Home >Newsletters & Updates>JSA Prism>RBI amends regulatory sandbox scheme and integrates the new data privacy law

RBI amends regulatory sandbox scheme and integrates the new data privacy law

Please click here to download the Prism as PDF.

The concept of a regulatory sandbox (“RS”) involves regulatory authorities providing an environment for real-time testing of innovative products, services, and approaches. In the Indian FinTech industry, this concept originated from the efforts of the 2016 Inter-regulatory Working Group (“WG”) established by the Reserve Bank of India (“RBI”). This group was formed to delve into the intricate details of FinTech and the regulatory landscape. It aims to equip regulators with the necessary tools to effectively respond to, regulate, and support India’s rapidly evolving FinTech industry.

The WG released its report in 2018 and recommended setting up an enabling framework for regulatory sandbox (“RS Framework”) laying the groundwork for experimentation and innovation in the FinTech sector. The release of the latest amendment on February 28, 2024, underscores the RBI’s commitment to optimizing the RS Framework based on the insights gained from practical experience and stakeholder engagement.

Among the revisions introduced in the latest amendment, one of the key inclusions of the requirement on sandbox entities were to comply with the Digital Personal Data Protection Act, of 2023 (“DPDP Act”). The DPDP Act was published by the government of India (“GoI”) on August 11, 2023, and forms the new data protection framework and regulatory regime in India. However, as of February 2024, further actions on behalf of the GoI may be required to make the DPDP Act effective, including notifying the rules and regulations required for effective implementation and enforcement of the DPDP Act and repealing the earlier existing privacy rules.

 

What is the RS Framework?

The RS Framework permits limited-time testing of new financial services or products within a controlled setting. It aims to foster careful innovation in financial services, enhance efficiency, and ultimately benefit consumers. Additionally, it enables participants to assess their product feasibility without a full-scale costly launch. The RBI may grant certain relaxations during testing, and upon successful completion of the RS allows for regulatory approvals and authorizations.

FinTech companies, startups, banks, financial institutions, limited liability partnerships, partnership firms, or other entities may apply for testing their products within the RS, allowing experimentation in areas where regulations may be absent or require temporary relaxation. The products eligible for testing within the RS are required to meet specific criteria and may include retail payments, money transfer services, digital know you customer (KYC) and identification services, and offerings related to regulatory technology or supervisory technology. However, products involving credit registry or information, crypto-assets, or those prohibited by the GoI are not eligible for testing within the RS.

 

Recent tweaks in the updated RS Framework

  1. Themed cohorts: While the earlier framework would permit entry to RS entities based on the specified themes such as payments or financial inclusion, the revised framework allows cohorts to be theme neutral with products from various functions being eligible to apply.
  2. RS timelines: The RBI has extended the standard period for the RS process to run up to 9 (nine) months from the earlier 7 (seven) month period restriction.
  3. Fit and proper criteria for selection of applicants: The RBI has added 2 (two) new conditions to the fit and proper criteria envisaged under the RS framework. These conditions include:
    • where the proposed product is similar to one that has been already tested under RS and no innovation is envisaged, the same may not be considered eligible under RS; and
    • entities will be allowed to enter into in-principle partnership arrangements, if any, with various stakeholders at the time of applying to the RS.

Apart from this, the RBI has also included conditions that may lead to a selected applicant being disqualified from the RS. These new disqualifying scenarios include where the applicant has (i) furnished misleading or inaccurate information, or concealed material facts in its application; (ii) suffered any breach in the data security/ failed to address technical defects, if any, failure to develop or implement safeguards, or the entity goes into liquidation or has its regulatory license cancelled; and, (iii) been unable to start testing or enter into partnerships on time.

  1. Amendments in the RS process: The RBI has undergone a significant change in the regulatory sandbox process, implementing revisions across its various stages. These changes aim to streamline operations, enhance participant engagement, and improve the overall effectiveness of the sandbox initiative. The following outlines the updated procedure that applicants may need to adhere to:
    • Preliminary Screening: The FinTech Department (“FTD”) of RBI, guided by the Inter-Departmental Group (“IDG”) on RS, will oversee a comprehensive sandbox process from start to completion. FTD will assess applications and select suitable candidates according to the eligibility requirements and sandbox objectives. This phase is expected to last approximately 1 (one) month.
    • Application assessment and shortlisting: The selected applications will be evaluated on certain criteria such as innovation, technological components, security measures, and other factors. Any regulatory adjustments sought by applicants will be assessed on a case-to-case basis. Subsequently, applicants will present their concepts to IDG overseeing the RS for advancement to the testing phase. This phase is expected to last for a duration of 6 (six) weeks.
    • Formulation of test design and integration phase:Collaborating with the FTD, applicants will finalize the test design and define metrics to assess the benefits and risks of the proposed innovations. They may also collaborate with partners, if applicable, and make preparations for testing their product or service. This phase is projected to last over 6 (six) weeks.
    • Testing Phase: The applicants are permitted to conduct trials of their products and services for up to 5 (five) months. Throughout this period, they are required to submit bi-weekly reports on the test outcomes to the FTD.
    • Evaluation Phase: The FTD will evaluate the test outcome reports in both quantitative and qualitative terms to determine the viability and suitability of the product or service within the RS Framework. This stage is anticipated to take 1 (one) month.

The proposed timelines for each stage are approximate and subject to change, as each stage entails multiple factors and interactions with stakeholders. The FTD will have the discretion to determine the timelines for each stage while striving to closely adhere to them, ensuring the timely achievement of the RS objectives.

  1. Data-privacy-related changes: RS entities are required to handle all data within their possession or control in strict adherence to the regulations stipulated in the DPDP Act. This entails implementing suitable technical and organizational measures to ensure full compliance with the DPDP Act’s provisions. Additionally, RS entities are tasked with establishing robust safeguards to prevent any potential breaches of personal data. These measures are essential to uphold the integrity and security of personal data and maintain trust within the regulatory sandbox environment.

 

Conclusion

By integrating the DPDP Act in the RS Framework, the RBI demonstrates a commitment to bolstering data protection measures and fostering responsible innovation. This proactive approach enhances consumer trust, provides clarity for industry players, and establishes a more secure testing environment. As we advance, the inclusion of DPDP Act within the RS Framework is poised to facilitate the development and deployment of innovative FinTech solutions, driving the sustainable growth of India’s digital economy.

 

This Prism has been prepared by:

Sajai Singh, Partner, JSA

Sajai Singh
Partner

Saurabh Sinha
Senior Associate

Himanshu Kumar
Associate

 

For more details, please contact [email protected]

 

POST TAGS

MORE NEWSLETTER BY THE AUTHOR

Newsletters JSA Newsletter | Finance | May-June Edition 2024
Newsletters JSA Newsletter | Indirect Tax | July 2024
Newsletters JSA Newsletter | Insurance | April to June 2024 Edition
 

Search

Popular Posts

Newsletters & Updates

  • Newsletters
  • July 22, 2024

JSA Newsletter | Finance | May-June Edition 2024
  • Newsletters
  • July 18, 2024

JSA Newsletter | Indirect Tax | July 2024
  • Newsletters
  • July 17, 2024

JSA Newsletter | Insurance | April to June 2024 Edition
  • Newsletters
  • July 17, 2024

JSA Newsletter | Highways & Logistics | June 2024
  • Newsletters
  • July 17, 2024

JSA Newsletter | Anti-Corruption, White Collar Crimes and Investigations Practice | July 2024
  • JSA Prism
  • July 15, 2024

Stringent measures against cybercrimes in India’s new criminal justice system
View More