It’s A Bird… It’s A Plane … Nope… It’s A Sandbox

When I first heard in November 2015 that the Financial Conduct Authority (FCA) was planning to launch a “regulatory sandbox” in UK, I was convinced I must have misunderstood. Word borrowing from one discipline to another usually leads to confusion and pleas for precise definition (e.g: “cloud” and its ironically vaporous meaning). In the IT delivery world, if you develop anything from mobile apps to analytics applications, you will by definition have sandbox environments with very specific constraints on access, programs and data. A sandbox is designed to allow a developer to try a solution while minimising any possible impact to the rest of the environment where the “good” code is stored. A sandbox has no “future” to speak of — it can be re-set several times per day and it will never become a productive system; meaning is solely used by developers.

So, I donned deerstalker hat, oversized magnifying glass and investigated. Had the loose term of “sandbox” already taken hold? I will not repeat here the points I made in the previous article in The Asian Banker — “Innovation — the “regulatory sandbox” way” but people asked me after the publication of this article why I am not praising the “regulatory sandbox” as was seemingly mandatory. Surely, the FCA is forward thinking, mobile, hip & trendy?

Well no, not really. So, in the following article I would like to bring into the sandbox discussion the perspective of an architect.

In consulting, the architect often works with field specialists and sales people to produce solutions for clients, within given time and money constraints. Over the years I have received countless documents from clients (requests for proposals, quotation, information, etc), which had more or less the following structure:

We have a problem:

That we want to solve

By implementing/developing a piece of software

Which should have at least the following features: x, y, z.

Can you advise us:

What software we should buy or if we should develop in-house?

How much it would cost?

How long it would take?

How many people and with what skills you would need from us?

The FCA “regulatory sandbox” documentation and discussions to date bear a lot of similarity with an RPP/RFQ process so I will apply this structure to analyse the FCA’s requirements.

So, going back to the FCA’s “Regulatory Sandbox” document I searched for the problem statement, and immediately I ran into an underlying issue. I could not find it clearly. I have selected however a few clues:

“We believe that it is feasible for the FCA to reduce some of the existing regulatory barriers to firms that are testing new ideas, while also maintaining suitable safeguards” — section 1.5

“The FCA wants to promote competition by supporting disruptive innovation.” — section 2.2

“The potential benefits of a regulatory sandbox could be significant from:

• Reduced time-to-market at potentially lower cost

• Better access to finance

• More innovative products reaching the market” (section 2.3)

The lack of an explicit problem statement, led me to make an assumption that the problem was as follows:

FCA wants the UK to be an attractive market with an appropriate regulatory framework for Fintech companies. There are important barriers to entry within the market and the FCA believes that a “regulatory sandbox” would lower some of these, while still safeguarding the interests and rights of the consumers. The FCA believes it has a role to play in authorising who can access the sandbox and under which eligibility conditions.

I then tried to find more information about what FCA thinks the sandbox should be and what functionality it should provide to the users and participants. The FCA document insists more on the authorisation process and there is little light into what the sandbox itself will do or contain. I have selected the following statements:

“A regulatory sandbox is a ‘safe space’ in which businesses can test innovative products, services, business models and delivery mechanisms without immediately incurring all the normal regulatory consequences of engaging in the activity in question.” (section 1.2)

In the virtual sandbox participants will not enter the real market but will test “with publicly available data sets, or with data provided by other firms through the virtual Sandbox” (section 1.6, point 5)

“The sandbox is intended for testing new solutions, in real life situations” (section 2.6)

“The sandbox enables the FCA to work with innovators to ensure that appropriate consumer protection safeguards are built in to their new products and services before these reach a mass market”(section 2.5)

“Safeguards for consumers and the financial system while testing will be agreed between the businesses and the FCA on a case-by-case basis” (section1.6)

“The virtual sandbox could be, for example, a cloud-based solution set up and equipped in collaboration between the industry, which businesses then could customize for their products or services, run tests with public data sets or data provided by other firms through the virtual sandbox, and then invite firms or even consumers to try their new solution. (section 4.4)

The document gives most attention to possible safeguarding options for the customers taking part in the tests and to a new and simplified authorisation process to be managed by a dedicated sandbox team. (section 1.6) The cost and timeframe for delivering sandbox type of platform and the functionality of such a platform are not addressed in the document. It seems to me that there is not much “skin in the game” for FCA to refine the problem further as the sandbox will be delivered by “the industry”.

To summarise again, this time the FCA’s requirements for sandbox functionality:

the sandbox could be a cloud-based platform where the technology companies (start-ups) will be able to test their solutions with consumers or firms, sometimes in “real life situations” sometimes “not entering real market” using public data sets or data provided by other firms. The sandbox team of FCA will monitor the testing. As the “regulatory sandbox” will be used for live testing with the customers it is not in technical terms a sandbox at all.

Unfortunately, this is not enough information to start building the sandbox or to buy something.

Let’s try to think just a few steps further though by taking the example of a “regulatory sandbox” candidate, an un-authorised start-up with a beautiful mobile app and a transaction categorisation engine behind that they need to calibrate by testing with customers. The company applies to test on the sandbox, the eligibility criteria and the “testing parameters” having been published this week. Instead of crafting a long convoluted story around our start-up, I will just go through some questions which come to mind when I try to understand how the sandbox will help them and who will be the other stakeholders which need to participate. If you have answers and ideas how things work please help me out of my misery.

• The regulator decided that the start-up provides “genuine innovation” according to the eligibility criteria. One could argue that all the banks and dozens of start-ups have relatively good mobile apps and categorisation engines. The start-up however convinces FCA that their innovation is “genuine” and worthwhile and they gain access to the sandbox.
• The “regulatory sandbox “(singular) is meant to cater for all sort of Fintech propositions not only our candidate. Identity, authentication, payments, aggregation, P2P lending, robo-advisory, blockchain models are just few randomly picked areas of focus for Fintech and FCA will see for sure applicants from all these areas. What are the needs of our particular technology start-up in terms of data and functionality? For simplicity, let’s assume that for “learning” they “just” need transactional data to calibrate their categorisation engine. For testing however they would need integration with something that looks like a bank or operates like a bank or .. is a bank.

A bank is made of thousands of applications with various functions. Yes, it is not ideal. Yes, this is how it evolved in time. Yes, things could get better. Could things go so fabulously well that we have a bank in one platform/application, etc for which this sandbox is the beginning? I’d say no. Sorry to disappoint. Yes, you can dream on. Many people are annoyed about complexity and imagine that if you “simplify” the problem, the complexity goes away. It just doesn’t. To this point, the FCA will not need one system, one sandbox — but dozen interconnected applications just in order to replicate the basic banking data objects (customer, product, transactions) and the processes between them.

• So, it will not be one sandbox but a mini-bank? Hmm, maybe. I don’t know how FCA wants to play this.
• Is it just a “bank”? I’d say that a bank in itself cannot do anything. A bank is a participant in the financial services system and the client’s actions are enabled by this participation. For a start-up to really test with clients it would mean that this “magic box” of FCA would allow the interconnectivity with the real financial services system.
• If this is the case, who would enable this? FCA? How? Will FCA’s force the incumbent banks to co-operate on certain propositions at their own expense? Technical integration is complicated and it is not free.

The FCA paper suggested that the industry will provide “data” for the sandbox. Depending on the start-up business model they will have very different needs or no needs for historical data at all. Assuming that there is a need for data — let’s limit ourselves at three basic data objects: customer, product, and transactions. Would we expect banks to provide such data? Under which conditions? Will the complete anonymisation make the data unusable for the purpose of the start-up? Our candidate start-up would need to know that those transactions belong to a family of four from Sevenoaks to enable and calibrate “people like you” functionality. They would need to run real-time tests if they want to asses if the customer behaviour changes in anyway by using their application which provides let’s say more relevant information.

The quantity of data would not be so important to a start-up trying to calibrate their model but they would need to be able to make specific data requests and then validate their findings. Would this go through FCA or directly to the bank?

• In the case of integration between sandbox and existing financial services institutions in order to enable live testing through access to the finance ecosystem, what role the sandbox will play and why will it be necessary at all as a technology layer?
• We forgot about the start-up’s proposition! Sure they have their own code! Do we install it somewhere with the regulator? Will the regulator run a IaaS? Who assures the security end-to-end? Let’s assume this is sorted and all what they need will be integration with a bank, any bank. Will FCA broker the relationship? Will banks compete for start-ups? Will the start-ups compete for banks?
• Start-ups need customers to run the tests and FCA tells them in the “testing parameters” document published this week that they will have to source the customers themselves. FCA suggests a number of possible approaches for safeguarding the customers taking part in testing (section 3.14 -3.18) If all these are ok and agreed, is there a mechanism that we don’t know yet of which allows a customer to easily pass his/her banking data to a third party? Or we all go the Yodlee way?

There are plenty of other questions and to make matters more confusing, the FCA announced this week that they will operate the sandbox in a way “not dissimilar to how accelerators operate”. I am sure this is not news to many but accelerators don’t have sandboxes.. They have various way of working and bringing value to the start-ups — mentorship, partnership brokering with financial institutions and investors, etc. FCA cannot go into this without clearly creating conflict of interest.

Given my above comments you would think that I am against innovation in financial services. I want to assure you that on the opposite, I almost “desperately” want innovation to happen. I want to see experimentation, open innovation, competition and collaboration. I do not understand how the selection by regulator of what “genuine innovation” is can encourage competition and innovation. How the selection of “two cohorts per year” encourages competition? Is competition and innovation something that happens on schedule by ticking boxes?

The regulators should definitely play its role and establish the rules, which would allow collaboration to happen freely on the market. I do not believe however that this includes that they should centrally manage platforms for live testing. The same rules that stop banks today from sharing any customer data with a third party will stop the same institutions to share them on the regulatory sandbox. The same rules, which stop banks from using public cloud, will make the management of the “sandbox” a nightmare. Why not re-think the blocking rules so that competition and innovation happen organically in the financial services industry in UK?