In December of 2018, the Senate confirmed Kathy Kraninger as the second Director of the Consumer Financial Protection Bureau (“CFPB”). The path Director Kraninger will chart is uncertain, but the CFPB has already begun initiating changes to which the financial services industry should pay attention. For instance, in mid-December 2018, the CFPB issued a proposed rule to modify its No-Action Letter Program (the “Program”) and to establish a regulatory “sandbox” (a formal process to temporarily exempt companies from certain statues and regulations so they can test new products with consumers). Below, we provide a brief history of the Program as well as a discussion of the key elements of the proposed rule.
THE CFPB’S NO-ACTION LETTER PROGRAM
In 2016, the CFPB established the Program to provide limited enforcement relief to financial institutions attempting to develop “consumer-friendly innovations” for “emerging products or services” where the regulatory implications to the product or service are uncertain . Through the Program, financial institutions submitted applications to the CFPB describing, among other things, their product; the product’s substantial potential benefit to consumers (that are not provided by pre-existing products), the potential consumer risks, and the need for a No-Action Letter (“Letter”) in light of substantial regulatory uncertainty. If the CFPB accepted the application, it would issue a Letter informing the applicant that it had no present intention to initiate an enforcement or supervisory action with respect to the specified products or services. A Letter did not, however, constitute a safe harbor for the recipient, or the CFPB’s interpretation or official policy regarding the statutes and regulations cited in the application. Moreover, the CFPB reserved the right to conduct supervisory activities, to investigate a recipient’s compliance with the terms of the Letter, and to modify or revoke the Letter at its discretion. In exchange for a Letter, the recipient agrees to provide the CFPB with data relevant to the activity described in the Letter, upon request.
The CFPB issued its first and, to-date, only Letter in September of 2017 to Upstart Network, Inc (“Upstart”). Upstart is a FinTech company that provides an online lending platform to connect credit-thin consumers to its bank partner. For credit-thin consumers, Upstart may use alternative date in addition to consumers’ traditional data to evaluate credit risk through an automated underwriting model, enabling its bank partner to more accurately price credit for these consumers. The company sought a Letter with respect to its potential liability under the Equal Credit Opportunity Act (“ECOA”) and Regulation B in light of its use of alternative data. As a condition of granting the Letter, the CFPB required Upstart to share its lending and compliance information to “mitigate risk to consumers and aid the Bureau’s understanding of the real-world impact of alternative data on lending decision-making.”  The Letter expires in three years, but Upstart may seek a renewal.
THE LIMITATIONS OF THE FORMER NO-ACTION LETTER PROGRAM
The Program has been criticized as inadequate for a variety of reasons. First, the Letters do not bind the CFPB, other regulators, or the courts, so they provide limited protection or risk mitigation to the applicant. Notably, the CFPB can modify or rescind a Letter at any point and for any reason. Moreover, Letters are not safe harbors and do not protect recipients from future investigations, or enforcement or supervisory actions, by the CFPB (or any other regulatory body). Letters will also not preclude lawsuits by private parties. Second, the Letters do not provide much, if any authority, since they do not constitute a determination by the CFPB or its staff regarding the relevant statutes and regulations, or an interpretation of those laws. Third, the Letters are intended to be issued on a narrow basis, applying only to the facts, circumstances, and product uses specifically outlined in the application and only with respect to the specific statutes and regulations cited in the application. Any deviation is not subject to the CFPB’s assurance that it has no present intention to bring an enforcement action. Fourth, the CFPB requires data in exchange for the Letter, thereby subjecting recipients to an additional on-going administrative obligation. Fifth, if a recipient violates the terms of the Letter, the CFPB has the right to initiate retrospective enforcement or supervisory actions. Sixth, by design, the CFPB intends to issue very few Letters per year. The Program, therefore, is not tailored to address the actual number of innovative products in any given year.
As noted above, the CFPB received only one application for the Program, likely due to the various limitations and protections offered by the Program. To promote greater participation, in the fall of 2018, the CFPB announced its intent to modify the Program.
THE CFPB’S PROPOSED RULE TO MODIFY THE NO-ACTION LETTER POLICY AND TO IMPLEMENT A REGULATORY SANDBOX
No-Action Letter Program Modification
Led by the Office of Innovation, the CFPB published a proposed rule and policy describing the revamped Program in the Federal Register on December 13, 2018. According to the proposal, the Program did not provide firms with “sufficient incentives to seek [Letters].”  To remedy this problem, the CFPB proposes to “bring certain aspects of the [Program] into alignment with [similar] programs offered by other Federal regulators.”  Specifically, the CFPB proposes several key changes.
First, under the proposal, the CFPB will agree to refrain from making supervisory findings or initiating supervisory or enforcement actions with respect to the activity covered in a Letter under any statute or regulation that it can enforce (including its authority under Dodd-Frank to bring enforcement actions to curtail unfair, deceptive, or abusive acts and practices (“UDAAP”)), subject to the recipient’s good faith and substantial compliance with the terms of the Letter. Moreover, the CFPB will not initiate an enforcement action for a recipient’s activities while the Letter was in effect, if the CFPB rescinds the Letter for any reason other than the recipient’s failure to substantially comply with the Letter in good faith. Previously, there was some ambiguity as to whether and to what extent the CFPB was willing to issue a Letter that covered its UDAAP authority, and this change makes the Letter’s protections more concrete.
Second, the Program will not be restricted to a few Letters per year, and Letters will not be issued with an expiration date. This proposed policy change expands the benefits of the Program to potentially all industry participants, rather than restricting it to the few who submit their applications the quickest.
Third, the Program will accept applications from trade associations, service providers, and other third-parties. Previously, the CFPB stated it would not issue a Letter if the application was submitted by a trade association. This change would expand the Program’s reach, and would allow more stakeholders to participate.
Fourth, recipients of a Letter would not be required to share data with the CFPB, thereby minimizing the costs of obtaining a Letter.
Fifth, when issuing a Letter, the CFPB will coordinate, as appropriate under the Dodd-Frank Act, with other federal and state regulators. The CFPB will explore engaging in agreements with State regulators that issue similar no-action relief documents. This proposal would expand the protections the Program provides, potentially minimizing a recipient’s exposure to federal and state laws.
The proposed rule would also streamline the application itself, reducing the number of questions and asking for less information. If issued as proposed, the CFPB would determine whether to grant a Letter based on the benefit of the product or service to consumers, the extent to which the applicant can control risk, and the extent to which relief is actually needed. Letters would still be published publicly, but the CFPB will make a more concrete effort to prevent the disclosure of confidential information and would allow applicants to withdraw their application if they believe confidential information would be disclosed.
In addition to revamping the Program, the CFPB has proposed creating a product sandbox (“Sandbox”) to provide three types of relief from statutory and/or regulatory provisions: (1) no action under the Program, (2) an “approval,” or (3) an “exemption.” This relief would extend up to two years, subject to further extension.
An “approval” would apply the safe harbors under the Truth-in-Lending Act, the ECOA, and the Electronic Fund Transfer Act, as applicable, to the recipient’s product or service, thereby immunizing the recipient from federal or state enforcement actions and private litigation. A recipient must, however, comply, in good faith, with the terms and conditions of the approval for the safe harbors to apply.
An “exemption” is a statement by the CFPB that the recipient need not comply with, or is in compliance with, statutory or regulatory provisions under which the CFPB is statutorily authorized to issue an exemption, and regulatory provisions under which the CFPB can issue an exemption. Like an approval, an exemption would protect a recipient from federal or state enforcement actions and private litigation, provided it complies, in good faith, with the CFPB’s terms and conditions.
The CFPB proposes to grant applications to participate in the Sandbox on the same basis as it proposes to grant Letters. Participants must report information about how its relevant product or service is affecting “complaint patterns, default rates, or similar metrics” so the CFPB can measure “tangible harm to consumers.”  Additionally, participants are required to compensate consumers for “material, quantifiable, economic harm” resulting from the covered products and services.  The CFPB will not initiate an enforcement action for a recipient’s activities while the Letter was in effect, if the CFPB rescinds the Letter for any reason other than the recipient’s failure to substantially comply with the Letter in good faith. Moreover, it will coordinate its efforts with other federal and state regulators.
2019 has just begun, but the CFPB is already posed to make important changes under its new leadership. As industries subject to the Dodd-Frank Act develop and implement objectives for the year, industry participants and other stakeholders should seriously consider submitting comments to the proposed rule to reform the Program and to implement a Product Sandbox. The public comment period ends on February 11, 2019. The eventual final rule and policy change to the Program may have significant implications for the financial services industry, as the proposed Program reform could provide important statutory and/or regulatory relief to industry participants.
 CFPB Announces First No-Action Letter to Upstart Network, Press Release, Consumer Financial Protection Bureau (Sept. 14, 2017), https://www.consumerfinance.gov/about-us/newsroom/cfpb-announces-first-no-action-letter-upstart-network/ (last accessed Jan. 4, 2019).
 Upstart No Action Letter, Consumer Financial Protection Bureau (Sept. 14, 2017), https://files.consumerfinance.gov/f/documents/201709_cfpb_upstart-no-action-letter.pdf (last accessed Jan. 4, 2019).
 83 Fed. Reg. 64036, 64036 (Dec. 13, 2018).
 Id. at 64040.