Contents 1. Background 1.1 The Reserve Bank of India (RBI) set up an inter-regulatory Working Group (WG) in July 2016 to look into and report on the granular aspects of FinTech and its implications so as to review the regulatory framework and respond to the dynamics of the rapidly evolving FinTech scenario. The report of the WG was released on for public comments. One of the key recommendations of the WG was to introduce an appropriate framework for a regulatory sandbox (RS) within a well-defined space and duration where the financial sector regulator will provide the requisite regulatory guidance, so as to increase efficiency, manage risks and create new opportunities for consumers. 1.2 Accordingly, a structured proposal highlighting the clear principles and role of the proposed RS, bringing out its pros and cons, including the reasons for setting up the RS and the expectations of the RBI, are detailed hereunder. 2. The Regulatory Sandbox: Principles and Objectives 2.1 The Regulatory Sandbox A regulatory sandbox (RS) usually refers to live testing of new products or services in a controlled/test regulatory environment for which regulators may (or may not) permit certain regulatory relaxations for the limited purpose of the testing. The RS allows the regulator, the innovators, the financial service providers (as potential deployers of the technology) and the customers (as final users) to conduct field tests to collect evidence on the benefits and risks of new financial innovations, while carefully monitoring and containing their risks. It can provide a structured avenue for the regulator to engage with the ecosystem and to develop innovation-enabling or innovation-responsive regulations that facilitate delivery of relevant, low-cost financial products. The RS is potentially an important tool which enables more dynamic, evidence-based regulatory environments which learn from, and evolve with, emerging technologies. 2.2 Objectives The RS provides an environment to innovative technology-led entities for limited-scale testing of a new product or service that may or may not involve some relaxation in a regulatory requirement before a wider-scale launch. The RS is, at its core, a formal regulatory programme for market participants to test new products, services or business models with customers in a live environment, subject to certain safeguards and oversight. The proposed financial service to be launched under the RS should include new or emerging technology, or use of existing technology in an innovative way and should address a problem, or bring benefits to consumers. 3. Regulatory Sandbox: Benefits The setting up of an RS can bring several benefits, some of which are significant and are delineated below: 3.1 First and foremost, the RS fosters ‘learning by doing’ on all sides. Regulators obtain first-hand empirical evidence on the benefits and risks of emerging technologies and their implications, enabling them to take a considered view on the regulatory changes or new regulations that may be needed to support useful innovation, while containing the attendant risks. Incumbent financial service providers, including banks, also improve their understanding of how new financial technologies might work, which helps them to appropriately integrate such new technologies with their business plans. Innovators and FinTech companies can improve their understanding of regulations that govern their offerings and shape their products accordingly. Finally, feedback from customers, as end users, educates both the regulator and the innovator as to what costs and benefits might accrue to customers from these innovations. 3.2 Second, users of an RS can test the product’s viability without the need for a larger and more expensive roll-out. If the product appears to have the potential to be successful, the product might then be authorized and brought to the broader market more quickly. If any concerns arise, during the sandbox period, appropriate modifications can be made before the product is launched in the broader market. 3.3 Third, FinTechs provide solutions that can further financial inclusion in a significant way. The RS can go a long way in not only improving the pace of innovation and technology absorption but also in financial inclusion and in improving financial reach. Areas that can potentially get a thrust from the RS include microfinance, innovative small savings and micro-insurance products, remittances, mobile banking and other digital payments. 3.4 Fourth, by providing a structured and institutionalized environment for evidence-based regulatory decision-making, the dependence of the regulator on industry/stakeholder consultations only is correspondingly reduced. 3.5 Fifth, the RS could lead to better outcomes for consumers through an increased range of products and services, reduced costs and improved access to financial services. 4. Regulatory Sandbox: Risks and Limitations 4.1 Innovators may lose some flexibility and time in going through the RS process (but running the sandbox program in a time-bound manner at each of its stages can mitigate this risk). 4.2 Case-by-case bespoke authorizations and regulatory relaxations can involve time and discretional judgements (this risk may be addressed by handling applications in a transparent manner and following well-defined principles in decision-making). 4.3 The RBI or its RS cannot provide any legal waivers. 4.4 Post-sandbox testing, a successful experimenter may still require regulatory approvals before the product/services/technology can be permitted for wider application. 4.5 Regulators can potentially face some legal issues, such as those relating to consumer losses in case of failed experimentation or from competitors who are outside the RS, especially those whose applications have been/may be rejected. These, however, may not have much legal ground if the RS framework and processes are transparent and have clear entry and exit criteria. Upfront clarity that liability for customer or business risks shall devolve on the entity entering the RS will be important in this context. 5. Regulatory Sandbox: Eligibility Criteria for Participating in the Sandbox The target applicants for entry to the RS are FinTech firms which meet the eligibility conditions prescribed for start-ups by the government. The focus of the RS will be to encourage innovations where there is absence of governing regulations; there is a need to temporarily ease regulations for enabling the proposed innovation; the proposed innovation shows promise of easing/effecting delivery of financial services in a significant way. 6. Design Aspects of the Regulatory Sandbox The RBI shall consider the following key design features for the RS: 6.1 Sandbox Cohorts and Product/Services/Technology The RS may run a few cohorts (end-to-end sandbox process), with a limited number of entities in each cohort testing their products during a stipulated period. The RS shall be based on thematic cohorts focussing on financial inclusion, payments and lending, digital KYC, etc. The cohorts may run for varying time periods but should ordinarily be completed within six months. An indicative list of innovative products/services/technology which could be considered for testing under RS are as follows. 6.1.1 Innovative Products/Services Retail payments

Money transfer services

Marketplace lending

Digital KYC

Financial advisory services

Wealth management services

Digital identification services

Smart contracts

Financial inclusion products

Cyber security products 6.1.2 Innovative Technology Mobile technology applications (payments, digital identity, etc.)

Data Analytics

Application Program Interface (APIs) services

Applications under block chain technologies

Artificial Intelligence and Machine Learning applications 6.2 Regulatory Requirements/Relaxations for Sandbox Applicant The RBI may consider relaxing, if warranted, some of the regulatory requirements for sandbox applicants for the duration of the RS on a case-to-case basis. However, regulatory requirements that shall mandatorily have to be maintained by the applicants are as follows: Customer privacy and data protection

Secure storage of and access to payment data of stakeholders

Security of transactions

KYC/AML/CFT requirements

Statutory restrictions 6.3 Exclusion from Sandbox Testing The entities may not be suitable for RS if the proposed financial service is similar to those that are already being offered in India unless the applicants can show that either a different technology is being gainfully applied or the same technology is being applied in a more efficient and effective manner. An indicative negative list of products/services/technology which may not be accepted for testing is as follows: Credit registry

Credit information

Crypto currency/Crypto assets services

Trading/investing/settling in crypto assets

Initial Coin Offerings, etc.

Chain marketing services

Any product/services which have been banned by the regulators/Government of India 6.4 Number of FinTech Entities to be Part of a Cohort The focus of the RS should be narrow in terms of areas of innovation, and limited in terms of intake. The RS shall begin the testing process with 10-12 selected entities through a comprehensive selection process as detailed in the framework under ‘Fit and Proper criteria for selection of participants in RS’. 6.5 Fit and Proper Criteria for Selection of Participants in RS 6.5.1 The entities should satisfy the following conditions: The entity should be a company incorporated and registered in India and shall meet the criteria of a start-up as per Govt. of India, DIPP Notification No. G.S.R. 364(E) dated April 11, 2018. The entity shall have a minimum net worth of Rs.50 lakh as per its latest audited balance sheet. The promoter(s)/director(s) of the entity are fit and proper as per the criteria enumerated in . A declaration and undertaking shall be obtained to this effect as per . The conduct of the bank accounts of the entity as well its promoters/directors should be satisfactory. A satisfactory CIBIL or equivalent credit score of the promoter(s)/director(s)/ entity is required. Applicants should demonstrate that their products/services are technologically ready for deployment in the broader market. The entity must demonstrate arrangements to ensure compliance with the existing regulations/laws on consumer data protection and privacy. There should be adequate safeguards built in its IT systems to ensure that it is protected against unauthorized access, alteration, destruction, disclosure or dissemination of records and data. The entity should have robust IT infrastructure and managerial resources. The IT systems used for end-to-end sandbox processing will be checked by the RBI to ensure end-to-end integrity of information processing by the entities concerned. 6.5.2 The proposed FinTech solution should highlight an existing gap in the financial ecosystem and the proposal should demonstrate how it would address the problem, or bring benefits to consumers or the industry or perform the same work more efficiently. 6.5.3 The applicants should demonstrate that there is a relevant regulatory barrier that prevents deployment of the product/service at scale, or a genuinely innovative and significantly important product/service/solution is proposed for which relevant regulation is necessary but absent. 6.5.4 The test scenarios and expected outcomes of the sandbox experimentation should be clearly defined, and the sandbox entity should report to the RBI on the test progress, based on an agreed schedule. 6.5.5 The appropriate boundary conditions (refer to section 6.7) should be clearly defined for the RS to be meaningfully executed while sufficiently protecting consumers’ privacy. 6.5.6 An acceptable exit and transition strategy should be clearly defined in the event that the proposed FinTech-driven financial service has to be discontinued, or can proceed to be deployed on a broader scale after exiting the RS. 6.5.7 The applicants shall be required to share the results of Proof of Concept (PoC)/testing of use cases including any relevant prior experiences before getting admission into RS for testing, wherever applicable. 6.5.8 Significant risks arising from the proposed FinTech solution or financial service should be assessed and mitigated. 6.6 Extending or Exiting the Sandbox At the end of the sandbox period, the regulatory relaxations provided to the entities will expire and the sandbox entity must exit the RS. In the event that the sandbox entity requires an extension of the sandbox period, it should apply to the RBI at least one month before the expiration of the sandbox period and with valid reasons to support the application for extension. The decision of the RBI on the application will be final. The sandbox testing will be discontinued any time at the discretion of the RBI if the entity does not achieve its intended purpose, based on the latest test scenarios, expected outcomes and schedule mutually agreed by the sandbox entity with the RBI. Further, the RS may also be discontinued if the entity is unable to fully comply with the relevant regulatory requirements and other conditions specified at any stage during the sandbox process. The sandbox entity may also exit from the RS at its own discretion by informing the RBI one week in advance. The sandbox entity should ensure that any existing obligation to its customers of the financial service under experimentation is fully addressed before exiting the RS or discontinuing the RS. 6.7 Boundary Conditions When a sandbox operates in the production environment, it must have a well-defined space and duration for the proposed financial service to be launched, within which the consequences of failure can be contained. The appropriate boundary conditions should be clearly defined for the RS to be meaningfully executed while sufficiently protecting the interests of consumers. The boundary conditions for the RS may include the following: Start and end date of the RS

Target customer type

Limit on the number of customers involved

Transaction ceilings or cash holding limits

Cap on customer losses 6.8 Ensure Transparency Outreach with stakeholders and clear and adequate information to the participants in the RS is important. The RBI will communicate the entire RS process including its launch, theme of the cohort, and entry and exit criteria through its official website. 6.9 Consumer Protection The sandbox participant will be required to ensure that any existing obligations to the customers of the financial service under experimentation is fulfilled or addressed before exiting or discontinuing the RS. It may be noted that entering the RS does not limit the entity’s liability towards its customers. The entities entering the RS must be upfront and, in a transparent way, notify test customers of potential risks and the available compensation and obtain their explicit consent in this regard. 7. The Sandbox Process and its Stages in a Regulatory Sandbox 7.1 End-to-End Sandbox Process A detailed end-to-end sandbox process, including the testing of the products/innovations by FinTech entities, shall be overseen by the FinTech Unit (FTU) at the RBI. 7.2 The Sandbox Process: Stages and Timelines Each cohort of the RS shall have the following five stages and timeline: 7.2.1 Preliminary Screening (4 weeks) The FTU shall ensure that the applicant clearly understands the objective and principles of the sandbox and conforms to it. This phase shall last for 4 weeks from the launch of the sandbox, where the applications shall be received by the FTU and evaluated to shortlist applicants meeting the eligibility criteria. 7.2.2 Test Design (3 weeks) This phase may last for 3 weeks. The FTU shall finalize the test design through an iterative engagement with the applicants and identify outcome metrics for evaluating evidence of benefits and risks. 7.2.3 Application Assessment (3 weeks) This phase may last for 3 weeks. The FTU shall vet the test design and propose regulatory modifications, if any. 7.2.4 Testing (12 weeks) This phase may last for a maximum of 12 weeks. The FTU shall generate empirical evidence to assess the tests by close monitoring. 7.2.5 Evaluation (4 weeks) This phase may last for 4 weeks. The final outcome of the testing of products/services/technology as per the expected parameters including viability/acceptability under the RS shall be confirmed by the RBI. The FTU shall assess the outcome reports on the test and decide on whether the product/service is viable and acceptable under the RS. 8. Statutory and Legal Issues 8.1 Upon approval, the applicant becomes the entity responsible for operating in the RS. The RBI will provide the appropriate regulatory support by relaxing specific regulatory requirements (which the sandbox entity will otherwise be subject to), where necessary, for the duration of the RS. The RBI shall bear no liability arising from RS process and any liability arising from the experiment will be borne by the applicant as a sandbox entity. 8.2 Upon successful experimentation and on exiting the RS, the sandbox entity must fully comply with the relevant regulatory requirements. The applicant should clearly understand the objective and principles of the RS. It must be emphasized that the RS is not intended and cannot be used as a means to circumvent legal and regulatory requirements. 8.3 At the end of the sandbox period, the entity must exit the RS. 9. Disclosure The RBI shall reserve the right to publish any relevant information about the RS applicants on its website, including for the purpose of knowledge transfer and collaboration with other international regulatory agencies. Annex I ‘Fit and Proper’ Criteria for Director(s)/Promoter(s) of the Sandbox Entities 1. The Reserve Bank of India (RBI) shall satisfy itself that the promoter(s)/director(s) of the sandbox entity to be accepted to the regulatory sandbox (RS) meets the ‘fit & proper’ criteria based on the following documents submitted for each of the promoter(s)/director(s): Permanent Account Number under the Income Tax Act, 1961 Director Identification Number Bank account details including loan accounts CIBIL score Reference report obtained from regulators under which the entity is registered/licensed Other documents/reports listed under para no. 2 for each of the promoter(s)/director(s) of the entity 2. For the purpose of due diligence of the promoter(s)/director(s), in addition to the above, the entity shall obtain a ‘declaration and undertaking’ from the director(s)/promoter(s) in a standard format as furnished in . A copy of the same shall be forwarded to the RBI. Annex II Declaration and Undertaking by

Promoter/Director

(with enclosures as appropriate on ) I. Personal details of promoter/director a. Full name b. Date of Birth c. Educational Qualifications d. Relevant Background and Experience e. Permanent Address f. Present Address g. E-mail Address/Telephone Number h. Permanent Account Number under the Income Tax Act, 1961 i. Director Identification Number II. Relevant Relationships of promoter/director a. List of relatives, if any, who are connected with the entity (refer to Section 6 and Schedule 1A of the Companies Act, 1956). b. List of entities, if any, in which he/she is considered as being interested (refer to Section 299(3)(a) and Section 300 of the Companies Act, 1956). c. Fund and non-fund facilities, if any, presently availed of by him/her and/or by entities listed in II(b) above from the bank. d. Cases, if any, where the director or entities listed in II(b) above are in default or have been in default in the past in respect of credit facilities obtained from the bank or any other bank. III. Records of professional achievements a. Professional achievements relevant. IV. Proceedings, if any, against the promoter/director promppromoter/director a. If the director is a member of a professional association/body, details of disciplinary action, if any, pending or commenced or resulting in conviction in the past against him/her or whether he/she has been banned from entry of at any profession/occupation at any time. b. Details of prosecution, if any, pending or commenced or resulting in conviction in the past against the director and/or against any of the entities listed in II(b) above for violation of economic laws and regulations. c. Details of criminal prosecution, if any, pending or commenced or resulting in conviction in the past against the director. d. Whether the director attracts any of the disqualifications envisaged under Section 274 of the Company's Act 1956? e. Has the director or any of the entities at II(b) above been subject to any investigation at the instance of a government department or agency? f. Has the director at any time been found guilty of violation of rules/regulations/legislative requirements by customs/excise/income tax/foreign exchange/other revenue authorities? If so, give particulars. g. Whether the director at any time has come to the adverse notice of a regulator such as RBI, SEBI, IRDA, MCA. Undertaking I confirm that the above information is to the best of my knowledge and belief and is true and complete. I undertake to keep the entity fully informed, as soon as possible, of all events which take place subsequent to my appointment, which are relevant to the information provided above. Place : Signature of promoter/director Date :