In November of 2018, Cayman Islands Financial Services Minister Tara Rivers announced that her ministry is planning to implement a regulatory sandbox for digital assets and other innovative financial technologies that do not neatly fall within existing regulations. According to Ms. Rivers, the aim is to “encourage, foster and incubate legitimate activities,” while ensuring “sufficient oversight and monitoring to ensure the activities taking place are compliant, fair and transparent.”
The move is intended to address concerns that Cayman is falling behind other jurisdictions that have already established regulatory frameworks for digital assets. Although Cayman has hosted numerous initial coin offerings (ICOs), including the largest to date (EOS/Block.one, which raised over $4 billion), uncertainty remains as to the regulatory status of digital assets issued in the jurisdiction. A recent article on the popular software blog Hackernoon listed the top ten jurisdictions for a “worry free initial coin offering” as: (1) Switzerland, (2) Singapore, (3) Gibraltar, (4) the United States, (5) Thailand, (6) Israel, (7) France, (8) Malta, (9) Russia, and (10) Estonia.
At first glance, it may appear paradoxical that regulation should be required in order to encourage innovation. In most cases, regulation inhibits innovation (except within the narrow context of innovations enabling compliance with the regulation). However, in the case of finance, regulation is now so pervasive that innovators fear that, unless they are expressly given permission to operate, they may well be in violation of one or more regulations – now or in the near future.
One solution to this conundrum is explicitly to pre-empt such threats by removing as many regulatory roadblocks as possible. For example, under its Digital Ledger Technology (DLT) framework, which entered into force in January 2018, Gibraltar has established a set of nine principles for the operation of DLTs. In addition, in its proposed regulation for tokens, which was scheduled to be enacted into law in late 2018, it has deemed that: “Most often, tokens do not qualify as securities under Gibraltar or EU legislation. In many cases, they represent the advance sale of products that entitle holders to access future networks or consume future services. They are akin to mobile phone companies pre-selling airtime in networks they plan to build using the proceeds of those airtime sales. As such, these tokens represent commercial products (albeit reliant on future availability and utility) and are not caught by existing securities regulation in Gibraltar.”
Switzerland has taken a slightly different approach, establishing a relatively simple and clear process for the registration of ICOs. Switzerland’s Financial Markets Authority (FINMA) rules on each application individually and applies different rules depending on whether the token is classified as a payment, utility or asset.
Another approach, adopted first in the U.K. but now followed by several others, including Singapore, Hong Kong, Australia, Canada, India, Malaysia and Abu Dhabi, has been to create a “regulatory sandbox”. The term derives, originally, from the sandbox – a small cordoned-off area of sand in which children can experience some of the delights of the beach and experiment, building sandcastles and the like, without risk of being swept away by the tide or traipsing sand into the house. The term was then adopted by software engineers who have for years used code “sandboxes” in which they experiment with changes to a program in an environment that largely replicates but is isolated from the live code.
A regulatory sandbox performs a similar function for the regulation of new technologies and business models, as the U.K.’s Financial Conduct Authority explained when it introduced the idea in 2015: “A regulatory sandbox is a ‘safe space’ in which businesses can test innovative products, services, business models and delivery mechanisms without immediately incurring all the normal regulatory consequences of engaging in the activity in question.”
Thus, for example, in the U.K. context, “A sandbox could allow a firm to make their advice platform available to a limited number of consumers. As a safeguard, once the advice is issued, but before transactions are executed, financial advisers would review the advice. This would allow firms to learn how consumers interact with their advice platform and how their algorithm performs compared to human assessment.”
Regulatory sandboxes enable companies to develop and implement, on a small scale – i.e. with a limited number of customers – novel financial technologies that either do not neatly fall under existing regulations or could pose compliance challenges due to their unusual nature. They are also applicable to new products with an uncertain market – enabling firms to trial the products without having to go through a full regulatory review process.
Regulatory sandboxes typically require applicants to provide details of the proposed trial, demonstrate the financial wherewithal to implement the trial, specify the timeframe and scale of the trial (i.e. the number of customers, maximum size of transactions), demonstrate that the applicant has in place appropriate risk mitigation measures, and describe the planned “exit strategy” (i.e. either through expanding the program if successful or transitioning customers if not). In addition, where applicable, sandbox applicants must ensure that any “test” client data used is anonymous and that all safeguards needed to maintain cybersecurity across the code base would be in place.
The U.K.’s FCA undertook an evaluation of its regulatory sandbox program in 2017. In its first cohort, the FCA received 146 applicants, of which it accepted 50. Of those, it found that 75 percent successfully completed testing. Moreover, it found: “Around 90 percent of firms that completed testing in the first cohort are continuing toward a wider market launch following their test. The majority of firms issued with a restricted authorization for their test have gone on to secure a full authorization following completion of their tests.”
The G20 has also been working on a proposal for a set of standards for crypto-currencies and other digital assets, with a particular focus on issues related to AML and KYC. In the communiqué from its December meeting in Buenos Aires, the G20 stated: “We will continue to monitor and, if necessary, tackle emerging risks and vulnerabilities in the financial system; and, through continued regulatory and supervisory cooperation, address fragmentation. We look forward to continued progress on achieving resilient non-bank financial intermediation.
“We will step up efforts to ensure that the potential benefits of technology in the financial sector can be realized while risks are mitigated. We will regulate crypto-assets for anti-money laundering and countering the financing of terrorism in line with FATF standards, and we will consider other responses as needed.”
Given the widespread interest in new digital assets, including ICOs and other blockchain-based products, combined with the likelihood of increased scrutiny of such products from an anti-money laundering (AML) and “know your customer” (KYC) perspective, the introduction of a regulatory sandbox for these and other novel financial technologies is to be welcomed in Cayman. In so doing, it is important to create a simple application and review process.
Cayman might also follow Gibraltar’s example and specify clearly up-front which tokens will be considered securities.