O’Melveny Worldwide

Expanded CFPB Sandbox Promises Greater Protections for Fintech and Other Financial Services Companies

January 4, 2019

A little more than four months after the Consumer Financial Protection Bureau (CFPB) announced the appointment of a new assistant director to lead the Bureau’s newly branded Office of Innovation, the agency has taken further steps to expand its “sandbox” initiatives. On December 13, 2018, the CFPB released a proposed policy and procedural rules to establish a new “Policy on No-Action Letters and the BCFP Product Sandbox.” While these rules will not go into effect until sometime after the comment period ends in mid-February, they promise significant new benefits to those companies that apply and should cause Fintech companies in particular to look closely at the opportunity for regulatory protection and to discuss the relative benefits with their legal and strategic advisors.

First, the CFPB aims to breathe new life into the Bureau’s No-Action Letter (NAL) policy, which previously resulted in only a single no-action letter since the Bureau first announced Project Catalyst, its earlier innovation initiative, in 2012. The Bureau’s current NAL policy, which was issued in 2016, was considered unduly burdensome by many would-be applicants in that it required companies to provide 15 different categories of information, including detailed analyses of potential consumer risks and a showing of why the NAL was necessary to reduce regulatory risk and allow for development of the product. A particularly burdensome condition of the 2016 application process required companies to commit to open-ended sharing of data about their products with the Bureau.

Second, the CFPB proposes to create a “Product Sandbox,” which would provide avenues for specific safe harbor relief. Through an application process similar to that for a NAL, the Product Sandbox would offer an approved company certainty that particular products or services, if provided in compliance with specific terms and conditions, will not create the risk of civil liability.

Although both of these proposed expansions are welcome, they are also naturally limited to activities that involve consumer financial transactions subject to the Bureau’s jurisdiction such as, for example, mortgage, student, or auto lending and servicing, credit reporting, or debt collection.

Streamlined Application and Agency Decision for No-Action Letters

The CFPB’s proposed new policy rejects many of the requirements of the current NAL policy and explicitly aims to reduce the burden on applicants, speed up Bureau decision-making, and encourage wider participation in the NAL process. The Bureau proposes to streamline the application requirements to eliminate some of the more burdensome and exhaustive elements. For example, rather than requiring detailed discussions of comparative risks among similar products in the marketplace and statutory analyses of relevant consumer protections statutes, the Bureau’s new application focuses instead on requiring a description of the potential benefits of the proposed product for consumers along with the effectiveness of controls in place to mitigate risks. Accordingly, the investment of time and resources required to compile and submit a NAL application has been reduced.

Another key change in the proposed policy elevates the level at which the CFPB would issue a NAL. Whereas NALs under the current policy are to be issued at the staff level, under the new policy, they will be issued by “duly authorized officials of the Bureau to provide recipients greater assurance that the Bureau itself stands behind the no-action relief provided by the letters.”

The proposed policy also does away with the presumption established in the current policy that there would not be any unfair, deceptive, and abusive acts and practices (UDAAP)-focused NALs. Critics of the current policy complained that this limitation makes the NAL process a hollow one given that most of the Bureau’s enforcement actions involve UDAAP claims. By explicitly disclaiming any limitation on considering UDAAP-focused NALs, the CFPB will now significantly broaden the potential utility for a company in receiving one.

Importantly, the CFPB has also now recognized that a company’s ability to receive an expeditious decision on its NAL application is critical to its ability to maneuver within fast-paced emerging marketplaces. The new policy provides that the “Bureau intends to grant or deny an application within 60 days of notifying the applicant that the Bureau has deemed the application to be complete.”

Expanded “Product Sandbox”

In a new expansion of the sandbox concept, the CFPB proposes to create a “Product Sandbox,” intended to provide specific and reliable safe harbors for approved companies during an expected two-year time period. This change follows on the Bureau’s announcement in September that it was implementing substantial industry-friendly revisions to its Trial Disclosure Program1 similar to those found in the policy issued in December 2018. As with the earlier NAL process, the Trial Disclosure Program had not resulted in a single approved disclosure in its first five years of existence, but the Bureau is now aiming to revive these programs and expand its sandbox.

The Product Sandbox that the CFPB has announced with its new policy is noteworthy in that it goes further than the NAL or the Trial Disclosure Program in providing potential regulatory relief to sandbox participants and is arguably the first real regulatory “sandbox” on the federal level. Specifically, the Product Sandbox is a process by which a company can apply to the Bureau for specific approval of its planned product or service, or exemption from otherwise applicable statutory or regulatory requirements, resulting in a “safe harbor” for that activity assuming the company is in good faith compliance with the terms and conditions of the approval or exemption. This protection from liability is available in relation to the three consumer protection statutes with built-in safe harbors, specifically the Truth in Lending Act, 15 U.S.C. 1640(f), the Equal Credit Opportunity Act, 15 U.S.C. 1691e(e), and the Electronic Funds Transfer Act, 15 U.S.C. 1693m(d), and 15 U.S.C. 1691c–2(g)(2), as well as for statutes allowing the Bureau to make exceptions or exemptions, such as the Home Ownership and Equity Protection Act, 15 U.S.C. 1639(p)(2), and the Federal Deposit Insurance Act, 12 U.S.C. 1831t(d).

As with the new NAL policy, the Product Sandbox utilizes a streamlined application and decision-making process intended to result in decisions on applications within 60 days, as well as a process for requesting extensions of the sandbox protections beyond two years with appropriate justification.

Taking the Lead with Other Regulators

One of the proposed policy’s overarching goals is to provide for “coordination with existing or future programs offered by other regulators designed to facilitate innovation.” This statement of the Bureau’s intent to lead coordination on both the federal level and with the states is a notable commitment by a financial regulator, although there is, of course, no guarantee of the CFPB’s ability to achieve successful coordination. Nevertheless, NAL or Product Sandbox applicants may facilitate potential coordination by identifying in their applications the other regulators with which they have been communicating or from whom they have otherwise sought approval for their products and services. The CFPB expresses in this policy its intention and desire to coordinate with both state and federal regulators to the extent of being willing to enter into agreements with other regulators, potentially recognize sandbox protections that have already been extended to companies, and to coordinate regulatory relief in specific instances.

The Comment Process

Although the CFPB’s proposed new rules simplify the application process and incorporate improved timelines for decision-making on specific applications by the Bureau, Fintech and other financial services companies will need to weigh the utility of the potential protections, which are necessarily limited by the scope of the Bureau’s jurisdiction and its ability to influence other state and federal regulators, against the time and resources required to apply.

Additionally, companies that are engaged in developing or providing consumer financial products and services, particularly those utilizing emerging technologies, may find it worthwhile to review the proposed Policy on No-Action Letters and BCFP Product Sandbox, and consider whether they would like to submit comments on the substance or procedure of the proposed policy on or before the February 11, 2019, deadline.


1 Policy to Encourage Trial Disclosure Programs, 83 Fed. Reg. 45574, accessed here.


This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Steve Bunnell, an O’Melveny partner licensed to practice law in the District of Columbia, Laurel Loomis Rimon, an O’Melveny senior counsel licensed to practice law in California, Eric Sibbitt, an O’Melveny partner licensed to practice law in California and New York, Elizabeth L. McKeen, an O’Melveny partner licensed to practice law in California, and Danielle Oakley, an O’Melveny partner licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2019 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.