CMA Regulatory Sandbox Guidelines 2025

1 THE CAPITAL MARKETS AUTHORITY REGULATORY SANDBOX GUIDELINES 2025 Arrangement of Guidelines PART I – PRELIMINARY.

1. Title
2. Definitions
3. Objectives of the Guidelines
4. Scope and application PART II _ ELIGIBILITY, APPLICATION, ACCEPTANCE CRITERIA AND EXIT
5. Application and Approval.
6. Evaluation of application and approval.
7. Preparation of the product
8. Testing of the product
9. Exit from the sandbox
10. Commercial Deployment
11. Revocation and suspension
12. Processes following a suspension/approval
13. Compliance with the law. Part III _ OBLIGATIONS AND RESTRICTIONS
14. Reporting requirements of the participants
15. Oversight and management of the sandbox

2 The Capital Markets Regulatory Sandbox Guidelines (Under section 29(d) of the Capital Markets Authority Act, Cap. 64) IN EXERCISE of the powers conferred on the Capital Markets Authority (“Authority”) by Section 29 of the Capital Markets Authority Act, Cap 64 (“The Act”), these Guidelines are made this 11th day of June 2025.

1. These Guidelines shall be referred to as the Capital Markets Regulatory Sandbox Guidelines.
2. For purposes of these guidelines “Applicant” means a registered or incorporated entity that has applied to the Authority for approval to participate in the Regulatory Sandbox; “Authority” means the Capital Markets Authority. “Innovation” is a proposed innovative financial product/service/solution that does not exist in the capital markets or has characteristics that are significantly different from existing ones. “Live testing” is the process of putting a proposed innovative product/service/solution on trial in a live environment under a set of conditions and limitations. “Participant” means an Applicant that has been accepted by the Authority to participate in the Regulatory Sandbox; “Sandbox” is a framework set up to allow small-scale, live testing of innovations by entities in a controlled environment (operating under a special exemption, allowance, or other limited, time-bound exception) under supervision.
3. Objectives of the Guidelines In light of the rapid growth of technology and its significant impact on various sectors, the Capital Markets Authority acknowledges the need to foster a dynamic and innovative environment. This commitment aligns with its mandate to facilitate and develop capital markets while also aiming to protect investors, promote confidence, and ensure honesty and transparency within these markets. As a result, the Capital Markets Authority has established these Regulatory Sandbox Guidelines to: i. Promote innovation; The sandbox will promote innovation by allowing experimentation of new and innovative capital markets products within a clearly defined space and time and with the Authority providing the necessary regulatory support. The Sandbox aims to acquire regulatory insights and improve regulatory efficiency by learning about new products and their associated risks, evaluating regulatory responses to mitigate these risks while safeguarding investors effectively, identifying regulatory gaps, and supporting policy innovation by providing structured feedback loops to guide new law-making processes.Protect investors as mandated under section 6(d) of the Capital Markets Authority Act, cap

ii. Enhance regional and international competitiveness. iii. Promote financial inclusion.

3 4. Scope and application I. The sandbox is available to companies and other entities registered within Uganda or entities licensed/approved by a securities market regulator in another jurisdiction that intends to offer innovative securities products, solutions, or services in Uganda following a successful exit from the sandbox. II. They apply to an entity that has applied for and been duly approved by the Authority to participate in the sandbox. III. The sandbox will only apply to products, that fit within the securities definition in the Capital Markets Authority Act, cap 64 and to services, technologies and solutions that are ancillary, incidental or relate to the creation, issuance, trading, and custody of such products PART II 5. Application and Approval. I. Applicants may submit their applications for participation in the Regulatory Sandbox at any time. The Authority will evaluate applications on a continuous basis. II. The application will be accompanied by the following documents a) Completed application form as set out in schedule A; b) Certified copies of the certificate of incorporation or certificate of registration, and memorandum and articles of association or registered partnership deed. c) Certified copy of the beneficial owner's form. d) Certified list of directors and shareholders, or ; e) Copies of the National Identity cards for all Ugandan directors f) notarized copies of the certificate of good conduct or its equivalent and passport for all foreign directors/partners. g) Passport-size photographs for all applicants. h) CVs and copies of academic documents for directors, or partners and key personnel involved in the proposed sandbox product i) A business plan. III. The application must include supporting information and evidence to demonstrate fulfilment of the following sandbox evaluation criteria. a) The Participant must ensure that the proposed innovation is within the scope of the Sandbox. b) The proposed product or service is innovative, new, emerging, or innovatively using existing technology. c) The proposed product addresses a problem or brings benefits to investors or the industry. d) That adequate resources and measures are in place to safeguard investor interests during the test trial. This should, among other things, include;

4 e) internal processes and controls that will ensure only well-informed investors take up the proposed innovation; f) proper dispute resolution mechanisms; and, a compensation plan to compensate persons who suffer pecuniary loss occasioned by any default of a Participant or any employee of a Participant, in the course of, or in connection with, the test trial, being a loss in relation to any money, securities or other property which was entrusted to, or received by, the Participant or an employee for, and on behalf of, the Participant. g) The test scenarios and expected outcomes of the sandbox experimentation should be clearly defined, and the participant should report to the Authority on the test’s progress based on an agreed schedule, including a comprehensive report after exiting the sandbox. h) ensure that the proposed innovation is at an advanced stage, ‘ready to test stage’, which may, among other things, entail; i. having a detailed test plan outlining timelines for execution of key Sandbox stages/milestones; ii. having a reporting framework; and iii. having clear and concise methods of testing and controls necessary during the test trial i) Clearly define the appropriate boundary conditions to ensure the sandbox operates effectively while adequately protecting investors’ interests and maintaining the safety and soundness of the industry. These conditions may include but are not limited to, limits on the number of clients based on client type, restrictions on the number of transactions, caps on the value per transaction, and maximum total transaction values. j) Fit and proper tests of senior management and governance bodies shall be undertaken. k) Significant risks arising from the proposed service should be assessed and mitigated. l) Appropriate dispute resolution and, if deemed necessary by CMA, compensation mechanisms, as well as appropriate professional indemnity insurance, should be in place. m) An acceptable exit and transition strategy should be clearly defined in the event that the proposed product has to be discontinued or can proceed to be deployed on a broader scale after exiting the sandbox. n) Ensure sufficient human and financial resources to participate in the Sandbox. o) Have systems to securely store and maintain client information, reports, and correspondence with the Authority. p) Pay the requisite application fee. q) Notwithstanding the above, the Authority may impose any other requirements as it sees fit.

5 r) The Authority shall in its sole discretion determine the adequacy of the requirements submitted by the applicant above. IV. The Authority will determine which rules and regulations the sandbox entity has to follow during the testing phase and which may be relaxed. This may include new rules and regulations that the Authority intends to test. 6. Evaluation of application and approval. I. The Authority shall evaluate the application, and for successful applicants, it shall issue a letter of approval to participate in the Regulatory Sandbox in accordance with these guidelines. II. The approval shall constitute the following information: a) a confirmation that the innovator has been accepted into the sandbox as a Participant to carry out the test under the agreed methodology for sandbox testing; b) an indication of the date of issuance and expiry of the temporary approval; c) a detailed description of the innovation to be tested; d) a list of the agreed consumer safeguards; III. The Authority shall inform Participants of its decision, citing reasons for approval/rejection within 45 working days following Submission of a complete application. 7. Preparation of the product I. Upon approval, the Participant shall submit to the Authority a test plan with the following information. a) Key test objectives (including the specific regulatory questions or hypotheses to be tested in the Regulatory Sandbox); b) Testing metrics and/or performance indicators; c) Testing methodologies; d) Scope and testing parameters (e.g., number and/or kind investor and/or test market, aggregate value and/or frequency of transactions, etc.); e) Proposed testing period; f) Relevant reports to be submitted during the testing period and feedback mechanisms; and g) Safeguards and remediation measures. II. The Authority will review and approve the test plan with such modifications as may be necessary. III. Upon approval, the Participant may proceed to the next stage. IV. The Authority may require additional modifications to the test plan during the testing period, as necessary, to ensure the achievement of test objectives or to protect investor interests, and the Participant may propose such modifications for the Authority’s approval.

6 8. Testing of the product I. The Participant will be permitted to test a proposed innovation in a live environment according to an agreed test plan. II. The Testing stage shall not exceed a twelve (12) months period. III. Under special circumstances, the Authority may grant an extension to the initial Testing period which shall not exceed 12 months. 9. Exit from the sandbox I. A participant shall exit the sandbox when the testing period ends, when the authorization is revoked by the Authority or participant, or for any other reason determined by the Authority from time to time. II. In the case where the exit is as a result of the testing period being completed, the Authority shall take any of the following decisions: a) Grant the Participant approval to operate in Uganda subject to compliance with existing legal and regulatory requirements; or b) Adopt new regulations or guidelines pursuant to Sections 29 and 149 of the Capital Markets Authority Act Cap 64, based on insights gained from the Regulatory Sandbox test where there is a need for a broader legal or regulatory reform (for example, the design and adoption of a new regulation to govern a specific class of business model or innovation that is not adequately addressed under existing regulation); or; c) Deny permission for the Participant to operate in Uganda under prevailing legal and regulatory requirements. d) Prior to grant of approval in (a) above the applicant shall satisfy the Authority has the intention and demonstrates the ability to deploy the proposed product in Uganda on a broader scale after exiting the sandbox. 10. Commercial deployment. I. Participants may receive official approval for the commercial deployment of their innovation upon successfully completing all sandbox testing stages. II. The approval shall be granted within 30 days of receipt of the Exit Report. 11. Revocation and suspension I. The Authority may, in addition to any other enforcement action, revoke or suspend an approval to participate in the Regulatory Sandbox at any time before the end of the testing period if the Participant: a) Contravenes any applicable laws.

7 b) Fails to proceed with the Testing stage within an agreed time. c) Fails to address identified weaknesses in the Testing stage within a specified duration as guided by the Commission. d) Fails to implement adequate consumer/investor protection and risk management measures. e) Submits false, misleading, or inaccurate information or fails to disclose material information concerning the Innovation. f) Engages in criminal or unlawful activity. g) Is undergoing or facing imminent liquidation. h) Breaches data security and confidential requirements. i) Fails to meet any conditions of the Sandbox. j) Any other reason determined by the Authority. i. The Authority shall not revoke or suspend an approval without first giving the entity an opportunity of being heard. ii. A notice of revocation/suspension shall also be communicated to the Public through a gazette notice or mainstream media. iii. The Participant may voluntarily seek revocation of their approval to participate in the Regulatory Sandbox subject to clearly demonstrating how it has addressed the interests of existing clients or investors to the satisfaction of the Authority. 12. Processes following a suspension/approval I. The Participant shall halt the onboarding of new clients in case of a suspension. II. The Participant shall inform all customers/investors of the revocation and advise clients on available redress procedures for potential losses. III. The Participant shall publish a public notice of the revocation/suspension in a newspaper of wide circulation. IV. The Participant shall implement their compensation plan and ensure all persons who suffer pecuniary loss occasioned by any default of the Participant or any employee of the Participant, in the course of, or in connection with, the test trial, being a loss in relation to any money, securities or other property which was entrusted to, or received by, the Participant or an employee for, and on behalf of, the Participant is compensated. V. The Participant shall meet all contractual obligations to its customers and other creditors. VI. The Participant shall comply with all obligations agreed upon in the Sandbox. VII. Within 30 days of the revocation approval, the Participant must submit a report detailing the actions taken to wind down operations and exit the Sandbox. 13. Compliance with the law

8 Subject to these guidelines, a participant shall comply with the Capital Markets Authority Act, cap 64, the Collective Investment Schemes Act, cap 65, where applicable and all the other laws of Uganda. PART III 14. Reporting requirements of the participants I. The Participant shall be required to submit periodic reports to the Authority during the Sandbox lifespan; II. The Authority shall determine the nature of periodic reports that the Participant will be expected to submit; III. At the request of the Authority, the Participant shall be required to submit adhoc reports; IV. The reports will contain information that includes the following; a) Key performance indicators, key milestones and statistical information; b) Key issues arising as observed from misconduct, fraud or operational incident reports and, if any, measures taken by the Participant to address such incidents; c) Actions or steps taken to address customer complaints, emergent risks, or other issues relevant to the Authority’s assessment of applicable regulatory requirements; d) Proposed changes to the Participant’s key personnel, management, leadership, business plan, or any concerns on financial solvency; and e) Any other relevant matters. V. Participants shall ensure proper record maintenance during the testing period to support the Authority’s review of the testing activities. VI. Participants shall submit a final report to the Authority within thirty calendar days from the expiry of the testing period or within any other period as may be agreed upon by the Authority and the Participant. The final report shall contain: a) Key outcome and performance indicators; b) A full account of all incident reports and resolution of customer complaints; and c) In the case of a failed test, lessons learned from the test; or d) In the case of a successful test, the Participant’s plan for transitioning the product, solution, or service to a commercial scale. VII. The Authority shall treat the Test plans and all test results as confidential unless otherwise indicated in these guidelines or agreed upon with the Participant. VIII. From time to time, the Authority may disclose data on and types of firms that have applied to participate in the Regulatory Sandbox. 15. Oversight and management of the sandbox

9 I. The Authority shall establish the Sandbox Management Committee (SMC) to consider and approve applications to be admitted to the Sandbox, oversee the activities of the Sandbox’s participants, approve mode of exit from the sandbox, II. The members of the SMC shall be staff of the Authority appointed by the Board on the recommendation of Management who will also propose the Chair and secretary of the Committee. III. The SMC may subject to approval of Management co-opt external experts to provide expertise in the process of considering any matter to do with admission to, participation in and exit from the sandbox IV. The SMC shall, among other things, be responsible for; a) monitoring, evaluating, and advising Participants in all stages of the Sandbox. b) Conduct thorough reviews of applications for admission into the CMA regulatory sandbox. c) Closely monitor the implementation of test plans by sandbox participants. d) Oversee the transition process of entities exiting the sandbox. e) Serve as a central channel for the efficient sharing of information both internally within the CMA and externally with relevant stakeholders. f) Review and analyze policy and legislative amendments related to innovative products or services developed within the sandbox. g) Provide tailored regulatory support and technical advice to participants within the regulatory sandbox as needed. h) Approve the entry of applicants into the sandbox. i) Suspending or revoking approvals. j) Provide timely and informative feedback on inquiries from both potential and admitted participants in the sandbox. k) Collaborate with innovators to ensure the development of robust consumer protection safeguards are integrated into all new products and services within the sandbox. l) Review and approve all communication to their selected customers and to the general public. SCHEDULE 1 APPLICATION FORM Corporate entity Information

10 Name of firm Full names of all owners/founders Business address Phone number Website URL (if available; if password protected, please provide relevant access details) Contact person: Name Title Telephone number Email address Is your business or any affiliated business (or their owners/founders or employees) currently registered, licensed, or supervised by the Capital Markets Authority? If yes, please provide details. Is your business, any affiliated business (or their owners/founders or employees) currently involved in an active dispute or enforcement action within the mandate of the Capital Markets Authority? If yes, please provide detail Is your business or any affiliated business (or their owners/founders or employees) currently registered, licensed, or supervised by any other financial services authority in Uganda or other jurisdiction? If yes, please provide details. Is your business or any affiliated business (or their owners/founders or employees) currently operating under any regulatory exemption granted by the Authority or any other authority in Uganda or other jurisdiction? If yes, please provide details. Please describe the nature and scale of your current operations in Uganda Detailed Key Personnel Details of the Sandbox Proposal Additional information may be provided as supporting documents Describe your innovative product, solution or service. Attach a business model or project synopsis. Describe the technology and/or methodology that will be used to offer your product, solution or service.

11 Explain how your product, service, or solution will foster or accelerate the development of the Uganda n capital markets. Identify the type of customers and/or investors you will target to participate in the Regulatory Sandbox test. How do you intend to acquire and engage clients? Identify any other businesses or partners or institutions that you are working with or plan to work with if you are selected to participate in the Regulatory Sandbox Describe the business strategy or plan to deploy the product, solution or service in the broader Uganda marketplace after exiting the Regulatory Sandbox Explain why your product, solution or service would benefit from participation in the Regulatory Sandbox. Identify the specific legal and regulatory requirements prescribed by the Authority that would need to be varied or waived in connection with a Regulatory Sandbox test of your product, solution or service. If you think your product, solution or service raises new or complex regulatory concerns, please describe. Describe the current stage of development of your product, solution or service. If the product is not sufficiently developed to offer to customers, what is the anticipated development path and timeline for live testing? Describe the key investor protection, market stability and any other risks associated with your product, solution or service and how you have or intend to address those risks? Describe your plan for exiting from the Regulatory Sandbox. If you are successful, what is your plan for offering your product, service or solution on broader scale within Uganda ? If you are unsuccessful, what is your plan for winding down the firm and addressing investors interests or developing an alternative approach? Briefly describe or attach short bios on your key personnel’s technology or financial industry experience.

12 Please describe the financial resources, including any venture funding or potential funding, you intend to use to develop and test your product, service, or solution in the Sandbox. . Testing Criteria Describe the use case that you are proposing to test in the Regulatory Sandbox. Describe in detail the testing program you propose, including: (a) test objectives and intended outcomes; (b) test parameters to measure the success of the test objectives/outcomes; (c) control boundaries for the test, including, inter alia, customer type and number, and transaction size and total exposure limit; (d) customer acquisition plan for the test; (e) customer communication plans,customer journey (in case of online or USSD based platform) and templates, including sample risk disclosures for the live-test; (f) key testing milestones and timelines; (g) anticipated duration; and (h) an exit strategy for customers upon completion or discontinuation of the live test. Describe the proposed control program and safeguards for a live test, including: (a) measures to monitor and ensure compliance with the safeguards to be established for the test; (b) measures to mitigate risks and impact to customers arising from any test failures; (c) reliance on other test partners (such as regulated financial institutions) to monitor or mitigate regulatory risks; (d) measures to handle customer inquiries, after-test services and complaints in a fair and effective manner; and (e) any programs for compensating customers who may have suffered damage as a result of participating in the test. (f) System vulnerability testing programe ( in case of an IT based product Vulnerability Penetration Testing plan/program) (g)

13 I/WE…………………………………………………………………………………………… ……….. declare that all information given in this application and in the attached documents is true and correct. Dated this ………………………………..day of …………………………20……. Signed Name ……………………………………………… Position ……………………………………………. Name …………………………………………….. Position …………………………………………