Payment Law Advisor Legal Commentary and Resources for the Payment Industry

Arizona Attorney General Launches Regulatory Sandbox Program for Fintech Companies

Posted in Deals and Technology, Regulatory and Compliance

The financial technology company seeking to launch an innovative financial product or financial service—and in need of a group of consumers to test whether the idea even works—might consider working in Arizona’s FinTech Sandbox.

The Arizona Attorney General, Mark Brnovich, has established the state’s Regulatory Sandbox Program (“Sandbox”), and the state’s AG Office is prepared to accept applications from individuals or entities seeking to test an “innovative” financial product or financial service with consumers residing in the state.

What’s the main benefit of Arizona’s Sandbox?

  • Operating without a license: A fintech company would be allowed to provide the new financial product or service in the state—generally during a two-year period—without being subject to the state’s relevant licensure requirement.

What are the main limitations on testing the innovative financial product or service?

  • Must fit within one of three regulated areas: (1) banking (including transmitting money); (2) the business of a sales finance company; or (3) investment advisory services (including regulated financial planning).
  • Oversight by the Arizona AG: Even though the Arizona regulatory sandbox law affords targeted relief from potential enforcement action or other liability arising from a violation of the substantive requirements that apply to the product or service, a fintech company would not receive not immunity, and the AG will monitor the fintech company while working in the Sandbox.
  • Exit strategy is a must have: Generally speaking, while in the Sandbox Generally speaking, while in the Sandbox a fintech company must limit delivery to fewer than 10,000 consumers in Arizona. If the testing fails, the fintech company must be prepared to address potential risks of harm to affected consumers. Alternatively, if successful in the Sandbox after the two-year period, the company must continue through the standard process of obtaining a license to achieve scale. Either way, the fintech company may not simply stay in the Sandbox.

Key Elements of Arizona Attorney General’s Regulatory Sandbox Program

As we previously reported in our survey of approaches for fintech sandboxes, Arizona became the first state in the United States to enact a law that authorizes a fintech regulatory sandbox. In general, a fintech regulatory sandbox is designed to speed the development or testing of innovative financial technology solutions, while still providing baseline standards or requirements to protect consumers who are using the innovative financial products or services.
Arizona’s Sandbox follows a typical framework: certain licensing requirements are suspended temporarily so that a fintech company can evaluate, in a live environment, whether the innovative financial product or service actually works or could work on a larger scale.

A fintech company seeking to work in the Sandboxes must submit an application, using the Arizona FinTech Sandbox Application form, and pay the $500 application fee. Each innovative financial product or financial service to be tested in the Sandbox requires a separate application.

Assessing whether to submit an application to the Sandbox involves various considerations, particularly in light of the stage of development of the product or service or level of supervision (if any) already in place for the fintech company. Here are three core elements of the program the Arizona AG recently has established.

I. Innovation: The Product or Service Must Be Novel to the AG

The specific financial product or service must contain an “innovation,” which is defined in the regulatory sandbox law as follows:

[T]he use or incorporation of new or emerging technology or the reimagination of uses for existing technology to address a problem, provide a benefit or otherwise offer a product, service, business model or delivery mechanism that is not known by the Attorney General to have a comparable widespread offering in this state.

Ariz. Rev. Stat. Ann. § 41-5601(4).  Under the law and in the application process, the Arizona AG is the arbiter of whether a fintech-company’s financial product or service involves the use of, say, a “new” or “emerging” technology, and must be persuaded that there is no “comparable widespread offering” in Arizona.  However, at this time, the AG is offering scant guidance about how each of those statutory factors could be interpreted when processing an application.  In the FAQs accompanying the AG’s prescribed application form (“What kinds of products or services can be admitted into the Sandbox?), the AG states that certain classes of products “would” or “might” be eligible, but there does not appear to be any guidance addressing the newness of a product or service, or the degree to which it must not be “widespread” in the state.

II. Objectives and Milestones: Testing Requires a Rationale

Innovation is not sufficient for the “Testing” (defined to mean the provision of the specific financial product or service in the Sandbox).  The fintech company also must demonstrate to the satisfaction of the Arizona AG that the specific financial product or service will satisfy other criteria, consistent with certain provisions of the regulatory sandbox law.

The Arizona AG has exercised the discretion allowed in the regulatory sandbox law to relieve a fintech company from explaining, ex ante, how the innovation would benefit consumers.  See § 41-5603(F).  Still, the application form states that the fintech company must submit a detailed plan that, among other issues, addresses:

  • Objectives of working in the Sandbox;
  • Factors for assessing whether the Test is successful or unsuccessful; and
  • Why the fintech company is “not able to proceed with the Test outside the Sandbox” (emphasis added).

In the FAQs (“By what criteria does the Attorney General evaluate applications?”), the AG states that an application will be evaluated “holistically to determine the applicant’s ability to conduct a test that does not place undue risk on consumers.”  However, the last required element of the Testing plan could be vexing because the standard —“not able to proceed”— suggests that the fintech company lacks the capacity to otherwise qualify for a license to engage in the activity relevant to the innovative product or service.  Could a fintech company reasonably submit an application to work in the Sandbox while admitting that its provision of the innovative financial product or service possibly could violate Arizona law regulating banking, sales financing, or investment advisory services?

Since the process for administering the Sandbox is recently underway, some of these thorny questions for fintech-company applicants have not been addressed.  A fintech company should consider both its near-term objectives and long-range plans when preparing its submission to the Arizona AG; at a minimum, for example, the AG is authorized to tailor substantive requirements to the provision of financial product or service while in the Sandbox.  See § 41-5605(G).  Also, as noted above, the fintech company must prepare in advance to be able to reduce the potential risks of harm to affected consumers in the event the testing fails.  See § 41-5609(B).

III. Recordkeeping

The regulatory sandbox law involves the creation or maintenance of certain records, notably when the innovative financial product or service involves investment advisory services.  See, e.g., § 41-5605(B)(6).  Apart from the statutory requirements, as part of the application process a fintech company must describe the records that will be maintained in the ordinary course of its business.  In the FAQs (“What type of recordkeeping and reporting will be required for a Sandbox participant testing products or services?), the AG explains that the records to be kept include “advertising materials, accounting workbooks, drafts of model contracts and forms, signed contracts and forms, communications between the business and consumers, data in its native format, and any metadata.”

From the perspective of designing a framework that relieves regulatory requirements in order to spur innovation and explore ways to more effectively serve consumers, the explicit requirements for records and data might appear to be anomalous.

However, designing systems to collect relevant data and keep appropriate records could serve near-term objectives, as well as possibly longer term goals.  First, during the two-year period of working in the Sandbox, the fintech company’s books and records can be expected to be the object of examination by the AG.  In this regard, the fintech company should expect the AG to monitor the company’s performance on key metrics of the company’s own stated plan (described in the application) for addressing key risks to consumers.  The AG also could examine the company to confirm that its operations fit within the thresholds prescribed by the regulatory sandbox law (e.g., stay below the caps for loans), disclosure requirements (see § 41-5606), and potential violations of Arizona’s Consumer Fraud Act.  Second, if the fintech company succeeds in providing its innovative product or service, when the company exits the Sandbox, the maintenance of books and records could prove useful in an application for the relevant license.

We and our colleagues at DWT will continue to be closely engaged with this area.