How Regulatory Sandbox Programs Can Promote Technological Innovation and Consumer Welfare

Insights from Federal and State Experience

Photo Credit: Getty

Around the world, leading financial centers seek to attract companies capable of developing innovative financial products and services. From blockchain-based payments to alternative credit scoring systems, technological innovation is critical to maintaining a globally competitive financial sector that benefits consumers, investors, and entrepreneurs. However, the financial services industry, especially in the United States, remains heavily regulated. Such cumbersome regulations can deter both established companies and startups from offering innovative financial products and services.[i] Governments can use various policy tools to address this challenge and promote innovation.

Among the options gaining popularity are “regulatory sandbox” programs, which allow companies to test innovative products and services under a modified and frequently lightened regulatory framework for a limited period. These programs allow companies to test new financial products and enable regulators to become more familiar with technological innovation and its impact on businesses. By allowing regulators to evaluate how different rules impact businesses, sandbox programs can provide crucial information to help regulators craft business- and innovation-friendly rules.

Major International and U.S. Sandbox Programs. In 2016, the United Kingdom’s Financial Conduct Authority (FCA) launched the world’s first regulatory sandbox program.[ii] Since then, more than 50 jurisdictions around the world have adopted similar programs, according to the World Bank.[iii] This policy brief draws from regulatory experiences in five jurisdictions—the United States, Australia, Canada, Hong Kong, and the United Kingdom—but focuses on sandbox programs in the United States.[iv]

In the United States, due to the dual state-federal and overlapping financial regulatory authority, federal agencies and state regulators can run separate sandbox programs. The Consumer Financial Protection Bureau (CFPB) runs the Compliance Assistance Sandbox  and the Trial Disclosure Sandbox, which are currently the only federal regulatory sandbox programs in the United States (Table 1). The CFPB can also grant no-action letters stating its intention not to pursue enforcement actions against a particular company if it adheres to specific rules and regulations.[v]

Although the Consumer Financial Protection Bureau’s sandbox and no-action letter programs are reportedly still in operation, their future remains uncertain because of the CFPB’s recent change in regulatory approach. In May 2022, the CFPB formed the Office of Competition and Innovation, replacing the Office of Innovation, which was in charge of the agency’s sandbox programs.[vi] In a press release published on May 24, 2022, the CFPB states:

After a review of these programs, the agency concludes that the initiatives proved to be ineffective and that some firms participating in these programs made public statements indicating that the Bureau had conferred benefits upon them that the Bureau expressly did not.[vii]

In June 2022, a CFPB representative clarified that it would not discontinue these two programs.[viii] Instead, the newly established office—which emphasizes competition as part of a new approach to financial innovation—will encourage companies to submit rulemaking petitions.[ix] Due to the Bureau’s current lack of interest in the no-action letter and sandbox programs, they are unlikely to play any significant role in promoting U.S. financial innovation—unless the CFPB changes course under a future administration or Congress establishes a new federal sandbox regime. 

The lack of an effective federal sandbox program has cleared the way for state governments to play a leading role in creating regulatory sandboxes. In August 2018, Arizona became the first U.S. state to pass legislation creating a financial technology (FinTech) sandbox program,[x] followed by Utah and Kentucky in March 2019.[xi] Although Utah initially created both insurance and FinTech sandboxes, it replaced them in May 2022 with an expanded General Regulatory Sandbox—which targets innovations in multiple industries, including financial services, advanced manufacturing, and life sciences and health care.[xii]

As of August 2022, at least 11 states have established regulatory sandboxes: Arizona, Florida, Hawaii, Kentucky, Nevada, North Carolina, South Dakota, Utah, Vermont, West Virginia, and Wyoming.[xiii]

Among these states, only Arizona, Hawaii, and West Virginia run FinTech sandboxes that have admitted at least one participant as of November 2021 (Table 2). The FinTech sandboxes in Arizona, Hawaii, and West Virginia—along with the CFPB’s Compliance Assistance Sandbox—have admitted 31 companies as of November 2021 (Table 2). The Utah Supreme Court’s legal services sandbox has admitted 31 companies as of September 2021.[xiv] By comparison, 223 companies have participated in the Hong Kong Monetary Authority sandbox, while 178 companies have participated in the two different sandbox programs run by the UK’s Financial Conduct Authority (Table 1). (Unless otherwise indicated, the status of sandbox programs, the number of sandbox participants, and other related data in Tables 1 and 2 reflect information up to date as of November 2021.)   

Considerations for Determining the Appropriate Regulator(s) and Regulatory Relief for Sandbox Programs

Choice of Regulator for Federal Sandbox Programs. In the United States, several scholars and policy makers have suggested the creation of an interagency regulatory body to operate a federal FinTech sandbox.[xv] Due to the division of financial regulatory authority between federal and state regulators, potential financial products and services offered through a regulatory sandbox can be subject to overlapping and dual state-federal jurisdiction.[xvi] For example, a hypothetical robo-advisor sandbox applicant could simultaneously fall under the jurisdiction of the Consumer Financial Protection Bureau and the Securities and Exchange Commission (SEC). If that company were to also offer banking products, it could become subject to regulation by the Federal Reserve, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency (OCC), and state banking regulators.[xvii]

Against this backdrop of overlapping state-federal financial jurisdiction, any future federal sandbox legislation will require Congress to create a legal framework that will allow the relevant regulator(s) to provide meaningful regulatory relief.

Regulatory Relief: Challenges for the CFPB’s No-Action Letter and Sandbox Programs. Most cumbersome financial regulations are imposed at the federal level, so a properly designed federal sandbox can be more effective than state-level ones. However, several challenges reduce the efficacy of the CFPB’s no-action letter and sandbox programs. Instead of discontinuing these programs, the CFPB and Congress can take several steps to enable these programs to play a more important role in improving financial innovation and consumer welfare.

First, although the CFPB can waive certain consumer financial protection regulations, it cannot waive other agencies’ rules.[xviii] This inability limits the effectiveness of the CFPB sandbox’s regulatory relief provisions compared to those of similar programs, such as, for example, those in Australia and the UK.

Second, the CFPB’s no-action letter cannot prevent other federal and state agencies from bringing enforcement actions against companies that receive such relief. On the contrary, participating in the CFPB’s sandbox and no-action letter programs can result in increased scrutiny from the Bureau and other federal regulators and thus introduce potential risks for companies.

Such regulatory uncertainties put the CFPB programs at a competitive disadvantage relative to their international counterparts—such as those run by the UK’s Financial Conduct Authority and Hong Kong’s Monetary Authority, which can more easily streamline regulations. Therefore, absent significant reforms to the U.S. financial regulatory system, the CFPB will likely find it difficult to operate a sandbox as effectively as its international counterparts.

However, several reforms can help improve the CFPB’s ability to run more effective sandbox programs within the current national regulatory framework. For example, the CFPB, working with other agencies, could create a mechanism to coordinate regulatory relief for sandbox participants. It could sign agreements with the SEC and the OCC not to bring enforcement actions against CFPB sandbox participants if they meet conditions pre-specified by those agencies. To that end, Congress could introduce legislation to create a mechanism for the CFPB to coordinate with other financial regulators.[xix]

Regulatory Relief: Challenges for State-Level Sandbox Programs. Like the CFPB’s sandbox and no-action letter programs, state-level sandboxes face several challenges arising from the complex U.S. financial regulatory architecture, for two reasons.

First, most financial regulation is federal, so state regulators’ ability to provide meaningful relief through sandbox programs is limited.[xx]

Second, under the U.S. constitutional system, in which federal law is supreme, state regulators cannot nullify enforcement actions by federal agencies against companies that participate in state-level sandboxes. As a result, any no-action letter that state regulators issue during the sandbox test remains of limited value to potential participants.

However, state governments can take several steps to improve the attractiveness of their sandbox programs within the current national regulatory framework:

  1. Negotiate reciprocal agreements with the CFPB so that any firm accepted into a state-level FinTech sandbox is automatically accepted into the Bureau’s sandbox or no-action letter program. Under such an arrangement, the state regulator would remain the firm’s primary regulator, while the CFPB would serve as a secondary regulator. That way, the firm can benefit from the state regulator’s exemptive relief or authorization waiver while enjoying additional opportunities to test innovative products through the CFPB’s sandbox or no-action letter program.[xxi]
  2. Sign reciprocity agreements so that companies participating in a particular state-level sandbox program can more easily offer products and services through other state-level sandboxes.
  3. Work with the CFPB to create mechanisms to improve regulatory coordination and help sandbox participants better navigate the regulatory landscape. Such initiatives can also enable state regulators to exchange information with one another and craft better laws and regulations to promote FinTech innovation.
  4. Sign reciprocal international agreements with foreign regulators as allowed under existing U.S. state-level sandbox legislation and foreign relations laws.[xxii] Such reciprocal arrangements could allow American companies to offer new, innovative products in advanced economies with a well-developed financial sector, such as Germany, Switzerland, and the United Kingdom. Likewise, foreign companies could also use U.S. state sandbox programs to test innovative products and services to the benefit of American consumers and the U.S. economy.

Considerations for Designing More Effective Sandbox Programs

Eligibility and Evaluation Criteria. One of the most important decisions when designing a regulatory sandbox is to set its eligibility requirements and evaluation criteria. Regulators typically select product and firm-specific requirements that potential participants must meet to qualify for the sandbox. These can include whether:

  • The proposed product falls under the regulatory jurisdiction of the sandbox regulator;
  • The proposed business activity requires state licensure;
  • The business is located in the state; and
  • The business owners can demonstrate lack of a criminal record.[xxiii]

Sectoral and Product-Specific Restrictions. Sandbox programs typically introduce sectoral restrictions depending on the regulator’s jurisdictional authority. For example, to participate in the British Financial Conduct Authority’s sandbox, the applicant must be a registered financial services firm offering an innovative product or service within the FCA’s jurisdiction.[xxiv] Likewise, U.S. sandbox regulators restrict potential sandbox products and services to specific areas over which they exercise regulatory authority. For example, the Arizona sandbox is open only to companies offering financial products and services that require state licensure or authorization.[xxv]

Depending on policy objectives, regulators and lawmakers can introduce narrowly defined product-specific eligibility criteria to encourage innovation in specific areas. For example, Hawaii’s digital currency sandbox is designed to promote digital currency innovation and help policy makers determine whether the state should require a money transmitter license for digital currency transactions. Thus, it is open only to companies offering digital, crypto, and virtual currency products and services that would otherwise require a money transmitter license.[xxvi] Such tailored sandboxes can help federal agencies and state governments promote innovation in emerging areas of technology, such as smart contracts, augmented and virtual reality, and biometric payments and security systems. 

Physical Presence Requirement. Some sandbox programs require applicants to establish a physical presence in the state. However, state regulators should consider allowing greater flexibility to attract companies from out of state. For example, as stipulated in the Wyoming legislation establishing the state’s FinTech sandbox, applicants need to demonstrate “a physical presence, other than that of a registered office or agent” in Wyoming.[xxvii] Such requirements can act as a major barrier for potential out-of-state sandbox participants and deter them from applying. In contrast, sandbox programs that have attracted relatively large numbers of participants—like those in Arizona and Hawaii—tend to show greater flexibility in allowing non-resident firms to apply (Table 2).

Innovation Requirement. Many U.S. and international jurisdictions have introduced “innovation” as a criterion for sandbox applicants. However, rapid technological change and the asymmetry of information between FinTech entrepreneurs and regulators can make it challenging to evaluate which products and services are genuinely innovative.[xxviii] Due to such potential challenges, lawmakers and regulators should be cautious not to use an overly rigid definition of innovation for selecting sandbox participants.

A strictly defined innovation criterion can reduce consumer welfare and exacerbate regulatory privilege granted through a sandbox test. For example, a regulator could define innovation criteria in a way that disqualifies some products or services if another firm already offers comparable products or services—even if those products or services are only currently available through the sandbox.[xxix] Under such rules, a new applicant might offer a more affordable or superior version of a product, yet still not qualify because a current sandbox participant is already providing a similar product. By excluding competitors from the sandbox, the regulator risks entrenching regulatory privilege for the sandbox participant at the expense of its competitors, thereby reducing potential benefits to consumers.[xxx]

Size- and Sector-Specific Eligibility Restrictions. Lawmakers and regulators should allow eligible firms of different sizes from various sectors to apply to participate in a sandbox.[xxxi] With such liberal entry criteria, sandbox participants could include enterprises of all sizes, including both community and large banks,

 and both startups and larger tech companies.

Startups, banks, and companies from different sectors often have distinct business models and different innovative products they can offer through the sandbox. Furthermore, working closely with a wide range of firms can help regulators better understand how the same rules affect small businesses, startups, and large businesses differently. Such regulatory insights can be crucial for crafting regulatory frameworks that allow a wider range of companies to offer innovative products in the target industry.

Number of Participating Firms Allowed. Liberal entry criteria and flexible residency requirements can make regulatory sandbox programs more attractive to companies. In the United States, the CFPB and most state regulators do not impose caps on the total number of firms participating in their respective sandboxes.[xxxii] Most state-level sandbox programs have faced the opposite problem, as they have struggled to admit participants. For example, although the Nevada FinTech sandbox began accepting applications in January 2020, it had not admitted a single company as of November 2021.[xxxiii] Likewise, the insurance sandbox programs in Kentucky, South Dakota, Utah, Vermont, and West Virginia did not admit any participants as of November last year (Table 2).

Expanding the eligibility criteria to non-resident firms can help state-level sandbox programs attract potential applicants that might not have the resources or market incentives to relocate to a different state.

Regulators from different states could sign reciprocal agreements so that firms in one sandbox can more readily offer products through another program.

Moreover, as noted, U.S. state legislation typically gives sandbox regulators the authority to sign reciprocal agreements with other regulators, including foreign ones.[xxxiv] State regulators should consider using that authority to negotiate reciprocal arrangements with regulators in jurisdictions such as Australia, Canada, South Korea, and the United Kingdom.

Consumer Protection Provisions.Although regulatory sandboxes are a generally safe policy tool to promote innovation, regulators can take several steps to preempt and minimize potential risks to consumers:

  • Specify which actions would be grounds for removing a company from the sandbox and the consequences for such dismissal.
  • Require participating companies to make adequate disclosures to potential customers regarding product offerings, the terms of their participation in the sandbox, and potential consumer risks.
  • [xxxv]

While such safeguards may be necessary to protect consumers, overly restrictive operational restrictions are often counterproductive. For example, some state-level programs, such as Utah’s former FinTech sandbox and its successor General Regulatory Sandbox, require participating companies to serve only residents of the state.[xxxvi] Such restrictions offer no consumer protection benefit and might reduce the sandbox program’s attractiveness to businesses since they cannot use the sandbox to serve consumers beyond state boundaries.

Other restrictions, such as one-size-fits-all limits on the total value of monetary transactions, would likely be inappropriate for different types of financial products. Instead of mandating such statutory limits, lawmakers should allow regulators the discretion to set such limits on a case-by-case basis, depending on the offered product and its potential consumer risks. Even so, regulators should exercise caution before imposing any such limits.

Duration. Although regulatory sandbox programs are time-limited, the sandbox testing duration varies across jurisdictions. Due to the complex tradeoff between a short and long sandbox duration, state legislatures should not impose a statutory time limit. Instead, lawmakers should allow the appropriate regulator(s) and sandbox participants to decide on a mutually agreeable sandbox testing duration. 

For some financial products, a sandbox test lasting six months to a year might be long enough for businesses to gather enough market data and for regulators to evaluate industry conditions. Other products might need longer for the company to gather enough market data and for the regulator to understand how the existing regulatory framework affects the proposed innovation. A more extended period could also help the company refine its product and allow regulators to pare down excessive red tape. However, to reduce regulatory privilege accorded to a certain firm, regulators need to ensure that similarly situated competitors receive the same regulatory relief and sandbox testing duration.

Application Process. Most aspects of the sandbox application process tend to be generally straightforward. After receiving an application, most state sandbox legislation requires regulators to make a decision within 60 or 90 days unless regulators grant an extension. Sandbox programs typically also require an application fee. Application fees are a needed source of revenue for operating the sandbox program, but regulators need to exercise caution not to set the application fee so high that it deters smaller firms and startups from applying.

Sandbox regulators can choose between an open application period and a cohorts-based model, meaning that participating firms can only apply to the sandbox during specific times of the year. American regulators should continue to accept applications through an open process rather than institute a cohorts-based system.[xxxvii] A cohorts-based approach can allow regulators to tailor the sandbox toward specific themes and target innovation in particular areas. However, regulators can also design such thematic, targeted sandboxes without implementing a cohorts-based model.

An open application process can expand opportunities for firms to participate in the sandbox at any time of year, which can be especially important in rapidly changing industries. Furthermore, smaller, rural states—such as South Dakota, West Virginia, and Wyoming—have struggled to attract potential applicants (Table 2). If the lack of potential applicants results in empty cohorts, it could be particularly detrimental to the sandbox program’s reputation and long-term viability.

Conclusion. As emerging technologies upend existing business models, American lawmakers and regulators need to adopt a more flexible, innovation-friendly regulatory approach. Novel technologies pose distinct opportunities and challenges in different industries, so a codified and one-size-fits-all regulatory approach is unlikely to harness the benefits of technological innovation in various sectors. Instead, regulators need to work with the most innovative companies to understand and update regulations to reflect changing technological development and market realities.[xxxviii]

Ultimately, such a strategy will require a coordinated effort from Congress, federal agencies, and state governments. Regulatory sandbox programs can serve as a much-needed tool in a broader effort to craft market-friendly regulatory frameworks at the federal and state levels. As federal agencies and state governments launch new sandbox programs, the insights contained in this report can help American lawmakers design more effective sandboxes that will promote technological innovation and improve consumer welfare.

[i] For an overview of the U.S. financial regulatory system, see Marc Labonte, Who Regulates Whom? An Overview of the U.S. Financial Regulatory Framework (Congressional Research Service, 2020),

[ii] The United Kingdom Financial Conduct Authority (FCA), “Regulatory Sandbox,” May 10, 2015,

[iii] World Bank, Global Experiences from Regulatory Sandboxes (Washington, DC: World Bank Group, 2020), pp. 56–62,

[iv] Ibid., pp. 56–62.

[v] Bureau of Consumer Financial Protection, “Policy on No-Action Letters,” Docket No. CFPB-2018-0042, 12 CFR Chapter X, accessed May 17, 2022,

[vi] Consumer Financial Protection Bureau, “CFPB Launches New Effort to Promote Competition and Innovation in Consumer Finance,” Press Release, May 24, 2022,

[vii] Ibid.

[viii] Alan S. Kaplinsky, “CPFB states that it did not scrap no-action letter and compliance assistance sandbox programs in connection with its overhaul of its Office of Innovation and Operation Catalyst,” Consumer Finance Monitor, Ballard Spahr LLP, June 7, 2022,

[ix] Ibid.

[x] Aaron Stanley, “Arizona Becomes First U.S. State to Launch Regulatory Sandbox for Fintech,” Forbes, March 23, 2018, Anthony Kaye, “Utah’s New Regulatory Sandbox,” Consumer Finance Monitor, June 11, 2019,

[xi] The governor of Utah signed H.B. 378 on March 25, 2019, while the governor of Kentucky signed H.B. 386 on March 26, 2019. H.B. 378 – Regulatory Sandbox, 63rd Utah State Legislature, 2019 General Session, H.B. 386, Kentucky General Assembly, 2021 Regular Session, Akin Gump, “Kentucky Adopts First Legislation Creating an InsurTech Innovation ‘Sandbox,’” JD Supra, April 5, 2019,

[xii] Utah Governor’s Office of Economic Opportunity, “Targeted Industry,” accessed July 8, 2022, H.B. 243 – Regulatory Sandbox Program Amendments, 64th Utah State Legislature, 2022 General Session, Utah Code § 13-41 (Effective 5/14/2019, Repealed 5/4/2022),

[xiii] Libertas Institute, “Opportunity Sandboxes,” accessed October 12, 2021,

[xiv] Based on email correspondence with the Utah Supreme Court’s Office of Legal Services Innovation on September 24, 2021. For a less comprehensive but publicly available list, see: Utah Office of Legal Services Innovation, “Authorized Entities,” accessed October 12, 2021,

[xv] Hilary Allen, “Regulatory Sandboxes,” The George Washington Law Review, Vol. 87, No. 3 (May 2019), pp. 618–619, H.R. 6117 – Financial Services Innovation Act of 2016, 114th Congress, Second Session,

[xvi] Marc Labonte, Who Regulates Whom? An Overview of the U.S. Financial Regulatory Framework (Congressional Research Service, 2020),

[xvii] Allen, pp. 618–619.

[xviii] Bureau of Consumer Financial Protection, “Policy on the Compliance Assistance Sandbox,” Docket No. CFPB-2018-0042, 12 CFR Chapter X, accessed May 17, 2022,

[xix] Several experts and legal scholars, such as Hilary Allen of American University’s Washington College of Law, have made similar arguments. Allen, pp. 620–622.

[xx] Paul Watkins, Evan Daniels, and Stuart Slayton, “First in the Nation: Arizona’s Regulatory Sandbox,” Stanford Law and Policy Review, Vol. 29 (December 14, 2018),

[xxi] The author thanks former CFPB Office of Innovation Director Paul Watkins for this insight.

[xxii] For example, see H.B. 2434 – Financial Products: Regulatory Exemption Program, 53rd Arizona State Legislature, 2018 Second Regular Session,

[xxiii] Ibid. Hawaii Technology Development Corporation, “FAQs – HTDC,” accessed October 15, 2021,

[xxiv] UK Financial Conduct Authority, “Sandbox Eligibility Criteria,” accessed October 14, 2021,

[xxv] H.B. 2434 – Financial Products: Regulatory Exemption Program, 53rd Arizona State Legislature, 2018 Second Regular Session.

[xxvi] Hawaii Technology Development Corporation, “FAQs – HTDC.”

[xxvii] Wyo. Stat. § 40-29-103(c) (2022),

[xxviii] Allen, p. 626.

[xxix] For example, the statute for West Virginia’s insurance sandbox states that the commissioner must determine that the “application proposes an innovation that is not substantially similar to another innovation: (i) That has been previously beta tested; or (ii) Proposed in an application that is currently pending with the commissioner.”  WV Code § 33-60-3(c)(2)(E) (2022), Most other programs in the United States lack similar provisions. The definition of innovation in Florida’s FinTech sandbox law includes the clause “not known to have a comparable offering in this state outside the Financial Technology Sandbox.” [Emphasis added]. § 559.95(3)(h), Fla. Stat. (2022),

[xxx] Brian Knight and Trace Mitchell, The Sandbox Paradox: Balancing the Need to Facilitate Innovation with the Risk of Regulatory Privilege (Mercatus Center, 2020), pp. 22–24,

[xxxi] Allen, pp. 628–629.

[xxxii] The Nevada FinTech sandbox appears to be the only sandbox program that imposes a cap on the maximum number of sandbox companies at a given time. Nevada Department of Business & Industry, “Nevada Sandbox FAQs,” accessed October 23, 2021,

[xxxiii] According to a phone conversation with a representative from the Nevada Department of Business and Industry on September 14, 2021, only one application had been submitted but that application was denied because it was outside the agency’s regulatory purview.

[xxxiv] H.B. 2434 Financial Products: Regulatory Exemption Program, 53rd Arizona State Legislature, 2018 Second Regular Session,

[xxxv]  For example, see H.B. 378 – Regulatory Sandbox, 63rd Utah State Legislature, 2019 General Session. H.B. 386, Kentucky General Assembly, 2021 Regular Session. Hawaii Department of Commerce and Consumer Affairs, “Frequently Asked Questions about the Digital Currency Innovation Lab (DCIL),”, August 26, 2021,

[xxxvi] H.B. 378 – Regulatory Sandbox, 63rd Utah State Legislature, 2019 General Session. The program was repealed in May 2022 and replaced with the multi-sector General Regulatory Sandbox. Utah Code § 13-41 (Effective 5/14/2019, Repealed 5/4/2022),

H.B. 217 – Regulatory Sandbox Program Amendments, 64th Utah State Legislature, 2021 General Session.

[xxxvii] Among U.S. sandbox programs, only Hawaii appears to have implemented a cohorts-based model. Hawaii Department of Commerce and Consumer Affairs, “Frequently Asked Questions about the Digital Currency Innovation Lab (DCIL).”

[xxxviii] Knight and Mitchell, The Sandbox Paradox, pp. 9–10, 24. Allen, pp. 642–643.