FinTech and Regulatory Sandboxes in the UK, Hong Kong and Singapore

As the FinTech industry continues to expand, regulators around the globe are starting to react. The past 18 months have seen the emergence of a new trend in financial services regulation, the “sandbox.”

Since the launch of the UK’s regulatory sandbox in May 2016, regulators across the globe have adopted similar frameworks. There are now regulatory sandboxes in Abu Dhabi, Australia, Canada, Hong Kong, Lithuania, Singapore, Switzerland and Thailand, to name a few, and the European Union recently set out proposals for a possible EU-wide regulatory sandbox.

The “sandbox” is a concept that regulators have adopted from the world of software development. A sandbox is a tool that allows developers to test a technological proof of concept prior to a full-scale public release. This gives a firm the ability to amend and improve a product iteratively based on feedback before path dependency and network effects set in and before it has invested significant sunk costs in the project.

In a regulated sector such as financial services, this iterative approach can be difficult for firms to replicate, particularly for startups, which typically lack the regulatory permissions that are needed to conduct real-world tests. By allowing new firms to experiment with real customers in a regulatory sandbox, regulators hope to remove some of the temptation for firms to rely on loopholes, regulatory arbitrage or an aggressive reading of financial services rules, in order to try to fall outside the scope of regulation in their testing phase. The sandbox is designed to create a “safe space” in which firms can enter the financial services market and experiment with new ideas with a degree of regulatory oversight and support.

Such regulatory sandboxes are not only of interest to startup firms. They also have potential benefits for more established market players that are looking to launch innovative new products that do not fit easily within the mold of existing financial services regulation. This could include larger firms in the banking, payment services and asset management sectors. Indeed, in the UK’s first round of sandbox applications around one-third of all applications were from larger financial institutions such as banks.

This post discusses the regulatory sandboxes in the UK, Hong Kong and Singapore and identifies points for firms thinking of using such sandboxes to consider.


The UK Financial Conduct Authority (FCA) launched its regulatory sandbox program in May 2016. So far 55 applicants have been accepted, with more expected to follow in the months ahead. Twenty-four applicants were accepted in the first cohort, 18 of which had their product testing plans approved in October 2016. A second cohort of 31 applicants were accepted on June 15, 2017. The FCA recently accepted applications for a third cohort and plans for a fourth cohort are anticipated. The firms accepted into the sandbox to date represent a range of market participants, both in terms of size and product types.

The sandbox aims to deliver more effective competition in the interests of consumers by:

  • Reducing the time and, potentially, the cost of getting innovative ideas to market;
  • Enabling greater access to funding for innovators;
  • Enabling more products to be tested and, thus, potentially introduced to the market; and
  • Allowing the FCA to work with innovators to ensure that appropriate consumer protection safeguards are built in to their new products and services.

The sandbox program is part of a broader initiative, “Project Innovate,” developed by the FCA to foster competition and growth in financial services by supporting businesses that are developing products and services that could “genuinely improve consumers’ experience and outcomes.” In addition to the regulatory sandbox, the FCA offers tailored regulatory support services to firms that it considers to be innovative and provides feedback to firms developing automated advice and guidance models.

To conduct a regulated activity in the UK, a firm must be authorized by or registered with the FCA, unless certain exemptions apply. Successful firms will need to apply for the relevant authorization or registration in order to test their products or services if these involve a regulated activity. However, the FCA has a tailored authorization process for firms accepted into the sandbox. Any authorization or registration is restricted and permits firms to test only the proposals agreed with the FCA. The FCA has stated that this tailored authorization process should make it easier for firms to meet its requirements and reduce the cost and time to get the test up and running.

The FCA has stated that the sandbox may be useful for the following types of firms:

a. Firms that need to become FCA authorized before testing their innovation in a live environment;
b. FCA authorized firms looking for clarity about rules before testing an idea that does not easily fit into the existing regulatory framework; and
c. Technology businesses that want to provide services to FCA regulated firms (e.g., through outsourcing agreements) and need clarity about rules before testing their services.

The sandbox is selective. The FCA is only able to monitor a small number of firms in each cohort and they are only interested in firms which they consider to be “genuinely innovative.” The box on the following page sets out the criteria and positive indicators that the FCA will consider when assessing applications. The positive indicators are not exhaustive and fulfilling each of them is not a condition of meeting the relevant criterion.

FCA Sandbox – Criteria and Positive Indicators

1. In scope: Are you looking to deliver innovation that is either regulated business or supports regulated business in the UK financial services market?

2. Genuine innovation: Is your innovation groundbreaking or a significantly different offering in the marketplace?

  • Desk research produces few or no comparable offerings already established on the market.
  • Step-change in scale.

3. Consumer benefit: Does the innovation offer a good prospect of identifiable benefit to consumers (either directly or via heightened competition)?

  • The innovation is likely to lead to a better deal for consumer directly or indirectly.
  • The business has identified any possible consumer risks and proposed mitigation.
  • The innovation will promote effective competition.

4. Need for a sandbox: Do you have a genuine need to test the innovation in our sandbox?

  • The innovation does not easily fit the existing regulatory framework, making it difficult or costly to get the innovation to market.
  • There is a clear need for a sandbox tool to test in a live environment.
  • The business has no alternative means of engaging with the FCA or achieving the testing objective.
  • The full authorization process would be too costly/difficult for a short viability test.

5. Ready for testing: Are you ready to test the innovation in the real market with real consumers?

  • You have a well-developed testing plan with clear objectives, parameters and success criteria.
  • Some testing has been conducted to date.
  • The firm has the resources to test in the sandbox.
  • The firm has sufficient safeguards in place to protect consumers and is able to provide appropriate redress if required.

Firms considering applying for the FCA sandbox should think carefully about whether using the sandbox gives the firm an advantage over an application for full authorization (or a variation of permission) for the relevant activity. While the sandbox can provide firms with greater flexibility, it may also bring greater regulatory scrutiny of the relevant business and could lead to the business having to be discontinued if the FCA is not satisfied with the way in which the firm is running it. Another point to consider is that firms using the sandbox must have sufficient capital to compensate clients in the event of loss resulting from the service offered. This could potentially mean having a higher level of capital than the firm would be required to maintain under a full regulatory authorization (e.g., as a payment institution).

EU FinTech Developments

In March 2017, the European Commission published a consultation paper on FinTech in which it suggested the creation of a pan-EU regulatory sandbox. This can be seen partly as a competitive initiative in the context of the UK’s departure from the EU (Brexit), due to take place by March 30, 2019. The UK is currently the main European hub for FinTech business and the timing of the European Commission’s consultation suggests that at least a part of the Commission’s objectives is to ensure that the remaining EU member states are able to compete with the UK in the post-Brexit European FinTech market. However, unsurprisingly, the Commission has not confirmed this formally.On August 4, the European Banking Authority published the results of a large-scale “mapping exercise” of Europe’s FinTech companies, which found that the largest proportion of sampled FinTech companies (31 percent) were not subject to any financial regulatory regime at all. These findings, together with the European Commission’s proposals, suggest that EU policy makers and regulators could soon be looking to bring more FinTech firms under regulatory supervision, albeit with the stated objectives of improving competition and innovation.

Hong Kong

In September 2016, the Hong Kong Monetary Authority (the HKMA) announced the launch of its Fintech Supervisory Sandbox (the HKMA Sandbox).

The HKMA Sandbox initiative aims to allow banks to conduct pilot trials of FinTech and other technology initiatives within a controlled environment, without the need to fully comply with the HKMA’s usual regulatory requirements during the trial. The HKMA’s model is only available to banks regulated by the HKMA and excludes start-ups, stored value facility operators and other non-bank institutions. However, such entities may collaborate with a bank under this initiative and participate indirectly in the HKMA Sandbox with bank sponsorship.

There is no limit to the number of participants that may conduct tests in the HKMA Sandbox. From September 2016 to May 2017, 15 pilot trials of FinTech products were conducted by six banks, and some of these initiatives have since been rolled out to the market. The trials included FinTech products that relate to authentication options involving biometric features, application programming interfaces, soft tokens, chatbots, and securities trading and blockchain technology for use in mortgage valuation. Early assessments by participating banks have indicated that participation in the HKMA Sandbox helped accelerate the launching process for certain products by two to three months.

The HKMA does not currently publish a full list of supervisory requirements that may be relaxed during the FinTech product’s trial period. However, it has indicated that it will hold individual discussions with banks wishing to utilize the HKMA Sandbox regarding the appropriate supervisory flexibility. With the HKMA’s approval, banks can therefore test FinTech products without incurring the usual regulatory consequences during their development stage, such as certain security-related e-banking requirements and the requirement to conduct a pre-launch independent assessment for new technologies by third-party consultants.

HKMA Sandbox Controls

Within the HKMA Sandbox, banks can also test FinTech initiatives which provide banking services to a limited number of customers (such as staff members or focus groups of customers) in order to gather real-life data and user feedback in a controlled environment and to make appropriate refinements to their products before the full launch. This is subject to compliance with the following controls:

  • Adequate measures must be implemented to protect the interests of customers throughout the trial. These include: (a) ensuring that participating customers provide informed and voluntary consent; (b) ensuring that enhanced customer complaints procedures and avenues to compensate for financial losses caused by any failures of the trial are in place; and (c) maintaining appropriate arrangements for customers who wish to withdraw from the trial.
  • Appropriate risk management controls must be in place to mitigate any risks arising from less than full compliance with the HKMA’s supervisory requirements and to address the risks (including cyber-attacks and system disruptions) that may be caused by the trial to other bank systems and to customers who did not join the trial.
  • The scope and phases of the trial (such as the number and type of customers participating, and the FinTech and banking services involved), timing and termination arrangements must be clearly defined.
  • The systems and processes must be ready for trial, and the trial must be monitored adequately to ensure that the bank can promptly identify and manage any significant issues that may arise.

Banks interested in participating in the HKMA Sandbox are required to contact the HKMA. The HKMA has stated that it will continue to refine the HKMA Sandbox over time in light of its implementation experience and industry developments in this area.

The HKMA Sandbox is part of a broader regulatory policy to promote FinTech in Hong Kong’s banking sector. In March 2016, the HKMA established the Fintech Facilitation Office to support these efforts. The HKMA has also introduced several other initiatives, including the Cybersecurity Fortification Initiative in May 2016, which is a new platform comprising three pillars — cybersecurity risk assessment, intelligence sharing, and talent development — to enhance the cyber resilience of the banking system. Further, in collaboration with the Hong Kong Applied Science and Technology Research Institute (ASTRI), the HKMA embarked on a specialized research project on distributed ledger technology to explore its potential for application to the local banking industry and established the Fintech Innovation Hub at ASTRI’s premises to provide technical support for the banking and FinTech sectors. Finally, on a wider scale, the HKMA and the FCA have entered into a cooperation agreement to foster collaboration between the two regulators on FinTech.

Outside of the banking industry, lawmakers have urged regulators, such as the Securities and Futures Commission (SFC) and the Insurance Authority, to clone the HKMA’s Sandbox in order to progress FinTech initiatives for brokers, insurance companies and other non-bank organizations. For example, there have been calls to promote equity crowd funding, which is currently banned in Hong Kong. However, at present the SFC does not see a need to introduce a sandbox for the purposes of developing FinTech initiatives, while the Insurance Authority noted that its dedicated FinTech liaison platform would work to enhance greater communication with the FinTech industry in Hong Kong. Therefore, it remains to be seen whether Hong Kong will follow in the footsteps of the UK and Singapore in allowing financial institutions (other than banks) to conduct pilot trials of their FinTech solutions. It is clear, however, that the HKMA is committed to raising Hong Kong’s profile as a FinTech hub by taking active steps to provide the necessary regulatory environment conducive to the testing of new and innovative products and initiatives.


In November 2016, the Monetary Authority of Singapore (MAS) issued the FinTech Regulatory Sandbox Guidelines together with an application template form for applicants seeking entry into its regulatory sandbox.

There is no limit on the number of firms that may participate in the MAS’ sandbox. A successful sandbox applicant will have its name and the start and expiry dates of the sandbox period published on the MAS’ website. As of July 2017, there was one active participant in the sandbox.

The MAS aims to transform Singapore into a smart financial center by encouraging the adoption of innovative and safe technology in the financial sector. The objective of the sandbox is to encourage more FinTech experimentation within a well-defined space and duration where the MAS will provide the requisite regulatory support, so as to:

  • Increase efficiency;
  • Manage risks better;
  • Create new opportunities; and
  • Improve people’s lives.

To conduct an MAS-regulated activity in Singapore, a firm must be licensed by the MAS, unless it is able to utilize an applicable licensing exemption. With the introduction of the regulatory sandbox, the MAS may relax specific legal and regulatory requirements for conducting MAS-regulated activities on a case-by-case basis. Examples of legal and regulatory requirements that the MAS may consider relaxing for the duration of the sandbox experimentation period include asset maintenance and capital adequacy requirements, board composition and management experience, while examples of the requirements that the MAS intends to maintain include customer confidentiality and rules relating to anti-money laundering and countering terrorist financing.

MAS Evaluation Criteria

The MAS has stated that it will use the following evaluation criteria to assess sandbox applicants:

  1. The proposed financial service must include new or emerging technology, or use existing technology in an innovative way (e.g., research should show that few or no comparable offerings are available in the Singapore market).
  2. The proposed financial service should address a problem, or bring benefits to consumers or the industry (e.g., supported by evidence from relevant consumer or industry research).
  3. The applicant must have intention and ability to deploy the proposed financial service in Singapore on a broader scale after exiting the sandbox. If there are exceptional reasons why the proposed financial service cannot be deployed in Singapore, e.g., it is not commercially viable to deploy in Singapore, the applicant should be prepared to continue contributing to Singapore in other ways, such as continuing the developmental efforts of the proposed financial service in Singapore.
  4. The test scenarios and expected outcomes of the sandbox experimentation should be clearly defined, and the sandbox applicant should report to the MAS on the test progress based on a schedule agreed with the MAS.
  5. The appropriate boundary conditions should be clearly defined, for the sandbox to be meaningfully executed while sufficiently protecting the interests of consumers and maintaining the safety and soundness of the industry.
  6. Significant risks arising from the proposed financial service should be assessed and mitigated (e.g., providing evidence of preliminary testing of the proposed financial service as part of the sandbox application, identifying the risks discovered from the preliminary testing and the proposal for mitigating the risks).
  7. An acceptable exit and transition strategy should be clearly defined in the event that the proposed financial service has to be discontinued, or can proceed to be deployed on a broader scale after exiting the sandbox.

The sandbox is open to all firms, including financial institutions, technology firms and professional services firms partnering with or providing support to such businesses.

Interested applicants are encouraged to contact the MAS before submitting their applications, in order to clarify any questions regarding the sandbox. The MAS has indicated that it will inform applicants on the potential suitability of their proposed financial service to be in the sandbox within 21 working days of receipt of a properly completed application. If a proposed financial service is found to be potentially suitable, the MAS will then proceed to the next evaluation stage, at the end of which the MAS will either approve the application (in which case the applicant may proceed to the sandbox experimentation stage) or reject the application. At the end of the sandbox period, the legal and regulatory requirements relaxed by the MAS will expire, and the sandbox entity must exit from the sandbox. Upon exiting, the sandbox entity can proceed to deploy the financial service under experimentation on a broader scale, provided that the MAS and the sandbox entity are satisfied that the sandbox has achieved its intended test outcomes, and the sandbox entity can fully comply with the relevant legal and regulatory requirements.

The sandbox is part of the MAS’ vision for Singapore to be a Smart Financial Centre where innovation is pervasive and technology is widely used. In August 2015, the MAS formed a Financial Technology & Innovation Group (FTIG) within the MAS to drive the Smart Financial Centre initiatives. An MAS FinTech Office, established on May 3, 2016, serves as a one-stop virtual center for all FinTech-related matters and aims to promote Singapore as a FinTech hub. The MAS is working on a number of other technological initiatives within this broader regulatory policy, including in relation to activity-based regulation for payments, blockchain infrastructure for cross-border inter-bank payments, a national “know-your-customer” utility, and an open application programming interface (API) infrastructure.

Conclusion: To Play or Not to Play

Regulatory sandboxes may be a useful option for firms of all sizes to consider when launching innovative new products and services that do not fit easily within existing regulatory frameworks. However, firms should consider carefully whether testing the product in a regulatory sandbox is the best route to market. On that note, we leave sandbox hopefuls with a few tips . . .

  • Don’t bring your bucket and spade until you’re ready to play

Firms should assess whether the product in question is likely to fulfil the criteria of the relevant sandbox. If the regulator does not think the firm has fulfilled the criteria, or the product is not ready for testing, you might find that you are not allowed in the sandbox.

  • Don’t bother with the sandbox if you’re ready for the playground

If a firm is relatively certain of the regulatory authorization it requires for a full rollout of the product, applying to a regulatory sandbox may simply delay the go-to-market timeframe. Firms should consider whether restrictions or ambiguity under existing rules make applying for full authorization from the regulator problematic and whether further testing with an ongoing regulatory dialogue could be helpful. If so, the sandbox may be for you. If not, you may be better off just seeking authorization in the normal way.

  • Remember you are being supervised

Unlike children playing in a sandbox, who may be blissfully unaware of a parent’s watchful eye (until they start throwing sand at one another), it will be very clear to firms testing products in a regulatory sandbox that they are subject to oversight. That may be no bad thing from the firm’s perspective, as it will have the benefit of continual feedback from the regulator as the product is developed and tested. It may also give the firm the opportunity to build a constructive working relationship with the regulator and learn more about the regulator’s supervisory culture and expectations. However, firms should also be mindful that the sandbox is as much about the regulator testing the firm as about the firm testing the product. As such, you had better be on your best behavior if you do not want a parent to take away your toys.

  • Don’t get stuck in quicksand

If the regulator concludes that the firm is not ready to roll out the product beyond the sandbox, the firm’s legal and compliance function may have to tell the business that their planned go-to-market date was a pipe dream. As such, firms in the sandbox need to be flexible and take on board feedback from the regulator throughout the process. This means the business needs to keep an open ear to the regulator and those internal functions liaising with it. Firms should also have a “plan B” in case the regulatory approval they ultimately require is not forthcoming. This could be a cut-down version of the product or an alternative structure that fits more easily within the existing regulatory framework or an exemption from the relevant authorization requirement.