FCA calls for input on proposed Cross-sector Sandbox by 30 August 2019

New technologies, such as artificial intelligence (“AI“) and distributed ledger technology (“DLT“), continue to have a significant impact on the way in which firms, customers and regulators interact.  Firms introducing innovative business models whose products or services fall under the jurisdiction of different sectoral regulators can find themselves having to address competing regulatory expectations.

As these new innovative technologies and cross-sector business models begin to emerge, regulators have recognised a need to:

  • create a safe and encouraging environment for firms to develop positive innovations. At the same time, providing regulatory certainty;
  • ensure consumers are protected from new technologies still under development; and
  • ensure efficient and cost saving new technologies are made available to the public in a timely manner.

On 29 May 2019, the FCA issued a Call for Input seeking views on whether a single point of entry cross-sectoral sandbox would be useful in achieving these goals.  This is the first cross-sector sandbox proposed by a [global] regulator and reflects the UK’s desire to be perceived as a key centre for innovation and a thought leader on technology.

In a nutshell, the proposed cross-sector sandbox will allow firms to test innovative products, services and business models in a live market environment. Firms whose business span across different sectors (e.g. telecommunications, public utilities and banking) will be able to use this opportunity to obtain informal regulator input and guidance.  Products will be tested on a small scale and appropriate safeguards would be put in place to protect test participants.  The deadline for submissions to the FCA is 30 August 2019.

It appears that technology companies, telecommunication companies, public utility providers and financial institutions will be the most likely users of the cross-sector sandbox. Possible use cases include the launch of Orange Bank by the French telecommunications company, the launch of Ant Financial by the Alibaba Group, and the introduction of other “hyper platform” models by technology companies such as Tencent and Baidu (Open Edge).

We consider the FCA’s proposed cross-sector sandbox in more detail below.

Background

Traditional business models have largely been considered by regulators on an individual basis.  Where there have been areas of overlap, the FCA have relied on bilateral memorandums of understanding (“MoUs“) and existing fora to discuss cross-cutting issues.  However, there is currently no practical mechanism for multiple regulators to collaborate. With the development of more innovative and cross sectoral business models, regulators have recognised the need for a more focused and streamlined approach.  This is where the proposed cross-sector sandbox comes in.

The FCA’s suggestion of introducing a cross-sector regulatory sandbox is also consistent with the global trend of fostering innovation: at least 31 global financial services regulatory agencies now have a regulatory sandbox.  In addition, in January 2019, the FCA and 35 other financial organisations also launched the Global Financial Innovation Network (“GFIN”) to launch a cross-border testing pilot. The FCA’s current proposed cross-sector sandbox builds on the lessons learned from existing sandboxes and aims to leverage new opportunities brought by technological developments.

Key features of the FCA’s proposed cross-sector sandbox

The key features of the FCA’s proposed regulatory sandbox includes:

  • Restricted authorisation– the FCA will have a tailored authorisation process for firms accepted into the sandbox. Any authorisation or registration will be restricted to allow firms to only test ideas as agreed with the FCA;
  • Individual guidance– the FCA will explain how it will interpret the requirements in the context of a specific test;
  • Informal steers– the FCA can provide views on the potential regulatory implications of an innovative product or business model that is at an early stage of development;
  • Waivers– the FCA may be able to waive or modify an unduly burdensome rule, for a test. However, the FCA will not able to waive national or international law; and
  • No enforcement action letters–  if the firm deals with the FCA openly, keeps to the agreed testing parameters and treats customers fairly, the FCA accepts that unexpected issues may arise but it does not expect to take disciplinary action.

The FCA stated it will closely oversee tests and set specific safeguards for consumers. Sandbox tests are expected to have a clear objective (e.g. reducing costs to consumers) and be conducted on a small scale. Under the sandbox arrangement, firms will be able to test their innovations for a limited duration (up to 6 months) with a limited number of customers.

Perceived benefits

From a financial services perspective, the proposed cross-sector sandbox is expected to help:

  • Reduce time and cost of getting innovative ideas to the market (e.g. using DLT/ crypto assets as a payment mechanism for utility bills);
  • Facilitate access to finance and regulatory insight for innovators;
  • Enable products with potential or immediate cross-sector relevance to be tested and introduced to the market;
  • Ensure appropriate consumer protection safeguards are built into new products and services;
  • Allow regulators to share learnings from various tests and other sectors (e.g., on AI, DLT, Big Data and machine learning);
  • Allow regulators to create a common or harmonised regulatory and policy approach to the development and implementation of new technologies; and
  • Provide firms with complex new business models which span more than one regulator with a unique, coordinated single-point entry sandbox. Whilst the FCA has identified the possible use cases referred to above (Orange Bank, Ant Financial, Tencent and Open Edge), there will be greater use of more innovative business models as more and more technology and telecommunication firms diversify into traditional business areas, such as banking and public utilities, and vice versa.

Potential Challenges

The FCA has also identified some of the potential challenges a prospective cross-sector sandbox could face. They include:

  • Lack of demand– it is difficult to predict how many firms would submit an application that meets the eligibility criteria set by participating regulators.
  • Misunderstanding about the purpose of a sandbox– the FCA expects that participating regulators will set eligibility criteria and only accept applications from firms who have shown a “need for testing”. This, the FCA believes, will separate these genuine cases from those which simply wish to gain a regulatory seal of approval;
  • Firms do not improve own in-house knowledge – since regulatory feedback will be given, some firms (particularly smaller firms) may lose the incentive to develop in-house knowledge. As such, successful applicants to the cross-sector sandbox will need to show that they have an understanding of the regulatory framework in which they operate. Applicants will also need to provide reports of their findings and next steps.  Also, restrictions on firms will only be removed once the FCA is satisfied that a firm’s knowledge of the regulated market has sufficiently (i.e. when firms are able to operate without exposing markets and consumers to unacceptable harm);
  • Differing regulatory remits– given regulators have different mandates and objectives, they may arrive at different conclusions when looking at the same trial outcomes. Given different regulatory philosophies, there may also be situations where competing objectives conflict. For example, a new innovative business model that is prudentially sound may be approved by the PRA.  However, it may not receive the FCA’s blessing if it does not promote effective competition in the interests of consumers. However, the FCA is of the view that looking at tests concurrently with other regulators will help mitigate instances of uncertainty.  Although the sandbox should foster greater cooperation between regulatory bodies in the live testing environment, issues that are inherent in the various distinct regulatory frameworks may arise even after the product or offering has advanced into the formal marketplace. For example, a cross-sector product might fall within scope of several distinct dispute resolution mechanisms – different schemes, such as the Financial Ombudsman Service and the Energy Ombudsman, have different powers to, and parameters for, ordering redress and compensation.

HSF Comment

The proposed cross-sector sandbox is a further evolution of the FCA’s commitment to fostering innovation, and recognises that, even where sectors remain distinct, user behaviours and expectations are driving increased interaction between regulated sectors.  Innovators from sectors other than the purely financial should be encouraged to respond to the call for evidence.

 

Karen Anderson
Karen Anderson
Partner, London
+44 20 7466 2404
Vicky Man
Vicky Man
Senior Associate, London
+44 20 7466 3861

NIS Directive and Regulations now in force

The EU Network and Information Systems Directive (“NISD”) was required to be implemented into national law by 9 May 2018. The UK implementing regulations (the Network and Information Systems Regulations 2018) (“Regulations”) are now in force.

The Regulations impose cyber security standards on operators of essential services (“OES”) and certain digital service providers (“DSPs”) to help ensure that cyber attacks do not damage the wider economy. Continue reading

Managing cyber security risks in the telecommunications sector

Cyber security remains in the public eye with multiple incidents and vulnerabilities reported affecting telecoms companies. Telecoms companies need to continue to focus on the risks and consider updating their pro-active defence and cyber security response plans to reflect the increased legal, operational, technical and regulatory risks they are facing.

The evolution of the cyber threat has not escaped the attention of governments around the world. In 2018 the Network and Information Security Directive (NISD) as well as the General Data Protection Regulation (GDPR) will be implemented in the EU. The NISD, which is due to be implemented by May, will require operators of core “digital infrastructure” and certain “digital service providers” to ensure that their network and information systems meet minimum standards of cyber security. Continue reading

Formal DCMS response awaited by the end of the year on consultation to implement the Cyber Security Directive in the UK

The public consultation issued by the UK Department for Digital, Culture, Media & Sport on implementing the EU Network and Information Security Directive (“Cyber Security Directive”) into national legislation closed on 30 September 2017 (the “Consultation”).

The Consultation sets out the UK Government’s planned approach for implementing the Cyber Security Directive, along with a series of questions on a range of detailed policy issues relating to the implementation. It seeks to obtain views from industry, regulators and other interested parties on the proposed plans. The Government is currently analysing feedback and a formal response is expected in December 2017 (within ten weeks of the consultation closing date). The Government has also confirmed its intention for the implementing legislation to continue to apply in the UK post-Brexit (refer to our previous related article for further detail). Continue reading

ENISA Guidance: Incident Reporting for Digital Service Providers under Cyber Security Directive and the interplay with GDPR

The new report referenced in the article above, follows comprehensive guidelines (the “Guidelines“) published by ENISA in February 2017 for Member States and the European Commission on how to implement incident notification for “digital service providers” (“DSPs“) across the EU, in the context of the Cyber Security Directive.

DSPs: The Cyber Security Directive sets out obligations in respect of “operators of essential services” and DSPs, with a slightly “lighter touch” approach applying to the latter. DSPs are limited to three types of services:

  • online marketplaces – which allow consumers and traders to conclude online sales or service contracts with traders and are the final entity where the contract is concluded. The term excludes both online “intermediaries” to third party services through which a contract can be concluded, as well as online price comparison services of different traders that redirect the user to the preferred trader to purchase the product;
  • online search engines – excluding search functions that are limited just to the content of a specific website; or
  • cloud computing service providers – spanning a wide range of activities that can be delivered according to different models.

Continue reading