After prolonged deliberation, California has finally decided to enter the virtual currency regulatory arena by adopting two virtual currency regulatory bills into law. The California Digital Financial Assets Law (“DFAL”), originally introduced as Assembly Bill 39 (“AB-39”), and Senate Bill No. 401 (titled “Digital Financial Asset Transaction Kiosks”) were signed into law on October 13, 2023, by Governor Gavin Newsom. The DFAL establishes a virtual currency regulatory regime similar to the New York Department of Financial Services’ (“NYDFS”) Bitlicense framework by instilling regulatory authority, licensing, and oversight in California’s Department of Financial Protection and Innovation (“DFPI”). Meanwhile, the accompanying Digital Financial Asset Transaction law imposes licensing and consumer disclosure requirements on crypto ATM operators in the Golden State. The DFPI is now tasked with regulatory rulemaking and implementation for the next year and a half, with the new virtual currency regulations set to take effect by July 1, 2025.

California Digital Financial Assets Law

Who falls under the new DFAL’s jurisdiction?

The DFAL authorizes DPFI to regulate certain virtual currency activity (referred to in the DFAL as “digital financial asset business activity”) “of a person …who engages in or holds itself out as engaging in [digital financial assets] with or on behalf of a [California] resident.” The DFAL defines “digital financial asset” as “digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated in legal tender.” Certain activities or entities are explicitly excluded from DFAL’s purview, including, but not limited to:

• • tokens issued as part of a rewards program or used solely in online games (subject to certain conditions);
  • the administration, exchange, transfer, or storage of a digital financial assets already subject to the jurisdiction of the SEC or within the purview of the Electronic Fund Transfer Act of 1978;
  • digital financial asset activity of federal and state government agencies;
  • banks, credit unions, and a digital asset control services vendors (defined as “a person that has control of a digital financial asset solely under an agreement with a person that, on behalf of another person, assumes control of the digital financial asset.”);
  • payment processors and those engaging in clearing and settlement services solely “for transactions between or among persons that are exempt” from DFAL’s licensing requirements;
  • data storage or security service providers who provide their services to a business engaged in digital financial assets, without engaging in digital financial asset business;
  • transactions in digital financial assets as payment for the purchase or sale of goods or services, solely for personal, family, household, or academic purposes;
  • digital financial asset business activity connected to California of less than $50,000 in annual aggregate value; and
  • digital financial asset activity not involving compensation, or that is for testing products or services with a person’s own funds.

What does the DFAL say about stablecoins?

The new California law prohibits exchanging, transferring, or storing of stablecoins unless the stablecoin issuer (i) is a bank or licensed by DPFI, or (ii) “owns eligible securities having an aggregate market value computed in accordance with United States generally accepted accounting principles of not less than the aggregate amount of all of its outstanding stablecoins issued or sold in the U.S.”

What does the DFAL require?

DFPI will establish a regulatory framework, under a statutory construct largely similar to NYDFS’ virtual currency regulation, relating to: (1) licensing those who engage in digital financial asset business; (2) supervising the licensee’s activities; (3) investigating and taking enforcement actions against licensees who fail to abide by DFAL’s requirements and the corresponding regulations to be established by DFPI; (4) coin listing requirements; and (5) consumer disclosure expectations.

A. Licensing Requirements

Effective January 1, 2025, those engaging in digital asset business with or on behalf of a California resident must be licensed with DFPI unless (i) they do not fall under DFAL’s purview, or (ii) they are awaiting approval or denial of an application submitted on or before January 1, 2025. The law includes reciprocity for those who are already licensed with NYDFS as of January 1, 2023, allowing Bitlicensees to receive a conditional license from DFPI provided they satisfy certain fee requirements and comply with DFAL’s requirements. The conditional license expires if (i) an applicant receives approval for its California DFPI digital asset business application, (ii) DFAL denies the application, or (3) NYDFS revokes the applicant’s virtual currency license.

Further, DFAL imposes licensing renewal requirements. A licensee may renew its license annually, on or before of September 15, by paying the required fees and submitting a renewal report to DFPI containing specific Licensee information including, but not limited to, certain financial reports, material changes in business, financial conditions, material litigations, or federal, state investigations, and data security breaches involving licensee. Finally, the new law gives DFPI authority to take enforcement actions against licensees for failing to pay annual renewal fees or to file renewal reports.

B. Supervisory Expectations

The new California law instills DFPI with authority to establish regulatory expectations for its licensees, including adopting rules and regulations to implement the requirements of the DFAL, and authority to conduct announced and unannounced examinations. DFAL also authorizes coordination of joint exams with other states and record and information sharing with certain regulatory agencies. Further, the new law requires the licensee to, among other things:

• • File certain changes with DFPI (e.g., material business changes and changes to executive officers or control persons) within 15 days after their occurrence.
  • Obtain DFPI’s approval for ownership and control changes including filing an application at least 30 days prior to a proposed merger or consolidation with another DFPI licensee.
  • Retain its digital financial asset business records (e.g., customer and transaction information) for 5 years, and make these records readily available upon DFPI’s request.
  • Establish policies and procedures to include, but not be limited to, information and operational security, business continuity plan, disaster recovery plan, anti-money laundering program, Bank Secrecy Act, OFAC compliance, and applicable rules and regulations of federal and state digital asset laws.

C. Enforcement Authority

DFAL authorizes DFPI to issue an enforcement action against a licensee for DFAL violations, violations of DFPI’s rules or regulations, a licensee’s failure to cooperate in investigations or exams, or for engaging in unfair or deceptive practices, or unsafe or unsound acts or practices, among others. Enforcement actions may include suspension, revocation of licenses, issuing a cease and desist order, requesting court appointment of a receiver or issuing a temporary, preliminary, or permanent injunctive relief, assessing a penalty, and seeking restitution, among other measures. The DFAL includes significant penalty provisions for any non-licensees who “has engaged, is engaging or is about to engage in digital financial asset business activity” with a California resident in violation of the DFAL of up to $100,000 per day for violations. Licensees or other covered persons who are found to have materially violated the DFAL can face civil penalties of up to $20,000 per day.

D. Disclosure Requirements

DFAL requires licensees to make certain disclosures to its customers relating to, among others, fees and charges including notice for changes to fees and charges, irrevocability of transfers, and order confirmations (e.g., trade date, value, and associated fees).

E. Listing Requirements

DFAL requires covered exchanges (i.e., exchanged required to obtain a DFPI license) to certify its performance of certain actions to DFPI prior to listing or offering a new coin. However, covered exchanges with digital financial assets approved for listing by NYDFS on or before January 1, 2023, are exempt from this certification requirement. Otherwise, covered exchanges must certify to performing the following,

• • determining the likelihood that a federal or state regulator would deem the digital asset a security;
  • self-disclosing to DFPI, in writing, all material facts relating to conflicts of interest that are associated with the covered exchange and the digital financial asset;
  • conducting a comprehensive risk assessment;
  • establishing policies and procedures “to reevaluate the appropriateness of the continued listing or offering of the digital financial asset, including an evaluation of whether material changes have occurred;” and
  • establishing coin delisting policies.

Digital Financial Asset Transaction Kiosks Law

On the same day that Governor Newsom signed the DFAL into law, he also approved the Digital Financial Asset Transaction Kiosks bill. While the law applies to operators of crypto or Bitcoin ATMs that are not otherwise licensed under the DFAL, operators must disclose the locations of all their kiosks to the DFPI to be published on the Departments website.

The law takes effect on January 1, 2025, and limits an ATM operator from accepting or dispensing more than $1,000 a day to a customer. Charges and fees are capped at the greater of either $5 or 15% of the total dollar equivalent of the transaction. Most notably, ATM operators must provide the terms and conditions of a withdrawal or deposit prior to the transaction and include the following information:

• • The amount of a digital financial asset involved in the transaction;
  • The amount of any fees, expenses, and charges;
  • The difference the value of the digital asset charged to the customer and the price of that asset “as listed by a licensed digital financial asset exchange;” and
  • whether or not the transaction can be reversed, with a warning if the transaction cannot be reversed.

The law further prescribes certain information that must be included in transaction receipts, including:

• • The customer’s name;
  • Basic transaction information;
  • Any charges or fees;
  • The difference or spread between the dollar price of the crypto asset charged to the customer and the price of the asset as listed by a licensed digital financial asset exchange; and
  • The name of the licensed digital financial asset exchange used by the operator to fix that price.

California’s foray into digital assets regulation will likely have a sweeping impact on the digital asset space and touch any crypto company doing business in the United States. While DFPI’s rulemaking process set to take place over the next 18 months will define the exact contours of the regulation, it is not too soon for digital asset businesses to start preparing for compliance under the new regulatory regime.

[View source.]