On June 14, 2021, SEBI issued a circular on ‘Revised Framework for Regulatory Sandbox’ (“Revised Sandbox Policy”), revising the erstwhile framework issued by SEBI through circular dated June 05, 2020. A regulatory sandbox grants regulatory relaxations (ranging from registration fee to track record) for a period of one year, to financial institutions to enable them to experiment with fintech solutions on real customers in a live environment. After one year, the relaxations and limited registrations granted by SEBI are withdrawn.
The key highlights of the Revised Sandbox Policy are discussed hereunder.
Division of sandbox testing
The Revised Sandbox Policy bifurcates testing of the applicants’ proposed solutions into two stages, cumulatively not exceeding a twelve-month period, unless extended. During stage-I, applicants would be utilizing limited and identified set of users, while during stage-II, testing would be extended to a relatively larger set of identified users. The maximum number of users would be capped at both stages, based on the requirements of each applicant and as approved by SEBI on case-by-case basis.
Upon approval to stage-I, applicants are required to apply for one-year limited registration certificate for the particular category of intermediary from SEBI, under which it seeks to test the solution. An applicant would become eligible for stage-II upon completing three months in stage-I. Separate applications are prescribed to be filed at each of the two stages.
The Revised Sandbox Policy has introduced the requirement for applicants to obtain positive consent of users, including their understanding of the risks involved in using the solution, at both stages and in the format prescribed thereunder.
In light of the division of sandbox testing, the Revised Sandbox Policy has prescribed eligibility criteria for each of the two stages. At stage-I, the applicant should be a SEBI registered entity, while it may partner with an unregistered entity and retain its status as the principal applicant. It is also essential that the proposed solution firstly, pertains to securities market, secondly, has identified benefits, and thirdly, is required to either be innovative or enable better performance in existing processes or facilitate inclusion.
Further, at stage-I, the applicant is required to demonstrate a genuine need for relaxations in regulations and prove that the solution cannot be developed without the same. Instead of the requirement to carry out a limited offline testing prescribed under the erstwhile framework, the Revised Sandbox Policy requires the applicant to have necessary resources to support testing and to demonstrate well-developed testing plans with clear objectives and success criteria.
Besides this, the Revised Sandbox Policy emphasizes on the requirement to have proper risk management strategy and incorporation of adequate safeguards to mitigate and control risks that may arise from testing of the solution. The applicant is required to propose adequate safeguards to manage risks and contain the consequences of its failure.
At stage-II, the applicant is required to demonstrate the progress achieved at stage-I, the risks observed during stage-I along with steps taken by the applicant to mitigate the same. The feedback received from the users during stage-I would also be a considering factor for determining the applicant’s eligibility for stage-II. At this stage, the applicant must prove that they are complying with the objectives of the Revised Sandbox Policy, and present their intention and ability to deploy the solution on a broader scale. The applicant is also required to share an exit strategy at this stage.
Rights of users participating in the sandbox
The Revised Sandbox Policy has introduced certain protections for the participating investors. The applicant must ensure that users participating in testing of its solution have the same protection rights as users participating in the live market. The applicant must also take liability / indemnity insurance to safeguard the users participating in the sandbox. Furthermore, in this regard, the applicant is also required to publish clearly defined grievance redressal mechanism to address grievances of participating users. The users are also enabled to use the SEBI Complaint Redressal System (SCORES) for registering their grievances.
The Revised Sandbox Policy prescribes evaluation criteria for both stages of testing, drawing parallels to the eligibility criteria prescribed thereunder. Evaluation at stage-I is based on criteria including the genuine need to test and relaxations sought, identified benefits of the solution, risk measured, defined grievance redressal mechanism, etc.
Evaluation criteria for stage-II are largely based on the outcome of stage-I and include the progress achieved, user feedback received and risks observed during stage-I as well as steps taken by the applicant to mitigate those risks. Other evaluation stage-II includes safeguards in place to manage risks and contain consequences of failure as well as the applicant’s intent and the feasibility to deploy the proposed solution post testing.
In addition to an exit strategy required to be submitted by the applicant, detailing the process to be undertaken upon successful testing, the Revised Sandbox Policy now also requires the submission of a withdrawal strategy, in case the testing fails. The withdrawal strategy is required to provide inter alia, for the process of selling/ transferring, etc. of the current position of the existing users and refunding any dues to them.
The two-staged approach introduced by the Revised Sandbox Policy introduces eligibility criteria better suited for distinct stages of the sandbox life cycle. It also streamlines the testing process by creating a hurdle enabling enhanced assessment and proficient categorization of successful innovation solutions.