BSP APPROVES REGULATORY SANDBOX FRAMEWORK
On 5 September 2022, and in line with its policy of enabling responsible innovation to promote the development of an inclusive digital financial ecosystem, the Bangko Sentral ng Pilipinas (“BSP”) issued Circular No. 1153 and approved a Regulatory Sandbox Framework to be incorporated as Section 115 of the Manual of Regulations for Banks (“MORB”) and Sections 112-Q/115-S/115-P/113-T/103-N/141-CC of the Manual of Regulations for Non-Bank Financial Institutions (“MORNBFI”). In broad terms, the new rules allow fintech developers to test the use of new or emerging technology to deliver financial products and services in a controlled environment.
1. What is the Regulatory Sandbox?
The Regulatory Sandbox is a controlled, time-bound, live testing environment which may feature regulatory waivers at the regulators’ discretion in order to promote the development of transformative technologies under the “test-and-learn” approach. Applicants that are assessed as eligible to participate in the regulatory sandbox (“Participants”) must operate within testing parameters agreed upon by the BSP and the Participants. Testing parameters include metrics to assess the viability of the solution being offered.
2. What is the scope and coverage of the FPSCPA and the FCP Framework?
The Regulatory Sandbox Framework applies to all BSP-Supervised Financial Institutions (each a “BSFI”), third party-service providers of BSFIs, other BSP-registered institutions, and other entities that intend to offer or use any emerging or new technology to deliver financial products/services within the regulatory authority of the BSP.
3. What are the eligibility standards that applicants should meet in order to participate in the regulatory sandbox?
Under the Regulatory Sandbox Framework, applicants must meet the following criteria to participate in the regulatory sandbox:
(i) uses new or emerging technology or utilizes existing technology in an innovative manner,
or (ii) bridges a market gap in the delivery of financial products/services;
4. Are there continuing conditions that must be complied with by the Participants that have been granted approval to perform sandbox activities?
Yes, under the Regulatory Sandbox Framework, Participants must comply with certain conditions in the performance of sandbox activities.
Among these conditions, Participants in a regulatory sandbox must ensure that an appropriate top-level committee oversees sandbox activities and that the sandbox is integrated in the overall strategic plan of the entity to ensure that the entity’s systems, financial performance and risk management capability are capable of handling the new product/service.
Further, Participants must guarantee that sandbox activities satisfy legal and regulatory requirements for Anti-Money Laundering/Combating Terrorism and Proliferation Financing, together with relevant regulations on payments, IT risk management and Electronic Products and Financial Services (“EPFS”).
Note that under the Regulatory Sandbox Framework, the sandbox must be implemented for a period no longer than 12 months. After such period, a report must be submitted by participants summarizing the outcome of the experimentation and the viability of the product offered, supplemented by recommended action plans for the offered product/service.
5. What is the process followed in a regulatory sandbox?
The Regulatory Sandbox Framework contemplates that each regulatory sandbox shall undergo a four-stage process: the Application, Evaluation, Testing and Exit Stages. These are discussed briefly below.
6. When are participants deemed fit to operate with their proposed product/service?
Participants whose products or services are deemed fit for public consumption after having completed the testing and exit stages referred to above may submit to the BSP an application for authority to operate and to offer the proposed product to the public.
Note that despite successful sandbox testing, the approving authorities reserve the right to approve or disapprove the proposed product or service.
7. What are the conditions that will trigger the revocation/termination of the Regulatory Sandbox Approval?
The BSP may revoke the authority of entities to participate in the sandbox based on (i) sandbox implementation-related conditions and (ii) entity-related conditions.
Sandbox implementation-related conditions consist of the failure of Participants to deliver the approved product/service features, or failure to develop and implement the required safeguards appropriate for the proposed solution. Further, significant breaches on data protection and the inability of the participants to effectively address technical defects or vulnerabilities in the proposed solution also fall under the foregoing conditions.
Entity-related conditions, on the other hand, pertain to issues in the operational and/or business conditions of the Participant.
8. What are the conditions that will trigger the revocation/termination of the Regulatory Sandbox Approval?
Participants are mandated by the Regulatory Sandbox Framework to submit interim and final reports to the BSP to facilitate monitoring of the regulatory sandbox activities. Interim reports must describe the status of the sandbox activities including key issues encountered and actions undertaken to address emerging risks. The final report shall thereafter contain the final results of the experimentation presenting complete information on the key outcome of the activity. Note that the final report must be submitted by participants to the BSP within 60 calendar days from the end of the sandbox activity.
9. How are consumers who are subject to sandbox experimentation protected?
Under the Regulatory Sandbox Framework, participants in the sandbox activity must adopt measures to protect the rights and interests of consumers. Customers must be informed that the product/service offered by the participants is under the regulatory sandbox platform and must be informed of the possible risks associated with the product.
Further, all regulatory sandbox experimentation shall follow the rules and regulations on data sharing, data privacy, and data protection in all implementation phases. The use of customer data should be limited to the consent provided by the customer in availing the product or service.
Read more here.