On 5 September 2022, and in line with its policy of enabling responsible innovation to promote the development of an inclusive digital financial ecosystem, the Bangko Sentral ng Pilipinas (“BSP”) issued Circular No. 1153 and approved a Regulatory Sandbox Framework to be incorporated as Section 115 of the Manual of Regulations for Banks (“MORB”) and Sections 112-Q/115-S/115-P/113-T/103-N/141-CC of the Manual of Regulations for Non-Bank Financial Institutions (“MORNBFI”). In broad terms, the new rules allow fintech developers to test the use of new or emerging technology to deliver financial products and services in a controlled environment.
1. What is the Regulatory Sandbox?
The Regulatory Sandbox is a controlled, time-bound, live testing environment which may feature regulatory waivers at the regulators’ discretion in order to promote the development of transformative technologies under the “test-and-learn” approach. Applicants that are assessed as eligible to participate in the regulatory sandbox (“Participants”) must operate within testing parameters agreed upon by the BSP and the Participants. Testing parameters include metrics to assess the viability of the solution being offered.
2. What is the scope and coverage of the FPSCPA and the FCP Framework?
The Regulatory Sandbox Framework applies to all BSP-Supervised Financial Institutions (each a “BSFI”), third party-service providers of BSFIs, other BSP-registered institutions, and other entities that intend to offer or use any emerging or new technology to deliver financial products/services within the regulatory authority of the BSP.
3. What are the eligibility standards that applicants should meet in order to participate in the regulatory sandbox?
Under the Regulatory Sandbox Framework, applicants must meet the following criteria to participate in the regulatory sandbox:
a. the financial solution offered by the applicant either: (i) uses new or emerging technology or utilizes existing technology in an innovative manner, or (ii) bridges a market gap in the delivery of financial products/services;
b. the applicant must show that it has the capability to deploy the proposed solution through a roll-out strategy;
c. the applicant must provide an initial test plan demonstrating scenarios and expected outcomes of the experimentation;
d. the applicant must have identified significant risks relevant to the innovation and the proposed safeguards and mitigation strategies to address these risks;
e. the applicant must have specified Key Performance Indicators (“KPI”) in monitoring the progress of the implementation of the solution; and
f. the applicant must provide an acceptable exit and transition strategy to be implemented upon the completion of the experimentation.
4. Are there continuing conditions that must be complied with by the Participants that have been granted approval to perform sandbox activities?
Yes, under the Regulatory Sandbox Framework, Participants must comply with certain conditions in the performance of sandbox activities.
Among these conditions, Participants in a regulatory sandbox must ensure that an appropriate top-level committee oversees sandbox activities and that the sandbox is integrated in the overall strategic plan of the entity to ensure that the entity’s systems, financial performance and risk management capability are capable of handling the new product/service.
Further, Participants must guarantee that sandbox activities satisfy legal and regulatory requirements for Anti-Money Laundering/Combating Terrorism and Proliferation Financing, together with relevant regulations on payments, IT risk management and Electronic Products and Financial Services (“EPFS”).
Note that under the Regulatory Sandbox Framework, the sandbox must be implemented for a period no longer than 12 months. After such period, a report must be submitted by participants summarizing the outcome of the experimentation and the viability of the product offered, supplemented by recommended action plans for the offered product/service.
5. What is the process followed in a regulatory sandbox?
The Regulatory Sandbox Framework contemplates that each regulatory sandbox shall undergo a four-stage process: the Application, Evaluation, Testing and Exit Stages. These are discussed briefly below.
a. Application Stage – Under this stage, applicants are mandated to submit certain minimum documentary requirements. These include a letter of intent, application form, eligibility self-assessment checklist, and exit plan (using the forms annexed to Circular No. 1153), and copies, certified by the corporate secretary of the applicant, of the resolutions of its board of directors approving the application for regulatory sandbox authority.
b. Evaluation Stage – The BSP evaluates the completeness of the documentary requirements submitted based on the eligibility standards outlined in item 3(a) above.
c. Testing Stage – The testing stage is divided into two phases: (i) a testing design phase; and (ii) testing implementation. These determine the viability of the proposed solution.
During the testing design phase, Participants are required to present the proposed innovation to the BSP. If it finds everything in order, the BSP shall approve the test plan to be utilized during the experimentation period and issue a Letter to Proceed with the next phase. The test plan should, at a minimum, contain the following: (a) overall timeline and budget, (b) testing performance metrics, (c) testing methodologies and/or scripts, (d) customer acquisition plan, (e) customer communications, (f) Minimum safeguards (such information security, consumer dispute resolution/redress mechanism, and anti-money laundering/and terrorist financing safeguards), (9) identification of the regulatory requirements to be relaxed during the testing period, (h) exit plan upon completion of the sandbox activity or in case there is any serious concern on the continued implementation of the sandbox activity, and (i) testing deliverables.
The test implementation phase may range from three to 12 months in duration, depending on the complexity of the proposed solution. Note that any proposed adjustments in the duration of the sandbox activity must be submitted to the BSP for evaluation at least 30 calendar days before the expiration of the sandbox testing period.
d. Exit Stage – After the testing stage, a final report shall be prepared by the Participants providing a comprehensive evaluation of the entire sandbox activity.
6. When are participants deemed fit to operate with their proposed product/service?
Participants whose products or services are deemed fit for public consumption after having completed the testing and exit stages referred to above may submit to the BSP an application for authority to operate and to offer the proposed product to the public.
Note that despite successful sandbox testing, the approving authorities reserve the right to approve or disapprove the proposed product or service.
7. What are the conditions that will trigger the revocation/termination of the Regulatory Sandbox Approval?
The BSP may revoke the authority of entities to participate in the sandbox based on (i) sandbox implementation-related conditions and (ii) entity-related conditions.
Sandbox implementation-related conditions consist of the failure of Participants to deliver the approved product/service features, or failure to develop and implement the required safeguards appropriate for the proposed solution. Further, significant breaches on data protection and the inability of the participants to effectively address technical defects or vulnerabilities in the proposed solution also fall under the foregoing conditions.
Entity-related conditions, on the other hand, pertain to issues in the operational and/or business conditions of the Participant.
8. What are the conditions that will trigger the revocation/termination of the Regulatory Sandbox Approval?
Participants are mandated by the Regulatory Sandbox Framework to submit interim and final reports to the BSP to facilitate monitoring of the regulatory sandbox activities. Interim reports must describe the status of the sandbox activities including key issues encountered and actions undertaken to address emerging risks. The final report shall thereafter contain the final results of the experimentation presenting complete information on the key outcome of the activity. Note that the final report must be submitted by participants to the BSP within 60 calendar days from the end of the sandbox activity.
9. How are consumers who are subject to sandbox experimentation protected?
Under the Regulatory Sandbox Framework, participants in the sandbox activity must adopt measures to protect the rights and interests of consumers. Customers must be informed that the product/service offered by the participants is under the regulatory sandbox platform and must be informed of the possible risks associated with the product.
Further, all regulatory sandbox experimentation shall follow the rules and regulations on data sharing, data privacy, and data protection in all implementation phases. The use of customer data should be limited to the consent provided by the customer in availing the product or service.