This chapter presents recommendations on the optimal design of a feasible innovation facilitator in the Czech Republic. The proposed design caters to the specificities of the Czech Republic as identified in the analysis, including the structure of the Czech financial sector, the Czech FinTech ecosystem, the national and EU regulatory and supervisory framework and future expected developments in the regulation of financial innovation. The recommendations have been developed in close consultation with the Czech and European Authorities and draw on past experiences of sandbox models in jurisdictions where these have been established (in OECD and non-OECD member countries with a focus on European Union countries).
Supporting FinTech Innovation in the Czech Republic
2. Recommendations for a sandbox in the Czech Republic
Abstract
The design recommendations (see Executive summary for an outline) cover the definition of ‘innovation’ or ‘innovative financial product’ that would merit its inclusion; eligibility criteria for the entrepreneurs to be admitted to participate in the sandbox, including the licensing procedure; authorisation model; limits of the testing environment; exit procedures; measurements of performance; and recommended timelines. The chapter also describes regulatory and supervisory principles and/or standards, including the risk register and risk management considerations, and offers a communication strategy to ensure all stakeholders are aware of the regulatory sandbox’s purpose and function. The latter is particularly important given observed misconceptions in the Czech Republic around the definition and purpose of regulatory sandboxes.
The recommended design for a Czech regulatory sandbox is based on the feasibility study for its implementation in the Czech Republic and is tailored to the specificities of the Czech ecosystem, considering relevant opportunities and limitations of the domestic environment. The key design recommendations for the Czech Regulatory Sandbox are as follows.
Definition of “innovative financial product”: a new or improved financial product, service, or business strategy that leverages novel/emerging technologies to provide innovative/enhanced financial services.
Objectives of the proposed regulatory sandbox for FinTechs: facilitate innovation and speed up productive innovation; promote competition and financial inclusion in the financial sector; facilitate the adoption of new technologies; and attract FinTechs.
Recommended scope: cross-sectoral with no restrictions concerning the sector of activity, if it falls under the remit of the financial authorities, directly or indirectly. In this context, ‘indirectly’ refers to financial activity that may not fall under the existing definitions of activities requiring a license from Authorities but may still have an impact on the financial sector. Applicants must comply with the eligibility criteria in all cases.
Limits of the testing environment: The recommended structure advises against the provision of any waivers, restricted authorisations or other relaxation of existing applicable rules, which would anyway be against EU rules. It is recommended that a proportional application of existing regulatory and supervisory requirements, as embedded in EU financial services regulation, is used as appropriate, and at the discretion of the supervisor for firms participating in the Czech regulatory sandbox. Such proportionality can apply to the governance process and system and control requirements, board composition; financial soundness; reputation; management experience and track record. Proportionality should be applied on a case‑by-case basis by the supervisor, depending on the business model and the applicable rules.
Regulatory and supervisory oversight: The recommendation for the Czech regulatory sandbox to maximise operational benefits and improve the dissemination of regulatory clarity on the one hand, and understanding of business models by the supervisor on the other hand, is to have the sandbox set up by the Authorities. The practice in all EU regulatory sandboxes has been for regulatory sandboxes to be established at the supervisory authority. Since the suggested testing framework will not offer exemptions to participating firms in the sandbox beyond those provided by national and European law, there is therefore no need for legislative changes for the establishment of a regulatory sandbox. The Czech Authorities could establish the regulatory sandbox by an internal act or by designating which posts will be dedicated to co‑ordinating its operation within the relevant Authorities.
Standard regulatory vs. data sandbox: The recommendation for the Czech sandbox is to commence with the establishment of the ‘standard’ regulatory sandbox and, to the extent feasible, provide data-sharing when the conditions allow it. The feasibility of this option will be based on (i) the availability of datasets and ability to make these available; (ii) the capacity of the authorities participating in the regulatory sandbox. It could also be envisaged that a data sandbox without a regulatory component to it could be outsourced and/or be established outside the Czech Authorities, although even in this case the Authorities would need to participate inter alia by means of providing data. The two types of sandboxes, regulatory and data, are not mutually exclusive.
Types of data in the data sandbox: The recommendation about the Czech data sandbox will depend on the feasibility analysis of such endeavour, which, in turn, will depend to a large extent on the datasets that can be made available, taking under consideration legal and technical limitations with respect to companies participating in such facilitator, while it will also depend on the allocation of capacity to operate such a sandbox, both in terms of numbers and in terms of technical skillsets, to allow for its operation.
Synthetic data in the data sandbox: It is recommended to avoid this option at the first stages of development of the data sandbox, unless there is a willingness to deploy important resources, both internally / pre‑existing and externally in terms of providers of specialised services that may not be available within the Czech authorities. In the future, depending on the availability of resources and the experience of the sandbox, Czech authorities can consider engaging in a more resource‑intensive phase of the data sandbox, involving synthetic datasets.
Participants: Categories of firms that may participate and would find it useful include companies that already have a license but wish to test a new technology and/or business model; companies that do not have the required license within the financial legislation to provide the desired activity; companies where it is uncertain whether the activity requires a license within the financial legislation.
Eligibility criteria: It is recommended that participants in the regulatory sandbox hold the appropriate license for the regulated activity undertaken or are ready to apply for a license in order to have it before the start of the testing phase, if the supervisor deems that the activity falls within the perimeter of regulated financial activity. In case the supervisor deems that a license is not necessary, the Czech Authorities have the discretion to allow the company to perform the testing or not. This could be beneficial for both the Czech Authorities and the service provider, for example, if regulation in this area is being negotiated and co‑operation is assessed as beneficial for familiarisation with this type of product.
Authorisation model: Participants are preselected by a special Advisory Board based on enclosed eligibility criteria, which provides a non-binding recommendation. This will then be validated or rejected by the Czech Authorities, and this does not apply to the CNB, as the CNB has no legal basis to issue such a decision. The Authority operating the sandbox would issue a decision regarding the selection upon considering the recommendation of the Advisory Board.
2.1. Definitions and objectives
2.1.1. Objectives of a regulatory sandbox
A regulatory sandbox is a framework that allows FinTech companies to test innovative new products, services, and business models in a controlled environment under the oversight of a regulatory authority and without the bending of rules. The recommended main objectives of the proposed regulatory sandbox for FinTechs in the Czech Republic are shown in Figure 2.1.
2.1.2. Understanding the concept of innovation
When creating a regulatory sandbox for FinTechs, the definition of what constitutes an innovative financial product is an important factor to consider. The definition must be precise, well-defined, and consider the rules and legislation of the Czech Republic. The regulatory sandbox can help the development and testing of new and emerging technologies while also guaranteeing that consumer protection and regulatory monitoring are maintained.
The definition of financial innovation should be comprehensive and take into account various factors. It is important to note that none of these criteria should be given preferential treatment, as they are all complementary and equally important for defining financial innovation. The first criterion is the impact of the innovation on the market and competition. Financial innovations may involve new products, services, or procedures that disrupt established market structures or create new market opportunities. The second criterion is the effect of the innovation on customer convenience and choice. Financial innovations may include new products, services, or procedures that expand customer options or improve user experience. The third criterion is the influence of the innovation on financial stability and risk management. Financial innovations can involve new products, services, or procedures that enhance the efficiency and resilience of the financial system or reduce systemic risks (Figure 2.2). The three criterions should be viewed as complementary, having similar importance.
Additionally, as the FinTech sector and regulatory landscape develop over time, the definition of an innovative financial product may also change. Therefore, it is important to take a holistic approach rather than merely focusing on the technology used, keeping in mind that innovation can also emerge from new business models or new ways of delivering financial services (OECD/Eurostat, 2018[1]).
In the case of the Czech regulatory sandbox, it is recommended that the definition of the term “innovative financial product” should refer to a new or improved financial product, service, or business strategy that leverages novel or emerging technologies to provide innovative and enhanced financial services. Payment service providers, aggregators, crypto‑asset related firms, distributed ledger technology-based financial activity, robo‑advisory platforms, and peer-to-peer lending platforms are a few examples of possible products in this category. A product, service, or business model that makes use of current technology in new or creative ways will also be referred to as an innovative financial product. For example, fraud can be detected using artificial intelligence, and credit risk can be evaluated using big data analytics.
2.1.3. Distinction between sandbox types
‘Standard’ regulatory sandbox
‘Standard’ regulatory sandboxes are types of innovation facilitators schemes that enable firms to test, pursuant to a specific testing plan agreed and monitored by a dedicated function of the competent authority, innovative financial products, financial services or business models (ESMA, EBA and EIOPA, 2019[2]). Table 2.1 displays a list of operational and planned regulatory sandbox within the EU.
Table 2.1. List of operational and planned regulatory sandboxes in the EU
# |
Country |
Sandbox |
Banking |
Insurance |
Securities |
Website |
---|---|---|---|---|---|---|
EU |
||||||
1 |
AT |
✓ |
✓ |
✓ |
✓ |
https://www.fma.gv.at/en/fintech-point-of-contact-sandbox/fma-sandbox/ |
2 |
BE |
N |
||||
3 |
BG |
Announced |
||||
4 |
CY |
N |
||||
5 |
CZ |
N |
||||
6 |
DE |
N |
||||
7 |
DK |
✓ |
✓ |
✓ |
✓ |
|
8 |
EE |
Planned |
✓ |
✓ |
✓ |
|
9 |
EL |
Planned |
✓ |
✓ |
✓ |
https://www.bankofgreece.gr/en/main-tasks/supervision/regulatory-sandbox |
10 |
ES |
Planned |
✓ |
|||
11 |
FI |
N |
||||
12 |
FR |
N |
||||
13 |
HR |
N |
||||
14 |
HU |
✓ |
✓ |
✓ |
✓ |
|
15 |
IE |
N |
||||
16 |
IT |
✓ |
✓ |
✓ |
✓ |
https://www.dt.mef.gov.it/it/dipartimento/consultazioni_pubbliche/consultazione_regolamento.html |
17 |
LT |
✓ |
✓ |
✓ |
✓ |
|
18 |
LU |
N |
||||
19 |
LV |
✓ |
✓ |
✓ |
✓ |
https://www.bank.lv/en/co-operation/support-for-fintech-and-innovations/regulatory-sandbox |
20 |
MT |
✓ |
✓ |
✓ |
✓ |
|
21 |
NL |
✓ |
✓ |
✓ |
✓ |
|
22 |
PL |
Planned |
✓ |
✓ |
✓ |
|
23 |
PT |
Planned |
✓ |
✓ |
✓ |
|
24 |
RO |
N |
||||
25 |
SE |
N |
||||
26 |
SK |
✓ |
✓ |
✓ |
✓ |
https://nbs.sk/en/financial-market-supervision1/fintech/regulatory-sandbox/ |
27 |
SL |
N |
||||
EFTA |
||||||
28 |
IS |
N |
||||
29 |
LI |
N |
||||
30 |
NO |
✓ |
✓ |
✓ |
✓ |
|
31 |
CH |
✓ |
✓ |
✓ |
✓ |
|
32 |
UK |
✓ |
✓ |
✓ |
✓ |
Source: Based on ESMA, EBA and EIOPA (2019[2]), FinTech: Regulatory sandboxes and innovation hubs, https://ec.europa.eu/info/publications/180308-action-plan-fintech_en, and publicly available information on the websites mentioned in the table.
A regulatory sandbox may offer several key benefits to both FinTech companies and regulatory authorities in the Czech Republic. Regulatory sandboxes allow companies to test and validate their products and services in a real-world environment, gaining valuable insights into their feasibility and viability. This can help to reduce the risk of failure for new innovations. Additionally, regulatory sandboxes provide regulatory authorities with an opportunity to assess the potential impact of these innovations on consumers and the wider economy, allowing them to make informed decisions about the regulation of these products and services.
The scope of a regulatory sandbox can be extended to include data-sharing functionalities. There is often confusion between the concepts of data sharing and a data sandbox. Data sharing refers to the practice of sharing data between organisations or entities for a specific purpose, such as improving customer experience or fraud detection. On the other hand, a data sandbox is a secure testing environment that allows organisations to experiment with data without risking sensitive information or breaching data privacy regulations. Both concepts involve the sharing of data, either between different parties or within a controlled environment, for the purpose of testing or analysis. Both data sharing and a data sandbox can also potentially lead to innovation and the development of new products or services, as well as improvements in efficiency and cost savings. Additionally, both concepts can raise concerns around data privacy and security and require careful consideration of legal and regulatory frameworks. However, there are some differences in their purpose, scope, data ownership and security measures (Figure 2.3).
The recommendation for the Czech regulatory sandbox is to consider the establishment of a ‘standard’ regulatory sandbox and only extend its scope by incorporating data-sharing capabilities when the conditions allow it. Enriching the standard regulatory sandbox with a data-sharing option could be envisaged based on (i) the availability of datasets and ability to make these available; (ii) the capacity of the authorities participating in the regulatory sandbox.
It could also be envisaged that a data sandbox without a regulatory component could be outsourced and/or exist outside the Authorities, although even in this alternative the Czech Authorities would likely need to participate inter alia by means of providing data.
Data sandbox
Data sandboxes are testing environments where companies can experiment with new data-driven products and services or components of products/services that are based on data in a similar setting. In a data sandbox, companies have the freedom to test new product elements using real-world data or synthetic data, in a controlled environment.
Companies could build data-driven models that would form part of a business model or service and which may not necessarily directly involve financial market activity. Indicatively, one example of a potential use case for a data sandbox would be a FinTech lender wishing to create and validate a machine learning-based model for the assessment of creditworthiness of potential borrowers. Any datasets of SME financial data (e.g. debt metrics including debt repayment history; amount of debt; credit mix; debt capacity; metrics related to collateral pledged, traditional credit scores) made available to the FinTech in the context of such data sandbox, combined with other non-traditional data, would allow the FinTech to create, calibrate and validate new models for alternative credit scoring.
Such a data sandbox could offer several key benefits to FinTech companies in the Czech Republic. The data sandbox would help to foster innovation by providing companies with access to real-world data, or synthetic data mimicking the real world, allowing them to test, train and validate new products and technologies. Often, FinTechs have a problem getting access to valuable data sets, even though their products depend on data, because this data is privately held by financial institutions or by the public sector, and it might be a cost barrier to the FinTechs or straightforward impossible to access it. Depending on the data provided, it should be assessed who will be able to access the data and under what legal and technological commitments. In theory, for public data, no restrictions should apply. Indeed, some authorities already make large amount of public data available with different options of access including data download and API access (see Table 2.2 for example). For synthetic data, sensitivities other than privacy, which are resolved through the generating process, may remain. The FCA and the Bank of Spain have not made access to their synthetic data available outside of the sandbox (see further below).
In addition, a data sandbox may offer participant various technological tools to facilitate access to data, data manipulation and analysis and the creation of additional features of the data.
The concept of a data sandbox has gained traction globally as a way for regulators to allow experimentation with new financial technologies, while also managing any associated risks. The goal of these data sandboxes is to create a supportive environment for innovation and growth in the financial sector, while also ensuring the protection of consumers and maintaining the stability of the financial system. Some possible data types that could be shared and accessed in a data sandbox for a use by FinTechs are provided in Table 2.2 below.
The recommendation for the establishment of the ‘standard’ regulatory sandbox as a first step will allow the Czech Authorities to gather any datasets that may not be immediately available, or to format those that are not available in the format that would allow their usage by firms. In parallel, it would allow some time for the operational preparations within the authority (e.g. in terms of IT infrastructure requirements or appointment of external consultants in case of outsourcing). Input is required by Czech Authorities on the availability of such datasets (currently or in the near future), as a first step, and on whether these could be made available in some form (e.g. anonymised or with other deferential privacy methods, synthetic, other), to allow the assessment of feasibility of the data sandbox.
Synthetic data in a data sandbox
Synthetic data is artificially produced to replicate the statistical components of real data. As such, to generate a synthetic data, access to the real data must also be available, must also be available for some synthetic data generation techniques such as Agent-based modelling and Generative Adversarial Networks (GANs). But it does not need to be shared to other entities after the synthetic data was successfully generated. The synthetic data generation process provides an alternative to real data and can produce inexhaustible amounts of simulated data, and a potentially cheaper way of improving the predictive power and enhancing the robustness of machine learning models, especially where real data is scarce or expensive or contains personally identifiable information that cannot be shared. Importantly, synthetic data is not anonymised data as it is created for artificial entities. The generation of synthetic data requires high statistical and technological expertise.1 To develop the synthetic data sets, the FCA collaborated with financial services industry participants, innovators, academics, technologists and data scientists. In the synthetic data pilot in Spain, the objective was to create a synthetic data set and to analyse whether it can substitute for real world data for testing purposes. Synthetic data was generated out of the original confidential data held by the national supervisor (Bank of Spain). The real data never left the premises of the supervisor, and no external user accessed the data; the supervisor remains the legal owner of the synthetic data; the generation process was done with a software provided by a private firm whose services were acquired through a tender procedure.
When it comes to the use of synthetic data in a Czech data sandbox, the recommendation is to avoid this option at the first stages of development of a sandbox, unless there is a willingness to deploy important resources, both internally / pre‑existing and externally in terms of providers of specialised services that may not be available within the Czech Authorities. In the future, depending on the availability of resources and the experience of the regulatory sandbox, Czech Authorities can consider engaging in a more resource‑intensive phase of a data sandbox, involving synthetic datasets.
The creation of synthetic data, that could be useful for FinTechs for testing and validating their products, requires access to a real-world data set, otherwise it cannot be built. For example, if there is no availability of micro data on loans to individuals, it is impossible to generate a synthetic dataset with similar statistical properties.2 Moreover, to create a synthetic dataset, it is necessary to know all the distribution parameters of the actual data set, which can only be obtained by working with data specialists. In the third place, if such a synthetic dataset were to be built, it also must be trusted by the FinTechs as being statistically similar to actual data, which is a key consideration in the process. Synthetic data can also be fully compliant with data protection obligations (as compared against anonymisation and pseudonymisation where there is still a risk of trace‑back of individuals). Practical examples of data sandboxes can be found in Annex C.
The recommendation for a Czech data sandbox will depend on the feasibility analysis of such an endeavour. The feasibility of a data sandbox in the Czech Republic will depend to a large extent on the datasets that can be made available, taking under consideration legal and technical limitations, to companies participating in such facilitator, while it will also depend on the allocation of capacity, both in terms of numbers and in terms of skillsets, to allow its operation. In addition, financial and other authorities might not possess the kind of data that is valuable to FinTechs. It is thus important to get a good understanding of the data needs of the Czech FinTechs through dialogue and surveys. Table 2.2 provides the types of datasets that have been made available in data or other regulatory sandboxes globally in OECD and non-OECD countries, other data sources not included in this table would also need to be considered depending on the Czech Authorities’ availability. The selection of data types should be made with the needs of Czech FinTechs in mind through dialogue within the regulatory sandbox.
Table 2.2. Datasets made available to FinTechs in data or other sandboxes in OECD and non-OECD countries
Type of data |
Datasets |
Type |
Example of established sandbox (country) |
---|---|---|---|
Financial Data |
SME lending: loan history, credit card history, current account history, SME directors, COVID‑19 lending, factoring, profit and loss, accounts receivable, lending providers. |
Synthetic |
FCA Digital Sandbox (UK) |
Retail and wholesale banking transactions |
Synthetic |
FCA Digital Sandbox (UK) |
|
Asset resolution dataset |
Synthetic |
FCA Digital Sandbox (UK) |
|
ESG – sustainability linked bonds |
Synthetic |
FCA Digital Sandbox (UK) |
|
Device data related to faster payments usage |
Synthetic |
FCA Digital Sandbox (UK) |
|
Annual accounts reported by non-financial firms |
Synthetic |
Bank of Spain synthetic data pilot (Spain) |
|
Loans extended to legal entities resident and non-resident and reported to the Central Credit Register |
Synthetic |
Bank of Spain synthetic data pilot (Spain) |
|
Macro financial public data – interest and exchange rates, money supply1 |
Real |
Monetary Authority of Singapore website (Singapore) |
|
Core banking system data2 |
Test data |
APIX Sandbox (AFIN3) |
|
Public firms’ disclosures (periodic accounts) |
Real |
Pilot regime in FinTech (Israel) |
|
Trade on the Tel Aviv Stock Exchange data |
Real |
Pilot regime in FinTech (Israel) |
|
Public administration public data4 |
Real |
Open Data Platform (Colombia) |
|
Non-Financial Data |
Planet satellite data |
Synthetic |
FCA Digital Sandbox (UK) |
ESG – business energy usage data |
Synthetic |
FCA Digital Sandbox (UK) |
|
ESG – cement, iron and steel production |
Real |
FCA Digital Sandbox (UK) |
|
ESG – European Red List |
Real |
FCA Digital Sandbox (UK) |
|
ESG – Sustainable Development Goal Indicators |
Real |
FCA Digital Sandbox (UK) |
|
Public administration public data4 |
Real |
Open Data Platform (Colombia) |
Notes:
1. The Monetary Authority of Singapore (MAS) provides Application Programming Interfaces (APIs) for developers to access relevant data from MAS and make use of the datasets for streamlining of applications and systems; the Government of Singapore (2022[3]), Monetary Authority of Singapore (MAS) APIs – Streamlining of Financial Applications through Data Singapore Government Developer Portal, https://www.developer.tech.gov.sg/products/categories/data‑and-apis/mas-apis/overview.html.
2. APIX (2023[4]), Sandbox | Collaborative Integrated Development Environment (IDE).
3. AFIN is a non-for-profit entity that was jointly formed by the Monetary Authority of Singapore (MAS), the World Bank Group’s International Finance Corporation (IFC) and the ASEAN Bankers Association.
4. The Ministry of Information Technologies and Communications (2023[5]), Datos Abiertos Colombia, https://www.datos.gov.co/.
2.2. Regulatory and supervisory considerations
The detailed design recommendations in the following sections relate to the regulatory sandbox recommendation, as the data sandbox option does not have a regulatory component and can be established outside the Czech Authorities at the discretion of participating parties.
2.2.1. Limits of the testing environment
The recommended structure for the Czech regulatory sandbox advises against the provision of any waivers; restricted authorisations or other relaxation of existing applicable rules, which would anyway be against EU rules. It is recommended that a proportional application of existing regulatory and supervisory requirements, as embedded in EU financial services regulation, is used as appropriate and at the discretion of the Authorities for firms participating in the Czech regulatory sandbox. Such proportionality can apply to the governance process and system and control requirements, board composition; financial soundness; reputation; management experience and track record (Deloitte, 2017[6]). Proportionality should be applied on a case‑by-case basis by the Authorities, depending on the business model and the applicable rules. The addition of safeguards to protect financial consumers should be considered if there is an assessment that extraordinary risks exist or if the existing regulatory framework does not address the risks associated with the innovation being tested.
Different jurisdictions have chosen different combinations of permitted and forbidden activities for firms participating in regulatory sandboxes. The ultimate boundaries in a given testing arrangement are the result of the legal provisions and regulations applicable to financial service providers and financial products and the overall objectives pursued by authorities in establishing a testing environment. Most countries that have implemented a regulatory sandbox have not opted to set it by defining a new legal regime and the legal boundaries of the testing environment are thus dictated by the existing license regime and the discretion available to the competent supervisors in law (EBRD, 2019[7]). A greater divergence between the provisions of the testing environment and the standard regulatory licensing regime would require defining in legislation a special legal regime for the testing environment, and that might take a long time to complete and defer the implementation of a regulatory sandbox. Further it might be in contradiction with the idea of technological neutrality that supervisors pursue. Nonetheless, some jurisdictions have chosen to amend existing legislation with innovative financial service providers in mind (Australia, Switzerland), and their regimes usually include a broader set of exemption for FinTechs.
The legal options that set the regulatory and enforcement boundaries for the participants of the previously established regulatory sandboxes world-wide can be classified as one of the following:
Restricted authorisation – Partial authorisation allows to grant an authorisation to operate a regulated activity but limiting the number of customers who participate in the test, or number of products offered to the customers. The UK offers restricted authorisation for firms participating in the regulatory sandbox. The introduction of a restricted license did not require a dedicated legislation in the UK. In Switzerland, firms in the sandbox may receive or invest public funds up to CHF 1 million without obtaining a license. This exemption was introduced by the Swiss Federal Council. In parallel, a separate “Fintech license” has been introduced in the Swiss Banking Act unrelated to sandbox participation. The Fintech license provides simplifications and lower market entry requirements, as compared to the full banking license.
Proportional authorisation – Regulatory sandboxes established in EU member countries stipulate that, to the extent that participation in the regulatory sandbox involves the carrying out of a regulated activity, the appropriate license is required to be held. Any divergence between the requirements of a regular licensing application and that of an application submitted by a regulatory sandbox participant are related to the interpretation of the competent supervisor of the idea of proportionality, exerted by the supervisor’s discretion. What this means in effect, is that the same proportionality is applicable to submission for a license by a non-sandbox firm. Embedded in EU financial services measures are tools to enable the proportionate application of regulatory and supervisory requirements. The joint report of the European Supervisory Authorities (ESA) points to the governance process and system and control requirements as appropriate for proportionality consideration. For the purpose of a concrete example, ESA mentions that governance system is subject to proportionality in Banking and Insurance EU laws (ESMA, EBA and EIOPA, 2019[2]).
In complement to certain supervisory relief, limitations or restrictions may be imposed for risk mitigation. Imposing limitations or other restrictions can be regarded as a lever for proportionality in the licensing or supervision process. In practice, in implementing proportionality for innovative firms, trying to lower boundaries that do not necessarily serve the purpose of the rule, EU member countries have focused on activities where the legal regime is set in national legislation, while much narrower discretionary space is taken in relation to EU laws. the Netherlands, Lithuania and Austria have stated that their respective regulatory sandboxes do not represent a new legal regime nor a “stripped down license”. Rather, supervisory requirements may be adapted on a case‑by-case manner within the scope of the principle of proportionality for supervision, depending on the business model, where the laws permit this. In Lithuania, the regulatory sandbox regime is governed by a resolution of the Bank of Lithuania. In Austria the establishment and operation of the regulatory sandbox was achieved by means of legislative amendment in the underlying legal framework of the Financial Market Authority (FMA). According to Austrian officials, the need to set the operation of the regulatory sandbox in a designated law had two rationales – the first was to assure that additional resources are granted to the FMA for the operation of the regulatory sandbox; the second was for the law to protect the FMA from accusations that a flaw has occurred in the selection process to the regulatory sandbox. In the Netherlands, no specific legal amendments were performed. Outside of the EU, the regulatory sandboxes in Hong Kong, each operating under the supervision of the various financial supervisors, allow the supervisors to exercise discretion powers, but no newly created set of regulatory sandbox-specific laws or regulations was introduced.
Class waiver – The Australian Securities & Investments Commission (ASIC) has issued a class waiver/FinTech licensing exemption for regulatory sandbox participants. The scope of the waiver is quite wide as the participation in Australia’s regulatory sandbox is granted as a matter of law, rather than upon application, and innovation is not a prerequisite. A participant may enjoy the waiver after notifying the ASIC but only for a restricted period, and not all types of services are included in the class waiver (it is unapplicable to issuing financial products or providing credit). In Australia the issuance of the class waiver was within the powers of the ASIC and in accordance with its mandate.
Individual guidance – Innovation hubs often serve the role of a preliminary stage of a regulatory sandbox regime. Innovation hubs provide a dedicated point of contact for firms to raise enquiries with competent authorities and to seek non-binding guidance on regulatory and supervisory expectations, including licensing requirements. On the whole, there are no legal barriers posed by existing laws to the establishment of innovation hubs in EU jurisdictions any many members have established such a hub. The work and mandate of innovation hubs does not differ much from established practices where supervisors respond to queries in a non-binding manner, however jurisdictions have focused on increase the level of technical expertise attached to such hubs as well as designating dedicated teams to the topic. Some competent authorities complement their innovation hubs with specific ‘follow-up’ schemes. Guidance is a prominent component of most regulatory sandboxes as well. The participation in a regulatory sandbox by construction results in a continuous communication and exchange between participating firms and the supervising authority. Building and enhancing firms’ understanding of regulatory expectations, the application of the existing regulatory framework and compliance requirements is one of the objectives of regulatory sandboxes and to achieve it, much communication is needed. Importantly, many developers of financial innovative solutions have a technological background rather than financial background and thus have a low starting point in understanding financial regulation requirements. Increasing the regulator’s understanding and knowledge of the innovative products to better assess the risks of new business models and underlying technologies is another important objective, on the side of the supervisor. In the absence of a wide leeway for regulatory alleviations, this property becomes even more central as one of the major benefits and appeals for the participating firms as well as for the supervising authority, from establishing the regulatory sandbox.
In Israel, A pilot regime for FinTech is operated jointly by the Israel Innovation Authority (IIA) and the Israel Securities Authority (ISA). The framework does not offer any regulatory waivers, and general rules apply. The authorisation stage is not part of the regulatory sandbox, and the accepted firm should either enter the test with or without a license, as applicable by existing laws. Regulatory guidance is offered by ISA, if the concerning firm falls within its jurisdiction, and two other supervisors, i.e. the payment systems supervisor and the banks supervisor located withing the Bank of Israel participate as observers. A unique feature of the Israeli test regime is that accepted firms receive financial support for the testing (see further below).
No enforcement action letters – the FCA in the UK has the right to issue a no enforcement action letter stating that no FCA enforcement action will be taken against testing activities. The FCA’s commitment not to take enforcement action applies to the period from the issue of the NAL until the testing is completed or closed by the FCA. It is important to note that this only addresses the risk of enforcement action by the FCA and does not limit the Fintech’s liability towards its customers. The Bank of Lithuania in its resolution regarding the establishment of a regulatory sandbox has declared that it will not undertake enforcement measures toward financial market participant operating in the regulatory sandbox. In both cases this commitment is not guaranteed and there are some limitations to its implementation in extreme cases.
As a rule of thumb, regulatory sandboxes do not offer any alleviations in the testing environment with regard to regulatory requirements in these three areas (Deloitte, 2017[6]; EBRD, 2019[7]):
Consumer protections provisions
Data protection provisions
Compliance with AML/CFT obligations
In addition, regulatory sandboxes do not offer solutions to several non-regulatory barriers that are often faced by FinTechs and are related to their business models. Participation in a regulatory sandbox does not guarantee the opening of a bank account for the FinTech, a common problem, where banks sometimes decline the opening of a bank account to FinTechs, due to regulatory AML rules applicable to them. Sandboxes, including those that have a focus on data, cannot offer access to individual-level data, because either it will constitute a breach of privacy rules, or in most cases such data is proprietary to incumbents. Supervisors allow, and even encourage, partnership between large firms (incumbents) and start-ups to apply to the regulatory sandbox, both to foster innovation based on data, and since such joint projects resolve the problem of the FinTech not being licensed, as it can operate as a third party and the incumbent assumes the supervisory obligations. Although obvious, a regulatory sandbox does not guarantee a consumer base for the innovative service or product, which can be a source of failure for the test as well.
A regulatory sandbox can offer financial aid in setting up the test. In Israel, such financial support constitutes one of the major attracting factors of the testing environment, as the regulatory assistance given takes the form of individual guidance and no further. The rate of financial support to the accepted firms varies from 20% to 50% of approved expenses associated with the testing. Financial support at an exceptional rate of 60% of the approved expenses will be given to a programme that has the potential to have an extraordinary impact on streamlining and improving the capital markets or the financial services industries in Israel.
Based on the above experience of other EU and OECD jurisdictions, and the conditions of the Czech FinTech ecosystem, it is recommended that the Czech regulatory sandbox does not provide any waivers; restricted authorisations or other relaxation of existing applicable rules, which would anyway be against EU rules. It is recommended that a proportional application of existing regulatory and supervisory requirements, as embedded in EU financial services regulation, is used as appropriate and at the discretion of the Authorities for firms participating in the Czech regulatory sandbox. Such proportionality can apply to the governance process and system and control requirements, board composition; financial soundness; reputation; management experience and track record (Deloitte, 2017[6]). Proportionality should be applied on a case‑by-case basis by the Authorities, depending on the business model and the applicable rules.
2.2.2. Regulatory and supervisory oversight
The recommendation for the Czech regulatory sandbox that would maximise operational benefits, improve the dissemination of regulatory clarity on the one hand, and understanding of business models by the Authorities on the other hand, is to have the regulatory sandbox set up by the Czech Authorities, as per all EU regulatory sandboxes. The experience of these EU regulatory sandboxes has showed that FinTechs benefit from an unmediated exchange of knowledge with the Authorities. This is positive both in terms of the innovators’ ability to understand the regulatory and supervisory requirements, but also in terms of the possibility to directly introduce their specifics to the Czech Authorities and thus deepen mutual understanding. No exemptions are to be granted to participating firms in the regulatory sandbox under the licensing procedure beyond those provided by national and European law. There is therefore no need for legislative changes for the establishment of a regulatory sandbox, as the recommended design for the Czech regulatory sandboxes does not involve the disapplication of regulatory obligations that are required to be imposed as a result of EU and/or national law. The Czech Authorities can establish the regulatory sandbox by an internal act or by designating which posts will be dedicated to co‑ordinating its operation within the relevant Authorities.
It is recommended that the Czech regulatory sandbox does not provide any form of waivers. Testing in regulatory sandboxes means enabling the provision of innovative financial services in the real market (perhaps in part of the market, depending on the case) under the intensive supervision of the Czech Authorities and in regular consultations with each other, which follows only after obtaining the relevant license. Participants shall benefit from guidance regarding compliance of their activity with applicable regulation and assistance in obtaining license.
It could also be envisaged that a data sandbox without a regulatory component could be outsourced and/or exist outside the Czech Authorities, although even in this alternative the Authorities would need to participate inter alia by means of providing data.
Regular consultations between the participant and the Czech Authorities shall take place throughout the testing phase, during which participants will be required to report on the testing process and any other relevant information. These regular consultations should be co‑ordinated by a dedicated regulatory sandbox staff member and are attended by representatives of the Czech Authorities, e.g. representatives from the Financial Market Supervision Department, the Licensing and Sanctions Department, the Regulation and International Co‑operation Department or the FinTech team.
The participant must clearly communicate with the users of their financial product that the product is provided in the testing regime of the regulatory sandbox. If a participant fails to comply with the testing plan, the Czech Authorities may use standard mechanisms such as a notice to remedy or, if remedy is not achieved within a specified period of time, a fine.
The regulatory sandbox will also allow the opportunity to get involved in cross-border testing in the EU. For example, the EU Digital Finance Platform will allow multi-sandbox testing in two or more regulatory sandboxes in different Member States, facilitating visibility over the tests among national authorities involved in testing. The cross-border testing is framework is developed by the European Forum for Innovation Facilitators and forms a gateway to regulatory sandbox testing involving multiple national authorities.3
It should be noted that competent authorities of other EU countries such as Denmark, Lithuania, the Netherlands and Poland, as well as the UK, have noted their statutory objectives of contributing to financial stability, promoting confidence in the financial sector in their jurisdictions and consumer protection as the foundation for their regulatory sandbox initiatives. As regulatory sandboxes can be used by authorities and firms to gain a good understanding of the opportunities and risks presented by innovations through the testing process, the lessons learned can inform the appropriate regulatory and supervisory response. That response could, for example, take the form of a new set of supervisory rules relating to the disclosure requirements for the sale of a specific new financial product in order to ensure an appropriate degree of protection for consumers or, indeed, a prohibition on the sale of the product if the risk of serious consumer detriment is identified. Given this, the above‑mentioned authorities view the regulatory sandbox process no differently from any other tool available to them in developing regulatory and supervisory policies in relation to emerging activities (ESMA, EBA and EIOPA, 2018[8]).
2.2.3. Scope of a regulatory sandbox
The scope of a regulatory sandbox is a critical aspect that determines the flexibility and effectiveness of the framework. The design of the regulatory sandbox for the Czech Republic should be guided by the principles of fostering innovation while ensuring financial stability and consumer protection. The scope of the regulatory sandbox should be clearly defined, taking into account the existing regulatory landscape, the competency of the relevant authorities, and the potential cross-sectoral impacts of new financial technologies.
Typically, the authority’s supervisory mission and the characteristics of the domestic financial industry it oversees determine the scope of regulatory sandboxes. However, FinTechs frequently breach the conventional lines separating the various financial services sectors (e.g. financial aggregation platforms) or offer ideas that might increase efficiency horizontally across sectors (e.g. in risk management). Scholars emphasise the unfavorability of sectoral limits because they magnify already-existing regulatory barriers and potentially inhibit cross-sectoral innovation by limiting economies of scale (Parenti, 2020[9]).
The majority of the regulatory sandboxes that are now in use in the EU (Denmark, Hungary, Lithuania, Latvia and Malta) are hosted by an integrated national supervisor, encompassing the whole financial sector (e.g. banking, investment activities and services, insurance). The banking and capital markets supervisors in the Netherlands, which use a “twin peaks” model of financial supervision, collaborate to run the regulatory sandbox. In other countries with sectoral supervisors, one of the regulatory sandboxes planned is a combined operation by all sectoral supervisors (to the extent that this information is accessible, for example, Spain and Italy). With relation to innovation centres, sectoral restrictions show up more frequently, again mostly because of restrictions on the supervisor’s authority. In these situations, co‑operatively run innovation centres (like Belgium and the Netherlands) have claimed benefits in terms of automated information exchange, an effective method for responding to inquiries, and improved cross-sector issue monitoring. To reduce the danger of creating fragmented cross-sectoral practises, improved regulatory collaboration and methods for information sharing between sectoral regulators are required where such combined operation is not practicable (Parenti, 2020[9]).
It is essential that the eligibility criteria, regulatory sandbox parameters, supervision and oversight, and exit criteria are well-defined while at the same time allow some level of flexibility. A well-defined and flexible scope can ensure that the regulatory sandbox is able to support innovation while also ensuring the protection of consumers and the integrity of the financial system. Last but not least, it is important to bear in mind that the scope of a regulatory sandbox may change over time as the FinTech industry and regulatory environment evolve, and this is why some level of flexibility is important.
Participating institutions from the government should include but are not limited to the Supervisory and Regulatory Authorities. These institutions should consider a range of possibilities for the regulatory sandbox such as, allowing for the testing of new products and services in a controlled environment, identifying relevant regulation for certain activities, and facilitating the development of new technologies and business models.
The design of the regulatory sandbox for the Czech Republic should be guided by the principles of fostering innovation while ensuring financial stability and consumer protection. The scope of the regulatory sandbox should be clearly defined, taking into account the existing regulatory landscape, the competency of the relevant authorities, and the potential cross-sectoral impacts of new financial technologies.
The recommended scope for the Czech regulatory sandbox would be cross-sectoral with no restrictions as to the sector of activity, provided that these fall under the remit of the financial Authorities directly or indirectly. In this context, ‘indirectly’ refers to any financial activity that may not fall under the definition of an activity requiring a license from the Authorities but may still have an impact on the financial sector. Applicant firms must comply with the eligibility criteria provided below (Section 2.3.2).4
Furthermore, the regulatory sandbox could be a ‘standard’ regulatory sandbox in line with established sandboxes in the EU, and/or could be enhanced with data-sharing capabilities. The recommendation for the Czech regulatory sandbox is to commence with the establishment of the ‘standard’ regulatory sandbox and, to the extent feasible, enrich it with the provision of data-sharing when the conditions allow it. The conditions for this option will be based on (i) the availability of datasets and ability to make these available; (ii) the capacity of the authorities participating in the regulatory sandbox.
It could also be envisaged that a data sandbox could be established outside the Czech Authorities (and/or outsourced). FinTechs participating in such data sandbox could build data-driven models that would form part of a business model or service and which may not necessarily directly involve financial market activity. However, even in this alternative the Czech Authorities would likely need to participate, inter alia by means of providing data.
2.2.4. Underlying legal framework for the operation of the regulatory sandbox
Licensing of financial services, which should be followed for any licensing in the context of the regulatory sandbox
The general regulation that governs the character and course of administrative proceedings in the granting of a license is Act No. 500/2004 Coll., Code of Administrative Procedure, as amended. The procedure and requirements for obtaining a license for a specific type of financial service are laid down in specific sectoral laws.5 The details of the requirements, annexes, etc. are regulated by the relevant internal acts issued by the Authority to implement the respective laws.
Simplified license
There are certain cases in which Act No. 370/2017 Coll. on Payments (Act on Payments), as amended, which is implementing Payment Services Directive 2 (PSD2),6 gives a possibility to small-scale payment service providers and small-scale electronic money issuers to be exempted from obligation to have a full license.7 Instead, it is sufficient to apply for simplified small-scale payment service provider license according to the Section 59 of the Act on Payments and small-scale electronic money issuer license according to the Section 99 of the Act on Payments.
Limited licenses
In certain cases, it is in accordance with Czech law to attach certain restrictions or conditions to the issued license. This possibility is provided in Section 1 (8) of the Act No. 21/1992 Coll., on Banks, as amended, which states that a banking license “shall contain a nominal definition of the permitted activity and may contain a definition of the scope of the permitted activity, but not in the sense of a limitation on the number of individual business cases, and may also contain a determination of the conditions which a bank or a branch of a bank from a non-Member State must meet before commencing any permitted activity or comply with in the performance of any permitted activity.” It is important to note that the provision is in direct contradiction with the restricted authorisation principle as mentioned above in the report and therefore the recommended design of the regulatory sandbox is not based on the restricted authorisation principle.
The possibility to attach a restriction or requirement to the approval of a proposed acquisition is in line with European law in relation to licenses related to direct insurance other than life assurance. According to the judgement of the Court of Justice of the European Union on t25 June, 2015, in the case of CO Sociedad de Gestión y Participación SA and Others v De Nederlandsche Bank NV and Others, such restrictions or requirements are in line with the Directive 92/49/EEC on the co‑ordination of laws, regulations and administrative provisions relating to direct insurance other than life assurance and its articles 15, 15a and 15b.8
As per the exceptions provided for in MIFID II” in Article 2 (c). – transposed into Czech law in the Act No. 256/2004 Coll., Capital Market Business, as amended – “the provision of a principal investment service shall not require authorisation under this Act if the principal investment service is provided (..) by a person providing the main investment service only occasionally, in connection with the exercise of another professional or business activity, provided that there is another legal regulation or code of ethics governing such activities and that regulation provides for the provision of such principal investment service.” Thus, if participation in a regulatory sandbox would not be considered a continuous business activity within the meaning of the MIFID II, the persons defined above would not need to obtain authorisation/licensing.
In other areas, it is not possible to grant limited licenses in the Czech Republic under the current legal regulations. For the use of limited licenses within the regulatory sandbox, a new regulation special to the laws that regulate licenses in areas where it is in line with European legislation would be necessary. A similar approach was taken, for example, in the establishment of the Spanish regulatory sandbox (Banco de España, 2022[10]).
Recommended application of supervisory discretion and proportionality in accordance with EU principles
The study of the European Parliament on Regulatory Sandboxes and Innovation Hubs for FinTech notes that while respecting boundaries set by the EU harmonisation, Member States use the exercise of legally embedded levers of proportionality which allow supervisory discretion by considering certain factors, such as the risk profile, or the size, complexity and interconnectedness of the firms concerned (Parenti, 2020[9]). As mentioned above in Section 2.2.1 and 2.2.2, it is recommended that proportionality is applied to participants of the regulatory sandbox, as appropriate and on a case‑by-case basis, in accordance with EU applicable regulatory frameworks.
There are examples of the calls for proportional approach, for example Article 74(2) of Directive 2013/36/EU,9 which is addressed also in Guidelines on internal governance under Directive 2013/36/EU by the European Banking Agency (EBA, 2021[11]).
For example, the Supervisory Authority details general procedures for the exercise of individual discretion with examples of its discretion in relation to Regulation No. 575/2013 on prudential requirements for credit institutions and investment firms (Czech National Bank, n.d.[12]).10
For national rules regulating an area not covered by European rules, there is room for discretion only where these laws explicitly allow it. In this area, however, there is room for an internal discussion on the appropriate modification of the legislation for the purpose of establishing a regulatory sandbox. For example, the Czech National Bank has more opportunities to exercise discretion in relation to the general guidelines it has issued itself.11
Relevant stakeholders and their required engagement
The establishment of the Czech regulatory sandbox by the Czech Authorities will allow valuable knowledge exchange and meaningful benefits to be reaped for both the applicants and the Authorities. The Czech Authorities shall be the one choosing successful applicants (see Section 2.3.5).
The regulatory sandbox is also an opportunity to build on the good practice of stakeholders’ interaction and knowledge sharing through roundtables organised by the FinTech Contact. It is recommended to establish an Advisory Board, which could include representatives of the industry, the Czech National Bank, the Ministry of Finance of the Czech Republic, other representatives of state administration and academia to assess applicants’ requests to participate in the regulatory sandbox. In this way, the application of the eligibility criteria can be assessed from multiple perspectives of a diverse Advisory Board.
The authority operating the Czech regulatory sandbox should be able to co‑operate with administration agencies that have supervisory responsibilities concerning the participating or applying FinTechs, as far as that administration agency is not represented directly in the sandbox. This can build on the existing co‑operation channels between relevant agencies (OECD, 2022[13]).
As innovations are bound to be multifaceted, the list of partners should not be definite, but it is reasonable to engage in communication, namely with the Data Protection Agency and CzechInvest, which can share its recent experience of supporting new business models in its Technology Incubation project (Hořínek, 2022[14]).
Industry Associations can be vital partners in disseminating information on regulatory sandbox among its members and are a valuable source of feedback on the functionalities of the regulatory sandbox. Representatives could provide their expertise in the frame of the Advisory Board.
It is good practice to publish press releases and regular reports on activity of the regulatory sandbox. It is a suitable tool to transparently describe scale and level of the engagement of the Czech Authorities with involved actors, assessing the frequency and depth of the collaboration and consider adjustment of the design of the regulatory sandbox to ensure highest possible efficiency. It is also an opportunity to evaluate the number of applicants and participants of the regulatory sandbox.
2.2.5. Consumer protection and risk management
It is recommended that the Czech regulatory sandbox offers no alleviations to sandbox participants with regard to consumer protection measures stipulated by regulation and supervision and those standard rules apply, aligning with common practice in other regulatory sandboxes. Proportionality considerations are as well usually unapplicable to consumer protection measures. Moreover, there might be restrictions imposed to further protect consumers. Specific measures that can be taken in the regulatory sandbox to protect consumers are shown in Figure 2.4.
The ESA joint report suggests that compensation or redress measures accompany the regulatory sandbox should any detriment be suffered in the context of testing (ESMA, EBA and EIOPA, 2019[2]). This is a beneficial measure for consumers and if taken, will mean that less intense communication efforts to convey the associated risk of the test is needed. However, if firms bear all the risks, this could make the regulatory sandbox too expensive for small firms.
The FCA considered several compensation options before launching the first test cohort, with options ranging from no compensation offered and consumers knowingly consenting, to setting a condition for joining the regulatory sandbox that businesses undertake to compensate any losses (including investment losses) to customers and can demonstrate that they have the resources in place to cover such compensations. In the interim options, the FCA considered relying on the UK’s Financial Services Compensation Scheme (FSCS) that provides a broad compensation, covering claims in relation to deposits, investment business, home finance, insurance policies and insurance broking, provided by businesses authorised by the FCA and the Prudential Regulation Authority (PRA). However, the FCA, not wanting firms to bear the costs of paying fees to the Financial Ombudsman Service (FOS) and the FSCS decided to follow a case‑by-case basis framework of setting the disclosure, protection, and compensation appropriate to the testing activity (FCA, 2015[15]).
In contrast, Switzerland has limited safeguards for the regulatory sandbox participants that according to the local set up are not authorised while they operate as restricted services, and these firms are not covered by the compensation scheme (EBRD, 2019[7]). In Australia, the ASIC has set requirements for adequate compensation arrangements: a professional indemnity insurance policy with a minimum CAD 1 million limit for any one claim and aggregated claims; and requiring the business to take reasonable steps to obtain run-off cover for a period of 12 months.
Under EU regulation, payment service providers, electronic money institutions and payment account information administrators are required to provide an insurance contract or a comparable guarantee as a prerequisite for getting a licence for payment initiation or account information service provision. Because the proposed Czech regulatory sandbox will not offer regulatory waivers, the compensation and consumer protection measure set in each license type should provide the appropriate protection so that all consumers can be offered the product. If the regulator assesses that extraordinary risks are associated with a particular test, it can use a consumer suitability test and allow only sophisticated/accredited/non-retail consumers to participate. Alternatively, it can demand a clear consent of consumers to use the service, expressing agreement to the risks.
In many regulatory sandboxes risk identification and mitigation measures are included as part of the eligibility criteria (Bromberg, Godwin and Ramsay, 2017[16]). In cases where a restricted licence or a waiver is offered, businesses or individuals might seek to use their participation in a regulatory sandbox as a means of legitimising their unlicensed schemes. In EU member states, regulatory sandboxes where no exemptions from the authorisation process are offered to participants, there should not be additional layers of risk other than the ones addressed and monitored by the supervisor for all supervised activities. In the case of Australia, ASIC’s industry licensing exemption has attracted the objections of consumer groups.
Most regulatory sandbox arrangements do not require that applicants use a particular technology to be accepted to the sandbox. A regulatory sandbox is a technology neutral solution (EBRD, 2019[7]). However, as regulatory sandboxes are set up with the objective to test a product, service, or business model it is expected in application criteria that the level of development of the business model and the underlying technology is sufficiently advanced to begin the testing. The regulatory sandbox supervisory and guiding team relies most often on the staff of the financial supervisor. Industry and technology experts are usually not part of this team, if anything, they have a role in the selection phase to the testing environment. An innovation hub is a more appropriate venue than a regulatory sandbox for firms that are still struggling to find the technological solution for their product.
Access to data is one of the attributes to be considered in the design recommendations of this feasibility study. Indeed, a considerable part of Czech FinTechs use data and access to data has the potential to foster more innovation. However, financial data at customer or SME level (such as banking or transactional data) contains personally identifiable information and is subject to strict obligations under GDPR.
Providing access to public data, test data, anonymised data or synthetic data are the possible options to overcome issues of data security and privacy. The FCA has so far been the only regulatory sandbox to include micro level data, real and public, or synthetic for FinTechs to test on. FinTechs have expressed high demand for the data though it is not without drawbacks (see Section 1.4).
The FCA conducted legal analysis and concluded that there is not a sufficient legal basis for its regulatory sandbox to make large volumes of real personal data available for FinTechs. Further, the FCA has decided so far against using pseudonymised and anonymised data assessing that the privacy risk remains considerable. The FCA therefore chose to generate and make available synthetic data to their regulatory sandbox participants (FCA, 2021[17]).
When developing the framework for the EU Digital Finance Platform’s Data hub, it was considered to use companies’ credits, loans and balance sheet information available to the European Commission (EC). However, many members of the EFIF warned the EC that this information (particularly the loan and credit data sets) was highly confidential/sensitive and could not be shared with third parties due to legal reasons. For that reason, a preliminary stage in the development of the data hub became the synthetic data pilot in Spain (Dirección General de Estabilidad Financiera et al., 2022[18]).
Within the pilot environment, the FCA provided data that could be accessed either via an API or through an integrated Jupyter Notebook (enabling to process and analyse large volumes of data) (FCA, 2021[17]).
2.2.6. Legislative changes
The main benefits of the recommended design of the regulatory sandbox relate to strengthened co‑operation and increased level of assistance of the Czech Authorities to entrepreneurs in obtaining a licence, emphasis on the use of the current possibilities of proportional access and intensive exchange of knowledge. The proposed regulatory sandbox design could be launched within the framework of the current legislative framework and does not require a new law to be established, as it does not deviate from existing EU law and does not envisage the offering of any kind of waivers or exemptions. A proportional application of regulatory and supervisory requirements, as embedded in EU regulation, should be used appropriately and at the discretion of the Authorities.
If, after the first years of the operation of the regulatory sandbox, it is assessed that a beneficial option would be to use a restricted authorisation model or to introduce rule waivers, class waivers or no enforcement action letters, it would be necessary to enshrine such options in a legislative change. Equally, implications of the local legal framework of the Czech Republic (e.g. administrative law provisions and implications of public law for the implementation) are not being analysed in this report. Such legal advice can be obtained by the Czech Authorities from competent parties should they require such an assessment.
2.3. Recommended process flow and implementation guidance
The recommended process flow is illustrated in Figure 2.5, and the various stages are elaborated on in detail in the following subsections, including the recommended risk register, the application eligibility criteria, the authorisation model, the licensing procedure, and limits to the testing environment.
2.3.1. Recommended risk register
The operation of the regulatory sandbox should monitor whether a tested activity or service may result in the exacerbation of systematic or reputation risks or harm competition in the financial services sector. It is recommended that the sandbox keeps a risk register where the activity of participants is evaluated, and the following risks can be mitigated:
CGAP suggests that products and services that are tested in a regulatory sandbox may present additional risks that may be hard to assess before the innovation is fully launched in the market. These risks may include those stemming from features of the innovation and/or limited regulatory and supervisory capacity. Such a systematic risk can be prevented by well-designed regulatory requirements and adequate supervisory tools necessary for collecting and analysing the data generated or used by new technologies (Jenik and Lauer, 2017[19]).
Liability issues may arise in case of failed testing that results in harm to customers or other market participants in the case of regulatory sandboxes, which allow significant exceptions to the standard licensing regime. Such a situation would threaten the reputation of the regulator and trust of customers in the financial system. This risk is unapplicable with regard to the framework recommended for the Czech Republic, because no exceptions form the licensing regime are offered to FinTechs under this set of recommendations. Resolution and compensation measures for consumer are already in place with regard to licensed entities as per the standard applicable frameworks. On the Authority’s side, early termination is covered (see Section 2.3.7) if it realises that there is higher than expected risk to consumers or the financial sector stemming from the tested product/service or if fraud or any other similar shortcomings arise, in the same way that a license can be revoked under regular conditions.
Risks may also result from the lack of consumers’ understanding of a new product. Transparent communication of the specifics of the regulatory sandbox are needed to realistically adjust expectations.
Advice and support of the participant may be seen as a disruptor to the competition. Clear, not overly vague, selection criteria are providing transparency in order to avoid selection bias.
Possible limited capacity of regulator in terms of adequate resources of staff and funding may lead to following risk of poor selection of participants of the regulatory sandbox caused by the limited capacity of the regulator to assess the innovation. Moreover, overburdened staff which would be given extra duties in the frame of a regulatory sandbox instead of creating a new dedicated regulatory sandbox unit, there is a risk of insufficient capacity to address the main regulator’s responsibilities. Therefore, it is necessary to sufficiently assess the necessary number and skillset of dedicated personnel.
2.3.2. Eligibility criteria
The recommended criteria to be met by applicant firms wishing to be admitted to the Czech regulatory sandbox include (Table 2.3): The regulatory sandbox applicant offers an innovative financial product, service, business model or solution; the product brings benefits to users of financial services in the Czech Republic; the product is ready for market launch so that testing in a regulatory sandbox is feasible and safe; there is a specific need for testing of the product; the applicant is of good character; responsible management of personal data is ensured; the applicant commits to investor protection and compliance; and there is direct or indirect relevance to the Authority running the regulatory sandbox. It is recommended that participants in the regulatory sandbox hold the appropriate license for the regulated activity undertaken or are ready to apply for a license in order to have a license before the start of the testing phase, if the Authority deems that the activity falls within the perimeter of regulated financial activity.
In particular, the following eligibility criteria, which are based on good practice of the regulatory sandboxes of EU Member States, are recommended for the Czech regulatory sandbox in more detail:
The regulatory sandbox applicant offers an innovative product, service, or business strategy that makes use of novel or developing technologies to offer fresh or enhanced financial services in the Czech marketplace, including a new adaptation or material improvement of another financial product, service, business model or solution. A product, service, or business model that makes use of current technology in new or creative ways will also be referred to as an innovative financial product.
The product brings benefits to users of financial services in the Czech Republic and these benefits are identifiable e.g. it offers a different solution from other offerings on the Czech financial market, an enhancement of an existing product, service, business model or solution, a more inclusive business model or a solution that increases the efficiency of financial institutions or markets, etc.
The product is ready for market launch so that testing in a regulatory sandbox is feasible and safe if the applicant has a clear idea of what it expects from its participation in the regulatory sandbox (applicant is capable to specify a concrete testing target) and the company has sufficient staff and financial resources and capacity to ensure its operations and the provision of the relevant financial service. It includes readiness to handle testing technically (the product has appropriate and sufficiently robust and resilient ICT infrastructure and mechanisms for data security and against cyber-attacks), deal with risks that may arise during testing (i.e. analyse these potential risks in advance and prepare mitigation measures), and – importantly – readiness of the company to meet regulatory requirements. The latter means that the company is either a licensed company or ready to apply for a license in order to have a license before the start of the testing phase, if the license is deemed necessary according to the Czech Authorities. In case the Authorities deem that a license is not necessary, the Czech Authorities have the discretion to allow the company to perform the testing or not.
There is a specific need for testing of the product for example in case that there is an existing controversy or ambiguity about applicable law that would otherwise prevent the standard launch of the product or a there is a need to test the product in a limited form before it is fully launched.
The criterion of good character is demonstrated by clean criminal record of the applicant.
Responsible management of personal data is likely to be ensured if the Data Protection Authority does not identify high level of risk of unlawful processing of personal data or unlawful interference with the rights and freedoms of data subjects during the testing.
Commitment to investor protection and compliance can be demonstrated by mitigation mechanisms incorporated in the business plan.
The activity is directly or indirectly covered by the financial legislation.
The business model is relevant to the Authority running the regulatory sandbox.
Table 2.3. Recommended eligibility criteria for the Czech regulatory sandbox
Eligibility criteria |
To be accepted |
Not to be accepted |
---|---|---|
The regulatory sandbox applicant offers an innovative financial product, service, business model or solution |
The applicant adequately explains how their good, service, or business strategy that makes use of novel or developing technologies to offer fresh or enhanced financial services is considered to be new and original in the Czech marketplace, including a new adaptation or material improvement of another financial product, service, business model or solution. A product, service, or business model that makes use of current technology in new or creative ways will also be referred to as an innovative financial product. |
The applicant will not be accepted with the financial product, service, business model or solution that are offered in the Czech Republic by other companies and does not offer any enhancement or does not makes use of current technology in new or creative way |
The product brings benefits to users of financial services in the Czech Republic |
The innovation may bring clearly identifiable positive impacts on its users such as direct impact (cheaper offers, greater variety of offers, accessibility) or indirect impacts (solutions increasing efficiency and reducing back-office costs). |
The innovation does not seem to bring clearly identifiable positive impacts on its users. |
The product is ready for market launch so that testing in a regulatory sandbox is feasible and safe |
Technological readiness: Technology Readiness Levels (TRLs) are a method for understanding the technical maturity of a technology.1 The applicant shall be able to reach at least TRL 4. |
Technological readiness: The applicant does not reach at least TRL 4. |
The applicant must provide a sound and viable business plan. |
The applicant does not have a clear idea on business case of its innovation. |
|
The applicant ready to start the licensing procedure within reasonable time upon consultation with Czech Authorities, in case it is deemed that a license is necessary for proposed innovation. |
The applicant is not ready for the licensing procedure, and it needs more time to be ready for consultation with Czech Authorities in order to be able to submit relevant application for an authorisation. |
|
There is a specific need for testing of the product |
The applicant analysed relevant legislation and their innovation raises questions about the correct application of relevant legislation. The applicant shall list their expectation from testing their financial product or service and plans to exit the regulatory sandbox. |
The application did not do legal analyses related to the innovation and/or regulation does not raise major questions. The applicant is not able to identify benefits of the testing for their innovation. |
The applicant is of a good character |
The applicant has a clean criminal record. |
The applicant does not have a clean criminal record. |
Responsible management of personal data |
The applicant is ready to demonstrate their mechanism to ensure responsible management of personal data in line with the respective legislation. |
The applicant does not have mechanisms to ensure responsible management of personal data in line with the respective legislation in place. |
Commitment to investor/consumer protection and compliance |
The applicant can outline their plan on investor/consumer protection and has sufficient financial and human resources that enable them to act on it during the testing. |
The applicant is not able to outline their plan on investor/consumer protection and/or does not have sufficient financial and human resources to be able to act on it during the testing. |
The activity is directly or indirectly covered by the financial legislation |
The innovation involves a financial service or product. The financial regulation covers the activity. |
The innovation is not a financial service or product. The financial regulation does not cover the activity. |
Table 2.4. Eligibility criteria in regulatory sandboxes established in EU countries
Eligibility criteria: |
Eligibility criteria in regulatory sandboxes of following countries: |
---|---|
The regulatory sandbox applicant offers an innovative financial product, service, business model or solution |
DK, HU, LT, LV, NL, MT BG, CY, EE, EL, ES, HR, IE, PT, RO, SK, AT |
The product brings benefits to users of financial services in domestic market |
DK, HU, LT, LV, NL, MT BG, EE, EL, ES, HR, PT, SK |
The product is ready for market launch so that testing in a regulatory sandbox is feasible and safe |
Test readiness: DK, HU, LT, NL, MT ES, IE, PT, SK, AT |
There is a specific need for testing of the product |
Risk mitigation: NL, EE, EL, AT |
The applicant is of good character |
DK, LT, NL, MT BG, HR, PT, SK |
Responsible management of personal data |
SK |
Commitment to investor protection and compliance |
There are a number of regulatory sandboxes focused solely on data protection. |
The activity is directly or indirectly covered by the financial legislation |
CY, EL |
Source: Based on the European Parliament (2020[9]), Regulatory Sandboxes and Innovation Hubs for FinTech, https://www.europarl.europa.eu/RegData/etudes/STUD/2020/652752/IPOL_STU(2020)652752_EN.pdf.Source: Based on Regulatory Sandboxes and Innovation Hubs for FinTech and updated; https://www.europarl.europa.eu/RegData/etudes/STUD/2020/652752/IPOL_STU(2020)652752_EN.pdf
The above recommended eligibility criteria have been formed taking into account the experience of other EU countries and the specific characteristics of the Czech FinTech ecosystem.
Technological readiness
For regulatory sandboxes to be effective, it is essential that the technology used to track and observe stakeholder participants is robust, reliable and up-to-date. In the design of a regulatory sandbox for the Czech Republic, technology readiness is an important consideration (.
Figure 2.6). It is recommended that firms that become eligible for participation in the Czech regulatory sandbox have a Technology Readiness Levels of at least TRL 4, so that there is a proof of concept tested in a lab setting.12
Technology Readiness Levels (TRLs) are widely used in the technology industry to help management make informed decisions on the advancement and deployment of technology. TRLs offer several benefits when used in the design of a regulatory sandbox. Firstly, they provide a common understanding of the state of technology, allowing stakeholders to assess the maturity and readiness of a particular financial innovation. Secondly, they help in managing risks by providing a clear understanding of the technology’s development journey and its potential for successful deployment. In the third place, the regulator should take into account the technology’s stability and scalability. These evaluations are required to establish a strong foundation and guarantee the success of the testing procedure. Israel, for example, requires a TRL6 in its regulatory sandbox (Israel Innovation Authority, n.d.[20]).
There are, however, some limitations in the usefulness of TRLs. For example, there is no direct correlation between the readiness and the appropriateness or technological development of a product. The regulator has to take into account the compliance with current systems and regulations, and validate the ethical dimension of the technology (see Table 2.5).
Table 2.5. EU Definitions of technology readiness levels
Technology Readiness Level (EU) |
Definition |
---|---|
TRL1 |
Basic principles observed |
TRL2 |
Technology concept formulated |
TRL3 |
Experimental proof of concept |
TRL4 |
Technology validated in lab |
TRL5 |
Technology validated in relevant environment (industrially relevant environment in the case of key enabling technologies) |
TRL6 |
Technology demonstrated in relevant environment |
TRL7 |
System prototype demonstration in operational environment |
TRL8 |
System complete and qualified |
TRL9 |
Actual system proven in operational environment (competitive manufacturing in the case of key enabling technologies) |
Source: Extract from Part 19 of the Commission Decision C(2014)4995 from the European Commission (2020[21]), Technology readiness levels (TRL), https://ec.europa.eu/research/participants/data/ref/h2020/wp/2014_2015/annexes/h2020-wp1415-annex-g-trl_en.pdf.
One of the key elements of technology readiness in a regulatory sandbox is the ability to accurately track and observe the participants, including the ability to identify and verify the identity of the participating FinTech companies and their customers, as well as the ability to monitor and record the transactions and activities that take place within the regulatory sandbox. It is necessary the use of robust and reliable technology, such as blockchain and artificial intelligence, which can ensure that data is securely and accurately recorded and can be easily accessed by the regulator.
Another important aspect of technology readiness in a regulatory sandbox is the ability to ensure that the technology used is up-to-date. In order to do this, the technology used in the regulatory sandbox must be continuously tested and monitored so as to spot and fix any problems that may occur. To make sure the technology is appropriate for the task at hand, it might be necessary to use simulations and involve the participation of experts in the field.
In the third place, a critical aspect of technology readiness is the ability to ensure that the data collected is protected and secure. This is especially important in the Czech Republic, where data protection laws are strong and regulations are strict. To ensure compliance, it is essential to implement robust data security measures, such as encryption and multi-factor authentication, to protect the data collected from unauthorised access or breaches.
When it comes to the leadership of the implementation of the regulatory sandbox, it is important that the responsible entity is well equipped to handle the complex technical and regulatory issues that may arise. The responsible entity could be a dedicated unit within the financial regulator or a separate body with a mandate to oversee the regulatory sandbox. It should have the necessary resources and expertise to oversee the operation of the regulatory sandbox, monitor the progress of the participants, and provide guidance on regulatory issues. Additionally, close collaboration with international regulatory bodies and other regulatory sandbox initiatives in other countries should be established to exchange information and best practices.
2.3.3. Licensing procedure
It is recommended that, as in other EU member countries, the Czech regulatory sandbox does not waive licensing requirements or requirements under the national or EU legislation, and does not offer any alleviation to sandbox participants that cannot be granted as part of the normal authorisation process. To the extent that an applicant is pursuing an activity that requires authorisation, it will be subject to the same supervisory framework as applies to authorised firms in general. A license should be obtained before applying to the regulatory sandbox or it can be obtained at the application stage. In case that during the preparatory phase, the Czech Authorities assesses that the innovation of the applicant does not need the license, it can decide that the testing in the regulatory sandbox would nevertheless be beneficial and prepare the testing plan for the testing phase.
The UK allows a license to be obtained after admission to the regulatory sandbox but prior to commencement of the test as well. The supervisor may assist in the application, and often that is the case. If the firm has been accepted to the regulatory sandbox than that means that the supervisor has recognised that it offers a true innovative product and has the potential to contribute to consumer benefit, then this makes for the rationalisation of assisting the firm to receive authorisation. In fact, firms tend to see, often mistakenly, that the regulatory sandbox is a faster track to authorisation. If the supervisor plans to increase the supervisory resources, it allocates to the regulatory sandbox compared with the regular authorisation track than perhaps a faster process might be achieved. Regardless of the timeframe, all regulatory rules will continue to apply. The use of proportionality as discussed in Section 2.2.1 is the only leeway available to the supervisor in terms of the requirements from the firm to receive the license.
An alternative situation might be where the Czech Authorities are not sure whether the activity sought by the applicant fits within one of the existing license regimes. In this case there is much potential added value for the supervisor if this firm is accepted into the test, because it will give the Czech Authorities an opportunity to get a better understanding of the business model. In the end of the test phase, the Czech Authorities might have a clearer understanding of how the law applies to this activity, and whether a license is appropriate. Often, FinTechs seek authorisation as they see this as a way to legitimise their business and prefer to have a license even when they might not necessary require one by law. In particular in this group, we should consider firms where a legislation is underway, whether at the EU or national level and a firm that might soon be opt for authorisation is applying (for example the upcoming Markets in Crypto-Assets (MiCA) Regulation).
A possible type of applicants might be partnerships between established companies and third-party FinTechs. The licensed incumbent might seek such participation to avert the risk of pursuing an activity which is outside of its current license scope. If funding or data are also offered for participants, this will increase the attractiveness for incumbents. For the supervisor, the authorised incumbent will need to bear any regulatory requirements, but as it is already accustomed with supervision, it will already have most or all safeguards in place. In the FCA regulatory sandboxes such partnerships have participated, whereas in Austria so far there have not been applications of this form. In the first two cohorts of the FCA regulatory sandbox, partnerships between large firms and start-ups have proven to be successful for both parties, particularly for giving the start-up access to a larger pool of existing customers to test with (FCA, 2017[22]). FinTechs are also able to leverage the resources, experience, and knowledge of the large firm. Before launching their digital sandbox, 56% of participants stated they intended to collaborate with at least one other team in the cohort. Participants stated that the adjacent nature of their solutions meant there would be valuable learning opportunities and the potential for partnerships (FCA, 2021[17]). In Israel such co‑operation is encouraged and several incumbents have made public on the test website what is the problem they are looking for a technological solution to. The co‑operation might thus arise within the test framework, with the regulatory sandbox offering the motivation for both parts.
2.3.4. Application
To the extent possible, it is recommended that application be performed in a digital manner with as much of the documents having a predefined structure.
The following information has been identified as common in the application and appropriate for the objectives of the Czech regulatory sandbox:
a. Contact and identification details
b. License status, regulatory requirements, regulatory gaps
c. The business plan, description of the product, management competence, potential customer segment, firm financial capabilities, market competitors, potential for expansion abroad, market entry boundaries, expected market impact, what is the innovation
d. The need to enter the test
e. The outline of the test, including measurable milestones during the testing (technological and business)
f. Intellectual property aspects related to the tested product or service
g. a description of the key risks of the proposed test (to both consumers and the Applicant’s business) and how the Applicant intends to mitigate these
h. Underlying technology, development level
i. An exit plan
j. An outline of the applicant’s next steps if the test is successful.
2.3.5. Authorisation model for assessment
It is recommended that participants in the Czech regulatory sandbox be preselected by a special Advisory Board that will provide a non-binding opinion. This will then be validated or rejected by the Czech Authorities, not applying to the CNB, as the CNB has no legal basis to issue such a decision. The Advisory Board could for example comprise of representatives of the industry, academia, the Czech National Bank, the Ministry of Finance of the Czech Republic, Ministry of Industry and Trade, CzechInvest and Data Protection Agency. It would give a chance to consider multiple angles in relation to the eligibility criteria. It is reasonable to ensure diversity of the Advisory Board to maximise the positive effect of exchange of views and experience in relation to assessed business models. The CNB and the MFCR can provide their expertise in the context of the Advisory Board.
The exact design of the functioning of the Advisory Board should be chosen on the basis of a discussion between the regulatory sandbox implementer and the potential members to best reflect their specific ideas of involvement and capacity to ensure the effective functioning of the Advisory Board.
2.3.6. Preparatory phase
After the application has been evaluated and the applicant has been selected, the applicant is notified and allocated to the contact person in the regulatory sandbox. The selection is followed by the preparatory phase, during which the contact person prepares a testing plan together with the applicant. This plan determines how the testing will be carried out and the participant commits to its performance in the testing plan. The testing plan may include the length and rules of the testing, any restrictions, such as a maximum number of customers to be served, safeguards to protect users of the innovative financial service (e.g. the obligation to inform the user that the product is currently being tested in a regulatory sandbox, the obligation to obtain informed consent from the user, or the obligation to provide evidence of insurance to cover any potential damages the user may incur). The testing plan may specify a level of proportionality which the Czech Authorities may decide to exercise (supervisory discretion by considering certain factors, such as the risk profile, or the size, complexity and interconnectedness of the firms concerned) (Parenti, 2020[9]). The testing shall focus on the compliance of the financial innovation with the relevant regulation (i.e. regulatory aspects of innovative financial services, such as the adequacy of the existing regulation), the existence of any unexpected risks (which would be eliminated after their identification by the Czech Authorities) and the practical implementation of the financial innovation on the market (i.e. whether the product is in demand among users, whether the business model is well set up etc.). The test plan clarifies the expectations of the actors, it is for consideration whether there is a sufficient basis to make it legally binding. Testing on the basis of such a test plan is beneficial for both Authorities, who have the opportunity to learn from close observation of a potentially interesting innovation, and innovators, who have the opportunity to discuss their business model with Authorities and ensure its maximum compliance with relevant regulations.
2.3.7. Exit procedures: early and planned
It is recommended that firms applying to the Czech regulatory sandbox should produce an exit plan, accepted by the Authorities that would allow the orderly termination of the test at any point in time. Upon termination, a report by the firm should be submitted analysing the results and the experience in the regulatory sandbox. Early termination should remain an option both for the participating firms and the Authorities. For the firm such option should be available in case the business model turns-out as insufficient, and for the Authorities, if it comes to the conclusion that the activity poses any risk to financial stability or higher than expected risk to consumers, in the same way that a license can be revoked under regular conditions.
ESA proscribes that regulatory sandbox-participating firms should be required to develop plans to provide for a controlled exit from regulatory sandboxes, including to ensure an appropriate degree of protection for consumers, with either the continuation or discontinuation of the test propositions (ESMA, EBA and EIOPA, 2019[2]). The UK, Singapore and Hong Kong require regulatory sandbox participants to develop an exit plan to ensure the test can be terminated at any time with minimal damage to consumers (EBRD, 2019[7]). In the Netherlands, authorised financial institutions may be required to draw up an exit strategy envisaging an orderly market exit when entering the regulatory sandbox. For new market entrants (entity without (the correct) authorisation) it is required to provide an exit plan. The components of the exit plan should include, among others: triggers for exit; exit procedures; essential functions that will need to continue; communications plan; describe how ongoing customer relationships will be wound up. In Lithuania applicants need to show an activity termination plan which is to be applied if, following the exit from the regulatory sandbox, service provision will be terminated. In addition, FinTech applicants need to describe the actions to be taken after a successful exit from the regulatory sandbox to further develop the tested financial innovation.
Further, in frameworks where a waiver or a restricted licence is offered to participants, the termination of the testing phase usually implies that the testing firm cannot continue operating under this regime anymore and a full license, if applicable, is required (Australia). If the firm complies with the full license requirements it can broad the scope of the offered services.
Upon exit or termination of the test, authorities often request the participating firms to draw and submit a summarising report. In the UK, the report should include the lessons learned from the test, and how any deficiencies are to be dealt with. The report will include the description of the test and its main attributes, results and next steps for the business. The FCA also asks for participants feedback regarding their experience within the FCA regulatory sandbox and often publishes an analysis report for different cohorts of the regulatory sandbox, in particular if major changes were introduced to the framework, such as adding access to data. Good level of record keeping might be useful for an efficient analysis of the test. It is possible to consider requiring firms to submit interim reports for this purpose. In Israel, due to the financial support provided to the test, the IIA will conduct a financial and technological audit, at the end of which a final accounting will be carried out.
Early exit is usually available in reviewed sandboxes (see Annex D). In particular, this option is allowed in cases where the firm realises there is no consumer uptake. On the Authority’s side, early termination might be needed if it realises that there is higher than expected risk to consumers or the financial sector stemming from the tested product/service or if fraud or any other similar shortcomings arise, in the same way that a license can be revoked under regular conditions. The Bank of Lithuania mentions in addition that admission to its regulatory sandbox may be revoked if during its participation in the regulatory sandbox the participant fails to meet the testing conditions indicated in the testing plan (The Bank of Lithuania, 2018[23]).
2.3.8. Recommended timelines
The willingness of policy makers and supervisors to establish testing environment goes hand in hand with the recognition that supervision and authorisation process are often perceived by FinTechs as a barrier for growth. FinTechs operate in a competitive environment over funding, that can be of scarce supply, and due to their small and young nature, do not usually enjoy much internal disposable funding. Their effort is concentrated on completing as quick as possible the development and deployment of their product (time‑to-market) to attract more funding. Bearing this objective in mind, it is recommended as a prerequisite for the Czech regulatory sandbox in order to attract demand by FinTechs, that the application and authorisation timelines be attractive.
As for the testing phase, the timeframes vary from 6 to 24 months. In the Netherlands, Hong Kong and Singapore testing timeframe is determined on a case‑by-case basis (EBRD, 2019[7]). Time frame can usually be extended following a request by the firm. Alternatively, the competent authority has the power to terminate a test, or a firm may stop the testing through an orderly exit.
The main stages of the testing process that require setting a timeline are the following:
a. The application stage – is application to the regulatory sandbox continuously available or are there specific predefined and restricted time intervals throughout the year when firms can apply.
b. The time from the end of the application period until a decision on participation is communicated to the firm. As recommended, there will be a continuous option to apply for the regulatory sandbox, the time limits for this stage will depend on the frequency of gathering of the advisory board. We suggest the time for this stage not to exceed 90 days.
c. The consecutive stage is to allow the authority and the firm to construct a detailed testing plan. We propose 60 days for this phase. If the company is not already licensed and during the construction of the testing plan the Czech Authorities advises the company to apply for a specific license, this stage, including the licensing procedure will be determined by the administrative rules.
d. The testing phase itself when the firm is offering its products to customers, as applicable. We propose 12 months as is frequent in other regulatory sandboxes, with options both for an early exit and an extension.
e. The ending phase where usually the firm is required to draft and submit a report analysing the results of the test, and for the regulator to inform the firm of any restrictions that may be lifted, or imposed, to receive a full license, if applicable. We propose 60 days for this phase.
2.3.9. Measurement of performance
Regulators should have a clear understanding of how success will be measured in the regulatory sandbox. This can be achieved by identifying Key Performance Indicators (KPIs) and using feedback loops to continuously improve the supervisory approach. It is advisable for regulators to focus on principles-based regulation rather than rules-based regulation, as this will allow them to regulate the activity rather than the entity. Additionally, effective communication with the market is crucial. Some regulators have established dedicated webpages as regulatory sandbox portals to increase awareness, share relevant documents, and provide information to companies (World Bank, 2020[24]). The recommended set of KPIs for the Czech regulatory sandbox are presented in Figure 2.7.
Having KPIs for monitoring a regulatory sandbox for FinTechs is essential in measuring the success of the sandbox, as it helps to determine if the sandbox is meeting its objectives. By selecting the right KPIs, regulators can effectively track progress, measure success, and make necessary adjustments to their regulatory approach. The KPIs selected for a regulatory sandbox should depend on the objectives of the regulatory sandbox. Possible categories of KPIs include people and skills, corporate finance, compliance and risk, competition, financial inclusion, and innovation and data management, provide a comprehensive picture of the impact of the regulatory sandbox. For instance, measuring the number of jobs created and the amount of money raised by FinTechs in the regulatory sandbox can help assess the contribution of the sandbox to facilitating and speeding up the deployment of innovation, and attracting FinTechs locally and globally. The number of registered users and of firms created can measure the regulatory sandbox’s impact on competition and adoption of new technologies, while the percentage and characteristics of the population reached can provide insight into the sandbox’s contribution to financial inclusion. Finally, the number of products available and the number of datasets available can demonstrate the regulatory sandbox’s success in fostering innovation and effective data management. These KPIs provide a comprehensive picture of the regulatory sandbox’s impact on various stakeholders and help regulators determine if the sandbox is meeting its objectives.
2.4. Communication strategy
A clear and effective communication strategy is essential for the success of a regulatory sandbox for FinTechs. The communication plan should outline the methods and channels to be used to interact with different stakeholders such as FinTech companies, regulators, and consumers. The communication strategy for the Czech Regulatory Sandbox should aim to build trust and transparency between all stakeholders, foster collaboration and co‑operation, and ensure that the goals of the regulatory sandbox are clearly communicated and understood by all.
The recommended communication strategy for the Czech regulatory sandbox should include various layers to ensure effective communication with interested parties (see Figure 2.8). The strategy could be built on the established contact point which has already channels and experience in providing assistance, answering questions, and offering support to FinTechs. A dedicated website is recommended to be established to disseminate information about the regulatory sandbox, including scope and objectives, rules and eligibility criteria, updates and news, and possibly the answers to questions submitted by interested firms for guidance of others. A dedicated email address or mailbox is recommended to also be created to handle inquiries and questions from the participants, the public, and other stakeholders. Additional tools to be considered include newsletters that can be sent periodically to subscribers and interested parties to provide updates and promote awareness of the regulatory sandbox. A framework for communication and sharing between regulatory sandbox participants is recommended, such as a chatroom. Finally, a regulatory sandbox manual is recommended to be created to provide clear guidance and instructions on the regulatory sandbox’s procedures, policies, scope and objectives. This manual can help streamline the application process and ensure that participants are aware of their obligations and responsibilities while participating in the regulatory sandbox.
For FinTech companies, the communication strategy should provide clear and consistent information on the regulatory sandbox’s goals, requirements, processes and limits (in particular that no exemptions or waivers are provided). Regular updates on the status of their application and clear instructions on how to participate in the regulatory sandbox should be communicated. Ensuring this helps to minimise confusion and guarantees that the FinTech companies are equipped with the information they need to be successful in the regulatory sandbox.
The communication strategy should also include the means by which the relevant regulators, those that have responsibilities concerning financial service providers (see OECD (2022[13])), will communicate with each other and with other stakeholders such as industry associations and consumer groups, for example to inform them of participating firms or of exit of firms from the testing phase, or if any issues concerning consumer protection and a participating firm have arisen. It is generally agreed that a website (regularly maintained) is a suitable strategy. This will ensure that all parties are aware of any updates or changes to the requirements of the regulatory sandbox, timelines, forms etc.
In the third place, the communication strategy should consider the ways in which the results of the regulatory sandbox will be communicated to the wider public. This may include regular reports on the progress of the regulatory sandbox and its impact on the FinTech industry, as well as highlighting success stories and best practices.
When designing the communication strategy for a regulatory sandbox for FinTechs in the Czech Republic, it is important to consider ways to reduce the application and evaluation process time. This can be achieved by expanding communication channels and encouraging participants to discuss their applications through various means such as email, video conferencing, face‑to-face meetings, or establishing direct contact with specific divisions’ representatives. However, such facilitating measures during the application phase could not be made available by the CNB, which currently cannot commit to provide this capacity. In addition to this, efforts should be made to simplify and reduce the paperwork involved in the application and inspection process. To facilitate this, the creation of a dedicated website can be considered. The website can provide clear and concise information on the application process, evaluation criteria, and contact information for relevant departments. This would not only reduce the administrative burden on applicants but also provide a central location for stakeholders to access information and keep up-to-date with the latest developments.
Occasionally, entrepreneurs lack the necessary legal expertise to understand how the financial operations or new product they intend to develop are regulated and supervised. In this situation, the relevant authority should strongly consider devoting additional capacity to advising and communicating due to the absence of a thorough grasp of financial legislation (APEC Economic Committee, 2021[25]).
The objectives of the communication strategy are illustrated in Figure 2.9. A clear and effective communication strategy can help build trust and confidence in the regulatory sandbox, encourage participation and promote the benefits of innovation in the financial sector. The communication strategy serves to inform and engage different stakeholders in the regulatory sandbox, including FinTech companies, investors, regulators, and the general public. For FinTech companies, the communication strategy should focus on providing clear and transparent information on the paperwork, application, entrance, and exit requirements. For other stakeholders, the strategy should highlight the purpose, advances, and challenges of the regulatory sandbox, including the potential impact on the financial industry. The general public should be informed of the purpose and expected impacts of the regulatory sandbox, as well as the measures in place to protect consumers.
Relevant authorities should comprehensively explain basic characteristics of the regulatory sandbox on their website and other communication channels and link to the web page of the regulatory sandbox, promote the information of the establishment of the regulatory sandbox and share excerpts from public updates on regulatory sandbox activities prepared by the Czech Authorities. It is recommended that participants should sufficiently familiarise themselves with regulatory sandbox rules prior to applying for participation in the sandbox. Participants should also actively engage with the Czech Authorities and respond timely in order to use the testing phase efficiently.
2.5. Action plan for the implementation of the regulatory sandbox
Table 2.6. Proposed timeline for the implementation of a regulatory sandbox
Task |
Actor |
Timeline |
|
---|---|---|---|
1 |
Pre‑application Phase |
3‑5 months |
|
Communication strategy: set up the various layers of communication regarding the regulatory sandbox including establishing a dedicated website and email address, a regulatory sandbox manual, and various additional tools |
Czech Authorities |
30‑45 days |
|
Application portal: develop an application portal consistent with all criteria to be reviewed initially by the Advisory Board and later validated by the Authorities |
Czech Authorities |
30‑45 days |
|
Establish the Advisory Board: set up an Advisory Board for applicant pre‑selection comprising of representatives of industry, academia, relevant ministries and authorities |
Czech Authorities |
30‑60 days |
|
2 |
Application Phase |
Ongoing |
|
Publicly launch regulatory sandbox: launch elements of the communication plan and announce application portal opening with regular updating of the communication materials |
Czech Authorities |
1‑2 days of launch |
|
Application assessment by Advisory Board: the application portal is recommended to be continuously open, and applications are to be gathered by the Advisory Board every 90 days (max.) |
Advisory Board |
≤ 90 days |
|
3 |
Review Phase |
≤ 3 months |
|
Application review by Advisory Board and the Czech Authorities: applicants are to be preselected by the Advisory Board and validated or rejected by the Czech Authorities in 90 days intervals (max.) |
Advisory Board, the Czech Authorities |
≤ 90 days |
|
Deliver outcome to applicants: applicants will be notified whether their application is successful, incomplete, or rejected |
Czech Authorities |
1‑2 days post review |
|
Contact successful applicants: successful applicants are to be contacted and made aware of next steps and assigned to the relevant contact person |
Czech Authorities |
1‑2 days post acceptance |
|
4 |
Testing Phase |
13 months |
|
Preparation of testing plan: over the following 60 days, the successful applicant together with the contact person prepare a testing plan that the sandbox participant must comply with. If the company is not already licensed and during the construction of the testing plan the Czech Authorities advises the company to apply for a specific license, this stage, including the licensing procedure will be determined by the administrative rules. |
Czech Authorities, CNB |
60 days, or until license is granted |
|
Assess proposed testing plan: the testing plan is to be reviewed by the Authorities |
Czech Authorities |
on a case‑by-case |
|
Implement testing plan: implementation logistics will vary on a case‑by-case basis and testing timelines are proposed to be 12 months |
Czech Authorities |
12 months |
|
Conduct checkpoint meetings and reviews: the participant and the contact point are to be in regular contact on the progress of the testing environment |
Czech Authorities |
Ongoing |
|
5 |
Exit and Review |
3 months |
|
Approve exit in case of early termination: the exit plan produced in the application phase will be reviewed by the Authorities in case early termination is requested |
Czech Authorities |
30 days |
|
Review and discussion of exit report submitted by the firm: the firm is to produce a report analysing the results of the regulatory sandbox testing experience |
Czech Authorities |
30 days |
|
Collect and document lessons learned: lessons learned from the sandbox experience can be gathered through interviews of participants, analysis of reports, etc |
Czech Authorities |
30 days |
References
[25] APEC Economic Committee (2021), “FinTech Regulatory Sandboxes Capacity Building Summary Report”, Asia-Pacific Economic Cooperation Secretariat, http://www.cbr.ru (accessed on 20 March 2023).
[4] APIX (2023), Sandbox | Collaborative Integrated Development Environment (IDE), APIX, https://apixplatform.com/sandbox (accessed on 11 May 2023).
[10] Banco de España (2022), Controlled testing space (sandbox), Banco de España, https://www.bde.es/wbe/en/entidades-profesionales/operativa-gestiones/autorizaciones-acreditaciones/facilitadores-innovacion/espacio-controlado-pruebas-sandbox.html (accessed on 5 May 2023).
[16] Bromberg, L., A. Godwin and I. Ramsay (2017), “Fintech sandboxes: Achieving a balance between regulation and innovation”, Journal of Banking and Finance Law and Practice, Vol. 28/4, pp. 314-336.
[12] Czech National Bank (n.d.), Uplatňování individuálních diskrecí orgánem dohledu, https://www.cnb.cz/cs/legislativa/vykon-cinnosti-a-obezretnostni-pravidla/uplatnovani-individualnich-diskreci-organem-dohledu/ (accessed on 29 March 2023).
[6] Deloitte (2017), Regulatory Sandbox - Making India a Global Fintech Hub.
[18] Dirección General de Estabilidad Financiera, I. et al. (2022), Synthetic data pilot with Banco de España, Findings and recommendations, FISMA, https://www.cde.ual.es/ficha/synthetic-data-pilot-with-banco-de-espana-findings-and-recommendations/ (accessed on 5 May 2023).
[11] EBA (2021), Final Report on Guidelines on internal governance under Directive 2013/36/EU, EBA, https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2021/1016721/Final%20report%20on%20Guidelines%20on%20internal%20governance%20under%20CRD.pdf (accessed on 29 March 2023).
[7] EBRD (2019), Poland: Feasibility study on innovative technological solutions in the Polish financial markets including building a Regulatory Sandbox, ERBD, https://www.ebrd.com/work-with-us/projects/tcpsd/poland-feasibility-study-on-innovative-technological-solutions-in-the-polish-financial-markets-including-building-a-regulatory-sandbox.html (accessed on 2 May 2023).
[2] ESMA, EBA and EIOPA (2019), FinTech: Regulatory sandboxes and innovation hubs, https://ec.europa.eu/info/publications/180308-action-plan-fintech_en (accessed on 5 May 2023).
[8] ESMA, EBA and EIOPA (2018), FinTech: Regulatory sandboxes and innovation hubs, https://ec.europa.eu/info/publications/180308-action-plan-fintech_en (accessed on 29 August 2022).
[21] European Commission (2020), Technology readiness levels (TRL), https://ec.europa.eu/research/participants/data/ref/h2020/wp/2014_2015/annexes/h2020-wp1415-annex-g-trl_en.pdf (accessed on 11 May 2023).
[17] FCA (2021), Supporting innovation in financial services: the digital sandbox pilot, https://www.fca.org.uk/publication/corporate/digital-sandbox-joint-report.pdf (accessed on 20 March 2023).
[22] FCA (2017), Regulatory sandbox lessons learned report, FCA, https://www.fca.org.uk/publication/research-and-data/regulatory-sandbox-lessons-learned-report.pdf (accessed on 5 May 2023).
[15] FCA (2015), Regulatory sandbox, FCA.
[3] Government of Singapore (2022), Monetary Authority of Singapore (MAS) APIs - Streamlining of Financial Applications through Data | Singapore Government Developer Portal, Government of Singapore, https://www.developer.tech.gov.sg/products/categories/data-and-apis/mas-apis/overview.html (accessed on 11 May 2023).
[14] Hořínek, D. (2022), CzechInvest seeks innovative startups for Technology Incubation, CzechInvest, https://www.czechinvest.org/en/Homepage/News/June-2022/CzechInvest-seeks-innovative-startups-for-Technology-Incubation (accessed on 29 March 2023).
[20] Israel Innovation Authority (n.d.), How to evaluate routes in the growth division, https://innovationisrael.org.il/general_content/3813 (accessed on 11 May 2023).
[19] Jenik, I. and K. Lauer (2017), “Regulatory sandboxes and financial inclusion”, cgap.org, https://www.cgap.org/sites/default/files/researches/documents/Working-Paper-Regulatory-Sandboxes-Oct-2017.pdf (accessed on 19 April 2022).
[13] OECD (2022), The FinTech Ecosystem in the Czech Republic, OECD Publishing, Paris, https://doi.org/10.1787/068ba90e-en.
[1] OECD/Eurostat (2018), Oslo Manual 2018: Guidelines for Collecting, Reporting and Using Data on Innovation, 4th Edition, The Measurement of Scientific, Technological and Innovation Activities, OECD Publishing, Paris/Eurostat, Luxembourg, https://doi.org/10.1787/9789264304604-en.
[9] Parenti, R. (2020), “Regulatory sandboxes and innovation hubs for FinTech”, Study for the committee on Economic and Monetary Affairs, Policy Department for Economic, Scientific and Quality of Life Policies, European Parliament, Luxembourg, September.
[23] The Bank of Lithuania (2018), RESOLUTION ON THE APPROVAL OF THE REGULATORY SANDBOX FRAMEWORK OF THE BANK OF LITHUANIA, Bank of Lithuania, https://www.lb.lt/uploads/documents/files/EN/our-functions/supervision-of-financial-institutions/sandbox/03-166_2018%2009%2019_EN.pdf (accessed on 29 March 2023).
[5] The Ministry of Information Technologies and Communications (2023), Datos Abiertos Colombia, https://www.datos.gov.co/en/ (accessed on 11 May 2023).
[24] World Bank (2020), How Regulators Respond to Fintech: Evaluating the Different Approaches-Sandboxes and Beyond, World Bank.
Notes
← 1. British FCA is establishing a Synthetic Data Expert Group. Source: Synthetic Data Call for Input Feedback Statement, pg. 9
← 2. Technically speaking, the creation of synthetics that are entirely artificial is possible, however, the relevance compared to the real data is expected to be inexistent if not based on existing datasets.
← 4. This means the following categories of firms can participate: companies that already have a license within the financial legislation, but wish to test a new technology and/or business model; companies that do not have the required license within the financial legislation to provide the desired activity; companies where it is uncertain whether the activity requires a license within the financial legislation.
← 5. e.g. Act No. 21/1992 Coll., on Banks, as amended, Act No. 240/2013 Coll., on Management Companies and. Investment Funds, as amended, Act No. 256/2004 Coll., on Capital Market Business, as amended, and Act No. 190/2004 Coll., on Bonds, as amended.
← 6. Article 32 of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02015L2366‑2015 1223
← 7. Section 58 (2) “A small-scale payment service provider is authorised to provide payment services only if the monthly average of the amounts of payment transactions executed by this provider in the Czech Republic, including payment transactions executed through its authorised agents, does not exceed the amount of EUR 3, 000, 000 for the last 12 months. If a small-scale payment service provider is a member of a group, these average monthly amounts also include payment transactions that the other small-scale payment service providers, which are members of the group, have executed in the Czech Republic over the last 12 months, including payment transactions made through their authorised agents.”
← 8. C‑18/14 – CO Sociedad de Gestion y Participación and Others https://curia.europa.eu/juris/liste.jsf?num=C-18/14
← 9. Consolidated text: Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02013L0036-20220101
← 10. Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32013R0575
← 11. See more on the mandate of the CNB in the Annex.
← 12. The only reference among reviewed jurisdictions where the team was able to find regarding the level of Technology Readiness Level (TRL) is the Israeli pilot in FinTech regime, where the eligibility criteria mention a TRL of 6‑8. https://innovationisrael.org.il/general_content/3813