Illinois Adopts Regulatory Regime for Digital Assets

On August 18, 2025, Illinois enacted Senate Bill 1797, the Digital Assets and Consumer Protection Act (the “Act”), establishing a regulatory framework designed to enhance customer protections for digital asset activities and to position the state as a well-regulated environment for digital asset innovation.¹

Similar to other states’ digital asset regulatory regimes, such as New York’s BitLicense, Louisiana’s Virtual Currency Businesses Act and California’s soon-to-be-effective Digital Financial Assets Law, the Act requires digital asset businesses—such as exchanges, custodians and issuers—to register with the Illinois Department of Financial and Professional Regulation (IDFPR) and grants the IDFPR authority to supervise and regulate such registrants. The Act is intended to create “strong customer protections in line with those that currently apply to traditional financial services,”² including investment disclosures and financial adequacy, risk management and customer service standards akin to those of other regulated financial institutions.

While much of the focus of the Act is on customer protection and the regulatory regime applicable to digital asset businesses that are not already traditional financial institutions, such as banks or trust companies, the Act also includes a less headline-grabbing, but potentially exciting series of amendments to the Illinois Corporate Fiduciary Act. These amendments establish a framework for a new type of special purpose trust company (“SPTC”) empowered to provide fiduciary custodial services or similar services as permitted by IDFPR, with a focus on the custody, safekeeping and management of emerging digital assets.

In this Legal Update, we describe key parts of the Act and discuss its implications for the digital asset sector.

Who Must Register Under the Act?

The Act requires anyone that engages in, or holds itself out as being able to engage in, digital asset business activity with or on behalf of an Illinois resident (including both individuals and businesses) to register with the IDFPR, unless an exemption applies. Failure to register can result in, among other things, civil penalties of up to $100,000 per day. Further, a person who does not comply with the registration requirement may not bring an action in court to collect compensation for digital asset activity conducted while unregistered, even if they cure the registration failure at a later date.

The Act exempts certain persons from the registration and substantive requirements of the Act. These include:

• Federal, state, local and foreign governments;
• Federally insured depository institutions and credit unions;
• Corporate fiduciaries engaged in fiduciary activities;
• Merchants who use digital assets solely for the purchase or sale of goods or services that are not digital assets in the ordinary course of business;
• Persons who use digital assets solely for the purchase or sale of goods or services for their own personal, family, or household purposes;
• Persons who contribute connectivity software or computing power or otherwise participate in the process of securing a network;
• Persons who record digital asset transactions to a network or protocol governing the transfer of the digital representation of value; and
• Persons who develop, publish, constitute, administer, maintain, or otherwise distribute software relating to a network, so long as the person does not control transactions of digital assets on the network.

The Act also excludes certain digital asset activities from its scope, regardless of who they are conducted by. These include the exchange, transfer, or storage of a digital asset or to digital asset administration to the extent that:

• Such activity is governed by the Securities Exchange Act of 1934 or Illinois Securities Law of 1953 as a security transaction and regulated by the Securities and Exchange Commission (SEC) or Illinois Secretary of State; or
• Such activity is governed by the Commodity Exchange Act and involves futures contracts, commodity options, or swaps regulated by the Commodity Futures Trading Commission (CFTC).

What Customer Protections are Required?

The Act establishes a number of customer protections for residents of Illinois engaging in digital asset transactions, including customer disclosure requirements, requirements related to custody and protection of customers’ digital assets, requirements for certain digital asset exchanges and requirements for customer service availability and quality.

Disclosures

Registrants must provide a separate, clear, conspicuous, and retainable disclosure prior to engaging in digital asset business activity with an Illinois resident that must include, among other things, information on:

• Fees and fee calculation information;
• Information on insurance coverage, if any, including a requirement to disclose FDIC insurance or similar federal protections or a clear and conspicuous statement that no such insurance is available;
• A statement on the irrevocability of a transfer or exchange and any exception to irrevocability;
• A statement that no digital asset is currently recognized as legal tender by the State of Illinois or the United States, as well as a separate, prominent, bolded disclosure that the State of Illinois has not approved or endorsed any digital assets or determined if the customer disclosure is truthful or accurate;
• A description of the customer liability and error resolution rights in connection with unauthorized, mistaken, or accidental transfers, and revocation of preauthorized transfers or payments; and
• Information on historical downtime and service limitations.

Once a registrant has completed a digital asset transaction with a resident, they must provide a receipt that includes contact information and minimum data fields on the transaction (e.g., type, value, date, precise time, and amount). They also must provide a customer service toll-free phone number that is staffed by live customer service agents.

Material changes to the fee structure or terms of service require at least 14 days’ advance notice to customers.

Custody and Protection of Customer Assets

Registrants must comply with custody and safekeeping requirements for any digital assets that it stores, holds, maintains, or controls for a customer. These include a 1-to-1 reserves obligation for each type of digital asset held, segregation requirements, and a prohibition on pledging or rehypothecation. While not strictly a requirement, the Act provides that digital assets held for a customer do not become the property of the registrant and are not subject to claims of creditors, even if commingled with the registrant’s other assets.

Covered Exchange Requirements

Registrants that are covered exchanges (i.e., exchanges or holds itself out as being able to exchange a digital asset for a resident) must also maintain appropriate risk management practices, and certify their execution each time the exchange intends to list or offer a new digital asset for trading by Illinois residents. This is broadly similar to New York’s certification process under its BitLicense regime, and the Act specifically exempts digital assets that are already allowed (as of the effective date of the Act) for listing by the New York Department of Financial Services (e.g., BTC, ETH and several stablecoins).

Covered exchanges must also take steps to ensure favorable execution of transactions for residents, broadly similar to “best execution” requirements applicable to other regulated markets, and must conduct periodic evaluations of the execution quality of its transactions.

Customer Service Requirements

The Act requires registrants to establish and prominently display to residents a toll-free phone number by which a resident can contact the registrant and receive live customer assistance. Further, the Act requires the registrant implement reasonable policies and procedures for providing customer assistance in a timely manner, including processing, investigating and responding to customer requests for assistance.

What Supervisory Requirements Apply to Registrants?

The Act grants IDFPR comprehensive supervisory authority over registrants and includes requirements for capital and liquidity requirements, examinations, recordkeeping, notifications and approvals for material events, investigation and enforcement authorities. Several of the key requirements are discussed below.

Registrants must maintain a surety bond or trust account for the protection of Illinois residents in a form and amount to be determined by the IDFPR. Registrants also must satisfy minimum capital adequacy and liquidity requirements to be determined by the IDFPR. The capital and liquidity requirements applicable to registrants, and the factors used to determine those requirements by the IDFPR, are broadly similar to those of New York’s BitLicense regime.

Registrants may be examined by the IDFPR to ensure compliance with the Act and other relevant laws, and must permit and assist the IDFPR with examinations of any affiliate of, or service provider to, the registrant. Registrants must maintain a wide variety of records and produce such records upon demand by the IDFPR.

Finally, registrants are required to implement, maintain, update and enforce compliance policies and procedures for anti-money laundering, anti-fraud, cybersecurity, business continuity and disaster recovery, operational security, managing conflict of interest, customer complaint resolution and compliance with other applicable laws. The Act sets forth minimum requirements for certain of these programs, such as anti-fraud, anti-money laundering, cybersecurity and operational security, and the IDFPR may prescribe further rules to detail these obligations.

What About Special Purpose Trust Companies?

The Act establishes a new category of corporate fiduciary, to be known as a special purpose trust company (SPTC). SPTCs may provide fiduciary custodial services and related services for digital assets to customers, separate from the general requirements of the Act. SPTCs are automatically subject to most of the same requirements as Illinois trust companies, but the IDFPR may adopt rules specific to SPTCs. Notably, other authorized corporate fiduciaries may provide the same services without further authorization, and the Act amends the Corporate Fiduciary Act to modernize several definitional and prudential standards applicable to non-depository trust companies and foreign corporate fiduciaries.

By leveraging the trust company framework to provide digital asset services, the Act enables existing Illinois corporate fiduciaries to expand into digital assets within a familiar fiduciary framework. It could also allow national banks, who are already permitted to provide digital asset custody under OCC guidance, to form Illinois SPTC subsidiaries to separate digital asset activities. Similarly, out-of-state state banks can enter Illinois through SPTC subsidiaries without converting their home-state charters.

When Does the Act Take Effect?

The Act is effective immediately. However, a person is not liable for a failure to register until July 1, 2027, and a person is not required to comply with the customer disclosure, custody and safekeeping, and minimum customer service requirements until January 1, 2027. Further, a covered exchange is not required to comply with the new product certification requirement until January 1, 2027.

The IDFPR may prescribe rules that take effect at an earlier date, but not before January 1, 2026.

Does This Matter?

In short, yes. In adopting the Act, Illinois joins with several other large states in establishing comprehensive supervisory and regulatory requirements for digital asset firms, and is the first state in the Midwest to adopt strong customer protections in connection with digital asset activities. Digital asset businesses seeking to engage with Illinois consumers or businesses must comply with these requirements, and businesses that start early stand to gain first-mover advantage in rolling out compliant products and services, and potentially shaping the IDFPR’s approach to its new regulatory responsibilities.

For digital asset businesses that seek to engage in fiduciary custodial activities, the SPTC offers a new regulatory pathway for innovative firms. The establishment of the new SPTC option may support the further growth of the digital assets sector in Illinois, joining Wyoming and Nebraska at the forefront of states willing to expand their existing statutory and regulatory frameworks for traditional financial institutions to attract and grow this emerging industry. The Act also potentially opens another state to stablecoin issuers, reinforcing the nation’s dual banking system and potentially laying the foundation for Illinois to seek certification under the federal GENIUS Act.

Special thank you to summer associate Sneha Sharma for their contributions to this Legal Update.

¹ SB 1797, 104th Gen. Assemb. (2025) (enacted as Pub. Act 104-0428).

² Press Release, Gov. Pritzker Signs Historic Legislation to Protect Consumers from Cryptocurrency Scams (Aug. 18, 2025).