The CFPB’s post-sandbox fintech approach

The first company to receive a no-action letter from the CFPB pulled out of the program after the agency declared it ineffective.


The mutual split between AI-driven lender Upstart and the Consumer Financial Protection Bureau offers a look inside the agency's fast-evolving approach to fintech.

The CFPB last week revoked a no-action letter granting limited regulatory immunity to Upstart, a publicly traded fintech company whose AI-driven underwriting in 2021 helped originate nearly $12 billion in loans through lending partners, according to the CFPB. CFPB Director Rohit Chopra had recently declared no-action letters and the agency’s related fintech sandbox program “ineffective.”

Upstart said it requested the letter’s termination in response to “changing priorities” at the agency, as well as the “need to keep our risk models accurate and up-to-date during a period of significant economic change,” Nat Hoopes, Upstart’s vice president and head of public policy and regulatory affairs, said in a company blog post.

Rigorous evaluation

The CFPB under the Trump administration planned to help bring new products to market by issuing no-action letters to certain businesses and by launching a regulatory sandbox within the agency’s innovation office. In May, Chopra, who was nominated to the agency by President Joe Biden, said the CFPB would reorganize that office and shift away from efforts that place “special regulatory treatment on individual companies.”

Upstart was granted the agency’s first-ever no-action letter in 2017 and had it extended for three years in 2020. The letter provided assurance that the CFPB would not pursue a fair-lending action against the company during that time.

Weeks before that announcement, Upstart had notified the CFPB that it planned to add new variables to its underwriting and pricing model—notice the company was required to give under the terms of the letter. The CFPB said it needed time to “rigorously evaluate” those changes. Part of the regulator’s concern was how the no-action letter could be seen by the public.

"In light of the risk that the [no-action letter] is misconstrued as an endorsement, the CFPB would need to perform more rigorous monitoring and assessment of Upstart’s model and any changes to the model," according to a notice of termination signed by Chopra.

Upstart "correctly identified" that this review would prevent the company from making quick business decisions, the notice added. On May 27, Upstart asked to have its no-action letter expiration moved up by 18 months, from Nov. 30, 2023 to the end of May.

The CFPB under its prior leadership had promoted the results of the sandbox program. In 2019, the agency’s blog re-published results from an Upstart-run analysis — which was required for the no-action letter — that found its lending model expanded access to credit when compared to traditional lending, though the CFPB made clear it had not replicated the results and does not promote the product.

The next sandbox

While the CFPB is still taking applications for the sandbox and no-action letter programs, it is encouraging companies to instead file formal rule-making petitions when seeking regulatory clarity. The CFPB's sandbox was not widely used — only four other companies received a no-action letter — but it was the most prominent effort on the federal level. There are 11 states with some form of regulatory sandboxes, a concept first tested in the U.K.

The recently proposed cryptocurrency regulation bill from Sens. Cynthia Lummis and Kirsten Gillibrand calls for a federal regulatory sandbox, which would allow crypto companies to test new products across state lines. Lummis hopes the sandbox will help innovation “flourish in its early stages.”

Proponents of sandboxes, including Republicans on the House Committee on Financial Services, say the CFPB's move will make it harder to bring new products to market. But consumer watchdog groups, which widely opposed the CFPB's sandbox when it was first proposed, say the agency is right to shift away from the effort.

"Regulatory processes already allow for all stakeholders to 'kick the tires' of new proposed rules to ensure they are fit for purpose," said Mark Hays, a senior policy analyst on fintech at Americans for Financial Reform.

Widespread state-level sandbox programs, such as the one proposed in the crypto bill, “could simply create a race to the bottom,” Hays added.

Fintech focus

Along with reorganizing the innovation office, Chopra’s CFPB has pushed to expand its oversight authority over non-bank institutions, including technology providers for the financial industry. The agency has announced probes of employer-driven debt and “buy now, pay later” companies while warning about the risks of bias from algorithms used by financial institutions.

"Tech, fintech and the use of data more generally are a clear priority of the bureau, based not only on the experience at the FTC that Rohit Chopra has, but it's very timely [with] the growth of fintech," Michael Gordon, an attorney with Ballard Spahr and former top CFPB official, said on a podcast analyzing Chopra's first six months in office. That interest will likely involve the agency bringing more enforcement actions, he added.

Upstart declined to comment about what the absence of a no-action letter means for its business, but the firm cited the loss of the letter among risk factors for investors in its most recent earnings report. The company said it will “continue to rigorously test” its loan applications for fairness and hopes to work closely with the CFPB’s new Office of Competition and Innovation.

“Effective cooperation between the government and financial technology innovators remains critical to improving financial access for the millions of borrowers left behind by America’s current credit system,” wrote Hoopes.

