Technology Law Analysis May 16, 2019

RBI’s Regulatory Sandbox: Analyzing the Proposed Framework

  • The RBI released the draft regulatory sandbox framework in April for public comments; NDA has submitted its comments on the draft
  • The draft framework is targeted at fintech startups, with various eligibility conditions including a minimum net worth requirement of INR 50 Lakh
  • The draft is a positive step, but ambiguous phrasing of eligibility requirements and the high net worth requirement ought to be addressed

After the announcement of a regulatory sandbox by the Reserve Bank of India (“RBI”) governor at the NITI Aayog FinTech Conclave 2019, those in the fintech ecosystem waited eagerly for its criteria and features. On April 18, 2019, the RBI announced the Draft Enabling Framework for Regulatory Sandbox (“Proposed Framework”), detailing the proposed features of the sandbox. The Proposed Framework is a draft for public comments, and is not effective yet. Nishith Desai Associates (“NDA”) has on May 8, 2019 submitted its comments on the Proposed Framework (see Annexure).

A. Background

The Indian fintech sector has witnessed exponential growth and, by some accounts, is presently the world's second largest fintech hub with more than 2,000 entities operating in this sector.1 While the term “fintech” has emerged from a combination of the words “finance” and “technology”, there is no universal consensus on what innovations fall under the “fintech” umbrella. Some of the major products and services that are now synonymous with fintech innovations include the digital payments ecosystem, peer-to-peer lending platforms, crowd-funding, crypto-assets and blockchain technology, distributed ledgers technology, Big Data, smart contracts, robo-advisors and aggregators.

However, as traditional law and policy development is slow to catch up with the rapid pace of technological innovation, innovators look towards regulators to develop new approaches to support this rapid speed of growth.

In view of the growing significance of fintech innovations,2 the RBI set up an inter-regulatory ‘Working Group on FinTech and Digital Banking’ in July 20163 to study the regulatory responses to such innovations across the globe. The Group included representatives from the RBI, Securities Exchange Board of India (“SEBI”), Insurance Regulatory and Development Authority of India (“IRDAI”), and Pension Fund Regulatory and Development Authority (“PFRDA”), select financial entities regulated by these agencies, rating agencies and fintech consultants and companies.

On February 08, 2018, this Working Group released its report, which, among other things, recommended the formulation of an appropriate framework for a regulatory sandbox. The Working Group noted that sandboxes offered benefits including limited testing which would answer questions, before the product is made available more broadly, on the product’s concerns as well as its potential for success. It observed that the objective of a sandbox should be “to encourage more fintech experimentation within a well-defined space and duration where regulators will provide the requisite regulatory support, so as to increase efficiency, manage risks better and create new opportunities for consumers.”

The Proposed Framework was announced with the above objectives.4

B. What is a Regulatory Sandbox?

The Proposed Framework describes a regulatory sandbox (“RS”) as the live testing of new products or services in a controlled regulatory environment, for which regulators may or may not permit certain regulatory relaxations for the duration of the testing.

Broadly speaking, the objectives of an RS are: (i) for the innovator / fintech entity to test its product in a regulated environment, where regulations are otherwise absent or may be too stringent for the entity; (ii) for the regulator to examine whether existing regulations need to be changed to accommodate that financial innovation; and (iii) to bring benefits to consumers where the proposed innovation shows promise of significantly easing the delivery of financial services.

The Proposed Framework notes that regulators in a sandbox (in this case, the RBI) receive the novel opportunity to conduct carefully monitored field tests and gather first-hand evidence pertaining to the benefits and risks arising out of fintech innovations. Therefore, an RS may potentially replace a “ban first and think later” approach with a more evidence-based regulatory approach.

C. Eligibility Criteria

The eligibility for RS applicants is provided as a list of ‘fit and proper’ criteria,5 which include the following:

  • An RS applicant should be a company incorporated in India.
  • It should meet the criteria of a ‘start-up’ as per the notification issued by the (then) Department of Industrial Policy & Promotion. These criteria, in turn, are:

o The entity should have been incorporated less than seven years ago, from the time of the RS application;

o The turnover of the entity should not have exceeded INR 25 crore in any financial year;

o The entity should be “working towards innovation, development or improvement of products or processes or services” or be “a scalable business model with a high potential of employment generation or wealth creation.”

  • The entity should have a minimum net worth of INR 50 lakh as per its latest audited balance sheet.
  • Promoters and/or director of the entity should be ‘fit and proper’ per the criteria laid down in the Proposed Framework.
  • A satisfactory CIBIL or equivalent credit score of the promoters, directors, and entity is required.
  • The products or services should be “technologically ready for deployment in the broader market”.
  • There should be adequate safeguards and infrastructure for consumer data protection and cybersecurity.
  • The proposed solution “should highlight an existing gap in the financial ecosystem” and “demonstrate how it would address the problem, or bring benefits to consumers or the industry or perform the same work more efficiently.”
  • The applicant should demonstrate “a relevant regulatory barrier that prevents deployment of the product/service at scale”, or “a genuinely innovative and significantly important product/service/solution is proposed for which relevant regulation is necessary but absent”.

(Some of the above criteria raise concerns regarding potentially subjective interpretation).

  • Results of Proof of Concept (PoC) / testing of use cases are to be shared where applicable.
  • Significant risks arising from the proposed solution are to be assessed and mitigated.

Industry Verticals: Positive List

The products, services, and technologies expressly stated to be eligible for the RS are: payments, remittance, marketplace lending, digital KYC (Know Your Customer), financial advisory services, smart contracts, financial inclusion products, cyber security products, mobile technology applications, data analytics, API (Application Programming Interface) services, blockchain technologies, and artificial intelligence and machine learning applications.

Industry Verticals: Negative List

The RS expressly provides that the following are excluded from its scope: credit registry, credit information, crypto-currency/crypto-asset activities including Initial Coin Offerings (ICOs), chain marketing services, and any product or service banned by the government. The Proposed Framework also states that financial services already being offered in India may not be suitable for the RS, unless the RS applicant demonstrates that either “a different technology is being gainfully applied or the same technology is being applied in a more efficient and effective manner”.

Since crypto-assets are essential to public blockchain technology,6 it remains to be seen how blockchain projects which are based on public blockchains such as Ethereum (or otherwise use tokens or crypto-assets) will be considered by the RBI. The Ethereum blockchain is used by the Enterprise Ethereum Alliance, which includes Accenture, Deloitte, Government of Andhra Pradesh, HP, Infosys, J.P. Morgan, Microsoft and Samsung as its members.

D. How the Sandbox Works

The RS is proposed to work by selecting cohorts of participants, each with a limited number of entities (proposed to be 10-12 entities initially). Cohorts will be based on themes (e.g., financial inclusion, payments, KYC etc.) and are taken through an end-to-end sandbox process under the oversight of the FinTech Unit (“FTU”) of the RBI. The estimated timeline for each RS cohort is approximately six months.


Each thematic cohort of the RS shall have the following five stages and timeline:


Indicative time period


Preliminary Screening

4 weeks

The FTU will evaluate the shortlisted applicants and check if they are meeting the eligibility criteria.

Test Design

3 weeks

The FTU will finalize the test design through an iterative engagement with RS applicants.

Application Assessment

3 weeks

The FTU will vet the test design and propose regulatory modifications, if any.


12 weeks

This is the crux of the RS, where the solution will actually undergo testing. The FTU will gather empirical evidence from the testing.


4 weeks

The RBI will evaluate the final outcome of the testing on the basis of the expected parameters, and assess its viability.

Boundary conditions

The RS would also be subject to a set of ‘boundary conditions’, which are intended to limit the consequences of failure. These conditions include:

  • Start and end date
  • Target customer type
  • Limit on the number of customers involved
  • Transaction ceilings or cash holding limits
  • Cap on customer losses.

Extensions or exits

RS participants may apply to the RBI for an extension one month prior to the scheduled completion. The participation may also be discontinued at the discretion of the RBI if the intended purpose is not achieved or regulatory requirements are not complied with. Participants may also exit voluntarily with one week’s notice.

Regulatory relaxations

Under the Proposed Framework, the RBI may relax specific regulatory requirements (which the RS entity will otherwise be subject to) for the duration of the RS.

While the Proposed Framework does not elucidate the types of regulatory relaxations that may be provided, possible regulatory relaxations that may be considered by the RBI, as contemplated by the Working Group’s report, include: i) quantitative prudential requirements, such as statutory or liquidity requirement, minimum paid-up capital, capital adequacy, license fees, and financial soundness; ii) corporate governance requirements such as board composition, management experience, and fit and proper criteria; and iii) risk management, which includes technology risk management and outsourcing guidelines.

However, compliance with certain regulatory requirements has been stated to be mandatory in all circumstances. These mandatory requirements include customer privacy and data protection measures, secure storage of and access to payment data of stakeholders, security of transactions, KYC/AML7/CFT8 requirements, and statutory requirements (which presumably refers to legislative provisions which the RBI cannot relax).

E. Sandboxes Abroad – Australia, Singapore, U.K.

Globally, an RS is meant to be a safe space for innovators to test their products and services while granting regulatory relaxations for a specified period of time. The Australian Securities and Investments Commission (“ASIC”) released a detailed regulatory framework in May 2016 allowing eligible fintech businesses to test certain specified services in an RS without holding an Australian financial service (AFS) or credit license. This allows eligible businesses to notify the regulator and then commence testing without a licensing process.

The Financial Conduct Authority (“FCA”) of the U.K. introduced a regulatory sandbox in June 2016 which comprises various types of regulatory co-operation including restricted authorisation, individual guidance, informal steers, waivers and no enforcement letters. The Monetary Authority of Singapore (“MAS”) issued the FinTech Regulatory Sandbox guidelines in November 2016.9 Under the Singapore RS, the MAS stated it will provide regulatory support by relaxing specific MAS regulatory requirements for the duration of the sandbox.

The Proposed Framework has borrowed many features from the U.K. and Singapore, which were pioneers in initiating RS regimes. However, Singapore and the U.K. permit regulated financial institutions to apply for the RS, whereas the Proposed Framework is applicable only to ‘start-ups’ as defined by the Government of India.

Additionally, these regulators have innovation hub agreements / fintech bridge agreements among each other. For instance, the FCA Innovation Hub has an agreement with the ASIC Innovation Hub. The U.K. (HM Treasury and the FCA) and Singapore (MAS) also concluded a “FinTech Bridge” agreement under which, among other things, they share information and commit to facilitating the entry of fintech start-ups from the other jurisdiction into their respective regulatory sandboxes.

F. Conclusion

The RBI has taken an important pro-innovation step by announcing the Proposed Framework. The expectation is that a ‘learning by doing’ approach adopted under the Proposed Framework would allow it to take an empirical approach towards fintech innovation, while both the RBI and RS participants can learn from the sandbox testing to improve regulations and fintech solutions respectively. Additionally, the RS can potentially yield better outcomes for consumers through an increased range of products and services, reduced costs, and an improvement of financial inclusion.

However, the Proposed Framework also presents some challenges such as a high net-worth requirement, ambiguous phrasing of eligibility conditions and other requirements, and the inclusion of crypto-asset activity, which is essential to blockchain technology, in its negative list.


Feedback on the Draft Enabling Framework for Regulatory Sandbox

Recognizing the Proposed Framework as a positive step, NDA took the opportunity to contribute its suggestions, comments and feedback on the Proposed Framework that the RBI kindly put up for public consultation.

S. No.

Page No.

Regulation No.

Comments/Change Suggested

Rationale/Reasons for Comments/Suggestion


4, 5

4.3, 6.2, 6.6 and related provisions

Approach on ‘legal waivers’ to be reconsidered or clarified. To be confirmed whether Clause 4.3 refers to only legal waivers outside the jurisdiction or competence of the RBI.

Clause 4.3 provides that the RBI or the RS cannot provide any legal waivers. This sub-clause may create some divergent interpretations because one of the underlying purposes of an RS is to provide regulatory relaxations in fit cases. Clauses 6.2, 6.6 and other related clauses in fact recognize the power of the RBI to provide regulatory relaxations under the RS, which, in other words, would amount to ‘legal waivers’.

The drafting of these clauses should hence be suitably clarified according to the intent. If the intent is that Clause 4.3 refers only to matters outside the RBI’s jurisdiction, that should be suitably clarified.



6.5.1 (a)

It should be clarified that the RS applicant need not be registered as a ‘start-up’ with the Government of India.

Criterion no. 1 (a)(iii) of the said Government of India notification10 should be made optional.

The words “meet the criteria” may be interpreted by some to mean that the RS applicant should obtain registration under the Government of India notification. This does not appear to be the intent of the Proposed Framework, and in our view, would not be a necessity for an RS applicant.

The said criterion (iii) (see footnote produced adjacently) is subjective and is similar to criteria already required by the Proposed Framework itself. Hence, the requirement of innovation and public interest is already ensured by the Proposed Framework. To avoid conflicting interpretations, this criterion (iii) can be dispensed with.



6.5.1 (b)

RBI should consider reducing the net worth requirements applicable to start-up applicants.

RBI may consider introducing a requirement for RS applicants to obtain adequate professional indemnity insurance cover and maintain it throughout lifecycle of the RS process.

As per the Proposed Framework a RS applicant is required to have a minimum net worth of Rs.50 lakh as per its latest audited balance sheet.

We note that this may create significant barriers to the entry of various fintech innovators in the RS. It will be a challenge for many fintech startups to be able to reach this minimum net worth requirement in the initial years of their operations, which is also the most critical time period for fintech innovators. As a result, many promising fintech startups may not be able to avail of the benefits of the sandbox. Startups which are above the prescribed net worth requirement are in any case often able to marshal resources to comply with ordinarily applicable laws. It is those startups which are below this threshold that may most benefit from the Proposed Sandbox.

It is also pertinent to note, that if the capital is tied up for the purpose of fulfilling the minimum net worth requirement, it may impose financial constraints on RS applicants to utilize these funds for other vital activates such as hiring talent, purchasing technical infrastructure or developing new services. This may result in putting RS applicants with lesser financial capacity at a disadvantage, in terms of their capacity to innovate.

Further, Clause 8.1 of the Proposed Framework, states that the RBI shall bear no liability arising from RS process and any liability arising from the experiment will be borne by the RS applicant.

We observe that the minimum capital requirement may have been introduced to ensure protection of consumers, nurture confidence in financial markets and cover liability arising from the RS process. In light of the above, we recommend that instead of a minimum capitalization requirement for the RS applicants, potentially new insurance products may be explored or be created by Indian insurance companies for RS applicants to obtain adequate professional indemnity insurance cover and maintain it throughout the period of the RS process.

The above comments are in order to ensure that the net worth requirement does not impair the success of the Proposed Framework.


6, 7, 8

6.5.1(f), 6.5.2, 6.5.8,

Clause 6.5.1(f) should be amended to provide for a more concrete criterion.

Clauses 6.5.2, 6.5.3 and 6.5.8 lead to ambiguity and should be reconsidered.

The phrases and criteria in these clauses are subjective and can lead to a wide variety of interpretations, making it difficult to provide intelligible differentia between RS applicants whose applications have succeeded and failed. This may lead to disgruntlement and potential grievances of the latter. Rather, these criteria should be replaced by objective standards, including from international frameworks, to the extent possible.

Further, it should be clarified that the use of the words “or” in Clause 6.5.2 is intentional and only any one of the three criteria are required to be met.




RBI should consider removing the requirement for RS applicants to share their relevant prior experiences relating to the results of proof of concept / testing of use cases.

RBI should adopt good information governance practices throughout the lifecycle of the RS process, including the use of confidentiality agreements from the earliest stage.

As per the Proposed Framework, RS applicants will be required to share the results of proof of concept / testing of use cases including any relevant prior experiences before getting admission into RS for testing. Further, powers will be granted to RBI to check the IT systems used for end-to-end sandbox processing.

We note that this may be a cause of concern amongst fintech innovators, with respect to the risk of information leaks and the resulting disputes pertaining to their proprietary information and trade secrets developed by fintech innovators. It covers know how, business information and technological information. Disclosure of this information would undermine a fintech’s vital interest or a unique selling point.



6.1, 7

The time period for a cohort for testing an innovation in the sandbox should not be limited to 6 months, instead it should be extended for 12 months (or longer period) with a discretionary extension available for 6 months.

The Proposed Framework under clause 7.2, stipulates the various stages and timelines for the RS Process, the complete duration of which has been indicatively mentioned to be approximately 6 months, subject to request for extension.

However, we note that this may not be sufficient to assess the financial and operational benefits of fintech innovations. It would also be increasingly difficult to assess the impact on financial inclusion and the potential risks arising out the fintech innovations in such a short period of time.




The FinTech Unit (“FTU”) at the RBI should have representatives from other financial regulators, such IRDAI, SEBI, PFRDA and/or Department for Promotion of Industry and Internal Trade, (“DPIIT”) etc. to map and provide guidance on the inter-regulatory issues arising out of innovative fintech products and services.

As per clause 7.1 of the Proposed Framework, the role of oversight throughout the lifecycle of the RS process is upon the FTU at the RBI.

We note that there exists an inter-regulatory overlap due to the convergence of various financial services and creation hybrid products, which are regulated under different sectors, by fintech innovators. We recommend that representatives from other financial regulators, such as IRDAI, SEBI, PFRDA, DPIIT etc. should also be included in the composition of FTU under RBI.




India should enter into Fintech Bridge Agreements with other jurisdictions which have a conducive regulatory sandbox regime.

We note that the UK-Australia FinTech Bridge Agreement between Australian Securities and Investments Commission and the Financial Conduct Authority (“FCA”) of UK and the UK-Singapore FinTech Bridge Agreement between Monetary Authority of Singapore and UK FCA both seek to enable collaboration on FinTech between governments, financial regulators and the industry. It encourages FinTech innovators to use the facilities and assistance available in the other jurisdiction to explore new business opportunities and reduce barriers to entry.

We also note that such increased collaboration provides a novel opportunity to enhance trade and investment flows between their markets, thereby contributing to the development of the international fintech market.

A successful case study is Crowd2Fund, a UK-based fintech innovator that is launching an Australian office by utilizing the UK-Australia FinTech Bridge Agreement. This makes it easier for Crowd2Fund to run operations in the markets of both Australia and UK and has been able to procure company licensing in both jurisdictions.




It may be clarified what kind of liability is being envisaged in the disclaimer that the RBI will not bear liability.

It may be the intent to say that the sandbox does not excuse the liability of the RS applicant of complying with all applicable laws other than those under the RBI’s jurisdiction. If so, that should be clarified.

Harshil Agarwal, Aaron Kamath, Jaideep Reddy & Rohan Singh

You can direct your queries or comments to the authors

1 India Fintech Report 2019, Available at

2 Pursuant to a decision of the Government of India’s Financial Stability and Development Council - Sub Committee.



5 Unlike the usual use of ‘fit and proper’ by the RBI, this extends to the RS applicant entity and not just the officers of
the entity.

6 Since crypto-assets or tokens create the incentive for blockchain participants (hence leading to decentralization
and security), many experts such as Andreas Antonopoulos, Vitalik Buterin, Jeremy Clark, and Arvind Narayanan
have opined that a blockchain without crypto-assets is a severely hampered system.

7 Anti-Money-Laundering

8 Combating the Financing of Terrorism


10 “Entity is working towards innovation, development or improvement of products or processes or services, or if it is a scalable business model with a high potential of employment generation or wealth creation.”

Nishith Desai Associates 2013. All rights reserved.