California Enacts Landmark Digital Assets Licensing Law
On October 13, California Governor Gavin Newsom signed AB 39, called the Digital Financial Assets Law (DFAL), to regulate companies engaged in digital asset activities in California. The DFAL is a comprehensive regulatory framework for digital asset companies, including licensing, disclosure, reporting and recordkeeping requirements, establishment of examination and enforcement powers, and other requirements with significant implications for California digital asset companies as well as out-of-state companies that engage in a digital asset business in California. The law requires virtual currency exchanges and other businesses engaged in digital asset activities to take measures to protect consumers. The law becomes effective on July 1, 2025. California simultaneously passed SB 401, which regulates digital asset ATMs.
California is the third state to introduce a license framework for companies engaged in the digital asset business, following New York and Louisiana. In June of 2015, the New York State Department of Financial Services (NYDFS) issued the first-in-the-nation virtual currency regulation (BitLicense). Until the DFAL was enacted, California had not taken a definitive position on whether digital asset firms were subject to California’s existing money transmission regulatory framework, and digital asset firms had not been required to obtain a money transmission license to operate in California, as required by other states. Many requirements imposed by the DFAL, such as disclosure, various policies and procedures (including antifraud, disaster recovery, and anti-money laundering programs), and capital requirements are similar to those required by the BitLicense regime. This Advisory provides an overview of the DFAL, a comparison with the NYDFS BitLicense regulation, and includes key takeaways and other considerations for institutions that would be covered by the DFAL.
Covered Institutions and Activities
The DFAL applies broadly to any person or entity that engages in, or holds itself out as engaging in, a “digital financial asset business activity” with, or on behalf of, a California resident. “Digital financial asset business activity” is broadly defined to include:
- Exchanging, transferring, or storing a digital financial asset or engaging in digital financial asset administration, whether directly or through an agreement with a digital financial asset control services vendor
- Holding electronic precious metals or electronic certificates representing interests in precious metals on behalf of another person or issuing shares or electronic certificates representing interests in precious metals
- Exchanging one or more digital representations of value used within one or more online games, game platforms, or family of games for either a digital financial asset offered by or on behalf of the same publisher or legal tender or bank or credit union credit outside the online game, game platform, or family of games offered by or on behalf of the same publisher
Notably, the third provision above implies that if in-game virtual currencies or tokens can be redeemed for a digital financial asset or cash, such activity may be within the scope of the DFAL licensing requirement.
“Digital financial asset” (DFA) means a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated in legal tender. DFA expressly excludes reward points and value issued and usable only within an online gaming platform, similar to carveouts under the NYDFS BitLicense regulation. The definition of DFA also excludes securities that are registered, or exempt from registration, with the U.S. Securities and Exchange Commission (SEC).
The DFAL explicitly does not apply to the activity by certain persons, including government agencies, banks, certain trust companies and credit unions, and notably:
- Persons whose participation in a payment system is limited to providing processing, clearing, or performing settlement services solely for transactions between or among persons that are exempt from the licensing requirements
- Providers of connectivity software or computing power to secure a network or of storage or security services
- Persons using a digital financial asset or obtaining a digital financial asset as payment solely for the person’s behalf for personal, family, or household purposes or academic purposes
- Persons whose digital financial asset business activity with, or on behalf of, California residents is reasonably expected to be valued, in the aggregate, on an annual basis at $50,000 or less
- Merchants who accept a DFA as payment for goods or services that do not include DFAs themselves
- Entities registered under the federal Commodity Exchange Act (CEA) to the extent activities are conducted under the CEA, are actually regulated by the Commodity Futures Trading Commission, and are entitled to preemption
- Persons registered as a securities broker-dealer under federal or state securities laws to the extent of their operation as broker-dealers
In addition to the enumerated exemptions, the DFAL authorizes the Commissioner of the California Department of Financial Protection and Innovation (DFPI) to further exempt any class of persons or transactions either by regulation or order, if the Commissioner finds such action to be in the public interest.
The DFAL Licensing Requirements
Effective July 1, 2025, covered persons must be licensed or have submitted a licensing application. While the application requirements under the DFAL are similar to those for a traditional money transmitter, the requirements go further, requiring applicants to have policies and procedures to address business continuity, disaster recovery, and an anti-fraud and general compliance program. In addition, the applicant must provide insurance coverage information, information about licenses held in other states, and information about the controlling persons of the applicant.
The DFAL allows for conditional licensure for an applicant with a pending license application, if that applicant holds a BitLicense with the NYDFS or is chartered as a New York State limited purpose trust company with approval to conduct a virtual currency business in New York issued on or before January 1, 2023.
The DFAL subjects licensees to extensive ongoing compliance obligations, which largely track the requirements of the NYDFS BitLicense regulation. Key obligations under the DFAL include:
- Maintaining sufficient capital and liquidity, and a surety bond or trust account in the amount as determined by the DFPI
- Maintaining comprehensive records of all DFA business activity with or on behalf of residents for five years after the date of the activity
- Submitting an annual report to the DFPI, including, among other things, financial statements, descriptions of material changes in various aspects of business operations, data security breach or cybersecurity events, and transaction data
- Obtaining DFPI approval for certain corporate reorganizations or changes in control, including merger or consolidation
- Providing required disclosures to residents before and after engaging in DFA business activity with them, including, among other things, disclosure of fees, information regarding whether the product or service is insured against loss, recognition that the transaction is irrevocable, liability for unauthorized transactions, and disclosure of a California resident’s right to at least 14 days’ prior notice of a change in a fee schedule
- Maintaining an amount of each type of DFA, which must be in its control and sufficient to satisfy the aggregate entitlements of such persons and not subject to the claims of the licensee’s creditors1
- Establishing and maintaining various policies and procedures, including, among other things, business continuity program, disaster recovery program, anti-fraud program, anti-money laundering and counter-terrorism program, information security program, and operational security program
The DFAL prohibits a person from exchanging, transferring, or storing stablecoins unless (1) the stablecoin issuer is an applicant, licensee, bank, or trust company and (2) the issuer at all times holds eligible securities with an aggregate market value of no less than the value of outstanding stablecoins issued or sold. The DFPI has discretion in approving which stablecoins are approved for exchange, transfer, or storage, looking at enumerated factors such as “any legally enforceable rights provided by the issuer of the stablecoin to holders of the stablecoin” and “amount, nature, and quality of assets owned or held by the issuer of the stablecoin that may be used to fund any redemption requests from residents.” In addition, the DFAL provides that the DFPI may require issuers of stablecoins to be licensed by the DFPI prior to issuing certain stablecoins.
Similar to the requirements imposed under the NYDFS BitLicense regulation, the DFAL imposes specific obligations on exchanges. Among other things, an exchange must certify that it has done the following:
- Identified the likelihood that the DFA would be deemed a security by federal or California regulators
- Conducted a comprehensive risk assessment designed to ensure consumers are adequately protected from cybersecurity risk, risk of malfeasance, including theft, risks related to code or protocol defects, or market-related risks, including price manipulation and fraud
- Established policies and procedures to reevaluate the appropriateness of the continued listing or offering of the DFA and to cease listing or offering the DFA
Notably, certification is not required for any DFA-approved for listing on or before January 1, 2023, under the BitLicense regulation.
The DFPI may take an enforcement action against a licensee or a person who is not a licensee but has engaged in DFA business activity in various instances, including, among other things, material violation of the DFAL or other applicable laws, failure to cooperate in a DFPI examination or investigation, and engaging in an unsafe or unsound act of practice. Persons that are not licensees engaging in DFA business activity with, or on behalf of, a California resident can be charged a civil penalty of up to $100,000 per day. In addition, the DFPI can assess a civil penalty of up to $20,000 per day for a material violation of, or for each act of omission that materially violates, the DFAL.
Comparison to NYDFS BitLicense Regime
While modeled after NYDFS’ BitLicense regime, the DFAL includes a few different requirements. Notably, under the DFAL, the definitions of exchange, transfer, or storage of a DFA require the assumption or maintenance of “control” of the asset. Control is defined as the power to “execute unilaterally or prevent indefinitely” a DFA transaction. In other words, a person cannot be engaged in the exchange, transfer, or storage of a DFA under the DFAL unless the person has the ability to execute unilaterally or prevent indefinitely a DFA transaction. On the other hand, the BitLicense regulation does not define the term “control,” even though the term is used several times in its definition of covered activities, leaving uncertainties as to the exact scope of covered activities. This difference opens the question whether decentralized exchanges, which perform the exchange of DFAs without taking possession or custody of the assets, could be subject to licensing requirements under the BitLicense regulation, but would not be subject to licensing requirements under the DFAL.
Under the DFAL, an exchange must certify to the DFPI that it has identified the likelihood that the DFA would be deemed a security by federal or California regulators before listing or offering it. This requirement to identify the “likelihood” that a DFA would be deemed a security appears to be more onerous than the BitLicense regulation’s requirement that a licensee consider regulatory risks before listing or offering a digital asset, including whether a regulator has determined that the digital asset is a security. Determining the likelihood that a DFA would be deemed a security may be extra burdensome to licensees, especially considering the current regulatory uncertainties regarding whether a digital asset is a security and ongoing SEC litigation against cryptocurrency companies.
In addition, the stablecoin-specific requirements under the DFAL are not as detailed as the NYDFS’s Guidance on the Issuance of U.S. Dollar-Backed Stablecoins. For example, the NYDFS guidance imposes more stringent reserve and redemption requirements than what the DFAL currently provides. Stablecoin issuers should keep in mind that the DFPI may adopt regulations or guidance that impose more robust requirements on stablecoin issuers, similar to the NYDFS guidance.
Digital asset companies that have already received a BitLicense from the NYDFS have distinct advantages in complying with the DFAL. The requirements under the DFAL largely track the requirements under the NYDFS BitLicense regulation. In addition, companies that hold a BitLicense may receive a conditional license from the DFPI while their application is pending before the DFPI.
While the DFAL does not take effect until July 1, 2025, institutions engaging in or planning to engage in digital asset activities in California should begin evaluating whether their current or planned activities will be subject to the DFAL. In addition, digital asset companies should pay attention to future developments regarding the DFAL, as the DFPI is likely to introduce implementing regulations and guidance prior to the law’s effective date.
While similar to the BitLicense regulation, the DFAL includes different requirements, which institutions looking to engage in DFA business activities in California will have to assess to determine what additional compliance measures are necessary to ensure regulatory compliance with both states.
Companies seeking a license under the DFAL should expect an extended application process if recent experience with the NYDFS is any indication.
A company is not required to be located in California, have California employees, or even be registered to do business in California in order to become subject to the DFAL. Merely engaging in business with California residents is sufficient. Continuing to engage in a DFA business with California residents without a license under the DFAL will likely subject that company to potential enforcement action, similar to actions taken by the NYDFS.
Institutions interested in how the DFAL may impact their businesses may contact any of the authors of this Advisory or their usual Arnold & Porter contact. The firm’s Financial Services team would be pleased to assist with any questions about the DFAL or digital asset regulation in general.
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.