Colorado Fintech Trends 2026: A State Preview of the Next Phase of Regulation

Over the past several years, Colorado has become one of the more consequential state jurisdictions for understanding where fintech regulation is headed. What makes Colorado notable is not simply the volume of legislative or regulatory activity, it is the way Colorado’s recent developments illustrate three larger shifts occurring across the market: states are beginning to regulate the technology on which fintech products depend, to test legal assumptions that have long supported national lending models, and to use general consumer protection and consumer credit authority to shape conduct in real time.

Colorado now sits at the centre of each of those developments. Its artificial intelligence law moves automated decision-making in consequential contexts, including lending, toward a formal governance regime. Its 2023 opt-out legislation under the Depository Institutions Deregulation and Monetary Control Act of 1980, together with the Tenth Circuit’s 10 November 2025 decision in National Association of Industrial Bankers v Weiser, has introduced meaningful uncertainty into the bank–fintech partnership structures on which many digital lending programmes rely. Further, as federal priorities continue to shift, Colorado’s existing consumer-protection and consumer credit framework remains a reminder that state enforcement is often the mechanism through which new theories are first tested.

Taken together, these developments show Colorado moving closer to the systems, structures, and supervisory tools that increasingly define how fintech is regulated in practice. That is what makes the state worth watching. Colorado is not simply producing more activity. It is surfacing some of the questions most likely to matter next.

Artificial intelligence moves from product feature to governance

Colorado’s artificial intelligence law reflects a broader regulatory shift away from viewing automated tools simply as product enhancements and toward treating them as governance problems. Senate Bill 24-205 requires developers and deployers of “high-risk” artificial intelligence systems to use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination. The law places enforcement authority with the Colorado Attorney General, treats violations as deceptive trade practices, and is scheduled to take effect on 30 June 2026.

The statute is broader than financial services, but its relevance to fintech is obvious. It applies to “high-risk” systems used to make, or used as a substantial factor in making, “consequential decisions”, and those decisions include financial or lending services alongside employment, housing, insurance, healthcare, education, legal services, and certain government services. In practical terms, that means automated underwriting, fraud detection, pricing tools, risk scores, and other model-driven systems may fall within a framework that treats the method of decision-making, not merely the outward form of the product, as the object of regulation.

The obligations imposed by the law reinforce that shift. Developers must provide deployers with documentation concerning intended uses, foreseeable risks of algorithmic discrimination, and information needed to complete impact assessments. Deployers must implement a risk-management policy and programme, complete impact assessments, review deployment annually, and disclose the use of high-risk systems. The statute also requires disclosure when a consumer is interacting with an artificial intelligence system if that fact would not otherwise be obvious.

For financial services companies, the importance of Colorado’s law lies in what it changes about the regulatory inquiry. A lender can no longer assume that scrutiny will begin and end with the terms of a product or the face of a disclosure. The statute asks how a decision was produced, what data it relied on, how the system is monitored, and what mechanisms exist to identify and correct problematic outputs. Artificial intelligence, in other words, is no longer treated simply as a tool for refining products, it is treated as part of the institution’s governance architecture.

Colorado’s approach to artificial intelligence matters for another reason: it shows Colorado is moving upstream. The same instinct appears elsewhere in Colorado’s fintech posture. The state has not confined itself to policing the terms on which products are offered; it has also shown increasing interest in the systems and legal structures that make those products possible in the first place.

Colorado is testing the legal architecture of bank–fintech lending

Colorado’s role in the law of bank–fintech lending did not begin with its recent litigation under DIDMCA. It was already a significant player in this area by 2020, when the Colorado Administrator of the Uniform Consumer Credit Code and the Colorado Attorney General entered into an Assurance of Discontinuance with Avant of Colorado, LLC, Marlette Funding, LLC, WebBank, Cross River Bank, and related parties. The agreement resolved an investigation into compliance with Colorado consumer credit law and then established a detailed “safe harbour” for specified loans to Colorado residents made through the online bank–partnership programmes covered by the settlement.

The 2020 settlement is important not because it settled the “true lender” question in the abstract: it did not. Its significance lies in what it shows about Colorado’s approach. The state was willing to examine bank–partnership lending at the level of programme design and to impose conditions on the covered lending models rather than treat the presence of a bank in the structure as the end of the inquiry. Colorado was therefore already pressing on the legal architecture of bank–fintech lending before the more recent DIDMCA dispute emerged. That history makes the state’s later opt-out legislation look less like an isolated confrontation and more like the next stage of the same project.

DIDMCA, through 12 U.S.C. § 1831d, generally allows a state-chartered, federally insured bank to charge interest at the rate permitted by the law of the state where the bank is located, even when lending to borrowers in states with lower caps. Congress, however, preserved an opt-out mechanism for states as to certain loans “made in” the state. In 2023, Colorado exercised that authority through House Bill 23-1229. The bill summary states that, for consumer credit transactions made or renewed on or after 1 July 2024, Colorado opted out of specified federal amendments and provided that rates established under the Colorado Uniform Consumer Credit Code would apply to consumer credit transactions in the state.

The litigation that followed turned on a question that sounds narrow until its consequences come into view: in an interstate and increasingly digital lending market, when is a loan “made in” Colorado? In National Association of Industrial Bankers et al. v Weiser, industry plaintiffs challenged Colorado’s law and obtained a preliminary injunction in the district court. On 10 November 2025, the United States Court of Appeals for the Tenth Circuit reversed. The court described the issue as one of first impression and held that the phrase “loans made in such State” refers to loans in which either the lender or the borrower is located in the opt-out state. On that reading, once Colorado opted out, Section 1831d no longer pre-empted Colorado’s interest rate caps for loans made by out-of-state state banks to Colorado borrowers.

The significance of that holding lies in what it unsettles. For years, a substantial share of interstate lending has rested on the assumption that a state-chartered bank can rely on the law of its home state to export rates into more restrictive jurisdictions without substantial interference from the borrower’s state. Weiser does not eliminate that framework entirely, but it makes clear that borrower location cannot simply be assumed when a state has made full use of DIDMCA’s opt-out mechanism. The dissent captured the stakes by warning that the majority’s interpretation risks creating a patchwork difficult to administer in interstate and online banking.

The reaction to the panel decision underscores its importance. On 17 December 2025, the Office of the Comptroller of the Currency announced that it had filed an amicus brief urging rehearing en banc, stating that the panel’s decision undermines the federal interest rate framework Congress granted to state banks and places them at a significant competitive disadvantage relative to national banks. Even without it, Colorado’s dispute has already become one of the clearest current tests of how durable federal rate exportation assumptions remain in a market built on interstate digital lending.

Colorado’s importance in this area lies in the combination of the two episodes: (i) The 2020 Assurance of Discontinuance addressed the internal structure of bank–fintech programmes, and (ii) the DIDMCA litigation addresses the outer boundary of federal pre-emption on which many interstate programmes depend. Together, they show a state willing to test both the design of bank–partnership lending and the legal assumptions that support it.

State Attorney General enforcement remains central to the practical regulation of fintech

If the artificial intelligence statute and the DIDMCA litigation show Colorado moving upstream toward decision systems and legal architecture, the state’s consumer credit machinery shows how that analysis returns to ground level. The Colorado Attorney General’s published guidance on the Uniform Consumer Credit Code states that the Code regulates the terms and conditions of consumer credit in the state, sets maximum rates and charges, requires disclosure of the cost of credit, and provides remedies for consumers on default. With limited exceptions for first-mortgage residential acquisition and refinance loans, most consumer credit transactions remain subject to that regime. Through the Administrator of the Uniform Consumer Credit Code, the Attorney General investigates complaints, licenses non-bank lenders, and may take disciplinary or legal action when a creditor violates the law.

That framework matters because it allows Colorado to move quickly from the market language surrounding a product to its economic and legal substance. A company may describe an offering in terms of software, embedded functionality, speed, or customer experience. Colorado’s consumer credit regime invites a different set of questions. Does the product, in substance, extend consumer credit? Is a licence required? Are the charges imposed authorised by law? Are the disclosures adequate? Does the structure function to evade rate or fee limits? These questions are not relics displaced by technology. In Colorado, these concepts remain the legal tools through which newer products are analysed and, where necessary, constrained.

Colorado’s participation in the recent multi-state “buy now, pay later” investigation offers a concrete example of how that posture operates in practice. On 1 December 2025, Colorado joined Connecticut, California, Illinois, Minnesota, North Carolina, and Wisconsin in sending letters to the six largest buy now, pay later providers seeking detailed information about pricing and repayment structures, consumer contracts, user agreements, and disclosures. The inquiry was designed to assess whether those products comply with consumer-protection laws and whether they may be placing consumers at financial risk.

The letters themselves reveal the character of the inquiry. They ask about billing disputes, customer-service channels, ability-to-repay procedures, accepted payment devices, credit reporting, delinquencies and defaults, merchant relationships, checkout disclosures, and efforts to comply with Subpart B of the Truth in Lending Act. What emerges is not a single doctrinal challenge but a style of supervision: concrete, operational, and attentive to how a product is actually structured and experienced. That is often how state regulation develops before a comprehensive federal framework arrives.

Colorado’s role in that inquiry also reinforces a larger point running through this article. The state’s importance lies not only in statutes and appellate decisions, but also in its willingness to use familiar supervisory tools to press on newer products. That is one reason state enforcement remains so important in fintech. The practical boundaries of a market are often shaped first through investigations, information requests, and negotiated outcomes rather than through fully matured federal rules.

Conclusion

Colorado’s recent fintech developments matter because they reveal a regulatory pattern that is likely to become more familiar elsewhere. The state is not relying on a single master theory of fintech regulation. It is proceeding by accumulation: governance rules for high-risk decision systems, renewed pressure on the assumptions underlying interstate lending, and enforcement tools flexible enough to be applied to products that are technologically new but legally familiar.

That pattern is what makes Colorado instructive. The state offers a concrete view of how the next phase of fintech regulation may be built: not by replacing older legal frameworks wholesale, but by repurposing them, supplementing them, and using them to reach deeper into the systems and structures on which modern financial products depend. Colorado’s privacy law and its targeted regulation of virtual-currency kiosks point in the same direction. They suggest a state increasingly willing to impose specific operational duties where technology, finance, and consumer risk intersect.