Didenko, Anton N --- "A Better Model for Australia's Enhanced Fintech Sandbox" [2021] UNSWLawJl 38; (2021) 44(3) UNSW Law Journal 1078

	Home \| Databases \| WorldLII \| Search \| Feedback University of New South Wales Law Journal

On 1 September 2020, Australia’s ‘enhanced regulatory sandbox’ (‘ERS’) finally became operational. The ERS replaced the previous FinTech sandbox established and operated by the Australian Securities and Investments Commission (‘ASIC’), which had existed since 2016 but attracted only seven participants. This research analyses how and why Australia’s sandbox framework – with its unique non-authorisation model of operation – has evolved until now and evaluates whether the new enhanced sandbox regime can help to achieve its stated objectives. This article shows that the current sandbox reform merely scrapes the surface of the many challenges underlying ASIC’s FinTech sandbox and argues that these challenges can only be adequately resolved by revising the chosen sandbox model and switching to an authorisation-based sandbox design.

I INTRODUCTION

The long wait is finally over. On 28 May 2020, Australia adopted the revised FinTech sandbox regulations.1 The new regime, informally labelled ‘enhanced regulatory sandbox’ (‘ERS’), or simply ‘enhanced sandbox’, became operational on 1 September 2020 and is expected to accelerate the development of the domestic financial technology (‘FinTech’) sector:

The enhanced sandbox will provide a further boost to Australia’s rapidly maturing fintech ecosystem, reducing barriers to entry and promoting competition. Australian consumers will benefit from greater choice in financial services, with technology- driven offerings that are convenient, tailored and cost effective.2

* Senior Lecturer at UNSW Sydney. This research was funded by the Australian Government through the Australian Research Council (project FL200100007 ‘The Financial Data Revolution: Seizing the Benefits, Controlling the Risks’). The views expressed herein are those of the author and are not necessarily those of the Australian Government or Australian Research Council. I am grateful to Ross Buckley and three anonymous reviewers for their invaluable comments.

2 Jane Hume, ‘Regulatory Sandbox to Boost Fintech Innovation and Competition in the Financial System’ (Media Release, 28 May 2020) <https://ministers.treasury.gov.au/ministers/jane-hume-2019/media- releases/regulatory-sandbox-boost-fintech-innovation-and-competition>.

At least so goes the theory. The underlying rationale for this reform is to revise a regulatory initiative that had proven largely unsuccessful in Australia: over almost four years of operation, the original FinTech sandbox had attracted only seven firms3 and earned a certain level of notoriety4 among academics trying to figure out the secret of its perceived fiasco.5

While it is not the only example of a FinTech sandbox in a developed economy with few participants,6 the Australian initiative has attracted academic attention for two reasons. First, Australia was one of the early adopters of the regulatory sandbox concept: the first FinTech sandbox was launched here at the end of 2016, following the establishment of sandboxes in major financial centres like the United Kingdom (‘UK’) (by the Financial Conduct Authority (‘FCA’)), Singapore (by the Monetary Authority of Singapore (‘MAS’)) and Hong Kong (by the Hong Kong Monetary Authority (‘HKMA’)). Second, Australia’s unique approach to the design of its regulatory sandbox (which follows the non-authorisation model discussed in Part II(B)) attracts attention regardless of the number of participants – albeit with the plausible implication that perhaps this unique design is to blame.

A Relevance

Australia’s ‘twin peaks’ regulators, the Australian Prudential Regulation Authority (‘APRA’) and the Australian Securities and Investments Commission (‘ASIC’), are constantly under pressure: on the one hand, they need to keep pace with modern technology; on the other hand, they are expected to facilitate competition in the financial sector. The idea that ‘it is competition – not regulation

– that is the best means of ensuring consumers get value for money in financial services’7 has been engraved in legislation as part of APRA’s8 and (since 2018) also ASIC’s9 mandate. Against this background, it is unsurprising that financial

3 See Australian Securities and Investments Commission, Submission No 14 to Senate Select Committee on Financial Technology and Regulatory Technology, Parliament of Australia (December 2019) 9 [27] (‘Submission No 14’).

5 For example, Allen hypothesises (without drawing any specific conclusions) that the features making Australia’s sandbox ‘less palatable for fintech firms’ may include the scope of the licensing exemption, the corresponding restrictions, the underlying obligations, the mandatory client disclosures or, perhaps, the fact that the competent regulator may revoke the sandbox privileges: see Hilary J Allen, ‘Regulatory Sandboxes’ (2019) 87(3) George Washington Law Review 579, 599.

6 For example, the FinTech Regulatory Sandbox established by the Monetary Authority of Singapore (‘MAS’) in 2016 has accepted only twelve participants at the time of writing (the number is based on the author’s correspondence with the MAS and publicly available data from the regulator’s website).

7 Kelly O’Dwyer, ‘Address to the ASIC Annual Forum 2018, Sydney’ (Speech, ASIC Annual Forum, 19 March 2018) <https://ministers.treasury.gov.au/ministers/kelly-odwyer-2016/speeches/address-asic- annual-forum-2018-sydney>.

8 Australian Prudential Regulation Authority Act 1998 (Cth) s 8(2). Under this provision, in performing its functions and exercising its powers, APRA ‘is to balance the objectives of financial safety and efficiency, competition, contestability and competitive neutrality’.

9 Australian Securities and Investments Commission Act 2001 (Cth) s 1(2A). This provision, which was added only in 2018, states that ASIC ‘must consider the effects that the performance of its functions and the exercise of its powers will have on competition in the financial system’.

regulation in Australia is steering towards new initiatives to promote FinTech, such as regulatory sandboxes (both domestic and international).10

The regulatory reform of 2020 that established Australia’s enhanced (domestic) sandbox has been praised by the government as nothing short of revolutionary. During the second reading of the draft legislation, the Minister introducing the sandbox Bill in the House of Representatives described the revised sandbox as ‘the world’s most forward-leaning regulatory sandbox for fintech development’ that will promote competition, reduce the time to market for financial products and services, stressing that the corresponding ‘productivity benefits ... will be huge’.11 However, the alarming findings of the Royal Commission into Misconduct

in the Banking, Superannuation and Financial Services Industry (‘Hayne Royal Commission’)12 question the wisdom of promoting competition through further liberalisation of market access for unregulated firms, as was stressed during the final hearing of the Bill in the Senate:

I want to point out to senators – especially those who were in the chamber for the legislation that we’ve just passed on the Hayne royal commission bill – the irony and the contradiction that, before us now, we have a piece of legislation that’s going to deregulate financial markets and increase risk for investors and consumers. Have we learnt nothing? ... What’s this? A regulatory sandbox, providing a more flexible environment for entrepreneurs to develop sophisticated financial products. You know what that spells to me? One word: risk. These kinds of initiatives will be like burley to sharks.13

Given that the revised sandbox regulations have been adopted in the wake of the Hayne Royal Commission, an in-depth analysis of Australia’s sandbox regime has never been as relevant as it is today.

B Objectives and Structure

This article puts Australia’s FinTech regulatory sandbox front and centre and provides the first comprehensive study of the domestic sandbox regime, critically analysing the changes introduced by the new rules adopted in 2020.

Part II pursues two objectives. At first, it disentangles the confusing characterisation of regulatory sandboxes in academic and other discourse and

10 To promote international harmonisation of regulatory sandboxes, an international group of financial regulators established the Global Financial Innovation Network (‘GFIN’) in January 2019. However, the inherent complexities and different expectations of various stakeholders identified during the public consultation phase led to the revision of the scope of this project. The GFIN ended up as a group of regulators (joined by several observers) aiming to perform three different functions: (i) a network to

collaborate and share experiences in the FinTech space, (ii) a forum for joint policy work and discussions among financial regulators and (iii) an environment for firms to test cross-border solutions (a cross- border sandbox): see Global Financial Innovation Network, ‘Terms of Reference for Membership

and Governance of the Global Financial Innovation Network (GFIN)’ (Terms of Reference, August 2019) <https://static1.squarespace.com/static/5db7cdf53d173c0e010e8f68/t/5db92a0d519a7150a9072 bc6/1572416023693/gfin-terms-of-reference.pdf >.

11 Commonwealth, Parliamentary Debates, House of Representatives, 4 July 2019, 316–17 (Michael Sven Sukkar, Assistant Treasurer and Minister for Housing).

12 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry

13 Commonwealth, Parliamentary Debates, Senate, 6 February 2020, 371 (Peter Stuart Whish-Wilson).

highlights gaps and inconsistencies in it. Then it focuses on Australia’s FinTech sandbox, argues that its unique features test the limits of the sandbox concept – and identifies the major gaps in existing analyses of Australia’s model of a FinTech regulatory sandbox.

Part III analyses the ERS framework adopted in 2020, putting it into historical context and comparing it with the previous sandbox designs in Australia.

Part IV builds on the preceding discussion and argues that instead of simply enhancing the existing sandbox model (ie, offering more of the same), the objectives of responsible promotion of FinTech would be better served by changing the sandbox model itself, in particular, by transitioning to an authorisation-based sandbox model.

II AUSTRALIA’S ORIGINAL SANDBOX MODEL (DECEMBER 2016 – AUGUST 2020)

The ERS of 2020 represents a major overhaul of the original sandbox framework established back in December 2016.14 However, the recent revisions are not the starting point of this research. Before analysing them in greater detail, let us first consider the current academic discourse concerning regulatory sandboxes (in Part II(A)) and ways in which Australia’s original (2016–20) sandbox model does not fit into that narrative (in Part II(B)).

A FinTech Regulatory Sandboxes and the Challenges of the Relevant Academic Discourse

The rationale for this Part is not to criticise FinTech regulatory sandboxes as a regulatory initiative. Far from it. Although impact analysis is not the focus of this research, the article accepts that sandboxes can be quite useful in a proper setting. What is not very useful, however, is to suggest that the ‘regulatory sandbox’ concept has been uniformly understood, as demonstrated in this Part.

Although the term ‘sandbox’, as noted by the French regulators, ‘does not benefit from a clear and consistent definition’,15 the relevant academic literature considers regulatory sandboxes a standalone type of regulatory strategy for FinTech that is defined by a number of characteristics that can be briefly summarised as follows.

First, they create a controlled and supervised environment allowing innovative businesses to test their business model.16 Second, this regulatory environment is

14 A comparison of the key changes is provided in Table 1: see below Part III(B).

15 Banque de France and Autorité de Contrôle Prudentiel et de Résolution, Submission to European Commission, Public Consultation on FinTech: A More Competitive and Innovative European Financial Sector (15 June 2017) 11 <https://acpr.banque-france.fr/sites/default/files/medias/documents/20170615_ reponse_consultation_europe_0.pdf>.

restricted in a number of ways, such as threshold limits17 or maximum time during which a firm is allowed to remain in the sandbox.18 Third, the relevant tests are carried out with real customers.19

These similarities closely follow (and essentially reiterate) the existing regulatory narrative – that is, a description provided by the party that created regulatory sandboxes and is, understandably, most interested in promoting them in the first place. For this reason, these descriptions may not be very helpful. Things get more complicated, and may get confusing, when we try to differentiate regulatory sandboxes from other related regulatory practices. In other words, can we tell the difference if one simply removes the ‘sandbox’ label?

Brummer and Yadav examine the entire ‘spectrum of approaches toward fintech’20 – ranging from the less formal or informal guidance (eg, speeches or no- action letters)21 to the more formal measures (such as pilots22 and discrete licences)23

– and conclude that regulatory sandboxes are a distinct type of regulatory approach:

The sandbox arguably provides a genuinely new addition to the regulatory arsenal, different from past practices on which policymakers have relied to accommodate financial innovation.24

To determine what makes sandboxes ‘genuinely new’, we have to look beyond the following general explanation of this concept (which is not very helpful for these purposes):

The sandbox rests on two basic ideas: (i) innovators are provided an environment within which to experiment and try out their innovations under real-world conditions; and (ii) to do so, regulators offer developers a relaxed regulatory environment, albeit one subject to specific supervisory parameters and subject to continuing supervision.25

Brummer and Yadav refer to regulatory sandboxes ‘as examples of more experimental regulatory strategies’26 but do not explain what this characteristic entails compared to other forms of experimentation (like pilots or restricted licences). Compared to earlier regulatory approaches (referred to as ‘ad hoc policy responses’),27 these authors view sandboxes as ‘more forward-looking forms of

17 Bromberg, Godwin and Ramsay (n 16) 316; Brummer and Yadav (n 16) 291; Zetzsche et al (n 16) 45.

regulatory engagement’28 and generally a ‘more innovative approach to regulation’.29 This analysis follows a similar argument previously made by Zetzsche et al (who argue that sandboxes are a form of ‘more structured approaches’ to FinTech)30 and emphasises the long-term, structured nature of a sandbox, which is not limited to one-off (‘ad hoc’) measures. While this may be true, we cannot ignore the fact that other regulatory initiatives (such as no-action letters or discrete licences) do not exist in a vacuum either: their application is often governed by dedicated long- term programmes and rules setting out the corresponding criteria, which blurs the distinction.

For example, in 2019 the United States (‘US’) Consumer Financial Protection Bureau (‘CFPB’) issued two related policies, one governing the issuance of no- action letters,31 the other establishing a regulatory sandbox (formally known as the Compliance Assistance Sandbox).32 Both instruments commenced on the same date (10 September 2019) and established long-term (as opposed to ad hoc) forward- looking programs to facilitate innovation. The differences between the two are largely technical and relate to issues like the duration of relief or type of relief available, and even then, may not be easily perceptible. For example, since the CFPB decided not to offer exemptions from regulatory requirements as part of the sandbox,33 applicants can only seek ‘approvals’ from the regulator, namely ‘binding assurance that specific aspects of a product or service are compliant with specified legal provisions’.34 On the other hand, no-action letters from the CFPB (issued under a different policy) offer applicants a ‘discretionary determination not to exercise supervisory or enforcement activity against specific aspects of a product or service’.35 Overall, the substantial similarity between the two regimes may explain why the final guidance – which, in contrast to the original proposal, comes in the form of two separate policies – is described as ‘less confusing’ by the regulator itself.36 However, despite this split, the functional similarities do not disappear.

Overall, while sandbox definitions based on qualitative characteristics can be too broad (and thus overly inclusive), attempts to refine them (using descriptions like ‘more experimental’, ‘more forward-looking’, ‘more structured’ and ‘more innovative’) fail to provide a sufficiently specific threshold: the difference from related regulatory initiatives can be almost ethereal.

Brummer and Yadav accept that regulatory sandboxes are created by ‘combining’ other types of FinTech-oriented regulatory strategies.37 Fáykiss et al

32 Policy on the Compliance Assistance Sandbox, 84 Fed Reg 48246 (13 September 2019). 33 Ibid 48247–8.

36 Policy on No-Action Letters, 84 Fed Reg 48229, 48230 n 10 (13 September 2019) (‘The Bureau has determined that finalizing the two policies in separate documents will be less confusing for potential applicants, and better serve the public interest’).

also consider other regulatory initiatives (including no-action letters and restricted licences) in the sandbox context and argue that such initiatives form ‘a toolset that ensures legal application’ of a sandbox,38 although admittedly this approach simply follows the description of regulatory practices adopted by some regulators.39

Zetzsche et al attempt to differentiate regulatory sandboxes from other forms of so-called ‘structured experimentation’ (such as class waivers and piloting) but concede that the issue may eventually boil down to a simple labelling exercise, suggesting that the same structured and long-term initiative can be classified as falling within, or outside, the sandbox concept:

We thus speculate that there is an inherent connection between a regulatory sandbox on the one side, and testing and piloting on the other. Those jurisdictions with a sandbox approach put certain piloting and testing activities inside the sandbox since this is more convenient for both the FinTech and the regulators (with regulatory liability shielded and the testing and piloting transparent). Meanwhile jurisdictions without a regulatory sandbox are forced to implement a more generous approach to testing and piloting ...40

In a sense, regulatory sandboxes – as regulatory initiatives – can have surprisingly little personality (or rather few distinct features) of their own: they do not only mimic other regulatory approaches to FinTech but can also integrate them completely. In this context, the overall objective of a regulatory sandbox to facilitate innovation in the financial sector41 is not helpful either, since in that case the whole characterisation of a regulatory regime as a regulatory sandbox may ultimately turn on whether a particular regulator positions itself as pro-innovation or not. In other words, if the objective alone is determinative, then old regulatory initiatives can essentially be rebranded as ‘old wine in a new bottle’ when the only thing that actually changes is the regulatory narrative. Furthermore, promotion of innovation is often expressly cited as the objective of numerous regulatory initiatives that tend to be contrasted with sandboxes, such as no-action letters42 or restricted licences.43

This interim conclusion (concerning lack of a distinct personality or distinct features) is important for the discussion that follows in Part II(B)(3). In the meantime, the current Part concludes that analysis of a FinTech regulatory sandbox by reference to the underlying, or even competing, regulatory tools is not determinative; whereas analysis based on the underlying objectives is not helpful either. This complexity permeates the academic literature and challenges our

38 Fáykiss et al (n 16) 54. Admittedly, the authors of this article view these regulatory initiatives as part of ‘a toolset that ensures legal application’ – but if the sandbox toolset encompasses standalone regulatory approaches, this makes it essentially impossible to distinguish the two.

39 See, eg, ‘Regulatory Sandbox’, Financial Conduct Authority (Web Page, 6 January 2021) <https://www. fca.org.uk/firms/innovation/regulatory-sandbox>.

41 Brummer and Yadav (n 16) 291 (‘Sandboxes expressly seek to encourage innovation’); Bromberg, Godwin and Ramsay (n 16) 314 (‘The rationale behind [this approach] is to support innovation in financial services’); Zetzsche et al (n 16) 45 (‘Regulatory sandboxes seek to support competitive innovation in financial markets’).

42 See, eg, Policy on No-Action Letters, 84 Fed Reg 48229 (13 September 2019).

understanding of the sandbox concept. Australia’s unusual sandbox model pushes the boundaries of that understanding, as discussed further in Part II(B).

B How Australia’s FinTech Sandbox Model Disrupts the Academic Discourse

Much of the current FinTech regulatory environment is characterised by the high speed of change and early involvement of regulators, or put simply, the race to be the first, as suggested by Brummer and Yadav: ‘The first movers are likely to be rewarded with an inflow of business as capital flows to jurisdictions that move it using state-of-the-art technology at the lowest transaction cost’.44

Given the speed of change in this area, academic literature similarly struggles to keep up – publications typically address developments of the first generation of sandboxes (ie, the sandboxes launched back in 2016) and do not tackle the new developments, such as the recent attempts to modernise existing sandbox regimes.45 Although the arrival of the ERS has made the existing literature on Australia’s regulatory sandbox lose much of its relevance, its analysis remains useful for the purposes of this article, since many underlying issues have remained unchanged, as demonstrated in Parts III and IV.

Parts II(B)(1)–(2) argue that – although Australia’s FinTech sandbox has been discussed in the academic literature – this sandbox model does not neatly fit in the current academic narrative. So far, Australia’s sandbox has largely played the very limited role of being a rare example of a sandbox model that does not require authorisation. Furthermore, the relevant academic discourse focuses exclusively on the very broad interpretation of the ‘regulatory sandbox’ concept adopted by ASIC in the previous years. Part II(B)(3) argues that this approach has been unfortunate and identifies the major underlying implications.

1 Main Features of ASIC’s Original Sandbox Model

Prior to the entry into force of the ERS in September 2020, ASIC defined a ‘regulatory sandbox’ as a combination of three different types of regulatory

45 For example, the MAS established a new concept of ‘Sandbox Express’ to complement, rather than replace, the existing sandbox model. The idea was first floated in a public consultation in November 2018 and was subsequently implemented in August 2019: Monetary Authority of Singapore, ‘Sandbox Express’ (Consultation Paper No P015 – 2018, 14 November 2018) <https://www.mas.gov.sg/-/media/ MAS/News-and-Publications/Consultation-Papers/2018-Nov-Sandbox-Express/Consultation-Paper-on- Sandbox-Express.pdf>; Monetary Authority of Singapore, ‘MAS Launches Sandbox Express for Faster Market Testing of Innovative Financial Services’ (Media Release, 7 August 2019) <https://www.mas.gov. sg/news/media-releases/2019/mas-launches-sandbox-express-for-faster-market-testing-of-innovative- financial-services>. The main difference between the regular sandbox and ‘Sandbox Express’ stems from their scope: the former is open for all financial innovators generally, whereas the latter targets a specific subset of FinTech firms matching a predefined profile – namely firms that intend to conduct certain activities regulated by MAS. Initially, Sandbox Express was designed to cover the following activities:

flexibility permitting firms to test innovative solutions without an Australian financial services licence (‘AFSL’) or Australian credit licence (‘ACL’):

(c) individual relief granted by ASIC in the form of tailored licensing exemptions to a particular business to facilitate product or service testing.47 This broad interpretation adopted by ASIC implied that its original sandbox,

in fact, combined the elements of two different sandbox models: an ‘authorisation- based’ model (which involves review of individual sandbox applications by the regulator) and a ‘non-authorisation’ model (in which entry into the sandbox does not require a regulator’s approval).

On the one hand, the individual exemptions forming the third category (individual relief) implied an application-based process of vetting individual requests for regulatory flexibility – in line with the vast majority of sandboxes in the world.48 For this reason, ASIC claimed that such exemptions were ‘similar to the “regulatory sandbox” frameworks established by financial services regulators in other jurisdictions’.49 Relevantly, however, individual relief had been offered by ASIC long before the emergence of the earliest FinTech regulatory sandboxes50 and thus the labelling of such relief as an element of a ‘regulatory sandbox’ could be seen as largely superficial (without prejudice to its overall effectiveness in promoting FinTech: after all, to be effective, a regulatory tool does not have to be a part of a ‘sandbox’).51

46 This licensing exemption was established by two instruments: ASIC Corporations (Concept Validation Licensing Exemption) Instrument 2016/1175 (Cth); ASIC Credit (Concept Validation Licensing Exemption) Instrument 2016/1176 (Cth).

47 Australian Securities and Investments Commission, ‘Testing Fintech Products and Services without Holding an AFS or Credit Licence’ (Regulatory Guide No 257, August 2017) RG 257.22 (‘ASIC Regulatory Guide 257’). This regulatory guide was withdrawn by ASIC on 25 August 2020, shortly prior to the entry into force of the ‘enhanced regulatory sandbox’.

48 Most sandboxes follow the same authorisation-based model, whereby sandboxes introduce carve-outs from the otherwise applicable rules (which remain unchanged) but restrict the application of such carve- outs to a limited set of firms preselected by the regulator. The scope of such carve-outs is generally determined on a case by case basis, taking into account a number of factors, such as the type of product or service in question and the underlying risks of testing the innovation on-market with real customers.

50 The first FinTech regulatory sandbox was launched by the UK FCA in June 2016: see Financial Conduct Authority, ‘Regulatory Sandbox Lessons Learned Report’ (Report, October 2017) 4 [2.1] <https://www. fca.org.uk/publication/research-and-data/regulatory-sandbox-lessons-learned-report.pdf>.

51 See, eg, Australian Securities and Investments Commission, ‘Applications for Relief’ (Regulatory Guide No 51, December 2009) (‘ASIC Regulatory Guide 51’).

On the other hand, the remaining two elements of ASIC’s regulatory sandbox (namely, the existing statutory exemptions and the ‘fintech licensing exemption’) followed a completely different (non-authorisation) model, as they did not involve any screening of applicants ex ante. These applied differently as well. The statutory exemptions (such as authority to provide financial services or engage in credit activities without a licence when acting on behalf of an existing licensee)52 were generally available to any entity without limitation as to their duration. In contrast, the FLE constituted a special regulatory regime available to eligible parties for a limited time only (up to 12 months) and required prior notice to the regulator (even though no approval was needed).

Neither of the two types of ASIC’s non-authorisation sandbox involved ex ante assessment of the level of innovativeness of the relevant product or service, thus reducing the workload of the regulator. However, major differences emerged ex post. ASIC was empowered to terminate a firm’s access to the FLE where, in the regulator’s view, the relevant activities ‘[were] not innovative and/or [did] not use technology when providing financial services or credit’.53 Admittedly, this residual authority to perform retrospective evaluation of the sandbox project is difficult to justify in the context of a non-authorisation sandbox – a model which does not involve vetting of prospective participants. While it is understandable that the regulator may not be prepared to relinquish authority to terminate sandbox privileges, an ex post determination that the product or service tested in the sandbox is not sufficiently innovative raises the question about the role of the regulator in managing the sandbox and could generate uncertainty. Strictly speaking, FinTech firms relying on the FLE could find themselves in a less advantageous position compared to an authorisation sandbox.54 After all, firms that have passed the vetting process (in the latter model) do not face the risk of exclusion from the sandbox on similar grounds. In contrast, FinTech firms using ASIC’s FLE had to bear the risk that their sandbox privileges could be withdrawn at any time due to failure to comply with certain parameters (namely, insufficient innovativeness or inadequate use of technology) that were – surprisingly – not even listed among the eligibility criteria and therefore remained undefined.

2 ASIC’s Original Sandbox Model in the Literature

Despite the multifaceted (three-part) nature of the sandbox structure described by ASIC in its Regulatory Guide 257, the academic literature has so far focused almost entirely on the second element – the FLE – in an attempt to analyse and explain it as a sandbox. However, the specific features of the FLE have made the use of the common sandbox terminology and approaches problematic, as demonstrated in this section.

54 For example, when compared to a firm admitted to an FCA cohort in the UK following an application screening round by the regulator.

The non-authorisation model (which the FLE implemented) is clearly incompatible with the widely accepted presumption that ‘it is an essential condition for getting into the test that the innovation should have a significant content of novelty’.55 The absence of any form of ex ante evaluation of innovativeness of the proposed technical solution, however, did not offer FinTech firms peace of mind, since, as discussed in the previous section, an ex post finding by the regulator that a business is not innovative could terminate sandbox privileges.

Brummer and Yadav only briefly discuss Australia’s sandbox but focus exclusively on the FLE and its main features, namely the licensing waiver,56 the 200-client restriction and the maximum client exposure.57 However, the FLE itself does not satisfy the fundamental criteria of a regulatory sandbox outlined by the same authors:

Although sandboxes come in different guises, with agencies and jurisdictions varying in what terms they offer, the guiding idea is simple enough: rather than be subject to restrictive or complex rules that elevate regulatory risk and potentially stifle innovation, the sandbox offers a means of testing new ideas in a simplified, interactive regulatory environment.58

Of course, experts will no doubt question whether the structured rules-based FLE framework can be deemed a ‘simplified’ regulatory environment – but the main contradiction lies elsewhere. Brummer and Yadav do appreciate that sandboxes come in different shapes or forms, and yet, in their view, interactivity is an essential (rather than optional) element of a sandbox design – one that involves both ‘continuing supervision’59 and a means for regulators to ‘give input into [sandbox innovation] design’.60 In contrast, the FLE minimised interactivity between the regulator and the regulated entity by design in what can be described as a regulatory hands-off approach: in addition to the absence of any ex ante screening of applicants, the FLE did not require sandbox participants to provide any interim reports.61 Furthermore, the language of ASIC Regulatory Guide 257 strongly suggested that even the final report at the end of the sandbox period was provided by FinTech firms on a voluntary basis.62

In a similar fashion, the FLE design (which minimises contact with the regulator) goes against Allen’s main argument about the philosophy of regulatory sandboxes:

61 See also Table 1 in Part III(B) below for a historical comparison of levels of interactivity in ASIC’s FinTech sandbox.

62 The relevant provision stated: ‘We ask that testing businesses that rely on the fintech licensing exemption provide us with a short report within two months after the end of their testing period’ (emphasis added): ‘ASIC Regulatory Guide 257’ (n 47) RG 257.121. This is in stark contrast with those provisions which set out mandatory requirements and therefore use a different language: at RG 257.113 (‘You must include the following information about the business ...’) (emphasis added).

This Article argues that a regulatory sandbox is an application of new governance theory, in that the sandbox is ‘pragmatic, information- and experience-based, directed toward ongoing problem-solving, and built around highly participatory and carefully structured dialogue.’63

The prescriptive nature of the FLE, which was based on a set of fixed and non-negotiable parameters, does not really correspond with the view that FinTech sandboxes ‘provide financial regulators and innovative businesses with a level of flexibility that may not be available under traditional regulatory models’.64 On the contrary, as other commentators have noted, within the FLE ‘ASIC ties its hands to a greater extent than any other regulator’.65 Bromberg, Godwin and Ramsay eventually acknowledge that the FLE is altogether not compatible with the sandbox philosophy:

While the exemption has been characterised by ASIC as forming a part of its regulatory sandbox, it might be argued that it is inconsistent with the logic that underpins the sandbox approach. Sandboxes are aimed at facilitating the testing of concepts in a safe space, ie an environment designed by the regulator to prevent (or mitigate) consumer harm. As discussed above, consumer groups are concerned that the industry licensing exemption does not create a safe environment for innovation

It is important to understand the context here. The above reference to a ‘regulatory holiday’ originates from a submission to ASIC’s June 2016 Consultation Paper 260 that provided an early outline of the original sandbox regime (which only came into force in December 2016). This submission, prepared by one of Australia’s consumer advocate groups,67 focused specifically on the ‘financial advice industry’:

This is an industry that has left too many consumers out of pocket and has yet to prove that it can deliver services in a way that protects clients’ interests. It is not appropriate to grant new businesses in this sector a regulatory holiday given the risks posed to consumers.68

Ironically, this criticism towards the sector feels no less relevant today, in the light of the related conclusions and recommendations of the Hayne Royal Commission.69 Yet, for the purposes of this article, another aspect is arguably more important. The words ‘regulatory holiday’ could be read in a different light – not only as a holiday offered by regulators, but also as a holiday for regulators, given the minimal direct involvement of ASIC in the administration of the FLE.

Ultimately, despite the lack of empirical evidence that we have today, Bromberg, Godwin and Ramsay concluded, back in 2017, that ‘“standard” regulatory sandboxes implemented by regulators such as the FCA [were] superior

67 See Choice, Submission to the Australian Securities and Investments Commission, Consultation Paper 260: Further Measures to Facilitate Innovation in Financial Services (July 2016).

to the other models currently in operation’.70 Like others, these authors focused on the FLE and suggested that this non-interactive regulatory approach was inferior and ‘more in line with traditional forms of regulation than the proactive regulation that has characterised regulatory sandboxes in other markets’.71

This conclusion was no doubt inspired by the analysis of Zetzsche et al,72 who stress that the increased certainty of the FLE comes at the expense of establishing a very narrow (and hence unattractive) experimental space.73 The approach of Zetzsche et al, however, is puzzling at times. On the one hand, the relevant article systematically analyses various aspects of the FLE as part of Australia’s sandbox and compares them to other sandboxes established elsewhere in the world. On the other hand, the authors end up firmly rejecting the notion that the FLE should be considered a sandbox in the first place:

A closer look reveals how different the class waiver is from a regulatory sandbox. ASIC does not engage with innovative firms prior to granting the privilege – the waiver is granted as a matter of law, rather than upon application. Innovation is not a prerequisite, nor does a knowledge exchange take place between privileged firms and ASIC. In fact, the Australian class waiver is the traditional approach of specific regulation cloaked in Fintech-friendly terminology.74

The above analysis shows a mosaic of different views on the concept of the regulatory sandbox in Australia, all suggesting – albeit in different forms – that Australia’s original sandbox model does not fit into the common sandbox terminology. Even where some authors highlighted certain inconsistencies, the critique was inconsistent and did not reveal an academic consensus. Is there a better solution to the design of the regulatory sandbox in Australia that meets the expressed objectives? Before answering this question, let us formulate the key lessons from the existing academic discourse.

3 Lessons from the Academic Discourse on Australia’s FinTech Sandbox Framework

The preceding analysis clearly demonstrates that the existing literature, despite offering some insights about the underlying ideas and logic behind a ‘regulatory sandbox’ (see Part II(A)), generally adopts the broad interpretation of the concept of ‘regulatory sandbox’ (see Part II(B)(2)) formulated by ASIC in ASIC Regulatory Guide 25775 (as outlined in Part II(B)(1)).76 This section argues that reliance on this characterisation has been unfortunate for three reasons.

72 See Zetzsche et al (n 16). Bromberg, Godwin and Ramsay reference a draft version of this article that was available to them: Bromberg, Godwin and Ramsay (n 16) 320 n 47.

74 Ibid (emphasis added). In a later article published in 2020, the same authors again analyse the FLE as a sandbox: see Buckley et al (n 16). Therefore, whether they ultimately consider the FLE a sandbox or not remains an open question.

76 To the author’s knowledge, this three-prong ‘sandbox’ design envisaged in ASIC Regulatory Guide 257 has not been challenged in the academic literature.

Over-reliance on the regulator’s own characterisation creates the risk of overlooking the fact that the corresponding regulatory regime may not be compatible with certain functional characteristics of the sandbox concept. This inherent contradiction is particularly noticeable in the Australian context and sometimes leads to authors cautiously acknowledging the existence of some inconsistency (Bromberg, Godwin and Ramsay),77 or, in the case of Zetzsche et al, a puzzling outcome suggesting that the same regulatory toolset is both a sandbox and not a sandbox at the same time78 (see Part II(B)(2)).

While there is little doubt that the regulators’ own context and narrative are useful, over-reliance on the existing characterisation designed by the regulators themselves is not helpful for analysing Australia’s regulatory sandbox, for a number of reasons. This article provides five counterarguments.

First, it can be relatively simple to ‘dress’ a regulatory initiative in sandbox terminology – and Australia’s experience is rather illuminating in this respect. Let us go back in time to briefly consider the historical context and analyse the documentation that preceded the release of ASIC Regulatory Guide 257, which established the narrative stating that the FLE is just one of three elements constituting Australia’s ‘regulatory sandbox framework’.79 Neither ASIC’s initial announcement in May 2016,80 nor the subsequent Consultation Paper issued a month later,81 envisaged such a complicated, three-part, sandbox framework. On the contrary, the original proposal introduced the concept of a ‘regulatory sandbox exemption’,82 which, as can be deduced from its name, acted as a precursor to what later became known as the FLE:

We propose to give conditional, industry-wide relief to allow new Australian businesses to test certain financial services for one period of six months without needing to obtain an AFS licence. We refer to this as the ‘regulatory sandbox exemption’.83

While some of the specific parameters of the proposed sandbox (such as the sandbox duration, which was initially limited to just six months,84 or the requirement to have a ‘sandbox sponsor’85) changed with the launch of ASIC Regulatory Guide 257 in December 2016, the fundamentals did not. ASIC’s sandbox initiative was inspired by the UK sandbox approach and the US no-action letter policy and reflected an intention to set up a different and less interactive format of a sandbox:

80 Australian Securities and Investments Commission, ‘16-129MR Innovation Hub: Regulatory Sandbox Proposal’ (Media Release, 4 May 2016).

81 Australian Securities and Investments Commission, ‘Further Measures to Facilitate Innovation in Financial Services’ (Consultation Paper No 260, June 2016) (‘ASIC CP 260’).

This proposal has been informed by developments in other jurisdictions, such as the ‘regulatory sandbox’ established by the Financial Conduct Authority (FCA), and the Consumer Finance Protection Bureau’s (CFPB) no-action letter policy. We believe that this proposal compares favourably with international developments, especially as it removes the need ... to separately negotiate testing conditions with us.86

Despite the clear intention to avoid ex ante assessment of applicants and their business models, the original proposal nevertheless included a range of entry requirements that were omitted in the final version. For example, the relevant FinTech firms were expected to provide – in addition to a notice to ASIC – evidence of sponsorship from a sandbox sponsor and a declaration that the firm ‘has reasonable grounds to expect that it can operate its business for a period of six months from the specified date’.87

Crucially, for the purposes of this section, the ‘sandbox’ mentioned in the original ASIC proposal was limited to the licensing waiver alone. The sudden expansion of the sandbox terminology that appeared in ASIC Regulatory Guide 257 was not explained even in ASIC’s response to the submissions received as part of the public consultation process.88 Yet the transformation of the ‘regulatory sandbox exemption’ (in ASIC Response to CP 260 Submissions) into the FLE (in ASIC Regulatory Guide 257) was more than just a linguistic tweak. It attempted, at least on paper, to elevate the ‘sandbox’ to the status of a broader framework that extends beyond similar initiatives available overseas (which, as we know today, are predominantly based on individual authorisations), since – according to ASIC Regulatory Guide 257 – the FLE was merely a part of the greater sandbox.89

Overall, the three-prong classification of Australia’s regulatory sandbox framework in ASIC Regulatory Guide 257 appears to have been the result of a last- minute change in language and concept that does not correspond with the original proposal to establish a ‘regulatory sandbox exemption’.

Second, ASIC’s characterisation has not been accepted in academia, as the analysis in Part II(B)(2) suggests: the academic discourse focuses almost exclusively on the FLE.

Third, the public and media have firmly associated the ‘sandbox’ with the FLE, which remained true in 202090 just as it was in 2016.91

88 Australian Securities and Investments Commission, ‘Response to Submissions on CP 260 Further Measures to Facilitate Innovation in Financial Services’ (Report No 508, December 2016) (‘ASIC Response to CP 260 Submissions’).

90 Stephanie Palmer-Derrien, ‘Government Passes Laws Extending Fintech Regulatory Sandbox – Finally’, SmartCompany (Web Page, 12 February 2020) <https://www.smartcompany.com.au/startupsmart/news/ government-extended-fintech-regulatory-sandbox/>.

91 Gina Baldassarre, ‘ASIC Launches Regulatory Sandbox Allowing Fintechs to Test New Products and Services’, Startup Daily (Web Page, 16 December 2016) <https://www.startupdaily.net/2016/12/asic- regulatory-sandbox-fintech/>.

Fourth, the non-FLE parts of the ‘sandbox regulatory framework’ had been established long before the sandbox terminology became mainstream.92

The fifth counterargument to ASIC’s characterisation lies elsewhere. It has become clear that the initial expectation that ASIC’s sandbox would ‘lead the world and leapfrog what the UK [was] contemplating’93 did not materialise. By overstating the scope of the sandbox, ASIC may have done a disservice to the remainder of the so-called ‘regulatory sandbox framework’ (as defined in ASIC Regulatory Guide 257) – since the low number of participants in the FLE might be attributed to a failure of the entire framework (including ASIC’s power to grant individual relief).

If that is not enough, even the government and regulators supporting and developing Australia’s sandbox framework have not followed ASIC’s classification. According to Jane Hume, Australia’s Assistant Minister for Superannuation, Financial Services and Financial Technology, the new 2020 regulations (discussed in Part III) establish the ERS.94 Yet the only thing being enhanced at this point is the FLE. On top of that, the 2020 regulations themselves use the words ‘FinTech Sandbox’95 and even ASIC itself refers to the FLE participants as ‘sandbox entities’ in the Innovation Hub infographic.96

Considering the above, this article argues that the broad interpretation of the sandbox concept in ASIC Regulatory Guide 257 ended up not only being unnecessary but also confusing to all stakeholders. In a sense, the withdrawal of said regulatory guide in August 2020 has been fortuitous – however it appears to be dictated solely by the entry into force of the ERS (discussed in Part III), rather than acknowledgment of the issues described above.

Surprisingly, despite various attempts to explain the nature of a ‘regulatory sandbox’ (discussed in Part II(A)), there have been no meaningful attempts to consistently apply the functional characteristics of a sandbox concept to the many regulatory measures bearing the ‘sandbox’ label. Given that the vast majority of so- called regulatory sandboxes follow a similar authorisation-based model, perhaps there was not enough reason to do so: although the distinctiveness of the FLE has been observed, the entirety of ASIC’s original sandbox framework has been analysed as a sandbox nonetheless.

92 See ‘ASIC Regulatory Guide 51’ (n 51). Issued in December 2009, this was based on ASIC’s statutory discretionary powers.

93 Denham Sadler, ‘Australian Fintech Startups to Get Access to a “World-Leading” Regulatory Sandbox’, SmartCompany (online, 10 June 2016) <https://www.smartcompany.com.au/finance/australian-startups- to-get-access-to-a-world-leading-regulatory-sandbox/>.

96 Australian Securities and Investments Commission Innovation Hub, ‘Progress Report’ (Infographic, December 2018) <https://download.asic.gov.au/media/4956819/innovation-hub_progress-report- infographic_dec18.pdf>.

This article argues that, as a concept, ‘regulatory sandbox’ has not been adequately theorised, and the concept itself has not been consistently applied. This is unfortunate and calls for a revision of the concept.

First, the scope of the ‘regulatory sandbox’ concept has been expanding continuously, particularly over the past two years, as new spin-off concepts have emerged bearing the same designation. Examples include the so-called ‘Sandbox Express’ established by the MAS in 2019,97 the ‘Fintech Supervisory Sandbox 2.0’ that replaced HKMA’s original sandbox98 and the ‘global sandbox’ concept (subsequently subsumed into the broader Global Financial Innovation Network (‘GFIN’) initiative).99 This process, which may be called ‘sandboxification’, has kept gaining velocity and is likely to continue in the post-COVID-19 world. Sandboxification has now begun spreading to areas outside finance.100

Second, only consistent application of the conceptual approach can help to understand (and reconcile) the rationale of regulators in jurisdictions firmly rejecting the sandbox idea, such as Germany.101 Indeed, what exactly does the German financial services regulator (‘BaFin’) reject? Could it be that the same risks are differently interpreted (alongside the sandbox concept, which can have different meanings, as shown in this article) or more relevant only for some sandbox models, rather than the others – given that BaFin generally takes a conservative approach and (rightly) argues that ‘[t]here is still no clear definition of the concept of a fintech company’?102

Third, a consistently applied conceptual approach is the missing link between early scholarship on regulatory sandboxes and the more recent writings aiming to assess the efficiency of a FinTech sandbox as a regulatory tool. Although the lack of transparency in their operation and effectiveness103 makes it extremely hard

97 See above n 45. See also Monetary Authority of Singapore, ‘Sandbox Express Guidelines’ (Guidelines, 7 August 2019).

98 See ‘Fintech Supervisory Sandbox (FSS)’, Hong Kong Monetary Authority (Web Page, 3 May 2021)

99 See Global Financial Innovation Network, ‘Cross-Border Testing: Lessons Learned’ (Report, January 2020).

100 For example, in May 2019, the UK FCA launched a call for input to examine the feasibility of setting up a ‘cross-sector sandbox’ – a form of regulatory collaboration that aims to connect a whole array of regulators operating outside finance, including the Civil Aviation Authority, Gambling Commission,

Information Commissioner’s Office, Office for Communications (‘Ofcom’), Office of Gas and Electricity Markets (‘Ofgem’) and Water Services Regulation Authority (‘Ofwat’): see Financial Conduct Authority, ‘Call for Input: Cross-Sector Sandbox’ (Report, May 2019) 3 n 2.

101 In its Digitalisation Strategy, BaFin affirms that it ‘expressly does not follow any sandbox approach, but is guided by the proven principle of “the same business, the same risk, the same regulation”’: see BaFin, ‘BaFin’s Digitalisation Strategy’ (Report, August 2018) 6.

102 See ‘Company Start-Ups and Fintech Companies’, BaFin (Web Page, 2021) <https://www.bafin.de/EN/ Aufsicht/FinTech/fintech_node_en.html>.

103 The author does not intend to engage in the debate concerning the importance of know-how or business model secrecy as a competitive advantage for innovators and merely refers to the objectively non- transparent method of operation of most regulatory sandboxes. The closest we get to transparency are the very rare disclosures from regulators: see, eg, Financial Conduct Authority, ‘Regulatory Sandbox Lessons Learned’ (Report, October 2017).

to verify how well regulatory sandboxes work in practice, a recent publication provocatively argues that sandboxes are not, in fact, that useful:

While sandboxes tend to attract the headlines and attention, the real work of promoting and facilitating innovation in financial services tends to be done, in virtually all jurisdictions where it does occur, by some form of innovation hub.104

A conceptual approach that defines a sandbox by reference to generally accepted features will greatly assist this kind of analysis and permit us to differentiate regulatory sandboxes from other related, but different, initiatives aimed at facilitating FinTech development. An example of a corresponding definition of a FinTech regulatory sandbox might look like this:

A standing (or at least long-term) regulatory strategy that facilitates the development of innovative technology-driven solutions in the financial sector and (i) involves actual on-market testing involving real customers, (ii) is conducted under regulatory supervision and (iii) provides limited exceptions from the otherwise applicable regulatory framework (but regardless of specific regulatory tools used to administer such exceptions).

This tentative definition combines the core features of the different approaches found in the literature, in moderation. Importantly, there is no assumption that this approach is the only possible (let alone the best) one. The proposed definition is inclusive and can be narrowed down by integrating additional factors, with the result that some regulatory initiatives designated as regulatory sandboxes will fall outside the definition.

For example, if we consider that regulatory sandboxes can only be used by FinTech firms for a limited time (which is clearly the status quo in the majority of jurisdictions at the time of writing), the sandbox in Switzerland105 will no longer qualify. The so-called Swiss sandbox aims to facilitate innovation indirectly: instead of authorising specific time-limited projects, it lowers the barriers for accepting deposits from third parties. This approach is highly pragmatic, since many business models (from payments to crowdfunding) require FinTech firms to accept client deposits, which – in principle – is open to licensed banks only. To facilitate the development of such business models, the initiative the Swiss Financial Market Supervisory Authority (‘FINMA’) has called a ‘sandbox’ simply waives the requirement to obtain a banking licence for innovators who accept public deposits up to CHF1,000,000 (regardless of the number of depositors), provided that (i) such deposits are not invested and do not bear interest and (ii) depositors are informed in advance that the business is not subject to FINMA supervision and that the deposits are not covered by the deposit protection scheme.106

Conversely, if we (like some authors)107 stress the importance of interactivity or dialogue between the regulators and the regulated, then Australia’s FLE is likely to fail the ‘sandbox test’.

105 See Swiss Financial Market Supervisory Authority, ‘Sandbox and Settlement Accounts: FINMA Amends Circular’ (Press Release, 1 September 2017).

Ultimately, the key to consistency is not the definition as such – but conceptual uniformity in its application (something that has been sorely lacking in the literature so far, particularly given the peculiar design of Australia’s FLE).

The conclusion that Australia has a single national FinTech sandbox, administered by ASIC, is firmly grounded in the academic and professional literature. This is unsurprising, given that ASIC is the only financial services regulator in Australia that has announced the creation of a ‘sandbox’. The issues with this approach become immediately apparent if one applies the conceptual approach (and tentative definition) discussed in the previous section to the entire Australian regulatory framework for financial services.

This article argues that the restricted ADI108 (‘RADI’) regime introduced by APRA in 2018 qualifies as a regulatory sandbox – an initiative that has not been associated with the sandbox terminology in the literature, perhaps because APRA itself has not called its initiative a ‘sandbox’. This is all the more surprising, given that APRA’s RADI regime is in some respects even better aligned with the sandbox definition proposed in the previous section (and most other definitions as well).

First, the RADI regime facilitates innovation in finance, in particular by online-only banks. This is acknowledged in APRA’s guidance, which states that the regulator ‘has adopted a principles based approach to the eligibility guidelines for the restricted route given the potential for innovative new business models to emerge’.109 While the emphasis on facilitating innovation has been toned down in the final guidance, it is clear from the earlier discussion paper issued in 2017110 that the concept of RADI licences is closely associated with FinTech promotion. As part of its preliminary analysis, APRA compared various approaches ‘to facilitate new entrants or encourage innovation’, including regulatory sandboxes implemented in Hong Kong and Singapore.111 According to APRA, the ‘potential population of eligible applicants could include fintech and traditional start-ups, institutions with non- traditional business models and existing non-ADI financial institutions looking to enter the banking industry’.112 Consequently, even though the eligibility requirements for a RADI licence do not expressly require applicants to demonstrate that their business is innovative per se, innovation is clearly expected and encouraged.

Second, a RADI licence allows engagement of real customers (subject to various disclosure obligations), including not only staff of the RADI itself and

109 Australian Prudential Regulation Authority, ‘ADI Licensing: Restricted ADI Framework’ (Information Paper, 4 May 2018) 21 (‘APRA Restricted ADI Framework’) (emphasis added).

110 Australian Prudential Regulation Authority, ‘Licensing: A Phased Approach to Authorising New Entrants to the Banking Industry’ (Discussion Paper, 15 August 2017).

111 Ibid 11. It should be noted that, as part of this comparison, APRA chose the restricted licensing regime in the UK operated jointly by the Prudential Regulation Authority and FCA (rather than the regulatory sandbox operated by the FCA alone).

family and friends of staff, but also the general public, depending on the type of products offered.113

Third, the RADI licensing regime is closely supervised by APRA, which recovers the costs of supervision via the annual supervisory levy.114 The level of regulatory involvement is much higher compared to the FLE, and involves pre- application consultations, review of applications and, for successful applicants, ongoing engagement with the RADI and formal progress reviews at least every six months.115

Finally, a whole range of requirements, in particular Prudential Standards, either do not apply, or are modified specifically for RADIs.116

If we narrow down the sandbox definition to include the element of interactivity (recall the definitions proposed by Allen and Brummer and Yadav, as discussed in Part II(B)(2) above), APRA’s RADI framework will pass the test with flying colours, unlike the FLE. In terms of interactivity, APRA takes a very different stance. In contrast to ASIC’s hands-off approach, APRA offers various forms of direct engagement with FinTech businesses at various stages of the process, from early-stage meetings with APRA’s IT specialists ‘where a ... proposed business involves innovative or particularly complex IT systems’,117 to ongoing formal progress reviews.118

Admittedly, on its own, characterisation of the RADI licensing regime as another national regulatory sandbox in Australia’s financial sector may be seen as a technicality. However, in this article this conclusion is important in the context of changes introduced as part of the ERS (discussed in Part III) and will be considered in Part IV(B).

III AUSTRALIA’S ENHANCED REGULATORY SANDBOX (SEPTEMBER 2020 ONWARDS)

The scope of changes introduced by the ERS in 2020 can best be understood if analysed in the context of ASIC’s entire sandbox journey. For this reason, Part III starts with an overview of the early attempts to modernise the FLE (in Part III(A)) and then (in Part III(B)) compares the ‘enhanced’ sandbox with both (i) the FLE regime and (ii) the original sandbox design envisaged in ASIC’s Public Consultation Paper issued in June 2016.

A Historical Context

Australia has already made substantial progress in attracting technological innovation in finance. Between 2014 and 2020, the number of FinTech start-ups

increased more than sevenfold, from less than 100119 to over 700 firms.120 This puts Australia into the same league as Hong Kong (with over 600 FinTech start-ups)121 but still behind Singapore (with over 1,000 FinTech firms)122 and the UK, which hosts over 1,600 FinTech companies.123 Admittedly, these comparisons should be taken with a grain of salt, since the methodology used by the industry and regulators to calculate the corresponding numbers is unclear and could be very different. However, despite the obvious methodological challenges, it is clear that Australia’s sandbox framework was developed amidst fierce international competition that shows no signs of slowing down. Although the FinTech landscape in Australia is becoming increasingly diverse,124 regional and global competitors are launching new regulatory initiatives and programmes to support FinTech that may sway innovators. And so continues the global race to attract FinTech talent.

As part of this race, regulators are revising their regulatory approaches to FinTech – especially those that have not reached the desired goals. In Australia, ASIC’s FLE was identified as the underperformer very quickly, less than a year after its launch: a public consultation on the feasibility of a modernised sandbox regime was carried out in October – December 2017.125

This early consultation introduced the concept of ERS. The nature of the proposed changes suggested that the main perceived deficiency of the existing sandbox regime in Australia lay in its many restrictions on the scope of eligible innovations. For example, under the original FLE, FinTech firms were not permitted to issue their own products and instead were only able to (i) provide advice, distribute, or deal in, existing financial products, or (ii) act as an intermediary or provide credit assistance in relation to credit contracts.126 The purpose of the proposed ERS was to make the existing regime more attractive for FinTech firms by getting rid of some of the original limitations:

The enhanced regulatory sandbox allows more businesses to test a wider range of new financial and credit products and services without a licence, for a longer time.127

119 KPMG, ‘Scaling the Fintech Opportunity: For Sydney and Australia’ (Issues Paper No 17, July 2017) 7.

120 Ian Pollari and Daniel Teper, ‘Australian Fintech Landscape 2020’, KPMG (Web Page, 21 December 2020) <https://home.kpmg/au/en/home/insights/2017/08/australian-fintech-landscape.html>.

121 ‘Fact Sheet: Hong Kong Fintech Landscape’, FintechHK (Web Page, 16 March 2021) <https://www. hongkong-fintech.hk/en/insights/news/news-2021/fact-sheet-hong-kong-fintech-landscape/>.

122 ‘FinTech and Innovation’, Monetary Authority of Singapore (Web Page, 10 May 2021) <https://www.mas. gov.sg/development/fintech>.

123 UK Department for International Trade, ‘UK FinTech: State of the Nation’ (Report, 2019) 12.

124 KPMG, ‘KPMG Australian Fintech Landscape’ (Infographic, 2019) <https://home.kpmg/content/dam/ kpmg/au/pdf/2019/australian-fintech-landscape-2019.pdf>.

125 See ‘Enhanced Regulatory Sandbox’, Treasury (Web Page, 23 October – 1 December 2017) <https:// treasury.gov.au/consultation/c2017-t230052>.

127 Exposure Draft Explanatory Memorandum, Treasury Laws Amendment (2017 Measures No. #) Bill 2017 (Cth) 7 [1.3] (‘Enhanced Sandbox Bill Memorandum’) (emphasis added).

Unlike the FLE, which was introduced by ASIC128 relying on its own statutory powers under the Corporations Act129 and the NCCP Act,130 the ERS was based on the Government’s authority to pass delegated legislation envisaged in these two Acts.131 For this reason, in response to the proposed ‘enhanced sandbox’ consultation, ASIC submitted its feedback along with all other commentators.132

Despite the different origins of the FLE and the ERS, the objective of the latter was not to establish a second sandbox operating in tandem with the FLE – but rather to update the FLE itself. This is clear from the documentary history. The ERS was proposed as part of the Government’s reform package to facilitate FinTech – its origins can be traced back to the 2017–18 Budget, which mentioned ‘enhancements to the financial services regulatory sandbox’ (clearly referring to the FLE).133 The explanatory memorandum supplementing the draft ERS framework also confirmed the objective of the new rules to ‘enhance the regulatory sandbox’,134 rather than establish an entirely new one. Furthermore, just like the academic literature discussed in Part II(B)(2), the documentation relating to the ERS was not aligned with ASIC’s broad (three-part) definition of ‘regulatory sandbox framework’ in its Regulatory Guide 257. Instead, the ERS explanatory memorandum135 associated the regulatory sandbox concept only with the FLE. It follows that the ERS was designed as a replacement, not a companion, for the FLE. The draft ERS documentation consisted of two parts: (i) statutory amendments and (ii) corresponding regulations. New legislation was needed to enable regulations to provide for conditional licensing exemptions: prior to the amendments, the Corporations Act and NCCP Act expressly granted this authority to ASIC136 but not to the regulations. The need for legislative change delayed the implementation of the ERS substantially: the relevant Bill was introduced to Parliament in February 2018 but eventually lapsed in May 2019 with the new elections. In 2019, the Bill was reintroduced and finally became law in February 2020. Later in 2020, ASIC

128 See ASIC Corporations (Concept Validation Licensing Exemption) Instrument 2016/1175 (Cth) and ASIC Credit (Concept Validation Licensing Exemption) Instrument 2016/1176 (Cth).

129 See Corporations Act 2001 (Cth) s 926A(2)(a) (allowing ASIC to ‘exempt a person or class of persons from all or specified provisions’ of the Act relating to licensing).

132 See Australian Securities and Investments Commission, Submission to The Treasury, Enhanced Regulatory Sandbox Proposal (10 November 2017) (‘ASIC Enhanced Sandbox Submission’).

133 Australian Government, Budget 2017–18: Budget Strategy and Outlook (Budget Paper No 1, 9 May 2017) 1–24.

135 Ibid 7 [1.2] (‘The ASIC regulatory sandbox is comprised of ASIC’s FinTech licensing exemptions provided under ASIC Corporations (Concept Validation Licensing Exemption) Instrument 2016/1175 and ASIC Credit (Concept Validation Licensing Exemption) Instrument 2016/1176’).

137 ‘Info 248 Enhanced Regulatory Sandbox’, Australian Securities and Investments Commission (Web Page, August 2020) <https://asic.gov.au/for-business/innovation-hub/enhanced-regulatory-sandbox/info-248- enhanced-regulatory-sandbox> (‘ASIC Information Sheet 248’).

B What Exactly Has Been ‘Enhanced’?

While the legislation that commenced in February 2020 did not introduce any substantial changes compared to the 2017 draft (except the obligation to review the operation of the sandbox after 12 months),138 the corresponding regulations underwent several revisions. In the interests of brevity, this article does not compare the draft regulations with their final version. Instead, to cover the entire history of Australia’s sandbox regime up until now, it provides in Table 1 (next page) a side-by-side comparison of certain key features of (i) the early design of the regulatory sandbox envisaged in ASIC’s June 2016 public consultation,

The ERS did not change the sandbox model and follows the same non- authorisation approach as the FLE:140 although there is no formal application process, firms intending to make use of the sandbox need to submit an advance notice to ASIC before commencing the testing phase. Just like the FLE, the new ‘enhanced’ sandbox regulations do not require ASIC to assess the level of innovativeness of the technical solution proposed by FinTech firms before the start of the test,141 but at the same time, ASIC retains the authority to terminate sandbox privileges on the grounds of insufficient novelty, namely if ASIC is not satisfied that (i) the relevant financial service is new or ‘a new adaptation, or new improvement, of another financial service’142 or (ii) the relevant credit activity is new or ‘a new adaptation, or new improvement, of another credit activity’.143 In line with its predecessor, the ERS retains minimal interactivity between ASIC and eligible firms and, in fact, goes even further than the FLE in this aspect: the new 2020 regulations do not mention any kind of reporting, whether interim, or at the end of the test.144

It is fair to say that the word ‘enhanced’ in the ERS is a synonym of ‘expanded’. True to its objective to allow ‘more businesses to test a wider range of new financial and credit products and services’, the ERS offers a much longer testing period (two times longer compared to the FLE and four times longer than the initial sandbox proposal)145 and admits new types of activities into the sandbox (such as

139 ASIC has provided a detailed comparison of the FLE and the ERS: see Australian Securities and Investments Commission, ‘Comparison of Key Features of the ASIC Sandbox and the Australian Government’s Enhanced Regulatory Sandbox’ (Report, August 2020).

141 Although ASIC Information Sheet 248 seems to suggest that the regulator aims to be proactive and may even ‘confirm that [a] notification satisfies the minimum requirements’, this cannot change the fact that the ERS remains notice-based (as discussed in Part IV): see ‘ASIC Information Sheet 248’ (n 137).

144 It will be recalled from Part II(B)(2) that, under the FLE, FinTech firms provided the final report at the end of the sandbox period, albeit apparently on a voluntary basis.

145 Not considering sandboxes without a pre-defined maximum duration of a sandbox test, only a handful of regulatory sandboxes (such as the FinTech Regulatory Laboratory of the Abu Dhabi Global Market)

offer such a long testing period: see, eg, Abu Dhabi Global Market, ‘The Fintech Regulatory Laboratory:

	Public Consultation (June 2016)	Fintech Licensing Exemption (December 2016 – August 2020)	Enhanced Regulatory Sandbox (September 2020 onwards)
Maximum Duration	6 months	12 months	24 months
Multiple Uses/ Extension	Prohibited	Prohibited	Allowed
Scope	Giving financial advice in relation to certain Australian securities, managed investment schemes and deposit products Arranging for other persons to deal in financial products	Financial services: (i) providing advice, (ii) dealing in or (iii) distributing existing financial products (direct issue of products prohibited) Credit activities: only (i) acting as intermediary or (ii) providing credit assistance in relation to certain credit contracts (not providing credit directly)	New types of activities covered Issuing, varying or disposing of a non-cash payment facility Providing crowd-funding services Providing credit (new restriction: duration only up to 4 years)
Admission	No application Notice to ASIC Declaration to ASIC Evidence of sponsorship	No application 14-day notice to ASIC	No application 30-day notice to ASIC
Novelty Assessment	Ex ante: No Ex post: No	Ex ante: No Ex post: Yes	Ex ante: Yes Ex post: Yes
Early Termination Grounds	Testing contravenes the laws administered by other regulators Breach of advertising rules Clients are being misled about the nature of exemption	Poor conduct Failure to meet conditions Previous misconduct Business not innovative/does not use technology	Failure to meet conditions Benefits are unlikely to outweigh the risks to the public Service/credit activity is not new, or not a new adaptation/ improvement Failure to act fairly, efficiently or honestly New exemption used to continue a previous one Expected significant detriment to clients
Reporting Obligations	Yes A mandatory report at the end of testing	No A voluntary report at the end of testing	No A voluntary report at the end of testing
Interactivity Level	Minimal	Minimal	Minimal

crowdfunding services and provision of credit). At the same time, FinTech firms are required to give a much earlier advance notice before the start of the test (at least 30 days in advance,146 compared to just 14 days under the FLE).147

Overall, the ERS offers a much wider range of testing opportunities in the financial sector. Nonetheless, this article argues that the 2020 sandbox revisions have failed to address the fundamental issues that undermined the effectiveness of the FLE. Part IV analyses these issues and proposes a solution.

IV THE NEED TO REVISE, NOT ENHANCE

As discussed in Part III, the need to adjust the FLE became apparent rather quickly – but the low number of sandbox participants is just one indicator of the need for reform. Despite the emergence of more than 50148 regulatory sandboxes in the financial sector – and considering that the FLE was one of the earliest FinTech sandboxes in the world149 – at the time of writing, no other jurisdiction has adopted a sandbox model mimicking the FLE approach (which says a lot about its attractiveness). On top of that, some academic commentators have firmly rejected Australia’s sandbox model as a suitable model for domestic reform. For example, as part of her analysis of the best way forward for the US sandbox strategy, Allen concludes that ‘the United States should not follow ASIC’s example of providing a clean exemption’ for a range of reasons, including limited interactivity and information sharing within the FLE.150 Furthermore, the argument in the literature that ‘innovation hubs provide all the benefits that the policy discussion associates with regulatory sandboxes’151 questions the efficiency of the FLE as a standalone regulatory tool (although, to be fair, this critique is aimed at sandboxes more generally, rather than the FLE alone).

Part IV argues that, despite the new measures to expand the scope of permitted activities, the ERS is not the appropriate solution for the deficiencies of the FLE and calls for a revision of the current sandbox model to better align the design of Australia’s FinTech sandbox with the stated objectives and chosen mode of implementation.

The Regime for FinTech Innovation’ (Brochure, February 2020) <https://www.adgm.com/documents/ publications/en/fintech-regulatory-authority-brochure.pdf>.

147 ASIC Corporations (Concept Validation Licensing Exemption) Instrument 2016/1175 (Cth) s 6(2); ASIC Credit (Concept Validation Licensing Exemption) Instrument 2016/1176 (Cth) s 6(2).

149 Although Australia is not the only jurisdiction with a non-authorisation sandbox model, the specific features of the FLE (such as the residual power to terminate sandbox privileges) distinguish Australia’s model from the non-authorisation sandboxes that consistently apply a hands-off approach. An example of the latter is the Swiss sandbox that takes the form of an unrestricted licensing waiver: see above n 105 and the corresponding discussion in Part II(B)(3).

A Enhanced Sandbox Is Inconsistent with the Chosen Model

This section critically analyses the design of the ERS and focuses on those features that are aligned with the authorisation-based sandbox model but, at the same time, create major obstacles to the proper functioning of the current non- authorisation sandbox design.

1 Missing Gatekeeper

Screening of prospective participants is the key feature of any authorisation sandbox that allows regulators to exercise the gatekeeping function by admitting only those businesses that truly innovate and minimise end user risks. In Australia, the screening of sandbox candidates has taken an unusual shape but has not disappeared completely. Instead of applications, FinTech firms must send notices to ASIC before testing starts (14 days in advance under the FLE and 30 days in advance under the ERS). There are three issues with this approach.

First, neither the FLE nor the ERS require ASIC to perform the screening: FinTech firms may start their test immediately upon the expiration of the notification period.152 Although ASIC may technically decide that the relevant firm should not be allowed to perform the test, nothing precludes ASIC from completely disregarding this power and instead interfering at a much later stage. This creates a conundrum. If screening of sandbox candidates is supposed to be voluntary, cursory or random, then the FLE and the ERS effectively have no gatekeeper in place. If, on the contrary, ASIC intends to review each notice before the start of the relevant test anyway (as the current language of ASIC Information Sheet 248 suggests), then the notice-based ERS sandbox de facto follows the authorisation model (without acknowledging it).

Interestingly, the early design of the ASIC sandbox envisaged in the June 2016 public consultation153 addressed the same issue quite differently. While the sandbox was not intended to follow an authorisation model and thus did not involve formal applications addressed to the regulator, the gatekeeping function was to be partially performed by third parties, known as ‘sandbox sponsors’:

We propose that the AFS licensing exemption ... will apply only if the testing business is ‘sponsored’ by an organisation (‘sandbox sponsor’) recognised by ASIC.

We propose that sandbox sponsors will be not-for-profit industry associations or other Government-recognised entities. The ASIC-approved sponsors would be named in the licensing exemption (and could be updated from time to time).154

According to ASIC, sandbox sponsors were expected to (i) reduce the underlying risks by ‘declining to sponsor potential testing businesses that are more likely to engage in poor conduct’ and (ii) ‘remove the need for case-by-case approval from ASIC’.155 In other words, sponsorship arrangements were supposed

to provide comfort to ASIC, which did not intend to operate an authorisation sandbox and review each application:

We agree that sandbox sponsors could play an important gatekeeper role as they would be sensitive to reputational risk associated with poor outcomes in the testing environment.156

After the public consultation, ASIC abandoned the idea of sandbox sponsorship, citing a range of reasons (such as the potential to confuse consumers, additional costs and competition concerns)157 and with it, the very reason for not requiring ‘case-by-case approval’. Although ASIC retained the overall supervisory function, with the removal of the sponsorship requirement, the gatekeeping function was not passed on to anyone (ASIC did not inherit this duty, since it was under no obligation to vet prospective participants). The 2020 ERS regulations also failed to address this gap. In ASIC Information Sheet 248, ASIC seems to suggest that it is prepared to be actively involved in analysing notices from ERS users – but this readiness does not affect the design of the ERS, which requires no approval before testing can commence. In this sense, ASIC Information Sheet 248 needs better drafting and alignment with the ERS regulations.158

Second, the role of notices to ASIC remains unclear. On the one hand, ASIC assumes no duty to review them. On the other hand, the licensing waiver under the ERS is only available once the (30-day) notification period has ended ‘without ASIC giving ... written notice of a decision ... relating to the notification’.159 In ASIC Information Sheet 248, ASIC rather confusingly states that ERS participants can start their test if ASIC confirms ‘that [the] notification satisfies the minimum requirements’.160 What should we make of this caveat? If ASIC indeed reviews each notification – as ASIC Information Sheet 248 and its submission to the Select Committee on Financial Technology and Regulatory Technology seem to suggest

Third, if ASIC indeed keeps reviewing all the sandbox notifications submitted to it but maintains the current non-authorisation model, then the procedure established by the ERS makes all firms in the sandbox collectively worse off. It is logical to assume that review of sandbox notifications does not occur strictly on the 30^th day following submission, especially in cases of multiple concurrent submissions. If this assumption is correct, it is likely that at least some notifications

158 For example, it includes a section entitled ‘How to apply for the ERS exemption’ (emphasis added), which clearly goes against the notice-based non-authorisation design envisaged by the ERS regulations: see ‘ASIC Information Sheet 248’ (n 137).

161 In its December 2019 submission, ASIC provided the following assessment of sandbox notifications: ‘A total of seven entities have participated in the ASIC Sandbox. A further 44 entities have submitted

preliminary notifications but do not meet the criteria necessary to qualify.’ This suggests that the regulator is reviewing all notifications: see Australian Securities and Investments Commission, Submission No 14 (n 3) 9 [27].

will be reviewed before the deadline (and, depending on the regulator’s workload, some may be reviewed very quickly). However, under the ERS, even if a decision is made that a FinTech firm is eligible for the sandbox, such a firm cannot start testing until the expiration of the entire notification period.162 Since the latter has more than doubled compared to the FLE,163 it follows that eligible FinTech firms are collectively in a worse position compared to an authorisation sandbox (where eligible entities can receive the green light as soon as their application has been reviewed and approved) and compared to the FLE (where the notification period was just 14 days).164

2 Grounds for Early Termination

Grounds for early termination of sandbox privileges are another puzzling area of the ERS. While there is little doubt that regulators are likely to retain at least some powers to stop a firm’s participation in a sandbox test even in a non- authorisation sandbox, in Australia the scope of this residual authority is hard to justify. As discussed in Part II(B)(1), under the FLE, ASIC was empowered to terminate a firm’s access to the sandbox if the relevant activities ‘are not innovative and/or do not use technology’165 – thus putting Australian FinTech firms in a position of uncertainty that does not arise for an authorisation sandbox model (where assessment of innovativeness is part of the admission test).

The ERS expands the grounds for terminating sandbox privileges and, just like in the FLE, grants ASIC the authority to stop the test if the relevant service or activity is not innovative. Thus, the previous discussion in Part II(B)(1) also applies to the ERS, but with some caveats. Somewhat usefully, ASIC Information Sheet 248 states that a notice to ASIC must explain that the relevant firm meets the newly established ‘innovation test’.166 This new test, which would look natural and logical in any authorisation-based sandbox, seems oddly out of place in the ERS, which remains notice-based. The ERS remains non-interactive and does not involve any dialogue with ASIC that could help quickly resolve certain issues – for example, if ASIC’s decision to prohibit the sandbox test is based on a technicality. Even though ASIC’s review of any resubmitted notice is likely to be a lot quicker, any resubmission would invariably trigger, again, a full 30-day notice period under the current design before any testing can commence.

Under the ERS regulations, if for some reason ASIC fails to review any sandbox notice received within 30 days, the testing period will commence automatically (but remain under the risk of a subsequent determination that the activity is not sufficiently innovative). However, since FinTech firms operating in the sandbox are not required to provide any interim reports concerning the status of their testing

166 ERS users are expected to explain ‘why each eligible financial service, financial product or credit activity is considered either new or a new adaptation or improvement of another service’: see ‘ASIC Information Sheet 248’ (n 137).

progress, no fresh data would be flowing to ASIC from the relevant test – and thus a subsequent decision to terminate access to the sandbox while the test is already underway is likely to be based on the old information included in the notification – rather than on some new development that could not have been predicted.

3 Economy of Resources

In the context of the existing non-authorisation sandbox model, it is important to consider one of the perceived benefits it brings – the economy of regulator’s resources (which, in the ideal scenario, should stem from the absence of an applicant screening procedure and ongoing monitoring, rather than from the lack of participants). After all, multiple regulators have suggested that sandboxes are not cheap,167 and thus it is important to consider the costs of operating a FinTech sandbox.

However, it would be too simplistic to just analyse whether the ERS is cheaper compared to its international authorisation-based counterparts. All else being equal, a regulatory initiative that does not require the regulator to review each sandbox application and interim report provided by sandbox participants has to be less expensive than the one that does. This article argues, however, that a better approach is to consider whether the expected (and guaranteed) cost savings from the enhanced sandbox are properly aligned with the chosen (non-authorisation) sandbox model. This approach is not limited to the analysis of a regulator’s available resources, but considers, among other things, whether in pursuit of cost savings regulators may inadvertently trigger other negative consequences, such as misaligned consumer expectations.

Back in 2017, in response to the ERS public consultation, ASIC made it very clear that direct supervision of unlicensed sandbox entities within the sandbox was neither desirable, nor realistic:

These will be unlicensed entities and as such ASIC will not monitor or supervise them. This is consistent with our approach to the ASIC regulatory sandbox. While ASIC does monitor and supervise existing licensed businesses this is supported by a broad regulatory toolkit and framework applicable to licensed financial services. We do not have this capacity or capability for unlicensed entities.168

In contrast, the wide scope of the final ERS regulations and ASIC Information Sheet 248 suggest that the regulator is expected to play a more active role in the entire process, by utilising its broad new powers to terminate access to the sandbox on new grounds, such as ASIC’s conclusion that the benefits of the sandbox are unlikely to outweigh the detriment to the public,169 or that the relevant activity is

167 United Nations Secretary-General’s Special Advocate for Inclusive Finance for Development FinTech Working Group and Cambridge Centre for Alternative Finance, ‘Early Lessons on Regulatory Innovations to Enable Inclusive FinTech: Innovation Offices, Regulatory Sandboxes, and RegTech’ (Report, 2019) 31.

likely to cause significant detriment to customers.170 Effectiveness of these new powers under the ERS will depend on two key factors: (i) availability of up-to-date data about the sandbox test and (ii) ASIC’s ability and willingness to use those powers. The first factor is likely to be problematic, given the absence of ongoing reporting obligations under the ERS (as discussed previously). The second is unlikely to be realistic either, considering ASIC’s submission in 2017, in which the regulator admitted:

Given the policy approach that the entities in the sandbox be unlicensed and the approach to supervision set out above we envisage this power will not be commonly used.171

Eventually, ASIC concluded that ‘it may be worth considering removal of the power’ altogether, due to (i) the large potential number of firms relying on the licensing exemption and (ii) the fact that ‘it might confuse consumers by suggesting that ASIC supervises these businesses’.172 While it is too early to discuss the first ground (ie, the number of FinTech entities interested in the ERS), let us consider the specific implications of the second one (ie, misaligned consumer expectations). Coexistence of the new monitoring powers under the ERS, on the one hand, and the absence of ‘capacity or capability’ (in ASIC’s own words) to monitor unlicensed entities, on the other, puts the regulator in an unenviable position. Indeed, how would ASIC characterise its own standard of engagement with firms relying on the ERS? It would no doubt be inconvenient to admit that the regulator has insufficient resources to control the risks and protect the consumers, or, worse yet, voluntarily chooses not to monitor unlicensed businesses when it is authorised to do so in the first place. Thus, if ASIC does not plan to exercise its monitoring powers and is unlikely to possess the data required for such monitoring anyway, what reason does the expansion of those powers in the ERS serve? In this setting, the use of limited resources to vet prospective applicants (as is common for authorisation sandboxes) is likely to be not only more efficient, but also better

In other words, this article does not posit that the current non-authorisation sandbox model brings no cost savings – it most likely does. Instead, I argue that these potential savings do not justify the supervisory model implemented as part of the ERS.

4 Undue Complexity

The last, but also arguably the most important, perceived inconsistency stems from the increased complexity of the ERS compared to the FLE. Even disregarding the previous discussion, a critical aspect of any regulatory sandbox is its usability. In authorisation-based sandboxes, much of the anxiety is relieved due to the formal application process and resulting information exchange with the regulator.

The ERS is different. In the words of Mark Adams (ASIC’s Senior Executive Leader leading the Innovation Hub), under the ERS, ASIC aims to apply a so- called ‘pragmatic approach’: in making assessments, the regulator will only rely on the information provided in any ERS notice and information sourced by ASIC itself.173 ASIC is not planning to seek additional information or do any additional work in making its assessment because ‘time does not permit that’.174 Regulators are known to have limited resources. So be it.

But let us now consider the other, non-regulatory, perspective. If the only meaningful feedback from the regulator within the ERS takes the shape of a response confirming or denying compliance with eligibility parameters, the onus is on FinTech firms to ‘get it right’ on the first attempt, to avoid wasting time on resubmissions and resetting the 30-day timer. In this setting, the ease of use and clarity of eligibility requirements become critical to attract innovators. Unclear, complex requirements require FinTech firms to spend additional time and expense (eg, on legal consultants), which undermines the usefulness of the ERS as an accessible sandbox format to promote innovation. Unfortunately, instead of simplifying the access requirements, the ERS has only grown in complexity compared to the FLE. In particular, the ERS implements two new tests: the net public benefit test and the innovation test defined in ASIC Information Sheet 248. ERS users are essentially required to make a self-assessment against vague and non- specific criteria that are based on the new requirements, all while considering the underlying terminology that is far from straightforward.175 Ironically, the adequacy of the innovation requirement has been questioned in the literature: Buckley et al argue (in the context of the FLE) that the task of assessing the degree of novelty is ‘arguably beyond [the regulators’] skill set, and one that ASIC ... expressly chose not to undertake’.176 Despite this, after finally replacing the FLE, the ERS has formally introduced the innovation test.

Somehow, the desire to enhance the original regulatory sandbox has produced an outcome that combines the key features of authorisation sandboxes (such as the ex ante test of innovativeness) without offering FinTechs the matching application- based regime and the opportunities for a formal dialogue with the regulator within the sandbox framework (informal assistance can still be provided by the Innovation Hub but it is hardly sufficient – for if informal support alone was sufficient, there would be no need for a regulatory sandbox in the first place).

175 For example, ASIC Information Sheet 248 uses the term ‘significant decision makers’, which the draft notification form defines as ‘any person(s) ... (i) who is not an employee or director of the applicant or of any related body corporate of the applicant; and (ii) whose role includes being responsible for making significant decisions about the ongoing provision of each eligible credit activity’: see, eg, Australian

Securities and Investments Commission, ‘Notification to Use the Enhanced Regulatory Sandbox Exemption to Test Eligible Credit Activities’ (Form, 1 September 2020) 6 [6] <https://download.asic.gov.au/ media/5772214/20200826_notification-to-use-the-enhanced-regulatory-sandbox-exemption-credit.pdf>.

B The Desirability of Aligning ASIC’s and APRA’s Sandboxes

Part II(B)(3) identified another FinTech regulatory sandbox in Australia – APRA’s RADI licensing framework – which raises the question about the prospects of alignment of ASIC’s and APRA’s sandbox regimes. Although ASIC and APRA have so far operated their respective sandboxes quite differently, each following a different model,177 the revisions made as part of the ERS have brought the two regimes closer to each other (see Table 2).

Table 2: Enhanced Regulatory Sandbox Compared to APRA’s Restricted ADI Parameters

	Enhanced Regulatory Sandbox (September 2020 Onwards)	Restricted ADI Licensing (May 2018 Onwards)
Maximum Duration	24 months	24 months
Multiple Uses/ Extension	Allowed (for different products/ services)	Allowed (in exceptional circumstances)
Admission	No application 30-day notice to ASIC	Application
Novelty Assessment	Ex ante: Yes Ex post: Yes	Ex ante: No Ex post: No
Early Termination Grounds	Failure to meet conditions Benefits are unlikely to outweigh the risks to the public Service is not new, or not a new adaptation/improvement Failure to act fairly, efficiently, or honestly New exemption used to continue a previous one Expected significant detriment to clients	Failure to meet conditions Insufficient progress Financial distress
Reporting Obligations	No	Yes (monthly)
Interactivity Level	Minimal	High

Under the FLE, overlaps between the two (APRA’s and ASIC’s) sandboxes were unlikely, not just due to the different time limits (12 months under the FLE and 24 months with possible extension under the RADI framework), but mainly as a result of the very narrow scope of activities permitted under the FLE.178 In contrast, the ERS matches the maximum duration of the RADI licence, allows

177 It will be recalled that APRA’s regime allows FinTech firms to obtain a restricted licence – not a licensing waiver – and thus follows the authorisation model.

extensions, and expands the scope of ASIC’s sandbox to include, among other things, credit activities.179

As part of international competition to attract FinTech talent, where two or more sandboxes operated by different regulators overlap, some overseas jurisdictions have offered joint administration of such sandboxes to facilitate sector-wide or even cross-sectoral testing. For example, Hong Kong’s three financial services regulators (the HKMA, the Insurance Authority and the Securities and Futures Commission) are now offering a single point of entry for cross-sector FinTech solutions.180 The UK regulators have gone further and proposed a single point of entry for a cross-sector sandbox.181

A similar approach is likely to be useful to further promote ASIC’s and APRA’s pro-innovation philosophy. In addition, it would be perfectly aligned with the updated Memorandum of Understanding (‘MoU’) between these two regulators issued on 28 November 2019182 as a response to recommendations 6.9 and 6.10 of the Hayne Royal Commission.183 Under the revised MoU, ASIC and APRA commit to engage with each other, ‘having regard to each other’s mandate and broader regulatory objectives’.184 However, since the ERS offers minimal interaction between ASIC and eligible FinTech firms, in the sandbox context ASIC’s ability to reach some of the key MoU objectives (such as agreement to ‘proactively provide appropriate information’ or to promptly respond to information and document requests)185 is likely to be much lower compared to APRA, which actively engages with RADI licence holders at all stages of the sandbox test.186

C Sandbox as a Solution Waiting for a Problem?

Back in 2016, the Australian Government concluded that a FinTech regulatory sandbox would be beneficial for the economy:

The Government will support ASIC and other regulators on the development of a ‘regulatory sandbox’ and other facilitative measures that will help position Australia as a leading market for FinTech innovation and investment in Asia.187

181 Financial Conduct Authority, ‘Call for Input: Cross-Sector Sandbox’ (n 100) 3 n 2.

182 Memorandum of Understanding between the Australian Prudential Regulation Authority and the Australian Securities and Investments Commission, signed 28 November 2019 <https://download. asic.gov.au/media/5362689/apra-asic-memorandum-of-understanding-2019.pdf> (‘APRA – ASIC Memorandum of Understanding’).

187 Australian Government, ‘Backing Australian FinTech’ (Report, 2016) 21 <https://treasury.gov.au/sites/ default/files/2019-03/Fintech-March-2016-v3.pdf>.

Four years later, the idea of a regulatory sandbox has not lost its attractiveness: the ERS is expected to bring ‘huge’ productivity benefits.188 However, is a simple expansion of the FLE really the best answer? Does the broadened scope of the ERS address all the deficiencies of the previous sandbox? This article argues that Australia’s unusual model of a FinTech sandbox requires clear answers to all of these questions. It demands precision, rewards foresight and punishes miscalculations much more than the typical (authorisation-based) sandbox design.

The ERS is not an interactive form of a regulatory sandbox. By design, there is no ongoing information exchange with the regulator, no mandated periodic (or even final) reporting,189 no possibility to apply for extension of the sandbox term (as there is no application process to begin with), and no better solution for FinTechs that quickly outgrow the limitations of the ERS than to immediately exit from the sandbox. The list could go on.

The efficiency of a non-interactive non-authorisation sandbox model ultimately hinges on the ability of the regulator to predict the future direction of FinTech development in the relevant jurisdiction. Since there is no application process or dialogue with the regulator and no flexibility in modifying the sandbox parameters, such a sandbox model can be called a ‘solution waiting for a problem’. If the relevant prediction is right, the sandbox works. If the calculation is incorrect, there is no demand and the sandbox becomes useless. This means that, for the ERS to be useful, it is not enough to admit that the ‘low number of applications in the Australian context suggests that we’re not doing it right’ and consequently ‘there is a need for reform’.190 Comprehensive research is necessary. But since the earlier calculations relating to the FLE have not materialised,191 the same could be true for the ERS and ASIC’s prediction that the numbers of ERS users ‘could be in the hundreds per year’.192

Another problem with any non-authorisation approach applied by regulators is that the underlying challenges and elements of sandbox design are mutually reinforcing. Since regulators are keen to minimise risks for end users, the list of permitted activities within a non-authorisation sandbox is likely to be both (i) narrow and (ii) limited to areas where the risks are well understood. But if the underlying risks are already clear and/or immaterial, the regulators overseeing such a sandbox are likely to have little or no interest in having some kind of dialogue with the sandbox users in the first place.

188 Commonwealth, Parliamentary Debates, House of Representatives, 4 July 2019, 317 (Michael Sven Sukkar, Assistant Treasurer and Minister for Housing).

189 The ERS regulations do not establish reporting requirements, while ASIC Information Sheet 248 includes only an invitation to provide a final report (‘If you rely on the ERS exemption, please provide us with a short report within two months after the end of the exemption period’): ‘ASIC Information Sheet 248’ (n 137).

190 Commonwealth, Parliamentary Debates, Senate, 6 February 2020, 370 (Jennifer Ryll McAllister).

191 ‘The 2017 Fintech Australia census reports that 9% of Australian fintechs plan to use ASIC’s sandbox in the next 12 months’: see ASIC Enhanced Sandbox Submission (n 132) 2.

D Desirability of Switching to an Authorisation Sandbox Model

The deficiencies discussed previously in Part IV are the result of the misalignment of the non-authorisation sandbox model used in Australia and its implementation. Part IV(A) has identified the key challenges of the ERS that the current sandbox model cannot resolve due to constraints of its design. Part IV(B) has stressed the need for cooperation between APRA and ASIC in the sandbox space and argued that the ERS design is not well suited for that purpose. In addition, Part IV(C) has shown that the usefulness of the existing sandbox model largely hinges on the regulators’ ability to predict the vector of FinTech development in the future – traditionally not a strength of regulators.

This article argues that all of the above issues could be adequately resolved by switching to an authorisation sandbox model. This conclusion does not imply that an authorisation sandbox is ipso facto the most efficient or desirable – such analysis is outside the scope of this research. Instead, I argue that the past and current implementation of the chosen sandbox model is ineffective and inconsistent.

The design choices that would have worked well in an authorisation sandbox are out of place in the ERS. The gatekeeper entity (sandbox sponsor) was removed, but the gatekeeping function did not disappear – yet even if ASIC ends up being efficient in this role, the ERS procedures make FinTechs collectively worse off (as noted in Part IV(A)). ASIC’s new powers suggest the regulator should have more control and engagement in the operation of its sandbox, and yet the benefits of the chosen non-authorisation model (including cost-saving) are likely to be maximised when the regulatory involvement remains minimal. Although the ERS has become substantially more complex (compared to the FLE), it has not offered FinTechs the tools available in similarly complex frameworks implementing authorisation-based access regimes (such as opportunities for a formal dialogue with the regulator within the sandbox framework).

The solution proposed in this article is thus: to replace the current notification- based FinTech sandbox model with a straightforward authorisation-based model that is widely used globally.

The statutory amendments introduced in February 2020 as part of the ERS opened a pathway to more than just incremental revisions to the existing sandbox framework. Importantly, these statutory changes are not linked to a specific sandbox model and empower ASIC to play a more active role in any sandbox framework. This means that a transition to an authorisation sandbox model does not require lengthy statutory amendments, although the May 2020 regulations (which follow the notice-based non-authorisation approach) are still in the way and would need to be revised to make possible a transition to the authorisation-based model.

Furthermore, given that it is the dominant sandbox format globally, the authorisation-based model of FinTech sandbox is likely to be more easily understood by the end users compared to the current puzzling – partially hands- on and partially hands-off – regime. A framework that is simple and clear would promote legal certainty and, it is argued, is better aligned with ASIC’s competition promotion mandate.193 After all, if legal professionals (such as law firms) still get

confused by the sandbox rules in 2020, it is probably unrealistic to expect FinTechs to navigate the ERS framework with ease.194

V CONCLUSION

Amidst the COVID-19 turmoil of 2020, the revision of ASIC’s regulatory sandbox took place without fanfare – yet the importance of this reform must not be overlooked. It is an opportunity to fix the design flaws of the underperforming FLE that continued for almost four years. Alas, the new ERS offers more of the same – a similar sandbox design coupled with fewer restrictions but also greater complexity.

This article has demonstrated that the current sandbox reform merely scrapes the surface of the many challenges underlying ASIC’s sandbox. It has argued that these challenges can only be adequately resolved by revising the chosen sandbox model and switching to an authorisation-based sandbox design.

Australia’s financial sector must innovate if it hopes to be regionally, let alone globally, competitive, and revision of regulatory sandbox frameworks is an important step towards enabling further responsible innovation. But time is precious in the current race to attract FinTech talent. An attempt to create a unique ‘world-first’ non-authorisation sandbox model may have generated publicity – but it has also added much confusion and few tangible results. I suspect the ERS will attract more FinTech firms than the previous framework even without changing the sandbox model proposed in this article. However, this probable increase should not obscure the bigger issues outlined in this research, which – if left unchecked – will continue to limit Australia’s FinTech potential.

The transition to an authorisation sandbox that I propose in this article has one potential cosmetic flaw: it will make Australia’s sandbox framework look less unique on paper. But at least it is more likely to get the job done.

194 A recent ERS legal alert prepared by Baker McKenzie states: ‘Applications for relief must comply with the detail [sic] requirements in the Regulations’. The confusion stems from the fact that the sandbox operated by ASIC does not envisage any applications: see ‘Australia: New Sandbox Regulations Remove Client Number Limits and Broaden Scope of Products’, Baker McKenzie (Web Page, 12 June 2020)

152	See above nn 146–7.
153	See ‘ASIC CP 260’ (n 81).
154	Ibid 32 [92].
155	Ibid 33 [94].

University of New South Wales Law Journal

Didenko, Anton N --- "A Better Model for Australia's Enhanced Fintech Sandbox" [2021] UNSWLawJl 38; (2021) 44(3) UNSW Law Journal 1078

A BETTER MODEL FOR AUSTRALIA’S ENHANCED FINTECH SANDBOX

I INTRODUCTION

A Relevance

B Objectives and Structure

II AUSTRALIA’S ORIGINAL SANDBOX MODEL (DECEMBER 2016 – AUGUST 2020)

A FinTech Regulatory Sandboxes and the Challenges of the Relevant Academic Discourse

B How Australia’s FinTech Sandbox Model Disrupts the Academic Discourse

1 Main Features of ASIC’s Original Sandbox Model

2 ASIC’s Original Sandbox Model in the Literature

3 Lessons from the Academic Discourse on Australia’s FinTech Sandbox Framework

III AUSTRALIA’S ENHANCED REGULATORY SANDBOX (SEPTEMBER 2020 ONWARDS)

A Historical Context

B What Exactly Has Been ‘Enhanced’?

IV THE NEED TO REVISE, NOT ENHANCE

A Enhanced Sandbox Is Inconsistent with the Chosen Model

1 Missing Gatekeeper

2 Grounds for Early Termination

3 Economy of Resources

4 Undue Complexity

B The Desirability of Aligning ASIC’s and APRA’s Sandboxes

C Sandbox as a Solution Waiting for a Problem?

D Desirability of Switching to an Authorisation Sandbox Model

V CONCLUSION