Article

Accountability and Liability in AI-Related Financial Regulatory Sandboxes: A Comparative Legal Analysis

Faculty of Law and Political Sciences, István Széchenyi University, 9026 Győr, Hungary
FinTech 2026, 5(2), 46; https://doi.org/10.3390/fintech5020046 (registering DOI)
Submission received: 7 April 2026 / Revised: 26 May 2026 / Accepted: 28 May 2026 / Published: 30 May 2026

Abstract

Regulatory sandboxes have evolved from specialised FinTech tools into broader mechanisms of regulatory experimentation. As artificial intelligence (AI) applications become embedded in credit decisioning, payment-fraud detection, identity verification, crypto-asset compliance, customer-facing advice and supervisory analytics, sandbox design increasingly affects how legal and institutional responsibility is allocated among regulators, participating firms, technology vendors and users. This article provides a comparative doctrinal and institutional analysis of accountability and liability in AI-related financial regulatory sandboxes. It clarifies the relevant AI modalities, distinguishes accountability (answerability and enforceability during sandbox participation) from liability (contractual, tort/product and regulatory/public law responsibility after harm), and maps framework-level safeguards across the European Union, the United Kingdom, Singapore, Norway and Hungary. The analysis does not seek to measure sandbox effectiveness empirically. Instead, it examines how publicly available legal and regulatory materials structure the allocation of duties before, during and after sandbox testing. The article shows that sandboxes generally do not operate as liability shields. Their legal significance lies in reallocating ex ante accountability duties—documentation, disclosure, monitoring, human oversight and exit planning—while preserving baseline liability rules. An Accountability and Liability Protocol is proposed to clarify roles, protect baseline consumer rights, support evidentiary traceability and connect sandbox learning to enforceable post-sandbox obligations.

1. Introduction

Regulatory sandboxes have become prominent instruments of financial regulation, enabling innovators to test products or services with real users under enhanced supervisory engagement, limited scope and tailored safeguards [1,2,3,4,5]. Legal scholarship increasingly characterises sandboxes as instruments of experimental or adaptive governance [6,7,8,9,10,11,12,13], because they may reduce regulatory uncertainty, generate evidence for rulemaking and accelerate innovation. At the same time, the growing use of AI in finance [14,15,16,17,18,19,20,21,22] creates distinctive governance problems: opacity, data dependence, model drift, automation bias and complex multi-actor supply chains complicate the allocation of responsibility and the provision of redress.
This article addresses a gap in the literature concerning how sandbox governance interacts with the allocation of accountability and liability for AI-enabled financial innovations. Prior research has examined sandbox diffusion, innovation outcomes, regulatory learning and legitimacy [1,2,3,4,5,6,7,8,9,10,11,12,13]. AI governance scholarship has addressed explainability, impact assessments, human oversight and accountability [23,24,25,26,27,28,29,30,31,32,33,34], while AI liability literature has analysed evidentiary burdens, causal uncertainty and product-defect standards [35,36,37,38,39]. Yet the legal redistribution of accountability and liability within AI-related financial regulatory sandboxes remains insufficiently analysed in comparative perspective.
The article makes three primary contributions. First, it clarifies the AI modalities legally relevant to sandbox governance and introduces a functional typology of AI-related financial regulatory sandboxes. Second, it develops an accountability/liability framework that distinguishes answerability, enforceability and post-incident legal responsibility. Third, it compares five regulatory models—the European Union, the United Kingdom, Singapore, Norway and Hungary—and proposes an Accountability and Liability Protocol designed to preserve baseline protections while maintaining the learning benefits of experimentation [40,41,42].
The analysis is based on comparative doctrinal and institutional legal analysis supported by structured analytical mapping. It draws on legal texts, regulatory guidance, publicly available sandbox materials [43,44,45,46,47,48], official reports and peer-reviewed scholarship on regulatory sandboxes, AI governance, RegTech/SupTech and AI liability. The article does not claim to provide an empirical effectiveness evaluation of sandboxes; rather, it identifies how framework-level legal and regulatory materials allocate duties, safeguards and liability-relevant responsibilities.
In addition to doctrinal debates, the sandbox literature offers further perspectives. Conceptual reviews highlight both the regulatory learning potential of sandboxes and their perception as ‘regulation-light.’ Concerns regarding selection effects, unequal access, and legitimacy are also identified. Empirical and comparative studies examine diffusion and effectiveness, demonstrating that institutional design and transparency influence whether sandboxes produce broad or tailored regulatory outcomes. Research on experimentalist governance in the EU situates sandboxes within learning-by-doing regulatory architectures.
Another body of literature examines the broader drivers of FinTech and AI adoption. Industry-level digital disruption and the global expansion of the FinTech market provide the context in which sandboxes function as mechanisms for innovation. At the organisational level, research highlights the importance of governance capacity, regulatory engagement, and digital culture in determining innovation outcomes.
Recent publications highlight the practical challenges encountered by sandboxes as they increasingly address AI and compliance issues. Topics include generative AI applications in finance, the integration of AI in payment systems and banking transformation, sustainability-oriented narratives linking FinTech and AI, regulatory developments concerning crypto-assets, and empirical analyses of stablecoins [49,50,51,52,53]. Although these studies do not focus exclusively on sandboxes, they contribute to understanding accountability and liability considerations when sandboxes are used to test AI-intensive financial innovations.

2. Materials and Methods

2.1. Scope and Definitions

For the purposes of this article, an AI-related financial regulatory sandbox refers to a controlled testing environment administered or supervised by a regulatory authority in which AI is either the object of testing, an embedded component of a financial product, or an operational tool used for regulatory or compliance monitoring. The relevant AI modalities are not limited to large language models. They include supervised machine-learning models used for credit scoring or underwriting; anomaly detection models used in fraud or anti-money-laundering monitoring; biometric or document-verification systems used for onboarding and KYC; natural-language processing and large-language-model tools used for customer communication, robo-advice or compliance support; and AI-enabled SupTech analytics used by regulators to monitor sandbox tests. This article does not assess model architecture, training performance or benchmark accuracy. Its focus is the legal significance of AI characteristics that matter for accountability and liability, including data provenance, training-data quality, opacity, model drift, automation bias, explainability, human oversight and multi-actor AI supply chains.
The analysis is situated within financial regulation and adjacent legal fields, especially data protection, consumer protection, product liability and public law supervision. This focus is justified by the prevalence of real-user testing and high-stakes decisions in financial sandboxes, including credit allocation, payment integrity, customer onboarding and market-conduct controls. Accountability is used broadly to cover answerability—the duty to explain, justify and document decisions—and enforceability—the capacity to impose corrective measures, conditions, sanctions or exit requirements. Liability is used more narrowly to refer to legal responsibility after harm, including contractual liability, tort/product liability and regulatory or public law liability.

2.2. Methodological Approach

The methodological approach is comparative, doctrinal and institutional. It employs a functional analysis of legal principles and regulatory design choices across jurisdictions. The study examines how different sandbox frameworks respond to a shared set of operational challenges: regulatory uncertainty, consumer exposure, data protection compliance, AI model opacity, evidentiary difficulties, supervisory discretion and the allocation of responsibility across AI supply chains. The analysis covers: (i) relevant legal instruments, including the EU AI Act, product-liability reform and national sandbox regimes; (ii) regulatory guidance and publicly available sandbox documentation; and (iii) academic literature addressing sandbox governance, AI accountability, RegTech/SupTech and liability. The study is not a technical AI-performance paper and does not evaluate the architecture or accuracy of particular AI models.

2.3. Case Selection and Comparative Strategy

The comparative design follows a functional approach. Jurisdictions are treated as different legal-institutional responses to a common problem: how experimental financial regulation should allocate duties and risks when AI-powered decision-making is tested or supervised in a controlled environment. Rather than seeking identical doctrinal categories, the analysis compares how sandbox architectures manage comparable risk functions—entry screening, exposure control, evidence generation, user protection, monitoring, exit and post-test enforcement—in light of AI-specific uncertainties such as opacity, drift and multi-actor supply chains.
The case selection is purposive and aims at institutional contrast while preserving functional comparability. The European Union is included because the AI Act creates a dedicated regulatory-sandbox concept within a harmonised risk-based AI framework and because EU product-liability reform shapes the ex post liability background. The United Kingdom and Singapore are included as mature FinTech sandbox ecosystems with different legal traditions and supervisory styles. Norway is included as an EEA jurisdiction with a data-protection-authority-led AI sandbox that foregrounds responsible AI and privacy governance. Hungary is included as a Central and Eastern European Member State where the central bank operates a regulatory sandbox with decree-based deviations and a formalised relief model. Together, these cases allow the study to examine how responsibility is allocated when the sandbox operator is a financial supervisor, an AI-oriented authority framework or a data protection authority.
To maintain analytical tractability, the comparative scope is limited to sandbox arrangements that entail live or realistic testing with potential implications for consumers or market integrity, such as credit underwriting, payments, fraud detection, onboarding/KYC, or advisory interfaces. Each sandbox is conceptualised as a set of interrelated design choices—encompassing legal basis, eligibility criteria, operational conditions, monitoring mechanisms, disclosure requirements, redress procedures, and exit strategies. The analysis then evaluates how these design elements redistribute responsibility among regulators, participating firms, and third-party technology providers.

2.4. Source Corpus and Evidentiary Base

The materials analysed fall into four categories. First, the study examines binding legal texts that frame sandbox operation and AI-related liability exposure, including the EU AI Act, EU product-liability reform, sectoral financial rules and baseline data-protection and consumer-protection regimes. Second, it analyses publicly available documentation of regulators and sandbox operators, including framework descriptions, guidance, eligibility criteria, application materials, cohort summaries and, where available, evaluation or lessons-learned reports. Third, it includes strategy documents and official communications that reveal the policy rationale for sandbox experimentation. Fourth, it synthesises peer-reviewed scholarship across three fields: regulatory sandboxes and experimental governance, AI governance and algorithmic accountability, and AI/digital product liability.
The article does not present a PRISMA-style systematic literature review. Instead, it uses a structured doctrinal review and targeted comparative analysis. The source corpus was assembled from frequently cited anchor publications, forward and backward citation checks, regulator websites, official sandbox reports and recent journal literature on FinTech, AI governance and liability. The evidentiary claims are therefore framework-level and interpretive: they concern what publicly available legal and regulatory materials require, imply or leave unclear, rather than the empirical effectiveness of individual sandbox projects.
Given that many aspects of sandbox operation are confidential by design—including firm-specific conditions, detailed test results, and internal supervisory analytics—the analysis distinguishes between (a) public-facing accountability, which concerns transparency and justification to the broader public, and (b) supervisory accountability, where the relevant forum may be the regulator, judicial bodies, ombuds institutions, or other authorities. Where public documentation is limited, this is treated as a variable affecting accountability, rather than merely as a data constraint.

2.5. Analytical Mapping Protocol: Accountability and Liability Along the Sandbox Lifecycle

The study operationalises accountability and liability through a lifecycle-based analytical mapping protocol. Each jurisdictional framework is assessed across three phases: (1) entry and design (gatekeeping, eligibility, risk classification and test conditions); (2) in-sandbox operation (monitoring, documentation, model governance, incident response and user-facing safeguards); and (3) exit and post-sandbox transition (scale-up pathways, continuing compliance and redress). The mapping records whether the relevant accountability or liability dimension is explicit in public framework materials, implicit or inferable from framework conditions, unclear because public materials are insufficient, or not applicable.
In terms of accountability, the coding dimensions include: (A1) transparency of entry criteria and selection; (A2) clarity of roles and allocation of responsibilities across the AI supply chain (participant, vendor, cloud/outsourcing, data provider); (A3) requirements for documentation and audit trails (including monitoring for model drift); (A4) user-facing safeguards (disclosure, consent/opt-in where relevant, complaint handling, redress and compensation routes); (A5) supervisory governance (decision logs, procedural safeguards, contestability and escalation); and (A6) public learning (publication of cohort results, anonymised lessons, and avoidance of implicit endorsement).
For liability, the coding dimensions include: (L1) whether the sandbox framework clearly preserves baseline private law liability and how it communicates that posture; (L2) interaction with strict liability regimes for defective products/software and with contractual performance standards in financial services; (L3) evidentiary posture and the availability of logs, documentation, and explainability to support causation and fault assessments; (L4) the interface between private redress and public enforcement (administrative sanctions, supervisory actions, market conduct measures); and (L5) the possibility of public law/state liability in cases where supervisory conduct becomes a salient causal factor.
Table 1 sets out the analytical mapping scheme. It is not presented as a quantitative coding instrument and does not measure sandbox effectiveness. Rather, it provides a transparent framework for comparing how publicly available sandbox materials address the duties and liability-relevant safeguards that matter for AI-enabled financial experimentation. Table 2 and Table 3 summarise how the coded dimensions appear across jurisdictions and typical harm scenarios.

2.6. Reliability, Limitations, and Interpretive Stance

This study adopts a doctrinal and interpretive stance. It analyses how legal and regulatory instruments structure responsibility allocation and how these structures would likely matter in the event of AI-related harm. The analysis does not empirically measure the effectiveness of sandboxes or establish causal links between sandbox participation and innovation outcomes. Its objective is to provide a legally grounded mapping of accountability and liability allocations that can inform both academic debate and practical sandbox design.
Several limitations follow. First, many operational details of sandbox projects are confidential by design, including project-specific conditions, detailed test results, contractual allocations between firms and vendors, and internal supervisory analytics. The comparative conclusions therefore focus on framework-level materials and publicly stated safeguards. Second, accountability, responsibility and liability are not used uniformly across jurisdictions. Third, EU implementation of AI Act sandboxes is still evolving. These limitations are partly mitigated by triangulating legal texts, official materials, evaluation reports and peer-reviewed literature, and by treating transparency itself as a comparative variable.
The normative position adopted is deliberately circumspect. The proposed protocol does not advocate either greater permissiveness or greater restrictiveness in sandbox policy. Instead, it specifies minimum design conditions necessary to ensure that experimental approaches remain consistent with baseline consumer protection and fundamental rights while facilitating transferable learning beyond the immediate sandbox context.

3. Conceptual Framework: Accountability vs. Liability in Experimental Governance

3.1. Accountability as Answerability and Enforceability

Public accountability is often analysed as a relationship in which an actor must explain and justify conduct to an accountability forum, which may question, judge, and impose consequences [29,30]. In sandbox contexts, there are multiple accountability relationships: (i) regulator-to-public (legitimacy, transparency, fairness, non-arbitrariness); (ii) firm-to-regulator (compliance, disclosure, monitoring); (iii) firm-to-user (informed consent, redress, contractual transparency); (iv) regulator-to-other-regulators (coordination, data sharing, supervisory consistency).
For analytical clarity, answerability and enforceability are separated. Answerability mechanisms require actors to provide reasons, documentation, explanations or audit trails: examples include entry criteria, model documentation, user disclosures, incident reports and exit reports. Enforceability mechanisms attach consequences to non-compliance or harm: examples include test suspension, modified conditions, remediation orders, complaints handling, compensation routes, sanctions and post-sandbox authorisation conditions. This distinction matters because many sandboxes are strong on answerability but weaker on enforceable follow-up duties.
Algorithmic systems raise well-documented accountability frictions. Algorithmic decision-making can be opaque in design and operation, shifting the evidence burden from ex post adjudication to ex ante documentation and oversight [31,32,33]. Even where explanations are technically possible, legal “right to explanation” claims may be more limited than public debate suggests, while reliance on governance tools such as impact assessments, audits, and documentation rises [34]. In financial services, these problems intersect with complex contractual chains (vendors, cloud providers, model providers) and regulated operational requirements (outsourcing, model risk governance).

3.2. Liability as Ex Post Responsibility and Compensation

Liability regimes allocate costs of harm across actors and can shape incentives for care, monitoring, and information disclosure. AI challenges liability through (i) causal uncertainty (multiple interacting components), (ii) unpredictability or evolving learning, (iii) information asymmetry (black-box models, trade secrets), and (iv) shifting control over time (updates, retraining, post-deployment adaptation) [35,36]. EU liability reform debates have focused on evidentiary tools and presumptions, as well as on modernising product liability to include software and digital services [37,41,42]. Sector-specific contexts—such as financial services—introduce additional layers: regulatory duties of firms and supervisors, public law sanctions, and consumer protection frameworks, which may coexist with private law remedies [38].
To maintain consistency, this article uses a tripartite liability framing throughout the analysis: contractual liability, tort/product liability and regulatory or public law liability. Contractual liability concerns failure to deliver the promised financial service or safeguard. Tort/product liability concerns negligent design, defective software-enabled products, discriminatory or harmful outputs and causal evidentiary questions. Regulatory or public law liability concerns supervisory enforcement, administrative sanctions, data-protection remedies, public law accountability and, in exceptional cases, potential state liability where supervisory conduct becomes a salient causal factor.

3.3. Why Sandboxes Strain Both Accountability and Liability

Sandboxes aim to create a controlled “space” for experimentation. Yet experimentation can blur the line between regulatory guidance and regulatory endorsement. If a regulator actively shapes a sandbox project through workshops and ongoing feedback, questions arise about: (a) whether this increases the regulator’s accountability for outcomes; (b) whether it affects private-law liability perceptions (e.g., reliance by consumers or investors); and (c) how to preserve the regulator’s enforcement credibility after acting as facilitator.
These tensions are explicit in non-financial AI sandboxes. For example, Norway’s DPA sandbox is described as a dialogue-based guidance service rather than an approval mechanism; nevertheless, the model creates internal tension between the authority’s facilitator role and its supervisory mandate [24,25,26,43]. Similar tensions emerge in financial sandboxes, where close supervisory engagement can reduce uncertainty while raising legitimacy concerns if selection criteria, outcomes, or learnings are opaque [6,11].

4. Typology of AI-Supported Sandboxes and Risk Allocation

The study proposes a typology useful for legal and governance analysis. The terminology is revised to avoid suggesting that the article assesses AI architecture or training performance. The typology instead identifies the legally relevant role that AI plays within the sandbox setting.
Type 1: AI-system testing sandboxes. These sandboxes are designed to test AI systems against horizontal AI governance, data-protection or fundamental-rights constraints. The relevant legal questions concern documentation, impact assessment, training-data governance, human oversight and post-test obligations (e.g., AI Act sandboxes and DPA-led AI sandboxes) [23,24,26,40].
Type 2: AI-embedded FinTech product sandboxes. These financial sandboxes test products or services in which AI is integral to functionality, such as credit underwriting, fraud detection, KYC, robo-advice or customer-support tools. Liability concerns involve both service performance and decision impact, including discrimination, wrongful denial, false positives and user detriment [5,49,50].
Type 3: AI-enabled supervisory sandboxes. These arrangements involve regulators using AI-enabled SupTech or analytics tools to monitor tests, identify anomalies or generate evidence. They may improve supervisory capacity but also create public law accountability questions if supervisory inferences materially influence entry, monitoring, enforcement or exit decisions [15,16,17].
Type 4: Multi-authority AI-FinTech sandboxes. These arrangements combine AI testing, financial testing and cross-border or multi-regulator coordination. They are especially relevant where a single project must satisfy financial conduct, data-protection, consumer-protection and AI-governance requirements simultaneously [5,28,46].
Across these types, AI changes the sandbox risk surface. Traditional sandbox safeguards—limited customer numbers, limited duration and enhanced disclosures—may not be sufficient where AI introduces distributional effects, model drift, automation bias, explainability gaps, training-data quality issues or data-security risks. The central design task is therefore to make the relevant accountability duties and liability pathways legible to firms, regulators, vendors and users before the test begins.
Figure 1 presents the actor chain through a concrete AI credit-scoring sandbox scenario. It makes explicit the regulator’s role in entry screening, monitoring and exit decisions, and shows where answerability, enforceability and liability triggers arise.

5. Comparative Legal Analysis

Table 3 operationalises the analytical mapping scheme at framework level. The categories are qualitative rather than numerical: E = explicit in public materials; I = implicit or inferable from conditions and procedures; U = unclear in publicly available materials; N/A = not applicable.

5.1. European Union

The EU AI Act establishes a risk-based framework for AI systems and provides for regulatory sandboxes as controlled environments intended to foster innovation while supporting compliance [40,54]. For present purposes, its importance lies in combining experimentation with documentation, risk management, human oversight and fundamental-rights safeguards. AI Act sandboxes therefore create a horizontal governance model that can intersect with financial regulation when AI tools are tested in credit, payments, fraud detection, onboarding, robo-advice or supervisory analytics.
Financial services in the EU remain subject to sectoral rules on conduct, prudential supervision, payments, data protection and operational resilience. AI-driven financial innovation frequently implicates several of these regimes simultaneously. The EU model is therefore best understood as a multi-layered sandbox environment: the AI Act may structure AI-specific governance duties, while financial, consumer and data-protection rules continue to define baseline obligations and remedies.
Liability reform is especially relevant. The revised EU Product Liability Directive modernises strict liability concepts and is relevant for software-enabled and AI-related harms [37,41]. The withdrawal of the separate AI Liability Directive proposal leaves the revised Product Liability Directive and national tort law as the principal private-law background [36,42]. Sandbox participation does not displace these regimes. Its legal significance is instead evidentiary and procedural: documentation, disclosure, model-governance records and human-oversight arrangements may help prove or rebut causation, defect, fault or compliance with the expected standard of care.

5.2. United Kingdom

The UK Financial Conduct Authority (FCA) sandbox remains one of the most influential financial sandbox models. It operates through supervised testing, eligibility criteria, tailored safeguards and close case-officer engagement [4,48]. The FCA’s own lessons-learned materials emphasise consumer safeguards, exit planning and the need to build protection into innovative products and services during testing. This makes the UK model comparatively strong on operational safeguards and supervisory answerability, although broader public learning still depends on the extent to which test outcomes are generalised beyond firm-specific feedback.
In liability terms, FCA sandbox participation is not a general immunity. It may, however, shape the evidentiary record and the standard-of-care analysis by documenting the test plan, limits, consumer safeguards and remedial actions. In this respect, the sandbox affects how liability is evidenced rather than whether baseline liability exists.

5.3. Singapore

Singapore’s Monetary Authority of Singapore (MAS) sandbox framework follows a permissioned-experimentation logic: testing occurs within defined boundaries, with risk mitigation, customer safeguards and supervisory oversight [47,55]. This model can strengthen enforceability because participation is conditional and framed by explicit test parameters. Its main accountability challenge is public visibility: strong bilateral supervision may produce high-quality regulatory learning, but the public value of that learning depends on how far it is communicated beyond the regulator-firm relationship.

5.4. Norway

Norway provides a distinctive European model because its flagship AI sandbox is led by the Data Protection Authority (Datatilsynet), rather than a financial supervisor. The Norwegian DPA sandbox is a guidance-oriented model: it helps selected participants explore data-protection compliance, but does not constitute prior approval or a binding decision [26,43]. Its accountability logic is therefore deliberative and public-facing. The authority engages in dialogue, publishes reports and externalises lessons for others facing similar compliance problems. This guidance-oriented model also relates to wider debates on public-sector AI sandboxes and explainable, interpretable AI governance [56,57,58,59].
A concrete example is the Finterai project, in which the Norwegian DPA sandbox examined federated learning for anti-money-laundering and counter-terrorist-financing purposes [60]. The project illustrates why AI-related sandbox accountability cannot be reduced to generic references to AI. The relevant technical feature was federated learning: participating banks could learn from transaction patterns without directly sharing customer data. This raised accountability questions about processing responsibility, data minimisation, model vulnerability and security. It also raised liability-relevant questions: a false negative could create AML compliance exposure, a false positive could affect customers, and data-protection harms could trigger GDPR remedies. The sandbox did not immunise the participant; rather, it clarified governance duties and documented the compliance reasoning.

5.5. Hungary

Hungary’s central bank (Magyar Nemzeti Bank, MNB) operates a central-bank-led regulatory sandbox that permits temporary deviation from selected MNB decree provisions within a supervised test environment [44,45]. The MNB model emphasises preliminary consultation, licensing, live testing with real clients for a limited period, cooperative monitoring and joint evaluation at the end of the test. Public MNB materials indicate possible exemptions relating to remote identification, payment rules, complaint handling and reporting duties [45].
The Hungarian model therefore differs from Norway’s guidance-first logic. It is more formalised and supervisory-control oriented: legal relief is granted within a central-bank process, while consumer protection and monitoring remain central. This can strengthen legal certainty for participants but may generate less public-facing learning than a DPA model that publishes project reports. The comparison illustrates two European accountability logics: Norway externalises learning through public guidance, whereas Hungary internalises learning within a central-bank supervisory process.

6. Cross-Cutting Comparative Observations

6.1. Sandboxes Are Not Liability Shields, but They Can Create Accountability Gaps

Across the examined frameworks, the predominant sandbox logic is not legal immunity but structured regulatory engagement. None of the public frameworks analysed clearly waives baseline contractual, tort/product, data-protection or consumer-protection liability. However, accountability gaps may arise when selection criteria are opaque, outcomes are not published, confidentiality is used broadly, supervisory roles are not clearly distinguished from facilitative roles, or multiple authorities share responsibility without a clear coordination mechanism. In this sense, the sandbox is legally significant less because it removes liability and more because it changes the documentation, disclosure, monitoring and standard-of-care context in which liability is later assessed.

6.2. AI Increases the Need for Documentation, Explainability and Impact Assessment

A consistent framework-level observation is that AI increases the evidentiary and governance burden. Explainability and interpretability are not merely ethical aspirations; they support answerability, reviewability and evidentiary traceability [31,57,58,59]. Data-protection constraints, training-data quality, model drift and the limited reach of individual rights to explanation strengthen the case for documentation, impact assessment, audit trails and human oversight [32,33,34]. Sandboxes can operationalise these tools before market entry, but only if they specify deliverables and post-sandbox obligations.
Table 4 translates these observations into a consistent tripartite liability framework. It shows how sandbox documentation can affect contractual liability, tort/product liability and regulatory or public law liability without eliminating any of them.

6.3. RegTech/SupTech Changes Regulator Accountability as Well as Firm Accountability

When regulators use AI-enabled tools for supervision, they can improve detection and evidence generation, but they also assume new accountability duties. Supervisory analytics must themselves be governed, documented and contestable where they materially influence entry, monitoring, enforcement or exit decisions. RegTech/SupTech should therefore be treated as part of digital regulatory governance rather than as a purely technical aid [14,15,16,17].

6.4. Norway and Hungary Illustrate Two Distinct European “Institutional Logics”

Norway and Hungary illustrate two different European institutional logics. Norway’s DPA-led model is deliberative and guidance-first: it preserves baseline legal duties while publishing project-level learning and clarifying compliance reasoning. Hungary’s MNB-led model is supervisory-control oriented: it provides formalised, decree-based deviations within a closely monitored financial sandbox. The first model is stronger in public-facing answerability; the second is stronger in formal supervisory control and legal relief. This contrast shows that accountability gaps do not arise only from weak supervision. They can also arise when supervisory learning remains internal and is not translated into generalisable public guidance.

7. Design Recommendations: An Accountability and Liability Protocol for AI-Supported Sandboxes

The study proposes an Accountability and Liability Protocol with minimum design requirements. The Protocol is not legal advice and is not intended to impose identical burdens on all firms. It should be applied proportionately: low-risk AI uses may require simplified documentation, while high-impact consumer-facing uses, such as credit scoring, KYC, fraud monitoring or advice, require stronger documentation, redress and human-oversight safeguards. Several elements are already visible in mature sandbox practice, especially the UK emphasis on consumer safeguards and exit planning and the Singapore emphasis on defined testing boundaries and risk mitigation [47,48].

7.1. Role Clarity and Responsibility Mapping

(1) Role map: require a concise RACI-style matrix identifying who is Responsible, Accountable, Consulted and Informed for model design, data governance, monitoring, incident response and user communication. (2) Supply chain accountability: identify third-party model providers, data brokers, cloud providers and outsourcing partners, and align contractual obligations with regulatory duties.

7.2. Baseline Rights and Consumer Protection

(3) No silent waivers: regulatory relief must be explicit, narrow and published in principle, even where individual firm details remain confidential. Broad informal comfort should be avoided. (4) Exposure limits: maintain caps on customer numbers, transaction values and test duration, with enhanced notice or opt-in where retail customers are exposed. (5) Redress: require complaint handling, compensation routes and, where appropriate, insurance coverage.

7.3. Evidence and Documentation Deliverables

(6) AI documentation pack: for AI-based tests, require a minimum documentation set covering purpose, scope, training-data provenance, model description, performance metrics, bias/fairness testing, security controls, human oversight and monitoring. (7) Impact assessment: where high-stakes decisions occur, such as credit, identity or fraud, require DPIA-like and fundamental-rights-oriented assessments adapted to sandbox conditions [14,31].

7.4. Supervisory Accountability

(8) Decision log: regulators should maintain a written rationale for admission, conditions imposed, material supervisory interventions and early termination. (9) Publication discipline: regulators should publish at least anonymised lessons and recurring patterns, while avoiding language that could be read as certification or endorsement [6,43].

7.5. Exit and Post-Sandbox Obligations

(10) Exit plan: require a plan for transition to full authorisation, decommissioning or controlled continuation. The plan should specify post-sandbox compliance duties, continuity of redress and the evidentiary status of the sandbox documentation generated during the test. For small firms, regulators should provide standard templates for role maps, model cards and exit plans to reduce compliance costs while preserving accountability.

8. Conclusions

AI-related financial regulatory sandboxes can accelerate regulatory learning and reduce uncertainty, but they also reshape accountability and liability in ways that are not always visible to users or the broader public. This comparative doctrinal analysis shows that sandboxes generally do not erase liability. Instead, they reconfigure the ex ante accountability environment through documentation, disclosure, monitoring, human oversight and exit planning. The EU AI Act sandbox model adds a horizontal AI-governance layer, while the UK and Singapore illustrate mature financial sandbox approaches. Norway and Hungary demonstrate divergent European models: public guidance and deliberative learning on one side, formal central-bank relief and supervisory control on the other.
The practical implication is that sandboxes should be engineered as accountability infrastructures, not merely as innovation infrastructures. Future research should examine how cohort documentation, post-sandbox outcomes, consumer complaints, enforcement actions and litigation records reveal whether accountability duties created during testing actually improve redress and regulatory learning after the test has ended.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No personal, confidential or non-public empirical data were collected. The analysis is based on publicly available legal texts, regulatory guidance, sandbox framework documents, official reports and peer-reviewed literature. The structured analytical mapping used for the comparative analysis is reported in the manuscript and may be made available by the author upon reasonable request.

Acknowledgments

The author thanks the anonymous reviewers for their constructive comments. Any remaining errors are the author’s own.

Conflicts of Interest

The author declares no conflicts of interest.

References

  1. Zetzsche, D.A.; Arner, D.W.; Buckley, R.P. The Future of Fintech: The Regulatory Sandbox. Eur. Bus. Organ. Law Rev. 2020, 21, 1–24.
  2. Ahern, D. Regulatory Lag, Regulatory Friction and Regulatory Transition as FinTech Disenablers: Calibrating an EU Response to the Regulatory Sandbox Phenomenon. Eur. Bus. Organ. Law Rev. 2021, 22, 395–432.
  3. Ringe, W.-G.; Ruof, C. Regulating Fintech in the EU: The Case for a Guided Sandbox. Eur. J. Risk Regul. 2020, 11, 604–629.
  4. de Carvalho, P.S. Retaining Influence in Post-Brexit International Financial Regulation: Lessons from the UK’s FinTech Framework. J. Financ. Regul. 2022, 8, 104–131.
  5. Kálmán, J. The Role of Regulatory Sandboxes in FinTech Innovation: A Comparative Case Study of the UK, Singapore, and Hungary. FinTech 2025, 4, 26.
  6. Johnson, W.G. Caught in QuickSand? Compliance and Legitimacy Challenges in ‘Regulatory Sandboxes’ and ‘Regulatory Pioneers’. Regul. Gov. 2023, 17, 709–725.
  7. Wang, Y.; Zhou, Z. Effectiveness of Regulatory Sandboxes in Financial Services: A Systematic Review. Regul. Gov. 2026.
  8. Raudla, R.; Douglas, S.; Tenorio, L. To Sandbox or Not to Sandbox? A Global Analysis of Regulatory Sandboxes. Regul. Gov. 2025, 19, 917–932.
  9. Goo, J.J.; Heo, J.-Y. The Impact of the Regulatory Sandbox on the FinTech Industry, with a Discussion on the Relation between Regulatory Sandboxes and Open Innovation. J. Open Innov. Technol. Mark. Complex. 2020, 6, 43.
  10. Parenti, R. Regulatory Sandboxes and Innovation Hubs for FinTech, European Parliament, Brussels, 2020. Available online: https://www.europarl.europa.eu/RegData/etudes/STUD/2020/652752/IPOL_STU(2020)652752_EN.pdf (accessed on 7 April 2026).
  11. Brown, E.; Piroska, D. Governing Fintech and Fintech as Governance: The Regulatory Sandbox, Riskwashing, and Disruptive Social Classification. New Political Econ. 2022, 27, 19–32.
  12. Cornelli, G.; Doerr, S.; Gambacorta, L.; Merrouche, O. Regulatory Sandboxes and Fintech Funding: Evidence from the UK. BIS Working Papers No 901, 2023. Available online: https://www.bis.org/publ/work901.pdf (accessed on 10 March 2026).
  13. Sabel, C.F.; Zeitlin, J. Learning from Difference: The New Architecture of Experimentalist Governance in the EU. Eur. Law J. 2008, 14, 271–327.
  14. Buckley, R.P.; Arner, D.W.; Zetzsche, D.A.; Weber, R.H. The Road to RegTech: The (Astonishing) Example of the European Union. J. Bank. Regul. 2020, 21, 26–36.
  15. McNulty, D. Data Access Technologies and the ‘New Governance’ of Financial Regulation. J. Financ. Regul. 2023, 9, 225–254.
  16. McCarthy, J. The Regulation of RegTech and SupTech in Finance. J. Financ. Regul. Compliance 2023, 31, 186–205.
  17. Bagherifam, N.; Naghdi, S.; Ahmadian, V.; Fazlzadeh, A.; Shishehgarkhaneh, M.B. Digital Regulatory Governance: The Role of RegTech and SupTech in Transforming Financial Oversight and Administrative Capacity. Int. J. Financ. Stud. 2025, 13, 217.
  18. von Solms, J. Integrating Regulatory Technology (RegTech) into the Digital Transformation of a Bank Treasury. J. Bank. Regul. 2020, 22, 152–168.
  19. Vives, X. Digital Disruption in Banking. Annu. Rev. Financ. Econ. 2019, 11, 243–272.
  20. Haddad, C.; Hornuf, L. The Emergence of the Global Fintech Market: Economic and Technological Determinants. Small Bus. Econ. 2019, 53, 81–105.
  21. Alaassar, A.; Mention, A.-L.; Aas, T.H. Exploring How Social Interactions Influence Regulators and Innovators: The Case of Regulatory Sandboxes. Technol. Forecast. Soc. Change 2020, 160, 120257.
  22. Butler, T.; Gozman, D.; Lyytinen, K. The Regulation of and Through Information Technology: Towards a Conceptual Ontology for IS Research. J. Inf. Technol. 2023, 38, 151–188.
  23. Truby, J.; Brown, R.D.; Ibrahim, I.; Caudevilla Parellada, I. A Sandbox Approach to Regulating High-Risk Artificial Intelligence Applications. Eur. J. Risk Regul. 2022, 13, 270–294.
  24. Buocz, T.; Pfotenhauer, S.M.; Eisenberger, A. Regulatory Sandboxes in the AI Act: Reconciling Innovation and Safety. Law Innov. Technol. 2023, 15, 357–389.
  25. Lanamäki, A.; Väyrynen, K.; Vainionpää, F.; Hietala, H.; Tervo, E.; Moltzau, A.; Weerts, S. What to Expect from the Upcoming EU AI Act Sandboxes? Panel Report. Digit. Soc. 2025, 4, 42.
  26. Undheim, T. Regulatory Sandboxes as a Policy Tool for Moral Imagination: An Example from Norway. AI Ethics 2023, 3, 997–1002.
  27. Paul, L.A. From Watchdogs to Partners in Tech Innovation: How Data Protection Authorities Use Regulatory Sandboxes. In Cambridge Forum on AI: Law and Governance; Cambridge University Press: Cambridge, UK, 2025.
  28. Genicot, G.; Moraes, C. Exploring the Boundaries of AI Regulatory Sandboxes under the AI Act. In Cambridge Forum on AI: Law and Governance; Cambridge University Press: Cambridge, UK, 2025.
  29. Bovens, M. Analysing and Assessing Accountability: A Conceptual Framework. Eur. Law J. 2007, 13, 447–468.
  30. Bovens, M.; Schillemans, T.; Hart, P. Does Public Accountability Work? An Assessment Tool. Public Adm. 2008, 86, 225–242.
  31. Diakopoulos, N. Accountability in Algorithmic Decision Making. Commun. ACM 2016, 59, 56–62.
  32. Mittelstadt, B.D.; Allo, P.; Taddeo, M.; Wachter, S.; Floridi, L. The Ethics of Algorithms: Mapping the Debate. Big Data Soc. 2016, 3, 2053951716679679.
  33. Tsamados, A.; Aggarwal, N.; Cowls, J.; Morley, J.; Roberts, H.; Taddeo, M.; Floridi, L. The Ethics of Algorithms: Key Problems and Solutions. AI Soc. 2022, 37, 215–230.
  34. Wachter, S.; Mittelstadt, B.; Floridi, L. Why a Right to Explanation of Automated Decision-Making Does Not Exist in the GDPR. Int. Data Priv. Law 2017, 7, 76–99.
  35. Buiten, M.; de Streel, A.; Peitz, M. The Law and Economics of AI Liability. Comput. Law Secur. Rev. 2023, 48, 105794.
  36. Hacker, P. The European AI Liability Directives—Critique of a Half-Hearted Approach and Lessons for the Future. Comput. Law Secur. Rev. 2023, 51, 105871.
  37. De Bruyne, J.; Dheu, O.; Ducuing, C. The European Commission’s Approach to Extra-Contractual Liability and AI: An Evaluation of the AI Liability Directive and the Revised Product Liability Directive. Comput. Law Secur. Rev. 2023, 51, 105894.
  38. Montagnani, M.L.; Najjar, M.-C.; Davola, A. The EU Regulatory approach(es) to AI liability, and its Application to the financial services market. Comput. Law Secur. Rev. 2024, 534, 105984.
  39. Rosati, E. Infringing AI: Liability for AI-Generated Outputs under International, EU, and UK Copyright Law. Eur. J. Risk Regul. 2024, 16, 603–627.
  40. Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, 13 June 2024.
  41. Directive (EU) 2024/2853 of the European Parliament and of the Council of 23 October 2024 on liability for defective products and repealing Council Directive 85/374/EEC. Official Journal of the European Union, 23 October 2024.
  42. European Parliament. AI Liability Directive. Legislative Train Schedule. Available online: https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-ai-liability-directive (accessed on 29 March 2026).
  43. Agenda Kaupang. Evaluation of the Norwegian Data Protection Authority’s Regulatory Sandbox for Artificial Intelligence (English Version); Report for the Norwegian Data Protection Authority; Agenda Kaupang: Oslo, Norway, 2023.
  44. Magyar Nemzeti Bank. Press Release: The MNB Promotes the Innovations of the Financial Sector by a Regulatory Sandbox Among the First Countries in the Region. 19 December 2018. Available online: https://www.mnb.hu/en/pressroom/press-releases/press-releases-2018/the-mnb-promotes-the-innovations-of-the-financial-sector-by-a-regulatory-sandbox-among-the-first-countries-in-the-region (accessed on 5 March 2026).
  45. Magyar Nemzeti Bank. Innovation Hub: Regulatory Sandbox. Available online: https://www.mnb.hu/innovation-hub/ (accessed on 5 March 2026).
  46. Magyar Nemzeti Bank. MNB FinTech Strategy (English); Magyar Nemzeti Bank: Budapest, Hungary, 2019.
  47. Monetary Authority of Singapore. FinTech Regulatory Sandbox Guidelines/Framework (Initially Launched 2016; Updated Versions). Available online: https://www.mas.gov.sg/development/fintech/sandbox (accessed on 5 April 2026).
  48. UK Financial Conduct Authority. Regulatory Sandbox—Cohort Reports and Guidance (Since 2016). Available online: https://www.fca.org.uk/firms/innovation/regulatory-sandbox (accessed on 5 April 2026).
  49. Lee, D.K.C.; Guan, C.; Yu, Y.; Ding, Q. A Comprehensive Review of Generative AI in Finance. FinTech 2024, 3, 460–478.
  50. Manta, O.; Vasile, V.; Rusu, E. Banking Transformation Through FinTech and the Integration of Artificial Intelligence in Payments. FinTech 2025, 4, 13.
  51. Vasile, V.; Manta, O. FinTech and AI as Opportunities for a Sustainable Economy. FinTech 2025, 4, 10.
  52. Mkrtchyan, G.; Treiblmaier, H. Business Implications and Theoretical Integration of the Markets in Crypto-Assets (MiCA) Regulation. FinTech 2025, 4, 11.
  53. Ante, L.; Fiedler, I.; Willruth, J.M.; Steinmetz, F. A Systematic Literature Review of Empirical Research on Stablecoins. FinTech 2023, 2, 34–47.
  54. European Commission. AI Act—Application Timeline and Entry into Force Information. Shaping Europe’s Digital Future. Available online: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai (accessed on 29 March 2026).
  55. Vijayagopal, P.; Jain, B.; Ayinippully Viswanathan, S. Regulations and FinTech: A Comparative Study of the UK, the US and Singapore. J. Risk Financ. Manag. 2024, 17, 324.
  56. Moltzau, E. Norway’s AI Sandbox: A Model for Responsible AI Development. Harv. Data Sci. Rev. 2024.
  57. Rudin, C. Stop Explaining Black Box Machine Learning Models for High Stakes Decisions and Use Interpretable Models Instead. Nat. Mach. Intell. 2019, 1, 206–215.
  58. Arrieta, A.B.; Díaz-Rodríguez, N.; Del Ser, J.; Bennetot, A.; Tabik, S.; Barbado, A.; Garcia, S.; Gil-Lopez, S.; Molina, D.; Benjamins, R.; et al. Explainable Artificial Intelligence (XAI): Concepts, Taxonomies, Opportunities and Challenges toward Responsible AI. Inf. Fusion 2020, 58, 82–115.
  59. Guidotti, R.; Monreale, A.; Ruggieri, S.; Turini, F.; Giannotti, F.; Pedreschi, D. A Survey of Methods for Explaining Black Box Models. ACM Comput. Surv. 2018, 51, 1–42.
  60. Norwegian Data Protection Authority. Finterai: Machine Learning Without Data Sharing. Regulatory Sandbox Report. 2025. Available online: https://www.datatilsynet.no/en/regulations-and-tools/reports-on-specific-subjects/reports/finterai-machine-learning-without-data-sharing/ (accessed on 17 May 2026).
Figure 1. Accountability and liability hand-offs in an AI credit-scoring sandbox scenario.
Table 1. Analytical mapping scheme for accountability and liability in AI-related financial regulatory sandboxes.
Dimension | Operational Question | Typical Evidence in Sandbox Materials | Primary Accountability/Liability Relevance
A1—Entry transparency & gatekeeping | Who can enter the sandbox and on what criteria; are selection and rejection reasons traceable? | Eligibility criteria; application templates; published cohort summaries; decision rationales (where available) | Legitimacy and equal treatment; reduces arbitrariness and improves contestability
A2—Role clarity across the AI supply chain | Are responsibilities allocated across participant, vendor, cloud/outsourcing, data providers? | RACI matrices; outsourcing/third-party disclosure; contractual assurance requirements; governance maps | Prevents ‘accountability dilution’; supports later attribution of control/fault
A3—Documentation, audit trail & monitoring | What artefacts must be produced and retained; how is model drift monitored? | Model documentation packs; logging requirements; KPI dashboards; incident reporting templates | Enables answerability and strengthens evidentiary position in ex post claims
A4—User-facing safeguards & redress | How are users informed; how are complaints and compensation handled? | Disclosure scripts; opt-in forms; complaints workflow; insurance/compensation schemes; ombuds routes | Protects consumers; shapes contractual expectations; supports enforceability
A5—Supervisory governance & due process | How are supervisory decisions made, recorded, and reviewable? | Decision logs; escalation procedures; separation-of-functions policies; review mechanisms | Constrains regulator discretion; reduces procedural risk; supports administrative-law accountability
A6—Public learning and non-endorsement discipline | Does the sandbox generate generalisable learning without implying certification? | Anonymised lessons learned; published reports; communication policies; transparency statements | Addresses riskwashing and reputational endorsement effects
L1—Baseline civil liability posture | Is it clear that sandbox participation does not waive civil liability? | Explicit disclaimers; consumer information; contractual terms; regulator statements | Avoids ‘liability shield’ misconceptions; manages reliance
L2—Product/software liability interface | How might the innovation be characterised as a product/service; how are defects framed? | Technical descriptions; vendor role statements; update policies; quality controls | Connects to strict liability regimes and defect analysis
L3—Evidence, causation, and information asymmetry | Are logs and explanations available to support causation/fault claims? | Retention policies; explainability artefacts; audit rights; incident reports | Mitigates ‘black-box’ evidentiary gaps; affects burden of proof
L4—Public enforcement and private redress interface | How do supervisory remedies interact with consumer compensation or litigation? | Enforcement discretion notes; complaints and remediation rules; reporting obligations | Shapes incentives and deterrence; prevents governance gaps
L5—Potential state/public liability touchpoints | Could supervisory conduct become a relevant cause of harm, triggering public law accountability? | Facilitation vs. enforcement separation; advisory disclaimers; procedural safeguards | Clarifies boundaries of regulator involvement; supports legitimacy and risk management
Table 2. Typology of AI-related financial regulatory sandboxes and legally relevant risk features.
Type | Sandbox Focus | Typical Accountability Mechanisms | Typical Liability Implications | Illustrative Examples
AI-system testing | Testing AI systems against horizontal AI governance, data-protection or fundamental-rights constraints | Documentation deliverables; impact assessment; supervisory guidance; public learning reports | No displacement of baseline GDPR/tort/product liability; documentation affects evidentiary position | EU AI Act sandboxes; DPA AI sandboxes such as Norway
AI-embedded FinTech product | Testing financial products/services where AI is integral (credit, fraud, KYC/AML, robo-advice) | User disclosure; exposure limits; complaint handling; monitoring and incident reporting | Contractual, tort/product and regulatory liability remain; sandbox conditions shape standard of care | FCA, MAS and MNB financial sandboxes
AI-enabled supervision | Use of AI-enabled SupTech or analytics by regulators during sandbox testing | Governance of supervisory tools; decision logs; contestability of supervisory inferences | Potential administrative-law challenge if AI-supported supervisory analytics affect regulatory decisions | RegTech/SupTech governance models
Multi-authority AI-FinTech | Projects involving multiple authorities or cross-border testing | Joint protocols; inter-authority coordination; harmonised deliverables | Complex allocation across firm, vendor, regulator and redress forum; accountability gaps if coordination fails | Cross-border pilots and AI-FinTech test environments
Table 3. Operational analytical mapping of accountability and liability dimensions across jurisdictions.
Dimension | EU | UK | Singapore | Norway | Hungary
A1 Entry transparency | E | E | E | E | I
A2 Role clarity across AI supply chain | E/I | I | I | I | I
A3 Documentation and monitoring | E | I | E/I | E | I
A4 User safeguards and redress | E | E | E | I | E
A5 Supervisory governance | I | I | E | E | I
A6 Public learning/non-endorsement | I | I | U/I | E | U/I
L1 Baseline civil liability preserved | E/I | I | I | E/I | I
L2 Product/software liability interface | E | I | I | I | E
L3 Evidence and causation support | E/I | I | I | I | I
L4 Public/private enforcement interface | I | I | I | I | I
L5 Public law/state-liability touchpoints | I | U/I | U/I | I | I
Table 4. AI-related harm scenarios and tripartite liability framing in sandbox testing.
Scenario | Accountability Deliverables in Sandbox | Tripartite Liability Analysis and Sandbox-Specific Effect
AI credit scoring/underwriting | Data lineage; feature governance; bias testing; human review; adverse-action explanation; drift monitoring | Contractual: wrongful denial or breach of service terms if promised safeguards are not delivered. Tort/product: negligent model design, discriminatory output or defective AI-enabled software; documentation may prove or rebut causation. Regulatory/public law: consumer, anti-discrimination and data-protection enforcement; sandbox records affect standard-of-care analysis.
Fraud detection/transaction monitoring | Threshold governance; false-positive review; incident reporting; escalation workflow | Contractual: blocked or delayed transactions may trigger service claims. Tort/product: negligent controls where foreseeable harm follows from false positives or false negatives. Regulatory/public law: market-conduct, AML and consumer enforcement; monitoring logs show whether safeguards were proportionate.
AI-enabled KYC/identity verification | Representative testing data; manual fallback; DPIA-style assessment; vendor assurance | Contractual: wrongful refusal or onboarding failure may breach customer-facing terms. Tort/product: exclusion, discriminatory impact or privacy harm may support tort/product or data-protection claims. Regulatory/public law: data-protection and financial-crime supervision; sandbox conditions shape reasonable fallback expectations.
LLM/generative AI in advice or communication | Human-in-the-loop controls; prompt/output logs; guardrails; clear user disclosure | Contractual: misleading advice/support may breach service obligations. Tort/product: hallucinated or unsuitable recommendations may support negligence or defect arguments. Regulatory/public law: consumer-protection and conduct enforcement; logs are critical for attribution and causation.
AI-enabled SupTech monitoring | Decision logs; contestability; separation between facilitation and enforcement | Contractual: usually indirect unless supervisory outputs affect firm-user obligations. Tort/product: only exceptional and fact-dependent. Regulatory/public law: administrative-law review, due-process claims and possible state-liability arguments where AI-supported supervisory inferences materially affect regulatory decisions.