3 Secret Strategies Revealed to ensure a win at the Regulatory Sandbox
Let me first define the term “Regulatory Sandbox” before we discuss what kind of opportunity a Regulatory Sandbox offers to start-ups.
“What is a Regulatory Sandbox?”
Well, where a sandbox is a place for kids to play, a regulatory sandbox is a place where a start-up can play. In a Regulatory Sandbox, a start-up may choose to participate and test its products and services before it adopts a go-to-market strategy. Regulatory Sandboxes are most common in financial services, as it is among the most regulated businesses in the world. In a Regulatory Sandbox, a regulator gives a start-up leverage to test its commercial product and, if the start-up requires it, also grants relaxations from regulation so that it can take its financial product to the masses.
The practice of establishing regulatory sandboxes began after the 2008 financial crisis, and the first regulatory sandbox was established by the Financial Conduct Authority (‘FCA’) of the United Kingdom in 2015. The reason was that the regulations on banking, insurance and securities had been legislated for a brick-and-mortar model, and legislators had never known how new-age technologies such as artificial intelligence, blockchain and APIs work, or what challenges they might bring to consumers. Accordingly, regulators chose to establish regulatory sandboxes so that they could understand the offerings of different start-ups in detail and test them in a closed environment before a licence was issued to the start-up to launch its product to the general public.
With the introduction of the Regulatory Sandbox, the General Data Protection Regulations, 2018 and the Payments and Settlement Directives II, the FCA paved the path for open banking. We shall look at case studies of “Challenger Banks” and how the regulations facilitated their rise in Europe. We will also look at the impact open banking has had on the banking system in Europe. In the end, we will look at the digital lending space in India and explore, as an exercise, how RBI’s regulatory sandbox could be utilised to provide disruptive lending products. Most important is that the Regulatory Sandbox has facilitated go-to-market strategies by waiving the specific restriction that is obstructing the business.
“Challenger Banks – Opportunity to rethink Banking.”
In the case of Tandem Bank, a challenger bank in Europe, the FCA granted certain waivers concerning the investment advice it could offer to its clients. Tandem Bank sells itself as a bank that helps you save money and manage your cashflow. A detailed case study is provided in my earlier blog at https://www.dhirubhai.net/pulse/regulatory-sandbox-case-study-tandem-bank-aditya-tiwari/
Tandem Bank is not the only digital bank now operating in Europe, and the reason for permitting digital-only banks to operate was a failing financial system and the difficulty banks had in working and functioning under the given conditions. Here are the top 10 Challenger Banks:
“Open Banking – Using the Data Effectively”
The second aspect I would address is the development of open banking. Let us first understand what “Open Banking” is. Conservatively, a bank would hold on to the data it generates about its customers in a fiduciary capacity. Such holding of data by the bank may or may not result in any value-added service that benefits either the bank or its customer; the data sits in silos. To make this data available to start-ups, banks turn to what is referred to as “Open Banking”: the bank grants start-ups and other institutions access to the data it holds so that they can create value-added services from it. This sharing of data is achieved through an application programming interface (‘API’). An API is a conduit that allows data to flow between systems in a controlled yet seamless fashion. APIs are not a new technology; investment bankers have long used them to procure data on market conditions and pricing from various sources. However, specific regulations in Europe, such as the Payments and Systems Directives II, 2018 (‘PSD II’) and the General Data Protection Regulations, 2018 (‘GDPR’), together with the Open Banking Standards in the UK, opened a market for innovation on banks’ data by start-ups. Whereas PSD II made it mandatory for banks to make their data accessible for sharing, GDPR specified what data qualifies as sensitive personal data, from whom consent for its use is to be obtained, and to what extent sensitive personal data may be used.
A Public API model is used by external partners and developers who build innovative applications; it engages the developer community in innovation and also extends market reach. A Partner API can be used by business partners such as suppliers, vendors and resellers for an integrated approach; it reduces costs and enables monetisation of APIs, and such sharing of data also enhances security. Internal APIs are used by developers within the organisation; they minimise cost, increase efficiency and improve safety.
In India, Open Banking is not facilitated through separate legislation or a directive; however, it exists in a controlled manner. Apart from sensitive personal data, banks could share the remaining data either internally, with partners or publicly. In India, the Data Empowerment & Protection Architecture (‘DEPA’) enables individuals to leverage their personal data for their own empowerment while maintaining privacy. DEPA provides a technology platform for sharing documents and data after appropriate consent is procured. To understand the consent that needs to be obtained, and what data can be retrieved under it, it is necessary to understand the various kinds of data sets.
The various kinds of data sets are defined below:
(i) Non-Shareable Data – There may be a regulatory restriction on sharing a specific type of data. For example, UIDAI cannot share biometric data with anyone, not even with criminal investigation agencies. Banks today are restricted from sharing sensitive personal data under the intermediary regulations.
(ii) Personal Data – Personal Data may be shared after consent is obtained from the person whose data it is. Further, Personal Data can be shared downstream only if permission for that has been collected. The data may be shared freely or for a value. Personal Data is obtained through a KYC process and may be shared with consent given either through DigiLocker or an Electronic Data Consent.
(iii) Generated Data – Generated Data is data generated by machines, such as transaction data, location history, and the number of people visiting a branch. This data also requires consent before it is collected or, for that matter, shared with a third party. Downstream sharing of this data is limited. It may be shared freely or for value after consent is obtained.
(iv) Derived Data – The United Nations Economic Commission for Europe defines derived data as “A derived data element is a data element derived from other data elements using a mathematical, logical or another type of transformation, e.g. arithmetic formulation, composition and aggregation.” Prior user consent is required for the processing of the personal data. Downstream sharing is barred. The final report or outcome may be procured for a price.
(v) Anonymous Database – An anonymised loan book, anonymised travel data or any other anonymised data. Two conditions must be met for an Anonymous Database to qualify for sharing: (a) it is anonymised, and (b) it is relevant to the application for which it is to be shared. It also has to meet the established anonymisation standards.
(vi) Public Data – This one is simple. Data available in public about the population is Public Data. The Public Data available on government and other websites is usable, shareable, generatable and derivable. However, some forms of Public Data may have restrictions on their usage; for example, data related to patients may be utilised only in a precise manner.
The consent layer, however, is managed through account aggregators in India. The consent layer exists to empower the individual, who now has control over their data. The account aggregator entities may be government or private bodies mandated by the government to serve this purpose. Banks or FinTechs are able to request data from account aggregators, which they can utilise after the individual provides consent. The individual has the right to revoke the approval as well. A pictorial representation of the consent layer is provided after this:
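As an added illustration of the consent layer just described, together with the six data-set categories above, the following Python models an account aggregator's consent check: a bank or FinTech requests a category of data for a stated purpose, the check consults the individual's consent record (purpose, covered categories, expiry, downstream permission, revocation) and the per-category sharing rules. This is example code written for this page, not DEPA's, any account aggregator's, or the author's implementation; the class names, the rule table (one way of encoding the prose rules, in which "limited" downstream sharing of generated data is treated like personal data) and the sample records are assumptions constructed for the demo.

```python
"""Consent-gated data sharing check modelled on the account-aggregator consent layer.
Added illustration; not DEPA's, any account aggregator's, or the author's code.
Names, rule table and sample records below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class DataClass(Enum):
    NON_SHAREABLE = "non-shareable"   # e.g. biometric data held by UIDAI
    PERSONAL = "personal"             # KYC data
    GENERATED = "generated"           # transaction data, location history
    DERIVED = "derived"               # scores and reports built from other data
    ANONYMISED = "anonymised"
    PUBLIC = "public"


# Rule table distilled from the six categories in the text (an assumption: the text
# states the rules in prose; this is one encoding of them).
#   shareable - may this category ever leave the holder?
#   consent   - must the individual consent before it is shared?
#   onward    - may the recipient pass it further downstream?
#               "never" / "if_permitted" (only if that permission was collected) / "free"
RULES = {
    DataClass.NON_SHAREABLE: {"shareable": False, "consent": True,  "onward": "never"},
    DataClass.PERSONAL:      {"shareable": True,  "consent": True,  "onward": "if_permitted"},
    DataClass.GENERATED:     {"shareable": True,  "consent": True,  "onward": "if_permitted"},
    DataClass.DERIVED:       {"shareable": True,  "consent": True,  "onward": "never"},
    DataClass.ANONYMISED:    {"shareable": True,  "consent": False, "onward": "free"},
    DataClass.PUBLIC:        {"shareable": True,  "consent": False, "onward": "free"},
}


@dataclass
class Consent:
    """One consent artefact held by the account aggregator."""
    subject_id: str
    requester: str                 # the bank or FinTech asking for the data
    purpose: str
    data_classes: frozenset        # categories the individual agreed to share
    expires_at: datetime
    allow_onward: bool = False     # did the individual also permit downstream sharing?
    revoked: bool = False


class ConsentLayer:
    def __init__(self):
        self._consents = {}

    def grant(self, consent: Consent):
        self._consents[(consent.subject_id, consent.requester)] = consent

    def revoke(self, subject_id, requester):
        """The individual's right to revoke: the record stays but no longer authorises anything."""
        c = self._consents.get((subject_id, requester))
        if c is not None:
            c.revoked = True

    def authorise(self, subject_id, requester, purpose, data_class, now, onward=False):
        """Return (allowed, reason). Every denial names the rule that blocked it."""
        rule = RULES[data_class]
        if not rule["shareable"]:
            return False, "regulatory restriction: category is never shareable"
        if rule["consent"]:
            c = self._consents.get((subject_id, requester))
            if c is None:
                return False, "no consent on record"
            if c.revoked:
                return False, "consent revoked by the individual"
            if now >= c.expires_at:
                return False, "consent expired"
            if c.purpose != purpose:
                return False, "purpose differs from the one consented to"
            if data_class not in c.data_classes:
                return False, f"{data_class.value} data not covered by the consent"
            if onward:
                if rule["onward"] == "never":
                    return False, "downstream sharing barred for this category"
                if rule["onward"] == "if_permitted" and not c.allow_onward:
                    return False, "downstream sharing not permitted by the consent"
        return True, "allowed"


def demo():
    """Walks through grant, use and revocation with constructed sample records."""
    now = datetime(2020, 1, 1, tzinfo=timezone.utc)
    layer = ConsentLayer()
    layer.grant(Consent("cust-001", "lending-app", "loan_underwriting",
                        frozenset({DataClass.PERSONAL, DataClass.GENERATED}),
                        expires_at=now + timedelta(days=30)))
    a = layer.authorise
    results = {
        "kyc_for_loan": a("cust-001", "lending-app", "loan_underwriting", DataClass.PERSONAL, now)[0],
        "biometric": a("cust-001", "lending-app", "loan_underwriting", DataClass.NON_SHAREABLE, now)[0],
        "other_purpose": a("cust-001", "lending-app", "marketing", DataClass.PERSONAL, now)[0],
        "public_no_consent": a("cust-999", "anyone", "research", DataClass.PUBLIC, now)[0],
        "onward_personal": a("cust-001", "lending-app", "loan_underwriting", DataClass.PERSONAL, now, onward=True)[0],
    }
    layer.revoke("cust-001", "lending-app")
    results["after_revoke"] = a("cust-001", "lending-app", "loan_underwriting", DataClass.PERSONAL, now)[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18} {'allow' if allowed else 'deny'}")
```

The point of returning a reason with every denial is auditability: a data-protection officer reviewing the aggregator's log should be able to see which rule (no consent, expiry, purpose limitation, downstream bar, revocation) stopped a request, which is also what the purpose-limitation and consent principles discussed further down require in practice.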
“7 Golden Principles of GDPR – The Golden Standard for Privacy”
While using the account aggregator technical platform, the professional team should also consider the data protection principles that apply to the relevant data. The European Parliament issued the General Data Protection Regulations (‘Regulations’) for the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Similar provisions are also enshrined in the Personal Data Protection Bill, 2018 (“PDP Bill, 2018”), which was introduced in parliament during the last session. The Regulations became effective from May 28, 2018; however, the PDP Bill, 2018 is not yet effective. A few of the essential aspects of the Regulations are summarised below:
1. The objective of the Regulations
A. The Regulations have the following objectives:
· Protects fundamental rights and freedom of natural persons, in particular, their right to protection of their personal data;
· Free movement of personal data within the union, it can neither be prohibited nor restricted for reasons of security of natural persons;
2. Geographical Reach and Applicability
A. The Regulations apply to:
· the processing of personal data wholly or partly by automated means or otherwise;
· a person who processes personal data for use in its own activities, and a person who processes such personal data within the European Union;
· the processing of personal data of persons who are in the European Union, whether the controller of such data or the processor is within the European Union or not, if such processing is related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
· the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
B. The Regulations do not apply to the processing of personal data:
· in the course of an activity which falls outside the scope of European Union law;
· by the Member States when carrying out activities which are expressly stated to be outside the scope of European Union law;
· by a natural person in the course of a purely personal or household activity;
· By government authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties including the safeguarding against and the prevention of threats to public security.
3. Principles for processing
A. The following principles should be considered when processing the personal data of a data subject:
· it should be processed lawfully, fairly and in a transparent manner concerning individuals;
· it should be collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes;
· processing of data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
· the data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
· every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
· the data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
· personal data may be stored for more extended periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of individuals.
· Data has to be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
4. Consent – Whose & How
A. The Regulations provide that the consent of the data subject is necessary for processing the data, and the following should be considered while taking consent:
· consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes;
· there must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity;
· consent must also be separated from other terms and conditions, and you will need to provide simple ways for people to withdraw consent;
· public authorities and employers will need to take particular care to ensure that consent is freely given.
5. Children’s Personal Data
A. The Regulations contain new provisions intended to enhance the protection of children’s personal data which are stated hereinafter:
· privacy notices for children should be written clearly and in a plain manner which is understood by children;
· online services offered to children would require consent from a parent or guardian to process the child’s data;
· if consent is the basis for processing the child’s personal data, a child under the age of 16 can’t give that consent themselves and instead consent is required from a person holding ‘parental responsibility’.
6. Individual Rights
A. The Regulations provide the following rights for individuals:
· The right to be informed
· The right of access
· The right to rectification
· The right to erasure
· The right to restrict processing
· The right to object
· The right in relation to automated decision making and profiling.
7. What needs to be done?
A. The Regulations apply if the data concerns persons who are within the European Union, irrespective of where the person for whom the data is processed and the person who processes the data are located;
B. The Regulations also apply if the data concerns the monitoring of the behaviour of a data subject within the European Union;
C. If, because of either of the aforementioned requirements, these Regulations are applicable, explicit consent would have to be obtained from the person to use data relating to him for a particular purpose.
D. The data subject also has certain rights, such as erasure of data, restriction of processing and objection to the processing of his data. These rights have to be made available to him, and any non-compliance would result in damages.
E. Any dealing with children would require consent from their parents or guardians.
Before a strategy for Open Banking is put in place, it is imperative to ensure that the nature of the data set one is using complies with all the provisions of the data protection laws in force.
“Various Business Models around API’s”
Now, let us look at the possible strategies in respect of Open Banking that are adopted by various banks and FinTechs:
A. API Market Place
In this model, banks provide APIs for sale to start-ups.
B. The Account Aggregator
The Account Aggregator aggregates data from various financial institutions and other governmental and non-governmental organisations.
C. Robo Advisors
APIs are utilised to create robo-advisors that advise on wealth-tech products, insurance policies, loans, etc.
D. Cross-Industry Collaboration
APIs also facilitate cross-industry collaborations, such as collaborations between Telecom companies and
E. Crowd Sourcing
APIs could be crowdsourced from RapidAPI or ProgrammableWeb for building various apps concerning financial services.
F. FinTech Collaboration
APIs also enable engagement between FinTech firms and banks. The FinTech may provide value-added services, created from the data that the API provides, for the existing customers of the bank so that the bank can differentiate its offerings.
G. Banking as a Service
BaaS includes providing all financial services over the web.
H. White Label Product Vendor
A White Label product is one that a start-up can integrate into the existing processes of a bank, to be offered to the bank’s clients under the bank’s logo.
I. Community Source Banking Systems
A system where the community pools money and cooperates with its members, providing funds as and when another member of the community requires them.
J. OpenID Connect
Wikipedia defines OpenID Connect as “a simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of the end-user based on the authentication performed by an authorisation server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.”
K. Integration PaaS
Gartner defines Integration PaaS as “a suite of cloud services enabling development, execution and governance of integration flows connecting any combination of on premises and cloud-based processes, services, application and data within individual or across multiple organisations.”
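The OpenID Connect entry above describes the client (relying party) verifying the end-user's identity from the authentication performed by an authorisation server. The artefact that carries that assertion is the ID token, and the verification is only as good as the checks the relying party performs on it. The following Python is an added example written for this page, not code from the page, from any OpenID Connect library or from a provider: it validates an ID token's signature with a pinned algorithm, then its issuer, audience, expiry and nonce. It assumes the token is signed with HS256 using a client secret shared with the authorisation server (many providers use RS256 with published JWKS instead, which changes only the signature step); the issuer URL, client id, secret and claims are constructed values, and `mint_id_token` stands in for the authorisation server so the example runs offline.

```python
"""Relying-party validation of an OpenID Connect ID token.
Added example; not code from the page, any OIDC library or any provider.
Assumes HS256 with a shared client secret; all identifiers below are constructed."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://op.example.test"      # constructed issuer URL
CLIENT_ID = "rp-demo-client"            # constructed client id
SECRET = b"constructed-client-secret-for-demo-only"


class TokenError(ValueError):
    """Raised for any reason the token must be rejected."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Stands in for the authorisation server; only here so the example is self-contained."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token, secret, expected_iss, client_id, expected_nonce, now):
    """Applies the ID Token Validation rules of OpenID Connect Core: signature with a
    fixed algorithm, iss, aud/azp, exp, and the nonce the relying party sent with the
    authentication request. Returns the claims on success, raises TokenError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: never let the token header choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise TokenError("signature mismatch")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != expected_iss:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise TokenError("token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise TokenError("azp missing or wrong for a multi-audience token")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("token expired or exp missing")
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch (possible replay)")
    return claims


def demo():
    """Mints a constructed token and validates it; returns the authenticated subject."""
    now = 1_700_000_100
    token = mint_id_token({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                           "iat": now - 100, "exp": now + 800, "nonce": "n-1"}, SECRET)
    return validate_id_token(token, SECRET, ISSUER, CLIENT_ID, "n-1", now)["sub"]


if __name__ == "__main__":
    print("authenticated subject:", demo())
```

The order of the checks matters: the signature is verified before any claim is read, the algorithm is fixed by the relying party rather than taken from the token, and `hmac.compare_digest` is used so that comparison time does not leak how many signature bytes matched.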
“P2P Lending – Unsolved Puzzle”
The third part of the discussion, on which we will focus, is peer-to-peer lending in India. The online lending space can be segregated into (i) lending marketplaces, (ii) consumer lending, (iii) SME lending, and (iv) P2P lending.
A. Lending Market Place
The lending marketplace is an aggregator that provides a comparison of loans, cards and investments. These marketplaces give information to bank customers and let the customer judge the relevance of a particular bank for their needs. The platform also provides information regarding the customer’s CIBIL score. The platform telemarkets loans and other products to prospective customers and supports their journey in procuring a mortgage, a card or an investment, as the case may be.
B. Consumer Lending
The Consumer Lending marketplace is backed by NBFCs that provide small-ticket loans to consumers in India who, for some reason, do not qualify for loans from regular banks. In most cases the loan decision is based on credit scoring rather than a credit rating. The credit score is generated from wallet transactions, mobile data and other transaction data, and the decision to grant a loan is made instantly using a machine learning algorithm.
C. SME Lending
These platforms finance the loan needs of small and medium businesses. The platform funds small businesses’ term finance or loans against card swipes. It also funds consumer loans online while you are making a big purchase.
D. P2P Lending
P2P Lending platforms such as faircent and I-Lend bring borrowers and lenders together on the same platform. They monetise their platforms by charging a fee for closing the transaction and by providing KYC and credit scoring services to the lenders.
The Peer-to-Peer Lending space has a vast market that still needs to be addressed. There is every possibility of creating products around agriculture, health and personal lending. Challenges remain, though, relating to strict KYC and recovery of the loan amount. Assimilating information beyond what small and medium enterprises provide concerning their finances remains a challenge. The Reserve Bank of India (“RBI”) is in the process of putting a public credit registry in place. At the same time, financial information providers would enable sharing of data through DEPA to enable new products.
“Closing Remarks”
All three strategies, whether Challenger Banks, Open Banking or P2P Lending, offer opportunities to start-ups, and in case there are legal challenges, start-ups may elect to make an application to regulators such as RBI, IRDAI and SEBI. In my earlier article, which you will find at https://www.dhirubhai.net/pulse/rbis-regulatory-sandbox-creating-opportunities-fintech-aditya-tiwari/, you may find the details regarding the rules and regulations in the regulatory sandbox guidelines issued by RBI, IRDAI and SEBI.
Thanks