Comments on BSP’s

Regulatory Sandbox Framework

Atty. Rafael Padilla
Professor of Law, San Beda Alabang School of Law
Co-Founder & Trustee, BlockDevs Asia Inc.
Author, Fintech: Law & First Principles
rafpadilla@farcovelaw.com

19 September 2022

1. Introduction; challenges in integrating fintech

The counterintuitive features of emerging financial technologies (fintech), such as

decentralized cryptocurrencies, blockchain and smart contracts, challenge conventional legal
and regulatory regimes and compliance norms. How do decentralized finance (DeFi) projects
and other decentralized applications (dApps) fit in the existing regulatory schemes that are
premised on having a financial intermediary that can be directed by law to police financial
transactions and enforce financial service rules?1 Is it even possible to design a framework for
financial regulation in a manner that would not rely on middlemen to monitor, ensure and
enforce compliance?2

Some policymakers and regulators do not believe that fintech firms should be given
special treatment, regardless of their potential to spur innovation. In the United States, the
Financial Crimes Enforcement Network (FINCEN) issued guidance as early as 2013, clarifying
that crypto exchanges and crypto wallet providers would be classified as money transmitters
under the U.S. Bank Secrecy Act, who are therefore required to register as money service
business (MSB) and to comply with anti-money laundering laws and regulations just like
traditional MSBs.3

In extreme cases, the financial regulator may restrict or prohibit the use of emerging
technologies to insulate regulated financial institutions from the risks associated with them in
particular when the technology is immature and untested for wide-scale deployment. The
People’s Bank of China (PBOC) traditionally restricted financial institutions from dealing with
or transacting with bitcoin and other cryptocurrencies. In 2018, the Reserve Bank of India
prohibited banks and other financial institutions from dealing in and providing services that
facilitate dealings in cryptocurrencies; the 2018 circular issued by the central bank was
eventually set aside by the Supreme Court of India in 2020 because the regulation was
disproportionate considering that there was no empirical evidence to prove that regulated
financial institutions suffered damages by providing banking services to crypto exchanges.4

Many fintech startups whose owners or founders did not come from the traditional
financial service industry may have limited experience in dealing with compliance and
regulatory matters. Because of this limitation, even rules that can be regarded by well-

1
DeFis and dApps are protocols or programs that leverage blockchain and other distributed ledger technology
(DLT) to automate financial transactions, transforming traditional financial products or services into natively
digital artifacts that can be accessed without involving trusted intermediaries such as banks, brokers, insurers or
payment processors.
2 Rafael Padilla, Fintech: Law and First Principles, Rex Book Store, p. 5 (2020)
3 Id.
4 Internet and Mobile Association v. Reserve Bank of India, Writ Petition (Civil) No. 528 of 2018 (2020).

1
entrenched incumbent financial institutions as lenient or “light touch” could be perceived by
fintech startups as onerous, “heavy-handed” and cumbersome. Thus, when the New York
Department of Financial Services (DFS) issued the world’s first regulation on cryptocurrency
business activities, the agency was criticized for requiring lengthy and bureaucratic
requirements and conditions to qualify for what is colloquially known as the “Bitlicense.” A
number of crypto-focused ventures, most of which were startups, that previously operated in
New York migrated their business elsewhere to avoid the heavy-handed New York
regulation.5

Most fintech firms are startup ventures that sometimes have limited access to funding.
Only few can afford the regulatory and compliance costs associated with maintaining a
financial service license, including capital, bond and collateral requirements. Considering the
scarce resources of many fintech startups, regulatory costs compete with engineering,
software maintenance, information security, user acquisition and customer/technical support
that are typically on top of the priority list. This may result in what is sometimes referred to
as “legal debt,” which is the implied additional cost of compliance that will need to be repaid
in the future as a consequence of the decision not to follow the rules today and until the startup
can afford it.6

2. Regulatory sandbox as policy innovation

On the other hand, some policymakers introduced the concept of regulatory sandbox
where the financial regulator outlines bespoke guidance for new financial intermediaries and
technology vendors with respect to the application of existing regulations to new delivery
channels.7 Within the sandbox, fintech firms could test their products or services inside a
controlled environment. For a limited duration, fintech firms that are approved and accepted
to “play in the sandbox” may be allowed to provide financial service subject to conditions
specified by the regulator, without immediately triggering regulatory or licensing
consequences.

Regulatory sandbox allows fintech firms, technology vendors or service providers and
incumbent financial institutions to launch financial products or services on a limited scale to
actual customers without incurring the large regulatory burdens and cost that they would
otherwise face. This controlled environment makes it easier for innovators and startups to
navigate the often cumbersome regulatory process.8 As observed by John Ho Hee Jung, a
banking lawyer who heads the legal division for financial markets of a global bank: “(i)f
technology is to play its proper role in innovation, it needs the right ecosystem to support it.
Increasingly, regulatory and financial institutions are working closely to test innovative
products via regulatory sandboxes, innovation hubs, technology labs or similar initiatives to
crowdfund new ideas and solutions.”9

5 Rafael Padilla, Fintech: Law and First Principles, Rex Book Store, p. 6. (2020)
6 The term was inspired by the concept known in software development as technical debt, which is the implied cost
of additional development work brought by opting for an easy solution now rather than resorting to a better
approach that would take longer. If technical debt is not repaid sooner, it can make it more difficult for software
developers to implement the required changes or upgrades.
7 Delivery channel refers to customer's point of access to a financial service, which can include low-tech channels

(e.g., branch, remittance center, microfinance NGOs, checks and ATM.) and high-tech channels (e.g., online
banking, mobile banking, e-wallets, unhosted or non-custodial crypto wallet, and smart contract).
8 John Ho Hee Jung; Chapter 12, Regtech and Suptech, The Future of Compliance; Jelena Madir, Fintech, Law and Regulation;

p. 275. (2019)
9 Id., p. 275.

2
 In 2020, the Insurance Commission issued Circular Letter No. 2020-73 or the Guidelines
on the Adoption of a Regulatory Sandbox Framework for Insurance Technology (InsurTech)
Innovations, recognizing the advantages that can be enjoyed from the growth and
development of technological innovations in the insurance business. In gist, regulatory
sandboxes concerning insurance and any activity that requires licensing by the Insurance
Commission must first be approved before they are adopted and implemented. This initiative
was followed by the issuance of special sandbox regimes for agricultural insurance, health
maintenance organizations (HMO), and pre-need industries in 2021.10 Meanwhile, the
Securities and Exchange Commission (SEC) hinted that, as a member of the Global Financial
Innovation Network, it can perform pilot-testing of new technologies or adopt regulatory
sandbox approach to assess how a product or service might operate in a live market setting
in multiple jurisdictions.

Some financial regulators are legally authorized to calibrate the execution of the laws
they administer and therefore they are empowered to waive administrative rules or observe
leniency in enforcing them when they are onerous, impractical or inappropriate for new
intermediaries, having in mind the unique features of their financial products or services. One
example is Section 72 of the Securities Regulation Code11 on exemptive relief that gives the SEC
an exemptive power or authority to “conditionally or unconditionally exempt any person,
security, or transaction, or class or classes of persons, securities or transactions, from any or
all provisions of this Code.”

3. Legal bases of regulatory sandbox

a. Policy innovation is encouraged by the Philippine Innovation Act

The statutory policy of the Philippine Innovation Act12 seeks to foster innovation as a
vital component of national development and sustainable economic growth. In accordance
with Section 10, Article XIV of the Constitution that recognizes science and technology as
essential for national development and progress and gives priority to research and
development, invention, innovation and their utilization, it is the intent of the law to place
innovation at the center of development policies, guided by clear and long-term goals that
consider the Philippines’ key advantages and its opportunities in the regional and global
economic arena. As such, innovation efforts should be harnessed to help the poor and the
marginalized and to enable micro, small and medium enterprises (MSMEs) to be a part of the
domestic and global supply chain.13

The law recognizes the importance of an effective and efficient innovation ecosystem
that addresses and delivers action in various policy areas, including finance. This requires the
various departments and agencies of government to implement a “whole of government”
approach that will ensure policy coherence, alignment of priorities, and effective coordination
in program delivery. This ecosystem should facilitate and support innovation efforts across

10 See Circular Letter 2021-60 (Guidelines on the Adoption of Regulatory Sandbox Framework for Piloting
Agriculture Insurance) and Circular Letter 2021-64 (Guidelines on the Adoption of a Regulatory Sandbox
Framework for Innovations in the Insurance, Health Maintenance Organizations and Pre-Need Industries).
11 R.A. No. 8799 (2000).
12 R.A. No. 11293; An Act Adopting Innovation as Vital Component of the Country's Development Policies to Drive

Inclusive Development, Promote the Growth and National Competitiveness of Micro, Small and Medium
Enterprises, Appropriating Funds Therefor, and for Other Purposes (2019).
13 Sec. 2(a), Philippine Innovation Act (2019).

3
various industries, including the financial sector.14 Governance has an indispensable role in
enabling and maximizing the benefits from the country’s innovation policy.15

Indeed, one of the objectives of the Philippine Innovation Act is to remove obstacles
to innovation by suppressing bureaucratic hurdles, and adapting the regulatory framework
to support the creation of and diffusion of new knowledge, products, and processes.16
Innovation is defined by law as “the creation of new ideas that results in the development of
new or improved policies, products, processes, or services which are then spread or
transferred across the market.”17

Section 5 of the Philippine Innovation Act mandates the government to adopt a

broader view in developing its innovation goals and strategies covering all potential types
and sources of innovation, including product innovation and policy innovation. Product
innovation refers to the introduction of a good or service that is new or significantly improved
with respect to its features, applications, characteristics or intended uses.18 On the other hand,
policy innovation means the introduction of new or significantly different solutions to policy
problems.19

Financial technologies and their applications are examples of product innovation. The
BSP’s regulatory sandbox approach as well as the deployment of various supervisory
technologies (suptech)—such as the BSP Online Buddy (BOB) and the Data Management
Initiative20—demonstrate policy innovation.21 But while the Philippines’ innovation goals
should be directed at developing new innovative technologies, the country should also
harness global knowledge and technology that would aid in developing new processes or
services for increasing productivity and for promoting overall public welfare.22

b. Impossibilium nulla obligatio est

Many of the prudential regulations23 established by statutes contemplate traditional

business models and did not envisage the novel approaches and innovations introduced by
financial technology. In several instances, fintech firms are like square pegs in round holes
where regulators try hard to insert new financial intermediaries into legal paradigms
originally designed for traditional institutions; existing financial regulations and broad
principles might apply in theory but in reality they are practically impossible to observe.

Laws do not require the impossible to be done. This legal principle reflected even in
ancient maxims such as ad impossibilia nemo tenetur (“nobody must keep a commitment to do
impossible things”) and impossibilium nulla obligatio est (“there is no obligation to do
impossible things”) justifies calibrated deviation from strict interpretation of statutory
requirements in cases where it is legally impossible for an actor to obey them to the letter.24

14 Sec. 2(d), Philippine Innovation Act (2019).

15 Sec. 2(e), Philippine Innovation Act (2019).
16 Sec. 4(e), Philippine Innovation Act (2019).
17 Sec. 3(f), Philippine Innovation Act (2019).
18 Sec. 3(r), Philippine Innovation Act (2019).
19 Sec. 3(o), Philippine Innovation Act (2019).
20 BSP Media Releases; BSP Awarded Two Recognitions for Fintech and Regtech Initiatives, 12 Sept. 2019

(http://www.bsp.gov.ph/publications/media.asp?id=5127).
21 Rafael Padilla, Fintech: Law and First Principles, Rex Book Store, p. 486. (2020)
22 Sec. 5, Philippine Innovation Act (2019).
23 Prudential regulation is the body of rules designed to ensure the safety and soundness of financial institutions and

to safeguard financial stability. (World Bank, [2019]).

24 Indeed even under the general principles of civil law, “impossible conditions”, which may include legal

conditions, “shall annul the obligation which depends upon them.” Art. 1183, Civil Code.

4
 4. Non-negotiables; some rules cannot be relaxed in the sandbox

Even in jurisdictions where policymakers have championed light touch regulation

when it comes to financial innovation, some rules simply cannot be relaxed. After all,
regulating financial innovation requires a balancing of interest between the promotion and
fostering of innovative solutions on one hand, and investor or consumer protection on the
other hand. While the deployment of new digital services enhances competition and efficiency
in the market which should be encouraged, financial regulation is naturally zealous when it
comes to consumer protection, financial stability, and resilience amid diverse technology
risks.25

For example, there is a common thread that regulations concerning anti-money

laundering (AML) and combating of financing of terrorism (CFT) cannot be compromised for
the sake of financial technology. This is especially true considering that technology itself,
beneficial as it may be, also presents money laundering risks. This is because criminals and
bad actors are usually the early adopters of emerging technologies knowing how they can be
harnessed to facilitate the commission of crimes and other illicit activities. Indeed,
Recommendation 15 of the Financial Action Task Force (FATF) addresses the peculiar risks
associated to new technologies and directs countries and financial institutions to “identify and
assess the money laundering or terrorist financing risks that may arise in relation to (a) the
development of new products and new business practices, including new delivery
mechanisms, and (b) the use of new or developing technologies for both new and pre-existing
products.”26

Another area where rules cannot be relaxed even in the context of regulatory sandbox
is consumer protection. The regulation of financial services, such as banking, money service
business and sale of securities, is strongly driven by a statutory policy to protect the public
from potential abuse that may be committed by an intermediary who takes hold or custody
of the money from a financial consumer. It can be fairly stated that financial regulation is
invasive (e.g. due diligence, fit and proper rules), tedious (e.g. licensing application), expensive
(e.g. capital requirement) and onerous (e.g. notifications and periodical reporting) mainly
because of the need to ensure that consumers are amply protected. Fintech firms and
technology service providers cannot be excused from such rules solely on the argument that
existing financial services laws were designed only for traditional financial institutions, but
not for intermediaries who employ technologies that did not exist when these laws were
enacted. In the words of Finance Secretary Benjamin Diokno: “(c)onsumer protection means
financial institutions offering fintech-enabled services are required to have the necessary
safeguards to ensure the protection of financial consumers against IT-related fraud and data
compromise.”27

In countries with regulatory sandbox frameworks such as the United Kingdom28 and
Singapore, financial regulators need to be assured that fintech firms approved to play in the

25 Pranay Gupta & Mandy Tham. Fintech: The New DNA of Financial Services; Peiying Chua, Adrian Fisher,
Hagen Rooke, Joel Chang, Peter Fairman & Ching Yee Gui, Legal Implications of Fintech p. 453 (2019).
26 International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation (FATF

Recommendations for brevity)

27Benjamin E. Diokno, The Philippine Economy: Moving the Financial Services Industry Forward Through

Inclusive Technology, Green Initiatives, 10 October 2019

(http://www.bsp.gov.ph/publications/speeches.asp?id=682).
28 UK Financial Conduct Authority, Applying to the Regulatory Sandbox

(https://www.fca.org.uk/firms/innovation/regulatory-sandbox-prepare-application)

5
sandbox has put in place the necessary safeguards, risk management and control systems to
address the peculiar risks that could arise from new delivery mechanisms, “contain the
consequences of failure and maintain the overall safety and soundness of the financial
system.”29 As part of consumer protection, data privacy and confidentiality of financial
transactions are not bargained away by policy innovation nor allowed to be relaxed even
within a sandbox environment.

5. BSP’s Regulatory Sandbox Framework (BSP Circular No. 1153)

a. Guidelines for the Regulatory Sandbox

On 05 September 2022, the BSP issued BSP Circular No. 1153 or the Guidelines for the
Regulatory Sandbox (“Guidelines”). According to the Guidelines, BSP policy seeks “to foster an
enabling environment for responsible innovation to promote the development of an inclusive
digital financial ecosystem that is complemented by a sound risk management system.”30 BSP
has “welcomed transformative and game-changing technologies over the years under the
‘test-and-learn’ approach.”31 BSP has engaged with fintech firms, technology vendors and
incumbents through a flexible “test and learn” environment, which enabled the central bank
to fully understand new business models in regulated financial service while assessing
emerging risks (e.g. technology, operational, and legal risks).

As example of BSP’s sandbox approach, the central bank approved in 2019 the pilot
launch of a peso-backed stablecoin issued by a Philippine bank. Live transactions were
conducted among three participating institutions that were part of a blockchain-based
clearing system and payments networks for rural banks. Initially, the stablecoin, dubbed as
“PHX,” was available only to the participants who can buy PHX by directly debiting from
their bank accounts. Participants would be able to easily redeem PHX for Philippine pesos
(PHP) and have the funds credited to their bank accounts. As the issuer of PHX, the bank
undertook to back its value and guaranteed that it will be at parity with PHP at all times.32

With the issuance of Circular No. 1153, BSP formalized and institutionalized the
existing test-and-learn approach through the adoption of the Regulatory Sandbox Framework
(RSF), which aims to promote a proactive evidence-based and results-driven assessment of
emerging financial solutions.33 The RSF starts from the enabling position adopted by the BSP
during the initial engagement with the applicant. The applicant is then guided by clear rules
for implementation, and is continuously monitored until the innovative financial service
matures. With a ring-side view of how financial innovation is deployed by the applicant, the
BSP is able to timely instruct risk-mitigating measures and formulate responsive policies to
address financial consumer protection, secure financial system and other relevant areas of
concern.34

29 Monetary Authority of Singapore, Overview of Regulatory Sandbox

(https://www.mas.gov.sg/development/fintech/regulatory-sandbox)
30 Section 1, BSP Circular No. 1153 (2022).
31 Id.
32 See Unionbank of the Philippines Clarification of News Article posted in Philstar.net; UnionBank Launches Own

Cryptocurrency, 26 July 2019 .(https://edge.pse.com.ph/downloadHtml.do?file_id=609112)

33 Section 1, Policy Statement, BSP Circular No. 1153, p. 1 (2022).
34 BSP Gov. Benjamin E. Diokno, Inclusion and Digital Transformation: A Collaborative Approach to Regulating

Fintech, 11 October 2019 (http://www.bsp.gov.ph/publications/speeches.asp?id=684)

6
 A regulatory sandbox must be a controlled, time-bound, and live testing environment.
The sandbox may also feature regulatory waivers at the BSP’s discretion.35 However, BSP
clarifies that the regulatory sandbox is not intended and cannot be used to circumvent
existing laws and regulations under the guise of proposing new and innovative products or
services. Thus, in order for the sandbox to operate within a safe and secure environment,
participants are required to adhere to the eligibility standards and operational guidelines set
by the RSF.36 As a controlled environment, the sandbox may require limits and testing
parameters within which the participant must operate.37 Testing parameters refer to rules or
guidelines agreed upon by the BSP and the participant in implementing testing exercises,
which should include metrics to assess the viability of the solution being proposed.

b. Coverage

The RSF applies to (1) BSP-supervised financial institutions (BSFI); (2) third party
service providers of BSFI; (3) other BSP-registered institutions; and (4) new players that intend
to offer or use an emerging or new technology to deliver financial products or services that
fall within the regulatory perimeter of the BSP.38

c. Operational guidelines; four-stage process

Each sandbox must undergo a four-stage process consisting of (1) application; (2)
evaluation; (3) testing; and (4) exit stages. For the application stage, the applicant must submit
a letter of intent, board resolution approving the application for sandbox, completed
Regulatory Sandbox Application Form, and eligibility self-assessment checklist.39

d. Evaluation state; eligibility standards

For the evaluation stage, the BSP will evaluate the documents submitted by the
applicant as to their completeness, correctness, and suitability based on specific eligibility
standards. According to these standards, applicants must meet the following criteria to be
allowed to “play” in the sandbox:

1. the financial solution (a) uses new or emerging technology or utilizes an existing
technology in an innovative manner;40 or (b) bridges a market gap in the delivery of
financial products/services;41
2. applicant must provide an initial test plan, which includes test case scenarios and
expected outcomes of the experiment;
3. applicant must identify significant risks, including money laundering and terrorist
financing (ML/TF) risks, technology and cybersecurity, data integrity and data
privacy, market acceptability, consumer protection, project execution relevant to the
innovation, and the corresponding safeguards and risk mitigation strategies;
4. applicant must identify key performance indicators (KPl) or other metrics in
monitoring the progress of the pilot implementation; and
5. applicant must provide an acceptable exit and transition strategy once the
experimentation is completed regardless of the outcome.

35 Section 1, Definition of Terms, BSP Circular No. 1153, p. 2 (2022).

36 Section 1, Definition of Terms, BSP Circular No. 1153, p. 2 (2022).
37 Section 1, Definition of Terms, BSP Circular No. 1153, , p. 2 (2022).
38 Section 1, Coverage, BSP Circular No. 1153, p. 1 (2022).
39 Section 1, Application Stage, BSP Circular No. 1153, p. 4 (2022).
40 The applicant must provide justification (e. g., business case/market research) that shall support the mentioned

characteristic in the proposed solution. Id., see Eligibility Standards.

41 This must be supported by research that would be part of the documents submitted to the BSP. Id., see Eligibility

Standards.

7
 Eligible applicants will be informed of the subsequent steps for the experimentation.
Applicants who did not meet the eligibility standards will be notified of the reasons for the
rejection of their application without prejudice to the filing of a new application after a
cooling-off period of six (6) months from the release of the result of the notification.42

e. Testing stage

After an applicant passes the evaluation stage, it will now be allowed to participate
and proceed to the testing stage. The testing stage will determine the viability of the proposed
financial solution. This stage is divided into two phases: (1) testing design phase and (2)
testing implementation.

The testing design phase will require the participant to present the proposed innovation
to the BSP, which must cover the overview of the solution, the proposed products or services
created by the use of the solution, financial projections on the expected revenues and expenses
and the assumptions used, operational/systems flow, and the test and roll-out plan. In this
phase, the BSP will approve the test plan that will be employed during the experimentation
period by issuing a Letter to Proceed with Test Implementation.

The design of the test plan should be suited to the features of the proposed solution
which at the minimum must contain the (1) overall timeline and budget; (2) testing
performance metrics; (3) testing methodologies or scripts; (4) customer acquisition plan; (5)
customer communications; (6) minimum safeguards (IT, AML/CFT, consumer protection,
etc.); (7) specific regulatory requirements to be relaxed during the testing period, if any; (8)
exit plan after completing the sandbox activity; and (9) testing deliverables.43

After the test plan is approved, the participant will proceed with the testing
implementation phase, which shall be monitored by the BSP. The duration of this phase can
range from three to twelve months from go-live date, as may be determined by the BSP taking
into account the complexity of the proposed solution. Any adjustments in the duration of the
sandbox or in the future of the proposed solution being tested must be submitted to BSP for
evaluation and approval.44

f. Conditions of approval

A participant that has been approved to experiment in the sandbox are required to
comply with the following conditions at all times:

1. oversee the sandbox activities through an appropriate top-level committee;

2. integrate the sandbox in its overall strategic plan to ensure that the products or
services being tested do not put undue strain on its systems, financial performance,
and risk management capability;
3. ensure that the sandbox activities satisfy the legal and regulatory requirements for
AML/CFT;
4. comply, to the extent possible, with the relevant regulations on payments, information
technology (IT) risk management, Electronic Products and Financial Services (EPFS),
business continuity management, and consumer protection and market conduct,
among others;
5. implement the sandbox not longer than twelve (12) months from the go-live date;

42 Section 1, Evaluation Stage, BSP Circular No. 1153, p. 5 (2022).

43 Section 1, Testing Stage, BSP Circular No. 1153, p. 6 (2022).
44 Id.

8
 6. after the sandbox period, submit a report summarizing the activities,
accomplishments, and recommendations. The report must include discussions or
information on the following:
(a) outcome evaluation - the degree to which the sandboxed products/services are
appropriate to their target market segments and other relevant stakeholders; the
extent to which the sandbox stated objectives are achieved; and the assessment of
growth or change, measuring the results across different levels (customers,
participant, and BSP);
(b) viability evaluation - investigation of the value proposition’s sustainability, including
lessons learned; and
(c) recommendations - recommended action plans for the sandboxed product/service,
and recommended policy issuances or amendments to address risks arising from the
public launch of the sandboxed product/service;
7. provide the necessary customer assistance in addressing issues/concerns that may
arise during the sandbox period;
8. if the sandboxed product/service is delivered through an application programming
interface (API)-based distribution and servicing models, ensure that the internal and
security controls supporting its delivery shall be subject to independent security
assessments and a report will be provided to BSP when requested; and
9. submit to the BSP, through the Technology Risk and Innovative Services Department
(TRISD), for evaluation any enhancements or changes to services offered in the
sandbox within thirty (30) calendar days prior to the date of roll-out.

The BSP’s approval of the live deployment of the proposed solution is limited to the
agreed terms and conditions of the regulatory sandbox plan and should not be interpreted as a
mode to circumvent any legal or regulatory requirements in offering a financial product or
service.45

g. Non-negotiables; consumer protection

As mentioned above, there are certain non-negotiables even within a regulatory

sandbox. One of these non-negotiables is consumer protection. Thus, participants are
required to adopt measures to protect the rights and interests of financial consumers when
implementing the sandbox experiment and ensure that customers are well-informed and
protected when accessing the financial product or service being tested.46

In particular, customers must be informed that the product or service they will avail
is within the regulatory sandbox and that their use is part of a pilot implementation.
Moreover, customers should be informed of all the possible risks associated with the product
or service and the participant must ensure that these risks and their implications are fully
understood. Finally, customers should be informed of the complaints handling and dispute
resolution procedures, and a participant must ensure that adequate, prompt, and effective
mechanisms or procedures are in place to handle and resolve disputes.47

h. Non-negotiables; data privacy

Another non-negotiable is data privacy and data protection. Regulatory sandboxes

must observe and comply with data privacy laws, rules and guidelines in all implementation
phases. Customers participating in the experiment should be informed that they own the data
being collected and processed through the transaction, and that they have all the rights

45 Section 1, Restrictions of Sandbox Approval, BSP Circular No. 1153, p. 9 (2022).

46 Section 1, Consumer Protection, BSP Circular No. 1153, p. 9 (2022).
47 Id.

9
enumerated under Philippine data privacy laws, such as those specified in the Data Privacy
Act of 2012.48 The authorization of the participants to control the use of customer data are
limited by the boundaries of the informed consent expressly provided by the customer when
availing the proposed product or service.49

i. Regulatory Sandbox Lite

Applicants for regulatory sandbox may be advised by the BSP to use a simplified
approach dubbed as “Regulatory Sandbox Lite” (RSL). This approach is designed to
accelerate the end-to-end process of the testing period and is shorter than the entire regulatory
sandbox process.

RSL is limited and applicable only to BSP supervised financial institutions to

encourage digitalization or participation in the electronic delivery of financial products or
services that are already within the scope of existing BSP regulations. The regulatory
requirements and expectations that may be temporarily lifted will be identified by the BSP on
a case-by-case basis, considering the merits of the proposed activity and its associated risks.50

j. Revocability of sandbox approval

The BSP may revoke the approval or authority to participate in the sandbox after due
process, which may be triggered by implementation-related conditions (e.g., failure to deliver
approved product, material deviation, failure to implement safeguards, falsification or
misrepresentation, compliance breaches, etc.) or entity-related conditions (e.g., financial
constraints, enforcement actions, safety and soundness concerns, etc.) as set out in the
Guidelines for Regulatory Sandbox. Moreover, the BSP reserves the authority to revoke
sandbox approval, even without prior notice, if there is an urgent need to protect the financial
system, the participant, its customers, or the general public.51

k. Exit stage

After the testing stage, the BSP will conduct a comprehensive evaluation of the as part
of the exit procedure. The exit stage may be triggered by the completion of the sandbox activity
(upon expiration of the sandbox timeline or as soon as the testing objectives are attained) or
at the discretion of the participant (as when the participant becomes incapable of continuing
the sandbox or simply wishes to stop for strategic reasons), subject to BSP notification through
a withdrawal letter, citing the date of termination and the reasons for the withdrawal. In any
case, the participant must ensure that it fulfills any existing obligations to its customers before
its exit.52

During the exit stage, the participant may also submit to the BSP recommendations on
policy issuances or proposed rule amendments to address risks arising from the innovative
financial solution. This recognizes the advantages of crafting bespoke rules that are custom-
fit for new delivery channels for financial services, addressing the problem of “square peg in
round hole” when it comes to financial regulation.53

48 R.A. No. 10173 (2012).

49 Section 1, Data Privacy and Data Protection, BSP Circular No. 1153, p. 9 (2022).
50 Section 1, Regulatory Sandbox Lite, BSP Circular No. 1153, p. 10 (2022).
51 Section 1, Revocation of the Regulatory Sandbox Approval or Termination of the Sandbox Activity, BSP Circular

No. 1153, p. 6-7 (2022).

52 Section 1, Exit Stage, BSP Circular No. 1153, p. 6 (2022).
53 Rafael Padilla, Fintech: Law and First Principles, Rex Book Store, p. 10 (2020).

10
 l. Authority to Operate

A participant whose sandbox activities are assessed as successful and whose products
or services are deemed fit for public consumption may be issued an Authority to Operate by
the BSP. To be granted this authority, the participant must formally submit to the BSP an
application54 to operate and offer for public use and consumption the proposed product or
service that was subjected to the sandbox activity, including any proposed new regulations
or changes to existing regulations.55

It should be highlighted that a successful sandbox testing will not automatically result
in the approval of the application for Authority to Operate, and the BSP reserves its discretion
to approve or disapprove a proposed financial product, service or solution.56

6. Conclusion

The sandbox approach is underpinned by the notion that a progressive, dynamic and
sometimes out-of-the-box regulatory paradigm is needed to encourage, rather than stifle,
financial innovation. The regulatory sandbox framework is beneficial both for the BSP and the
participants, especially fintech startups. The sandbox enables the BSP to have a ringside view
on how the fintech product or service can be commercially deployed and understand the
relevant policy issues that should be considered. At the same time, the sandbox offers new
players such as fintech startups an exposure on the dynamics of financial regulation and how
they might interplay with the innovative models and new products they wish to bring to the
market.

Laws should be interpreted in a way that will make them practically workable.57
Financial service regulations should not be administered as requiring compliance with what
cannot be legally accomplished, considering unique facts or circumstance, such as those
surrounding fintech-related activities. In such cases, the law should instead be applied in a
way that would permit substantial compliance.58

The sandbox approach can enable the feasible execution of financial services laws and
regulations as contextually applied to new financial intermediaries such as fintech firms,
where financial regulators—guided by materiality and proportionality—can relax what
would otherwise be regarded as outmoded rules if strictly implemented to the letter.
Consequently, the sandbox participant should be deemed to have substantially complied with
the relevant financial services laws and regulations as long as the agreed terms and conditions
of the sandbox have been followed.

54 The relevant requirements and processing timelines for the issuance of an authority to offer Electronic Products
and Financial Services (EPFS) will apply for the purpose of this application for Authority to Operate. (Id.)
55 Section 1, Authority to Operate, BSP Circular No. 1153, p. 6 (2022).
56 Id.
57 Nevada v. Slemmons, 43 ALR (2d) 693, 244 Iowa 1068, 59 N. W. (2d) 793.". “Hence if a statute apparently requires

the performance of things which cannot be performed, or apparently bases its commands upon the assumption of an impossible
state of affairs, the courts must seek for some interpretation of its terms, not too strained or fantastic, which will avoid these
results.” (Black on Interpretation of Laws, 2nd Ed., p. 121.)
58 Ruben E. Agpalo, Statutory Construction, p. 253, 6th Edition (2009).

11