Utah Governor Gary Herbert signed H.B. 378, Regulatory Sandbox, into law on March 25, 2019. This bill created the nation’s third regulatory sandbox program for fintechs, after Arizona, which enacted sandbox legislation in March 2018, and Wyoming, which enacted sandbox legislation in February of this year.
Regulatory sandboxes are laboratories for the development of innovative technologies in an environment that is free from onerous government restrictions. The sponsor of Utah’s legislation, Rep. Marc Roberts, highlighted “the opportunity Utah’s Regulatory Sandbox will give fintech companies and entrepeneurs to test innovative business models and ideas in the marketplace, on a limited basis, without having to jump through the traditional regulatory hoops and licensing requirements which can often times be burdensome, costly and create barriers to entry.”
Utah’s regulatory sandbox, which is effective as of May 13, is similar in many respects to Arizona’s sandbox, which began accepting applications in August 2018 and now has six participants. Utah’s sandbox allows participants to “temporarily test innovative financial products or services on a limited basis without otherwise being licensed or authorized to act under the laws of the state.” The program will be administered by the Utah Department of Commerce (the Department). Arizona’s program, in contrast, is administered by the Arizona Attorney General.
Similar to the Arizona sandbox law, eligible financial products and services under the Utah sandbox law include those that are “innovative” and either:
- Require state licensure or registration; or
- Involve a business model, delivery mechanism, or element that may require the applicant to be licensed or authorized to act as a financial institution or other entity regulated by the Utah Financial Institutions Act.
Both the Utah and Arizona laws similarly define “Innovative products” as products that use or incorporate new or emerging technology, or use existing technology in a new way to address a problem, provide a benefit, or provide a service not known to be in widespread use in the state. Notably, Utah’s definition expressly includes blockchain technology. While Arizona’s law does not specifically mention blockchain technology, the State’s AG has said “certain blockchain or cryptocurrencies products or services might also be eligible.”
Under the Utah law, applicants must have a physical location in Utah, and must develop and perform all testing of the innovative product or service from that location. Applicants must also agree to retain all records and data concerning the product or service at this location. The requirement of a physical Utah presence varies materially from the Arizona program, which permits participants to operate out of a “physical or virtual location that is adequately accessible to the Attorney General, from which testing will be developed and performed and where all required records, documents and data will be maintained.”
Aside from the physical location requirement, the application process and requirements of Utah’s sandbox are virtually identical to those of Arizona. Applicants must, among other things:
- Demonstrate they have the necessary personnel, financial, and technical expertise, have access to capital, and have developed a plan to test, monitor, and assess the innovative product or service;
- Describe the innovative product or service and its licensing requirements under existing regulations;
- Describe how consumers will benefit and how the product is different from already available products;
- Describe risks to consumers who purchase or use the product or service;
- Explain how participating in the sandbox would enable a successful test of the product or service;
- Detail a proposed testing plan, with timelines;
- Describe how the applicant will perform ongoing duties after the test, including obtaining necessary licenses; and
- Describe procedures for ending the test if the test is not successful.
Under Utah’s program, the Department has 90 days to approve or deny a completed application, but this time period may be extended by mutual agreement of the parties. The Department may deny an application for “any reason, at the [D]epartment’s discretion,” but must provide a written explanation of the basis for a denial. The Arizona AG may deny applications at its discretion as well, but a decision of the Arizona AG is not an appealable agency action. Utah’s legislation appears more favorable to applicants because it does not expressly forbid administrative appeals. Further, by requiring the Department to provide a written explanation of the reasons for a denial, unsuccessful Utah applicants should be able to challenge Department decisions that appear arbitrary or capricious.
The testing period under both the Utah and Arizona programs is two years. Utah provides for an extension of up to six months, and Arizona provides for an extension of up to one year. In Utah, the Department may specify, on a case-by-case basis, the number of consumers who test the product, as well as the maximum amount of any individual consumer loan or aggregate loans that may be issued to an individual consumer. The size of transactions involving money transmission are similarly regulated on a case-by-case basis.
By contrast, in Arizona, a sandbox participant may not transact business with more than 10,000 consumers, but may only be increased to 17,500 consumers upon a showing of adequate financial capitalization, risk management, and oversight. Consumer loans under the Arizona law may not exceed $15,000 per loan, with an aggregate limit of $50,000 per consumer. Arizona also restricts money transmission transactions to $2,500 with an aggregate limit of transactions per consumer capped at $25,000 (potentially increasable to $2,500 and $50,000 upon a showing of adequate financial capitalization, risk management, and oversight). Utah’s law does not have a limit on the value of the proposed transactions.
Like Arizona’s sandbox, an applicant’s admission into the Utah sandbox does not assure the applicant complete freedom from state regulation. In Arizona, the AG may subject participants to specified state regulations at its discretion. In contrast, in Utah, the Department must conduct a cost-benefit analysis. In other words, the Department may require a participant to comply with a specified regulation if it determines that an applicant’s plan does not adequately protect consumers from the harm addressed by the regulation, and the benefits to consumers of applying the law outweigh the potential benefits to consumers from increased competition, innovation, and access. The Department must notify a participant of any specific regulatory provisions with which the participant must comply.
With respect to usury, Utah’s sandbox legislation is silent because Utah does not impose an interest rate ceiling on consumer loans. Unconscionability is the only available challenge to the interest rate governed by Utah law, UCA § 70C-7-106, but participants are exempt from an unconscionability challenge unless the Department determines otherwise applying the cost-benefit analysis described above. By contrast, Arizona imposes various interest rate ceilings on consumer loans, ARS § 6-632, and despite the Arizona AG’s ability to waive compliance with licensing and other requirements, the AG may not exempt participants in Arizona’s sandbox from those ceilings.
Further, neither Utah nor Arizona may exempt participants from compliance with federal laws and regulations. However, both states’ laws provide that by participating in a sandbox, a participant is “deemed to possess an appropriate license under the laws of the state for the purposes of any provision of federal law requiring state licensure or authorization.” Further, both Utah and Arizona permit agreements with federal and state regulators that provide for reciprocity between sandboxes. In other words, Utah and Arizona could agree that participants in their sandboxes may operate in both states.
With respect to consumer disclosures, Utah’s law only differs from Arizona’s in that it requires disclosures just in English, not English and Spanish. Consumers must be notified, in general, that the innovative product or service in question is authorized by the sandbox and, if applicable, that the participant is not licensed or authorized under state law to provide the product or service. Consumers must also be notified, as applicable:
- That the product or service is undergoing testing and may not function as intended or involve financial risk;
- That the participant is not immune from civil liability or damages caused by the product or service;
- That the product or service is not endorsed by the state; and
- The expected end date of the testing period.
A participant’s disclosures must be clear and conspicuous, and if the product or service is internet- or application-based, the consumer must acknowledge receipt of the disclosures before a transaction may be completed.
Utah and Arizona each require a participant to maintain records, documents, and data produced in the ordinary course of business regarding the tested product or service. If the test fails, both states require that regulators be advised of steps taken by the participant to prevent harm to consumers as a consequence of the failure.
The states do differ in the level of confidentiality afforded business records shared with the government. Arizona’s law provides that records submitted by a participant or obtained by the AG pursuant to the statute “are not public records or open for inspection by the public.” The purpose of this restriction is to protect a participant’s trade secrets from disclosure pursuant to state freedom of information laws.
Utah’s sandbox statute does not contain a similar provision, so a player in the Utah sandbox will need to take extra precautions to protect its trade secrets. Under Utah’s freedom of information law, called the Government Records Access and Management Act, UCA § 63G-2-1 et seq. (GRAMA), the public ordinarily has access to documents provided by businesses to the government. An exception exists for trade secrets, UCA § 63G-2-305(1), but it must be affirmatively invoked, § 63G-2-309. A business that discloses trade secrets to a government entity must “provide with the record a written claim of business confidentiality and a concise statement of the reasons supporting the claim of business confidentiality.” The government may grant or deny a request to protect records, and its decision is subject to appeal.
There is every reason to believe that the Department will honor such requests – the sharing of trade secrets is implicit in the nature of a regulatory sandbox established to test innovative products and services. Utah is also home to a thriving technology sector with extensive government support. Nevertheless, an applicant must take care to comply with GRAMA requirements every time it discloses a trade secret to the Department unless the legislation is amended to make the process automatic.
Utah’s statute encourages the Department to establish a program that follows the “best practices” of similar state and federal sandbox programs, including that of the CFPB, and we will monitor these developments closely.