CBN Issues Framework for Regulatory Sandbox

0

1.0 Introduction
In view of increasing consumer appetite for payment solutions and emerging disruptive technology in the financial services space, the Central Bank of Nigeria (CBN) has deemed it pertinent to ensure new and more flexible ways of engaging with the industry. One of the options being the use of a Regulatory Sandbox which is a formal process for firms to conduct live tests of new, innovative products, services, delivery channels, or business models in a controlled environment, with regulatory oversight, subject to appropriate conditions and safeguards. This would enable the Bank stay abreast of innovations while promoting a safe, reliable and efficient Payments System to foster innovation without compromising on the delivery of its mandate.

This Framework, therefore, defines the establishment, rules and operations of a Regulatory Sandbox for the Nigerian Payments System to promote effective competition, embrace new technology, encourage Financial Inclusion and improve customer experience, with a view to engendering public confidence in the Financial System.

1.1 Objectives

The objectives of the Regulatory Sandbox Operation in Nigeria are as follows:

i. To increase the potential for innovative business models that advance financial inclusion;

ii. To reduce time-to-market for innovative products, services, and business models;

iii. To increase competition, widen consumers’ choice and lower costs;

iv. To ensure appropriate consumer protection safeguards in innovative products;

v. To clearly define the roles and responsibilities of stakeholders and the operations of the Sandbox for the Nigerian Payments System industry;

vi. To ensure adequate provisions in regulations to create an enabling environment for innovation without compromising on safety for consumers and the overall payments system; and

vii. To provide an avenue for regulatory engagement with FinTech firms in the payment space, while contributing to economic growth.

1.2 Scope

The Framework provides standards for the operations of a Regulatory Sandbox, and prescribes the processes and procedures for analyzing, collecting, updating, integrating, and storing of consumer data and information. The Sandbox encourages innovation that can improve the design and delivery of payment services and is therefore, also suitable for proposed products, services or solutions that are either not contemplated under the prevailing laws and regulations, or do not precisely align with existing regulations.

The CBN reserves the right to provide further support by relaxing specific regulations within the period of operations in the sandbox. Upon completion and on exiting the sandbox, the successful entity is expected to meet relevant legal and regulatory requirements. Innovative products or services previously rejected shall be considered for sandbox trials on a case by case basis. However, products and services that are outrightly unlawful under the laws of the Federal Republic of Nigeria shall not qualify for sandbox trials.

1.3 Eligibility of Sandbox Participants

The eligibility criteria for applicants is as follows:

(a) The product, service or solution is innovative with clear potential(s) to:

i. Improve accessibility, customer choices, efficiency, security and quality in the provision of financial services; or

ii. Enhance the efficiency and effectiveness of Nigerian Financial Institutions management of risks; or

iii. Address gaps in or open up new opportunities for financial benefits or investments in the Nigerian economy.

(b) Ensure that applicants will provide the proposed project within a limited transaction (value and volume) for better risk management and mitigation. The limits shall not be exceeded during the testing period.

(c) The applicant has conducted an adequate and appropriate assessment to demonstrate the usefulness and functionality of the product, service or solution and identified the associated risks which should be devoid of adverse effect to existing structures and consumer experience;

(d) The applicant has the necessary resources to support testing in the sandbox. This includes the required resources and expertise to mitigate and control potential risks and losses arising from offering of the product, service or solution;

(e) The applicant should have a business plan to show that the product, service or solution can be successfully deployed after exit from the sandbox;

1.4 Participants In The Sandbox Operations

The Sandbox application process is open to both existing CBN licensees (financial institutions with FinTech initiatives) and other local companies. The latter may include Page 5 of 15 financial sector companies as well as technology and telecom companies intending to test an innovative payments product or service industry deemed acceptable by the CBN. Others that can also apply include: Those proposing non-regulated financial products and services using emerging technologies, i.e., Innovators whose proposed solution involves technologies which are currently not covered under existing CBN regulations.

1.5 Risk Assessments And Safeguards

1.5.1 An applicant shall identify the potential risks to financial institutions and financial consumers that may arise from the testing of the product, service or solution in the sandbox and propose appropriate safeguards to address the identified risks.

1.5.2 In assessing the risks and evaluating the proposed safeguards, the Bank will give due regard to the following:

a. Preserving sound financial and business practices consistent with monetary and financial stability;

b. Promoting the fair treatment of consumers;

c. Compliance with AML/CFT regulations;

d. Protecting the confidentiality of customer information;

e. Promoting the safety, reliability and efficiency of payment systems and payment instruments;

f. Encouraging healthy competition for financial products and services.

Proshare Nigeria Pvt. Ltd.

2.0 Application and Approval Requirements
Applications to the sandbox process would involve an invitation placed on the CBN website, and local newspaper advertisement. The details of the advert would include the minimum eligibility criteria to shortlist applicants who qualify to be absorbed into the sandbox. Receipt of application shall be acknowledged to applicants within 5 working days after submission.

Firms wishing to enter into the CBN’s Regulatory Sandbox shall apply to the CBN through the Regulatory Sandbox online application platform accessed via the CBN’s official email address – Sandbox@cbn.gov.ng .The application must be submitted with a cover letter signed by an authorised signatory of the entity and addressed to the Director, Payments System Management Department, Central Bank of Nigeria, Abuja.

The Bank will inform an applicant of its eligibility and approval to participate in the sandbox, 45 working days after the closure of the application window. A Letter of Approval (LoA) would be issued to the Innovator which would allow Sandbox participants to test their innovation upon entry into the sandbox.

2.1 Documentary Requirements

All application trials into the Sandbox shall be accompanied with the following:

i. Board Approval (where applicable) ii. Certificate of Incorporation iii. The company profile and functional contact: e-mails, telephone numbers, office and postal addresses iv. Memorandum of Association Shareholding structure of the Company v. Forms CAC 1.1 (Application for Registration) vi. CVs of Board and Management of the Company vii. Organogram of the Company viii. Project plan alongside a detailed business proposal ix. Key outcomes that the testing is intended to achieve x. A document that shall outline the strategy of the sandbox trials including current and potential engagements, geographical spread and benefits to be derived xi. AML/CFT Policy xii. Evidence of patent certificates or registration of patent rights, where applicable xiii. All firms shall supply any other information that the CBN may require from time-to-time.

3.0 Operational Requirements
The CBN operational requirements of the Sandbox would cover, at least, the following phases:

  1. Filing requirements.

  2. Reporting requirements while in the Sandbox.

  3. Exit conditions and approval for expiration, and/or

  4. Evaluation and Review of an approval.

3.1. Filing Requirements

3.1.1 After the issuance of Letter of Approval, the Bank will engage the admitted participants on the following:

a. Testing parameters such as the scope and duration of the test, regulatory flexibilities requested and frequency of reporting;

b. Specific measures to determine the success or failure of the test at the end of the testing period;

c. An exit strategy should the test fail; and

d. The next steps the firm would take if the test is successful.

3.1.2 In addition to the above, participants prior to entry, shall include the following in the filing requirements:

a. A brief description of the Participant’s organization, including its financial standing, technical and business domain expertise;

b. A brief description of the financial service to be experimented on, in the Sandbox;

c. A description of how the Participant has met the Eligibility Criteria described in Section 1.3 with supporting evidence;

d. A disclosure of the boundary conditions for the Sandbox such as start and end dates, target volunteer customer types, customer limits, transaction thresholds, cash holding limits, and so on;

e. An assessment of the Participant’s readiness for testing which shall include customer safeguards and testing plans;

f. Test scenarios shall include a quantification of the maximum potential direct and indirect losses and impact of the experiment;

g. A description of the customer communications plan, shall include risk disclosures and material information about the company and the Sandbox;

h. A description of the targets and key performance indicators, which will be used to determine the success of the experiment;

i. A description of information and cyber security and other relevant measures taken by the Participant to ensure maintaining safety of the solution;

j. A description of any third-party outsourcing arrangement including the due diligence conducted by the Participant on the third party to ensure information and cyber security; and

k. An assessment of the exit plan, scale-up and deployment strategy, along with an assessment of the timeline and gaps if any in meeting any heightened legal and regulatory requirements after exiting the Sandbox.

3.2. Reporting Requirements While In The Sandbox

  1. Entities shall put in place testing parameters to limit risks to the financial system and for the consumers, while achieving effective testing processes.

  2. The participants shall set consumer protection safeguards, to guarantee consumer protection. Consequently, consumers participating in the testing phase need to be made aware of their rights and especially, be provided with information and contact details of the sandbox to report any complaint or problem they experience.

  3. The participants shall ensure proper maintenance of records during the testing period for a maximum of 5 years, to support reviews of the test by the Bank.

  4. The participant shall submit periodic reports to the Bank on the progress of the test, which includes information on the following:

a) Key performance indicators, key milestones and statistical information;

b) Key issues arising as observed from fraud or operational incident reports;

c) An updated risk register including possibility and treatment of any emerging risk(s);

d) Details on any audits conducted (and where applicable, submission of signed audit reports;

e) Customer satisfaction report, including complaints – if any: f) A detailed log of operational or technical incidents – (if any) and steps taken to address the same; and g) Actions or steps taken to address the key issues referred to in Section 3.1.

  1. The participants shall submit a final report containing the following information to the Bank within 30 calendar days from the expiry of the testing period:

(a) Key outcomes, key performance indicators against agreed measures for the success or failure of the test and findings of the test;

(b) A full account of all incident reports and resolution of customer complaints; and

(c) In the case of a failed or unsuccessful test, lessons learnt from the test and how the firm tends to wind down the test.

  1. The periodic and final reports shall be confirmed by the Chief Executive Officer (CEO) of the company.

Proshare Nigeria Pvt. Ltd.

3.3 Conditions For Extension And Exit From The Sanbox

  1. The application should explicitly indicate the initial testing timeline (in months) for the proposed test. To extend the testing period, a written application must be submitted by the participants to the Bank no later than 30 calendar days before the expiry of the testing period.

  2. The application should state the additional time required and clearly explain reasons for requiring the extension.

  3. To minimize market distortion, the Bank will not generally approve a protracted extension of the testing period unless the solution has been tested positively in general and it can be demonstrated that the extended testing is necessary to respond to specific issues or risks identified during initial testing.

  4. Upon the completion of a sandbox test, the Bank will decide whether the product, service or solution should be introduced into the market.

  5. Innovators must compare the results of their test against its original objectives and specify whether and how they intend to scale-up the technology tested: e.g., direct to consumers or, licensing it to other firms, or establishing new partnerships with other CBNlicensed firms, etc.

  6. The Bank may also prohibit deployment of the product, service or solution in the market upon the completion of the testing due to the following reasons: (a) In the event of an unsuccessful testing based on agreed test measures; or

(b) The product, service or solution has unintended negative consequences for the public and/or financial stability.

  1. Where a participant opts to discontinue in the sandbox, it may do so in writing, seeking the consent of the Bank. The Bank’s consent shall be based on the effective closure of any outstanding regulatory obligations and consumer related matters, that may have arisen from the participant’s sandbox operations

  2. The Bank may provide support for a successful participant for the purpose of obtaining requisite licence in the following ways:

a) Providing guidance in filing their applications for licence

b) Advising on options for addressing identified risk issues.

3.4 EVALUATION AND REVIEW OF AN APPROVAL

3.4.1 The CBN may evaluate and review an approval to participate in the sandbox at any time before the end of the testing period if the participant:

(a) Fails to carry out the safeguards referred to in Sections 1.5 and 7.0.

(b) Submits false, misleading or inaccurate information, or has concealed or failed to disclose material facts in its application;

(c) Contravenes any applicable law administered by the Bank or any applicable law in Nigeria or abroad which may affect the participant’s integrity and reputation;

(d) Is undergoing or has gone into liquidation;

(e) Breaches data security and confidential requirements;

(f) Carries on business in a manner detrimental to consumers or the public at large; or

(g) Fails to effectively address any technical defects, flaws or vulnerabilities in the product, service or solution which gives rise to recurring service disruptions or fraud incidents.

3.4.2 Before reviewing an approval to participate in the sandbox, the Bank will:

(a) Give the participant 45 days’ notice in writing of its intention to review the approval; and provide an opportunity for the participant to respond to the Bank on the grounds for review.

(b) Where any delay in reviewing the approval would be detrimental to the interests of the participant, their customers, the financial system or the public generally, the CBN may review the approval immediately and provide the opportunity for participant to respond after the effective date of review. If the response is accepted by the Bank, the Bank may reinstate the approval to participate in the sandbox.

3.4.3 Upon the review and evaluation of an approval, the participant must:

(a) Immediately implement its exit plan to cease the provision of the product, service or solution to new and existing consumers;

(b) Provide notification to customers informing them of the cessation and their rights to redress where relevant;

(c) Comply with obligations imposed by the CBN to dispose of all confidential information including customer personal information collected over the duration of the testing;

(d) Submit a report to the Bank on the actions taken within 30 working days after review.

4.0 Sandbox Cohorts
The term cohort refers to the group of innovators that share the characteristic of having been allowed to enter the Sandbox at the same time for the same period. There will be one cohort per year named after the year in which the cohort was accepted (for example: 2019 Cohort). Application windows for a given cohort as well as list of the firms included in that cohort would be published on the Bank’s website. The number of innovators to be accepted into a cohort is a function of the Bank’s resource capacity to support innovators. Typically, a cohort will be made up of a predetermined number of innovators, as the type of innovators to be accepted into a cohort is based on the sandbox eligibility criteria and on the sandbox strategic objectives.

5.0 Responsibilities of The Central Bank of Nigeria
The CBN shall be responsible for:

i. Issuance of the Regulatory Framework for Sandbox Operations;

ii. Admitting all eligible participants into the Sandbox process;

iii. Issuance of a Letter of Approval (LoA) for entry into the sandbox;

iv. Communication of the Bank’s decision on the outcome of the participants in the sandbox test;

v. Issuance of an Approval-in-Principle (AIP) in order to deploy its digital solution to the market, subject to the participants being able to meet CBN’s licensing requirements;

vi. Ensuring that the objectives of the Sandbox are fully achieved;

vii. Conducting oversight on Sandbox participants’ operations and systems;

viii. Monitoring other stakeholders to ensure compliance;

ix. Issuing circulars to regulated institutions on the operations of the Sandbox;

x. Reviewing this framework for the operations of the Sandbox from time to time;

xi. Apply appropriate sanctions for non-compliance where needed;

xii. The Director, Payments System Management Department of the CBN shall review cases referred to it before issuance of an operating licence or a formal clearance to an entity/participant for the purpose of delisting from the Sandbox.

Proshare Nigeria Pvt. Ltd.

6.0 Responsibilities Of Participants

The participants in the Sandbox shall:

i. Be responsible for monitoring and supervising the activities of its operations and staff.

ii. Have information on the tests carried out for each type of service or innovation;

iii. Monitor effective compliance with set limits and establish other prudential measures in each case;

iv. Take all other measures to enable it to operate strictly within the requirements of this Framework.

v. May leverage APIs available from other CBN licensed institution’s innovation sandboxes.

The Bank encourages innovation; thus, participants may leverage the sandbox of other regulators to the extent of the segment of their products that falls within the jurisdiction of the other regulator.

7.0 Positioning 0f Customer Safeguards
As part of the evaluation phase, the Bank and Innovator shall agree on the set of consumer safeguards in order to mitigate the risk to consumers participating in the testing exercise. While the measures are bespoke to each test, it will depend on the nature of the risks identified, and will be proportionate to the impact and probability of the risks occurring or causing consumer disadvantage.

While the list is inexhaustive, below are examples:

i. Limitations on the number and type of customer(s)/clients that will participate in the test.

ii. Limitations on the type and size of transactions.

iii. Extra requirements related to the participants Fintech company handling and protecting of consumer data, in line with extant laws and regulations.

iv. Providing adequate disclosure of the potential risks to customers participating in the sandbox and confirmation from such customers that they fully understand and accept the attendant risks.

v. Limiting the duration of the testing period to a maximum of six (6) months cohort basis, or promptly asking for an extension when needed.

vi. Providing a consumer redress mechanism, including the possibility for financial compensation for sandbox participants whose data may be harmed in a test under clearly specified circumstances; the Bank shall review all cases handled through the Consumer Redress Mechanism handled by the participant to measure fairness.

vii. In the event the customer is not satisfied with a resolution of the participant, such issues may be escalated to the Sandbox Innovation Office.

viii. Committing adequate and competent resources to undertake the testing and implement risk mitigation solutions that have been proven to be effective in containing the consequences of failure.

ix. Requirements to carry out system penetration simulations.

x. Requirements to obtain consumers’ prior verifiable consent to the participation in the test.

xi. Restriction or prohibition to hold or control client money or financial assets. xii. Sandbox participants should allow its customers opt out of the test provided they abide with disclosure non-disclosure agreements.

8.0 Confidentiality

  1. Participants shall decide which ideas to discuss, and the extent of details to be disclosed to other participants in the Sandbox.

  2. Participants are required to keep confidential all information disclosed by one party (the Disclosing Participant) to the other participant (the Receiving Participant) during Sandbox events, whether that information is disclosed verbally, in writing or in any other form and whether or not expressly stated to be confidential (confidential information).

  3. The Receiving Participant shall not use the confidential information of any Disclosing Participant to develop content, products, services, technologies or applications, or otherwise other than with the consent of the Disclosing Participant concerned.

  4. If requested by the Disclosing Participant, the Receiving Participant shall destroy or return all the confidential information disclosed during the Sandbox operations.

  5. For the purposes of this Section, confidential information will not include information that is publicly available or has been independently developed without reference to the confidential information shared within the Sandbox, as demonstrated by reasonable written evidence.

  6. The copyright, database rights, trade marks, designs, patents and other intellectual property (IP) arising in any confidential information existing prior to commencement of the Sandbox operations, or subsequently created exclusively by any participant (without reference to the confidential information of, or assistance from, other participants), shall be owned exclusively by that participant.

  7. IP created by any participant by reference to the confidential information of, or in conjunction with, other participants shall be owned jointly by those participants. This means that the affected participants will not be able to copy, use or exploit that joint IP without the consent of the others involved in creating that joint IP.

  8. Participants shall be aware that disclosures of a detailed nature relating to new inventions may prejudice the ability to obtain patent protection for these inventions at a later date. To that end, whilst participants are encouraged to share and shape ideas, detailed disclosures relating to processes or specifications should be reserved until the IP is registered and protected.

Address all enquiries to:

The Director,

Payments System Management Department,

Central Bank of Nigeria, Corporate Headquarters

Central Business District, Abuja.

Tel. No: +234(0)946238346

This site uses Akismet to reduce spam. Learn how your comment data is processed.