Select Page
California’s Digital Financial Assets Law Takes Effect as Crypto Licensing Deadline Passes

On 1 July 2026, the licensing requirements under California’s Digital Financial Assets Law (DFAL) took effect, requiring cryptoasset businesses conducting covered activities with or on behalf of California residents to hold a licence from the California Department of Financial Protection and Innovation (DFPI), have submitted a completed licence application, or fall within a statutory exemption. The commencement of the regime moves California from targeted enforcement of crypto-related misconduct to direct licensing, supervision and examination of digital financial asset businesses.

The DFPI’s Digital Financial Assets portal confirms that the regime applies to many businesses engaged in exchanging, transferring or storing digital financial assets for California residents. Crypto exchanges, custodians, stablecoin businesses and digital financial asset kiosk operators are among the entities potentially within scope.

The Digital Financial Assets Law

Governor Gavin Newsom signed Assembly Bill 39 and Senate Bill 401 on 13 October 2023. Together, the two statutes established the DFAL.

Assembly Bill 39 introduced the principal licensing and supervisory framework, while Senate Bill 401 established additional requirements for digital financial asset transaction kiosks. Assembly Bill 1934 subsequently extended the licensing commencement date from 1 July 2025 to 1 July 2026.

From 1 July 2026, a person may not engage in, or hold itself out as being able to engage in, digital financial asset business activity with or on behalf of a California resident unless it:

  • holds a DFAL licence;
  • submitted a completed application by 1 July 2026 and is awaiting determination; or
  • qualifies for an exemption.

Under the legislation, an application is complete only where it includes the prescribed information, the non-refundable application fee and any additional information required under the DFPI’s regulations. Merely opening or partially completing an application through the Nationwide Multistate Licensing System would not, by itself, satisfy the statutory transitional condition.

Who falls within the regime?

The DFAL applies to a person doing business in California and to a person located elsewhere that conducts covered activity with or on behalf of a California resident.

Covered digital financial asset business activity includes:

  • exchanging, transferring or storing digital financial assets;
  • issuing a digital financial asset with authority to redeem it for legal tender, bank credit or another digital financial asset;
  • holding or issuing electronic interests in precious metals; and
  • exchanging certain in-game digital representations of value for legal tender or other digital financial assets.

The territorial reach of the DFAL means that an overseas or out-of-state business cannot determine its exposure solely by reference to its place of incorporation or physical offices. The decisive questions include whether it serves California residents, controls their digital assets, facilitates transactions for them or administers redeemable digital financial assets.

The statutory definition of a California resident extends beyond an individual domiciled in the state. It includes a person physically present in California for more than 183 days during the preceding 365 days, a person with a place of business in California and certain legal representatives of California-domiciled persons.

Crypto businesses should therefore review onboarding, geolocation and customer-classification controls rather than relying exclusively on a customer’s stated residential address.

Licensing is a substantive regulatory assessment

The DFAL licence is not a simple registration.

The DFPI is required to examine whether an applicant possesses a sound financial condition, appropriate competence and responsibility, relevant business experience, good character and general fitness. The regulator must also be satisfied that the applicant has a reasonable prospect of operating successfully and will conduct its activities in accordance with the DFAL and applicable regulations.

Applications may require extensive information concerning:

  • ownership and control;
  • executive officers and responsible individuals;
  • regulatory and litigation history;
  • financial statements and sources of funding;
  • capital and liquidity;
  • cybersecurity and operational-risk arrangements;
  • anti-money laundering and sanctions controls;
  • custody and asset-protection systems;
  • complaints and consumer-protection procedures; and
  • the digital financial assets and services the applicant proposes to offer.

The DFPI has published supporting materials including its Consent to Service of Process, Covered Exchange Certification and Personal Financial Statement.

The application process reaches beyond the applicant entity itself. Depending on the business model and regulatory status, the DFPI may require formal submission to its jurisdiction, financial information concerning relevant individuals and certifications relating to digital financial assets proposed to be listed or offered.

The boundary between digital assets and securities

The DFAL does not replace federal or California securities law.

A “digital financial asset” under the DFAL excludes a security registered with, or exempt from registration by, the United States Securities and Exchange Commission, as well as a security qualified with, or exempt from qualification by, the DFPI. That exclusion does not mean that a security token or other investment instrument is unregulated. Rather, the regulatory analysis shifts from the DFAL to the applicable federal and state securities frameworks.

Businesses issuing or offering tokenised investment instruments should therefore assess whether the asset must be registered, qualified or offered under an available exemption. The DFPI’s Securities Frequently Asked Questions and Answers addresses California qualification and notice-filing requirements, including the Section 25102(f) limited offering exemption and state filings connected with federal Rule 506 offerings.

The consequence is that token classification should precede licensing analysis. A firm should not assume that an asset falls outside the DFAL without considering whether the instrument is instead regulated as a security.

Consumer protection and continuing supervision

Licensed businesses will be subject to continuing regulatory obligations rather than a one-time approval process. The DFAL requires, among other matters, sufficient capital and liquidity, appropriate security or bonding arrangements, maintenance of customer asset entitlements, record keeping, regulatory reporting and submission to DFPI examination.

Licensees must also provide disclosures concerning fees, charges, insurance coverage, unauthorised or mistaken transactions and service interruptions. The regime requires weekday live telephone support for California residents and imposes specific safeguards concerning stablecoin offerings.

These requirements place operational resilience, customer service and asset protection within the core licensing framework. They should not be treated as policies to be drafted only after the licence has been granted.

Crypto kiosk obligations

Digital financial asset kiosk operators are subject to additional requirements under Senate Bill 401. Since 1 January 2024, kiosk operators have been required to:

  • report their California kiosk locations to the DFPI;
  • update the location list within 30 days of any change;
  • limit transactions to US$1,000 per customer per day; and
  • provide customers with transaction receipts containing prescribed information.

Since 1 January 2025, kiosk operators have also been required to provide clear pre-transaction disclosures and limit direct and indirect charges connected with a single transaction to the greater of US$5 or 15% of the United States dollar value of the digital financial assets involved.

From 1 July 2026, kiosk operators conducting digital financial asset business activity must also satisfy the DFAL licensing requirement. An operator that permits another person to provide covered services through its kiosks must ensure that the service provider is appropriately licensed.

Implications for crypto businesses

The passing of the licensing deadline changes the nature of the compliance risk. Businesses that submitted applications should verify that the submissions were complete and that any subsequent DFPI information requests are answered accurately and promptly. Firms that did not submit completed applications must determine whether they are exempt or whether California-facing activities should be suspended pending authorisation.

Applicants and existing operators should also review:

  • whether their customer-location controls reliably identify California residents;
  • whether each product falls under the DFAL, securities law or another regulatory framework;
  • whether custody and reserve arrangements match customer entitlements;
  • whether listed assets have undergone documented legal and risk review;
  • whether capital, liquidity and bonding arrangements remain sufficient;
  • whether cybersecurity and incident-response procedures are operational; and
  • whether public disclosures are consistent with the firm’s application and actual business model.

Our observations

The DFAL is significant not simply because California has introduced another crypto licence, but because of the regulatory standard it establishes.

The regime treats crypto exchanges, custodians, administrators and kiosk operators as supervised financial businesses. Licensing decisions will turn on financial condition, management fitness, consumer protection, technological resilience and the ability to demonstrate continuing compliance.

It also creates a dual classification exercise. Firms must first determine whether an instrument is a digital financial asset within the DFAL and must then consider whether federal or California securities, commodities, payments or money-transmission laws apply independently.

For international crypto businesses, the central lesson is direct: access to California residents may create California regulatory jurisdiction even where the business has no physical presence in the state. The appropriate response is not a narrow licence check, but a documented product-by-product, activity-by-activity and customer-by-customer assessment of the firm’s California exposure.

Sources: California Department of Financial Protection and Innovation, Digital Financial Assets; California Digital Financial Assets Law; Senate Bill 401; DFPI licensing publications, forms and securities guidance.