Sandboxes Are For Kids, Grownups Play Hardball

Tuesday, 20 July 2021
By Michael Mainelli

The unnecessary complexity of regulation has led to a counter-complexity initiative from regulators, ‘sandboxes’. In 2015, the UK Financial Conduct Authority (FCA) announced that it was launching a regulatory sandbox. The FCA hoped the sandbox would provide:

  • the ability to test products and services in a controlled environment;
  • reduced time-to-market at potentially lower cost;
  • support in identifying appropriate consumer protection safeguards to build into new products and services;
  • better access to finance.

As of 2020 about 30 countries have followed this approach, e.g. some advanced countries such as Singapore and Switzerland, highly regulated economies with strongly enforced frameworks for operating in the financial sector, and some developing countries such as Kenya, South Africa, and Sierra Leone. However, significant jurisdictions have said “no”, Germany, France, Ireland, the USA federal government (two states, Arizona and Wyoming have, but not 48 other states). Many regulators have consulted on the idea. It has been dismissed as ‘just marketing to politicians’ by some. Others have noted that the regulators job is to enforce regulation. If you desire marketing set up a marketing or industry support department. A few regulators have categorically dismissed the idea, saying to their governments that fostering innovation and foreign direct investment most certainly should be segregated from regulation. Let’s look at each proposed benefit:

A controlled environment for testing – One argument for sandboxes has been that firms can use real data and real customers. This is alluring. Startups need real customers and real data, but in reality have to be operating anyway to get them. One could argue that “sandboxes are where children play”, yet take it further. Large financial behemoths, for example the big four banks in the UK by number of customers, Lloyds, Barclays, RBS, Nationwide, find it difficult to change. Any IT change is fraught, yet to advance they have to take risks. If a change on real customers is a failure, there are serious consequences. Perhaps “sandboxes are where the big kids are allowed to play without hurting themselves”. So long as big firms use a sandbox and make full restitution if they screw up, they can continue to experiment on catching up with the leading edge. The little kids and real innovation occur elsewhere.

Reduced time-to-market – This argument might be better rephrased as “more certain time to market”. Some anecdotes from Z/Yen and Long Finance indicate that smaller firms do appreciate engagement with the regulator that gives them some assurance what they are proposing to do won’t be peremptorily closed down. However, these firms equally point out that engagement with a regulator most certainly does not reduce time-to-market. It just makes excessive time-to-market at late notice less likely.

Consumer protection safeguards – Most firms find this the least credible argument. Consumer-corporate interactions on finance are well-understood. Data protection obligations equally so. To most professionals in finance this argument is regulatory whitewash and self-justification. Perhaps if the regulator signed off that successful sandbox activity was fully compliant with customer protection, but no regulator to date has given any assurances that a successful sandbox application is in any way ‘certified’, because of course that would favour certain firms over others.

Better access to finance – This argument is true, for those who manage to get into the sandbox. The apparent ‘imprimatur’ of the regulator implies that the business case of a startup looks more credible than others, and that, in some way, the regulator ‘approves’ of the new innovative approach.


But aren’t sandboxes anti-competitive? This is a particularly strong argument. First, the sandbox idea makes investors look for pseudo-approved startups. Second, startups look to get into sandboxes to improve their chances of raising finance. Third, investors begin to let regulators do their pre-selection work for them, not least influenced by the notion that even if they identify a good firm outside the sandbox funnel, it’s going to get approval after sandbox firms or just less likely to get regulatory approval later on. Fourth, firms that don’t need the sandbox concept, nevertheless realise that pretending they need to get in will help fundraising, thus displacing those who might benefit. Fifth, the regulatory application funnel most often gets clogged up and delayed, having underestimated demand for regulatory imprimaturs for fundraising – itself a sign of overregulation. So, we wind up with a situation where the regulator is the gateway to the speed and nature of innovation. Not exactly what was intended.

That said, there are useful, progressive regulatory interventions, so long as they are directed at supporting open, competitive markets. Here are a few:

  • provide open industry data test sets, e.g. anti-money laundering, or consumer activity, that allow firms to test that their prototype systems can hand real, though anonymised, data;
  • work on consistent standards for connecting firms together, more for inputs and output than processes;
  • promote open data wherever possible, for example European regulators could go much further with GDPR to push for consumer-ownership of data and firms just ‘leasing it back’;
  • promoting e-signatures in the round, as well as digital signature (more secure subset of e-signatures with certificates) and BankID approaches;
  • permit, subject to restitution, firms large and small to experiment so long as they notify the regulator in advance.