January 14, 2019

A sandbox defence

Innovation and consumer protection can co-exist. That’s why regulatory sandboxes are needed.

Carly Minsky

10 min read

There's a widespread view that regulation hinders innovation, especially in the financial services sector. That's often cited as a reason for the lagging technology adoption in financial services, or as an argument against the regulators’ activities and rules.

But there’s another assumption that often goes hand in hand with the view that innovation and regulation are mutually exclusive: the idea that innovation cannot be a core part of the regulator’s remit, since this would amplify the risks posed by new technology and undermine the regulator’s obligation to protect consumers.

And so a catch-22 is born. According to a certain logic, regulators are obliged to hold their hands up in despair at the proliferation of ‘risky’ technologies - like digital currency, artificial intelligence and blockchain - because they can neither engage with and endorse the innovation, nor regulate and manage it. The “light-touch” regulatory approach under which the UK regulator did not intervene to mitigate risks from financial innovation was widely blamed after the 2008 financial crash.


In a Financial Times Alphaville column on regulatory sandboxes in December 2018, Jemima Kelly claimed that as a result of sandbox programmes to trial new products, regulators are unwittingly endorsing and promoting risky technology.

Kelly wrote: “[A sandbox] might sound pretty harmless. In practice, it's not. Regulators' primary role is to protect consumers — often, ironically, precisely from the kind of "financial innovation" the companies in the sandbox are offering — and to safeguard financial stability. It is not regulators' job to provide start-ups with free marketing or any kind of stamp of approval, which is how they are often being used.”

But supporters of regulatory sandboxes for fintech argue that, to the contrary, sandboxes are the best way to ensure consumer protection and mitigate market risks from new technology, while also encouraging innovation which serves the interest of the entire market, including consumers.

Nicole Sandler, Barclays’ vice president for fintech and regtech for EMEA, explains: “I believe that one of the biggest reasons that companies enter a sandbox is because they want to understand if they can put a product out into the market and they want to have a relationship with the regulator to see if their product is actually viable in the real world.”

Barclays participated in the third cohort of the UK’s regulatory sandbox run by the Financial Conduct Authority (FCA). The bank’s test product - translating regulation into machine-readable rules - directly related to interpreting financial regulation, and so it is easy to see how and why a sandbox trial with close supervision by the regulator would benefit all involved. More generally, sandboxes enable regulators to pre-emptively develop their approach to new technology using insights from the trial, and sandbox participants receive direct guidance on how to interpret existing regulation and how their product might be regulated.

“One of the reasons that banks are so heavily regulated is to make sure that we have financial stability,” adds Sandler. “If one wants to play in the innovation space we need to make sure that we understand how that use case fits with regulation. And regulators may really only fully understand [innovation] if they have also explored that space and worked closely with the industry experts.”

Alphaville’s Jemima Kelly claims that the limited testing environment in sandboxes severely restricts the value of any insights that regulators may gain about new technology deployed at scale.

The FCA presents an alternative view. Anna Wallace, FCA’s Head of Innovate, explains: “Although sandbox tests are limited in terms of their overall scale, they provide us with an opportunity to supervise and learn about new areas of the market.” Sandbox insights have also contributed to hematic reviews on automated investment management and automated retail investment advice

Wallace also refers to specific examples of sandbox participants who have used regulatory guidance to deliver consumer benefits: Oval, a mobile app using behavioural insights to encourage consumers to make small savings and repay debts quicker; and a semi-automated advice tool developed by Citizens Advice which helps debt advisors deliver more consistent advice in face-to-face interactions.

Badge of honour

Undeniably, completion of a sandbox product test does give startups a leg-up when it comes to how they are perceived. Kelly’s concerns centre on a wave of press releases she has received from firms accepted onto regulatory sandboxes. But it is hard to imagine individual consumers (as opposed to institutions or investors) paying much attention to this so-called “stamp of approval”. While customers do not tend to look for a product’s testing credentials at this level, investors on the other hand do perform sophisticated evaluations on startups, but among the many different decision factors, press release “boasts” are surely not as dangerous as Kelly claims.


A Deloitte study in 2018 found there were many reasons companies applied to the FCA’s sandbox.

“Unsurprisingly, several firms wanted to use the sandbox primarily to understand how regulatory requirements would apply to their innovative services or products, and/or what type of authorisation they might need, if any. Others thought that testing in the sandbox would speed up the creation of a minimum viable product; and some others wanted to take advantage of the opportunity to test their product live with real customers.”

Race to the bottom

It’s not just Alphaville’s Jemima Kelly who has criticised regulatory sandboxes and their potential impact. One worry is that regulators will compete with each other to offer more attractive environments for startups, which means less heavily regulated environments. Different jurisdictions will end up engaging in a “race to the bottom”, attempting to turn the region into a fintech hub by waiving regulation with sandboxes.

In reality, this is unlikely. The FCA, for example, has yet to use either the regulation-waiver tool or the no-action enforcement letter for any firm across its cohorts. Instead, firms have made use of the individual guidance during their sandbox test to stay within the FCA’s regulation and authorisation limits.

Barclay’s Sandler says: “There is a misconception in some jurisdictions that sandboxes are ‘regulatory light’ (ie light touch) – often the reason noted to me is due to the existence of certain tools such as waivers and no action enforcement letters however it is worth highlighting that these have never been used by the FCA in their cohorts”

Regulators’ powers to waive rules may, in any case, be limited.Sandler argues that the delegated powers regulators have to enforce EU law do not allow them to waive an EU rule, only an FCA-specific regulation. Most regulations would therefore stand firm in all European jurisdictions (ignoring Brexit for the time-being), disempowering individual regulators to throw out regulations in competition with each other.

Lawyer Jacob Turner, author of Robot Rules - Regulating Artificial Intelligence, writes:

“For AI, sandboxes will work particularly well in circumstances where current laws require that a human always be in control of a particular decision or process, such that absent a sandbox, using the AI at all might be illegal. A sandbox could be used to demonstrate the safety and efficiency of the AI system on a small scale, precipitating its wider legalisation for the rest of the jurisdiction (accompanied of course by appropriate safety standards, which the government will have also tested out in the sandbox).”

But exploring this further, it becomes clear that even if the FCA, in agreement with the UK’s Information Commissioner's’ Office (ICO) issued a waiver or no-action letter, it is unlikely that this would safeguard a startup from restrictions under Europe’s GDPR.

Turner clarifies: “The FCA has been delegated rule-making power by FSMA or similar and part of that delegation is the power to waive compliance with aspects of its own rules.I don't believe that allows FCA to waive compliance with things outside its handbook though, i.e. GDPR.”

Last week, the European Supervisory Authorities published a joint report with a comparative analysis of regulatory sandboxes in five EU member states: Denmark, Lithuania, Netherlands, Poland and the UK.

Overall, the study found “no significant differences” and concluded that all five sandboxes impose testing parameters on a case-by-case basis; ensure that all participants make a “controlled exit” when testing has completed; and require licenses for any firm carrying out regulated financial services, even in testing phases. None of the sandbox provisions include waiving any regulatory obligations under EU or national law, but the programmes do allow for “proportionality” when applying regulations in testing phases.

The insight that all the authorities treat financial stability and consumer protection as foundations for their sandbox initiatives also goes some way to counter the concern that sandboxes will snowball into an anarchistic nightmare.


In the Alphaville Column, Kelly writes: “We've seen the kind of problems that the "disruptive technology" that is crypto — and in particular the ICO market — can lead to, but that's just the start of it. Financial innovation, even if it starts off with good intentions, often leads to disaster.

“In the last cohort, almost half of the 29 firms' business models were based either crypto or blockchain.”

But, as Barclay’s Nicole Sandler points out, it is a misleading to conflate cryptocurrency and blockchain - or distributed ledger technology (DLT).

The technology underneath cryptocurrencies, blockchain or other DLT, can be used for a range of data management and automation applications. It’s true that 12 of the 29 firms in the last cohort of the FCA’s sandbox are using DLT, but in fact only two firms are working on crypto applications. Across all the cohorts, DLT is the most common feature of test products (33 firms out of the 89), but only four firms have tested cryptocurrency services. Other applications of DLT include money transfer, digital identification, trade settlement, flight insurance, anti-money laundering (AML) and invoice payments. There may be other risks arising from these products, but the danger from sandbox-endorsed ICO products is overblown.

“The majority of firms we have supported through the sandbox are not crypto or blockchain based,” says head of FCA Innovate, Anna Wallace.

On the other side of the ICO “problem”, there is a real need for regulators to get a handle on the activities and risks. A blanket ban of ICOs is not a sustainable approach.

Sandler comments: “A number of companies are going to keep raising funds this way. I think it is unfair to state that all ICOs are bad however it may be unclear whether they are compliant with the required regulations.  

“A regulator is not going to be able to fully understand how to regulate this properly until they actually work with it [in a sandbox].  If the regulation on ICOs was clearer and we understood what the remits were as a bank and as an industry, we would be able to work with those companies.”

In October 2018, a ‘Stakeholder Group’ of the European Securities and Markets Agency (ESMA) published research and advice on the risks of ICO’s and the state of existing regulation across Europe. It found that Malta, Switzerland, Lithuania, Gibraltar, Jersey and the Isle of Man have developed specific guidelines or frameworks for assessing ICOs and establishing how to apply financial services legislation.

A global approach

The UK’s FCA has led the way for other jurisdictions to develop similar sandbox programmes. But it’s unfair to place the responsibility on the UK regulator for any risks arising from sandboxes in other jurisdictions. Inevitably, not all regulators are born equal, as Jemima Kelly noted in Alphaville column. But this discrepancy is already being tackled by an active global network of financial regulators, who believe that sharing insights is the best way to ensure financial stability and consumer protection across all jurisdictions. For some regulators, including the FCA, the end-goal is a global fintech sandbox whereby cross-jurisdictional tests and supervision would mitigate the “race to the bottom” risk, and help even out the different levels of protection.

“One of the things I like about fintech is that it is so collaborative,” explains Sandler, who is supportive of and has advised on a global fintech sandbox initiative. “You get to do things with lots of different people, cross-industry but also cross-border. Fintech does not understand borders. [Industry players] want to be working closely with a number of regulators and policymakers and you want your regulators and policymakers to be working together. That is why I believe that it is a great idea for sandboxes to be more global.”