1.0. Why Regulatory Sandbox and Which Fintech Company Should Participate in Regulatory Sandbox?
In view of the growing demand for easier and cheaper payment solutions through disruptive technology in the financial services space, the Central Bank of Nigeria (CBN) has deemed it pertinent to ensure new and more flexible ways of engaging with the payment industry. Apart from payment terminals, payment solutions service and mobile money operators licences, the CBN introduced Regulatory Sandbox for innovative fintech payment firms to conduct live tests of their new, innovative products, services, delivery channels, or business models in a controlled environment, with regulatory oversight, subject to appropriate conditions and safeguards. From government perspectives, these live tests enable regulators to stay abreast of fintech payment innovations while promoting a safe, reliable and efficient payments system to foster innovation. From entrepreneurs’ point of view, the Sandbox allows fintech innovators to offer new technological solutions to the public even where there is no existing licensing framework that can accommodate the new technology. It is in furtherance of the above that the CBN issued the Framework for Regulatory Sandbox Operations published on 13th of January 2021 (“Sandbox Framework”). And participation in a Sandbox trial is free!
The Sandbox application process is open to both existing CBN licencees (financial institutions with FinTech initiatives) and other local companies. The latter may include financial sector companies as well as technology and telecom companies intending to test an innovative payments product or service industry deemed acceptable by the CBN. Others that can also apply include: Those proposing non-regulated financial products and services using emerging technologies, i.e., Innovators whose proposed solution involves technologies which are currently not covered under existing CBN laws or regulations. The Sandbox encourages innovation that can improve the design and delivery of payment services and is also suitable for proposed fintech payment products, services or solutions that are either not contemplated under the prevailing laws and regulations, or do not precisely align with existing regulations.
The CBN reserves the right to provide further support by relaxing specific regulations within the period of operations in the Sandbox. Upon completion and on exiting the sandbox, the successful entity is expected to meet relevant legal and regulatory requirements within a timeframe prescribed by the CBN. Innovative products or services previously rejected may be considered for sandbox trials on a case by case basis. However, products and services that are outrightly unlawful under the laws of the Federal Republic of Nigeria shall not qualify for sandbox trials.
Sandbox participants may leverage the sandbox of other regulators like the Securities and Exchange Commission (“SEC”), Nigerian Communications Commission (“NCC”) etc. to the extent of any segment of their products that falls within the jurisdiction of the other regulator(s). Also, participants may leverage the APIs available from other CBN licensed institution’s innovation sandboxes.
2.0. What are the Objectives of Regulatory Sandbox in Nigeria?
The objectives of the Regulatory Sandbox in Nigeria, as distilled from the Sandbox Framework, are as follows:
- To increase the potential for innovative business models that advance financial inclusion;
- To reduce time-to-market for innovative products, services, and business models;
- To increase competition, widen consumers’ choice and lower costs;
- To ensure appropriate consumer protection safeguards in innovative products;
- To clearly define the roles and responsibilities of stakeholders and the operations of the Sandbox for the Nigerian Payments System industry;
- To ensure adequate provisions in regulations to create an enabling environment for innovation without compromising on safety for consumers and the overall payments system; and
- To provide an avenue for regulatory engagement with FinTech firms in the payment space, while contributing to economic growth.
As part of the evaluation phase, the CBN and the Innovators shall agree on the set of consumer safeguards to be put in place to mitigate the risk to consumers participating in the testing exercise. While the safeguard measures are bespoke to each test, they will largely depend on the nature of the risks identified, and will be proportionate to the impact and probability of the risks occurring or causing consumer disadvantage.
Although the list of such safeguards is inexhaustive, however, below are examples:
i. Limitations on the number and type of customer(s)/clients that will participate in the test.
ii. Limitations on the type and size of transactions.
iii. Extra requirements related to the participants Fintech company handling and protecting of consumer data, in line with extant laws and regulations.
iv. Providing adequate disclosure of the potential risks to customers participating in the sandbox and confirmation from such customers that they fully understand and accept the attendant risks.
v. Limiting the duration of the testing period to a maximum of six (6) months cohort basis, or promptly asking for an extension when necessary.
vi. Providing a consumer redress mechanism, including the possibility for financial compensation for sandbox participants whose data may be harmed in a test under clearly specified circumstances.
vii. The power of the CBN to review all cases passing through the Consumer Redress Mechanism and addressed by the participant to measure fairness and the obligation of the participant to escalate an issue to the Sandbox Innovation Office where a customer is not satisfied with a resolution by the participant.
viii. Committing adequate and competent resources to undertake the testing and implement risk mitigation solutions that have been proven to be effective in containing the consequences of failure.
ix. Requirements to carry out system penetration simulations.
x. Requirements to obtain consumers’ prior verifiable consent to the participation in the test.
xi. Restriction or prohibition to hold or control client money or financial assets.
xii. The obligation of the Sandbox participants to allow its customers opt out of the test provided they abide with non-disclosure agreements.
3.0. What are the Eligibility Criteria for Sandbox Participation in Nigeria?
The CBN reserves the prerogative to set the criteria for determining which Fintech company to be selected for participation in Sandbox trials. The criteria set out in the Sandbox Framework are as follows:
(a) The product, service or solution must be innovative with clear potential(s) to:
- Improve accessibility, customer choices, efficiency, security and quality in the provision of financial services; or
- Enhance the efficiency and effectiveness of Nigerian Financial Institutions management of risks; or
- Address gaps in the financial sector or open up new opportunities for financial benefits or investments in the Nigerian economy.
(b) Ability of the applicants to provide the proposed project within a limited transaction (value and volume) for better risk management and mitigation. The limits shall not be exceeded during the testing period of six (6) months unless extended by the CBN.
(c) Evidence that the applicant has conducted an adequate and appropriate assessment to demonstrate the usefulness and functionality of the product, service or solution and identified the associated risks which should be devoid of adverse effect to existing structures and consumer experience;
(d) Proof that the applicant has the necessary resources to support testing in the sandbox. This includes the required resources and expertise to mitigate and control potential risks and losses arising from offering of the product, service or solution to the consumers;
(e) The applicant should have a business plan to show that the product, service or solution can be successfully deployed after exit from the sandbox;
4.0. What is the Procedure for Application for Regulatory Sandbox Participation in Nigeria?
Applications to participate in the sandbox process are made on the invitation of the CBN and participants are selected based on CBN’s capacity (in addition to sandbox eligibility criteria and strategic objectives) and grouped in a yearly cohort (e.g. 2023 Cohort). Usually, the CBN would invite qualified applicants through a publication on its website, and local newspaper advertisement to submit applications. The details of the advert would include the minimum eligibility criteria to shortlist applicants who qualify to be absorbed into the sandbox. Receipt of application shall be acknowledged to applicants within Five (5) working days after submission.
The CBN will inform an applicant of its eligibility and approval to participate in the sandbox process within forty-five (45) working days after the closure of the application window and the names of selected applicants would be published on CBN’s website. A Letter of Approval would thereafter be issued by the CBN to allow Innovators as Sandbox participants to test their innovation upon entry into the sandbox.
5.0. What are the Requirements for Regulatory Sandbox in Nigeria?
Please note that there are application requirements which relate to the documentary requirements which each applicant is required to present during application stage. Also, there are operational requirements of the Sandbox which cover, at least, the following phases:
1. Filing requirements.
2. Reporting requirements while in the Sandbox.
3. Exit conditions and approval for expiration, and/or
4. Evaluation and Review of an approval.
5.1. Application or Documentary Requirements: All applications into the Sandbox shall be accompanied with the following documents:
i. Board Approval (where applicable);
ii. Certificate of Incorporation, Status Report of Application for Registration and Memorandum and Articles of Association of the Company;
iii. The company profile and functional contact: e-mails, telephone numbers, office and postal addresses;
iv. Shareholding structure of the company;
v. Organogram of the Company;
vi. Curriculum Vitae of Board and Management members of the Company;
vii. Project plan alongside a detailed business proposal;
viii. Key outcomes that the testing is intended to achieve;
ix. An outline of the strategy of the sandbox trials including current and potential engagements, geographical spread and benefits to be derived;
x. Anti-Money Laundering/Combating Financial Terrorism Policy;
xi. Evidence of patent certificates or registration of patent rights, where applicable; and
xii. Any other information that the CBN may require from time-to-time.
5.2. Filing Requirements: Upon successful selection of the qualified applicants, a Letter of Approval will be issued by the CBN to the selected applicants. After the issuance of Letter of Approval, the CBN will engage the admitted participants on the following:
i. Testing parameters such as the scope and duration of the test, regulatory flexibilities requested and frequency of reporting;
ii. Specific measures to determine the success or failure of the test at the end of the testing period;
iii. An exit strategy should the test fail; and
iv. The next steps the firm would take if the test is successful.
5.3.In addition to the above, participants prior to entry, shall include the following in the filing requirements:
i. A brief description of the Participant’s organization, including its financial standing, technical and business domain expertise;
ii. A brief description of the financial service to be experimented on, in the Sandbox;
iii. A description of how the Participant has met the Eligibility Criteria with supporting evidence;
iv. A disclosure of the boundary conditions for the Sandbox such as start and end dates, target volunteer customer types, customer limits, transaction thresholds, cash holding limits, and so on;
v. An assessment of the Participant’s readiness for testing which shall include customer safeguards and testing plans;
vi. Test scenarios shall include a quantification of the maximum potential direct and indirect losses and impact of the experiment;
- A description of the customer communications plan, including risk disclosures and material information about the company and the Sandbox;
viii. A description of the targets and key performance indicators, which will be used to determine the success of the experiment;
ix. A description of information and cyber security and other relevant measures taken by the participant to ensure safety of the solution;
x. A description of any third-party outsourcing arrangement including the due diligence conducted by the participant on the third party to ensure information and cyber security; and
xi. An assessment of the exit plan, scale-up and deployment strategy, along with an assessment of the timeline and gaps, if any, in meeting any heightened legal and regulatory requirements after exiting the Sandbox.
All of the above filing requirements will be reviewed to determine the suitability of the Applicant’s participation in the Sandbox trials.
6.0. What are the Reporting Obligations for Participants in a Sandbox in Nigeria?
1. Testing Parameters: Applicants shall put in place testing parameters to limit risks to the financial system and for the consumers, while achieving effective testing processes.
2. Consumer Protection Policy: The participants shall set consumer protection safeguards, to guarantee consumer protection. Consequently, consumers participating in the testing phase need to be made aware of their rights and especially, be provided with information and contact details of the sandbox to report any complaint or problem they experience.
3. Record-Keeping: The participants shall ensure proper maintenance of records during the testing period for a maximum of five (5) years, to support reviews of the test by CBN.
4. Periodic Reports: The participant shall submit periodic reports to CBN on the progress of the test, which includes information on the following:
a) Key performance indicators, key milestones and statistical information;
b) Key issues arising as observed from fraud or operational incident reports;
c) An updated risk register including possibility and treatment of any emerging risk(s);
d) Details on any audits conducted and, where applicable, submission of signed audit reports;
e) Customer satisfaction report, including complaints – if any;
f) A detailed log of operational or technical incidents (if any) and steps taken to address them; and
g)Actions or steps taken to address key issues identified during the testing.
5. Final Report: The participants shall submit a final report, confirmed by the Chief Executive Officer (“CEO”) of the company, containing the following information of the testing period:
(a) Key outcomes, key performance indicators against agreed measures for the success or failure of the test and findings of the test;
(b) A full account of all incident reports and resolution of customer complaints; and
(c) In the case of a failed or unsuccessful test, lessons learnt from the test and how the firm tends to wind down the test.
7.0. Are there any Responsibilities of Sandbox Participants?
Yes. The participants in the Sandbox shall:
i. Be responsible for monitoring and supervising the activities of its operations and staff.
ii. Have information on the tests carried out for each type of service or innovation.
iii. Monitor effective compliance with set limits and establish other prudential measures in each case.
iv. Take all other measures to enable it to operate strictly within the requirements of this Framework.
8.0. What does an Applicant Need to Know about the Timeline, Extension of Time and Exit from a Sandbox?
Timeline for Testing: Every application to participate in the Sandbox is required to explicitly indicate the initial testing timeline (in months) for the proposed test, not exceeding six (6) months. The estimated testing period may be extended at the discretion of CBN.
Extension of Testing Period: In order to extend the testing period, a written application must be submitted by the participants to CBN not later than thirty (30) calendar days before the end of the testing period. The application should state the additional time required and clearly explain reasons for requiring the extension. To minimize market distortion, CBN will not generally approve a protracted extension of the testing period unless the solution has been tested positively in general and it can be demonstrated that the extended testing is necessary to respond to specific issues or risks identified during initial testing.
Conclusion & Exit from the Sandbox: Upon the completion of a sandbox test, CBN will decide whether the product, service or solution should be introduced into the market. The CBN will issue an Approval-in-Principle (“AIP”) to successful participants in order to deploy their digital solution to the market, subject to the participants being able to meet CBN’s licensing requirements. The CBN may provide support for a successful participant for the purpose of obtaining requisite licence in the following ways:
a) Providing guidance in filing their applications for licence.
b) Advising on options for addressing identified risk issues.
Where a participant opts to discontinue in the sandbox, it may do so in writing, seeking the consent of CBN to withdraw from the sandbox trial. The consent of CBN shall be based on the effective closure of any outstanding regulatory obligations and consumer related matters, that may have arisen from the participant’s sandbox operations. Innovators must compare the results of their test against its original objectives and specify in their Final Report whether and how they intend to scale-up the technology tested: e.g., direct to consumers or, licensing it to other firms, or establishing new partnerships with other CBN-licensed firms, etc.
CBN may also prohibit deployment of the product, service or solution in the market upon the completion of the testing due to the following reasons:
(a) In the event of an unsuccessful testing based on agreed test measures; or
(b) The product, service or solution has unintended negative consequences for the public and/or financial stability.
9.0. How is the Confidentiality of the Innovation Protected during Sandbox Trials?
There are genuine concerns around confidentiality of the ideas disclosed to regulators or discussed during the testing period. So, the Regulatory Sandbox allows participants to decide which ideas to discuss, and the extent of details to be disclosed to other participants in the Sandbox. Participants shall be aware that disclosures of a detailed nature relating to new inventions may prejudice the ability to obtain patent protection for these inventions at a later date. To that end, whilst sandbox participants are encouraged to share and shape ideas, detailed disclosures relating to processes or specifications should be reserved until the IP is registered and protected.
Please note that the copyright, database rights, trade marks, designs, patents and other intellectual property (IP) arising in any confidential information existing prior to commencement of the Sandbox operations, or subsequently created exclusively by any participant (without reference to the confidential information of, or assistance from, other participants), shall be owned exclusively by that participant. IP created by any participant by reference to the confidential information of, or in conjunction with, other participants shall be owned jointly by those participants. This means that the affected participants will not be able to copy, use or exploit that joint IP without the consent of the others involved in creating that joint IP.
Participants are required to keep confidential all information disclosed by one party (the Disclosing Participant) to the other participant (the Receiving Participant) during Sandbox events, whether that information is disclosed verbally, in writing or in any other form and whether or not expressly stated to be confidential (confidential information). The Receiving Participant shall not use the confidential information of any Disclosing Participant to develop content, products, services, technologies or applications, or otherwise other than with the consent of the Disclosing Participant concerned.
If requested by the Disclosing Participant, the Receiving Participants shall destroy or return all the confidential information disclosed during the Sandbox operations. Please note that confidential information will not include information that is publicly available or has been independently developed without reference to the confidential information shared within the Sandbox, as demonstrated by reasonable written evidence.
**********************************************************************************
ABOUT KORIAT & CO.
We are a commercial law firm in Nigeria with network of lawyers and consultants in Ghana, Kenya and Rwanda. We assist clients on business registrations and licensing across multiple jurisdictions.
The above article is not legal advice and does not automatically make our readers our clients unless they specifically instruct us to act or represent them in any way.
Please contact Koriat & Co. through admin@koriatlaw.com or 09067842241 if you require additional information about or assistance in making the application for a Fintech licence.
