The Central Bank of Nigeria (CBN) is committed to building a financial services sector that promotes innovation in financial services, effective service delivery, healthy competition and financial inclusion. In this regard, the Bank has implemented several reform initiatives towards the achievement of these objectives.
In continuation of these efforts, the CBN hereby exposes for comments, the Regulatory Framework for Sandbox Operations in Nigeria. The Framework details the requirements for conduct of live tests on innovative products, services and other solutions in a controlled environment.
Kindly forward your inputs to the Director, Payments System Management Department or through [email protected] on or before July 15, 2020.
In view of increasing consumer appetite for payment solutions and emerging disruptive technology in the financial services space, the Central Bank of Nigeria (CBN) has deemed it pertinent to ensure new, more flexible ways of engaging with the industry. One of the options being the use of a Regulatory Sandbox which is a formal process for firms to conduct live tests of new, innovative products, services, delivery channels, or business models in a controlled environment, with regulatory oversight, subject to, appropriate conditions and safeguards. This would enable the Bank stay abreast of innovations while promoting a safe, reliable and efficient Payments System to foster innovation without compromising on the delivery of its mandate.
This Framework therefore defines the establishment, rules and operations of a Regulatory Sandbox for the Nigerian Payments System in order to promote effective competition, embrace new technology, encourage Financial Inclusion and improve customer experience, with a view to engendering public confidence in the Financial System.
The objectives of the Regulatory Sandbox Operation in Nigeria are as follows:
- To increase the potential for innovative business models that advance financial inclusion;
- To reduce time-to-market for innovative products, services, and business models;
- To increase competition, widen consumers’ choice and lower costs;
- To ensure appropriate consumer protection safeguards in innovative products;
- To clearly define the roles and responsibilities of stakeholders and the operations of the Sandbox for the Nigerian Payments System industry;
- To ensure adequate provisions in regulations to create an enabling environment for innovation without compromising on safety for consumers and the overall payments system; and
- To provide an avenue for regulatory engagement with FinTech firms in the payment space, while contributing to economic growth.
The Framework provides standards for the operations of a Regulatory Sandbox, and prescribes the processes and procedures for analyzing, collecting, updating, integrating, and storing of consumer data and information.
The Sandbox cannot be used to circumvent existing laws and regulations and is therefore not suitable for a proposed product, service or solution that is already appropriately addressed under prevailing laws and regulations. Products already rejected by the regulators or the Federal Government of Nigeria shall not qualify for sandbox trials.
The Bank will provide formal guidance and advice to the sandbox applicant(s) on the modifications that can be made to align proposed business models or solutions with prevailing laws and regulations.
1.3 Eligibility Of Sandbox Participants
The eligibility criteria for applicants is as follows:
(a) The product, service or solution is innovative with clear potential(s) to:
- Improve accessibility, customer choices, efficiency, security and quality in the provision of financial services; or
- Enhance the efficiency and effectiveness of Nigerian Financial Institutions management of risks; or
- Address gaps in or open up new opportunities for financial benefits or investments in the Nigerian economy.
- Ensure that applicants will provide the proposed project within a limited transaction (value and volume) for better risk management and mitigation. The limits must not be exceeded during the testing period.
(b) The applicant has conducted an adequate and appropriate assessment to demonstrate the usefulness and functionality of the product, service or solution and identified the associated risks which should be devoid of adverse effect to existing structures and consumer experience;
(c) The applicant has the necessary resources to support testing in the sandbox. This includes the required resources and expertise to mitigate and control potential risks and losses arising from offering of the product, service or solution;
(d) The applicant should have a realistic business plan to deploy the product, service or solution on a commercial scale in Nigeria after exit from the sandbox;
1.4 Participants In The Sandbox Operations
The Sandbox application process is open to both existing CBN licensees (financial institutions with FinTech initiatives) and other local companies. The later may include financial sector companies as well as technology and telecom companies intending to test an innovative payments product or service industry deemed acceptable by the CBN.
Others that can also apply include:
- Those proposing non-regulated technology i.e. Innovators whose proposed solution involves technologies which are currently not covered under existing CBN regulations.
- A Letter of Approval (LoA) would be issued to the Innovator which would allow Sandbox participants to test their innovation upon entry into the sandbox.
1.5 Risk Assessments and Safeguards
1.5.1 An applicant must identify the potential risks to financial institutions and financial consumers that may arise from the testing of the product, service or solution in the sandbox and propose appropriate safeguards to address the identified risks.
1.5.2 In assessing the risks and evaluating the proposed safeguards, the Bank will give due regard to the following:
- Preserving sound financial and business practices consistent with monetary and financial stability;
- Promoting the fair treatment of consumers;
- Compliance with AML regulations;
- Protecting the confidentiality of customer information;
- Promoting the safety, reliability and efficiency of payment systems and payment instruments;
- Encouraging healthy competition for financial products and services.
2.0 Application and Approval Requirements
Applications to the sandbox process would involve an invitation placed on the CBN website, and local newspaper advertisement. The details of the advert would include the minimum eligibility criteria to shortlist applicants who qualify to be absorbed into the sandbox.
Firms wishing to enter into the CBN’s Regulatory Sandbox must apply to the CBN through the Regulatory Sandbox online application platform accessed via the CBN’s official website [ITD/WebTeam to develop portal upon approval]. The application must be submitted with a cover letter signed by an authorised signatory of the entity and addressed to the Director, Payments System Management Department, Central Bank of Nigeria, Abuja.
2.1 Documentary Requirements
All application trials into the Sandbox shall be accompanied with the following:
- Board Approval (where applicable)
- Certificate of Incorporation
- The company profile and functional contact: e-mails, telephone numbers, office and postal addresses
- Memorandum and
- Articles of Association
- Shareholding structure of the Company
- Forms CAC 1.1 (Application for Registration)
- CVs of Board and Management of the Company
- Organogram of the Company
- Project plan alongside a detailed business proposal
- Key outcomes that the testing is intended to achieve
- A document that shall outline the strategy of the sandbox trials including current and potential engagements, geographical spread and benefits to be derived
- AML/CFT KYC Policy
- All firms shall supply any other information that the CBN may require from time-to-time
3.0 Operational Requirements
The CBN operational requirements of the Sandbox would cover, at least, the following phases:
- Filing requirements.
- Reporting requirements while in the Sandbox.
- Exit conditions and approval for expiration, and/or
- Evaluation and Review of an approval.
3.1. Filing Requirements
3.1.1 The Bank will inform an applicant of its eligibility and approval to participate in the sandbox 30 working days after completion of application requirements.
Thereafter, the Bank will engage the admitted participants on the following:
- Testing parameters such as the scope and duration of the test, regulatory flexibilities requested and frequency of reporting;
- Specific measures to determine the success or failure of the test at the end of the testing period;
- An exit strategy should the test fail or be discontinued; and
- The next steps the firm would take if the test is successful.
3.1.2 In addition to the above, applicants prior to entry shall include the following filing requirements:
- A brief description of the Applicant’s organization, including its financial standing, technical and business domain expertise;
- A brief description of the financial service to be experimented on, in the Sandbox;
- A description of how the Applicant has met the Eligibility Criteria described in Section 1.3 with supporting evidence;
- A disclosure of the boundary conditions for the Sandbox such as start and end dates, target volunteer customer types, customer limits, transaction thresholds, cash holding limits, and so on;
- An assessment of the Applicant’s readiness for testing which shall include customer safeguards and testing plans;
- Test scenarios must include a quantification of the maximum potential direct and indirect losses and impact of the experiment;
- A description of the customer communications plan, which must include risk disclosures and material information about the company and the Sandbox;
- A description of the targets and key performance indicators, which will be used to determine the success of the experiment;
- A description of information and cyber security and other relevant measures taken by the Applicant to ensure maintaining safety of the solution;
- A description of any third-party outsourcing arrangement including the due diligence conducted by the Applicant on the third party to ensure information and cyber security; and
- An assessment of the exit plan, scale-up and deployment strategy, along with an assessment of the timeline and gaps if any in meeting any heightened legal and regulatory requirements after exiting the Sandbox.
3.2. Reporting Requirements While In The Sandbox
- Entities shall put in place testing parameters to limit risks to the financial system and for the consumers, while achieving effective testing processes.
- The participants shall set consumer protection safeguards, to guarantee consumer protection. Consequently, consumers participating in the testing phase need to be made aware of their rights and especially, be provided with information and contact details of the sandbox to report any complaint or problem they experience.
- The participants shall ensure proper maintenance of records during the testing period to support reviews of the test by the Bank.
- The participant shall submit interim reports to the Bank on the progress of the test, which includes information on the following:
- Key performance indicators, key milestones and statistical information;
- Key issues arising as observed from fraud or operational incident reports;
- An updated risk register including possibility and treatment of any emerging risk(s);
- Details on any audits conducted (and where applicable, submission of signed audit reports;
- Customer satisfaction report, including complaints – if any:
- A detailed log of operational or technical incidents – (if any) and steps taken to address the same; and
- Actions or steps taken to address the key issues referred to in Section 3.1.
- The participants shall submit a final report containing the following information to the Bank within 30 calendar days from the expiry of the testing period:
- Key outcomes, key performance indicators against agreed measures for the success or failure of the test and findings of the test;
- A full account of all incident reports and resolution of customer complaints; and
- In the case of a failed or unsuccessful test, lessons learnt from the test and how the firm intents to wind down the test.
- The interim and final reports must be confirmed by the CEO of the company.
3.3 Exit Conditions And Approval Of Expiration
- The application should explicitly indicate the initial testing timeline (in months) for the proposed test. To extend the testing period, a written application must be submitted by the participants to the Bank no later than 30 calendar days before the expiry of the testing period.
- The application should state the additional time required and clearly explain reasons for requiring the extension.
- To minimize market distortion, the Bank will not generally approve a protracted extension of the testing period unless the solution has been tested positively in general and it can be demonstrated that the extended testing is necessary to respond to specific issues or risks identified during initial testing.
- Upon the completion of a sandbox test, the Bank will decide whether to allow the product, service or solution should be introduced into the market.
- Innovators must compare the results of their test against its original objectives and specify whether and how they intend to scale-up the technology tested: e.g. direct to consumers or, licensing it to other firms, or establishing new partnerships with other CBN-licensed firms etc.
- The Bank may also prohibit deployment of the product, service or solution in the market upon the completion of the testing due to the following reasons:
- In the event of an unsuccessful testing based on agreed test measures; or
- The product, service or solution has unintended negative consequences for the public and/or financial stability.
3.4 Evaluation And Review Of An Approval
3.4.1 The CBN may evaluate and review an approval to participate in the sandbox at any time before the end of the testing period if the participant:
- Fails to carry out the safeguards referred to in Sections 1.5 and 7.0.
- Submits false, misleading or inaccurate information, or has concealed or failed to disclose material facts in its application;
- Contravenes any applicable law administered by the Bank or any applicable law in Nigeria or abroad which may affect the participant’s integrity and reputation;
- Is undergoing or has gone into liquidation;
- Breaches data security and confidential requirements;
- Carries on business in a manner detrimental to consumers or the public at large; or
- Fails to effectively address any technical defects, flaws or vulnerabilities in the product, service or solution which gives rise to recurring service disruptions or fraud incidents.
3.4.2 Before reviewing an approval to participate in the sandbox, the Bank will:
- Give the participant 30 days’ notice in writing of its intention to review the approval; and provide an opportunity for the participant to respond to the Bank on the grounds for review.
- Where any delay in reviewing the approval would be detrimental to the interests of the participant, their customers, the financial system or the public generally, the CBN may review the approval immediately and provide the opportunity for participant to respond after the effective date of review. If the response is accepted by the Bank, the Bank may reinstate the approval to participate in the sandbox.
3.4.3 Upon the review and evaluation of an approval, the participant must:
- Immediately implement its exit plan to cease the provision of the product, service or solution to new and existing consumers;
- Provide notification to customers informing them of the cessation and their rights to redress where relevant;
- Comply with obligations imposed by the CBN to dispose of all confidential information including customer personal information collected over the duration of the testing;
- Submit a report to the Bank on the actions taken within 30 working days after review.
4.0 Sandbox Cohorts
The term cohort refers to the group of innovators that share the characteristic of having been allowed to enter the Sandbox at the same time for the same period.
There will be one cohort per year named after the year in which the cohort was accepted (for example: 2019 Cohort). Application windows for a given cohort as well as list of the firms included in that cohort would be published on the Bank’s website.
The number of innovators to be accepted into a cohort is a function of the Bank’s resource capacity to support innovators. Typically, a cohort will be made up of a predetermined number of innovators, as the type of innovators to be accepted into a cohort is based on the sandbox eligibility criteria and on the sandbox strategic objectives.
5.0 Responsibilities Of The Central Bank Of Nigeria
The CBN shall be responsible for:
- Issuance of the Regulatory Framework for Sandbox Operations;
- Admitting all eligible participants into the Sandbox process;
- Issuance of a Letter of Approval (LoA) for entry into the sandbox;
- Issuance of an Approval-in-Principle (AIP) in order to deploy its digital solution to the market, subject to the Innovator being able to meet CBN’s licensing requirements;
- Ensuring that the objectives of the Sandbox are fully achieved;
- Conducting oversight on Sandbox participants’ operations and systems;
- Monitoring other stakeholders to ensure compliance;
- Issuing circulars to regulated institutions on the operations of the Sandbox;
- Reviewing this framework for the operations of the Sandbox from time to time;
- Apply appropriate sanctions for non-compliance where needed;
- The Director, Payments System Management Department of the CBN shall review cases referred to it before issuance of an operating licence or a formal clearance to an entity/participant for the purpose of delisting from the Sandbox.
6.0 Responsibilities of Participants
- The participants in the Sandbox shall:
- Be responsible for monitoring and supervising the activities of its operations and staff.
- Have information on the tests carried out for each type of service or innovation;
- Monitor effective compliance with set limits and establish other prudential measures in each case;
- Take all other measures to enable it to operate strictly within the requirements of this Framework.
- Address all enquiries to:
Payments System Management Department,
Central Bank of Nigeria, Corporate Headquarters
Central Business District, Abuja.
Tel. No: +234(0)946238346
7.0 Positioning Of Customer Safeguards
As part of the evaluation phase, the Bank and Innovator must agree on the set of consumer safeguards in order to mitigate the risk to consumers participating in the testing exercise. While the measures are bespoke to each test, it will depend on the nature of the risks identified, and will be proportionate to the impact and probability of the risks occurring or causing consumer disadvantage.
While the list is inexhaustive, below are examples:
- Limitations on the number and type of customer(s)/clients that will participate in the test.
- Limitations on the type and size of transactions.
- Extra requirements related to the participating Fintech company handling and protecting of consumer data.
- Providing adequate disclosure of the potential risks to customers participating in the sandbox and confirmation from such customers that they fully understand and accept the attendant risks;
- Limiting the duration of the testing period to a maximum of six (6) months cohort basis, or promptly asking for an extension when needed;
- Providing a consumer redress mechanism, including the possibility for financial compensation for sandbox participants whose data may be harmed in a test under clearly specified circumstances; and
- Committing adequate and competent resources to undertake the testing and implement risk mitigation solutions that have been proven to be effective in containing the consequences of failure.
- Requirements to carry out system penetration simulations.
- Requirements to obtain consumers’ prior written consent to the participation in the test.