On the 1st of July, the Malta Digital Innovation Authority (‘MDIA’) issued a consultation document inviting stakeholders to give their feedback on a Technology-Driven Innovative Technology Arrangement Sandbox (‘ITA Sandbox’), complementing the MDIA’s innovative technology arrangement (‘ITA’) full certification framework.
The MDIA intends to set up an ITA Sandbox which will complement Malta’s robust certification framework, a framework that aims to provide user and investor assurances that the ITA functions in a correct manner and is dependable. The MDIA recognizes that Malta operates a high-barrier entry approach, since certification is awarded by a national authority and aims to ensure investor protection. Through this ITA Sandbox the MDIA seeks to make authority-recognised audits accessible to small players, such as start-ups.
The ITA Sandbox will ensure that regulatory certainty can be given to ITAs developed by small entities and that a balance is reached between maintaining full certification and the adopted high-barrier entry approach, whilst addressing financial and technical barriers for smaller entities, such as the cost of full-system auditing, which acts as a financial barrier, and the issues surrounding deployment and roll-out of technology before certification, which act as a technical barrier.
The consultation document puts forward three main questions:
- Do you agree with the provision of an ITA Sandbox as a means of providing official recognition of technical audits based on the principle of proportionality? (‘Question 1’)
- Do you agree with the underlying principles and non-negotiable aspects for acceptance within the ITA Sandbox? (‘Question 2’)
- Do you agree with the proposed processes for sandbox residency? (‘Question 3’)
With reference to Question 1, the MDIA recognizes user and investor assurances, as a result of third-party audits of recognised technologies, as a cornerstone of the ITA Sandbox. Although the MDIA understands that a sandbox must be flexible to succeed, it believes that, in following the ethos of the ITA certification, the following core elements should be present in the ITA Sandbox:
1. Independent third-party auditing of certain aspects of the processes, technology and operations.
2. The design and setup of a Forensic Node to record all relevant activity which is available to the Authority and for future auditing.
3. Legal obligations arising from national legislation or due to other national authorities.
On the other hand, the MDIA recognizes that certain requirements may be imposed at different stages depending on the nature of the ITA, and when applicants consider certain requirements not to be necessary for initial auditing and certification. Such requirements include the degree of readiness of technology and adaptive measures for changing systems.
Question 2 addresses the practical elements of the ITA Sandbox such as the capping of its participants, thus ensuring that all participants are properly monitored.
ITA Sandbox applicants should register their interest, after which they may apply for the ITA Sandbox following a call for applications by the MDIA. Such a call will be carried out in one of four ways: through regular calls with fixed dates, through an ad hoc call when the MDIA’s participant capacity increases, through an open call with fixed evaluation dates, or through an open call with immediate evaluation.
Following application and submission of the necessary information, including risk analysis and mitigation plans, forensic node setup, sandbox residency period and exit strategy, the ITA will be evaluated. The MDIA intends either for third parties to carry out the evaluation or to appoint expert evaluators, the latter being preferred seeing as the applicants may incur extra costs if they have to engage third parties.
Throughout the ITA Sandbox period, regular reports must be submitted; furthermore, updates must be given whenever there is an update to the ITA blueprint.
The offboarding process from the ITA Sandbox can occur in three ways: (i) when the ITA has advanced to full deployment and operations, and goes for full MDIA certification; (ii) the ITA provider chooses to withdraw from the sandbox; or (iii) the MDIA decides to remove a participant in case of violation of conditions.
Finally, with reference to Question 3, the MDIA recognizes that other sandbox environments may exist and thus aims to synchronise efforts to avoid extra cost.
The consultation period closes on the 31st of July 2020 and any feedback is to be sent to the MDIA on firstname.lastname@example.org.
Update written by Dr Bernice Saliba.
This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.