Engelman Berger Blogs

The Arizona legislature recently signed into law the nation’s first fintech regulatory sandbox, which started accepting applications on August 3, 2018. Participants in the sandbox will enjoy a reprieve from many of the licensing and regulatory burdens of companies in the financial sector, so the program offers a great incentive for financial technology (aka, “fintech”) companies to settle and operate in Arizona. This is the last of a five part series on how to apply and participate in the sandbox. If you are new to the series, go back and read the first four parts, which discuss the history of sandbox programs, the benefits of participation in the Arizona sandbox, eligibility requirements, and the application process. This part five will explain the rules you will be subject to once in the sandbox. The official website for the fintech sandbox was recently launched and can be viewed HERE, and the full text of the law can be viewed HERE.


Operating restrictions: Sandbox participants are only permitted to test their innovation for a period of 24 months, and only on 10,000 Arizona consumers. If the participant demonstrates “adequate financial capitalization, risk management process and management oversight,” then the AG’s office may agree to expand the size of the participant’s test market to 17,500 consumers. Consumer lenders are permitted to issue consumer loans up to $15,000 (except loans to a single consumer may not exceed $50,000), and money transmitters may engage in transactions up to $2,500 (aggregate of $25,000). Money transmitters that satisfy the capitalization and management requirements to increase the market size to 17,500 may also be eligible to increase their transaction limits to $15,000 (aggregate of $50,000).

Statutory Compliance: As was discussed at greater length in part two, the primary benefit of the sandbox is exemption from all state licensing and regulatory obligations except for the ones specifically identified by the sandbox program. I will not attempt to itemize the specific statutory requirements that continue to apply in the sandbox or their implications for each industry, but suffice to say, participants must take special care that they do not violate the rules they are still subject to. Critically, the sandbox does not exempt participants from federal statutes and regulations.

Document retention and reporting requirements: The recordkeeping requirements normally applicable to companies in the financial sector are replaced by the sandbox’s simpler requirement: participants must retain records, documents and data produced in the ordinary course of business. The sandbox does not currently have a period reporting requirement, but sandbox participants must be ready to disclose records, documents, and data to the AZ AG upon request at any time. The AZ AG will also have the authority to establish a periodic reporting requirement in the future as it sees fit. These records will be used by the AG’s office in connection with their oversight role, and will not be considered public records generally available to the public. However, the records may be disclosed to other state, federal, and even foreign authorities.

Consumer Protection: Sandbox participants will still be required to take certain steps to ensure that their products and services do not harm consumers. For example, if the innovation fails before the end of the testing period, participants are obligated to promptly notify the AG’s office and report on the steps it took to protect its consumers. If the participant becomes aware of a data breach compromising sensitive data, the participant is still subject to the requirements of A.R.S. § 18-545, which requires prompt notice to affected consumers.

Finally, before providing a product or service, participants will need to make a clear and conspicuous disclosure in English and Spanish, and for online transactions the consumer must acknowledge receipt. The disclosure must include five statements: (1) the name, registration number, and contact information for the participant, (2) that the participant does not have an Arizona license but is authorized under the sandbox program, (3) that the state of Arizona does not endorse the innovation, (4) that the product is in a test phase that may terminate upon a specified date, and (5) that consumers can contact the Arizona AG’s office to complain.

Don’t Be A Fraudster: All sandbox participants are still subject to the Arizona Consumer Fraud statute (A.R.S. § 44-1521 et seq.), which generally prohibits false, deceptive, or misleading statements in connection with an advertisement or sale. Violators are subject to civil penalties and may get booted from the program. Unsurprisingly, participants will also get booted from the program for violation of state or federal criminal laws.


Arizona’s fintech sandbox program is a tremendous opportunity for startups as well as established financial services companies that are developing new innovative products. Not only does it provide a safe and less costly way to test your innovation in the marketplace prior to a full launch, but it also puts you in a good position to immediately take advantage of any similar sandbox program launched by the CFPB in the coming years.

About the Author: Michael Rolland is a member of the civil litigation and commercial transactions practice groups with the law firm of Engelman Berger, P.C. Michael has a special interest in the intersection of technology and the law, and writes on tech law issues.


Disclaimer: This blog is not legal advice and is only for general, non-specific informational purposes. It is not intended to cover all the issues related to the topic discussed. If you have a legal matter, the specific facts that apply to you may require legal knowledge not addressed by this blog. If you need legal advice, consult with a lawyer.