Essential reading for anyone interested in the FCA regulatory sandbox (one AISP business’s experience)
Regulation is important for consumers and business. While the FCA sandbox can be a good way to experiment and get going, it’s not a light touch.
untied learnt three lessons on our way to becoming a registered AISP (RAISP) that we’re happy to share:
- Don’t rely on timings
- Do things in parallel
- Have a backup plan
And a fourth which perhaps we forgot at times:
- The FCA are people too
I was recently asked about untied’s experience of the FCA sandbox and the value of the opportunity to experiment and test innovative offerings. Here I’ve summarised my responses in the hope they may be of use to other businesses. As highlighted in the note of caution below, take it as one journey, but yours will be different.
The sandbox works in cohorts (effectively it seems for processing purposes, rather than anything else). They’re now in Cohort 6.
In untied’s cohort (Cohort 5), 29 companies were accepted to join the sandbox out of the 99 that applied, so about a 30% chance of getting in. Those taking part were a mix of giants (Barclays, Post Office, Standard Chartered) and new businesses with big dreams.
The Financial Conduct Authority has an unenviable responsibility. If something goes wrong in financial services, the world turns to them as the regulator and asks “how could you let this happen?” They protect consumers. And by working to keep bad people out (and bad things from happening), they maintain the reputation of legitimate financial services businesses.
But for a new startup, regulation can be the difference between having something you can launch, and actually launching it. It’s a giant mountain that needs to be overcome before your world-changing idea can be tested in a real setting. And while you’re not testing, you’re not learning.
Enter the FCA regulatory sandbox, which “allows firms to test innovative offerings in a live environment”, offering the potential of “reduced time-to-market at potentially lower cost”.
I first looked at it within a few weeks of starting untied, 15 months ago. But it wasn’t quick. Approval and set up was only completed in September, nearly a year after we first applied.
I’m happy to share what I wish I’d known then.
Getting into the sandbox
To start, I just want to set out the stages we went through, who was responsible, and roughly how long it took. Where something is down to the business I’ve put the effort required as the elapsed time will vary. It’s from untied’s perspective in cohort 5; the FCA may see the stages very differently. And whatever your own timing will be, it will be different!
|Stage (who was responsible)|Elapsed time or effort|
|---|---|
|Getting ready to test (Business)|5 months from concept to fully integrated built MVP (this will of course vary from business to business)|
|Sandbox application (Business)|5 hours’ effort (plus submitting other documents that already existed)|
|Waiting for sandbox deadline (FCA)|2 months|
|Approval to be in the Sandbox (FCA)|3 months following the deadline|
|Testing plan (Business)|15 hours’ effort|
|Testing plan approved (FCA)|6 weeks with some back and forth all resolved fairly quickly (we have heard from others that this isn’t always the case)|
|Apply for registration for the firm (Business) – required a Regulatory Business Plan and lots of separate sub documents|80 hours’ effort (some guidance on what is needed but largely this is pointing you to what requirements are to be met rather than templates)|
|Registration approved (FCA)|4 months (with some to-ing and fro-ing, including additional information we needed to write)|
|Ongoing communications while in the sandbox|Weekly calls (sometimes five minutes, sometimes half an hour depending on what issues have come up or questions we have had – these are very helpful)|
A note of caution
This has been our journey. Others will have their own. Take what you will. You’re probably looking for a different approval. Each business is unique. Regulations around our activity are pretty recent, and Open Banking presents its own challenges. We were applying mid-Brexit. And as the FCA knows, there were times when we took a while to reply too!
So all mileages vary. But we also know that you probably want to know about a real experience. And at untied we want to give answers, rather than simply saying “take advice” (which sometimes means “pay for advice from someone who has professional insurance if it goes wrong”).
Background – why does untied need regulation?
When we set about building untied, we asked ourselves, “Where do we find the information that’s needed to help people with their taxes?” And the answer lay in people’s bank statements. Except that now, we don’t need to ask people for their statements – there is technology that enables a user to give us permission to get this directly from their bank accounts. From there, once a user has linked their bank and card accounts to the untied app, untied makes tax sense of their transactions, and prepares a return which can then be submitted directly to HMRC.
From the start we understood this meant that untied would need to be regulated by the FCA as an account information service provider (AISP / RAISP), a relatively new type of regulation which applies to businesses like us offering services based on bank transaction data.
As an aside, one way we get this data is through Open Banking, a set of standards and permissions through which consumers can connect services to their accounts. You’ll be hearing a lot about Open Banking.
Could a business start without regulation?
First the legitimate option. There are ways to fall under another organisation’s regulation – for instance by acting as agent. This was just becoming an option as we were setting up untied. We looked at a couple of alternatives, but one was very pricey and the other didn’t give us the reach that we needed. If we’d known it would have taken so long to get our own approval, I think we would have considered this more seriously.
At the other end of the scale we’ve also come across businesses that had just launched without regulation, with the mindset that it’s easier to seek forgiveness than permission. That’s a high stakes thing to do – for the business and the individuals associated with it. We didn’t want to break rules that are there to protect customers. It would risk our reputation and our business especially as untied is here to make compliance easy, not to avoid it. If you’re still thinking about it, take a look at the fines on offer.
What can you say about timings?
I believe we lost time by delaying our application until our product was built and nearly ready to test. Even though being ready to test is stated as a criterion before applying to the FCA sandbox, it feels that what we really needed was more spiritual readiness at that point! So long as we had a clear idea of what the product is, I think we could have submitted a strong application.
Unfortunately, we struggled to get clarity on the timings or process. We did not know that our cohort was running several months after the equivalent cohort last year, and that further delays were ahead. It also meant that the test schedule slipped. Of course we also held things up at times, sometimes because we were just too busy, and at others because we were afraid of sending something that may not be up to scratch.
In all this, I think not understanding the process was a big factor. It felt akin to walking up a mountain, thinking you’ve reached the summit only to then spot a higher peak a couple of miles further along. Rinse and repeat.
Why are there so many steps?
The steps come about because they’re covering both the activity and the firm. Most of the sandbox team’s work is looking at the activity. Only once they’re happy that the activity and your plan to test it qualify do they then shift you to the team that registers or authorises you as a firm – if you’re like us this comes as a shock as you probably don’t have 80-100 clear hours in your diary. In contrast, a firm that is already authorised can test new activities in the sandbox – that’s what a lot of the big institutions do. Slightly off topic here, but the result is the sandbox ends up biased towards existing institutions rather than encouraging new ones.
For what it’s worth, I don’t really understand the difference between registration and authorisation. It depends on what you’re doing. And they’re both a lot of work.
But the good news if you’re reading this (and which I wish we’d known) is you can be doing a lot of this in parallel. Having submitted the sandbox application, it’s worth thinking about your testing plan and especially making the application for relevant registration or authorisation. It means that if the sandbox is delayed you have a plan B which means you could potentially be ready to skip the sandbox and go for full approval.
Are there any tips about the application?
While it was not something we encountered, we were advised to be careful to ensure consistency. The paperwork is repetitive and we were told that if answers are different to those in other sections then they may pick up on it. We ended up doing a lot of copying and pasting.
One other thing is we were writing documents for the application and were aware that while we felt they were appropriate to our scale, they would be compared with submissions of big institutions with large compliance departments. I’m not sure how much this is a factor for the FCA, and never actually asked them! I’d look at a policy that we’d prepared in plain English and wondered how it would be received.
Did you use an advisor?
We had plenty of offers, saying that it would move things forward. The point where it would have been helpful was in preparing the Regulatory Business Plan. However, by that point we were already getting into the detail and also wanted to make sure we understood things for ourselves. My sense is that the right advisor could have helped with the drafting at that point.
We’ve been told advisors may charge £15k-£25k; that of course depends on what you’re being regulated for, and you’ll still need to invest a lot of time answering their questions!
What else do businesses need to think about?
There are three things:
- policies/documentation … from an untied perspective we developed these in sync with the FCA sandbox process. We would probably have had a more comprehensive set of documents if we’d gone down the advisor route, but this meant we were doing everything consciously. We were (and remain) alert to keep these in sync since there is quite a lot of cross reference and repetition (and if it says we do something monthly in one place, and quarterly elsewhere this could be an issue)
- insurance … contact me and I’d be very happy to recommend our insurers. We tried a few different options, but it took a friend/family connection to find one that covered everything we do in a single policy
- security testing … in addition to our own security processes and automated checks, we’d carried out manual penetration testing as part of onboarding with a client. Although this wasn’t explicitly an FCA requirement it’s pretty good practice!
What are informal steers?
Good question. The sandbox offers “informal steers”, and we asked for one or two during the application. I interpreted the term as a lay person would, but I got the sense that there is a fairly technical definition that they were applying.
One effect was we felt a reluctance to be explicit … particularly in the period between acceptance for the sandbox and starting the test, we would have benefited from more engagement. They did try to help … if we asked a question, we’d have our attention drawn to the relevant regulations for us to interpret. But we were hoping for something more direct, “Add a bit more here saying XYZ and that should do it,” or, “You’re so far off what’s needed, it may be an idea to bring in support for this area.” This is a shame as there were regulatory riddles where we would really have been helped by more specific guidance on how to answer them.
In this vein, also note that in our case there wasn’t any direct conversation at all with the person reviewing our application. At times a phone call would have helped to ensure we’re all on the same page, such as “We’re really missing something, can you clarify what you mean?” But it was all rather third hand and with carefully couched language. I haven’t spoken to other businesses about their experience in this area.
From now being in the sandbox, there is a much more personal interaction with the FCA. If we ask a question we get very constructive answers. However, beyond the FCA sandbox, a lot of their processes and systems are hard to navigate. We’ve been asked to fill in forms we can’t access and every time we phone them we end up speaking to someone else. But I guess that’s what comes of dealing with a larger organisation.
You mentioned plan B. Did you have a plan B?
We had multiple. An alphabet soup of alternatives. But because FCA regulation always seemed so close, we didn’t actually put any of them into effect. One of them was to just go for full registration. It may have been quicker (because it wouldn’t have involved all the sandbox-specific delays).
Another plan was looking at regulation outside the UK and “passporting” in. We approached the Belgian authorities, and their response was very different to the FCA. They positively encourage phone calls and meetings before an application is made – within a few days of contacting them, we’d completed a half hour call and a face to face meeting in Brussels, which included the sort of steers and templates we’d expected from the FCA about what would make a successful application. One of them is that they want the business to have a meaningful Belgian presence which is understandable. If we’d known that the sandbox process would take so long we would have moved forward with an alternative more seriously.
How have the FCA responded to comments?
The FCA is made up of people like the rest of us. Trying to do their jobs. I’m sure they’d be as happy as we would be for things to be smoother. And they have recently undertaken a review of the sandbox. Particularly since we actually got into the sandbox, they seem keen to learn.
Have you had contact with other cohort businesses?
I’ve had informal conversations thanks to introductions people have made. If you’re looking at the cohort as a group of businesses all in it together and sharing experiences, then you’ll be disappointed. It feels more administrative than anything. A pity and possibly a missed opportunity, but they have enough on their plates!
I also thought about bringing people together. It hasn’t happened yet. But we do need to coordinate – businesses and regulator – to make this a better place for innovation that also gives the consumer confidence in what we’re doing.
What’s been your experience actually in the sandbox?
We are feeling positive. We started with weekly calls that have now become slightly less frequent. These are helpful and allow us to talk through constructively some of the things that are on our mind. Sometimes it’s a way of bouncing ideas about the customer journey; in other cases there are technical issues with one bank or another. It’s a sympathetic ear. As an aside I just googled “sympathetic ear FCA” and while relevant results are few, the second is an article from 2014 that talks about how the FCA needed to show such feelings to those wanting to develop new products. So if you’re reading this from the FCA, more of this is welcomed.
The FCA have also given us further offers of help and engagement that are going to be useful.
Are you glad you went down the sandbox route, and how do you exit?
On balance, we are glad (but take note of the lessons we’ve learned!). While we hear stories of businesses that get regulated quicker by applying directly, there are others that don’t. Many of these are larger organisations than untied.
Certainly it hasn’t been straightforward. But that doesn’t mean that other routes would have been easier. Imagine driving to a party and hitting loads of traffic, wishing you’d taken another route. And then half an hour later, people arrive having taken that other route complaining about their own hold ups.
As we’ve noted, now that we’ve got FCA registration, we’re enjoying more engagement with the sandbox team, including weekly calls. It’s all leading towards a successful test of untied.
As for the final question, having tested the product, we have now exited the sandbox. If you’re in the same position, we’ve been advised that typically a sandbox business has done 70-90% of the work for full registration. Maybe that’s something for another chapter.