California Passes Expansive “Crypto” (Digital Financial Asset) Licensing and Compliance Law

Key Highlights

• A new “crypto” law in California comes into effect on July 1, 2025 that will impose licensing requirements on broad categories of digital financial asset business activity.
• The law provides for significant per-day penalties that may be assessed for unlicensed activities and other noncompliance.
• Important exemptions under the law exist for banks, broker-dealers, network/technology providers and other types of entities.
• The law also implements consumer protection measures, including fee and risk disclosures and complaint mechanisms.
• Licensees under the law will have financial stability requirements, including capital reserves and anti-money laundering requirements.

Introduction

Overview of the Digital Financial Assets Law

On October 13, 2023, California enacted the Digital Financial Assets Law (“DFAL”). The new law, which takes effect on July 1, 2025, establishes a comprehensive framework for the licensing and oversight of businesses that engage in “digital financial asset” (“DFA”) business activities with or on behalf of California residents.¹

Under the DFAL, DFA business activities are broadly defined and include exchanging, transferring, or storing a DFA, engaging in DFA administration, holding electronic precious metals or certificates, or exchanging certain digital representations of value used within online games or platforms. While there are important exemptions under the DFAL for both persons/entities and activities/transactions that limit the new law’s application, the DFAL is likely to disproportionately impact companies that are early-stage or do not have robust compliance infrastructure.

The DFAL will require those under its jurisdiction to obtain a license from the California Department of Financial Protection and Innovation ("DFPI"). This new law will impose various obligations and standards on licensees, such as maintaining records, disclosing fees and risks, providing security and protection for customers’ assets, and complying with anti-fraud and anti-money laundering rules. The DFAL also contains specific provisions on the issuance, use, and storage of stablecoins.

In this Legal Update, we offer insight on the nature and scope of the DFAL requirements and provide some practical thoughts on how businesses may need to adapt their digital asset activities in the face of the DFAL.

Significance of the DFAL

The broad and comprehensive regime established by the DFAL makes it one of the most significant state-specific digital asset laws in the United States. Alongside the New York Department of Financial Services, the new law will likely put the DFPI into a leading role for regulating digital assets activity at the state level.

It’s important to note, however, that California has signaled a willingness to further refine the scope and terms of the DFAL before it takes effect. There remains an opportunity for stakeholders to work with the state to provide for further clarity as it implements the DFAL.

Who Does the DFAL Affect?

Which persons and activities are subject to the DFAL?

On its face, the DFAL applies broadly to the DFA business activity of any person or entity that engages in—or holds itself out as engaging in—a DFA business activity with, or on behalf of, a California resident.

In order for the DFAL to apply, the person or entity must be engaging in a “DFA business activity,” which means:

• exchanging, transferring, or storing a DFA;
• engaging in DFA administration;
• holding electronic precious metals or certificates; or
• exchanging digital representations of value used within online games or platforms.

Which persons are exempt from the DFAL?

The DFAL exempts significant categories of individuals and entities from its requirements, including:

• banks, credit unions, and trust companies;
• government agencies;
• providers of connectivity software or computing power to secure a network or of storage or security services;
• entities registered under the federal Commodity Exchange Act, or registered as a securities broker-dealer under applicable securities laws;
• those whose DFA business activity is expected to be valued at $50,000 or less per year; and
• merchants who accept DFAs as payment for goods and services that do not include DFAs themselves.

The DFPI may also exempt certain individuals, entities, or transactions from the scope of all or part of the DFAL—either by regulation or order—if the DFPI finds such action to be in the public interest. This is expected to be the “innovation” part of the DFAL—i.e., the DFPI has the flexibility to provide a regulatory supervision framework to novel or experimental products and services.

What is a DFA under the DFAL?

DFAs are defined broadly as digital representations of value that are used as a medium of exchange, unit of account, or store of value and that are not legal tender.

However, certain types of digital representations of value—which would include tokens—are not considered “DFAs” and are therefore exempt from the DFAL, including:

• tokens issued as part of a rewards or affinity program, as long as they cannot be exchanged with the issuer for cash, credit, or a DFA;
• tokens issued by game publishers used solely within a “closed loop” online game, game platform, or family of games sold by the same publisher, as long as they cannot be exchanged with the issuer for cash, credit, or a DFA; and
• tokens that are securities registered, or exempt from registration, with the U.S. Securities and Exchange Commission.

What Does the DFAL Require?

Starting July 1, 2025, no person or entity within the scope of the DFAL is permitted to engage, or hold themselves out as being able to engage, in DFA business activities with, or on behalf of, a California resident, unless such person or entity obtains a license from the DFPI or has an application pending as of such date.

What is the process for obtaining a license from the DFPI?

An applicant for a license under the DFAL must submit an application, in a form and medium prescribed by the DFPI, and provide information and records relevant to its proposed DFA business activity, such as its financial statements, executive officers, criminal history, litigation history, bank accounts, sources of funds, scope of insurance coverage, business interruption, and security bond or trust accounts.

The DFPI will conduct an investigation of the applicant and its executive officers, responsible individuals, and persons in control and may also conduct an inspection of the applicant’s business premises. Following the investigation, the DFPI will approve, conditionally approve, or deny the application based on criteria such as the applicant’s financial condition, competence, experience, character, fitness, and compliance with the DFAL and other applicable laws.

A conditional license may be issued by the DFPI to an applicant that holds or maintains a license or charter to conduct virtual currency business activity in New York, or to an applicant pending compliance with the criminal history check requirements. (As noted above, New York also has a comprehensive digital financial asset law in place.)

What are the ongoing requirements to maintain a license from the DFPI?

A licensee under the DFAL must comply with various obligations and duties, such as:

• maintaining sufficient capital and liquidity, and a surety bond or trust account;
• maintaining certain records of all DFA business activity with or on behalf of residents for five years after the date of the activity;
• submitting an annual report to the DFPI, and paying an annual pro rata cost share of all costs and expenses reasonably incurred in the administration of the DFAL;
• reporting certain material changes to the DFPI and obtaining the DFPI’s prior approval for certain corporate reorganizations or changes in control;
• providing certain disclosures to residents before and after engaging in DFA business activity with them, such as a schedule of fees and charges, whether the product or service is covered against loss and whether the transfer or exchange is irrevocable; and
• maintaining in its control an amount of each type of DFA sufficient to satisfy the aggregate entitlements of the persons to the type of DFA, for the benefit of the persons entitled to the DFA, and not subject to the claims of creditors of the licensee.

What are the Penalties for Unlicensed Activity and Noncompliance?

The DFAL provides the DFPI with significant enforcement powers and measures, including: suspending or revoking a license, ordering a person to cease and desist from engaging in DFA business activity, appointing a receiver for the assets of a person engaging in DFA business activity, seeking injunctive relief, assessing civil penalties, recovering on the security bond or trust account, seeking restitution, and entering into consent orders.

Examples of when the DFPI may take enforcement measures

The DFPI may take an enforcement measure against a licensee or a person who is not a licensee—but has engaged, is engaging, or is about to engage in DFA business activity with or on behalf of a California resident—in various instances, such as:

• material violation of the DFAL or other applicable laws;
• failure to cooperate in a DFPI examination or investigation, pay a fee, or submit a report or documentation;
• action by an agency of the federal government or another state that would constitute an enforcement measure if the DFPI had taken the action; or
• the licensee or person:
  • engages in an unsafe or unsound act or practice, an unfair or deceptive act or practice, fraud or intentional misrepresentation, or misappropriation;
  • is convicted of a crime related to its DFA business activity involving fraud or felonious activity;
  • becomes insolvent; or
  • makes a material misrepresentation to the DFPI.

Potential for significant civil penalties

The DFPI may assess significant civil penalties, including:

• for a non-licensee—$100,000 per day for each day the non-licensee is in violation of the DFAL; or
• for licensees or other “covered persons”—$20,000 for each day of a material violation of, or for each act or omission that materially violates, the DFAL.

Potential for an enforcement action by a California resident

The DFAL does not expressly provide California residents with the right to bring an action to enforce the DFAL or any other law; however, it also does not prevent such individual enforcement action. Importantly, the DFAL also does not affect the application of any other law.

What Does the DFAL Say about Stablecoins?²

The DFAL requires a stablecoin issuer:

• to be a bank or trust company or licensed by DFPI (or applying for a license); and
• to at all times own “eligible securities”³ having an aggregate market value (computed under US GAAP) at least equal to the aggregate amount of all of its outstanding stablecoins issued or sold.

Key Takeaways – What Does The DFAL Mean For Digital Assets Activities In California?

Significant businesses/activities will be exempt from the DFAL

• Given the broad categories of DFAL exemptions for banks and other regulated financial institutions, one goal of this law appears to be putting a regulatory perimeter around digital asset activities that are not otherwise subject to licensure and/or oversight. Given the importance of California in the technology and business sectors in the United States, the DFAL will require companies engaging in a broad array of in-scope activities to develop compliance infrastructure that may not have been previously required in connection with their activities.
• On the other hand, certain businesses that provide services for banks and other financial institutions may already have internal compliance systems that are required by those relationships and that go some way to facilitating compliance with the new law. Those companies—including fintechs—will need to assess the compliance gap (if any) between their current practices and those required by the DFAL.
• In addition, also exempt from the DFAL are companies that use DFAs as payment for non-crypto goods or services and companies that provide services such as connectivity software, data storage or security, or certain enterprise solutions. These exemptions appear to acknowledge two things:
  • that the specific focus of the DFAL is not companies that have incidental contact with DFAs or that merely accept DFAs as payment; and
  • that broader jurisdiction of the DFAL would likely make the law impractical to administer, particularly as it relates to miners and blockchain developers, which is an important win for industry lobbyists that have advocated against these ecosystem participants from being unduly burdened with obligations that provide no real protective benefit.

At the same time, the DFAL is likely to have a significant impact on certain businesses

• Companies will need to assess whether their current or proposed DFA business activities will run afoul of the new law. A company that may potentially be implicated should commence preparations to:
  • apply for the license (including mapping out potential required disclosures);
  • implement an appropriate compliance infrastructure; and
  • assess potential associated licensing and compliance costs.
• As the DFAL comes into effect, early-stage and emerging growth companies that engage in DFA business activities are likely to face difficult choices about their allocation of often limited business and financial resources. For example, certain companies may have to decide whether to ringfence their business activities to exclude California residents.
• In particular, video game developers that intend to allow players to trade in-game assets for cash, credit, or DFAs will be subject to the DFAL and its licensing requirements, which are very uncommon in the video game industry. This may have a chilling effect on certain types of game innovation that are gaining in popularity involving true player ownership of in-game assets.

Penalties are noteworthy and may foreshadow enforcement priorities

• Proposed penalties for noncompliance with the DFAL include fines assessed on a per-day basis or per-action basis, which can quickly add up.
• While the severity of potential fines may be intended to cause businesses to take the new law seriously, they may also foreshadow a tool to be used by the DFPI if it believes market-wide efforts to comply with the DFAL are insufficiently robust.

The goalposts for DFAL compliance may shift

• As with any new law, interpretations are likely to develop and evolve as we approach the DFAL’s effective time of July 1, 2025, approximately 18 months from now.
• In his own announcement of signing the DFAL, Governor Gavin Newsom acknowledges that certain terms in the DFAL are ambiguous, and that the scope of the law will require further refinement in its implementation.
• This underscores the need for any compliance program to be consistently evaluated as regulatory requirements evolve and change over time.

 

---

¹ The DFAL defines “resident” to include (a) a person domiciled in California or who is physically located in California for more than 183 days over a 365-day period, (b) a person who has a place of business in California, or (c) a legal representative of a person domiciled in California.

² The DFAL defines “stablecoins” as DFAs that are pegged to the United States dollar or another national currency and are marketed in a manner that intends to establish a reasonable expectation or belief among the general public that the instrument will retain a nominal value that is so stable as to render the nominal value effectively fixed.

³ The DFAL defines “eligible securities” to include insured deposits, US treasury or agency bonds, and rated US state bonds or commercial paper.