On 5 September 2022, and in line with its policy of enabling responsible innovation to promote the development of an inclusive digital financial ecosystem, the Bangko Sentral ng Pilipinas (“BSP”) issued Circular No. 1153 and approved a Regulatory Sandbox Framework to be incorporated as Section 115 of the Manual of Regulations for Banks (“MORB”) and Sections 112-Q/115-S/115-P/113-T/103-N/141-CC of the Manual of Regulations for Non-Bank Financial Institutions (“MORNBFI”). In broad terms, the new rules allow fintech developers to test the use of new or emerging technology to deliver financial products and services in a controlled environment.
1. What is the Regulatory Sandbox?
The Regulatory Sandbox is a controlled, time-bound, live testing environment which may feature regulatory waivers at the regulator’s discretion in order to promote the development of transformative technologies under a “test-and-learn” approach. Applicants that are assessed as eligible to participate in the regulatory sandbox (“Participants”) must operate within testing parameters agreed upon by the BSP and the Participants. Testing parameters include metrics to assess the viability of the solution being offered.
2. What is the scope and coverage of the Regulatory Sandbox Framework?
The Regulatory Sandbox Framework applies to all BSP Supervised Financial Institutions (each a “BSFI”), third party service providers of BSFIs, other BSP-registered institutions, and other entities that intend to offer or use any emerging or new technology to deliver financial products/services within the regulatory authority of the BSP.
3. What are the eligibility standards that applicants should meet in order to participate in the regulatory sandbox?
Under the Regulatory Sandbox Framework, applicants must meet the following criteria to participate in the regulatory sandbox:
a. the financial solution offered by the applicant either: (i) uses new or emerging technology or utilizes existing technology in an innovative manner, or (ii) bridges a market gap in the delivery of financial products/services;
b. the applicant must show that it has the capability to deploy the proposed solution through a roll-out strategy;
c. the applicant must provide an initial test plan demonstrating scenarios and expected outcomes of the experimentation;
d. the applicant must have identified significant risks relevant to the innovation and the proposed safeguards and mitigation strategies to address these risks;
e. the applicant must have specified Key Performance Indicators (“KPI”) in monitoring the progress of the implementation of the solution; and
f. the applicant must provide an acceptable exit and transition strategy to be implemented upon the completion of the experimentation.
4. Are there continuing conditions that must be complied with by the Participants that have been granted approval to perform sandbox activities?
Yes, under the Regulatory Sandbox Framework, Participants must comply with certain conditions in the performance of sandbox activities.
Among these conditions, Participants in a regulatory sandbox must ensure that an appropriate top-level committee oversees sandbox activities and that the sandbox is integrated in the overall strategic plan of the entity to ensure that the entity’s systems, financial performance and risk management capability are capable of handling the new product/service.
Further, Participants must guarantee that sandbox activities satisfy legal and regulatory requirements for Anti-Money Laundering/Combating Terrorism and Proliferation Financing, together with relevant regulations on payments, IT risk management and Electronic Products and Financial Services (“EPFS”).
Note that under the Regulatory Sandbox Framework, the sandbox must be implemented for a period no longer than 12 months. After such period, a report must be submitted by participants summarizing the outcome of the experimentation and the viability of the product offered, supplemented by recommended action plans for the offered product/service.
5. What is the process followed in a regulatory sandbox?
The Regulatory Sandbox Framework contemplates that each regulatory sandbox shall undergo a four-stage process: the Application, Evaluation, Testing and Exit Stages. These are discussed briefly below.
a. Application Stage – Under this stage, applicants are mandated to submit certain minimum documentary requirements. These include a letter of intent, application form, eligibility self-assessment checklist, and exit plan (using the forms annexed to Circular No. 1153), and copies, certified by the corporate secretary of the applicant, of the resolutions of its board of directors approving the application for regulatory sandbox authority.
b. Evaluation Stage – The BSP evaluates the completeness of the documentary requirements submitted based on the eligibility standards outlined in item 3(a) above.
c. Testing Stage – The testing stage is divided into two phases: (i) a testing design phase; and (ii) a testing implementation phase. Together these determine the viability of the proposed solution.
During the testing design phase, Participants are required to present the proposed innovation to the BSP. If it finds everything in order, the BSP shall approve the test plan to be utilized during the experimentation period and issue a Letter to Proceed with the next phase. The test plan should, at a minimum, contain the following: (a) overall timeline and budget, (b) testing performance metrics, (c) testing methodologies and/or scripts, (d) customer acquisition plan, (e) customer communications, (f) minimum safeguards (such as information security, consumer dispute resolution/redress mechanisms, and anti-money laundering and counter-terrorist financing safeguards), (g) identification of the regulatory requirements to be relaxed during the testing period, (h) exit plan upon completion of the sandbox activity or in case there is any serious concern on the continued implementation of the sandbox activity, and (i) testing deliverables.
The test implementation phase may range from three to 12 months in duration, depending on the complexity of the proposed solution. Note that any proposed adjustments in the duration of the sandbox activity must be submitted to the BSP for evaluation at least 30 calendar days before the expiration of the sandbox testing period.
d. Exit Stage – After the testing stage, a final report shall be prepared by the Participants providing a comprehensive evaluation of the entire sandbox activity.
6. When are participants deemed fit to operate with their proposed product/service?
Participants whose products or services are deemed fit for public consumption after having completed the testing and exit stages referred to above may submit to the BSP an application for authority to operate and to offer the proposed product to the public.
Note that despite successful sandbox testing, the approving authorities reserve the right to approve or disapprove the proposed product or service.
7. What are the conditions that will trigger the revocation/termination of the Regulatory Sandbox Approval?
The BSP may revoke the authority of entities to participate in the sandbox based on (i) sandbox implementation-related conditions and (ii) entity-related conditions.
Sandbox implementation-related conditions consist of the failure of Participants to deliver the approved product/service features, or failure to develop and implement the required safeguards appropriate for the proposed solution. Further, significant breaches on data protection and the inability of the participants to effectively address technical defects or vulnerabilities in the proposed solution also fall under the foregoing conditions.
Entity-related conditions, on the other hand, pertain to issues in the operational and/or business conditions of the Participant.
8. What are the reporting requirements for Participants during the regulatory sandbox?
Participants are mandated by the Regulatory Sandbox Framework to submit interim and final reports to the BSP to facilitate monitoring of the regulatory sandbox activities. Interim reports must describe the status of the sandbox activities including key issues encountered and actions undertaken to address emerging risks. The final report shall thereafter contain the final results of the experimentation presenting complete information on the key outcome of the activity. Note that the final report must be submitted by participants to the BSP within 60 calendar days from the end of the sandbox activity.
9. How are consumers who are subject to sandbox experimentation protected?
Under the Regulatory Sandbox Framework, participants in the sandbox activity must adopt measures to protect the rights and interests of consumers. Customers must be informed that the product/service offered by the participants is under the regulatory sandbox platform and must be informed of the possible risks associated with the product.
Further, all regulatory sandbox experimentation shall follow the rules and regulations on data sharing, data privacy, and data protection in all implementation phases. The use of customer data should be limited to the consent provided by the customer in availing the product or service.
2 SyCipLaw Banking Bulletin | March 2023
NPC AMENDS GUIDELINES ON PROCESSING DATA FOR LOAN TRANSACTIONS
On 14 September 2020, the National Privacy Commission (“NPC”) issued Circular No. 20-01 setting forth the guidelines on the processing of personal data for loan-related transactions. On 1 December 2022, the NPC also issued an amendatory circular, Circular No. 2022-02, further expounding Circular No. 20-01 in order to respond to exigencies in the processing of personal data (collectively, the “Guidelines”).
1. Who are covered by the guidelines?
The Guidelines apply to lending or financing companies which process personal information for the purposes of loan processing activities, as well as any natural or juridical person who acts as such whether or not they are granted authority to do so by the Securities and Exchange Commission (“SEC”) (collectively, “Covered Persons”). The Guidelines also apply to any personal information processor (“PIP”) or third-party service providers engaged by them. However, the following are expressly excluded from the definition of lending and financing companies: banks, investment houses, savings and loan associations, pawnshops, insurance companies, cooperatives, credit institutions regulated by law, and other financial institutions organized or operating under special laws.
2. Is there information, in addition to that required by Republic Act No. 10173 or the Data Privacy Act (“DPA”) and its implementing rules and regulations (“IRR”), that must be provided to borrowers? Are there additional requirements for obtaining consent from borrowers?
Yes, the Guidelines provide that the following information shall be provided to borrowers:
a. all information concerning all phases of the loan processing activity;
b. information regarding the use of profiling, automated processing, automated decision-making, or credit rating or scoring before the use of such or at the next practical opportunity, if applicable; and
c. categories of data considered in deciding whether or not to approve loan applications, subject to reasonable policies on minimum information and manner of disclosure that may be maintained to avoid manipulation or exploitation of the evaluation process.
In providing the required information under the Guidelines, the DPA, and its IRR, Covered Persons are required to format the information in a way that considers the accessibility of the information and the convenience of the borrowers. The Guidelines also require that policies and procedures be adopted in order to adequately address inquiries and clarifications by borrowers.
The Guidelines reiterate the DPA and its IRR such that consent for the processing of personal data should be obtained from data subjects when necessary and that the data subject, prior to the giving of consent, should be provided details as to how the information will be processed.
With regard to the credit data of a borrower, when required to be disclosed or submitted pursuant to law or regulation, the DPA shall apply. This includes instances wherein Covered Persons share credit data with a third party or obtain personal data from other entities that may help determine creditworthiness.
3. What kind of data may be collected by Covered Persons and are there limitations as to the purposes for collection and processing?
Yes, the Guidelines provide limits on the kind of personal data to be collected and the purposes for the processing of such information.
Under the Guidelines, Covered Persons are mandated to limit the collection of the borrowers’ data only to those which are adequate, relevant, suitable, necessary, and not excessive in relation to their know your customer (“KYC”) policies and those necessary to determine creditworthiness and prevent fraud.
The processing of information is limited to the primary purpose for its collection. Processing of information for compatible purposes may be allowed, provided there is a direct and objective link between the primary purpose and the other compatible purpose. The Guidelines enumerate examples of compatible purposes such as customer behavior analysis, system administration, service maintenance, and customer service or support. Compatible purposes, however, do not include marketing, cross-selling, or sharing of data with third parties for purposes of offering products and services not related to loans. For these purposes, Covered Persons must have a separate lawful criterion for such processing, in accordance with the DPA.
The Guidelines emphasize that the retention in perpetuity of personal data of those borrowers who were denied loan applications or those who have fully settled their loans is not allowed and violators will be subject to applicable penalties as provided under the DPA.
4. What are the specific regulations when online applications are used for loan processing activities?
Registration with the NPC
As part of their registration with the NPC, Covered Persons are required to submit a complete list of the names of all publicly available applications owned or operated by them.
With regard to PIPs or third-party service providers, the Guidelines also provide for certain requirements: (a) if operating in the Philippines, they shall be required to register with the NPC, and (b) if operating outside the Philippines, the Covered Persons hiring them shall ensure that proper technical and contractual controls are in place to ensure appropriate protection in the processing of personal data, in line with the provisions of the DPA and its IRR.
The registration of the Covered Persons and/or PIPs may be revoked upon determination by the NPC that they have violated the Guidelines and shall be subject to penalties and disciplinary measures as provided in the DPA, its IRR, and other NPC issuances.
Processing of Information
Under the Guidelines, Covered Persons are prohibited from conducting “unnecessary” processing. This includes requiring unnecessary permissions that involve personal and sensitive personal information. The Guidelines provide that mobile applications shall only require data subjects to provide access to personal data when suitable, necessary, and not excessive to legitimate purposes.
The processing of personal data obtained through application permissions, such as access to contact lists and cameras, should only commence when the information to be collected is necessary for legitimate purposes. Additionally, once the legitimate purposes have been achieved, the application must be able to prompt the data subject to turn off or disallow the permissions granted. This includes access given to the borrower’s phone camera or photo gallery for purposes of KYC. The processing of contact lists is allowed, provided that the processing is not unconstrained, excessive, or disproportionate to its purpose. When access to contact lists is given for purposes of contacting character references or guarantors, such access must be limited to the extent necessary to allow the borrowers to choose their character reference or guarantor from their phone contact list.
5. What is a character reference and what are the regulations with regard to the processing of information of character references?
A character reference is a person whose contact information is provided by the borrower for the verification of their identity and the information they have provided for the grant of a loan.
Covered Persons are required to adopt policies and procedures for handling the personal data of character references. Although it is primarily the responsibility of the borrower to inform their character reference of their inclusion as such, Covered Persons are also required to adequately inform the character reference of the identity of the loan applicant and how their contact details were obtained. In this connection, character references shall have the option of having their personal information removed as a character reference. The Guidelines make it clear that contacting character references for purposes other than the verification of the identity and information provided by the borrower shall be prohibited.
6. What is a guarantor and what are the regulations with regard to the processing of information of guarantors?
Guarantors are persons that have agreed with the creditor that they will fulfill the obligations of the individual borrower in case the latter fails to do so. In order to be considered a guarantor, the person should have given their consent in accordance with the provisions of the Civil Code.
Whenever a guarantor is involved in a loan transaction, Covered Persons are required to obtain their separate consent in accordance with the provisions of the DPA.
Additionally, Covered Persons may only contact the guarantor for the purposes of debt collection.
7. May Covered Persons outsource the processing of personal data?
Yes, Covered Persons are allowed to outsource any personal data processing activity. However, the details of the PIPs or third-party service providers should be made available to the borrowers. These arrangements shall also be governed by the DPA and its IRR, particularly the provisions on Outsourcing and Subcontracting Arrangements. It shall be the duty of Covered Persons to ensure that PIPs and third-party service providers are aware of their obligations under the DPA, its IRR, and other NPC issuances.
8. What are the rights of the data subject?
The data subject is accorded the same rights as provided for under the DPA. To this end, Covered Persons are mandated to adopt policies and procedures which enable borrowers to exercise their rights under the DPA.