"Establishing a sandbox is a decisive commitment to the financial sector’s digital transformation"

Question: The Ministry of Economy is considering creating a regulatory sandbox in Spain and has published draft legislation on this which has been opened to public consultation. Is it a good idea?

Answer: Yes, it's a fantastic idea. It's a project that enjoys widespread support across the industry, not only from the banking sector, but also from representatives of new fintech and insurtech entrants in Spain. This project has a clear fundamental benefit: it places Spain on the cutting-edge of defining favorable environments for fintech innovation in the EU. It also has an advantage for the regulators: the sandbox will be coordinated by different authorities to facilitate early-stage financial innovation projects. The regulatory authority will have visibility in these projects during the early stages. It will be able to learn about the type of innovations that go to market and what the regulatory response should be. Industry participants – whether financial institutions or other type of innovators – will be able to perform low-risk testing in a place that is not subject to existing regulation, testing specific innovations with potential benefits for the customer.

The sandbox will be coordinated by different authorities to facilitate early-stage financial innovation projects

Q: So, we are talking about places to launch projects that don’t necessarily have to comply with existing legislation, so regulators can see how they function, and if required adapt the legislation. 

A: It's important to understand it correctly because there are a lot of mistaken ideas about what a regulatory sandbox is. In Europe, each country is interpreting what a sandbox is in a different way. Originally, it was an innovation used by the British authorities (the Financial Conduct Authority). Later, different flavors of the concept were adapted both in different regions of Europe and further afield. One of the mandates of the European authorities is to compile the current state-of-play on sandboxes, to identify best practices and common criteria so that in Europe, at least, we have a common understanding.

In the case of Spain's draft legislation, we are talking about a place that is not subject to defined regulation, that facilitates the development of early-stage, innovative projects that can potentially improve the offer of financial services during an initial stage, as long it has been approved within the sandbox. Once a project has been accepted, a protocol for testing with real customers is defined. This protocol defines the project's exemptions – in terms of conditions and types of regulations – during this testing period. From there, it might have a natural fit with existing regulation, which would imply a transition to the corresponding licensing framework or might not have a fit. In the latter case, the regulatory authorities will see the required response; some change to the legislation, for example.

Q: Could sandboxes set the agenda for the regulator?

A: They’ll help the regulator better understand what should be regulated and what not, and give them more time to respond. So far, to launch a project, an innovator goes to the authorities with a concrete proposal that they want to test with customers, a proposal that is well defined, and the authorities have very little time to say if it fits into the regulatory framework. It if does, the project is or is not authorized, depending on whether it complies with the applicable requirements. The sandbox brings this point of contact between innovators and authorities forward so that they can check if the business models and technologies that they want to use have the desired customer response, if they are able to roll out a product or service that makes commercial sense when it comes to complying with all applicable regulation. The regulatory authority can also see if there is a fit with the legislation, to provide clarity to the innovator.

Q: Do the banks and startups agree on this proposed sandbox?

A: There is a tendency that is increasingly losing traction that sees regulatory sandboxes as a way to promote the entry of new players into a specific market. In other words, regulation can be seen as a barrier to entry, and there are those who see the regulatory sandbox exclusively as a way to facilitate entry. From our point of view, there are also advantages for the industry players who are already regulated. The draft legislation caters for the possibility that a financial institution that is already regulated due to its business activities - such as a bank -  requests use of the sandbox for an innovative project. In such a case, the authorities and the financial institution together define the scope of the project and the regulations from which they want exemption during the period. This is how the innovative project that is in the sandbox is separated from the bank's normal business.

The innovative project is in the sandbox is separated from the bank's normal business

Q: In other words, it's safe for the consumer.

A: The sandbox needs to be designed – as the Ministry of Economy is doing – in such a way that always ensures maximum consumer safeguards, which will not be damaged by virtue of participation in one of these trial phases.

Q: In fact, theoretically it benefits them because it brings more innovative products to market.

A: Here we have two categories of consumers to consider. If we think about consumers as a whole, like society, they will benefit from more innovation. If the sandbox works correctly, it means that there will be more innovative projects that ultimately hit the market with a commercial launch. It's a benefit to society. The question arises when thinking about the specific consumers who participate in the sandbox testing and how to guarantee that they are protected.

Q: And will these consumers know that the product is in testing?

A: Yes. There are some similarities, for example, with the clinical trial phases that are used by pharmaceutical companies.  Anyone participating in these phases knows that it is a trial,  which exposes them to a proposal that has added value. Customers know that they will be protected but also know they are exposed to a service that does not have the same quality level or guaranteed continuity as it would have in other circumstances. It is something that will be explained clearly to customers, and they will have to provide informed consent if they are going to participate in one of these projects.

Anyone participating in these phases knows that it is a trial,  which exposes them to a proposal that has added value.

Q: Who will regulate these places for experimentation?

A: As it is being defined in Spain, the project will have a single point of entry with the Secretary of the Treasury acting as gatekeeper.  Once a project enters the sandbox, the Secretary of the Treasury will determine what regulatory authorities will be involved in the evaluation of the project, and where appropriate, in the definition of the corresponding protocol. These authorities will fundamentally be the Bank of Spain, the National Securities Market Commission, and the General Directorate of Insurance. It will be possible for other relevant authorities to participate. From an industry perspective, we would expect participation from other authorities such as the Spanish Data Protection Agency and Sepblac, the authority responsible for the prevention of money laundering.

Q: You've described this proposal as cutting-edge. Are there not many countries that have something similar?

A: The U.K. was the first to set up a true sandbox. Today, we can find them in Singapore and Hong Kong, but there are not many regions that have a true, working sandbox.

Q: Do they work well?

A: None of the current sandboxes are perfect, but Singapore and the U.K. have done a good job. The sandbox in the U.K. operates on a cohort system; they have just announced the fourth group of projects to be accepted. Instead of having a permanently open sandbox, project applications are submitted in windows of opportunity.

Q: In Spain will the sandbox be “always-open” or will it operate through batches?

A: In principle it will also work on a cohort system. This has an advantage for the supervisor, since it helps better anticipate the level of effort that will be required. An always-open window could have the problem that the authorities’ capacity to review projects could be filled quite quickly.

Q: How is it decided who participates? Is each project application considered, regardless of who submits it?

A: A coordinating body between Treasury and the different authorities will decide which projects will participate and which regulatory authorities will be involved in each project. The draft legislation establishes that any individual or company with a European tax residence can apply to participate in the Spanish regulatory sandbox.

Q: Can the project come from outside Spain?

A: Yes. Although logically the project sponsor would be someone who would want to offer their product in Spain, a foreign company could participate. The question is, although there is a certain degree of regulatory standardization in Europe, there are still differences between countries. The implementation of a single digital market, specifically for financial services, is not complete. If someone uses Spain's sandbox to run a trial with the intention to roll it out in Germany, they’ll probably run into some difficulties. Something that has been rendered in Spain conforms with the Spanish legal system, although it might come from  European legislation or it could be national law that does not correspond with German law.

Q: Wouldn’t an initiative at the European level make sense?

A: Ideally, there should only one European regulatory sandbox to foster cross-border services within the European Union. That would be ideal but for the moment it poses complications among member states that have yet to be resolved. The European banking, markets and insurance authorities are going to collate best practices and issue a series of recommendations to national authorities that want to set up a sandbox with minimal harmonization. In the future it would probably make sense that in order to complement national sandboxes, for there also to be a European sandbox to try out in cross-border projects.

Ideally, there should only one European regulatory sandbox to foster cross-border services within the European Union

Q: With Britain’s exit from the EU perhaps there are startups Europe could attract if there were a European sandbox.

A: That would be interesting, yes. That’s why if this bill is passed in the next few months, it would lend Spain credibility in the development of a complete sandbox framework. This is a really firm commitment to facilitate the digital transformation of the sector. It could be a pole of attraction for talent that wants to come and innovate in the fintech field in Spain and also great opportunity for the country. It could make Spain a source of inspiration for other countries, for example, in Latin America.

Q: ¿What is the expected calendar for the approval of the bill?

A: At the moment it is a draft act subject to public consultation. The text will need to be submitted to the State Council which will hand down its opinion. If the judgment is favorable, it should go before parliament in the latter part of the year. It obviously depends on the parliamentary agenda for the law. This is a piece of draft legislation that has been on the radar of different governments in Spain.

Q: ¿How is Spain set in terms of financial digital regulations apart from this bill?

A: The bulk of the digital regulations in the financial sector come from EU regulations, which in some cases need to be embodied in national legislation and in other cases adopted in direct application. There are regulated areas at the domestic level, but increasingly fewer. Europe as a whole is one of the jurisdictions where most progress has been made in how to regulate innovative business models but also in allowing incumbent players to transform themselves although there is still a lot to be done in this area. As regards transversal digital regulations which do not apply specifically to the financial sector, such as cybersecurity and data protection, Europe is a global benchmark. With the bill on sandboxes, Spain stands out in Europe as a whole. Another area where Spain has been a frontrunner is in crowdfunding legislation.

Q: Is Europe leading the way in digital financial regulation with PSD2?

A: PSD2 is one of the elements but the thinking in Europe goes beyond that. There is a lot of lot of concern about understanding the impact of digitalization on the economy as a whole and also on the financial sector.

Q: Is the online financial business adequately controlled?

A: The financial sector has been regulated not only from the point of view of competition, as in other sectors; there is also a prudential and risk-management rationale. So, any business that emerges in the market which poses new risks should be subject to regulation. And obviously it’s not the same for something at the start-up stage and low-scale as opposed to something that has become a tangible reality and commonplace in the market. When there are new businesses in the market that pose risks the regulator has to understand what is happening and set the rules of play to control risks without biases between players already regulated in the market and newcomers who have not been regulated and want to enter the market.

Q: ¿Do you think measures are needed in Europe to create a level playing field for established financial companies and newcomers?

A: The European Banking Authority (EBA) is currently revising the regulatory perimeter. You have to understand new businesses with critical mass in the market which pose new risks in order to come up with new regulations and help the national authorities in this sense. A clear example of this is crypto-currencies. Once you grasp there could be an issue of consumer protection, the next question is how you control something that is not an established legal entity.

Q: Could cryptocurrencies be regulated?

A: If you think about a cryptocurrency, there is no legal body behind it because it is based on decentralized global protocols. This is what really complicates legislating for it. The way Europe is going about it, for example, is through a proposed new directive on money-laundering regulating exchange activity between fiat money and crypto-money and wallets for storing this money.

Q: Alongside PSD2, another piece of pioneering European legislation has emerged in the shape of GDPR. What impact is it having on the financial sector?

A: GDPR affects all companies and involves a change not only in compliance in the short term but also a fundamental change in how companies handle personal data. Beyond what we might have seen in the first few months, this requires a rethink about how to go about dealing with personal data for any new product or service before launching it. Before developing a product or application questions emerge on how to secure appropriate consent, on traceability, and on how to allow customers exercise their rights regarding their personal data. This involves a paradigm shift. Initially it was perceived outside Europe as a means of defense against companies from other countries, but the reality is that in the wake of recent events and the extent to which a culture of data privacy is created, GDPR is giving rise to more regulations in other countries.