On the 1^st of July, the Malta Digital Innovation
Authority (‘MDIA’) issued a consultation document inviting
stakeholders to give their feedback on a Technology-Driven
Innovative Technology Arrangement Sandbox (‘ITA Sandbox’),
complementing the MDIA’s innovative technology arrangement
(‘ITA’) full certification framework.

The MDIA intends to set-up an ITA Sandbox which will complement
Malta’s robust certification framework, which framework aims to
provide user and investor assurances that the ITA functions in a
correct manner and is dependable. The MDIA recognizes that Malta
operates a high-barrier entry consequent to the fact that
certification is awarded by a national authority which
certification aims to ensure investor protection. Through this ITA
Sandbox the MDIA seeks to make authority-recognised audits
accessible to small player, such as start-ups.

The ITA Sandbox will ensure that regulatory certainty can be
given to ITAs developed by small entities and that a balance is
reached between maintaining full certification and the adopted
high-barrier entry approach, whilst addressing financial and
technical barriers for smaller entities, such as: the cost of a
full-system auditing which acts a financial barrier and the issues
surrounding deployment and roll-out of technology before
certification, which acts a technical barrier.

The consultation document puts forward three
main questions:

1. Do you agree with the provision of a ITA Sandbox as a means of
   providing official recognition of technical audits based on the
   principle of proportionality? (‘Question 1’)




2. Do you agree with the underlying principles and non-negotiable
   aspects for acceptance within the ITA Sandbox? (‘Question
   2’)




3. Do you agree with the proposed processes for sandbox residency?
   (‘Question 3’)

With reference to Question 1, the MDIA
recognizes user and investor assurances, as a result of third-party
audits of recognised technologies, as a cornerstone of the ITA
Sandbox. Although the MDIA understands that a sandbox must be
flexible for its success, it believes that in following the ethos
of the ITA certification, the following core elements should be
present in the ITA Sandbox, these mainly being:

1. Independent third-party auditing of certain aspects of
the processes, technology and operations.

2. The design and setup of a Forensic Node to record all
relevant activity which is available to the Authority and for
future auditing.

3. Legal obligations arising from national legislation or
due to other national authorities.

On the other hand, the MDIA recognizes that certain requirements
may be imposed at different stages depending on the nature of the
ITA and when applicants consider certain requirements not to be
required for initial auditing and certification. Such requirements
include degree of readiness of technology and adaptive measures for
changing systems.

Question 2 addresses the practical elements of
the ITA Sandbox such as the capping of its participants, thus
ensuring that all participants are properly monitored.

ITA Sandbox Applicants should register their interest after
which they may apply for the ITA Sandbox following a call for
applications by the MDIA. Such call will be carried out either
through: regular calls with fixed dates or through an ad hoc call
when the MDIA’s participant capacity increases or through an
open call with fixed evaluation dates or through an open call with
immediate evaluation.

Following application and submission of necessary information
including, risk analysis and mitigation plans, forensic node setup,
sandbox residency period and exit strategy, the ITA will be
evaluated. The MDIA intends either for third parties to carry out
the evaluation or to appointment expert evaluators, the latter
being preferred seeing as the applicants may incur extra costs if
having to engage third-parties.

Throughout the ITA Sandbox period, regular reports must be
submitted and furthermore whenever there is an update to the ITA
blueprint, updates must be given.

The offboarding process from the ITA Sandbox can occur in three
ways: (i) when the ITA has advanced to full deployment and
operations, and goes for full MDIA certification; (ii) the ITA
provider chooses to withdraw from the sandbox; or (iii) the MDIA
decides to remove a participant in case of violation of
conditions.

Finally, with reference to Question 3, the MDIA
recognizes that other sandbox environments may exist and thus aims
to synchronise efforts to avoid extra cost.

The consultation period closes on the 31^st of July
2020 and any feedback is to be sent to the MDIA on info@mdia.gov.mt.
                                             
                                                                                                                  

Update written by Dr Bernice Saliba.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.