New Delhi (ABC Live): The International Financial Services Centres Authority (IFSCA) has introduced the IFSCA FinTech Sandbox Framework, 2026.

The framework allows eligible firms to test new financial products, services and tools in the International Financial Services Centre (IFSC). It took effect on March 16, 2026.

At the same time, the framework replaced the FinTech Entity Framework, 2022 and the Regulatory Sandbox Framework, 2020. However, actions already taken under those rules remain valid. Likewise, existing Limited Use Authorisations remain valid until they expire.

The new framework is broad. First, it covers live testing with real users. Second, it supports non-live testing. In addition, it allows joint testing by several regulators and cross-border referrals.

Therefore, the framework may become an important part of GIFT City’s financial growth.

However, good design alone will not ensure success. Instead, the real test will be whether small firms can enter, complete testing and move towards full approval.

Meanwhile, IFSCA must protect users, financial data, customer funds and the wider market.

Thus, the main question is simple: Will the IFSCA FinTech Sandbox Framework 2026 open the door to useful ideas, or will it mainly help firms that already have money, staff and strong compliance teams?

Summary

The IFSCA FinTech Sandbox Framework 2026 creates one main system for financial technology testing in GIFT IFSC.

First, it offers four sandbox routes. These routes cover live testing, non-live product testing, joint regulatory testing and overseas cooperation.

Second, the framework lays down rules for user consent, risk notice, cyber safety, monthly reports, final reports and exit plans.

These safeguards are useful because financial tests may affect customer money, private data and market systems.

However, several concerns remain.

First, the document checklist is very long. As a result, new start-ups, research groups and small firms may find it hard to apply.

Second, IFSCA has wide powers over approval, relief, extension, change, suspension and exit. These powers may be needed. Even so, the Authority should use them through clear rules and written reasons.

Third, a successful test does not lead to an automatic licence. Therefore, a firm may prove that its product works but still face a fresh approval process.

Fourth, the Frequently Asked Questions contain different fee dates, different fit-and-proper periods and some drafting errors. Consequently, applicants may face avoidable doubt while preparing formal declarations.

Accordingly, Dinesh Singh Law Associates (DSLA) views the framework as a welcome step. Nevertheless, it also calls for fair process, lower entry barriers, stronger user safeguards and a clear path from testing to full market approval.

Key Points

  • The framework took effect on March 16, 2026.
  • It replaces earlier IFSCA sandbox rules.
  • It offers four sandbox routes.
  • Both Indian and foreign applicants may apply.
  • Applicants must first file a preliminary application.
  • Thereafter, accepted applicants may file a final application.
  • The normal testing period may last up to 12 months.
  • In addition, IFSCA may extend testing by up to six months.
  • Applicants must ask for each legal relaxation they need.
  • Live users must receive clear risk information.
  • Moreover, firms must obtain written user consent.
  • Monthly and final reports are compulsory.
  • Records must remain available for seven years after exit.
  • However, a successful test does not guarantee a full licence.
  • Heavy paperwork may harm smaller applicants.
  • Therefore, DSLA calls for risk-based and fair rules.

Why ABC Live Is Publishing This Report Now

IFSCA has now issued detailed Frequently Asked Questions on the 2026 framework.

As a result, applicants can better understand who may apply, how testing works and what reports they must file.

However, the same document also reveals how much work an applicant may need to complete before testing begins.

Therefore, this is the right time to examine both the promise and the limits of the new system.

A sandbox can help a useful product reach the market. Yet it can also become a difficult entry gate when legal costs, audit costs and approval delays become too high.

Moreover, the framework forms part of IFSCA’s wider plan for GIFT IFSC.

ABC Live has already examined how Indian public companies can access foreign capital through GIFT City. That report explained how GIFT IFSC seeks to connect Indian firms with overseas investors through a regulated system.

Likewise, ABC Live’s critical analysis of IFSCA’s framework for ship leasing reviewed IFSCA’s effort to bring global ship finance and leasing business to India.

Therefore, the FinTech Sandbox Framework should not be read in isolation. Instead, it forms part of a wider plan to build GIFT IFSC as a global financial centre under Indian regulatory control.

What Is a FinTech Sandbox?

A FinTech sandbox is a controlled space for testing a new financial product or service.

In practice, IFSCA may limit the number and type of users. It may also limit transaction values, the number of transactions, the testing period and the area of use.

In addition, the Authority may control product features, customer-fund use, data use, testing partners and reporting duties.

Thus, the firm receives only limited approval.

By contrast, it does not receive a full right to operate across the wider market.

This legal difference matters.

According to DSLA, a Limited Use Authorisation is not a permanent licence. Instead, it permits only the approved test and only within stated limits.

Therefore, every applicant should separate four stages.

First, the applicant enters the sandbox. Second, it receives approval to begin testing. Third, it completes the test. Finally, it seeks approval to enter the wider market.

Although a successful test may help at the fourth stage, it does not guarantee final approval.

What Activities Does the Framework Cover?

The framework covers many areas of finance.

For example, it covers banking, capital markets, company finance, investment funds, green finance and market systems.

In addition, it covers insurance, reinsurance, pensions, aircraft leasing, ship leasing, payment services and financial support services.

Moreover, the framework covers several forms of technology.

These include artificial intelligence, machine learning, data analysis, cyber safety, cloud services and digital identity.

Likewise, it covers Know Your Customer systems, anti-money-laundering tools, fraud checks, blockchain, Distributed Ledger Technology and regulatory technology.

In addition, the list includes supervisory technology, quantum technology, Web 3.0 and space technology.

The full list appears in the official IFSCA FinTech Sandbox Framework 2026 FAQs.

Therefore, the framework is not limited to payment apps or digital loans. Instead, it seeks to support new tools across the wider financial system.

Ship leasing offers one useful example. ABC Live’s analysis of IFSCA’s ship-leasing framework found that rules alone cannot build a strong market.

A sector also needs capital, trained people, clear contracts, dispute resolution, data and business partners. Likewise, the FinTech sector needs more than a sandbox document.

The Four Sandbox Routes

IFSCA FinTech Regulatory Sandbox

The IFSCA FinTech Regulatory Sandbox (FRS) allows testing with a limited number of real users.

Since real users take part, this route carries stronger safeguards. For example, firms must provide risk notices, obtain consent and deal with complaints.

In addition, firms must address data safety, payment limits, loss terms and incident reports.

An applicant may also ask IFSCA to relax a certain rule.

However, the applicant must clearly name the rule and explain why relief is needed.

IFSCA may accept, reject or modify the request.

Therefore, sandbox approval does not remove every legal duty. Unless IFSCA clearly grants relief, the normal rule will continue to apply.

IFSCA FinTech Innovation Sandbox

The IFSCA FinTech Innovation Sandbox (FIS) allows testing outside the live market.

For example, a firm may use market data supplied by an IFSC financial body.

Moreover, the firm does not always need a physical office in GIFT IFSC.

Since live users are normally absent, some rules do not apply in the same way. For instance, live-user consent rules and some foreign-currency rules do not apply fully.

Therefore, this route may help new start-ups, research groups, colleges, software teams and artificial-intelligence firms.

However, the paperwork should also be lighter.

Otherwise, a low-risk test may face the same burden as a live financial product. Consequently, the Innovation Sandbox may fail to serve early-stage firms.

Inter-Operable Regulatory Sandbox

The Inter-Operable Regulatory Sandbox (IoRS) applies where more than one regulator is involved.

For example, one product may involve banking, insurance and investments.

In such a case, IFSCA may work with the Reserve Bank of India, the Securities and Exchange Board of India, the Insurance Regulatory and Development Authority of India and the Pension Fund Regulatory and Development Authority.

This joint system may reduce repeat work.

However, it will work only if regulators use one clear process.

The applicant should not have to send the same papers to several bodies without a lead regulator or fixed timeline.

Moreover, even a successful IoRS test does not allow an immediate market launch. Instead, the firm must still seek final approval from IFSCA and other regulators.

Thus, the IoRS may solve the testing issue. Nevertheless, it may not solve the full licensing issue.

Overseas Regulatory Referral Mechanism or FinTech Bridge

The fourth route allows IFSCA to work with overseas regulators.

As a result, an Indian or foreign firm may enter a sandbox through a cross-border referral.

This is useful because GIFT IFSC aims to serve global markets.

However, a referral does not make the laws of two countries identical.

For instance, a foreign firm may still face separate rules on data transfer, cloud use, tax, consumer rights, intellectual property and cyber safety.

In addition, it may face different rules on outsourcing, foreign exchange and licensing.

Therefore, IFSCA should issue a simple guide for every active FinTech Bridge.

Who Can Apply?

Both Indian and foreign applicants may apply.

Indian applicants may include companies, Limited Liability Partnerships, partnership firms and IFSC branches.

In addition, recognised start-ups, regulated financial firms, research bodies, academic groups, incubator teams and accelerator teams may apply.

Foreign applicants may also include overseas FinTech firms, legal bodies, research teams and academic groups.

However, a foreign applicant cannot come from a high-risk country listed by the Financial Action Task Force for urgent action.

This wide entry rule is a major strength.

Yet formal entry does not always mean real access.

For example, a college research team may be allowed to apply. However, it may not have three years of accounts, a bank partner or a full cyber audit.

Therefore, IFSCA should match the document list with the size, age and risk level of the applicant.

What Must the New Idea Show?

The proposed idea must use new technology or a new process in finance.

In addition, the applicant must show real innovation, a clear need for testing and direct benefit to users.

Moreover, it must provide useful test cases, clear goals and proper risk controls.

The applicant must also show safe data use, user protection, complaint handling and readiness to test.

Finally, it should explain how the product may enter the market after testing.

This test is sensible because the sandbox should not reward old products that merely use new labels.

For example, a firm should not qualify only because it uses the words “artificial intelligence.”

Instead, it should explain what the tool changes, why testing is needed and how users will benefit.

The Two-Stage Application Process

The framework uses a two-stage process.

Stage One: Preliminary Application

First, the applicant must file a Preliminary Application through the Single Window Information Technology System portal.

IFSCA will then decide whether the idea is suitable for sandbox testing.

The FAQs refer to a 30-day review period.

However, it is not fully clear whether this is a fixed legal limit or only a working target.

Therefore, IFSCA should explain whether the clock stops when it asks for more details.

Stage Two: Final Application

Only an applicant that passes Stage One may file a Final Application.

At this stage, the applicant must pay the required fee and provide more records.

IFSCA may then grant In-Principle Approval.

The FAQs refer to a 60-day period for this stage.

However, the firm may still need to meet more terms. For example, it may need at least one testing partner within 30 days.

DSLA View on Timelines

DSLA recommends that IFSCA clearly state when the review period begins and when it may pause.

In addition, the Authority should explain how extra questions affect the period.

Moreover, applicants should receive notice of delay.

IFSCA should also explain whether a late reply may close the case, whether errors can be fixed and whether a rejected firm may seek review.

Clear timelines would help firms plan money, staff and contracts. Therefore, this issue requires early clarification.

What Is the Effect of In-Principle Approval?

In-Principle Approval means that IFSCA is willing to consider the test, subject to stated terms.

However, it is not the final Limited Use Authorisation.

This difference matters because a firm may spend a large amount after receiving such approval.

For example, it may hire a cyber auditor, find a testing partner or hire legal staff.

In addition, it may change its product, open an IFSC office or speak with investors.

Therefore, DSLA recommends that every In-Principle Approval should state each condition and deadline.

Moreover, it should explain the right to seek more time, the result of delay and the grounds for withdrawal.

It should also state whether a hearing will be given, how partial compliance will be treated and when testing may begin.

Without such details, a firm may treat a conditional approval as a final promise.

Testing Period and Boundary Conditions

The normal Testing Stage may last up to 12 months.

In addition, IFSCA may extend it by up to six months.

However, the firm has no automatic right to an extension.

Each Limited Use Authorisation will also set boundary conditions.

These may include the number and type of users, value limits, time limits and area limits.

In addition, they may include safety controls, testing partners, data sources, loss terms, report dates and exit duties.

These limits help contain risk.

However, the test must still be large enough to produce useful results.

Therefore, the approved plan should allow the firm to test system performance, user value, business use, financial risk and legal compliance.

What Is a Material Change?

A firm must obtain prior approval before making a material change.

However, the framework does not fully explain this term.

According to DSLA, a material change may include a new business model, a new financial product or a higher user limit.

Likewise, it may include a higher payment limit, a change in control or a new key service provider.

In addition, a new method of holding customer money, a major algorithm change or a new foreign data transfer may be material.

A change in loss terms, a new user group or a major cyber-system change may also need prior approval.

By contrast, a small software fix or layout change should not always need prior approval.

Instead, the firm may report it in the next monthly update.

Thus, IFSCA should publish simple examples of major and minor changes.

User Protection Is a Major Strength

Before adding a live user, the firm must explain what is being tested and what risks may arise.

In addition, it must explain that the product is operating inside a sandbox.

Moreover, the firm must tell the user whether loss cover is available, what the cover includes and what limits apply.

The firm must then obtain written consent.

This is a strong part of the framework because a user should know that the product has not received full market approval.

However, consent should not remove every legal right.

DSLA View on User Consent

According to DSLA, user consent cannot become a complete waiver of liability.

A user may accept a known test risk. However, the firm should remain liable for fraud, serious carelessness or false statements.

Likewise, the firm should remain liable for hidden facts, unauthorised payments and misuse of data.

In addition, it should remain responsible for breaches of testing limits, weak cyber safety and violations of law.

Therefore, the consent form should clearly separate normal test risk from loss caused by wrongdoing.

Risk Notice Is Not the Same as Loss Cover

The framework requires the firm to tell users whether it will pay for possible losses.

This rule helps users make an informed choice.

However, notice alone may not protect them.

For example, a firm may simply state that it will pay nothing.

That outcome may be unfair where the test involves customer money, investments or payments.

Therefore, IFSCA should set minimum safeguards based on risk.

These safeguards may include professional insurance, cyber insurance, an escrow account or a loss reserve.

In addition, they may include refunds for unauthorised payments, system failures or other approved loss events.

Such steps would support trust without blocking innovation.

Complaints Must Continue After Exit

A user problem may appear after testing ends.

For example, a user may later discover a wrong payment, misuse of data or a delayed settlement.

Likewise, the user may later find wrong investment details, a cyber breach or an unpaid claim.

Therefore, complaint support should not end on the last testing day.

DSLA recommends that every exit plan should name the officer responsible for later complaints.

In addition, it should state the complaint period, treatment of open payments and refund process.

Moreover, it should identify the IFSCA contact route, record period, person in charge of data and deletion process.

Thus, user duties should continue until all open matters are settled.

Monthly and Final Reports

A FinTech Sandbox Entity must file a monthly report before the tenth day of the next month.

The report must cover key goals, progress against limits and project steps.

In addition, it must cover user complaints, fraud, service failures, cyber events and data leaks.

Moreover, the firm must explain what action it has taken.

The firm must also report any official order within 15 days.

After testing ends, it must file a final report within 30 days.

That report should explain what was tested and whether the limits were followed.

It should also cover system performance, service performance, complaints, cyber safety and data use.

In addition, it should explain income, costs, business value, legal lessons, user safeguards and the exit plan.

Moreover, the firm must keep testing records for seven years after exit.

These rules improve oversight.

However, a small non-live test may not need the same reporting burden as a live payment service.

Therefore, IFSCA should use lighter forms for low-risk tests.

Record Keeping and Data Limits

The seven-year rule can help with audits and later disputes.

However, the records may include payment data, emails, identity papers and complaints.

In addition, they may include system logs, consent forms and cyber alerts.

Therefore, DSLA recommends a clear record policy.

Firms should divide data into official records, financial records, legal claim records and system logs.

Moreover, they should separate personal data, anonymous research data and records that should be deleted.

Thus, the seven-year rule should not become an excuse to keep every item forever.

Foreign-Currency Rules

A firm in the live Regulatory Sandbox must generally use an approved foreign currency.

It may pay office costs in Indian rupees.

However, it must normally keep accounts in a freely convertible foreign currency other than the Indian rupee.

In addition, it must report financial data to IFSCA in United States dollars.

The Innovation Sandbox does not face all these rules in the same way.

These rules reflect GIFT IFSC’s global role.

ABC Live’s report on how Indian public companies can access foreign capital through GIFT City also explains this separate financial structure.

However, an IFSC base does not remove every Indian law.

For example, a firm may still need to follow rules on companies, foreign exchange and tax.

Likewise, rules on data, intellectual property, workers, cyber safety and anti-money laundering may continue to apply.

Moreover, Indian start-ups may still pay most costs in rupees.

Therefore, IFSCA should explain mixed-currency accounts, exchange rates and exchange gains or losses.

In addition, it should clarify shared Indian costs, parent-company costs and reporting by new IFSC units.

The Document Checklist

Annexure I contains a long list of records.

For example, it may require company records, founding documents, board approval, identity proof and address proof.

In addition, it may require ownership details, shareholding details, Know Your Customer records and final owner details.

Moreover, it may seek system design, software details, artificial-intelligence details, blockchain details and intellectual-property records.

The list may also include cyber reports, safety tests, quality certificates and product-readiness details.

In addition, applicants may need pitch decks, business plans, financial forecasts and three years of audited accounts.

Finally, the list may require bank agreements, regulatory approvals, earlier pilot details, test limits, legal declarations and fit-and-proper forms.

This list may be fair for a mature firm handling customer money.

However, it may be too heavy for a new start-up, college team or non-live test.

Critical Issue One: The Checklist Looks Like Full Licensing

The document list appears closer to a full licence process than an early test process.

For example, a new firm cannot provide three years of audited accounts.

Likewise, a prototype team may not yet have a bank partner, full cyber report or final business plan.

Although the document uses terms such as “where needed,” the rule is still not clear enough.

Therefore, applicants may not know what is compulsory.

DSLA Recommendation

IFSCA should divide the documents into four groups.

First, it should identify records required from every applicant.

Second, it should list records required only before live testing.

Third, it should identify records needed only for certain firms or tests.

Finally, it should list material that is helpful but optional.

This simple split would reduce confusion and improve access.

Critical Issue Two: Cyber Costs May Arise Too Early

The checklist seeks a cyber safety report and a Vulnerability Assessment and Penetration Testing report.

Such checks are important before a product handles customer funds or private data.

However, a full outside audit can be costly.

Therefore, it may be unfair to require the audit before the firm knows whether its test will receive approval.

DSLA Recommendation

IFSCA should use stages.

First, the firm should complete a basic self-check.

Second, IFSCA should review the system design.

Third, the Authority may grant conditional approval.

Thereafter, the firm should complete an outside audit before live use.

Finally, a fresh audit should follow a major system change.

This approach would protect users while lowering early costs.

Critical Issue Three: Testing Partners May Become Gatekeepers

IFSCA may ask a firm to secure at least one testing partner.

A partner may provide customers, data, payment links or market access.

However, small firms may struggle to find such a partner.

Moreover, large banks or funds may demand exclusive rights, source-code access or wide control over data.

In addition, they may limit later deals or impose unfair business terms.

Therefore, the partner rule may create a private entry gate.

DSLA Recommendation

IFSCA should create a public partner list and organise partner meetings.

In addition, it should publish model secrecy terms, model data terms and fair intellectual-property rules.

Moreover, it should promote fair exit terms and incentives for financial firms that take part.

Critical Issue Four: Partner Contracts Need Protection

Before signing a testing deal, the applicant should settle existing intellectual property and new intellectual property.

In addition, the contract should deal with ownership of improvements, secrecy and data ownership.

Moreover, it should cover data use, cyber duties, legal duties, compensation and liability limits.

Finally, it should address exit rights and later market rights.

Regulatory approval does not replace a sound contract.

Therefore, small firms should carefully review a partner’s standard terms.

Critical Issue Five: A Successful Test Does Not Ensure Market Entry

The Limited Use Authorisation ends with the Testing Stage.

Likewise, any temporary legal relief ends unless the regulator grants more time or a new licence.

Therefore, the firm cannot simply launch after a successful test.

This creates a graduation gap.

A firm may spend money on product work, cyber audits, lawyers and compliance staff.

In addition, it may spend on testing partners, user support, reports and safety controls.

Yet it may still face a new licensing process.

DSLA Recommendation

IFSCA should publish a post-test guide.

The guide should state the likely licence, capital needs, management rules and office rules.

In addition, it should explain extra technology rules, expected review time and the value of sandbox results.

Moreover, it should state whether faster approval is possible.

Finally, every successful firm should receive a formal test-completion record.

Critical Issue Six: Wide Official Powers Need Clear Rules

IFSCA may accept or reject an application.

It may also set testing limits, grant or refuse relief and require an office.

In addition, it may approve or reject changes, extend or end testing, suspend approval or cancel approval.

These powers may be needed.

However, they should not lead to uncertain or unequal results.

DSLA View on Fair Process

According to DSLA, major decisions should give clear reasons.

This is especially important when IFSCA rejects a Final Application or refuses legal relief.

Likewise, reasons should be given when the Authority denies more testing time, ends a test early or suspends approval.

Moreover, reasons should support any final cancellation.

Written reasons improve fairness.

In addition, they help future applicants understand the regulator’s approach.

Therefore, IFSCA should also publish short anonymous case notes where possible.

Critical Issue Seven: Suspension Without Notice Needs Review

IFSCA may suspend approval without prior notice in an urgent case.

This may be fair after a major cyberattack, fraud or misuse of customer money.

Likewise, urgent action may be needed after a large data leak, serious system failure or threat to the market.

However, immediate suspension can also harm users, staff and investors.

DSLA Recommendation

An urgent suspension should lead to written reasons at once.

In addition, the firm should receive a short reply period and a quick hearing.

Moreover, IFSCA should issue user-protection and data-protection directions.

Finally, the matter should receive a fixed review date and a final written order.

Thus, urgent suspension should remain temporary until a proper review takes place.

Critical Issue Eight: The Grounds for Cancellation Are Broad

IFSCA may cancel approval for several reasons.

These include wrong facts, missing facts, false statements and weak risk controls.

In addition, cancellation may follow a breach of rules, loss of trust, insolvency or cyber harm.

Moreover, the Authority may act after user harm, repeated system faults or failure to follow directions.

Many of these grounds are fair.

However, terms such as “loss of trust” or “public harm” need more detail.

For example, a media claim should not carry the same weight as a final official finding.

Therefore, IFSCA should review the source, proof and real impact before acting.

Critical Issue Nine: Fit-and-Proper Rules Need One Standard

The forms ask for detailed fit-and-proper information from founders, directors, partners, managers and major owners.

However, one part refers to three years after certain orders.

By contrast, another part refers to five years.

This may reflect different rules.

Even so, the document does not explain the difference.

DSLA Recommendation

IFSCA should issue one clear fit-and-proper schedule.

Until then, applicants should give full facts instead of relying on the shorter period.

After all, missing facts may cause more harm than the old case itself.

Critical Issue Ten: Legal Declarations Need Room for Explanation

The checklist asks about penalties, inquiries, cases and official action.

A large group may not be able to state that no such matter has ever existed.

Moreover, an inquiry does not prove guilt.

Therefore, the form should allow the firm to explain what happened and which body acted.

In addition, it should allow details about the present stage, adverse findings and the effect on the proposed test.

Finally, the applicant should be able to explain the outcome and steps taken later.

IFSCA should judge the facts and seriousness of each matter.

Critical Issue Eleven: Fee Dates Need Clarification

The FAQs refer to a fee circular dated April 8, 2025.

However, Annexure I refers to a fee circular dated March 2, 2026.

Therefore, applicants may not know which fee rule controls.

IFSCA should clearly state the current circular and the correct fee table.

In addition, it should explain the application fee, later fees, refund rules and late fees.

Moreover, the Authority should clarify the treatment of older cases.

Critical Issue Twelve: Drafting Errors Create Doubt

The FAQs and forms contain spelling errors, date differences and mixed terms.

A small spelling error may not change the law.

However, these forms may support legal declarations and official action.

Therefore, IFSCA should issue a corrected version with one set of terms and correct dates.

In addition, it should use one fit-and-proper rule, corrected tables and a clear version number.

Moreover, it should publish a change record.

The FAQs state that the main law or circular will control in case of conflict.

Even so, official guidance should remain clear.

Critical Issue Thirteen: Foreign Entry Still Brings Legal Risk

The framework welcomes foreign firms.

This may bring money, skills and new tools to GIFT IFSC.

However, foreign firms may still face questions on data transfer, cloud use and overseas work.

In addition, they may face tax, intellectual-property, cyber and user-right issues.

Moreover, questions about choice of law may arise.

Therefore, IFSCA should issue simple country guides for major partner markets.

A FinTech Bridge should explain the real path in both countries.

Critical Issue Fourteen: Office Rules Need Early Notice

A physical office is generally not needed for the Innovation Sandbox.

However, it may be needed where a live test holds customer money.

In addition, IFSCA may require an office in other cases.

This power may be reasonable.

However, the firm should receive early notice because an office may require rent, local registration and staff.

Moreover, it may require tax planning, a bank account and local support.

Therefore, IFSCA should state the office rule at the early approval stage.

Link With IFSCA’s Wider GIFT City Plan

The sandbox forms part of a wider GIFT City plan.

For example, GIFT IFSC offers a route for eligible Indian public companies to reach overseas investors.

ABC Live explained this route in How Indian Public Companies Can Access Foreign Capital Through GIFT City.

Likewise, IFSCA has developed a separate system for ship leasing.

ABC Live’s Critical Analysis of IFSCA’s Framework for Ship Leasing found that good rules must be backed by capital, skills and legal certainty.

The same principle applies here.

A sandbox alone cannot build a strong FinTech system.

Instead, firms also need good data, willing partners and strong technology.

In addition, they need legal support, investors, trained workers and fair contracts.

Finally, they need a clear path to full approval.

Comparison With Global Practice

Many global sandbox systems examine whether an idea is new and whether users benefit.

In addition, they assess whether the product is ready and whether testing is needed.

Moreover, they examine risk controls and the need for regulatory support.

Some systems also separate live testing from early software development.

IFSCA follows a similar path through the Regulatory Sandbox and Innovation Sandbox.

However, a strong sandbox should offer more than test approval.

It should also offer data, guidance, partners and technical help.

In addition, it should provide investor access, model contracts and clear decisions.

Finally, it should create a practical path to market.

Therefore, IFSCA should not judge success only by application numbers.

Instead, it should publish applications received, applications accepted and tests started.

Moreover, it should report tests completed, average review time, user incidents and early exits.

Finally, it should publish cancelled approvals, full licences granted, funds raised and firms still active after testing.

ABC Live and DSLA Analysis

The IFSCA FinTech Sandbox Framework 2026 is an important step.

Its main strength is that it brings several test routes into one system.

First, it covers live tests. Second, it covers non-live tests. Moreover, it supports joint regulator tests and overseas referrals.

In addition, the framework keeps user safety at the centre.

It requires risk notice, written consent, cyber checks, reports and exit plans.

However, one key tension remains.

IFSCA wants to attract new firms. At the same time, its paperwork often appears designed for a mature financial body.

Therefore, the answer lies in risk-based rules.

For example, a software tool using fake data should not face the same burden as a live payment platform.

Likewise, a college team should not face the same account-history rules as a large bank.

Thus, IFSCA should grade cases by sandbox type, use of real users and use of customer money.

In addition, it should consider transaction size, data risk, cyber risk and market impact.

Finally, it should consider the age of the firm and its foreign links.

Without such grading, the system may reward the best-funded firms rather than the best ideas.

DSLA Legal and Regulatory Assessment

DSLA views the framework as a useful legal step.

However, its value will depend on fair and clear use of official powers.

IFSCA should ensure that its decisions remain clear, fair, even, reasoned and open to review.

Moreover, every decision should remain linked to the purpose of the law.

Applicants should also understand that sandbox entry does not remove general law.

For example, normal duties may continue under laws on contracts, data and cyber safety.

Likewise, foreign-exchange, tax, intellectual-property and anti-money-laundering rules may continue.

In addition, company law, insolvency law, user-right rules and criminal law may still apply.

Therefore, firms should read the exact terms of their Limited Use Authorisation.

They should not assume that “sandbox status” gives broad legal freedom.

Recommended Policy Changes

Publish One Corrected Version

IFSCA should correct date conflicts, fee references, spelling errors and fit-and-proper periods.

Use Risk-Based Entry Routes

Different rules should apply to research tests, early prototypes and non-live tests.

In addition, separate rules should apply to low-risk live tests, customer-money products and key market systems.

Clarify In-Principle Approval

Every approval should state its terms, dates, legal effect and withdrawal rules.

Create a Clear Graduation Route

Applicants should know the likely licence before testing begins.

Give Reasons for Major Decisions

Major refusals, suspensions and cancellations should include written reasons.

Add a Quick Suspension Review

Urgent suspension should lead to a fast hearing and a final written order.

Define Major Changes

IFSCA should list examples of changes that need prior approval.

Set Minimum User Protection

High-risk tests should use insurance, reserves, escrow or refund rules.

Keep Complaint Support Open After Exit

Users should have a fixed period to raise later claims.

Build a Testing-Partner Network

IFSCA should help approved firms find banks, insurers and other partners.

Publish Model Contracts

Model terms should cover data, secrecy, ownership, cyber duties and loss.

Phase Cyber Audits

Full outside audits should become due before live use, rather than at the first stage in every case.

Use Risk-Based Reports

Low-risk tests should file shorter reports. By contrast, high-risk tests should file the full set.

Publish Results

IFSCA should publish approval, testing, incident, exit and licensing data.

Risk Dashboard

Issue Purpose Main risk Suggested change
Long document list Check the applicant May block new firms Use applicant-based lists
Cyber audit Protect users High early cost Use audit stages
Testing partner Give market access Partner may control entry Create a partner list
Wide official powers Control risk Unequal results Give written reasons
Monthly reports Track testing Heavy burden Use shorter forms for low-risk tests
Foreign-currency records Support IFSC structure Hard for Indian founders Give mixed-currency guidance
No automatic licence Protect the wider market Successful firms may remain stuck Publish a licence path
User consent Explain test risks May become a full waiver Keep claims for wrongdoing
Loss notice Inform users No minimum payment Set risk-based cover
Urgent suspension Stop immediate harm No prior hearing Add quick review
Fit-and-proper forms Protect trust Different time periods Issue one standard
Seven-year records Support audit Too much data kept Use data limits
Foreign applicants Attract global firms Many laws still apply Publish country guides

What Happens Next?

The framework will now move from paper to practice.

IFSCA must review applications, decide relief and set testing limits.

In addition, it must monitor results, incidents and user complaints.

At the same time, firms must decide whether sandbox entry is worth the cost.

For example, they may need to pay for lawyers, cyber audits and partner deals.

Moreover, they may need to prepare product records, reports and user-support systems.

In some cases, they may also need local staff.

Therefore, IFSCA should study who enters the system and who graduates.

If only large firms succeed, the framework may not support real start-up growth.

However, if small firms, research teams and foreign innovators can enter and graduate, the framework may become a strong part of GIFT IFSC.

Conclusion

The IFSCA FinTech Sandbox Framework 2026 gives GIFT IFSC a broad system for financial testing.

It brings together live tests, non-live tests, joint regulator work and overseas links.

Moreover, it includes useful safeguards for users, data and market safety.

However, the framework will succeed only if it remains open enough for good ideas to enter.

Therefore, IFSCA should lower avoidable costs, grade rules by risk and explain every major approval step.

In addition, it should correct drafting gaps, strengthen user remedies and create a clear route to full licensing.

Otherwise, the framework may appear modern while still working mainly for large and well-funded firms.

Sources and Methodology

ABC Live reviewed the official IFSCA FinTech Sandbox Framework, 2026 Frequently Asked Questions.

The review covered the four sandbox routes, entry rules and application stages.

In addition, it examined testing limits, user safeguards, foreign-currency rules, monthly reports and final reports.

Moreover, ABC Live reviewed exit duties, cancellation powers, the document checklist and compliance forms.

DSLA provided legal input on fair official process, written reasons and In-Principle Approval.

In addition, it reviewed urgent suspension, user consent, loss cover and partner contracts.

Finally, it examined data use, fit-and-proper rules, record keeping and final market approval.

ABC Live retains full editorial control over the report.

Related ABC Live Reports

How Indian Public Companies Can Access Foreign Capital Through GIFT City

This report explains how eligible Indian public companies may reach overseas investors through GIFT IFSC. In addition, it examines foreign-currency funding, company law and IFSCA oversight.

Critical Analysis of IFSCA’s Framework for Ship Leasing

This report examines IFSCA’s plan to build GIFT IFSC as a ship-finance and leasing centre. Moreover, it explains why legal clarity, capital and market skills must support new rules.

Primary Regulatory Source

International Financial Services Centres Authority

IFSCA FinTech Sandbox Framework, 2026—Frequently Asked Questions

Frequently Asked Questions

What is the IFSCA FinTech Sandbox Framework 2026?

It is a controlled system for testing new financial products and technology in GIFT IFSC.

When did it take effect?

It took effect on March 16, 2026.

Does it replace earlier rules?

Yes. However, valid earlier action and approvals remain protected.

What are the four sandbox routes?

They are the Regulatory Sandbox, Innovation Sandbox, Inter-Operable Regulatory Sandbox and Overseas Regulatory Referral Mechanism or FinTech Bridge.

Can a foreign company apply?

Yes. However, some country-based limits apply.

Is an office in GIFT IFSC always needed?

No. However, IFSCA may require one for some live tests.

How long may testing continue?

Normally, testing may last up to 12 months. In addition, IFSCA may allow six more months.

Does a successful test allow full market launch?

No. Therefore, the firm may still need a separate licence.

Can IFSCA relax a rule?

Yes. However, the applicant must ask for clear and specific relief.

Must live users give consent?

Yes. In addition, the firm must explain the main risks and loss terms.

Does consent remove all liability?

No. It should not protect the firm from fraud, serious carelessness or breach of law.

What reports are required?

The firm must normally file monthly reports, special event reports and a final report.

How long must records be kept?

The firm must generally keep them for seven years after exit.

Why is the document list a concern?

It may be too heavy for a new firm, research team or early-stage product.

What does DSLA recommend?

DSLA calls for risk-based rules, fair process, stronger user protection and a clear path to full approval.