Garrigues Digital_

Legal innovation in Industry 4.0




‘Sandbox’: the secure testing framework for financial technology innovation makes its way into Spain and Latin America

In Spain, a bill approved by the Council of Ministers aims to bring the regulatory framework into line with the new digital context of the financial industry, combining flexibility and technological innovation with security, transparency and supervision by the relevant national authorities. The regulation of controlled regulatory environments has also made headway in countries such as Mexico, Peru or Colombia. Garrigues professionals in these jurisdictions review the most significant aspects to be borne in mind not only for innovation at traditional financial institutions but also for the new fintechs breaking into the market.

Aimed at the digital transformation of the financial system, the bill approved by the Council of Ministers on February 18, 2020, is a major step forward in the context of financial regulation in Spain and its goal is to coordinate the needs for innovation and development in the financial industry with the necessary supervisory and customer protection activities by creating a controlled testing space. The bill is in the final phase of parliamentary processing and its final approval and entry into force are said to be imminent.

The bill envisages the implementation in Spain of a secure testing environment, commonly known as sandbox, in which controlled and defined tests can be carried out on projects able to contribute technology-based innovation applicable to the financial system through innovative technology systems, all under the supervision of the national authority with jurisdiction in the industry in which each project operates (Bank of Spain, National Securities Market Commission or Directorate-General of Insurance and Pension Funds).

The bill seeks to provide the Spanish financial system with instruments that enable it to foster innovation securely, as well as to bring fintech initiatives into line with the financial regulations in force in Spain. To do this, the new regulations envisage a law-protocol regulatory scheme, under which the applicable regulatory framework will be the law itself (general regime) and a testing protocol prepared by the relevant authority and the developer of each project, which is to regulate the particular aspects of each project specifically and in detail (having regard to the minimum contents stipulated by law). This protocol will not be at a level with the regulations on the financial system, but any breach of the protocol will result in the interruption of the tests and even the imposition of specific administrative penalties.

This new mechanism seeks to foster the involvement of the financial authorities in the selection of new business models, putting them in charge of approving pilot projects and designating the person or persons responsible for monitoring each project or some of its tests.

The financial industry has reacted very favorably to the news of the imminent approval of the Spanish sandbox, which for some time now has been demanded by traditional institutions, as well as by the new market players and agents, especially fintech startups focused on the provision of investment services (particularly automatic trading, robo advisors, etc.), payment services, insurance business (insurtechs), etc.

Projects eligible for the sandbox environment must, in the opinion of the relevant authorities, contribute potential added value to existing uses and techniques, entailing progress on at least one of the following aspects: (i) simplification of regulatory compliance through the enhancement or standardization of processes or other instruments; (ii) potential benefit for financial service users that leads to cost reduction, an improvement of quality or access conditions or an increase in customer protection levels; (iii) enhancement of the efficiency of institutions or markets; and/or (iv) generation of mechanisms that lead to enhanced financial regulation or supervision.

The process envisaged by the Spanish bill begins with an application for access to the sandbox environment, to be submitted by each developer on the website of the Secretary-General of the Treasury and International Financing using the standard form approved for such purpose. The application can be submitted in English, although it will be processed, in all cases, in Spanish. The application must be accompanied by an explanatory report on the project, justifying the added value or innovation contributed by the project to the existing state of the art.

The Secretary-General of the Treasury and International Financing will forward the application immediately to the authority or authorities with jurisdiction over the project’s subject matter. The authorities will then evaluate the application and issue a reasoned report that classifies the project either favorably or unfavorably.

If a project is classified favorably, the relevant authorities and the developer of the project will have three months to sign the related testing protocol, stipulating the rules and conditions to which the pilot project is subject, including, inter alia, the project monitoring phases and methods, the rules on the developer’s guarantees and liabilities or the possibility for participants to withdraw.

After passing the tests in the sandbox environment, an authorization gateway will be set up so that the developers of these pilot projects can request authorization, or the extension of authorization, for the tested activity, permitting a simplified analysis of compliance with the current legislative requirements, thus significantly reducing administrative waiting periods.

The sandbox environment to be set up in Spain has important similarities with the regulatory sandbox already implemented in the UK and supervised by the Financial Conduct Authority, based on a scheme that begins with the related application and, as the case may be, the application’s approval, the development of a testing phase and, finally, the authorization or termination of the project.

The bill also envisages other measures aimed at promoting innovation in the financial industry on terms of proportionality and equality, by setting up a direct communication channel with the relevant authorities through which any interested party can submit written queries regarding new applications, business models, financial products and services with a significant technological innovation base, as well as written requests regarding the applicable regulations. The relevant authorities must respond to such requests within not more than two months after their receipt, and their failure to do so will not entail the related affirmative answer to the request.


Potential tax impact

The bill contains no provisions on tax matters. Nonetheless, as a result of the implementation of the sandbox in Spain, new fintech business models, all of which will have to be analyzed in the light of the regulations in force, are expected to proliferate.

Issues such as the possible future application of new taxes, such as the tax on certain digital services or the tax on financial transactions (for example, their application to transactions carried out by “algorithmic” managers), will become especially significant as the new fintech agents design their business plans.

An analysis will not only have to be performed on these new issues, but also on classical issues, such as the possible creation of a permanent establishment where non-resident enterprises in Spain begin to operate in Spain under the new financial regulations, or the definition of which fintech services can be exempt from VAT, depending on whether the specific service is treated as “financial” (and, in general, exempt) or “technological” (and therefore not exempt). As for the VAT treatment of fintech services, it is necessary to look to the recent publication of a judgment of the Court of Justice of the European Union (CJEU), of 2 July 2020, on whether the fund management part of a single supply of investment management services via a software platform used to manage investment funds and other portfolios could be treated as exempt (case Blackrock Investment Management (UK) Ltd. (C-231/19). In this case, the Court ruled that the nature of the service at the supplier must prevail and that it was not possible to split the VAT treatment according to the use given to a service deemed by the CJEU to be a single supply at source.


Data privacy and protection

Most of the technological developments of the financial industry contribute enhancements and innovations based on data management, taking advantage of the opportunities offered by the ever increasing data storage capacity (big data) and the equally increasing capacity to interrelate such data and to transfer it among various locations (analytics). In most of these cases, the data subject to storage and analysis is data related to individuals.

Accordingly, the bill contains references to the way a data subject’s personal data is processed. In our modest opinion, however, these references fall somewhat short, since they establish only one valid lawful basis for processing, and this runs counter to the regulatory scheme under the General Data Protection Regulation (GDPR) of the European Union. With almost total certainty, much of the data processed in a technological project can be processed on a lawful basis other than consent: because it is necessary for the performance of a contract, in order to comply with the legislation, or even due to legitimate interest after it is weighted appropriately. To regulate this matter with a vision limited to consent entails the raising of barriers where they are not needed. Conversely, the bill fails to include references that could be regarded as essential for innovative technology projects, such as the almost certain need to perform a privacy impact assessment, the need to control automated decisions with legal or equivalent effects or the very probable international transfers.

Lastly, one could lament the fact that the launch of a sandbox environment in Spain was not used as an opportunity to regulate a more ambitious scheme of controlled technology development. Already in March 2018, during the consultation period for the implementation of Data Protection Organic Law 3/2018, at that time being drafted and discussed with the Justice Committee of the Lower House of the Spanish Parliament, Garrigues submitted to Parliament the proposal of creating a regulatory sandbox that permitted the development of technological projects in an environment of controlled risk, both for the project developer, for the interested parties and for the regulator itself, who could supervise the innovative projects submitted to a scheme of this type. This same idea was put into practice months later in the UK under the supervision of the Information Commissioner’s Office. To establish a solely financial sandbox scheme that excludes, or fails to include with the needed detail, all the other elements that must necessarily be tested in an innovative technology project is to see only one side of the polyhedron. Although the bill envisages the participation and reporting of other authorities that may have something to say with respect to a specific project, such participation is neither regulated nor organized specifically. This being the case, even if a project passes the preliminary analysis phase in the financial sandbox with flying colors, it still might not be put into practice because it had not bee submitted to a similar analysis from other standpoints (such as privacy regulation or information society services) more and more convergent with that of telecommunications.

It would have been tremendously innovative at world level if, taking advantage of this opportunity to create legislation, a more ambitious objective had been pursued, with a broader regulatory focus and the participation of other regulation and supervisory authorities (Spanish Data Protection Agency –AEPD–, National Markets and Antitrust Commission –CNMC–), developing an integral technology sandbox scheme that would permit the resolution of many of the aforesaid problems through a single channel. It would doubtless have entailed, as already mentioned in the parliamentary submission, a magnet for innovative projects worldwide and a catalyst for bringing new business technology developments to Spain.


Latin American countries

The secure testing framework for financial technology innovation is also making its way into the various jurisdictions of Latin America. Countries such as Mexico, Peru or Colombia are taking steps to boost regulations that offer a controlled regulatory environment for fintechs.


Mexico: The Fintech Law published in 2018

In Mexico, the Law Regulating Financial Technology Institutions (Fintech Law) was published on March 9, 2018. This law sets forth a temporary authorization regime known as modelos novedosos or “innovative models” that seeks to emulate the concept of regulatory sandboxes.

The “innovative models” regime makes it possible to pursue an activity under an ad hoc regulatory regime for a limited time, provided that two basic requirements are met: (i) the activity is considered innovative; and (ii) in order to pursue the activity, an exception from or condition on the applicable regulatory provisions must be obtained.

The “innovative models” regime is usually accompanied by a scheme of economic and tax benefits aimed at providing incentives for the development of projects that have the characteristics needed to be treated as such. Unfortunately, in the case of Mexico, these incentive schemes did not complement the “innovative models” regime and there are certain doubts as to the regime’s regulatory cost.

With respect to innovation methods, the Fintech Law defines “innovative model” as “... that which, in order to provide financial services, uses technological tools or means with forms other than those existing on the market at the time at which the temporary authorization is granted pursuant to this Law”. Other than the definition transcribed above, there is no clear parameter for understanding what should be regarded as “new” or even for defining the concept of market or the actual scope of what can or should be understood as “forms other than those already existing”. For this reason, one of the most significant criticisms of the “innovative models” regime is that the Fintech Law grants excessive discretion to the regulatory authorities to determine what could or could not fall under this regime.

Given the questions arising from this lack of clarity, the regulatory authorities have stated, in various press releases, that innovation should be understood to exist in any of the following cases: (i) the product does not exist or has not previously been regulated; (ii) a new channel is being created, through which to offer the product or service; (iii) it is based on the application of financial technology or innovation that has not previously been tested in Mexico; or (iv) it is operated under exceptions to statutory provisions or, secondarily, at administrative level, at all times considering the application of financial technology.

It is important to clarify that the following will be eligible for the regime: financial institutions treated as such by law, financial technology institutions (collective finance institutions and electronic payment fund institutions) and other unregulated entities.

Pursuant to the Fintech Law, the “innovative models” regime can exist in various financial industries and, accordingly, powers are granted to financial regulators in each of those industries so that they can issue general provisions and specific regulations applicable to the industries under their authority. Although these secondary regulations have already been issued by each of the financial regulators, we do not believe they are in line with what the lawmaker expected from the Fintech Law.

On the other hand, the regulations also envisage the creation of a public registry at which each financial regulator is to register the institutions that obtain or have temporary authorization as an “innovative model”.

With respect to reporting obligations, the secondary provisions contemplatethe preparation and submission of quarterly reports to inform the relevant financial regulator of:  (i) the number of transactions; (ii) their individual amount, (iii) the total transactions carried out within the period; (iv) the list of operating and security contingencies; (v) any claims filed by customers; and (vi) a report on any actions taken to obtain permanent authorization pursuant to the applicable legislation.

Although reporting and controlled monitoring obligations are envisaged under this temporary authorization, it does not provide for a simple and direct mechanism for communicating with the relevant financial regulator, through which to discuss the technical and legal aspects of the provision of the service so as to make the necessary adjustments to the model subject to this regime. This is doubtless one of the aspects that differentiates the regulations applicable in Mexico from the bill in Spain.

The “innovative models” regime is only temporary: its term will last for a year as of the date on which the related authorization is obtained and it may be extended only once for an equal term. The objective is to encourage the applicant to obtain a definitive authorization as soon as possible and to operate in the form most suitable to the type of transaction it performs. Should this not be attained, it must submit to the market exit procedure and, by doing so, liquidate the applicant. Even in cases in which effectiveness has been proven, there is no guarantee that a permanent authorization enabling the operator to continue operating under the same form will be obtained.


Peru: new regulations expected in October 2020

In Peru, Emergency Decree No. 013-2020 (DU 013-2020) was published on January 23, 2020 to promote the financing of MSMEs, entrepreneurs and startups. The degree regulates some of the conditions on which the Financial Market Superintendency (Superintendencia del Mercado de Valores or SMV) can grant exceptions to the application of the regulations for entities such as fintechs.

The SMV can also approve a special regime with requirements that are different to and/or lighter than those imposed under DU 013-2020, in the context of reciprocal integration and/or cooperation processes with other jurisdictions, with a view to facilitating the performance of transactions between financial crowdfunding recipients and investors.

Thus, these provisions envisage the future creation of the regulatory sandbox, for the temporary performance of any transaction or activity using innovative models, being able to grant exceptions to the applicable regulations.

Pursuant to the applicable legislation, the supplementary financial crowdfunding regulations and, ultimately, the regulatory sandbox are expected around the middle of October 2020.


Colombia: progress on regulating the sandbox environment

In the case of Colombia, the authorities and other players of the financial ecosystem have been equally involved in the development of the fintech industry. In 2017 the Financial Superintendency of Colombia presented innovaSFC, a group that facilitates innovation processes in the financial industry and has promoted a controlled and supervised testing area for technological and financial innovations, known as a sandbox supervisor, which seeks to boost sustainable innovation in this industry.

In turn, in the Law on the National Development Plan for 2018-2022, the Colombian government included the possibility for enterprises to obtain temporary operating certificates when they propose the implementation of innovative technological developments for the pursuit of financial activities. It also developed the possibility for controlled financial institutions to implement innovative technological developments for the testing of new products or services, under the temporary supervision of the Financial Superintendency of Colombia.

With a view to regulating the provisions of the National Development Plan, in February 2020 the Colombian government published, for comments, a draft decree aimed at creating a controlled testing area (regulatory sandbox) as a tool for promoting innovation in the provision of financial services by taking prudential steps to make statutory and regulatory requirements more flexible and issuing temporary operating certificates (view here). The decree has not yet been enacted.