Spain passes a new law creating a fintech “Regulatory Sandbox”

Spain has passed a new law relating to digital transformation of its financial system (pending publication in the Official Gazette in the next few days). The law introduces the highly anticipated regulatory sandbox: a testing space that can be used to try out technological innovation in financial services under special flexible rules. The aim is to curb costs and regulatory complexity, while ensuring supervision by regulators and due protection for the market.


In July 2018, following the UK’s example, the Spanish government proposed a new law to boost technological innovation in the Spanish fintech sector. Following a public consultation and parliamentary debate, a draft bill on the “digital transformation of the financial system” has been approved by the Spanish Senate and passed into law (the DTFS Law) on 4 November 2020.

We summarise below the main aspects and features of this new law on the digital transformation of the financial system creating a regulatory sandbox.


The stated aim of the sandbox is:

  • to create a controlled testing ground that enables technological innovations in the financial system to be put into practice, fully in line with the legal and regulatory framework, respecting in any event the principle of no discrimination, and
  • to give the relevant authorities and sponsors of technology-based innovations, of application in the financial system and for financial services customers, the tools to help them understand the implications of digital transformation. This aims at increasing efficiency, the quality of services and, particularly, security and protection against new fintech risks.

The sandbox will enable technological innovation projects developed by any individual or firm, including technology firms, financial institutions, credit servicers, representative associations, public or private centres of research or any other interested party (Sponsors) that are granted entry to carry out tests in a special regulatory environment.

Sandbox projects will not be subject to the specific legislation usually applicable to financial services. However, firms will be required to act in accordance with the DTFS Law and a protocol established between the relevant authorities and the Sponsor.

The sandbox is conceived as a temporary arrangement under which ‘tests’ can be carried out before a solution is rolled out ‘in the real world’.

Entrance and applicable rules
  • Applications: Applications are to be made electronically through a standard form to be published by Spain’s Secretariat General for the Treasury and International Finance (Secretaría General del Tesoro y Financiación Internacional). The relevant regulatory authorities by area will conduct a preliminary assessment for allowing the test.

    Applications (which can be submitted in English) must be accompanied by a supporting statement explaining the project and detailing compliance with the requirements mentioned below and, if accepted, how Sponsors plan to provide the required safeguards and protection set out in the DTFS Law.

    For applications to be accepted, propositions must be innovative, ‘sufficiently advanced’ and able to provide added value. Regulators will also consider the relevant project’s possible impact on the Spanish financial system.
  • Testing: When a proposition receives positive pre-assessment, a testing protocol will be entered into between the Sponsor and the relevant authority or authorities. This sets out the details of how the proposition works and the specific conditions under which it will be tested.

    The testing phase will be supervised by the relevant authority in the area (the Bank of Spain, the securities and markets regulator (CNMV) or pensions and insurance regulator (DGSFP)). Where projects are a success, sponsors will be able to get the necessary approvals, if needed, to bring them to market.
  • Participants: The DTFS Law states that each participant to a sandbox project must state their written informed consent to involvement in that testing. Participants must first be informed of the test and its possible risks and the rules on their withdrawal. All participants will have the right to stop taking part in a test at any time, without any entitlement to compensation for Sponsors.
  • Sponsor liability: Sponsors will have sole liability for any possible participant losses as a result of their participation in tests, where these result from breaches of the protocol, from risks not duly reported, or from any form of negligence or technical or human errors.
  • Guarantees for losses: The Sponsor must have sufficient financial guarantees, and this will be stated in the relevant protocol, to cover any losses for which it has to compensate participants, proportionate to the actual risk.
  • Supervision: The relevant regulatory authority must appoint one or more monitors of the tests that form the pilot project. Authorities and Sponsors are expected to remain in constant contact throughout tests. The supervisor can issue instructions for compliance with the protocol or the DTFS Law and insist on changes to protocols for tests to be carried out successfully.
  • Confidentiality: Safeguards on confidentiality may be included in protocols to protect Sponsor’s industrial and intellectual property.
  • Non-compliance: Tests will be discontinued if the DTFS Law or relevant protocol are not complied with. Individuals and businesses, as well as their directors or officers, who as a result of that non-compliance violate rules and regulations will be liable for the penalties under those rules and regulations.
Exiting the sandbox

The DTFS Law states that at the end of or during pilot projects according to the protocols, Sponsors can apply for authorisation to start the relevant activity, if they are not already authorised, or to extend it.

The DTFS Law allows fast-track authorisation for regulated activities where these will be mainly conducted through the technology and business model tests in the sandbox. This is provided that the authorising regulators consider that the testing allows a simplified analysis of whether the requirements under applicable legislation are met. Authorisation application times will be shortened and a proportionality rule be used.

Protocols must set out in the manner in which, if tests are satisfactory, firms will make the transition from the sandbox to ordinary business. Where this cannot be determined when the protocol is entered into, plans may be annexed to it subsequently.

Other aspects covered by the DTFS Law
  • Proportionality: The DTFS Law contains a general mandate for the relevant authorities to make use of the principle of proportionality when considering requirements that are subject to weighting.
  • Communication channels: It also establishes certain channels of communication with the relevant regulatory authorities to deal with queries concerning new applications, processes, products, business models and other matters related with technological innovation applied to financial services, including a system for written enquiries.
  • Coordination between public authorities: Finally, measures are set out so that the lessons learned from the propositions tested in the sandbox are passed up to the Spanish government and parliament, and for coordination between public authorities, so that these can be used to adapt regulations to new technological requirements.

The sandbox is of interest to Fintech start-ups that want to launch new technology-based financial products and services in Spain, but also to well-established actors that want to use it as a step before bringing innovative projects to market. The application window for the first cohort of the regulatory sandbox is expected to open soon.