Golden State Guidelines: A Deep Dive into California's New Virtual Currency Regulatory Framework

California governor Gavin Newsom signed two bills (Assembly Bill 39 and Senate Bill 401) into law on October 13, 2023ⁱ, that will create an imposing regulatory framework for virtual currency regulation that will rival New York’s “BitLicense” regulatory framework. California is the third state to introduce a licensing regime for virtual currency activity, after New York and Louisiana. 

The first bill, the California Digital Financial Assets Law (DFAL) is a new virtual currency licensing and regulatory framework which requires entities conducting virtual currency business activity to obtain a license similar to New York’s “BitLicense” and to comply with a slew of regulatory requirements such establishing and maintain compliance programs for anti-money laundering (AML), information security, fraud, consumer compliance and more. The second bill, Senate Bill 401, is related to the DFAL and specifically regulates digital financial asset transaction kiosks (e.g. Bitcoin ATMs).

Exemptions

The DFAL exempts several categories of persons including, but not limited to:

• Banks, credit unions, and trust companies
• Payment processors providing processing, clearing, or settlement services solely for transactions between or among persons that are exempt from licensing requirements
• A person whose digital financial asset business activity with, or on behalf of, residents is reasonably expected to be valued, in the aggregate, on an annual basis at fifty thousand dollars ($50,000) or less
• A person registered as a securities broker-dealer under federal or state securities laws to the extent of its operation as a broker-dealer
• A merchant that accepts a digital financial asset as payment for the purchase or sale of goods or services, which does not include digital financial assetsⁱⁱ

Requirements

Licensing

On or before July 1, 2025, any person engaging in digital financial asset business activity must be licensed, have submitted a license application, and are awaiting approval or denial of that application, or otherwise be exempt from licensure.ⁱ

The DFAL states that license applications will require among other things: 

• A description of the current and former business of the applicant for the five years before the application is submitted, or, if the business has operated for less than five years, for the time the business has operated, including its products and services, associated internet website addresses and social media pages, principal place of business, projected user base, and specific marketing targets
• The source of funds and credit to be used by the applicant to conduct digital financial asset business activity with, or on behalf of, a resident
• Documentation demonstrating that the applicant has sufficient capital and which must include, but is not limited to, both of the following:
  • A copy of the applicant’s audited financial statements for the most recent fiscal year and for the two-year period preceding the submission of the application, if available
  • A copy of the applicant’s unconsolidated financial statements for the current fiscal year, whether audited or not, and, if available, for the two-year period preceding the submission of the application
• A copy of the certificate, or a detailed summary acceptable to the department, of coverage for any liability, casualty, business interruption, or cybersecurity insurance policy maintained by the applicant for itself, an executive officer, a responsible individual, or the applicant’s users
• The plans through which the applicant will meet its obligations regarding compliance program, policies, and procedures required by the DFAL ⁱⁱ

Compliance Programs

The DFAL also imposes strict requirements for digital financial asset businesses to adopt and maintain compliance programs for all of the following:

• An information security program and an operational security program
• A business continuity program
• A disaster recovery program
• An antifraud program
• A program to prevent money laundering
• A program to prevent funding of terrorist activity
• A program designed to ensure compliance with the DFPI, and other California or federal laws applicable to the digital financial asset business activity and to assist the licensee in achieving the purposes of other state and federal laws if violation of those laws has a remedy under this division. Such a program must specify detailed policies and procedures that the licensee undertakes to minimize the probability that the licensee facilitates the exchange of unregistered securities ⁱⁱ

Stablecoins

Additional requirements regarding stablecoins require that licensees only store a digital financial asset or engage in digital financial asset administration, whether directly or through an agreement with a digital financial asset control services vendor, if both of the following are true:

• The issuer of the stablecoin is an applicant, licensed with the California Department of Financial Protection (DFPI), a bank, a trust company, or a national association authorized under federal law to engage in a trust banking business.
• The issuer of the stablecoin at all times owns eligible securities having an aggregate market value computed in accordance with United States generally accepted accounting principles of not less than the aggregate amount of all of its outstanding stablecoins issued or sold. ⁱⁱ

In determining whether to make an approval for the issuance of a stablecoin, the DFPI will consider factors such as:

• Any legally enforceable rights provided by the issuer of the stablecoin to holders of the stablecoin, including, but not limited to, rights to redeem the stablecoin for legal tender or bank or credit union credit
• The amount, nature, and quality of assets owned or held by the issuer of the stablecoin that may be used to fund any redemption requests from residents
• Any risks related to how the assets are owned or held by the issuer that may impair the ability of the issuer of the stablecoin to meet any redemption requests from California residents
• Any representations made by the issuer of the stablecoin related to the potential uses of the stablecoin
• Any representations made by the issuer of the stablecoin related to the risks of using the stablecoin as payment for goods or services or as a store of value ⁱⁱ

Coin Listing

Similar to the New York State Department of Financial Services's (NYDFS’s) coin listing requirements, licensed exchanges under the DFAL, prior to listing or offering a digital financial asset, must certify on a form provided by the DFPI that the covered exchange has done the following:

• Identified the likelihood that the digital financial asset would be deemed a security by federal or California regulators
• Provided, in writing, full and fair disclosure of all material facts relating to conflicts of interest that are associated with the covered exchange and the digital financial asset
• Conducted a comprehensive risk assessment designed to ensure consumers are adequately protected from cybersecurity risks, risk of malfeasance, including theft, risks related to code or protocol defects, or market-related risks, including price manipulation and fraud
• Established policies and procedures to reevaluate the appropriateness of the continued listing or offering of the digital financial asset, including an evaluation of whether material changes have occurred
• Established policies and procedures to cease listing or offering the digital financial asset, including notification to affected consumers and counterparties ⁱⁱ

Reporting

The DFAL also includes several financial reporting requirements for digital financial asset businesses. Licensees are required to maintain, for all digital financial asset business activity with, or on behalf of, a California resident for five years after the date of the activity, records such as:

• All transactions with, or on behalf of a California resident or for the licensee’s account in California
• The aggregate number of transactions and aggregate value of transactions for the previous 12 calendar months
• Any transaction in which the licensee exchanged one form of digital financial asset for legal tender or another form of digital financial asset with, or on behalf of a California resident
• A general ledger maintained at least monthly that lists all assets, liabilities, capital, income, and expenses of the licensee
• Any business call report the licensee is required to create or provide to the DFPI
• Bank statements and bank reconciliation records for the licensee and the name, account number, and United States Postal Service mailing address of any bank the licensee uses in the conduct of its digital financial asset business activity with, or on behalf of a California resident
• A report of any dispute with a California resident ⁱⁱ

Consumer Protections and Disclosures

The DFAL also includes multiple consumer protection and disclosure requirements for digital financial asset businesses. 

As part of its consumer protection responsibilities, covered exchanges must ensure they are using reasonable diligence to ensure that the outcome to a California resident is as favorable as possible under prevailing market conditions, with compliance determined by factors such as:

• The character of the market for the digital financial asset, including price and volatility.
• The size and type of transaction.
• The number of markets checked.
• Accessibility of appropriate pricing.

Covered exchanges must, at least once every six months, review aggregated trading records of California residents against benchmarks to determine execution quality, shall investigate the causes of any variance, and shall promptly take action to remedy issues identified in that review. If a covered exchange cannot execute directly with a market and employs other means in order to ensure an execution advantageous to a California resident, the burden of showing the acceptable circumstances for doing so is on the covered exchange. ⁱⁱ

Licensed entities in California must also ensure that they provide a number of consumer protection-related disclosures. Examples of some of the disclosures required by the DFAL are: 

• A schedule of fees and charges the covered person may assess, the manner by which fees and charges will be calculated if they are not set in advance and disclosed, and the timing of the fees and charges.
• Whether a covered entity’s product or service is covered by either of the following:
  • A form of insurance or other guarantee against loss by an agency of the United States as follows:
    • Up to the full United States dollar equivalent of digital financial assets placed under the control of, or purchased from, the covered person as of the date of the placement or purchase, including the maximum amount provided by insurance under the Federal Deposit Insurance Corporation, National Credit Union Share Insurance Fund, or otherwise available from the Securities Investor Protection Corporation.
    • If not provided at the full United States dollar equivalent of the digital financial asset placed under the control of or purchased from the covered person, the maximum amount of coverage for each California resident expressed in the United States dollar equivalent of the digital financial asset.
• Private insurance against theft or loss, including cyber theft or theft by other means. Upon request of a resident with whom a covered person engages in digital financial asset business activity, a covered person shall disclose the terms of the insurance policy to the resident in a manner that allows the resident to understand the specific insured risks that may result in partial coverage of the resident’s assets.
• The irrevocability of a transfer or exchange and any exception to irrevocability.
• A description of all of the following:
  • The covered person’s liability for an unauthorized, mistaken, or accidental transfer or exchange.
  • A California resident’s responsibility to provide notice to the covered person of an unauthorized, mistaken, or accidental transfer or exchange.
  • The basis for any recovery by a California resident from the covered person in case of an unauthorized, mistaken, or accidental transfer or exchange.
  • General error resolution rights are applicable to an unauthorized, mistaken, or accidental transfer or exchange.
  • The method for a California resident is to update the resident’s contact information with the covered person.
• The date or time when the transfer or exchange is made and the resident’s account is debited may differ from the date or time when the resident initiates the instruction to make the transfer or exchange.
• Whether the resident has a right to stop a preauthorized payment or revoke authorization for a transfer and the procedure to initiate a stop-payment order or revoke authorization for a subsequent transfer.
• The resident’s right to receive a receipt, trade ticket, or other evidence of the transfer or exchange.
• The resident’s right to at least 14 days prior notice of a change in the covered person’s fee schedule, other terms and conditions that have a material impact on digital financial asset business activity with the resident, or the policies applicable to the resident’s account.
• A list of instances in the past 12 months when the covered person’s service was unavailable to 10,000 or more customers seeking to engage in digital financial asset business activity due to a service outage on the part of the covered person and the causes of each identified service outage.
• The conclusion of a digital financial asset transaction must provide a California resident with a confirmation in a record which contains all of the following:
  • The name and contact information of the covered person, including the toll-free telephone number required by the DFAL.
  • The type, value, date, precise time, and amount of the transaction.
  • The fee charged for the transaction, including any charge for conversion of a digital financial asset to legal tender, bank credit, or other digital financial asset, as well as any indirect charges. ⁱⁱ

Digital Financial Asset Transaction Kiosks

The second bill signed includes provisions for digital financial asset transaction kiosks, which are defined as electronic information processing devices that are capable of accepting or dispensing cash in exchange for a digital financial asset. 

Daily limits of one thousand dollars ($1,000) for accepting or dispensing cash will be required as well as limits on the amount of fees that can be charged. Fees must be limited to the greater of the following, five dollars ($5), or 15% of the United States dollar equivalent of digital financial assets involved in the transaction. The bill also includes customer disclosure requirements and regulatory reporting requirements. ⁱⁱⁱ

Penalties

The DFPI can assess a civil penalty of up to $20,000 per day to licensees or covered persons who materially violate the DFAL. Additionally, unlicensed entities engaging in digital financial business activity can be charged a civil penalty of up to $100,000 per day. ⁱⁱ  These civil monetary penalties are significantly higher than those in most states.

Ramifications

This new development in virtual currency regulation will create sweeping new requirements for virtual currency businesses in the state of California. The good news is that many of the requirements such as the establishment and maintenance of an AML program and InfoSec program are compliance requirements that many virtual currency companies already have in place. However, new requirements such as financial reporting, the assessment of whether a digital financial asset would be deemed a security by federal or California regulators, comprehensive risk assessment of cybersecurity, malfeasance, or market-related risks, and the myriad consumer protection disclosures needed to be provided to customers, will require many companies to implement significant new policies, procedures, and processes to ensure compliance. 

Additionally, the DFAL prohibits a covered person from engaging in digital financial business activity with an issuer of a stablecoin, if it is not a bank, trust company, or national association authorized under federal law to engage in a trust banking business or is licensed under the DFAL, which could potentially restrict the number of stablecoin issuers a licensed entity could work with once the DFAL comes into effect. 

Conclusion

For any digital financial asset service providers that want to get a head-start on beginning their digital financial asset license applications and building their compliance programs for the state of California, Ankura’s team of licensing, maintenance, and compliance professionals has extensive experience in assisting companies with licensing and regulatory compliance for all U.S. states and territories, including New York and California. Ankura has successfully assisted numerous cryptocurrency startups obtain licenses in the state of New York whose “BitLicense” licensing and regulatory framework bears many similarities to the one proposed by California’s DFAL. 

The DFAL provides the California Department of Financial Protection and Innovation (DFPI) with rule-making authority and an operative date of July 1, 2025. The DFPI will be charged with creating the regulatory framework to balance the needs of consumer protection with the needs of the crypto asset industry. This gives the industry some time to interpret the statute and any subsequent regulations that are written to ensure that they have implemented the required provisions of the DFAL in a timely manner. 

^{[i] Digital Financial Assets Law. Official website of the State of California. https://dfpi.ca.gov/dfal/#:~:text=Beginning%20July%201%2C%202025%2C%20companies,a%20license%20from%20the%20DFPI}

^{[ii] AB-39 Digital financial asset businesses: regulatory oversight. California Legislative Information. https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240AB39}

^{[iii] SB-401 Digital financial asset transaction kiosks. California Legislative Information. https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240SB401}

^{© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.}