Fintech Sandboxes – Update on State Approaches

by Davis Wright Tremaine LLP

Arizona’s Fintech Sandbox

Last month Arizona became the first U.S. state to enact a law allowing for the establishment of a fintech regulatory sandbox program (H.B. 2434) to facilitate the growth of innovative financial products and services. The Arizona law charges the Attorney General to “establish a regulatory sandbox program” which would, in general, require a person to file an application and register to be in the sandbox, but would relieve the person from the state’s licensing requirements. In this way, innovators in financial services will have the opportunity to offer their products with a minimum of regulation, subject to meeting the other requirements of the law. Other states could soon follow Arizona’s lead; similar legislation has been introduced in Illinois and elsewhere. Federal regulators have also considered various approaches to encourage financial innovation.

What is a Fintech Regulatory Sandbox?

Fintech regulatory sandboxes are designed to be alternative regulatory mechanisms to facilitate the development or testing of innovative financial technology solutions, while still affording adequate consumer protection. Typically, existing regulatory requirements are adjusted to provide companies the opportunity to offer and test new products and services in a live environment, for a trial period, without the usual licensing process.

Regulatory sandboxes specifically for fintech are trending worldwide, with the first sandbox being implemented in the United Kingdom in 2015. The concept has spread widely, including to Australia, Canada, Russia, Switzerland and a number of countries in Asia and the Middle East.

The details of each regulatory sandbox vary depending on local concerns and interests, but all allow fintech organizations to test innovative products in a live environment with minimal licensing and other legal requirements.

While consumer advocacy groups have expressed concerns that customers could be at risk under such schemes for predatory or failed fintech products, the concept has proved successful in many countries. Local governments look to such programs as a way to attract and support fintech innovators in order to develop their local fintech ecosystems.

Arizona’s New Fintech Sandbox

The Arizona “regulatory sandbox program” gives relief from state licensure to persons who offer “innovative financial products or services.” “Financial product or service” for this purpose means “a product or service that requires licensure under [laws governing banks and financial institutions (including, among others, money transmitters, consumer lenders, debt management companies, mortgage brokers and deferred presentment companies), sales finance companies, and investment advisers] or a product or service that includes a business model, delivery mechanism, or element that may otherwise require a license or other authorization to act as a financial institution or enterprise or other entity that is regulated by [laws governing banks and financial institutions (including, among others, money transmitters, consumer lenders, debt management companies, mortgage brokers and deferred presentment companies), sales finance companies, and investment advisers].” “Innovative financial product or service” simply means a “financial product or service that includes an innovation.”

The most pivotal definition in the law is thus the definition of “innovation”: “innovation” under the Arizona law means:

the use or incorporation of new or emerging technology or the reimagination of uses for existing technology to address a problem, provide a benefit or otherwise offer a product, service, business model or delivery mechanism that is not known by the Attorney General to have a comparable widespread offering in this state.

The interpretation of these terms by the Attorney General will be essential to understanding the scope of the available relief, and presumably the best evidence of their interpretation will be the types of applications granted. The challenge of keeping regulation abreast of innovation is encapsulated in the effort to craft a broad definition of “innovation” itself. For example, the definition includes “business models” as a qualifying type of “innovation.” If the “business model” provides an alternative means to finance a product or service that in itself is similar to existing products or services, how can an applicant make the required showing that their product or service is somehow “different from other products or services available in th[e] state” as required elsewhere in the Arizona law? The business model or “delivery mechanism” may enable products or services to be offered faster, cheaper, or more conveniently – but financial products and services generally share many common features. If the policy intent is to foster innovation, to the extent consistent with consumer protection, we would hope the Attorney General will take a broad view in granting applications.

Other key provisions of Arizona’s fintech sandbox program include the following:

  • The program will open for applications in late July 2018 and run until July 2028.
  • The program will be administered by the state’s Attorney General’s Office.
  • The program will be open to companies with products that would normally require licensing from Arizona’s Department of Financial Institutions, such as money transmitters, consumer lenders, debt management companies, mortgage brokers and deferred presentment companies.
  • Applicants must submit a plan to monitor and test their product, as well as to protect consumers. The test period is 2 years with the possibility for a 1 year extension.
  • Applicants must include information on the benefits and risks to consumers of using their product and how the innovation is different from other products or services available in this state.
  • The law limits the number of users of a product or service to 10,000 Arizona residents unless the company can show it has the capitalization and risk management capacity to handle up to 17,500 users.
  • Consumer loan transactions are limited to a maximum value of $15,000 for individual loans and a total of $50,000 in aggregate loans per consumer.
  • Money transmission products or services are limited to a maximum value of $500 per transaction and no more than $2,500 in aggregate transactions per consumer. These amounts can be increased to $15,000 per transaction and up to $50,000 in total if the company demonstrates adequate capitalization and risk management.
  • Participants must comply with all other Arizona laws, including consumer fraud and any other state laws applicable to financial products or services as determined by the Attorney General.
  • Participants must provide specific disclosures to consumers before providing their product.
  • Participants are not exempt from compliance with federal consumer financial services laws, but are “deemed to possess an appropriate license under the laws of this state for purposes of any provision of federal law requiring state licensure or authorization.” In other words, the provisions of 18 U.S.C. § 1960 making it a federal crime to operate without a required state money transmitter license are deemed satisfied, at least according to the terms of the Arizona law.
  • The law authorizes the Attorney General to enter into agreements with state, federal, or foreign regulators to allow entities authorized to operate in sandboxes in other jurisdictions to be recognized as sandbox participants in Arizona.

Concerns with Implementing Arizona’s Sandbox

Consumer protection groups have expressed concerns about Arizona’s regulatory sandbox, noting that the sandbox may be too lightly regulated which could lead to predatory lending practices. Sandboxes are intended to allow a quicker response to a rapidly-changing industry, but regulators should still be able to protect consumers from harmful practices. Other concerns focus on why the program is being administered by the Arizona Attorney General instead of the state’s financial services regulator, noting that when the Attorney General changes, implementation of the program could change. Advocates for the sandbox point out that it has been structured to address these issues.

Illinois’ Proposed Fintech Sandbox

The Illinois General Assembly is also currently considering a bill (H.B. 5139) that would create a fintech sandbox program. If passed, the Illinois law would go into effect on January 1, 2019.

The Illinois bill differs from the Arizona law in a few material respects:

  • The Illinois Secretary of Financial and Professional Regulation would administer the program, not the Attorney General.
  • Companies would have a 12-month test period subject to a maximum 6-month extension – 18 months shorter than the maximum Arizona test period.
  • No more than 5,000 Illinois consumers could use the innovative product, significantly fewer than the 17,500 users allowed in some cases under the Arizona law.
  • The Illinois bill does not impose transaction limits during the test period, unlike the Arizona law.

Although the Illinois Governor has endorsed the bill, the Illinois Attorney General has publicly criticized it, citing consumer protection concerns. The Illinois Secretary of Financial and Professional Regulation has indicated he believes these concerns may be overstated.

Similar to the Arizona law, the Illinois bill has also faced criticism from consumer protection groups who raise the same concerns as those raised in Arizona.

Fintech Regulation in the US – Federal vs. State

One question looming over the effectiveness of state sandboxes is whether federal action should be taken to protect participants authorized to operate in the state sandboxes, including limiting the ability of federal regulators to take action against those participants. A waiver from the federal government could help states implement sandboxes. For example, the Consumer Financial Protection Bureau could defer enforcement against a person that is authorized to operate in a state sandbox. The CFPB’s “no action letter” policy offers a means to seek individual relief from enforcement, but the requirements for such letters are so restrictive and the relief so limited that only a single letter has been issued to date. (You can find our prior post about the “no action letter” policy here.)

Fintech regulatory sandboxes are intended to reduce regulatory barriers and costs in order to encourage companies to test their products in the United States. Arizona views its approach as a model for other states to follow. Arizona’s legislation includes a “passporting” provision, something currently available under European Union law as between Member States, which would allow a participant in Arizona’s sandbox to operate in other jurisdictions with similar programs (and likewise allow a participant in another state’s sandbox to enter into Arizona’s regulatory sandbox program). Such an approach would only be effective, however, once a number of states have established regulatory sandboxes. In addition, critics of the state sandbox approach point out that different regulatory approaches to sandboxes in different states, and even differently focused goals of each state sandbox, could make it difficult for that type of inter-jurisdictional approach to sandboxes to work. Current regulatory inconsistencies between states may otherwise be exacerbated by sandboxes.

Other federal regulators such as the SEC and CFTC have been considering the concept of federal sandboxes but have been doing so very slowly. The OCC’s proposed fintech bank charter has also been stalled, although the OCC has recently indicated we should expect further information about the charter in the next few months. (You can find our ongoing analysis of the OCC’s proposed fintech bank charter here.) In other countries, unitary national financial regulators are the entities overseeing those countries’ sandboxes (the FCA in the UK and the MAS in Singapore). Advocates of fintech regulatory sandboxes hope Arizona’s program will spur federal regulators into action, especially since the growth of state sandboxes could further fragment financial services regulation in the United States.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.