The Sandbox Approach

1.What is a Sandbox?

A sandbox is a live test environment in which financial services products can be tested in a controlled environment, therefore reducing risks to the public.


2.Why use a Sandbox?

Testing regulated products and services in any form beyond internal alpha testing could erroneously bring an entity into conducting regulated activity by way of business. The Authority only provides a regulatory licence or authorisation where products and services have been fully tested. A solution to this scenario is to allow a business to build its product in a live test environment where the risks to more vulnerable consumers (such as retail consumers) and the financial system are contained.


The Authority has the power to apply exceptions or modifications to rules by imposing relevant conditions on the licence as a means of mitigating the risks to the public whilst permitting limited testing. Currently, the power to apply exceptions or modifications is limited to persons licensed under the Financial Services Act 2008.

3.What is the Sandbox process?

For the purposes of the sandbox process, the software development lifecycle is defined as follows:





Stage 1

Proof of Concept

A new product or service that is not used by members of the public.


At the proof of concept stage an entity does not require to be licensed, as it would not be undertaking regulated activity by way of business.


Stage 2

Minimum Viable Product

Normally alpha testing commenced at this stage.


Like stage one, stage two – a minimum viable product or service – does not require an entity to be licensed. Whilst at this point the entity may be undertaking regulated activity, it would not be doing so by way of business.

Whilst a product or service, at this stage, is being developed, the entity should engage with the Authority to progress its licence application and discuss its proposals.

Stage 3


A product or service that is functional and is ready for beta testing.


A product or service at pre-production stage would require a licence to be issued. At this stage, testing would amount to undertaking regulated activity by way of business, even if the business is not taking fees.

Beta testing allows for a product or service that is not fully developed to work in an environment so any stability, fail safes and/or other safety systems can be fully reviewed and worked into the full product.

The Authority does not normally licence a business using a pre-production product or service, however, to create a safe environment for innovation, the Authority can (where applicable) apply conditions to a licence to mitigate risk to the public. The relevant conditions would depend on the nature of the regulated business and the product or service, but typical examples include restrictions on the locations in which the product or service can be used, the maximum number of customers that can test it and the nature of the customers (such as limiting it to corporate entities or particular types of individuals). The Authority could also use its ability to modify or exempt certain Rule Book requirements if this would be appropriate and not put its regulatory objectives at risk.

Stage 4

Launch ready

A product or service that is fully tested and is ready to be used by the public.


When the product or service is launch ready, the Authority may remove some conditions from the licence, or change modifications, as and when it is appropriate to do so.


Stage 5 


The entity is licenced and the product or service is made available to the public.

After issuance of the Licenced the entity should expect more intensive supervisory engagement. This will reduce as the entity matures.

It is important to note, that the Authority licenses entities, not products. If an entity wishes to undertake regulated activity with a product or service to test, it will need to meet the requirements of the Licensing Policy for entities (FSA08).


4. Sandbox Application

The following is required in order for the Authority to consider a regulatory sandbox:

  • Licence application documentation
  • A test plan which includes a timeline, relevant milestones and the expected test results that demonstrate functionality of stated product or service
  • The business plan for product or service rollout
  • A plan to safely wind the entity down if the product or service is unsuccessful.

On specific cases the Authority may also require the following:

  • A testing plan with clear milestones of what should be achieved and when;
  • A security analysis of the product;
  • A penetration testing audit; and
  • A code review of the product or service’s code base.

 The list is not exhaustive, the Authority’s officers will discuss what additional documentation (if any) will be required as part of the application process.