Dodd-Frank turned 10 years old recently, an occasion for retrospectives about what the statute has accomplished as implemented, and where it has been found wanting. The retrospectives have established, if we did not already know it, that the meaning of Dodd-Frank was not fixed in stone by Congress in July, 2010, but, rather, can only be understood in the context of the rules written and actions taken by agencies to implement the statute.

Dodd-Frank, as implemented, also tells us that the passage of a statute does not always mean that more regulatory burdens lie ahead. The laissez-faire approach to the financial technology, or fintech, sector is a testament to that. Congress took a hands-off approach to fintechs in the statute, and agencies have done the same thing in the ten years since.

Fintechs can be capaciously defined as businesses seeking to provide financial services via the Internet both within and beyond the banking system. Some do the sorts of things that banks do — a peer to peer lender can help consumers replace their credit card debt with crowd-sourced debt, switching a bank that issues credit cards for a fintech. Sometimes fintechs do things that banks do not do, a crypto exchange might be an example.

But peer to peer lenders and online exchanges existed in 2010, and yet Congress chose not to explicitly relate regulate them in Dodd-Frank. Instead, the statute was passed with three provisions relevant to online firms.

First, in 2011, the Government Accountability Office issued a report on peer to peer lending, as required by section 989F of the statute. The report ambivalently concluded that such firms could be regulated either by having multiple state and federal regulators supervise aspects of what these companies did, or by having one federal regulator like the Consumer Financial Protection Bureau conduct oversight. Since then, the GAO has issued a number of reports on the fintech sector, all noting that divided regulation remains the option selected for fintech firms, and often that other options are available.

Second, the CFPB was created by Dodd-Frank, and given the responsibility to, as the agency puts it, “watch[] out for American consumers in the market for consumer financial products and services.” The CFPB could comprehensively regulate fintechs that market their products to consumers.

But it has not done so. Instead, the CFPB has generally supported the growth of fintechs as “consumer friendly innovation.” The agency created a regulatory sandbox in 2019, over the objections of a number of state attorneys general, for fintech firms. The sandbox was defined in a no action letter to mean that qualifying fintechs could assume that they would not be subject to CFPB enforcement actions for three years, in exchange for data sharing.

Instead of industry-wide regulation, individual firms in the sector have been subject to CFPB enforcement actions on grounds similar to the agency’s enforcement against non-fintechs. For example, LendUp, an online lending company that marketed its loan programs as a mechanism for building up consumer credit, was sued for false advertising. Dwolla, a payments firm, was subject to an enforcement action over the quality of its data security. Because these enforcement actions could be and have been taken against non fintech firms, there is no indication that the CFPB has been prioritizing technology related misconduct.

A third potential mechanism of fintech regulation created by Dodd-Frank would work through the Financial Stability Oversight Council. FSOC could designate a fintech as “systemically important,” which would mean that it would be supervised by the Federal Reserve Board. This sort of thing has happened before. FSOC threatened to designate large money market funds as systemically important; the threat encouraged the Securities and Exchange Commission to improve its own regulatory scheme in that space.

But the council has said that it will only deploy its designation power if the designated firm has the sort of size and interconnectedness necessary to create financial risks for other firms upon its collapse. It is unlikely that any fintech could meet this standard. China’s Ant Financial is the largest fintech in the world by market capitalization, valued at $150 billion (American fintechs are all substantially smaller). But even Ant is small potatoes compared to the banks and financial market utilities that have been subjected to FSOC designation. Fintechs, moreover, are too new to occupy a central position in the plumbing of the financial markets. If one peer-to peer-lender went bust, there is no sense that all the others would, or that, even if that happened, that the broader financial markets would be affected.

Dodd-Frank gave the SEC and the Commodity Futures Trading Commission the power to regulate derivatives, which is relevant for some fintechs. But both regulators have created fintech hubs designed to assist the firms on regulatory compliance, and neither agency has engaged in extensive rulemaking or brought enforcement actions against nonfraudulent fintechs. Most notably, the SEC has used its pre-Dodd-Frank authority to bring a number of enforcement actions against cryptocurrencies whose promoters failed to register with the commission, but it has also issued guidance and no action letters designed to reassure the crypto community that many such coins can be structured to avoid the agency’s registration requirements.

Dodd-Frank expressed a mood about fintech oversight; the mood was “wait and see.” The regulators empowered by Dodd-Frank have uniformly adopted a similar approach. It is fair to say that the hands-off approach qualifies as a strategy taken by both legislature and agency. It is the Dodd-Frank dog that has not barked over the past decade.

David Zaring is a Professor of Legal Studies & Business Ethics at the Wharton School.