Bank Negara issues new Fintech Sandbox Framework
08 March 2024
Bank Negara Malaysia (‘
BNM’) issued the
Financial Technology Regulatory Sandbox Framework (‘
Policy Document’) on
29 February 2024. The Policy Document came into effect immediately upon its issuance and supersedes the policy document of the same name issued on 18 October 2016 (‘
Superseded Policy Document’).
The Policy Document applies to:
- a financial institution, namely:
- a licensed bank, including a licensed digital bank, and a licensed investment bank under the Financial Services Act 2013 (‘FSA’);
- a licensed Islamic bank, including a licensed Islamic digital bank, under Islamic Financial Services Act 2013 (‘IFSA’);
- a prescribed development financial institution under the Development Financial Institutions Act 2002;
- a licensed insurer, including a professional reinsurer, under the FSA;
- a licensed takaful operator, including a professional retakaful operator under the IFSA;
- a licensed money services business under the Money Services Business Act 2011 (‘MSBA’);
- an approved issuer of a designated payment instrument under the FSA;
- an approved issuer of a designated Islamic payment instrument under the IFSA;
- an approved and registered intermediary, namely:
- an approved insurance broker including marine, aviation and transit (MAT) insurance broker under the FSA;
- an approved financial adviser under the FSA;
- an approved Islamic financial adviser under the IFSA;
- an approved money broker under the FSA;
- an approved takaful broker including approved takaful brokers (specialised) under the IFSA;
- an electronic trading platform (ETP) approved by BNM; and
- a registered adjuster under the FSA;
- an approved operator of a payment system under the FSA or the IFSA;
- a registered merchant acquirer under the FSA to carry on merchant acquiring services;
- a company (excluding a financial institution) that utilises or plans to utilise technology or any other innovation to provide financial services (‘fintech’) to test solutions within the sandbox environment subject to BNM’s approval under the Policy Document (‘fintech company’) which collaborates with a financial institution, an approved and registered intermediary, an approved operator of a payment system or a registered merchant acquirer; and
- a fintech company intending to carry on:
- an authorised or registered business as defined in the FSA;
- an authorised business as defined in the IFSA; or
- a money services business as defined in the MSBA.
The Policy Document introduces two key enhancements to the Superseded Policy Document:
- simplifying of the Stage 1 eligibility assessment criteria of the Standard Sandbox pathway, to ensure that the rigour of assessment is proportional and better aligned with the development cycle of new innovations; and
- introducing a risk-proportionate accelerated track (‘Green Lane’) to facilitate faster testing of innovative solutions by granting regulatory flexibility to financial institutions with a strong track record in risk management, governance and compliance capabilities.
Standard Sandbox
The Policy Document provides that an application to participate in the Standard Sandbox is to be reviewed in two stages, namely:
• Standard Sandbox Stage 1 – Eligibility; and
• Standard Sandbox Stage 2 – Preparation.
Stage 1 - Eligibility
An applicant must satisfy the following criteria to be eligible to participate in the Standard Sandbox:
Criteria 1: Identification of the regulatory impediment
An applicant must demonstrate the existence of any regulatory impediment in respect of its proposed solution. It is to be noted that in respect of Islamic financial services, any non-compliance or inability to comply with Shariah principles or Shariah ruling shall not be construed as a regulatory impediment in determining the eligibility to participate in the sandbox; |
Criteria 2: Value Proposition
The proposed solution must be innovative with clear potential to improve accessibility, efficiency, or quality of financial services, or enhance the effectiveness of risk management in financial services; |
Criteria 3: Business Plan and State of Readiness
An applicant is reasonably resourced to demonstrate a semi-functional prototype as specified in Appendix III of the Policy Document within three months from the time of application (or such longer period as allowed by BNM on a case-by-case basis); |
Criteria 4: Risk Management
An applicant must demonstrate its ability to identify and mitigate risks associated with its proposed solution in a manner that is proportionate with the projected scale of business activity and its nature of risk; and |
Criteria 5: Fit-and-proper
An applicant must demonstrate a proven track record of the credibility and integrity of its key management personnel and persons with significant decision-making authority in the proposed solution. |
BNM will endeavour to inform the applicant of its eligibility to participate in the sandbox within 15 working days after receiving a complete set of information necessary for the assessment as specified in Appendix II of the Policy Document. Eligibility to participate in the sandbox is
not to be construed as approval to test in the sandbox. Stage 1 of the Standard Sandbox serves to inform the applicant of its potential suitability to participate in the sandbox and to help the applicant with its business and resource planning.
Stage 2 – Preparation
Once an applicant is notified by BNM of its eligibility to participate in the Standard Sandbox, it will proceed to Stage 2. During Stage 2, BNM will consider whether to approve the applicant to test a solution in the Standard Sandbox based on the applicant’s ability to satisfy the following:
- an applicant must demonstrate the practical feasibility of its solution via a fully functional prototype as specified in Appendix III of the Policy Document. This includes the readiness of its front-end and back-end infrastructure supplemented by proper product documentation (e.g. functional, technical design document, user guide, etc.);
- an applicant must demonstrate that it has sufficient resources to support the testing of its solution in the sandbox prior to live testing with proper evidence (such as letter of funding);
- an applicant must be able to identify the potential risks to financial institutions and financial consumers that may arise from the testing of the solution in the sandbox and propose appropriate safeguards to address the identified risks;1 and
- in respect of Islamic financial services, an applicant must provide an attestation by an appointed Shariah Committee or consultant that the new solution to be tested is consistent with prevailing Shariah ruling2.
In addition to the above, BNM may require the applicant to provide, without limitation, the following:
- the testing parameters, including the scope and duration of the test, regulatory flexibilities requested and reporting frequency;
- specific measures to determine the success or failure of the test at the end of the testing period;
- an exit strategy if the test fails or is discontinued; and
- a transition plan for the deployment of the solution on a commercial scale upon successful testing and exit from the sandbox.
The Green Lane
The eligibility of a financial institution to participate in the sandbox through the Green Lane involves two levels of assessment:
- a one-off assessment of a financial institution’s risk management, compliance and governance capabilities based on existing track record where BNM will determine whether to grant approval for the applicant to utilise the Green Lane; and
- subsequent simplified registration procedures for approved Green Lane participating institutions to test individual solutions that face regulatory impediments.
An overview of the Green Lane’s operational mechanism is illustrated in Appendix IV of the Policy Document.
Application Procedure and Assessment Process
All financial institutions may apply to participate in the sandbox through the Green Lane. Fintech companies are
not eligible to participate in the sandbox through the Green Lane. Notwithstanding the foregoing, applications by financial institutions to use the Green Lane may include collaborations with fintech companies. However, BNM reserves the right to determine whether the testing of a solution involving such collaborations should be performed in the sandbox through the Green Lane or the Standard Sandbox procedure.
Financial institutions intending to utilise the Green Lane must have a strong track record in risk management, compliance and governance. In considering an application to participate in the sandbox through the Green Lane, BNM will assess a financial institution’s risk management, compliance and governance capabilities based on its existing track record.
3
Admission of financial institutions to the Green Lane will be performed on a cohort basis. Application will be opened twice a year, from 1 to 31 January and 1 to 31 July. Further details on the submission requirements for admission to the Green Lane are set out in Part D of the Policy Document. Additional information set out in paragraph 7.8 of the Policy Document must also be submitted to BNM together with the application to utilise the Green Lane.
BNM will endeavour to inform the financial institution of its decision to approve the latter’s participation in the sandbox through the Green Lane within 30 working days of receiving a complete application as specified in Part A of Appendix V of the Policy Document.
Upon its application to participate in the sandbox through the Green Lane being approved, a financial institution will be deemed as a Green Lanne participating institution
4. An approval granted to a Green Lane participating institution shall remain effective unless revoked by BNM.
5
Qualified Projects – Parameters and Safeguards
Green Lane participating institutions may avail themselves to a simplified registration procedure to commence testing of a new solution in the Green Lane subject to the following:
- A Green Lane participating institution intending to test a solution offered to the general public must limit the offering to 20,000 unique customers per registered solution throughout the testing period which shall not exceed 12 months, provided that BNM may require the customer limit to be lower than 20,000 if it deems the registered solution to be of higher risk;
- A Green Lane participating institution must consider the potential direct financial losses related to its solution that all customers and entities may suffer and provide appropriate compensation should such a risk materialise;
- A Green Lane participating institution must register with BNM its intent to test any new solution at least 15 working days before the planned date for its testing by submitting the complete information as specified in Part B of Appendix V of the Policy Document; such registration is referred to as a ‘registration’ of a Green Lane solution.6
Where BNM does not express any concern or specifically prohibit a solution that has been duly registered within the time frame specified in the Policy Document, a Green Lane participating institution may proceed with the testing of the registered Green Lane solution on the planned testing date upon receiving notification from BNM. The regulatory flexibilities
7 listed by the Green Lane participating institution in its application for registration of each solution are to be deemed to have been granted by BNM, subject to the expiry or revocation of the approval to participate in the sandbox or any written instruction from BNM to stop the testing of the particular registered Green Lane solution.
BNM may allow a Green Lane participating institution to increase the number of customers participating in a registered solution beyond 20,000 customers on a case-by-case basis.
8 An application for approval of an upward revision of the participants must be submitted to BNM at least 30 working days prior to the date the institution proposes to implement the revised limit. The institution is required to state in its application the increment required and the justification for it. It may only proceed with the testing of the registered solution under the revised limit upon receiving notification from BNM.
Each Green Lane participating institution may register more than one solution to be tested in the Green Lane throughout the year.
General requirements
Application requirements
An applicant interested to test its solution in the sandbox must submit to BNM:
- an application letter signed by the CEO of the applicant or an officer of the applicant as duly authorised by the CEO;
- the application form, in the format set out in Appendix II (for applicants using the Standard Sandbox track) or Part A of Appendix V (for applicants seeking approval to use the Green Lane) of the Policy Document; and
- supporting documents to substantiate the information provided in the application form.
A guide illustrating the application process is provided in Appendix I of the Policy Document.
Expiry and revocation of approval
The testing period in the sandbox, regardless of whether it is under the Standard Sandbox or the Green Lane, shall not exceed 12 months from the start date of the test. Upon expiry of the testing period, approval to participate in the sandbox and any regulatory flexibility accorded to the participants will automatically expire, unless the participant has obtained the prior written approval from BNM for an extension of the testing period.
To extend the testing period, a written application must be submitted to BNM no later than 30 calendar days before the expiry of the testing period. The application must state the additional time required and clearly explain the reasons for requiring the extension. BNM will not generally approve a protracted extension of the testing period unless the solution has tested positively and it can be demonstrated by the applicant that the extended testing is necessary to respond to specific issues or risks identified during the initial testing.
Upon completion of the testing, BNM will decide whether to allow the solution to be introduced in the market on a wider scale. If BNM decides to allow, participating fintech companies intending to carry out regulated businesses will be assessed by BNM based on applicable legal and regulatory requirements, including licensing, approval, and registration criteria under the FSA, IFSA and MSBA, as the case may be.
Where there are adverse developments observed, BNM may revoke an approval granted to participant to participate in the Standard Sandbox or require a Green Lane participating institution to terminate the testing of a particular registered solution in the Green Lane at any time before the end of the testing period. Non-exhaustive examples of adverse developments are set out in paragraph 9.4 of the Policy Document.
BNM may also prohibit the deployment of the solution in the market upon the completion or termination of the testing in the sandbox for the following reasons:
- in the event of an unsuccessful testing based on agreed testing parameters between BNM and the participant;
- the participant is unable to comply with the applicable relevant regulatory requirements upon completion of the testing; or
- the solution has unintended negative consequences upon the public and/ or financial stability.
Save as mentioned in the following paragraph, BNM will give a participant 30 calendar days’ notice in writing of its intention to revoke the approval or terminate the testing and provide an opportunity for the participant to make a representation in writing to BNM on the grounds for the revocation of the approval or termination of the testing.
Where delay in revoking an approval or terminating the testing would be detrimental to the interests of the participant, its customers, the financial system or the general public, BNM may revoke the approval or order the testing be terminated immediately and provide the opportunity for the participant to make a representation in writing after the effective date of revocation of the approval or termination of the testing. Upon considering the written representation by the participant, BNM may decide to reinstate the approval for the participant to participate in the sandbox or allow the continuation of the testing, with or without any additional conditions.
Upon being notified by BNM of the revocation of an approval to participate in the sandbox or termination of the testing, the participant must, among others:
- immediately implement its exit plan to cease the provision of the solution to new and existing customers;
- provide a written notification to customers informing them of the cessation of the solution and the customers’ rights to redress where relevant;
- compensate any customers who had suffered direct financial losses arising from problems attributable to the solution in accordance with the applicant’s statement or commitment in providing consumer redress mechanism; and
- submit a report to BNM on the actions taken within 30 working days after the revocation of the approval or termination of the testing.
Submission of information and reports
A participant must submit to BNM progress reports and a final report within 30 calendar days from the expiry of the testing period or termination of the testing, which shall comprise the information set out in paragraph 10.1 of the Policy Document.
BNM will additionally determine the frequency of interim reports and specific details to be included in such reports in consultation with the participant, taking into account the duration, complexity, scale, and risks associated with the test.
The interim and final reports must be attested by the CEO of the participant that all information submitted is true and accurate. In the case of a joint testing by a financial institution or an approved or registered intermediaries and a fintech company, the reports must be attested by the CEOs of both the financial institution and the fintech company.
A set of Frequently Asked Questions that was issued simultaneously with the Policy Document can be accessed
here.
Comments
The Policy Document is an expanded version of the Exposure Draft of the Policy Document on Financial Technology Regulatory Sandbox Framework (‘
Exposure Draft’) issued by BNM on 28 March 2023.
It is the first revision to the Superseded Policy Document since the latter came into effect on 18 October 2016. The introduction of a two-staged application procedure for a standard sandbox application and in particular, an expedited procedure for testing of a proposed solution under the Green Lane will be welcomed by stakeholders, especially financial institutions. Fintech companies may be disappointed at their exclusion from having direct access to the Green Lane. Perhaps the next major step for the Malaysian sandbox framework will be the granting of access to the Green Lane to qualified fintech companies.
Alert by Lee Ai Hsian (Partner) of the Fintech Practice of Skrine.
1 Refer to paragraphs 6.7 and 6.8 of the Policy Document for factors that BNM will consider in terms of risks and risk mitigation measures.
2 If there is no Shariah ruling made in relation to the new solution, the appointed Shariah committee or Shariah consultant shall assess and deliberate on such matters and provide an attestation that the solution is in line with Shariah principles.
3 Refer to paragraph 7.7 of the Policy Document for further details.
4 A ‘Green Lane participating institution’ is defined in paragraph 5.2 of the Policy Document as a financial institution which has been approved by BNM to participate in the sandbox through the Green Lane.
5 Refer to paragraphs 7.12 to 7.14 of the Policy Document for more information on revocation of a Green Lane approval and to paragraph 9.4 for a list of non-exhaustive circumstances in which an approval to a Green Lane participating institution may be revoked.
6 Refer to paragraph 7.22 of the Policy Document for further details of matters to be considered in registering a solution for participating in the sandbox through the Green Lane.
7 Refer to paragraph 7.25 of the Policy Document as to the circumstances in which regulatory flexibilities will
not be provided.
8 In considering an application for an upward revision of the 20,000 participant limit, BNM will consider the factors set out in paragraph 7.18 of the Policy Document.
This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.