2. Recommendations for a sandbox in the Czech Republic

2.1.1. Objectives of a regulatory sandbox

A regulatory sandbox is a framework that allows FinTech companies to test innovative new products, services, and business models in a controlled environment under the oversight of a regulatory authority and without the bending of rules. The recommended main objectives of the proposed regulatory sandbox for FinTechs in the Czech Republic are shown in Figure 2.1.

Figure 2.1. Objectives of a regulatory sandbox

2.1.2. Understanding the concept of innovation

When creating a regulatory sandbox for FinTechs, the definition of what constitutes an innovative financial product is an important factor to consider. The definition must be precise, well-defined, and consider the rules and legislation of the Czech Republic. The regulatory sandbox can help the development and testing of new and emerging technologies while also guaranteeing that consumer protection and regulatory monitoring are maintained.

The definition of financial innovation should be comprehensive and take into account various factors. It is important to note that none of these criteria should be given preferential treatment, as they are all complementary and equally important for defining financial innovation. The first criterion is the impact of the innovation on the market and competition. Financial innovations may involve new products, services, or procedures that disrupt established market structures or create new market opportunities. The second criterion is the effect of the innovation on customer convenience and choice. Financial innovations may include new products, services, or procedures that expand customer options or improve user experience. The third criterion is the influence of the innovation on financial stability and risk management. Financial innovations can involve new products, services, or procedures that enhance the efficiency and resilience of the financial system or reduce systemic risks (Figure 2.2). The three criterions should be viewed as complementary, having similar importance.

Figure 2.2. Understanding the concept of innovation

Additionally, as the FinTech sector and regulatory landscape develop over time, the definition of an innovative financial product may also change. Therefore, it is important to take a holistic approach rather than merely focusing on the technology used, keeping in mind that innovation can also emerge from new business models or new ways of delivering financial services (OECD/Eurostat, 2018[1]).

In the case of the Czech regulatory sandbox, it is recommended that the definition of the term “innovative financial product” should refer to a new or improved financial product, service, or business strategy that leverages novel or emerging technologies to provide innovative and enhanced financial services. Payment service providers, aggregators, crypto-asset related firms, distributed ledger technology-based financial activity, robo-advisory platforms, and peer-to-peer lending platforms are a few examples of possible products in this category. A product, service, or business model that makes use of current technology in new or creative ways will also be referred to as an innovative financial product. For example, fraud can be detected using artificial intelligence, and credit risk can be evaluated using big data analytics.

2.1.3. Distinction between sandbox types

‘Standard’ regulatory sandbox

‘Standard’ regulatory sandboxes are types of innovation facilitators schemes that enable firms to test, pursuant to a specific testing plan agreed and monitored by a dedicated function of the competent authority, innovative financial products, financial services or business models (ESMA, EBA and EIOPA, 2019[2]). Table 2.1 displays a list of operational and planned regulatory sandbox within the EU.

Table 2.1. List of operational and planned regulatory sandboxes in the EU
#	Country	Sandbox	Banking	Insurance	Securities	Website
EU
1	AT	ü	ü	ü	ü	https://www.fma.gv.at/en/fintech-point-of-contact-sandbox/fma-sandbox/
2	BE	N
3	BG	Announced				https://www.minfin.bg/en/news/10967
4	CY	N
5	CZ	N
6	DE	N
7	DK	ü	ü	ü	ü	https://www.dfsa.dk/Supervision/Fintech/FT-lab
8	EE	Planned	ü	ü	ü	https://www.ebrd.com/news/2019/moving-the-regulatory-debate-forward-ebrd-and-estonia-are-working-on-their-first-sandbox.html
9	EL	Planned	ü	ü	ü	https://www.bankofgreece.gr/en/main-tasks/supervision/regulatory-sandbox
10	ES	Planned			ü	https://portal.mineco.gob.es/RecursosNoticia/mineco/prensa/noticias/2022/20220627-PR_AI_Sandbox_EN.pdf
11	FI	N
12	FR	N
13	HR	N
14	HU	ü	ü	ü	ü	https://www.mnb.hu/en/innovation-hub/regulatory-sandbox
15	IE	N
16	IT	ü	ü	ü	ü	https://www.dt.mef.gov.it/it/dipartimento/consultazioni_pubbliche/consultazione_regolamento.html
17	LT	ü	ü	ü	ü
18	LU	N
19	LV	ü	ü	ü	ü	https://www.bank.lv/en/co-operation/support-for-fintech-and-innovations/regulatory-sandbox
20	MT	ü	ü	ü	ü	https://www.mfsa.mt/fintech/regulatory-sandbox/
21	NL	ü	ü	ü	ü	https://www.dnb.nl/en/sector-information/supervision-stages/prior-to-supervision/innovationhub-and-regulatory-sandbox/
22	PL	Planned	ü	ü	ü	https://www.knf.gov.pl/?articleId=69563&p_id=18
23	PT	Planned	ü	ü	ü	http://dre.pt/application/conteudo/132133788
24	RO	N
25	SE	N
26	SK	ü	ü	ü	ü	https://nbs.sk/en/financial-market-supervision1/fintech/regulatory-sandbox/
27	SL	N
EFTA
28	IS	N
29	LI	N
30	NO	ü	ü	ü	ü	https://www.finanstilsynet.no/en/topics/fintech-and-regulatory-sandbox/finanstilsynets-regulatory-sandbox/
31	CH	ü	ü	ü	ü	https://www.finma.ch/en/news/2019March 20190315-mm-fintech/
32	UK	ü	ü	ü	ü	https://www.fca.org.uk/firms/innovation/regulatory-sandbox
Source: Based on ESMA, EBA and EIOPA (2019[2]), FinTech: Regulatory sandboxes and innovation hubs, https://ec.europa.eu/info/publications/180308-action-plan-fintech_en, and publicly available information on the websites mentioned in the table.

A regulatory sandbox may offer several key benefits to both FinTech companies and regulatory authorities in the Czech Republic. Regulatory sandboxes allow companies to test and validate their products and services in a real-world environment, gaining valuable insights into their feasibility and viability. This can help to reduce the risk of failure for new innovations. Additionally, regulatory sandboxes provide regulatory authorities with an opportunity to assess the potential impact of these innovations on consumers and the wider economy, allowing them to make informed decisions about the regulation of these products and services.

The scope of a regulatory sandbox can be extended to include data-sharing functionalities. There is often confusion between the concepts of data sharing and a data sandbox. Data sharing refers to the practice of sharing data between organisations or entities for a specific purpose, such as improving customer experience or fraud detection. On the other hand, a data sandbox is a secure testing environment that allows organisations to experiment with data without risking sensitive information or breaching data privacy regulations. Both concepts involve the sharing of data, either between different parties or within a controlled environment, for the purpose of testing or analysis. Both data sharing and a data sandbox can also potentially lead to innovation and the development of new products or services, as well as improvements in efficiency and cost savings. Additionally, both concepts can raise concerns around data privacy and security and require careful consideration of legal and regulatory frameworks. However, there are some differences in their purpose, scope, data ownership and security measures (Figure 2.3).

Figure 2.3. Data sharing vs. data sandbox

The recommendation for the Czech regulatory sandbox is to consider the establishment of a ‘standard’ regulatory sandbox and only extend its scope by incorporating data-sharing capabilities when the conditions allow it. Enriching the standard regulatory sandbox with a data-sharing option could be envisaged based on (i) the availability of datasets and ability to make these available; (ii) the capacity of the authorities participating in the regulatory sandbox.

It could also be envisaged that a data sandbox without a regulatory component could be outsourced and/or exist outside the Authorities, although even in this alternative the Czech Authorities would likely need to participate inter alia by means of providing data.

2.2.1. Limits of the testing environment

The recommended structure for the Czech regulatory sandbox advises against the provision of any waivers; restricted authorisations or other relaxation of existing applicable rules, which would anyway be against EU rules. It is recommended that a proportional application of existing regulatory and supervisory requirements, as embedded in EU financial services regulation, is used as appropriate and at the discretion of the Authorities for firms participating in the Czech regulatory sandbox. Such proportionality can apply to the governance process and system and control requirements, board composition; financial soundness; reputation; management experience and track record (Deloitte, 2017[6]). Proportionality should be applied on a case-by-case basis by the Authorities, depending on the business model and the applicable rules. The addition of safeguards to protect financial consumers should be considered if there is an assessment that extraordinary risks exist or if the existing regulatory framework does not address the risks associated with the innovation being tested.

Different jurisdictions have chosen different combinations of permitted and forbidden activities for firms participating in regulatory sandboxes. The ultimate boundaries in a given testing arrangement are the result of the legal provisions and regulations applicable to financial service providers and financial products and the overall objectives pursued by authorities in establishing a testing environment. Most countries that have implemented a regulatory sandbox have not opted to set it by defining a new legal regime and the legal boundaries of the testing environment are thus dictated by the existing license regime and the discretion available to the competent supervisors in law (EBRD, 2019[7]). A greater divergence between the provisions of the testing environment and the standard regulatory licensing regime would require defining in legislation a special legal regime for the testing environment, and that might take a long time to complete and defer the implementation of a regulatory sandbox. Further it might be in contradiction with the idea of technological neutrality that supervisors pursue. Nonetheless, some jurisdictions have chosen to amend existing legislation with innovative financial service providers in mind (Australia, Switzerland), and their regimes usually include a broader set of exemption for FinTechs.

The legal options that set the regulatory and enforcement boundaries for the participants of the previously established regulatory sandboxes world-wide can be classified as one of the following:

Restricted authorisation – Partial authorisation allows to grant an authorisation to operate a regulated activity but limiting the number of customers who participate in the test, or number of products offered to the customers. The UK offers restricted authorisation for firms participating in the regulatory sandbox. The introduction of a restricted license did not require a dedicated legislation in the UK. In Switzerland, firms in the sandbox may receive or invest public funds up to CHF 1 million without obtaining a license. This exemption was introduced by the Swiss Federal Council. In parallel, a separate “Fintech license” has been introduced in the Swiss Banking Act unrelated to sandbox participation. The Fintech license provides simplifications and lower market entry requirements, as compared to the full banking license.

Proportional authorisation – Regulatory sandboxes established in EU member countries stipulate that, to the extent that participation in the regulatory sandbox involves the carrying out of a regulated activity, the appropriate license is required to be held. Any divergence between the requirements of a regular licensing application and that of an application submitted by a regulatory sandbox participant are related to the interpretation of the competent supervisor of the idea of proportionality, exerted by the supervisor’s discretion. What this means in effect, is that the same proportionality is applicable to submission for a license by a non-sandbox firm. Embedded in EU financial services measures are tools to enable the proportionate application of regulatory and supervisory requirements. The joint report of the European Supervisory Authorities (ESA) points to the governance process and system and control requirements as appropriate for proportionality consideration. For the purpose of a concrete example, ESA mentions that governance system is subject to proportionality in Banking and Insurance EU laws (ESMA, EBA and EIOPA, 2019[2]).

In complement to certain supervisory relief, limitations or restrictions may be imposed for risk mitigation. Imposing limitations or other restrictions can be regarded as a lever for proportionality in the licensing or supervision process. In practice, in implementing proportionality for innovative firms, trying to lower boundaries that do not necessarily serve the purpose of the rule, EU member countries have focused on activities where the legal regime is set in national legislation, while much narrower discretionary space is taken in relation to EU laws. the Netherlands, Lithuania and Austria have stated that their respective regulatory sandboxes do not represent a new legal regime nor a “stripped down license”. Rather, supervisory requirements may be adapted on a case-by-case manner within the scope of the principle of proportionality for supervision, depending on the business model, where the laws permit this. In Lithuania, the regulatory sandbox regime is governed by a resolution of the Bank of Lithuania. In Austria the establishment and operation of the regulatory sandbox was achieved by means of legislative amendment in the underlying legal framework of the Financial Market Authority (FMA). According to Austrian officials, the need to set the operation of the regulatory sandbox in a designated law had two rationales – the first was to assure that additional resources are granted to the FMA for the operation of the regulatory sandbox; the second was for the law to protect the FMA from accusations that a flaw has occurred in the selection process to the regulatory sandbox. In the Netherlands, no specific legal amendments were performed. Outside of the EU, the regulatory sandboxes in Hong Kong, each operating under the supervision of the various financial supervisors, allow the supervisors to exercise discretion powers, but no newly created set of regulatory sandbox-specific laws or regulations was introduced.

Class waiver – The Australian Securities & Investments Commission (ASIC) has issued a class waiver/FinTech licensing exemption for regulatory sandbox participants. The scope of the waiver is quite wide as the participation in Australia’s regulatory sandbox is granted as a matter of law, rather than upon application, and innovation is not a prerequisite. A participant may enjoy the waiver after notifying the ASIC but only for a restricted period, and not all types of services are included in the class waiver (it is unapplicable to issuing financial products or providing credit). In Australia the issuance of the class waiver was within the powers of the ASIC and in accordance with its mandate.

Individual guidance – Innovation hubs often serve the role of a preliminary stage of a regulatory sandbox regime. Innovation hubs provide a dedicated point of contact for firms to raise enquiries with competent authorities and to seek non-binding guidance on regulatory and supervisory expectations, including licensing requirements. On the whole, there are no legal barriers posed by existing laws to the establishment of innovation hubs in EU jurisdictions any many members have established such a hub. The work and mandate of innovation hubs does not differ much from established practices where supervisors respond to queries in a non-binding manner, however jurisdictions have focused on increase the level of technical expertise attached to such hubs as well as designating dedicated teams to the topic. Some competent authorities complement their innovation hubs with specific ‘follow-up’ schemes. Guidance is a prominent component of most regulatory sandboxes as well. The participation in a regulatory sandbox by construction results in a continuous communication and exchange between participating firms and the supervising authority. Building and enhancing firms’ understanding of regulatory expectations, the application of the existing regulatory framework and compliance requirements is one of the objectives of regulatory sandboxes and to achieve it, much communication is needed. Importantly, many developers of financial innovative solutions have a technological background rather than financial background and thus have a low starting point in understanding financial regulation requirements. Increasing the regulator’s understanding and knowledge of the innovative products to better assess the risks of new business models and underlying technologies is another important objective, on the side of the supervisor. In the absence of a wide leeway for regulatory alleviations, this property becomes even more central as one of the major benefits and appeals for the participating firms as well as for the supervising authority, from establishing the regulatory sandbox.

In Israel, A pilot regime for FinTech is operated jointly by the Israel Innovation Authority (IIA) and the Israel Securities Authority (ISA). The framework does not offer any regulatory waivers, and general rules apply. The authorisation stage is not part of the regulatory sandbox, and the accepted firm should either enter the test with or without a license, as applicable by existing laws. Regulatory guidance is offered by ISA, if the concerning firm falls within its jurisdiction, and two other supervisors, i.e. the payment systems supervisor and the banks supervisor located withing the Bank of Israel participate as observers. A unique feature of the Israeli test regime is that accepted firms receive financial support for the testing (see further below).

No enforcement action letters – the FCA in the UK has the right to issue a no enforcement action letter stating that no FCA enforcement action will be taken against testing activities. The FCA’s commitment not to take enforcement action applies to the period from the issue of the NAL until the testing is completed or closed by the FCA. It is important to note that this only addresses the risk of enforcement action by the FCA and does not limit the Fintech’s liability towards its customers. The Bank of Lithuania in its resolution regarding the establishment of a regulatory sandbox has declared that it will not undertake enforcement measures toward financial market participant operating in the regulatory sandbox. In both cases this commitment is not guaranteed and there are some limitations to its implementation in extreme cases.

As a rule of thumb, regulatory sandboxes do not offer any alleviations in the testing environment with regard to regulatory requirements in these three areas (Deloitte, 2017[6]; EBRD, 2019[7]):

• Consumer protections provisions

• Data protection provisions

• Compliance with AML/CFT obligations

In addition, regulatory sandboxes do not offer solutions to several non-regulatory barriers that are often faced by FinTechs and are related to their business models. Participation in a regulatory sandbox does not guarantee the opening of a bank account for the FinTech, a common problem, where banks sometimes decline the opening of a bank account to FinTechs, due to regulatory AML rules applicable to them. Sandboxes, including those that have a focus on data, cannot offer access to individual-level data, because either it will constitute a breach of privacy rules, or in most cases such data is proprietary to incumbents. Supervisors allow, and even encourage, partnership between large firms (incumbents) and start-ups to apply to the regulatory sandbox, both to foster innovation based on data, and since such joint projects resolve the problem of the FinTech not being licensed, as it can operate as a third party and the incumbent assumes the supervisory obligations. Although obvious, a regulatory sandbox does not guarantee a consumer base for the innovative service or product, which can be a source of failure for the test as well.

A regulatory sandbox can offer financial aid in setting up the test. In Israel, such financial support constitutes one of the major attracting factors of the testing environment, as the regulatory assistance given takes the form of individual guidance and no further. The rate of financial support to the accepted firms varies from 20% to 50% of approved expenses associated with the testing. Financial support at an exceptional rate of 60% of the approved expenses will be given to a programme that has the potential to have an extraordinary impact on streamlining and improving the capital markets or the financial services industries in Israel.

Based on the above experience of other EU and OECD jurisdictions, and the conditions of the Czech FinTech ecosystem, it is recommended that the Czech regulatory sandbox does not provide any waivers; restricted authorisations or other relaxation of existing applicable rules, which would anyway be against EU rules. It is recommended that a proportional application of existing regulatory and supervisory requirements, as embedded in EU financial services regulation, is used as appropriate and at the discretion of the Authorities for firms participating in the Czech regulatory sandbox. Such proportionality can apply to the governance process and system and control requirements, board composition; financial soundness; reputation; management experience and track record (Deloitte, 2017[6]). Proportionality should be applied on a case-by-case basis by the Authorities, depending on the business model and the applicable rules.

2.2.2. Regulatory and supervisory oversight

The recommendation for the Czech regulatory sandbox that would maximise operational benefits, improve the dissemination of regulatory clarity on the one hand, and understanding of business models by the Authorities on the other hand, is to have the regulatory sandbox set up by the Czech Authorities, as per all EU regulatory sandboxes. The experience of these EU regulatory sandboxes has showed that FinTechs benefit from an unmediated exchange of knowledge with the Authorities. This is positive both in terms of the innovators’ ability to understand the regulatory and supervisory requirements, but also in terms of the possibility to directly introduce their specifics to the Czech Authorities and thus deepen mutual understanding. No exemptions are to be granted to participating firms in the regulatory sandbox under the licensing procedure beyond those provided by national and European law. There is therefore no need for legislative changes for the establishment of a regulatory sandbox, as the recommended design for the Czech regulatory sandboxes does not involve the disapplication of regulatory obligations that are required to be imposed as a result of EU and/or national law. The Czech Authorities can establish the regulatory sandbox by an internal act or by designating which posts will be dedicated to co-ordinating its operation within the relevant Authorities.

It is recommended that the Czech regulatory sandbox does not provide any form of waivers. Testing in regulatory sandboxes means enabling the provision of innovative financial services in the real market (perhaps in part of the market, depending on the case) under the intensive supervision of the Czech Authorities and in regular consultations with each other, which follows only after obtaining the relevant license. Participants shall benefit from guidance regarding compliance of their activity with applicable regulation and assistance in obtaining license.

It could also be envisaged that a data sandbox without a regulatory component could be outsourced and/or exist outside the Czech Authorities, although even in this alternative the Authorities would need to participate inter alia by means of providing data.

Regular consultations between the participant and the Czech Authorities shall take place throughout the testing phase, during which participants will be required to report on the testing process and any other relevant information. These regular consultations should be co-ordinated by a dedicated regulatory sandbox staff member and are attended by representatives of the Czech Authorities, e.g. representatives from the Financial Market Supervision Department, the Licensing and Sanctions Department, the Regulation and International Co-operation Department or the FinTech team.

The participant must clearly communicate with the users of their financial product that the product is provided in the testing regime of the regulatory sandbox. If a participant fails to comply with the testing plan, the Czech Authorities may use standard mechanisms such as a notice to remedy or, if remedy is not achieved within a specified period of time, a fine.

The regulatory sandbox will also allow the opportunity to get involved in cross-border testing in the EU. For example, the EU Digital Finance Platform will allow multi-sandbox testing in two or more regulatory sandboxes in different Member States, facilitating visibility over the tests among national authorities involved in testing. The cross-border testing is framework is developed by the European Forum for Innovation Facilitators and forms a gateway to regulatory sandbox testing involving multiple national authorities.3

It should be noted that competent authorities of other EU countries such as Denmark, Lithuania, the Netherlands and Poland, as well as the UK, have noted their statutory objectives of contributing to financial stability, promoting confidence in the financial sector in their jurisdictions and consumer protection as the foundation for their regulatory sandbox initiatives. As regulatory sandboxes can be used by authorities and firms to gain a good understanding of the opportunities and risks presented by innovations through the testing process, the lessons learned can inform the appropriate regulatory and supervisory response. That response could, for example, take the form of a new set of supervisory rules relating to the disclosure requirements for the sale of a specific new financial product in order to ensure an appropriate degree of protection for consumers or, indeed, a prohibition on the sale of the product if the risk of serious consumer detriment is identified. Given this, the above-mentioned authorities view the regulatory sandbox process no differently from any other tool available to them in developing regulatory and supervisory policies in relation to emerging activities (ESMA, EBA and EIOPA, 2018[8]).

2.2.3. Scope of a regulatory sandbox

The scope of a regulatory sandbox is a critical aspect that determines the flexibility and effectiveness of the framework. The design of the regulatory sandbox for the Czech Republic should be guided by the principles of fostering innovation while ensuring financial stability and consumer protection. The scope of the regulatory sandbox should be clearly defined, taking into account the existing regulatory landscape, the competency of the relevant authorities, and the potential cross-sectoral impacts of new financial technologies.

Typically, the authority’s supervisory mission and the characteristics of the domestic financial industry it oversees determine the scope of regulatory sandboxes. However, FinTechs frequently breach the conventional lines separating the various financial services sectors (e.g. financial aggregation platforms) or offer ideas that might increase efficiency horizontally across sectors (e.g. in risk management). Scholars emphasise the unfavorability of sectoral limits because they magnify already-existing regulatory barriers and potentially inhibit cross-sectoral innovation by limiting economies of scale (Parenti, 2020[9]).

The majority of the regulatory sandboxes that are now in use in the EU (Denmark, Hungary, Lithuania, Latvia and Malta) are hosted by an integrated national supervisor, encompassing the whole financial sector (e.g. banking, investment activities and services, insurance). The banking and capital markets supervisors in the Netherlands, which use a “twin peaks” model of financial supervision, collaborate to run the regulatory sandbox. In other countries with sectoral supervisors, one of the regulatory sandboxes planned is a combined operation by all sectoral supervisors (to the extent that this information is accessible, for example, Spain and Italy). With relation to innovation centres, sectoral restrictions show up more frequently, again mostly because of restrictions on the supervisor’s authority. In these situations, co-operatively run innovation centres (like Belgium and the Netherlands) have claimed benefits in terms of automated information exchange, an effective method for responding to inquiries, and improved cross-sector issue monitoring. To reduce the danger of creating fragmented cross-sectoral practises, improved regulatory collaboration and methods for information sharing between sectoral regulators are required where such combined operation is not practicable (Parenti, 2020[9]).

It is essential that the eligibility criteria, regulatory sandbox parameters, supervision and oversight, and exit criteria are well-defined while at the same time allow some level of flexibility. A well-defined and flexible scope can ensure that the regulatory sandbox is able to support innovation while also ensuring the protection of consumers and the integrity of the financial system. Last but not least, it is important to bear in mind that the scope of a regulatory sandbox may change over time as the FinTech industry and regulatory environment evolve, and this is why some level of flexibility is important.

Participating institutions from the government should include but are not limited to the Supervisory and Regulatory Authorities. These institutions should consider a range of possibilities for the regulatory sandbox such as, allowing for the testing of new products and services in a controlled environment, identifying relevant regulation for certain activities, and facilitating the development of new technologies and business models.

The design of the regulatory sandbox for the Czech Republic should be guided by the principles of fostering innovation while ensuring financial stability and consumer protection. The scope of the regulatory sandbox should be clearly defined, taking into account the existing regulatory landscape, the competency of the relevant authorities, and the potential cross-sectoral impacts of new financial technologies.

The recommended scope for the Czech regulatory sandbox would be cross-sectoral with no restrictions as to the sector of activity, provided that these fall under the remit of the financial Authorities directly or indirectly. In this context, ‘indirectly’ refers to any financial activity that may not fall under the definition of an activity requiring a license from the Authorities but may still have an impact on the financial sector. Applicant firms must comply with the eligibility criteria provided below (Section 2.3.2).4

Furthermore, the regulatory sandbox could be a ‘standard’ regulatory sandbox in line with established sandboxes in the EU, and/or could be enhanced with data-sharing capabilities. The recommendation for the Czech regulatory sandbox is to commence with the establishment of the ‘standard’ regulatory sandbox and, to the extent feasible, enrich it with the provision of data-sharing when the conditions allow it. The conditions for this option will be based on (i) the availability of datasets and ability to make these available; (ii) the capacity of the authorities participating in the regulatory sandbox.

It could also be envisaged that a data sandbox could be established outside the Czech Authorities (and/or outsourced). FinTechs participating in such data sandbox could build data-driven models that would form part of a business model or service and which may not necessarily directly involve financial market activity. However, even in this alternative the Czech Authorities would likely need to participate, inter alia by means of providing data.

2.2.4. Underlying legal framework for the operation of the regulatory sandbox

2.2.5. Consumer protection and risk management

It is recommended that the Czech regulatory sandbox offers no alleviations to sandbox participants with regard to consumer protection measures stipulated by regulation and supervision and those standard rules apply, aligning with common practice in other regulatory sandboxes. Proportionality considerations are as well usually unapplicable to consumer protection measures. Moreover, there might be restrictions imposed to further protect consumers. Specific measures that can be taken in the regulatory sandbox to protect consumers are shown in Figure 2.4.

Figure 2.4. Consumer protection measures

The ESA joint report suggests that compensation or redress measures accompany the regulatory sandbox should any detriment be suffered in the context of testing (ESMA, EBA and EIOPA, 2019[2]). This is a beneficial measure for consumers and if taken, will mean that less intense communication efforts to convey the associated risk of the test is needed. However, if firms bear all the risks, this could make the regulatory sandbox too expensive for small firms.

The FCA considered several compensation options before launching the first test cohort, with options ranging from no compensation offered and consumers knowingly consenting, to setting a condition for joining the regulatory sandbox that businesses undertake to compensate any losses (including investment losses) to customers and can demonstrate that they have the resources in place to cover such compensations. In the interim options, the FCA considered relying on the UK’s Financial Services Compensation Scheme (FSCS) that provides a broad compensation, covering claims in relation to deposits, investment business, home finance, insurance policies and insurance broking, provided by businesses authorised by the FCA and the Prudential Regulation Authority (PRA). However, the FCA, not wanting firms to bear the costs of paying fees to the Financial Ombudsman Service (FOS) and the FSCS decided to follow a case-by-case basis framework of setting the disclosure, protection, and compensation appropriate to the testing activity (FCA, 2015[15]).

In contrast, Switzerland has limited safeguards for the regulatory sandbox participants that according to the local set up are not authorised while they operate as restricted services, and these firms are not covered by the compensation scheme (EBRD, 2019[7]). In Australia, the ASIC has set requirements for adequate compensation arrangements: a professional indemnity insurance policy with a minimum CAD 1 million limit for any one claim and aggregated claims; and requiring the business to take reasonable steps to obtain run-off cover for a period of 12 months.

Under EU regulation, payment service providers, electronic money institutions and payment account information administrators are required to provide an insurance contract or a comparable guarantee as a prerequisite for getting a licence for payment initiation or account information service provision. Because the proposed Czech regulatory sandbox will not offer regulatory waivers, the compensation and consumer protection measure set in each license type should provide the appropriate protection so that all consumers can be offered the product. If the regulator assesses that extraordinary risks are associated with a particular test, it can use a consumer suitability test and allow only sophisticated/accredited/non-retail consumers to participate. Alternatively, it can demand a clear consent of consumers to use the service, expressing agreement to the risks.

In many regulatory sandboxes risk identification and mitigation measures are included as part of the eligibility criteria (Bromberg, Godwin and Ramsay, 2017[16]). In cases where a restricted licence or a waiver is offered, businesses or individuals might seek to use their participation in a regulatory sandbox as a means of legitimising their unlicensed schemes. In EU member states, regulatory sandboxes where no exemptions from the authorisation process are offered to participants, there should not be additional layers of risk other than the ones addressed and monitored by the supervisor for all supervised activities. In the case of Australia, ASIC’s industry licensing exemption has attracted the objections of consumer groups.

Most regulatory sandbox arrangements do not require that applicants use a particular technology to be accepted to the sandbox. A regulatory sandbox is a technology neutral solution (EBRD, 2019[7]). However, as regulatory sandboxes are set up with the objective to test a product, service, or business model it is expected in application criteria that the level of development of the business model and the underlying technology is sufficiently advanced to begin the testing. The regulatory sandbox supervisory and guiding team relies most often on the staff of the financial supervisor. Industry and technology experts are usually not part of this team, if anything, they have a role in the selection phase to the testing environment. An innovation hub is a more appropriate venue than a regulatory sandbox for firms that are still struggling to find the technological solution for their product.

Access to data is one of the attributes to be considered in the design recommendations of this feasibility study. Indeed, a considerable part of Czech FinTechs use data and access to data has the potential to foster more innovation. However, financial data at customer or SME level (such as banking or transactional data) contains personally identifiable information and is subject to strict obligations under GDPR.

Providing access to public data, test data, anonymised data or synthetic data are the possible options to overcome issues of data security and privacy. The FCA has so far been the only regulatory sandbox to include micro level data, real and public, or synthetic for FinTechs to test on. FinTechs have expressed high demand for the data though it is not without drawbacks (see Section 1.4).

The FCA conducted legal analysis and concluded that there is not a sufficient legal basis for its regulatory sandbox to make large volumes of real personal data available for FinTechs. Further, the FCA has decided so far against using pseudonymised and anonymised data assessing that the privacy risk remains considerable. The FCA therefore chose to generate and make available synthetic data to their regulatory sandbox participants (FCA, 2021[17]).

When developing the framework for the EU Digital Finance Platform’s Data hub, it was considered to use companies’ credits, loans and balance sheet information available to the European Commission (EC). However, many members of the EFIF warned the EC that this information (particularly the loan and credit data sets) was highly confidential/sensitive and could not be shared with third parties due to legal reasons. For that reason, a preliminary stage in the development of the data hub became the synthetic data pilot in Spain (Dirección General de Estabilidad Financiera et al., 2022[18]).

Within the pilot environment, the FCA provided data that could be accessed either via an API or through an integrated Jupyter Notebook (enabling to process and analyse large volumes of data) (FCA, 2021[17]).

2.2.6. Legislative changes

The main benefits of the recommended design of the regulatory sandbox relate to strengthened co-operation and increased level of assistance of the Czech Authorities to entrepreneurs in obtaining a licence, emphasis on the use of the current possibilities of proportional access and intensive exchange of knowledge. The proposed regulatory sandbox design could be launched within the framework of the current legislative framework and does not require a new law to be established, as it does not deviate from existing EU law and does not envisage the offering of any kind of waivers or exemptions. A proportional application of regulatory and supervisory requirements, as embedded in EU regulation, should be used appropriately and at the discretion of the Authorities.

If, after the first years of the operation of the regulatory sandbox, it is assessed that a beneficial option would be to use a restricted authorisation model or to introduce rule waivers, class waivers or no enforcement action letters, it would be necessary to enshrine such options in a legislative change. Equally, implications of the local legal framework of the Czech Republic (e.g. administrative law provisions and implications of public law for the implementation) are not being analysed in this report. Such legal advice can be obtained by the Czech Authorities from competent parties should they require such an assessment.

2.3.1. Recommended risk register

The operation of the regulatory sandbox should monitor whether a tested activity or service may result in the exacerbation of systematic or reputation risks or harm competition in the financial services sector. It is recommended that the sandbox keeps a risk register where the activity of participants is evaluated, and the following risks can be mitigated:

CGAP suggests that products and services that are tested in a regulatory sandbox may present additional risks that may be hard to assess before the innovation is fully launched in the market. These risks may include those stemming from features of the innovation and/or limited regulatory and supervisory capacity. Such a systematic risk can be prevented by well-designed regulatory requirements and adequate supervisory tools necessary for collecting and analysing the data generated or used by new technologies (Jenik and Lauer, 2017[19]).

Liability issues may arise in case of failed testing that results in harm to customers or other market participants in the case of regulatory sandboxes, which allow significant exceptions to the standard licensing regime. Such a situation would threaten the reputation of the regulator and trust of customers in the financial system. This risk is unapplicable with regard to the framework recommended for the Czech Republic, because no exceptions form the licensing regime are offered to FinTechs under this set of recommendations. Resolution and compensation measures for consumer are already in place with regard to licensed entities as per the standard applicable frameworks. On the Authority’s side, early termination is covered (see Section 2.3.7) if it realises that there is higher than expected risk to consumers or the financial sector stemming from the tested product/service or if fraud or any other similar shortcomings arise, in the same way that a license can be revoked under regular conditions.

Risks may also result from the lack of consumers’ understanding of a new product. Transparent communication of the specifics of the regulatory sandbox are needed to realistically adjust expectations.

Advice and support of the participant may be seen as a disruptor to the competition. Clear, not overly vague, selection criteria are providing transparency in order to avoid selection bias.

Possible limited capacity of regulator in terms of adequate resources of staff and funding may lead to following risk of poor selection of participants of the regulatory sandbox caused by the limited capacity of the regulator to assess the innovation. Moreover, overburdened staff which would be given extra duties in the frame of a regulatory sandbox instead of creating a new dedicated regulatory sandbox unit, there is a risk of insufficient capacity to address the main regulator’s responsibilities. Therefore, it is necessary to sufficiently assess the necessary number and skillset of dedicated personnel.

2.3.2. Eligibility criteria

The recommended criteria to be met by applicant firms wishing to be admitted to the Czech regulatory sandbox include (Table 2.3): The regulatory sandbox applicant offers an innovative financial product, service, business model or solution; the product brings benefits to users of financial services in the Czech Republic; the product is ready for market launch so that testing in a regulatory sandbox is feasible and safe; there is a specific need for testing of the product; the applicant is of good character; responsible management of personal data is ensured; the applicant commits to investor protection and compliance; and there is direct or indirect relevance to the Authority running the regulatory sandbox. It is recommended that participants in the regulatory sandbox hold the appropriate license for the regulated activity undertaken or are ready to apply for a license in order to have a license before the start of the testing phase, if the Authority deems that the activity falls within the perimeter of regulated financial activity.

In particular, the following eligibility criteria, which are based on good practice of the regulatory sandboxes of EU Member States, are recommended for the Czech regulatory sandbox in more detail:

The regulatory sandbox applicant offers an innovative product, service, or business strategy that makes use of novel or developing technologies to offer fresh or enhanced financial services in the Czech marketplace, including a new adaptation or material improvement of another financial product, service, business model or solution. A product, service, or business model that makes use of current technology in new or creative ways will also be referred to as an innovative financial product.

The product brings benefits to users of financial services in the Czech Republic and these benefits are identifiable e.g. it offers a different solution from other offerings on the Czech financial market, an enhancement of an existing product, service, business model or solution, a more inclusive business model or a solution that increases the efficiency of financial institutions or markets, etc.

The product is ready for market launch so that testing in a regulatory sandbox is feasible and safe if the applicant has a clear idea of what it expects from its participation in the regulatory sandbox (applicant is capable to specify a concrete testing target) and the company has sufficient staff and financial resources and capacity to ensure its operations and the provision of the relevant financial service. It includes readiness to handle testing technically (the product has appropriate and sufficiently robust and resilient ICT infrastructure and mechanisms for data security and against cyber-attacks), deal with risks that may arise during testing (i.e. analyse these potential risks in advance and prepare mitigation measures), and – importantly – readiness of the company to meet regulatory requirements. The latter means that the company is either a licensed company or ready to apply for a license in order to have a license before the start of the testing phase, if the license is deemed necessary according to the Czech Authorities. In case the Authorities deem that a license is not necessary, the Czech Authorities have the discretion to allow the company to perform the testing or not.

There is a specific need for testing of the product for example in case that there is an existing controversy or ambiguity about applicable law that would otherwise prevent the standard launch of the product or a there is a need to test the product in a limited form before it is fully launched.

The criterion of good character is demonstrated by clean criminal record of the applicant.

Responsible management of personal data is likely to be ensured if the Data Protection Authority does not identify high level of risk of unlawful processing of personal data or unlawful interference with the rights and freedoms of data subjects during the testing.

Commitment to investor protection and compliance can be demonstrated by mitigation mechanisms incorporated in the business plan.

The activity is directly or indirectly covered by the financial legislation.

The business model is relevant to the Authority running the regulatory sandbox.

The above recommended eligibility criteria have been formed taking into account the experience of other EU countries and the specific characteristics of the Czech FinTech ecosystem.

Technological readiness

For regulatory sandboxes to be effective, it is essential that the technology used to track and observe stakeholder participants is robust, reliable and up-to-date. In the design of a regulatory sandbox for the Czech Republic, technology readiness is an important consideration (.

Figure 2.6). It is recommended that firms that become eligible for participation in the Czech regulatory sandbox have a Technology Readiness Levels of at least TRL 4, so that there is a proof of concept tested in a lab setting.12

Figure 2.6. Technological readiness

Technology Readiness Levels (TRLs) are widely used in the technology industry to help management make informed decisions on the advancement and deployment of technology. TRLs offer several benefits when used in the design of a regulatory sandbox. Firstly, they provide a common understanding of the state of technology, allowing stakeholders to assess the maturity and readiness of a particular financial innovation. Secondly, they help in managing risks by providing a clear understanding of the technology’s development journey and its potential for successful deployment. In the third place, the regulator should take into account the technology’s stability and scalability. These evaluations are required to establish a strong foundation and guarantee the success of the testing procedure. Israel, for example, requires a TRL6 in its regulatory sandbox (Israel Innovation Authority, n.d.[20]).

There are, however, some limitations in the usefulness of TRLs. For example, there is no direct correlation between the readiness and the appropriateness or technological development of a product. The regulator has to take into account the compliance with current systems and regulations, and validate the ethical dimension of the technology (see Table 2.5).

Table 2.5. EU Definitions of technology readiness levels
Technology Readiness Level (EU)	Definition
TRL1	Basic principles observed
TRL2	Technology concept formulated
TRL3	Experimental proof of concept
TRL4	Technology validated in lab
TRL5	Technology validated in relevant environment (industrially relevant environment in the case of key enabling technologies)
TRL6	Technology demonstrated in relevant environment
TRL7	System prototype demonstration in operational environment
TRL8	System complete and qualified
TRL9	Actual system proven in operational environment (competitive manufacturing in the case of key enabling technologies)
Source: Extract from Part 19 of the Commission Decision C(2014)4995 from the European Commission (2020[21]), Technology readiness levels (TRL), https://ec.europa.eu/research/participants/data/ref/h2020/wp/2014_2015/annexes/h2020-wp1415-annex-g-trl_en.pdf.

One of the key elements of technology readiness in a regulatory sandbox is the ability to accurately track and observe the participants, including the ability to identify and verify the identity of the participating FinTech companies and their customers, as well as the ability to monitor and record the transactions and activities that take place within the regulatory sandbox. It is necessary the use of robust and reliable technology, such as blockchain and artificial intelligence, which can ensure that data is securely and accurately recorded and can be easily accessed by the regulator.

Another important aspect of technology readiness in a regulatory sandbox is the ability to ensure that the technology used is up-to-date. In order to do this, the technology used in the regulatory sandbox must be continuously tested and monitored so as to spot and fix any problems that may occur. To make sure the technology is appropriate for the task at hand, it might be necessary to use simulations and involve the participation of experts in the field.

In the third place, a critical aspect of technology readiness is the ability to ensure that the data collected is protected and secure. This is especially important in the Czech Republic, where data protection laws are strong and regulations are strict. To ensure compliance, it is essential to implement robust data security measures, such as encryption and multi-factor authentication, to protect the data collected from unauthorised access or breaches.

When it comes to the leadership of the implementation of the regulatory sandbox, it is important that the responsible entity is well equipped to handle the complex technical and regulatory issues that may arise. The responsible entity could be a dedicated unit within the financial regulator or a separate body with a mandate to oversee the regulatory sandbox. It should have the necessary resources and expertise to oversee the operation of the regulatory sandbox, monitor the progress of the participants, and provide guidance on regulatory issues. Additionally, close collaboration with international regulatory bodies and other regulatory sandbox initiatives in other countries should be established to exchange information and best practices.

2.3.3. Licensing procedure

It is recommended that, as in other EU member countries, the Czech regulatory sandbox does not waive licensing requirements or requirements under the national or EU legislation, and does not offer any alleviation to sandbox participants that cannot be granted as part of the normal authorisation process. To the extent that an applicant is pursuing an activity that requires authorisation, it will be subject to the same supervisory framework as applies to authorised firms in general. A license should be obtained before applying to the regulatory sandbox or it can be obtained at the application stage. In case that during the preparatory phase, the Czech Authorities assesses that the innovation of the applicant does not need the license, it can decide that the testing in the regulatory sandbox would nevertheless be beneficial and prepare the testing plan for the testing phase.

The UK allows a license to be obtained after admission to the regulatory sandbox but prior to commencement of the test as well. The supervisor may assist in the application, and often that is the case. If the firm has been accepted to the regulatory sandbox than that means that the supervisor has recognised that it offers a true innovative product and has the potential to contribute to consumer benefit, then this makes for the rationalisation of assisting the firm to receive authorisation. In fact, firms tend to see, often mistakenly, that the regulatory sandbox is a faster track to authorisation. If the supervisor plans to increase the supervisory resources, it allocates to the regulatory sandbox compared with the regular authorisation track than perhaps a faster process might be achieved. Regardless of the timeframe, all regulatory rules will continue to apply. The use of proportionality as discussed in Section 2.2.1 is the only leeway available to the supervisor in terms of the requirements from the firm to receive the license.

An alternative situation might be where the Czech Authorities are not sure whether the activity sought by the applicant fits within one of the existing license regimes. In this case there is much potential added value for the supervisor if this firm is accepted into the test, because it will give the Czech Authorities an opportunity to get a better understanding of the business model. In the end of the test phase, the Czech Authorities might have a clearer understanding of how the law applies to this activity, and whether a license is appropriate. Often, FinTechs seek authorisation as they see this as a way to legitimise their business and prefer to have a license even when they might not necessary require one by law. In particular in this group, we should consider firms where a legislation is underway, whether at the EU or national level and a firm that might soon be opt for authorisation is applying (for example the upcoming Markets in Crypto-Assets (MiCA) Regulation).

A possible type of applicants might be partnerships between established companies and third-party FinTechs. The licensed incumbent might seek such participation to avert the risk of pursuing an activity which is outside of its current license scope. If funding or data are also offered for participants, this will increase the attractiveness for incumbents. For the supervisor, the authorised incumbent will need to bear any regulatory requirements, but as it is already accustomed with supervision, it will already have most or all safeguards in place. In the FCA regulatory sandboxes such partnerships have participated, whereas in Austria so far there have not been applications of this form. In the first two cohorts of the FCA regulatory sandbox, partnerships between large firms and start-ups have proven to be successful for both parties, particularly for giving the start-up access to a larger pool of existing customers to test with (FCA, 2017[22]). FinTechs are also able to leverage the resources, experience, and knowledge of the large firm. Before launching their digital sandbox, 56% of participants stated they intended to collaborate with at least one other team in the cohort. Participants stated that the adjacent nature of their solutions meant there would be valuable learning opportunities and the potential for partnerships (FCA, 2021[17]). In Israel such co-operation is encouraged and several incumbents have made public on the test website what is the problem they are looking for a technological solution to. The co-operation might thus arise within the test framework, with the regulatory sandbox offering the motivation for both parts.

2.3.4. Application

To the extent possible, it is recommended that application be performed in a digital manner with as much of the documents having a predefined structure.

The following information has been identified as common in the application and appropriate for the objectives of the Czech regulatory sandbox:

1. a. Contact and identification details

2. b. License status, regulatory requirements, regulatory gaps

3. c. The business plan, description of the product, management competence, potential customer segment, firm financial capabilities, market competitors, potential for expansion abroad, market entry boundaries, expected market impact, what is the innovation

4. d. The need to enter the test

5. e. The outline of the test, including measurable milestones during the testing (technological and business)

6. f. Intellectual property aspects related to the tested product or service

7. g. a description of the key risks of the proposed test (to both consumers and the Applicant’s business) and how the Applicant intends to mitigate these

8. h. Underlying technology, development level

9. i. An exit plan

10. j. An outline of the applicant’s next steps if the test is successful.

2.3.5. Authorisation model for assessment

It is recommended that participants in the Czech regulatory sandbox be preselected by a special Advisory Board that will provide a non-binding opinion. This will then be validated or rejected by the Czech Authorities, not applying to the CNB, as the CNB has no legal basis to issue such a decision. The Advisory Board could for example comprise of representatives of the industry, academia, the Czech National Bank, the Ministry of Finance of the Czech Republic, Ministry of Industry and Trade, CzechInvest and Data Protection Agency. It would give a chance to consider multiple angles in relation to the eligibility criteria. It is reasonable to ensure diversity of the Advisory Board to maximise the positive effect of exchange of views and experience in relation to assessed business models. The CNB and the MFCR can provide their expertise in the context of the Advisory Board.

The exact design of the functioning of the Advisory Board should be chosen on the basis of a discussion between the regulatory sandbox implementer and the potential members to best reflect their specific ideas of involvement and capacity to ensure the effective functioning of the Advisory Board.

2.3.6. Preparatory phase

After the application has been evaluated and the applicant has been selected, the applicant is notified and allocated to the contact person in the regulatory sandbox. The selection is followed by the preparatory phase, during which the contact person prepares a testing plan together with the applicant. This plan determines how the testing will be carried out and the participant commits to its performance in the testing plan. The testing plan may include the length and rules of the testing, any restrictions, such as a maximum number of customers to be served, safeguards to protect users of the innovative financial service (e.g. the obligation to inform the user that the product is currently being tested in a regulatory sandbox, the obligation to obtain informed consent from the user, or the obligation to provide evidence of insurance to cover any potential damages the user may incur). The testing plan may specify a level of proportionality which the Czech Authorities may decide to exercise (supervisory discretion by considering certain factors, such as the risk profile, or the size, complexity and interconnectedness of the firms concerned) (Parenti, 2020[9]). The testing shall focus on the compliance of the financial innovation with the relevant regulation (i.e. regulatory aspects of innovative financial services, such as the adequacy of the existing regulation), the existence of any unexpected risks (which would be eliminated after their identification by the Czech Authorities) and the practical implementation of the financial innovation on the market (i.e. whether the product is in demand among users, whether the business model is well set up etc.). The test plan clarifies the expectations of the actors, it is for consideration whether there is a sufficient basis to make it legally binding. Testing on the basis of such a test plan is beneficial for both Authorities, who have the opportunity to learn from close observation of a potentially interesting innovation, and innovators, who have the opportunity to discuss their business model with Authorities and ensure its maximum compliance with relevant regulations.

2.3.7. Exit procedures: early and planned

It is recommended that firms applying to the Czech regulatory sandbox should produce an exit plan, accepted by the Authorities that would allow the orderly termination of the test at any point in time. Upon termination, a report by the firm should be submitted analysing the results and the experience in the regulatory sandbox. Early termination should remain an option both for the participating firms and the Authorities. For the firm such option should be available in case the business model turns-out as insufficient, and for the Authorities, if it comes to the conclusion that the activity poses any risk to financial stability or higher than expected risk to consumers, in the same way that a license can be revoked under regular conditions.

ESA proscribes that regulatory sandbox-participating firms should be required to develop plans to provide for a controlled exit from regulatory sandboxes, including to ensure an appropriate degree of protection for consumers, with either the continuation or discontinuation of the test propositions (ESMA, EBA and EIOPA, 2019[2]). The UK, Singapore and Hong Kong require regulatory sandbox participants to develop an exit plan to ensure the test can be terminated at any time with minimal damage to consumers (EBRD, 2019[7]). In the Netherlands, authorised financial institutions may be required to draw up an exit strategy envisaging an orderly market exit when entering the regulatory sandbox. For new market entrants (entity without (the correct) authorisation) it is required to provide an exit plan. The components of the exit plan should include, among others: triggers for exit; exit procedures; essential functions that will need to continue; communications plan; describe how ongoing customer relationships will be wound up. In Lithuania applicants need to show an activity termination plan which is to be applied if, following the exit from the regulatory sandbox, service provision will be terminated. In addition, FinTech applicants need to describe the actions to be taken after a successful exit from the regulatory sandbox to further develop the tested financial innovation.

Further, in frameworks where a waiver or a restricted licence is offered to participants, the termination of the testing phase usually implies that the testing firm cannot continue operating under this regime anymore and a full license, if applicable, is required (Australia). If the firm complies with the full license requirements it can broad the scope of the offered services.

Upon exit or termination of the test, authorities often request the participating firms to draw and submit a summarising report. In the UK, the report should include the lessons learned from the test, and how any deficiencies are to be dealt with. The report will include the description of the test and its main attributes, results and next steps for the business. The FCA also asks for participants feedback regarding their experience within the FCA regulatory sandbox and often publishes an analysis report for different cohorts of the regulatory sandbox, in particular if major changes were introduced to the framework, such as adding access to data. Good level of record keeping might be useful for an efficient analysis of the test. It is possible to consider requiring firms to submit interim reports for this purpose. In Israel, due to the financial support provided to the test, the IIA will conduct a financial and technological audit, at the end of which a final accounting will be carried out.

Early exit is usually available in reviewed sandboxes (see Annex D). In particular, this option is allowed in cases where the firm realises there is no consumer uptake. On the Authority’s side, early termination might be needed if it realises that there is higher than expected risk to consumers or the financial sector stemming from the tested product/service or if fraud or any other similar shortcomings arise, in the same way that a license can be revoked under regular conditions. The Bank of Lithuania mentions in addition that admission to its regulatory sandbox may be revoked if during its participation in the regulatory sandbox the participant fails to meet the testing conditions indicated in the testing plan (The Bank of Lithuania, 2018[23]).

2.3.8. Recommended timelines

The willingness of policy makers and supervisors to establish testing environment goes hand in hand with the recognition that supervision and authorisation process are often perceived by FinTechs as a barrier for growth. FinTechs operate in a competitive environment over funding, that can be of scarce supply, and due to their small and young nature, do not usually enjoy much internal disposable funding. Their effort is concentrated on completing as quick as possible the development and deployment of their product (time-to-market) to attract more funding. Bearing this objective in mind, it is recommended as a prerequisite for the Czech regulatory sandbox in order to attract demand by FinTechs, that the application and authorisation timelines be attractive.

As for the testing phase, the timeframes vary from 6 to 24 months. In the Netherlands, Hong Kong and Singapore testing timeframe is determined on a case-by-case basis (EBRD, 2019[7]). Time frame can usually be extended following a request by the firm. Alternatively, the competent authority has the power to terminate a test, or a firm may stop the testing through an orderly exit.

The main stages of the testing process that require setting a timeline are the following:

1. a. The application stage – is application to the regulatory sandbox continuously available or are there specific predefined and restricted time intervals throughout the year when firms can apply.

2. b. The time from the end of the application period until a decision on participation is communicated to the firm. As recommended, there will be a continuous option to apply for the regulatory sandbox, the time limits for this stage will depend on the frequency of gathering of the advisory board. We suggest the time for this stage not to exceed 90 days.

3. c. The consecutive stage is to allow the authority and the firm to construct a detailed testing plan. We propose 60 days for this phase. If the company is not already licensed and during the construction of the testing plan the Czech Authorities advises the company to apply for a specific license, this stage, including the licensing procedure will be determined by the administrative rules.

4. d. The testing phase itself when the firm is offering its products to customers, as applicable. We propose 12 months as is frequent in other regulatory sandboxes, with options both for an early exit and an extension.

5. e. The ending phase where usually the firm is required to draft and submit a report analysing the results of the test, and for the regulator to inform the firm of any restrictions that may be lifted, or imposed, to receive a full license, if applicable. We propose 60 days for this phase.

2.3.9. Measurement of performance

Regulators should have a clear understanding of how success will be measured in the regulatory sandbox. This can be achieved by identifying Key Performance Indicators (KPIs) and using feedback loops to continuously improve the supervisory approach. It is advisable for regulators to focus on principles-based regulation rather than rules-based regulation, as this will allow them to regulate the activity rather than the entity. Additionally, effective communication with the market is crucial. Some regulators have established dedicated webpages as regulatory sandbox portals to increase awareness, share relevant documents, and provide information to companies (World Bank, 2020[24]). The recommended set of KPIs for the Czech regulatory sandbox are presented in Figure 2.7.

Figure 2.7. Recommended set of KPIs

Having KPIs for monitoring a regulatory sandbox for FinTechs is essential in measuring the success of the sandbox, as it helps to determine if the sandbox is meeting its objectives. By selecting the right KPIs, regulators can effectively track progress, measure success, and make necessary adjustments to their regulatory approach. The KPIs selected for a regulatory sandbox should depend on the objectives of the regulatory sandbox. Possible categories of KPIs include people and skills, corporate finance, compliance and risk, competition, financial inclusion, and innovation and data management, provide a comprehensive picture of the impact of the regulatory sandbox. For instance, measuring the number of jobs created and the amount of money raised by FinTechs in the regulatory sandbox can help assess the contribution of the sandbox to facilitating and speeding up the deployment of innovation, and attracting FinTechs locally and globally. The number of registered users and of firms created can measure the regulatory sandbox’s impact on competition and adoption of new technologies, while the percentage and characteristics of the population reached can provide insight into the sandbox’s contribution to financial inclusion. Finally, the number of products available and the number of datasets available can demonstrate the regulatory sandbox’s success in fostering innovation and effective data management. These KPIs provide a comprehensive picture of the regulatory sandbox’s impact on various stakeholders and help regulators determine if the sandbox is meeting its objectives.