Click here to Visit the RBI’s new website


526 kb
Date : 28 Feb 2024
Enabling Framework for Regulatory Sandbox

February 28, 2024
(Updated on October 08, 2021)
(Updated on December 16, 2020)
(Updated on August 13, 2019)

1. Background
2. The Regulatory Sandbox: Principles and Objectives
3. Regulatory Sandbox: Benefits
4. Regulatory Sandbox: Risks and Limitations
5. Regulatory Sandbox: Eligibility Criteria
6. Design Aspects of the Regulatory Sandbox
7. Regulatory Sandbox: Process and its Stages
8. Statutory and Legal Issues
9. Transparency and Disclosure

1. Background

1.1 The Reserve Bank of India (RBI) set up an inter-regulatory Working Group (WG) in July 2016 to look into and report on the granular aspects of FinTech and its implications so as to review the regulatory framework and respond to the dynamics of the rapidly evolving FinTech scenario. The report of the WG was released on February 08, 2018, for public comments. One of the key recommendations of the WG was to introduce an appropriate framework for a Regulatory Sandbox (RS) within a well-defined space and duration where the financial sector regulator will provide the requisite regulatory guidance, so as to increase efficiency, manage risks and create new opportunities for consumers.

1.2 Accordingly, a comprehensive framework highlighting the clear principles and role of the proposed RS, including the reasons for setting up the RS and the expectations of the RBI, are detailed hereunder.

2. The Regulatory Sandbox: Principles and Objectives

2.1 The Regulatory Sandbox

RS usually refers to live testing of new products or services in a controlled/test regulatory environment for which regulators may (or may not) permit certain regulatory relaxations for the limited purpose of the testing. The RS allows the regulator, the innovators, the financial service providers (as potential deployers of the technology) and the customers (as final users) to conduct field tests to collect evidence on the benefits and risks of new financial innovations, while carefully monitoring and containing their risks. It can provide a structured avenue for the regulator to engage with the ecosystem and to develop innovation-enabling or innovation-responsive regulations that facilitate delivery of relevant, low-cost financial products. The RS is an important tool which enables more dynamic, evidence-based regulatory environments which learn from, and evolve with, emerging technologies.

2.2 Objectives

The objective of the RS is to foster responsible innovation in financial services, promote efficiency and bring benefit to consumers.

The RS is, at its core, a formal regulatory programme for market participants to test new products, services or business models with customers in a live environment, subject to certain safeguards and oversight. The proposed financial service to be launched under the RS should include new or emerging technology, or use of existing technology in an innovative way and should address a problem and bring benefits to consumers.

3. Regulatory Sandbox: Benefits

The setting up of an RS can bring several benefits, some of which are significant and are delineated below:

3.1 First and foremost, the RS fosters ‘learning by doing’ on all sides. Regulators obtain first-hand empirical evidence on the benefits and risks of emerging technologies and their implications, enabling them to take a considered view on the regulatory changes or new regulations that may be needed to support useful innovation, while containing the attendant risks. Incumbent financial service providers, including banks, also improve their understanding of how new financial technologies might work, which helps them to appropriately integrate such new technologies with their business plans. Innovators and FinTech companies can improve their understanding of regulations that govern their offerings and shape their products accordingly. Finally, feedback from customers, as end users, educates both the regulator and the innovator as to what costs and benefits might accrue to customers from these innovations.

3.2 Second, users of an RS can test the product’s viability without the need for a larger and more expensive roll-out, if the product appears to have the potential to be successful. If any concerns arise, during the sandbox period, appropriate modifications can be made before the product is launched in the broader market.

3.3 Third, FinTechs provide solutions that can further financial inclusion in a significant way. The RS can go a long way in not only improving the pace of innovation and technology absorption but also in financial inclusion and in improving financial reach. Areas that can potentially get a thrust from the RS include microfinance, innovative small savings, remittances, mobile banking and other digital payments.

3.4 Fourth, by providing a structured and institutionalized environment for evidence- based regulatory decision-making, the dependence of the regulator on industry/stakeholder consultations only is correspondingly reduced.

3.5 Fifth, the RS could lead to better outcomes for consumers through an increased range of products and services, reduced costs and improved access to financial services.

4. Regulatory Sandbox: Risks and Limitations

4.1 Innovators may lose some flexibility and time in going through the sandbox process. However, running the RS in a time-bound manner at each stage can mitigate this risk.

4.2 Case-by-case bespoke authorizations and regulatory relaxations can involve time and discretional judgements. This risk may be addressed by handling applications in a transparent manner and following well-defined principles in decision-making.

4.3 The RBI or its RS cannot provide any legal waivers.

4.4 Post-sandbox testing, a successful experimenter may still require regulatory approvals before the product/services/technology can be permitted for wider application.

4.5 There is potential for some legal issues coming up, such as those relating to consumer losses in case of failed experimentation. Such instances may not have much legal ground if the RS framework and processes are transparent and have clear entry and exit criteria. Upfront clarity that liability for customer or business risks shall devolve on the entity entering the RS will be important in this context.

5. Regulatory Sandbox: Eligibility Criteria

The target applicants for entry to the RS, are FinTech companies including start-ups, banks, financial institutions, any other company, Limited Liability Partnership (LLP) and partnership firms, partnering with or providing support to financial services businesses, subject to the sandbox criteria laid down in these guidelines.

The focus of the RS will be to encourage innovations intended for use in the Indian market in areas where:

  1. there is absence of governing regulations;

  2. there is a need to temporarily ease regulations for enabling the proposed innovation;

  3. the proposed innovation shows promise of easing/effecting delivery of financial services in a significant way.

6. Design Aspects of the Regulatory Sandbox

The RBI shall consider the following key design features for the RS:

6.1.1 Regulatory Sandbox Cohorts

The RS may run a few cohorts (end-to-end sandbox process), with a limited number of entities in each cohort testing their products during a stipulated period. The RS shall be based on thematic cohorts focussing on financial inclusion, payments and lending, digital KYC, etc. The cohort may also be theme neutral wherein innovative products/services/technologies cutting across various functions in RBI’s regulatory domain would be eligible to apply. The cohorts may run for varying time periods but should ordinarily be completed within nine months, starting from receipt of complete and eligible applications, i.e., excluding the preliminary screening period.

6.1.2 ‘On Tap’ Application

In order to ensure continuous innovation in the closed themes, the RS may also accept ‘On Tap’ applications for otherwise closed themes. The details of the themes open for ‘On Tap’ application shall be communicated through the Reserve Bank website. All the terms and conditions for participation in ‘On Tap’ facility will be same as those applicable under the RS.

6.1.3 Product/Services/Technology under RS

An indicative list of innovative products/services/technology which could be considered for testing under RS is given below. Innovative Products/Services

  • Retail payments

  • Money transfer services

  • Marketplace lending

  • Digital KYC and Digital identification services

  • Financial advisory and Wealth management services

  • Smart contracts

  • Financial inclusion products

  • Cyber security products

  • RegTech and SupTech Innovative Technology

  • Mobile technology applications (payments, digital identity, etc.)

  • Data Analytics

  • Application Program Interface (APIs) services

  • Applications under block chain technologies

  • Artificial Intelligence and Machine Learning applications

6.2 Regulatory Requirements/Relaxations for Applicant

The RBI may consider relaxing, if warranted, some of the regulatory requirements for applicants for the duration of the RS on a case-to-case basis. A few of the examples of regulatory relaxation which may be granted are given below:

  • Liquidity requirements

  • Board composition

  • Management experience

  • Financial soundness

  • Track record

  • Statutory restrictions

However, the requirements that shall mandatorily be complied with by the applicants are given below:

  • Customer privacy and data protection

  • Secure storage of and access to payment data of stakeholders

  • Local Data storage

  • Security of transactions

  • KYC/AML/CFT requirements

  • Statutory requirements

6.3 Exclusion from Sandbox Testing

The entities may not be suitable for the RS if the proposed financial service is similar to those that are already being offered in India unless the applicants can show that either a different technology is being gainfully applied or the same technology is being applied in a more efficient and effective manner.

An indicative negative list of products/services/technology which may not be accepted for testing is given below.

  • Credit registry

  • Credit information

  • Crypto currency/Crypto assets services

  • Trading/investing/settling in crypto assets

  • Initial Coin Offerings, etc.

  • Chain marketing services

  • Any product/services which have been banned by the regulators/Government of India.

6.4 Number of FinTech Entities to be part of a Cohort

The focus of the RS shall be narrow in terms of areas of innovation, and limited in terms of intake. The RS shall begin the testing process with a few selected entities through a comprehensive selection process as detailed in the framework under ‘Fit and Proper criteria for selection of participants in RS’. The decision of the RBI on the application shall be final.

6.5 Fit and Proper Criteria for Selection of Participants in RS

6.5.1 Every applicant shall satisfy the following conditions:

(a) It should be a company incorporated and registered in India or banks licensed to operate in India or Limited Liability Partnership (LLP) or Partnership firm registered in India. Further, financial institutions constituted under a statute in India would also be eligible.

(b) The entity shall have a minimum net worth of Rs.10 lakh as per its latest audited balance sheet.

(c) The entity, whose application for participation is rejected under the RS, will be eligible to apply again with same or similar product only after the completion of mandatory cooling period of six months.

(d) All the promoter(s)/director(s)/partner(s) of the entity should be fit and proper as per the criteria enumerated in Annex I. A declaration and undertaking shall be obtained to this effect from every director as per Annex II.

(e) The conduct of the bank accounts of the entity as well its promoters/directors should be satisfactory.

(f) The credit history of the promoter(s)/director(s)/partner(s)/ entity shall be satisfactory.

(g) The entity should demonstrate that the products/services are technologically ready for deployment in the broader market. The Reserve Bank shall not provide technology testbed and/or data for testing of the product/services/technology.

(h) The entities may get into in-principle partnership arrangements, if any, with various stakeholders at the time of applying to the RS.

(i) The entity must demonstrate arrangements to ensure compliance with the existing regulations/laws on consumer data protection and privacy.

(j) There should be adequate safeguards built in its IT systems to ensure that it is protected against unauthorized access, alteration, destruction, disclosure or dissemination of records and data.

(k) The entity should have robust IT infrastructure and managerial resources. The IT systems used for end-to-end sandbox processing shall provide end-to-end integrity of information processing.

6.5.2 The entities shall additionally satisfy the following conditions:

(a) The proposed FinTech solution should highlight an existing gap in the financial ecosystem and the proposal should demonstrate how it would address the problem and bring benefits to consumers or the industry and/or perform the same work more efficiently. Alternatively, the applicants should demonstrate that there is a relevant regulatory barrier that prevents deployment of the product/service at scale, or a genuinely innovative and significantly important product/service/solution is proposed for which relevant regulation is necessary but absent.

(b) If the proposed product/ service is similar to the one which was already tested under RS and no new innovation is envisaged, the same may not be considered eligible under RS.

(c) The test scenarios and expected outcomes of the RS experimentation should be clearly defined, and the sandbox entity should report to the RBI on the test progress, based on an agreed schedule.

(d) The appropriate boundary conditions (refer to section 6.7) should be clearly defined for the RS to be meaningfully executed while sufficiently protecting consumers’ privacy.

(e) An acceptable exit and transition strategy should be clearly defined in the event that the proposed FinTech-driven financial service has to be discontinued, or can proceed to be deployed on a broader scale after exiting the RS.

(f) The applicants shall be required to share the results of Proof of Concept (PoC)/testing of use cases including any relevant prior experiences before getting admission into RS for testing,

(g) Significant risks arising from the proposed FinTech solution or financial service should be assessed and mitigation plan shall be submitted.

6.5.3 The RS is a new regulatory initiative to foster responsible innovation in financial services, while carefully monitoring and containing their risks. The selection of entities for a cohort shall, inter-alia, be based on conformity to the fit and proper criteria as indicated in para 6.5.1 and 6.5.2 above. In case the number of applicants is large, the compliance with fit and proper criteria shall be a necessary condition and the final selection will be based on novelty of the innovation and the potential benefit which the product/service/ technology brings to the consumers/industry.

6.6 Extending or Exiting the RS

a) At the end of the sandbox period, the regulatory relaxations provided to the entities will expire and the sandbox entity must exit the RS. In the event that the sandbox entity requires an extension of the sandbox period, it should apply to the RBI at least one month before the expiration thereof and with valid reasons to support the application for extension. The RBI shall take an informed decision to allow extension or otherwise, on a case-by-case basis, based on the stage of the testing, the results of the testing till then, justification for its continuance and the expected outcome in the extended period.

b) The sandbox testing will be discontinued any time at the discretion of the RBI:

  1. if the sandbox entity does not achieve its intended purpose, based on the latest test scenarios, expected outcomes and the schedule mutually agreed by the sandbox entity with the RBI.

  2. if the sandbox entity is unable to fully comply with the relevant regulatory requirements and other conditions specified at any stage during the sandbox process.

  3. if the sandbox entity has not acted in the best interest of consumers due to negligence or deliberate malicious practices.

  4. if the sandbox entity has submitted false, misleading or inaccurate information, or concealed material facts in its application to RS.

  5. if there is any breach in the data security/ failure to address technical defects, if any, failure to develop or implement safeguards, the entity goes into liquidation or has regulatory license cancelled.

  6. if the sandbox entity is unable to start the testing or get into the required partnerships.

c) The sandbox entity may also exit from the RS at its own discretion by informing the RBI one month in advance.

d) The sandbox entity shall ensure that any existing obligation to its customers of the financial service under experimentation is fully addressed before exiting the RS or discontinuing the RS.

6.7 Boundary Conditions

When the RS operates in the production environment, it must have a well-defined space and duration for the proposed financial service to be launched, within which the consequences of failure can be contained. The appropriate boundary conditions should be clearly defined for the RS to be meaningfully executed while sufficiently protecting the interests of consumers. The boundary conditions for the RS may include, but not restricted to, the following:

  • Start and end date of the Testing Period

  • Target customer/ merchant type

  • Limit on the number of customers/ merchants involved

  • Transaction ceilings or cash holding limits

  • Cap on customer losses

6.8 Consumer Protection

6.8.1 The sandbox entity will be required to ensure that any existing obligations to the customers of the financial service under experimentation are fulfilled or addressed before exiting or discontinuing the RS. It may be noted that entering the RS does not limit the sandbox entity’s liability towards its customers.

6.8.2 The entities entering the RS must, in an upfront and transparent way, notify test customers of potential risks and the available compensation and obtain their explicit consent (preferably in language understood by the customer) in this regard. There should be an appropriate arrangement for customers to revoke the consent and exit from the test.

6.8.3 Sandbox entities shall be required to take liability/indemnity insurance of an adequate amount and period to safeguard the interest of the customers. The adequacy of indemnity cover may depend on the product/ service/ technology being tested and shall, among others, include parameters like (i) maximum exposure to a single customer (ii) the number of claims that could arise from a single event (potential for multiple claims), (iii) number of claims that might be expected during the policy period or (iv) rolling insurance coverage wherein if there is no claim made by the customer within two months of the date of RS transaction/ operation, the insurance limit may be rolled over and used to cover subsequent transactions/ operations. The policy cover shall begin with the start of testing stage and end three months after exit of the sandbox entity from the RS.

7. Regulatory Sandbox: Process and its Stages

7.1 End-to-End Sandbox Process

A detailed end-to-end sandbox process, including the testing of the products/innovations by FinTech entities, shall be overseen by the FinTech Department (FTD) of RBI under overall guidance of the Inter Departmental Group (IDG) on RS of RBI with participation of representatives of various regulatory departments of RBI and other domain experts.

7.2 The Sandbox Process: Stages and Timelines

Each cohort of the RS shall have the following five stages and timeline:

7.2.1 Preliminary Screening

The applications received by the FTD shall be evaluated to shortlist applicants meeting the eligibility criteria and the objectives of RS. This phase may last ordinarily for one month from the submission of complete application form by the applicant and further information, as desired by FTD, necessary for the screening and due diligence. This period is outside the overall RS Cohort timeline of nine months.

7.2.2 Application Assessment and Shortlisting

The FTD shall vet the applications to evaluate innovation, technology aspects, security etc. The regulatory relaxations, if any, requested by the applicant will be considered on a case-by-case basis in consultation with the regulatory department concerned. The shortlisted applicants will present their product/service/technology before the IDG, based on which they will be shortlisted for Testing Phase. This stage may last for up to one and a half month.

7.2.3 Formulation of Test Design and Integration Phase

The FTD shall finalise the test design through an iterative engagement with the applicants and identify outcome metrics for evaluating evidence of benefits and risks associated with the products/services/technology. Further, the shortlisted entities shall integrate with their partners, if any, and be ready to start the testing of the product/ service / technology. This phase may last for one and a half month.

7.2.4 Testing Phase

This phase may last for a maximum of five months. The entities will report the test results on a fortnightly basis and the FTD shall assess the test results by close monitoring.

7.2.5 Evaluation Phase

The FTD shall assess the outcome reports of the test both quantitatively and qualitatively and decide on whether the product/service is viable and acceptable under the RS. The final outcome of the testing of product/service/technology as per the expected parameters shall be confirmed by the RBI. This phase may last for one month from the submission of complete test results and further supplementary information as desired by FTD.

The timelines suggested in various stages are indicative and may vary as each stage involves various considerations and engagements with stakeholders. The FTD will have the flexibility to decide on the timelines for each stage while endeavouring to closely monitor the timelines, so that the objectives of the RS are achieved in a timebound manner.

8. Statutory and Legal Issues

8.1 Upon approval, the applicant becomes the sandbox entity responsible for operating in the RS. The RBI will provide the appropriate regulatory support by relaxing specific regulatory requirements (which the sandbox entity will otherwise be subject to), where necessary, for the duration of the RS. The RBI shall bear no liability arising from sandbox process and any liability arising from the experiment will be borne by the applicant as a sandbox entity.

8.2 The sandbox entity must process all the data, in its possession or under its control with regard to RS testing, in accordance with the provisions of Digital Personal Data Protection Act, 2023. In this regard, the sandbox entity should have appropriate technical and organisational measures to ensure effective compliance of the provisions of the Act and rules made thereunder. Further, the sandbox entity should ensure adequate safeguards to prevent any personal data breach.

8.3 Upon successful experimentation and on exiting the RS, the sandbox entity must fully comply with the relevant regulatory requirements. The applicant should clearly understand the objective and principles of the RS. It must be emphasized that the RS is not intended and cannot be used as a means to circumvent legal and regulatory requirements.

8.4 At the end of the sandbox period, the sandbox entity must notify the customers of the completion of the sandbox testing, de-board the customers and exit the RS.

9. Transparency and Disclosure

9.1 Outreach with stakeholders and clear and adequate information dissemination on the RS is important. The RBI will communicate the entire sandbox process including its launch, theme of the cohort, applicants selected for RS and products/services/technology found viable and acceptable under the RS through its official website.

9.2 The RBI shall reserve the right to publish any relevant information about the RS applicants on its website, including for the purpose of knowledge transfer and collaboration with other international regulatory agencies, without revealing any proprietary/intellectual property rights related information.