Regulating Fintech in the EU: the Case for a Guided Sandbox

New financial technology holds the promise of innovation and competition, challenging established products and services and frequently improving market processes. However, regulation of these new services faces a double challenge: to keep pace with innovation and facilitate new market entries while at the same time understanding and managing the regulatory risks that are involved. At this stage, the existing EU regulatory framework is of little help: the bulk of the present body of financial regulation stems from a different time, with different regulatory problems in mind. EU regulation is also very slow to change and to adapt. Therefore, this paper proposes a regulatory “sandbox” – an experimentation space – as a step towards a regulatory environment where such new business models can thrive. A sandbox would allow market participants to test fintech services in the real market, with real consumers, but under the close scrutiny of the supervisor. The benefit of such an approach is that it fuels the development of new business practices and reduces the “time to market” cycle of financial innovation, while simultaneously safeguarding consumer protection. At the same time, a sandbox allows for mutual learning in a technical field which is sometimes poorly understood, both for firms and for the regulator. This would help to reduce the prevalent regulatory uncertainty for all market participants. In the particular EU legal framework with various layers of legal instruments, the implementation of such a sandbox is not straightforward. In this paper, we propose a “guided sandbox”, operated by the EU Member States, but with endorsement, support, and monitoring by EU institutions. This innovative approach would be somewhat uncharted territory for the EU, and thereby also contribute to the future development of EU financial market governance as a whole.


I. INTRODUCTION
Regulating new technology is never an easy task. On the one hand, governments frequently want to encourage innovation and new ideas to secure the benefits of new business trends. On the other, new technology may involve a number of risks that are not fully understood by either regulators or consumers.
Nowhere is this more accurate than in the financial sector. The past several years have seen an unprecedented rise of a new breed of financial intermediaries and service providers, usually referred to as "financial technology" or "fintech". Offering innovative services to consumers, they are a welcome addition to the financial market. However, at the same time they bring new challenges for the current regulatory framework, in particular in the slow-moving EU. Written before the emergence of fintech, the financial rulebook appears to be both over-and underinclusive, as many categories used by it are difficult to match to the activities of this new type of financial player. In addition, rules are often applied differently among EU Member States. The result is a patchwork of different rules and requirements that apply to fintechs, depending on which EU Member State they are operating in, creating great uncertainty not only among market players, but also for the regulators. Apart from idiosyncratic regulatory issues of certain fintech applications, structural changes can be observed. Namely, different from previous occasions, innovation nowadays primarily comes from a magnitude of small players, and not (only) from the incumbent finance giants. Further, innovation now tends to happen in an all-digital setting, causing major problems for the incumbent infrastructure and existing regulatory processes. The increasing use of artificial intelligence (AI) and machine learning is further complicating their task. All of this, taking place in accelerating innovation cycles, elevates the complexity of the financial system to a new level. In this paper, we argue that regulators must react to these changes, as the current legal framework is virtually unable to address these issues adequately.
The challenge is thus to design a regulatory environment that is flexible enough to accommodate new fundamental changes to markets and, at the same time, is able to create regulatory certainty for all market participants. This paper proposes a regulatory "sandbox" as a first step to facilitate this. A regulatory sandbox would allow market participants to test fintech services in the real market, with real consumers, but under the close supervision of the regulator. Most importantly, the sandbox allows for mutual learning concerning new business models, both for firms and for the regulator. This would help reduce the prevalent regulatory uncertainty for all market participants. At the same time, it supposedly provides the required flexibility to react appropriately to unknown business models and risk profiles.
In the EU legal framework, with various layers of legal instruments, installing a sandbox is not straightforward. In this paper, we propose a "guided sandbox", which should be guided by an interplay between the federal (EU) and national levels. More specifically, it would be the Member States who operate the sandbox, but with endorsement, support, and monitoring by EU institutions. This innovative approach would be somewhat uncharted territory for the EU, and would therefore also contribute to the future development of EU financial market governance.
The article is organised as follows. Section II comprehensively explores the phenomenon of regulatory sandboxing. We first describe the general concept and the promises that are connected with this regulatory tool, and subsequently apply it to the regulatory situation of fintechs. Subsequently, Section III develops these considerations into a concrete proposal for implementation in the EU context. In particular, this includes a difficult navigation through the multi-layer EU framework, resulting in our pragmatic "guided sandbox" proposal. Section IV concludes.

II. THE CASE FOR A REGULATORY SANDBOX
Our main aim is to make the case for a "regulatory sandbox" to cope with new challenges in the financial sector. We argue that a sandbox is, at this stage, the optimal solution, since it fuels the development of innovative services, addresses the majority of shortcomings of the current regulatory framework, and simultaneously ensures consumer protection. No less importantly, it facilitates a mutual "learning process" that on the one hand allows regulators to better assess the risks that are connected with respective fintech firms, and on the other enables fintechs to benefit from the regulator's expertise in applying the legal framework.
This section is structured as follows: first, we explain what a "regulatory sandbox" is and describe its underlying principles. Subsequently we give a brief overview of existing implementations of regulatory sandboxes. Then, after showing the general benefits of the principle, we illustrate how a sandbox would be a great improvement for the current regulatory situation of financial technology firms and the challenges of the financial sector that are yet to come. Ultimately, we will address the disadvantages of regulatory sandboxing and conclude that we consider it not the ultimate objective, but rather a good and necessary first step towards an improved future regulatory framework.

Description and general principle
A good starting point of what the principle of a sandbox is can be derived from its name: a safe playground in which to experiment, collect experiences and play without having to face the strict rules of the "real world". Whereas the sand of an actual sandbox protects against harm while playing, certain consumer safeguards are established to fulfil that task in its regulatory counterpart. Meanwhile clear entry and exit requirements, as well as a pre-defined scope, display the borders of the box.
Recently this concept has been applied in several (non-financial) areas. A "sandbox" for programmers was established, where potentially unsafe codes could be run and studied, without the risk of infecting the entire system. 1 Recently, the Singaporean Energy Market Authority (EMA) set up a regulatory sandbox to support energy innovations. 2 The term "sandbox" is also used in medicine, where it refers to clinical trials for new methods of treatment. 3 Each of thoseand other "sandbox" analogieshave in common that before an (innovative) product is being put on the market, it is tested in a safe environment, where the potential harm is strongly limited and cannot break out of the box to cause widespread damage.
The sandbox, as used in this paper, is a regulatory tool that has recently been explored and tested by various jurisdictions. In the financial sector itirrespective of its specific implementationrefers to a controlled space in which businesses can test and validate innovative products, services and business models, and delivery mechanisms with the support of an authority for a limited period of time. 4 The risk of harm for consumers is limited through special safeguards, and regulations which normally apply when conducting the respective service are significantly reduced.

Concept of a regulatory sandbox
The idea of a regulatory sandbox for financial services was pioneered by the British Financial Conduct Authority (FCA) in 2016. 5 Since then, the idea has seen an unmatched support in all parts of the world. In November 2019 there were more than 24 sandboxes in operation worldwide. 6 While there is clear heterogeneity across jurisdictions, as well as in the specifics of implementation, all versions share common policy objectivesparticularly consumer and investor protection, market integrity, financial inclusion and promoting innovation and competition. 7 In the following, we describe parameters common to these sandboxesalthough they differ in their implementation. 8 a. Entry conditions Each regulator defines certain requirements to determine which firm should be granted access to the sandbox. Aspects of importance usually include: an innovation test, its effect on market stability, individual need for participation (ie regulatory burden on the regular market) and some specific safety requirements that need to be met by the potential participant. 9 The FCA, for instance, publishes a list of eligibility criteria for the upcoming cohort. 10 Interested firms have to explain how they meet those criteria in a form provided by the FCA and apply for testing during a designated time-frame. Other jurisdictions (for example the Netherlands or Poland) do not operate in cohorts, so that firms may submit an application at any time. 11 Also the scope of firms that sandboxes potentially cover varies greatly. There are sectoral restrictions, for instance, based on the scope of the respective regulation authority. For example, Hong Kong's sandbox, which was established by the Hong Kong Monetary Authority (HKMA), is limited to the scope of the HKMA's regulatory authority, ie banks and banking activities. The Dutch as well as the UK sandboxes, on the other hand, have no sectoral restrictions. In case of the Dutch sandbox, this is achieved by a cooperation between the Dutch National Bank (DNB) and the Dutch Financial Market Authority AFM (together supervising all financial institutions under the so called "Twin Peaks" model). Differences in scope of the sandboxes can further be observed regarding the treatment of existing regulated entities. While most sandboxes are open to regulated as well as unregulated entities, some regulators refuse entry to regulated entities, therefore solely supporting unlicensed firms, which are mostly start-ups. 12 Furthermore, the sandbox is usually limited to a certain number of participants. 13 b. Consumer protection/safeguards Numerous approaches are taken to protect customers who participate in the sandbox testing. The FCA, for example, ensures customer protection on a case-by-case basis with the following standards: 14 • "retail customersthis type of customer should not bear the risks of sandbox testing, thus, they should always have the right to complain to the firm, then to Financial Ombudsman Service and have access to the Financial Services Compensation Scheme (FSCS), if a firm fails"; • "sophisticated customersdepending on the specifics of the trial, and if legally possible, we could consider tests that only engage with sophisticated customers who have consented to limiting their claim for compensation"; • "Additional safeguardsdepending on the size, scale and risks from the trial, additional safeguards may be necessary, eg disclosure about being involved in a sandbox test to retail customers".
In the case of "robo advice" (automated investment advice) for example, an "additional safeguard" was established, which in most cases requires the firm to include qualified financial advisers checking the automated advice outputs generated by the underlying algorithms in order to avoid unsuitable advice. 15 11 European Supervisory Authorities (ESAs), "Joint Report on FinTech: Regulatory sandboxes and innovation hubs" (JC 2018/74, 7 December 2018) 22 <eba.europa.eu/-/esas-publish-joint-report-on-regulatory-sandboxes-and-innovation-hubs>. 12 For a brief overview, see Zetzsche et al, supra, note 8, at p 73. 13 For example, cohort 2 of the FCA's sandbox consisted of 24 participants, while the current fourth cohort consists of 29 firms. The Australian sandbox, however, has no limitation on participants. 14 FCA, "Default standards", supra, note 9. 15 FCA, Regulatory Sandbox: Lessons Learned Report (October 2017) <www.fca.org.uk/publication/research-anddata/regulatory-sandbox-lessons-learned-report.pdf> accessed 24 January 2020.
The Australian Securities and Investments Commission (ASIC) on the other handapart from compensation arrangements and disclosure obligationsadditionally set up a number of limitations for eligible participants, such as: 16 • the company provides services to no more than 100 retail clients; • the maximum exposure limit for each client is 10,000 AUD; and • the total exposure of all clients is less than 5 million AUD.
There are numerous other restrictions that regulators are able to impose for security reasons. The application of those measures is often at the discretion of the authority. Usually the number or intensity of restriction increases with number of retail clients or the focus of the firm. 17 c. Timeframe of sandboxing The testing period for participating firms is in most cases limited to either a standard duration (typically 6 to 12 months) or an individual duration, set on a case-by-case basis. 18 Some sandboxes though are more dynamic and not strictly limited to a specific period. 19 Naturally, the duration is less strictly limited in sandboxes that already have a strict functional limitation (such as limits on the number of customers or a transaction threshold).

d. Relaxation of regulatory burden
When looking at the core competence of the sandbox, namely the relief of regulatory requirements that normally need to be met, a variety of different approaches can be observed. Most authorities do not specify what exact requirements may be waived and which may not. Albeit varying in detail, almost all have in common that they aim at reducing unnecessary and inappropriate regulatory burdens, with a special emphasis on unnecessary. 20 It is true that certain rules can be deemed unnecessary where a specific (formal) requirement is not met by the firm, but its underlying purpose is, or where a risk to be addressed by a rule does not exist with the firm. Some even go one step further and determine on a case-by-case basis the most 16 See eg ASIC, "Testing fintech products and services without holding an AFS or credit licence", Regulatory Guide 257 (August 2017) p 22 ff, <download.asic.gov.au/media/4420907/rg257-published-23august-2017.pdf> accessed 24 December 2020; for further differences between the FCA and the ASIC sandbox, see eg Banking Stakeholder Group, "Regulatory Sandboxes: Proposal to the EBA" (20 July 2017) <www.eba.  appropriate and effective form of regulation given the specific risk of the entity. 21 Instruments for achieving that purpose are for instance "No enforcement action letters", waivers or modifications, alternative interpretation of rules andno less importantindividual guidance. Also some sandboxes, including the Dutch and the UK versions, offer restricted licences for unregulated firms. Particular considerations apply in the EU context. As opposed to fully sovereign jurisdictions, 22 EU Member States are limited in their ability to waive regulatory requirements, since many elements of the legal framework stem from the EU level and may not be changed at Member State level. 23 Put differently, EU legislation restricts the flexibility of national supervisors and sandboxes in that the national level is not allowed to waive rules stemming from EU legislation.
In that regard, the Dutch AFM and DNB outline a hierarchy for the possible scope of a sandbox. 24 They state that supervisors have most room for sandboxing in terms of their own policies, followed by policies set by the European Supervisory Authorities (ESAs) and national legislation. In terms of EU law, the supervisors' possibilities are most restricted, only being able to offer tailored options where EU legislation explicitly provides scope to do so. 25 These limitations may explain why certain sandboxes in the EU, such as the Danish one, seem to focus on the clarification of rules and licencing requirements. 26 Other national regulators (not operating sandboxes) even claim to not be authorised to promote individual treatment at all. 27 In those cases, preceding actions by the legislature would be necessary to pave the way for a regulatory sandbox.

e. Exit
In most sandboxes, participants must provide an "exit strategy" as part of their application. The purpose of this requirement is to minimise the potential detriment to participating consumers, and it can therefore be partly understood as an investor protection device. Another aspect regarding the exit from the sandbox is that there are typically specific grounds on which the regulator may remove the privilege, and hence withdraw a firm from the sandbox. 28 Reasons for such an exit may be 21 So conducted for example by the MAS in Singapore. See MAS, "Frequently Asked Questions on Fintech Regulatory Sandbox" (16 November 2018) <www.mas.gov.sg/-/media/MAS/Smart-Financial-Centre/Sandbox/ FAQs.pdf?la=en&hash=1ED7B8848A3443FB1DE810EFB28211489 DA08409> accessed 24 January 2020. 22 For example, the Australian ASIC has the power to (fully) exempt firms from a predefined set of regulations and also has the discretion to grant relief from compliance with a rule when its applicability to the fintech industry is unclear. 23 See eg the apparent constraints of the Dutch authorities: AFM and DNB, "More Room for innovation in the financial sector" (December 2016) <www.dnb.nl/en/binaries/More%20room%20for%20innovation%20in%20the% 20financial%20sector_tcm47-350715.pdf> or those of the FCA, "Regulatory Sandbox" (November 2015) <www. fca.org.uk/publication/research/regulatory-sandbox.pdf> both accessed 24 January 2020. 24  non-compliance with rules and misconduct or simply the non-achievement of the sandbox's purpose. What we can observe from the discussion above is that there is a common ground with regard to the underlying principles of sandboxes across all jurisdictions, while the specific implementation varies. Since the sandboxing phenomenon is still in its infancy, there is not yet much data on the efficacy of the different varying approaches. Therefore, to date, it is not feasible to properly evaluate the effects of each respective design andon that groundprefer one approach over another. Against this backdrop, a diversity of approaches should be highly appreciated, as the best way to find the most appropriate approach is still through experimentation.

General benefits of a regulatory sandbox
The first and probably most apparent benefit of a sandbox is the reduced time-to-marketcycle, lowering the corresponding market barrier: in tightly regulated areas like the financial sector, firms must meet a list of propositions to conduct their business. This prolongs the development phase, while conversely delaying the start of the business, from which point investments that were undertaken during the development phase can be amortised. Besides, high regulatory market barriers are a common incentive for arbitrage activities in order to circumvent the overwhelming requirements. Discovering and sanctioning those activities is laborious and resource-intensive.
A regulatory sandbox can address these problems: it reduces the time-to-market-cycle by reducing the regulatory burden and uncertainty within a safe space for innovation. Firms can, therefore, usually determine whether their new product is worth being put on the regular market, or not. Also, reducing the time-to-market-cycle mitigates the risk for firms that their (innovative) business model might be copied by a competitor with deeper pockets during a long authorisation process.
The second and maybe even more important benefit of a regulatory sandbox is the implementation of an "institutionalised" dialogue between the regulator and firms. This dialogue enhances a mutual learning process that strongly benefits both regulators and regulated firms. 29 The sandbox provides a platform, on which regulators and innovators naturally engage with each other. Whenever new, potentially disruptive, technologies emerge on the market, the authorities need to assess the risks as soon as possible and decide whether the incumbent rules are suited to those risks or may rather be an unnecessary burden. In order to fulfil that task properly, collecting reliable data is of crucial importance. 30 In this regard, digitalisation has huge potential, as almost every part of the respective process is automatically being saved in the provider's system. This, in connection with advancements in technology and computing power, even renders "real-time" 29 As explicitly outlined, for example, by the DFSA with regard to its sandbox: see DFSA, supra, note 26. This particular benefit of a regulatory sandbox is also acknowledged by BIS, "Sound Practices, Implications of fintech developments for banks and bank Supervisors" (2018) Basel Committee on Banking Supervision, available at <www.bis.org/bcbs/publ/d431.pdf> accessed 18 December 2019, p 39 and the FSB, supra, note 7, p 3. 30 On the importance of collecting data in the regulatory process, see eg M Fenwick et al, "Regulation Tomorrow What Happens When Technology is Faster than the Law" (2017) 6 American University Business Law Review 561. supervision possible. A regulatory sandbox would be a good platform on which to test and establish such systems. Ideally, in this way risks could be identified and addressed at a very early stage, as opposed to making hasty decisions after a risk materialised. 31 New firms, on the other hand, benefit from the dialogue by receiving support from regulators in complying with the rules, and potentially more proportional and tailored rule-interpretation.
Adding the instruments of the sandbox to that dialogue, the sandbox is able to reduce a large portion of regulatory uncertainty that is often prevalent among providers of new technology. More than that, within the sandbox, the regulator provides clear, suitable and appropriate (and eased) regulatory requirements for the firms, which might not only eliminate constraints for firms, but even encourage them to experiment within that (normally) legally uncertain "grey zone".
Reducing the above-mentioned market barriers therefore holds the promise of fuelling innovation by incentivising experimentation with new technologies. This incentive becomes even stronger when one considers the positive signalling effect a sandbox creates through communicating regulatory flexibility and open-mindedness towards new technologies and innovative firms. This effect can already be observed in the UK: the FCA sandbox has been credited with contributing to London becoming the foremost fintech hub in the world. 32 Strengthening innovative forces can ultimately lead to more competition and put pressure on incumbents, which may be especially desirable in highly-concentrated industries.
Zetzsche and others furthermore point out the positive external effects that regulatory sandboxes could entail. 33 First, they could incentivise incumbent firms to accelerate their digitalisation process. Secondly, they may even boost regulatory competition among jurisdictions as to which one is to become the pre-eminent fintech hub. 34

A sandbox for financial technology
Having explored the benefits of a regulatory sandbox in general, we now proceed to explore why such a tool would provide a good complement to EU financial regulation, more specifically to the regulation of financial technology. A regulatory sandbox would help both regulators and innovators and would thus ultimately be an important step towards a more flexible and sound regulatory ecosystem.
As shown by numerous contributions from academia, as well as public authorities, one major issue in the context of the regulation of fintech is regulatory uncertainty.  This relates to both the sheer magnitude of regulations that new start-ups in the financial sector have to navigate in order to be licensed, and also to many ambiguous categorisations in the law that make it extremely difficult and costly to successfully complete the regulatory journey. 36 One obvious reason is that those laws were written at a time when most of the presently rising fintech applications did not exist. As a result, several innovative fintechs are hard to fit into those categories, or rules conflict with the digital setting of their services. Moreover, as opposed to previous innovations in finance, some fintechs have the potential to prompt structural changes in the financial landscape and, to a certain degree, this process has already begun. Consequently, regulators need to assess what kind of risks this involves and in a second stepwhether those risks can be properly handled by the existing framework. Until this process is completed, new fintech applications often find themselves in a regulatory "grey zone", marked by great uncertainty on both sides, that of regulators and of the respective fintech firm. From a regulatory perspective, this implies potential risks for consumers of a macroprudential nature. For fintechs and potential innovators, as well as investors, uncertainty constitutes a huge market barrier, ultimately preventing innovation from happening (in the EU). In the following we will show how a regulatory sandbox addresses the majority of those problems, while avoiding premature changes in "hard law" regulation. As we will see, many problems are directly addressed through the sandbox; for some, however, a ready solution is not immediately at hand. Nevertheless, they may be addressed in an indirect way, since the established dialogue and the corresponding learning-process build up the grounds for adequately addressing those problems in the future.

a. How a sandbox benefits fintechs
The most prevalent market barrier that has been identified by commentators and fintech firms themselves appears to be regulatory uncertainty. 37 This uncertainty is mainly a result of unfitting categories within the law, or rules that are not technology-neutral. In related work, we illustrate this uncertainty in the case of robo advisors applying MiFID obligations on investment advice to their automated service. 38 Given that small start-up firms typically lack sufficient regulatory expertise, this uncertainty turns into a major problem and constitutes a huge market barrier for fintechs and potential innovators. Reducing this uncertainty hence appears to be one of the regulatory sandbox's key attractions.
accessed 24 January 2020. An EBA Discussion Paper further shows that fintech services stay partly unregulated and that regulation strongly varies between Member States within the EU. See EBA Discussion Paper, supra, note 4. In another paper, we conduct an analysis of the regulatory situation of robo advisors in the EU, showing a prevailing regulatory uncertainty: see WG Ringe and C Ruof, "A Regulatory Sandbox for Robo Advice" (2018) EBI Working Paper no 26/2018, available at <ssrn.com/abstract=3188828>. 36 Insiders estimate that the total costs for operating a fintech until the receipt of a licence amounts to roughly €20 million. See P Gelis, "Why Fintech Banks Will Rule The World" in S Chishti and J Barberis (eds), Before beginning to test in the sandbox, each participant is provided with the exact rules of the game and precise instructions, leaving no room for uncertainty. Within the sandbox, regulators may help firms to navigate through the EU legislative framework which compensates for the participants' lack of expertise. The "Lessons Learned" Report, published by the FCA in October 2017, indicates that the British sandbox successfully met those objectivesbased on feedback from former sandbox participants as well as the fact that a vast majority of participants continued towards a wider market launch following the test phase. 39 Even after exiting the sandbox, the preserved dialogue and the presumably good relationship between regulator and regulatee make it straightforward for fintechs to seek clarification when encountering any problems with applying legal rules (such as KYC or AML requirements or issues with data protection and cybersecurity). Under the operation of a sandbox, both can identify rules that may be at odds with the specific service provided by the firm. Together, different approaches to those propositions can be tested with a view to identifying the most effective and also most cost-efficient way of complying.
Secondly, sandboxes would reduce the time-to-market cycle by smoothing the authorisation process. Under the current framework, most fintechs have to go through a heavily time-consuming and costly authorisation process. However, the barrier to become part of a sandbox is significantly lower. Firms are typically able to enter the sandbox with a restricted licence that is more suited to their particular service and consequently much easier to obtain. Additionally, the strong support by the competent authority makes identifying and complying with respective rules much faster and more cost-efficient. After successfully exiting the sandbox, firms should be able to benefit from the knowledge they gained from the dialogue with the authority, such that they are better equipped to face the (full) authorisation process. Effectively, the sandbox would significantly smooth the entrance for small firms to the financial market.
Thirdly, an early close supervision ensures safety for consumers. The sooner regulators engage with a certain innovation, the better they are able to identify and address risks for consumers and the system as a whole. Also, fintechs get the opportunity to adapt their service in accordance with the concerns of regulators at a stage where the costs of adaptation are still reasonable. Early on, sound supervision in combination with transparency and enhanced communication with all market participants are further able to create trust and mitigate scepticism towards some digital-based financial services. 40 This also makes technology firms potentially more attractive to investors, who canas a result of the sandboxalso more accurately assess the risk of their investment. 41 In sum, a sandbox could help consumers to better assess the quality and characteristics of a fintech application, while enabling investors to more efficiently allocate their investments. Done properly, this creates trust in the market and thereby contributes to the functioning of the system as a whole. In its "Lessons Learned" Report, the FCA states that testing in the sandbox has helped facilitate access to finance for participants. 42 b. How a sandbox helps regulators As numerous publications show, there areespecially macroprudentialrisks that accompany the emergence of financial technology. 43 Although most of them are not yet acute, when looking at the dissemination and growth of fintech, they have to be taken seriously. To date, the lack of (good) data makes it hard for regulators to properly assess those risks. 44 Simultaneously there is the unpredictable development of AI and machine learning. 45 In those regards, a regulatory sandbox entails great opportunities. Testing all different kinds of innovative fintech applications in a safe space makes it possible to collect a huge amount of data. Due to the all-digitalfunctioning of the participants, every action and every outcome can be preserved in the system of the regulator. Looking at the prevailing risks, data is and will even more be the most valuable and essential resource for regulators. They should, therefore, seize the opportunity and find ways to make use of the (potential) multitude of data as soon as possible, for instance with the help of Regulatory Technology ("RegTech") 46 or Supervisory Technology ("SupTech"). 47 The same technologies that are harnessed by fintech firms could also be used to improve supervisory efficiency. For example, DLT-based reporting systems could potentially allow supervisors to monitor actions of market participants in real-time. 48 The sandbox provides the perfect platform for collecting data in any kind of fashion. Survey and empirical research could, for example, be supplemented by interviews and consultations with employees of fintechs, not only with regard to compliance, but also to technical issues or the business model. Agencies could also take that opportunity to simulate different market scenarios within the sandbox and assess the reaction of algorithm-based fintechs. Here the predictability of all-digital, algorithmbased services (as opposed to individual human reactions) can be of great benefit. With regard to structural changes and future developments in the financial market, the sandbox's key characteristic is its flexibility and early-on engagement. This allows regulators to more quickly identify important trends and corresponding risks, and which the sandbox provides the necessary flexibility to react to.
However, it seems that regulators struggle not only with the assessment of (future) risks and corresponding questions of appropriate legal design, but also when applying the existing legal rules. 49 In this context, the enhanced knowledge about sandboxed technologies, facilitated by the institutionalised dialogue, should be able to establish some certainty in applying the current legal framework. In the end, removing uncertainty on the side of the regulator is a necessary first step for addressing regulatory uncertainty among sandboxed firms.
c. How sandboxes benefit consumers and contribute to their protection As the sandbox framework enables firms to manage regulatory risks during the testing stage, more innovative products can potentially be introduced to the market. Those products have, among other things, the potential to be cheaper, more efficient and more convenient for consumers. Obviously, an authority that is more experienced in risk assessment and better at addressing new risks (as described above) is also in the interest of investors. In the current situation, the regulatory framework can be under-inclusive, putting consumers at risk when using innovative (unchecked) services. 50 By providing tailored regulatory treatment, a regulatory sandbox could fill those gaps and give consumers the opportunity to make use of innovative new services, without the risks of detriment that could otherwise occur. Hence, the benefits that we identified for the regulator are likewise beneficial for consumers in the long run.
Conversely, this "consumer benefit" also displays an upside for fintechs: ensuring consumer protection by adequate, prudently developed regulation creates trust in new technologies, consequently stimulating demand for those products. Higher demand on the other hand fuels innovation, which is again in the consumer interest.
d. How a sandbox can support financial stability Financial markets are frequently highly concentrated and lack competitive pressure from new entrants. Apparently, high market barriers are one major reason for this. Recent years have seen regulators around the globe placing an increased focus on competition and innovation objectives. The emergence of regulatory sandboxes can partly be seen as a consequence of that development. By lowering barriers to entry, creating trust in new financial products and making new firms more attractive for potential investors, the sandbox fosters competition in the respective market.
Despite the issue of whether this will actually lead to more diversity in the sector, positive effects of competitive pressure from new entrants can in fact already be observed through incumbent financial institutions setting up innovation labs and putting resources into digitalisation in order to defend their share in the respective market.
Finally, a sandbox will help regulators to deal with rising threats for financial stability, such as side effects of AI and machine learning (see above). It is highly recommended to keep pace with those issues, starting at the very beginning of their development, otherwise it might be impossible to come back on track.
Having applied the benefits of a regulatory sandbox to the case of fintech, we can observe that many benefits and interests are often highly correlated. For example, the dialogue between firms and regulators will not only promote innovation on the side of firms (by making it easier for them to comply with applicable regulation), but will also improve regulators' understanding of new technologies, contributing to consumer protection and financial stability. Not less, it can strengthen the trust of the consumer towards those technologies. Also, fuelling innovation on the one hand benefits consumers by providing better or cheaper products, while on the other hand has the potential to facilitate competition, which may positively contribute to financial stability. 51

Advantages over a change of the regulatory framework
The advantages of implementing a regulatory sandbox compared to directly adjusting the regulatory framework to a specific emerging fintech application are numerous. In regular circumstances, the regulator or legislature needs to assess risks on the market. Without a learning platform like the sandbox, this process usually takes a significant amount of time. By the time the findings of this process reach the legislative stage, the stakes are usually high, or risks are already on the verge of materialising. Subsequently, under pressure a proper and (hard) law-worthy solution has to be found. In the past, this frequently resulted in overly hasty adjustments of the legal regime that were inappropriate and poorly designed. Also, in particular in the EU the traditional lawmaking process is immensely time consuming since most new EU instruments have to be transposed into domestic law 52 or supported by delegated (secondary) EU acts. Given the urgency of regulatory action that is typically prevailing at this stage, this procedure seems largely inefficient.
To follow a precautionary approach 53 is not recommended either. Regulating or even prohibiting certain types of fintech, before having gathered reliable data on it, is likely to heavily impede innovation in the financial sector, lose creative entrepreneurs to other jurisdictions and ultimately slow down economic growth. 54 Also, a new phenomenon may be volatile, which cannot be judged at the time of its appearance. That could mean once the regulation has changed, the phenomenon has already disappeared. The development of a large share of fintech services, arguably of fintech as a whole, is still at an early stage, when it is too soon to decide whether legislative adjustments are necessary. The responses to the Commission's consultation underpin this view, as there are a broad variety of opinions on the necessity of legislative action. 55 Against this background, a regulatory sandbox is a reasonable compromise. It does not take any premature regulatory actions, while speeding up the process of assessing the risks of new technologies and creating necessary capacities for prospective actions. After some time of testing the new fintech inside the sandbox, the regulator would be in a better position to adjust respective regulations, if necessary.

Downsides and preliminary conclusion
Of course, a sandbox for fintechs is no panacea. Like every concept, it has its limits: it offers no solution to some of the threats fintech brings, for instance the problem of cyber risk. Also, for some of the prevailing problems and risks discussed above it may only offer an indirect cure (if a cure at all), as the real solution is expected to result from the knowledge that has been developed with the help of the sandbox. 56 Even more fundamental scepticism can be observed at some national authorities, above all the German Financial Supervisory Authority BaFin. 57 Arguments put forward are that a sandbox would not be covered by their mandate 58 as well as level-playing-field concerns. BaFin for instance keeps on putting a strong emphasis on the old principle "same business, same risks, same rules". 59 Apart from that, there are some obstacles that depend on implementation. Sandboxing may be resource-intensive, thus costly. For jurisdictions with no well-equipped and financially strong regulators, this poses a problem. In this regard some commentators assert that due to the lack of expertise, those regulators may either make promises of liberal treatment that they cannot live up to, or they may tend to allow unacceptable levels of risk. 60 Correspondingly, some sandboxes arenot least because of their own marketing effortssuspected of being deregulation through the backdoor. 61 Additionally, the capacity in regard of participants (and correspondingly its effect) is strongly dependent on the resources put into the sandbox project. Engaging with fintechs on a case-by-case basis, as it is the case in the FCA and many other sandboxes, imposes a natural limit on the sandboxes scalability, 62 as typically every participant is allocated to an individual agent within the authority. 63 Also, as mentioned before, one objective of regulatory sandboxes is enhancing innovation and competition. This objective may be thwarted if incumbent ("too-bigto-fail") institutions are the ones to benefit most from its implementation. Even when excluded from the sandbox, this scenario may occur if those institutions were to begin acquiring firms from the sandbox. 64 Indirectly, the firms that benefit from the sandbox (which is conducted at public expense) would then be the same ones whose costs of failure will be borne by the public. 65 With regard to the same objective, regulators should ensure that they actually provide sandbox firms with sufficient room for innovation. In its "Lessons Learned" Report, the FCA states that around one third of participants in the first sandbox cohort significantly pivoted their business model ahead of launch in the wider market. 66 This might be a hint that the FCA advised some more exotic concepts to adapt a more regulation friendly model. 67 As regulators develop preferences (within the sandbox) about specific product designs, oversight might lead to a model convergence 68 that potentially increases the herding risk. Another downside that has been raised by scholars 69 as well as (potential) sandbox participants 70 is the lack of transparency. Firms claim that it is not clear on which basis the regulator makes its assessment and determines who to allow to access the sandbox. In this context it may also be problematic that some criteria for entering the sandbox are in essence of a subjective nature. 71 This can intensify opaque practices and reduce legal certainty among (potential) participants. As a key element of regulatory sandboxing is the close relationship between the regulator and firms, regulators might be particularly prone to cognitive capture. 72 Staying in constant and close cooperation could lead to a rather "fintech-friendly" mind-set, only seeing the benefits, while losing sight of certain risks. Allen reasonably observes that this risk is heightened particularly by the FCA's sandbox version, as each firm will be allocated a dedicated case officer. 73 However, the sandbox phenomenon is still at a very early stage of development, and thus far from perfect. It is a positive aspect that sandbox criteria, instruments, and requirements are not set in stone and can therefore be easily adjusted by the authority. 74 Consequently, those aspects should not be seen as insurmountable disadvantages of the sandbox idea as a whole, but rather as issues that still need to be improved. In sum, we view a regulatory sandbox as definitely a step in the right direction, which has the potential to significantly improve the quality of the regulator's work.

III. SPECIFIC PROPOSAL
After demonstrating the benefits a regulatory sandbox would entail for the various sides, this paper now turns to the question of what kind of implementation could be adequate and feasible in an EU context. The multi-layer EU framework for financial services is a complicated mix of legal instruments, and we mentioned earlier that some countries struggle to adopt a meaningful sandbox within this relatively rigid system. 75 In this convoluted context, we see three basic options to set up a regulatory sandbox. The first option would be a genuine EU-level sandbox, designed and implemented at the EU level. In that scenario, the most adequate institution to design and oversee the sandbox would presumably be either the European Securities and Markets Authority (ESMA) or the European Commission. However, since the competence for enforcement of laws and supervision of financial markets largely rests with Member States and their national authorities, this would require a revision of the European Treaties. A second variant of an EU-based sandbox could be common EU rules that would harmonise Member States' regulatory sandbox approaches, whilst maintaining national authorities as the pivotal point for execution and day-to-day communication. And as a third option, sandboxes could also be realised at a Member State level, and include the EU in a coordinating role. This paper proposes an implementation of the final version, since it is more feasible and best-suited to the current situation.

An EU-wide regulatory sandbox
Following the ongoing discussions, an EU-wide approach on regulatory sandboxing seems to be the zeitgeist. 76 In September 2016 Olivier Guersent, Director-General for 73 Allen, supra, note 32, at p 636. Allen also presents a possible solution for that problem on p 637. 74 For instance the FCA and the ASIC are continuously making discreet, small adjustments to the contours of their regulatory sandboxes. See FCA, supra, note 23, stating that the sandbox can be revised in light of experiences made; regarding recent adjustment of the ASIC, see Clifford Chance, "Growing the Sandbox -Australia's enhanced Fintech Regulatory Sandbox" (7 November 2017) Clifford Chance Client Briefing <www.cliffordchance.com/content/dam/ cliffordchance/briefings/2017/11/growing-the-sandbox-australias-enhanced-fintech-regulatory-sandbox.pdf> accessed 24 January 2020. 75 See above section II.B. 76 See for example European Banking Federation, "Innovate. Collaborate.Deploy. The EBF vision for banking in the Digital Single Market" (14 November 2016) <www.ebf-fbe.eu/wp-content/uploads/2016/11/EBF-vision-for-bankingin-the-Digital-Single-Market-October-2016.pdf> accessed 24 January 2020; from a policy perspective, an EU regulatory sandbox is also proposed by A Andhov, "Will FinTech become the Enabler for the Capital Market Financial Stability, Financial Services and Capital Markets, fuelled rumours of an EUwide sandbox by saying "we think we should dedicate a bit of thought to how we can have a sound regulatory sandbox approach in Europe that allows markets to develop, that allows innovation to flourish, that allows those companies that innovate to go across borders in the single market while being consistent with our framework". 77 Further, in the European Commission's Consultation Document on fintech, respondents, particularly from the industry side but also national authorities, expressed the need for such a measure. 78 However, a closer look reveals that the perceptions of an "EU-wide sandbox" among its proponents are not always homogeneous. While most of them seem to have a harmonised approach in mind, 79 resting the execution on Member State level, some seem to advocate for a genuine EU sandbox, also executed at the EU level. 80 The strongest barrier to the concept of a genuine and centralised EU sandbox (as mentioned above) is that it appears largely unrealistic and legally difficult to implement. Such a step would require a delegation of regulatory powers from Member States to the EU, which has proven to be politically and legally challenging. For example, the Meroni doctrine sets limits to entrusting EU agencies with discretionary powers. 81 Even if feasible, the realisation of necessary amendments would be enormously time-consuming. Since fintech is a fast-developing and dynamic phenomenon, the prospect of a lengthy implementation on the EU level would not satisfy the need for a quick and flexible measure. An EU-based regulatory sandbox would represent a complex readjustment of the entire EU legal framework, which should only be attempted after the collection of sound analysis and data. Looking at the challenges of fintech, the focus should rather be on flexibility and collecting data and knowledge. Against this backdrop, any ultimate answer seems to be premature.
A less ambitious and more realistic approach has been proposed by, among others, the European Banking Federation (EBF) and the Banking Stakeholder Group (BSG). 82 Union?", available at <papers.ssrn.com/sol3/papers.cfm?abstract_id=3210202> accessed 24 January 2020. Within a report of the European Parliament, the Committee on the Internal Market and Consumer Protection encouraged a sandbox approach on a European level (see European Parliament, "Report These institutions recommend a harmonised framework for experimentation with harmonised tools that avoid national divergences in implementation and facilitate the establishment of a level playing field for all countries and participants, while letting the execution of this framework rest within the power of national authorities ("harmonised sandbox approach"). Comparable concepts are also favoured by a significant number of respondents to the Commission consultation. Arguments that are being put on the table most frequently are that this approach would avoid creating additional fragmentation in the single market, avoid distortion of competition between operators in the EU and prevent regulatory arbitrage and a corresponding "race to the bottom". 83 However, the possibility of implementing a variety of different sandbox approaches across Member States with a dose of regulatory competition also presents potential benefits. Responses in the Consultation Document further imply the reasonable claim that different approaches cause legal uncertainty among applicants. A vast majority of respondents underline a lack of clarity when it comes to definitions, terminology and transparency. 84 Although not as time-consuming as the first alternative of a genuine EU-based sandbox, the harmonised sandbox approach would still take a lot of time to be implemented. Again, the effects of different sandbox approaches have not yet been properly evaluated, which is why it is too soon to make a final decision at this stage. Just like the phenomenon of fintech, sandboxing itself is still in a phase of experimentation. And the similarities do not stop there: regulators neither possess much experience with sandboxing, nor have any robust data or certainty about its effects. Thereforein line with the arguments in favour of a regulatory sandbox for fintechsit seems to be more appropriate in the current situation to start a form of guided policy experimentation, 85 ie testing different approaches on regulatory sandboxes in order to develop the respective expertise. Also a "one-size-fits-all" model would fall short of taking into account legal as well as geopolitical differences among Member States. And, as we shall see, legal certainty and transparency can also be achieved without the harmonisation of sandbox requirements.

The case for a "guided sandbox" on the Member State level
The challenge is therefore to design an implementation concept that reaps the benefits of experimentation and regulatory competition, while simultaneously not losing the upsides of an EU-wide approach that primarily lie in legal certainty. For reasons that have already been described above (mainly flexibility and a speedy implementation process), we advocate for finding an option that fits within the current legal framework. To facilitate this, we propose the idea of a "guided sandbox" on the Member State level. This idea is essentially a sandbox version that is operated by the Member States, but in close interaction with the EU institutions as monitors and guardians. Those would also serve as a forum for the exchange of knowledge and experiences. 86 EBA has recently established a "Fintech Knowledge Hub" to provide an overarching forum that brings together competent authorities and stakeholders in a common setting to facilitate information-and experience-sharing. 87 Given the potential synergies, a forum for a "guided sandbox" could easily be established in a similar way and be connected to the Fintech Hub.
In its first function as a guardian, the EU could provide guidance to Member States with regard to regulatory sandboxing. Such guidance should be based on experience that national authorities have already collected, especially that of the FCA. Right now, there is little data to make use of, since there are only few European sandboxes established (some of them very recently). However, this datain addition to the data that is available from foreign authoritiescan build the ground for a preliminary sandbox body. Given the resources and expertise that are available at the EU level, various improvements can be tested. Technically, the guidance would be best executed by the ESAs within their given power, thus on the third level of EU lawmaking. 88 The ESAs could issue guidelines, high-level principles and recommendations that set out best practices on the implementation of a regulatory sandbox as well as basic principles that each sandbox should be built on. 89 These instruments could include specific recommendations about the key sandbox parameters that we discussed in Section II. In such a framework, the ESAs could propose different conceivable approaches on each parameter, for instance varying measures that may work as consumer safeguards. Consequently, national authorities could choose from such a menu, at their own discretion, which variant works best given their specific market conditions, geopolitical situation and their capabilities in terms of budget and human resources. Ideally, this should result in a toolkit that puts every domestic regulator in the position of being able to establish a sandbox that is well-tailored to their particular needs, as opposed to a one-size-fitsall version. To ensure a certain degree of transparency for potential participants, those recommendations should be made publicly available by the ESAs. This should be complemented by further informal Q&A, FAQs, reports and tailored advice to 86 In its Fintech Action Plan, the European Commission supports a comparable setup for innovation hubs, see European Commission, "FinTech Action plan: For a more competitive and innovative European financial sector" (8 March 2018, COM(2018) 109 final) 9. A speech by Sabine Lautenschläger, former Member of the Executive Board of the ECB, indicates that the ECB already has specific plans for such a measure (see S Lautenschläger, "Digital na(t)ive? Fintech and the future of banking" (Frankfurt 27 March 2017) available at <www.ecb.europa.eu/ press/key/date/2017/html/sp170327_1.en.html> accessed 24 January 2020). 87 See EBA, "Fintech Knowledge Hub" <eba.europa.eu/financial-innovation-and-fintech/fintech-knowledge-hub>; for further information, see EBA, The EBA's Fintech Roadmap (15 March 2018) <www.eba.europa.eu/documents/ 10180/1919160/EBAFinTechRoadmap.pdf> p 28 ff, both accessed 24 January 2020. 88 For further information on the Lamfallussy process see Moloney, supra, note 81, at p 854 ff. 89 A concept similar to this one was also suggested by some respondents (from the industry side) in European Commission, see supra, note 55, p 53. Following that, within their Fintech Action Plan, supra, note 86, the Commission decided to present a report with best practices or regulatory sandboxes for regulatory sandboxes by Q1 2019 (see on p 9). The EBA decided to affiliate with that plan, intending to conduct further analysis on regulatory sandboxes with a view to defining common features and best practices and assessing compatibility with EU law (see EBA, supra, note 87, p 21). It plans to issue a corresponding report by the end of 2020. Creating more certainty, this will presumably be an important first step in encouraging more Member States to adopt regulatory sandboxes.
regulators. For this purpose, the ESAs should establish a central contact point for domestic regulators that offers support with specific questions regarding the set up and implementation of the sandbox or other related regulatory issues. To ensure that regulators are not overstepping the boundaries of EU law, the ESAs should, on the basis of feedback and reports by domestic regulators, make regular assessments. The advantage of this method over a harmonised sandbox would be not only the speed of issuance, as those guidelines etc would avoid the lengthy process of regular EU legislation; they would also gain the corresponding flexibility in adjustment and therefore be more responsive to market innovation. Smaller, less well-equipped regulators would particularly benefit from the external research on sandboxing that is conducted by the ESAs and the certainty that comes with those recommendations. 90 This means that the process of designing a regulatory sandbox at the national level would be much less resource intensive. Consequently, those regulators would be able to concentrate their manpower in the mere implementation of any given recommendations. For more sophisticated authorities, on the other hand, this concept maintains the possibility of gaining a competitive advantage over other regulators by experimenting on other/better approaches and advertising their respective benefits. Within the close dialogue between national regulators and the ESAs, regulators would also have an opportunity to seek advice on their individual sandbox approach. If there were concerns about the consistency of a specific approach that deviated from the EU guidelines, the ESAs could provide some certainty.
Secondly, the EU would function as a coordinating forum for continuing exchange of experiences that have been made by national regulators with sandboxing, with the aim of establishing an effective feedback loop. While national regulators would report regularly to the ESAs, the ESAs would aggregate and analyse the data and in turn would be able to provide constructive feedback and recommendations for improvement. This should preferably run in an institutionalised set up with predefined and fast communication channels and a responsible department at the ESAs. As discussed above, the Fintech Hub already serves as a forum bringing together all relevant stakeholders. This hub could also operate as the pivotal point for exchanging experiences with the different variants of the sandbox. Apart from that, direct communication channels between Member State authorities and the ESAs should be established in order to ensure constant information flow and support in daily issues with regard to sandboxing. Given the flexibility of this concept, the iterative feedback between national regulators and the ESAs would facilitate continuing refinement and improvement of the EU guidance. The objective of this exchange would be to engage in a mutual learning process that allows the collection of more data and expertise on sandboxing in a decentralised way. As within the regulatory sandboxing itself, a cooperative relationship is one key element of this 90 For instance the Hungarian market supervisor has identified substantial demand for a regulatory sandbox and is currently evaluating options of an implementation. See Magyar Nemzeti Bank, Innovation and Stability -Overview of Fintech in Hungary (Consultation Document 2017), available at <www.mnb.hu/letoltes/consultationdocument.pdf> accessed 24 January 2020. At this stage, it would significantly benefit from EU guidance as proposed in this paper.
concept. Depending on the outcome of this process, the EU could subsequently engage in further steps which might be an EU-wide sandbox, an adjustment of the regulatory framework, or any other action.
In January 2019, the ESAs published a report 91 which makes similar proposals to those we set out here, and is therefore to be welcomed. Informed by a comparative analysis and by experiences of domestic (EU) regulators, the report sets out best practices for designing and operating regulatory sandboxes. Those best practices are intended to support Member States' authorities with both establishing and improving sandboxes. Not less important, the ESAs identified as possible areas for further development the creation of an EU joint-initiative on cooperation and coordination between the national regulators, as well as an EU network to "bridge" sandboxes established at a Member State level. This is certainly an important and welcome step, though there is much more work to be done. First, the report's best practices are far from being comprehensive. They rarely contain any practical advice, for instance on the resources and equipment needed to run a sandbox, which communication channels are appropriate and what systems have to be in place before initiating the project. Generally, the best practices cannot yet be considered as a toolkit that is able to put especially smaller regulators in a position to run a regulatory sandbox. At this stage, the guidance appears to be at best weak and the knowledge exchange system is not at all institutionalised, as it primarily takes place in the form of consultations and reports. Those, however, are ponderous and therefore not suited to the challenges that a rapidly changing environment entails. Rather, as described above, a robust system should be able to efficiently gather the decentralised knowledge of domestic regulators and accumulate it at a central point, where it is processed. A promising suggestion by the ESAs report in that regard is to complement the guidance with a platform for practitioners and experts to support participating authorities with firm-specific questions and the treatment of certain innovations. 92 Ultimately, the project takes a welcome direction, yet clearly lacks ambition and consistency.
A widespread concern that is being raised against an unharmonised approach towards regulatory sandboxes in the EU is regulatory arbitrage and a corresponding race to the bottom. 93 If executed properly, this concern should have very little bearing. The existing regulatory framework within the EU already entails a highly integrated regulatory standard. Likewise, the ESAs emphasise in their recent report that sandboxes are not an instrument for the disapplication of relevant EU law but only make full use of the discretion that is already provided by the legal framework. 94 Where appropriate regulation does not (yet) exist for a certain service, the sandbox provides a platform to address corresponding risks much faster and with a greater degree of flexibility 91 ESAs Report, supra, note 11. 92 ESAs Report, supra, note 11, at p 38. 93 See eg European Commission, supra, note 55, at p 50. Also, Zetzsche et al, supra, note 8, see the risk of a "race-tothe-bottom style competition", however stating that the more likely outcomes from sandboxes will be beneficial (at p 78 ff). Allen, supra, note 32, a raises a comparable concern regarding a sandbox in the US enforced by different state agencies. 94 ESAs Report, supra, note 11, at pp 5 and 18, 20. than in the regular process. This view seems to be corroborated by the experiences of national regulators who do not identify any additional risk resulting from regulatory sandboxes or other innovation facilitators in place. 95 Hence, the risk of a race to the bottom is more likely to decrease rather than to increase. Quite the opposite may be true: we could expect a quality-based competition between Member States in providing the best conditions and the most innovation-friendly environment. 96 That is, improvements in the quality of sandboxes may not only be nurtured by the above mentioned mutual learning process, but alsoand perhaps even to a higher degreethrough competition between Member States. A reason for this is the dynamic and fast nature of the market. National authorities may become aware very quickly if fintechs are particularly attracted by another authority's sandbox, and hence try to design a better version of it. Positive signals and creative input may also come from the market itself, expressing desires for certain sandbox features. Given the existing regulatory body with its rather rigid legislative standards, one might however raise the question of how a sandbox could work within such a setting. 97 Since Member States are not able to grant relief of rules that are based on European legislation, possible instruments and flexibility within the sandbox are admittedly more limited than they might be for completely "independent" jurisdictions. 98 The Australian sandbox for instance is able to grant full relief for firms without a case-by-case review. 99 Firms that meet the eligibility criteria are automatically freed from any licensing requirement. 100 The obvious benefits of this approach are the extremely low costs of operation, making the process less resource-intensive than, for example, the FCA sandbox. Also, there is no limited number of sandbox participants. On the other hand, the requirements for relief are quite narrow, which also narrows the room for innovation. Moreover, firms applying for relief are obliged to disclose whether or not they have a regulatory licence, while also being limited in numbers of customers and assets under management. Under these circumstances, the relief granted by this limited sandbox appears to lose much of its attractiveness: firms are limited in innovation, while also not being able to operate under real market conditions. This is impressively demonstrated by the fact that in 2017-2018 only six firms have taken advantage of the Australian sandbox licensing exemption. 101 Furthermore, the lack of communication and individual engagement with innovation from the regulator's side 95 ibid, at p 34. 96 A competition of that kind requires a framework that would allow firms to "shop" for the sandbox that fits them the best, for which the EU Single Market provides a tested level playing field. 97 Certainly, some Member States might also experience problems under domestic law. Some authorities for example claim that establishing a regulatory sandbox would exceed their legal mandate (see ESAs Report, supra, note 11, at p 36). The discussion of such domestic legal issues is, however, not within the scope of this paper. 98 For example, regulators cannot allow firms that carry out a regulated financial service under EU law to start testing without a licence. See ESAs Report, supra, note 11, at pp 18, 21. 99 More specifically, the regulatory sandbox regime in Australia is comprised of both an individual licencing exemption and the (general) fintech licencing exemption (see ASIC Guide, supra, note 16). For more information on the Australian sandbox, also in comparison to the FCA sandbox, see Bromberg et al, supra, n 65, at p 320 ff. 100  cuts the sandbox concept short of one of its key justifications, which is the mutual learning process. Moreover, certain EU rules, as an expression of the proportionality or flexibility principle, offer a margin of discretion for the regulator. 102 The feasibility of regulatory sandboxing within the existing EU regulatory framework is not at least evidenced by the existing implementations (UK, Netherlands, Poland, Denmark and Lithuania). 103 Also, those versions are not simply copies of each otherfar from it. Compared with the British FCA, the Dutch authorities take a more "principles based" approach by attempting to use the scope offered within the legal framework. Put differently, they seek to provide a regulatory solution for firms only if the underlying purposes of the respective policies, rules, and regulations are satisfied. 104 The FCA, meanwhile, focuses more on individual guidance and coordination with sandbox participants and offersby way of its general power to grant licences subject to certain limitationsrestricted licences to participants. Those are typically connected to the respective testing parameters. 105 The Polish sandbox, in contrast, seems to have set its focus on assistance in obtaining all necessary authorisations to conduct the firm's services. To achieve this, the Polish Financial Supervision Authority (UKNF) provides comprehensive training and legal advice for the preparation of the respective licence. All of this ultimately indicates that there is somealbeit limitedscope for regulators. The limitations may be deplored but may also have positive side effects: Member States engage in a competition about best regulatory practices and the best quality advice, rather than attempting to attract firms with deregulation. Moreover, too much scope would allow for a much broader variety of regulation approaches, which could potentially cause an unhealthy level of fragmentation. While there is no data on the Dutch sandbox available yet, effects of the FCA sandbox can already be observed: a growing number of applications in each cohort, and the position of London as the world capital of fintech, 106 indicate a demand for the concept as well as some return on the investment.
As mentioned above, one goal of the proposed concept is to encourage especially smaller jurisdictions to engage in the process in order to lure innovative start-ups. Given the relatively large amount of resources that are needed for running a sandbox, the "credibility" of those sandboxes could become an issue. 107 It is obvious that small country regulators will not have resources and capacity comparable to the FCA. Nevertheless, smaller regulators also have the possibility to turn this perceived lack of resources into an advantage. As a first step of a "guided sandbox", both the structure and implementation of the sandbox would be determined by the EU. Those regulators may then focus on the enforcement of these guidelines and recommendations. To boost the quality of their sandbox, regulators in smaller Member States may consider not overloading themselves with a large number of participants, but rather start with accepting just a few, while making sure they provide a decent service. Also, they could avoid (direct) competition with stronger regulators by engaging in specialisation. Some sandbox features may be particularly suitable for a specific fintech application. Identifying, designing and emphasising those features could make them more appealing for the respective type of fintech compared to a more general sandbox. 108 Hence, the disadvantage in the total amount of resources could be compensated by pooling them. Ultimately, this concept provides potential to make ground on the US fintech market, as there is no such programme running to date. Even though the US Treasury, in a recent report, strongly endorsed the creation of a federal US sandbox, 109 the chances of its actual realisation are rather slim. Due to the fragmentation inherent in the US financial supervisory system and overlapping competences of authorities, implementing a regulatory sandbox on the federal level constitutes a profoundly complex endeavour. 110

Follow-up regulatory trajectory 111
We saw above that a regulatory sandbox constitutes only the basis of an adequate regulation of fintech. At the present time it is a sound regulatory instrument, whose primary benefit lies in facilitating knowledge exchange, collecting information and reducing uncertainty. However, it does not offer a sustainable cure for flaws that are incorporated in the EU legal framework. Also, the value of the learning process is limited, since some risks only emerge as the phenomenon matures and the respective service or product reaches a certain scale, that is, long after the respective advisor has exited the sandbox.
As previously mentioned, one of the regulatory sandbox's key objectives is to lower barriers to enter the market for small firms. However, that alone may not be enough. In the following, we will argue that, after having facilitated market entry, regulation should stick to this underlying idea. That is, it should continue to reconsider (unreasonable) barriers to scaling up that exist within the (regular) market. In this regard, it is important to note that this should not be understood as an unconditional support of fintechs or an intervention in the selection process of the market. Most certainly, plenty of barriers and regulatory obstacles have their justification, also with regard to small fintechs. Hence, only those barriers are to be addressed that constitute an inadequate obstacle. Moreover, common rules of competitive markets are preserved, while a sufficient level of consumer protection must be ensured at all times. For these reasons, the follow-up regulation after the sandbox phase should follow a regulatory "trajectory" that proceeds in line with the size and risk-level of the respective fintech. This trajectory should consist of the following elements: first, it should maintain the same close dialogue with the firms that has been established during the sandbox phase in order to collect more valuable information about the new service offered by the fintech. Secondly, it should mitigate unnecessary barriers that appear at each stage of its growth, while ensuring consumer protection and monitoring risks for financial stability at all times. Thirdly, we recommend enhanced cooperation of regulators around the globe, facilitating simplified access for fintechs to new markets. Ensuring those elements would once more boost the attractiveness of the EU market as a hub for fintech startups.

IV. CONCLUSION
This paper has explored the challenge of regulating financial technology against the double uncertainty of having to square the facilitation of innovation with securing against any risk, both for investors and market stability.
At this stage, the existing EU regulatory framework is of little help. It does not adequately address these concerns, and neither does it support the development of new financial technologies. Instead, this paper proposes a regulatory "sandbox"an experimentation spaceas a step towards a regulatory environment where such new business models can thrive. A sandbox would allow market participants to test automated services in the real market, with real consumers, but under the close scrutiny of the supervisor. The benefit of such an approach is that it fuels the development of new business practices and reduces the "time to market" cycle of financial innovation while simultaneously safeguarding consumer protection. At the same time, a sandbox allows for mutual learning in a technical field which is sometimes poorly understood, both for firms and for the market authority. This would help to reduce the prevalent regulatory uncertainty for all market participants.
In the particular EU legal framework, with various layers of legal instruments, the implementation of such a sandbox is not straightforward. In this paper, we propose a "guided sandbox", operated by the EU Member States, but with endorsement, support, and monitoring by EU institutions. This innovative approach would be somewhat uncharted territory for the EU, and would therefore also contribute to the future development of EU financial market governance as a whole.