing the following information to SEBI within 30 calendar days from the expiry of the testing period:
i) Key outcomes, key performance indicators against agreed measures for the success or failure of the test and findings of the test
ii) A full account of all incident reports and resolution of user complaints, if any
iii) Key learnings from the test
21. The interim and final reports must be confirmed by the Chief Executive Officer (CEO) of the applicant or officer duly authorized by the CEO or the compliance officer.
22. The participant must ensure that proper records of the conducted tests are maintained for review by SEBI. Further, the participant shall also maintain such records for a period of five (5) years from the date of completion of testing/ exit from the sandbox.
OBLIGATIONS OF THE APPLICANT TOWARDS THE USER
23. The applicant shall ensure that before signing up, the user has read the full documentation provided by the applicant and confirms that he/she is aware of the risks of using the solution.
24. The applicant shall ensure that users participating in the sandbox have the same protection rights as the ones participating in the live market.
EXTENDING OR EXITING THE SANDBOX
25. At the end of the testing period, the permission granted to the applicant as well as the legal and regulatory requirements relaxed by SEBI, shall expire.
26. Upon completion of testing,
i) SEBI shall decide whether to permit the FinTech innovation to be introduced in the market on a wider scale. Where allowed, participants intending to carry out regulated businesses shall be assessed based on applicable licensing, approval and registration criteria under various SEBI regulations, as the case may be.
ii) The applicant may employ an exit strategy.
iii) The applicant may request for an extension period to continue testing.
27. The applicant may exit the sandbox on its own by giving a prior notice to SEBI, in writing, of its intention to exit the sandbox.
28. The applicant shall ensure that any existing obligation to the users of the FinTech innovation(s) in the sandbox are completely fulfilled or addressed before exiting the sandbox or before discontinuing the sandbox testing.
29. The applicant is required to maintain records of acknowledgement of all its users stating that all the obligations towards the users have been met. These records shall be maintained by the applicant for a period of five years from the date of exit from the sandbox.
REVOCATION OF THE APPROVAL
30. SEBI may revoke an approval, to participate in the sandbox, at any time before the end of the testing period, if the applicant:
i) Fails to carry out risk mitigants.
ii) Submits false, misleading or inaccurate information, or has concealed or failed to disclose material facts in the application
iii) Contravenes any applicable law administered by SEBI or any applicable law in India or abroad
iv) Suffers a loss of reputation
v) Undergoes or has gone into liquidation
vi) Compromises the digital security and integrity of the service or product or elevates the risk of a cyber-security attack
vii) Carries on business in a manner detrimental to users or the public at large
viii) Fails to effectively address any technical defects, flaws or vulnerabilities in the product, service or solution which gives rise to recurring service disruptions or fraudulent activities
ix) Fails to implement any directions given by SEBI
31. In addition to revocation of approval for participating in the sandbox, appropriate actions under the relevant regulatory framework may be initiated against the applicant in case the FinTech solution facilitates the following:
i) Undermining of Know Your Customer (KYC) principles
ii) Violation of user’s/investor’s privacy
iii) Promotion of sale of fraudulent/illegal products or services
iv) Promotion of mis-selling of products or services
v) Violation of Anti-Money Laundering (AML) norms
vi) Creation of risk to financial stability
vii) Theft of intellectual property
32. Before revoking the approval to participate in the sandbox, SEBI shall:
i. Immediately suspend trials on new users i.e. no new users shall be permitted to sign up for using/testing the solution
ii. Give the applicant a prior notice of its intention to revoke the approval; and
iii. Provide an opportunity to the applicant to respond to SEBI on the grounds for revocation
33. Notwithstanding anything contained in the above para, where SEBI is satisfied that in the interest of the applicant, its users, the financial system or the public in general, it may revoke the approval immediately without prior notice and provide the opportunity to the participant to respond after the effective date of revocation. If the response is satisfactory, SEBI may reinstate the approval to participate in the sandbox.
34. Upon revocation of an approval, the participant must:
i) Immediately implement its exit plan to cease the provision of the product, process, service or solution to new and existing users;
ii) Notify its users about the cessation and their rights to grievance redressal, as applicable;
iii) Comply with obligations imposed by SEBI to dispose of all confidential information including user’s personal information collected over the duration of the testing;
iv) Compensate any users who had suffered financial losses arising from the test in accordance with the safeguards submitted by the participant;
v) Submit a report to SEBI on the actions taken, within 30 days from the revocation;
vi) Comply with any other directions given by SEBI.
REGULATORY SANDBOX APPLICATION FORM
|1. Applicant’s Information|
|1.1||Name of the Organization|
|1.2||SEBI Registration no.|
|1.3||Name of the Authorized Representative|
|2. Details of the FinTech firms involved, if any|
|2.1||Provide a brief description of the FinTech firm and its core businesses including but not limited to: a. registration with other regulators; b. affiliation to prominent societies; d. significant achievements; e. financial standing including avenues for funding; f. Profile of key personnel|
|2.2||Does the FinTech firm have a presence in India? If yes then please provide details.|
|2.3||Is the FinTech firm’s business already active abroad? If yes then please provide details.|
|2.4||Current orders or proceedings against the FinTech firm in India and abroad (if any)|
|3. About the proposed solution|
|3.1||Provide a short summary of the proposed solution to be tested in the sandbox including but not limited to: a. Objective of the proposed FinTech solution or the; b. Key benefits to the users and markets; c. Business Model, including asset deployment and sources of revenue; d. Target users; e. Compliance obligations; f. Time period for testing|
|3.2||Summary of the technical solution including but not limited to: a. Technical architecture; b. Usage of Artificial Intelligence and Machine Learning, if any; c. Cyber resilience: VAPT results, if any; d. Certification from Common Criteria Recognition Arrangement (CCRA), if any; e. Business Continuity Plan, if any; f. Any other certifications, if any|
|3.3||With respect to the genuineness of innovation, please provide an explanation as to how the solution constitutes a significantly different offering in the market place|
|3.4||Awareness of similar offering in other countries or for other than securities/commodities markets|
|3.5||Timelines for pan-India deployment post sandbox testing|
|4. Sandbox readiness|
|4.1||Illustrate the aspect of the FinTech solution that will be tested|
|4.2||The test criteria and expected outcomes|
|4.3||Describe the use case that will be tested in the sandbox|
|4.4||Define success for a test and the Key Performance Indicators that will indicate a successful test|
|4.5||Probable start and end date of sandbox testing|
|4.6||Details of users including but not limited to: a. Number of participating customers; b. Profile of customers (retail, institutional, etc.); c. Process for enrollment and acquisition of customers; d. Requirement of KYC; e. User awareness required/conducted; f. Whether consent required/has consent been obtained; g. Arrangements to limit loss if applicable e.g. Margin, stop loss thresholds etc.; h. User compensation if any; i. Value at risk per user; j. Transaction thresholds per user|
|4.7||Risk assessment and mitigation options including but not limited to: a. Failure of sandbox testing; b. Financial loss to the customers; c. Cyber attack; d. AML and terrorism financing|
|4.8||Any instance of a legal and regulatory non-compliance for any other regulator during the sandbox testing|
|5. Legal and Regulatory Assessment: other regulators|
|5.1||Legal and regulatory status (registration, licensing, authorization, approval, recognition etc.)|
|5.2||Legal opinion sought on the proposed FinTech solution, if any|
|5.3||Relevant license to deploy the proposed solution in the production environment? Please provide the details|
|6. Deployment post-testing|
|6.1||Describe how the regulatory requirements will be met post successful sandbox testing|
|6.2||Please provide a pan-India deployment strategy, post successful sandbox testing|
|6.3||Please provide a clear strategy to monitor the outcomes in the live scenario|
|6.4||Please provide exit and transition strategy if the deployed solution turns unviable and the tests are unsuccessful|
|7. Relaxation of SEBI regulations and guidelines|
|7.1||Outline the list of rules, regulation, guidelines, circulars etc. of SEBI that, as per the applicant, may act as an impediment to the proposed FinTech solution, along with detailed rationale|
|7.2||Is SEBI to relax any specific regulatory requirements, for the duration of the sandbox? Please provide the details along with detailed rationale|
|7.3||In the event of a successful test and before exit from the sandbox, provide details on how SEBI’s regulatory requirements shall be complied with|
REQUIREMENTS WHICH WILL NOT BE RELAXED AND WHICH MAY MERIT RELAXATION (FOR ILLUSTRATIVE PURPOSE)
a. Requirements for which relaxation will not be considered
i. Confidentiality of customer information
ii. Fit and proper criteria particularly on honesty and integrity
iii. Handling of customer’s moneys and assets by intermediaries
iv. Prevention of money laundering and countering the financing of terrorism
v. Risk checks (like price check, order value check, etc.)
vi. Principles of KYC
b. Requirements that may merit relaxation
i. Net worth
ii. Track record
iii. Registration fees
iv. SEBI Guidelines, such as technology risk management guidelines and outsourcing guidelines
v. Financial soundness