Inside California’s new crypto rules: How DFAL and SB 401 will reshape digital asset regulation

California’s Digital Financial Assets Law (DFAL) establishes a statewide framework for regulating digital asset businesses, including cryptocurrency exchanges, wallet providers, and kiosk operators.

Below, we explain the law’s structure, objectives, and regulatory mechanisms, offering clarity to companies, investors, and consumers navigating the new compliance landscape.

Overview of California’s Approach

California’s approach to regulating digital financial assets marks one of the most comprehensive state-level frameworks in the United States. The DFAL was developed to:

• Establish licensing and supervision for crypto and digital asset companies.
• Promote transparency and consumer protection in digital asset transactions.
• Prevent fraudulent or unsafe practices while supporting responsible innovation.

Rather than banning or heavily restricting crypto businesses, California has opted for a measured regulatory model similar to the “BitLicense” system used in New York. It focuses on requiring digital asset companies to obtain a state license, meet capital and cybersecurity standards, and provide clear disclosures to consumers.

Connection Between AB 39, SB 401, and AB 1934

The DFAL framework is built from three related pieces of legislation passed between 2023 and 2024:

• AB 39 (Grayson, 2023): Establishes the Digital Financial Assets Law, creating a licensing requirement for companies that exchange, store, or transfer digital assets on behalf of Californians.
• SB 401 (Limón, 2023): Regulates digital financial asset transaction kiosks, which function like crypto ATMs, adding fee limits and disclosure obligations.
• AB 1934 (Grayson, 2024): Extends DFAL’s licensing deadlines by one year—from July 1, 2025, to July 1, 2026—and clarifies several operational provisions.

Together, these bills provide California with a unified legal foundation for digital asset regulation, ensuring oversight while allowing time for businesses and regulators to adapt before the July 2026 enforcement date.

Background and Legislative Overview

AB 39 (2023): Establishes the DFAL

Assembly Bill 39 created the Digital Financial Assets Law (DFAL), requiring that any person or business conducting “digital financial asset business activity” with California residents must be licensed by the DFPI.
This includes activities such as:

• Exchanging or transferring digital assets like Bitcoin or stablecoins.
• Storing digital assets for others.
• Issuing digital tokens redeemable for value.

The bill defines key terms, sets application and disclosure requirements, and authorizes DFPI to examine licensees, enforce compliance, and issue penalties for violations. It also mandates minimum capital, liquidity, and cybersecurity standards to safeguard consumers and the market.

SB 401 (2023): Regulates Digital Financial Asset Kiosks

Senate Bill 401 complements AB 39 by addressing digital financial asset transaction kiosks—machines where users can buy or sell crypto with cash. The bill:

• Requires kiosk operators to register all kiosk locations with the DFPI.
• Caps transactions at $1,000 per customer per day.
• Limits fees to the greater of $5 or 15% of the transaction’s value.
• Requires receipts and pre-transaction disclosures detailing fees and exchange rates.
• Mandates that kiosk operators ensure compliance with DFAL licensing once it becomes operative.

This ensures both consumers and regulators have visibility into kiosk operations, reducing the risk of fraud and inflated charges.

AB 1934 (2024): Extends Deadlines and Clarifies Provisions

Assembly Bill 1934 is a technical follow-up that primarily:

• Extends the DFAL operative date to July 1, 2026, giving DFPI additional time to finalize rules.
• Aligns stablecoin, kiosk, and disclosure requirements with the new timeline.
• Expands record-keeping requirements for licensees, including monthly compliance reports.
• Clarifies that DFPI may approve stablecoins only if they meet specific safety and redemption criteria.

Legislative Intent and DFPI’s Role

The California Legislature’s intent behind the DFAL is twofold:

1. Consumer Protection: Prevent losses due to fraud, mismanagement, or insolvency among crypto service providers.
2. Market Stability: Introduce predictable, transparent rules that give legitimate digital asset businesses a clear path to compliance.

To achieve this, the Department of Financial Protection and Innovation (DFPI) serves as the implementing agency. It has broad authority to:

• Develop and adopt regulations.
• Issue, suspend, or revoke licenses.
• Approve or deny stablecoin operations.
• Conduct examinations, audits, and enforcement actions.

The DFPI began its rule-making process in late 2023 and has invited public comment twice—first in early 2024 and again in late 2024—to ensure that the final rules are both effective and workable for the crypto industry.

Core Concepts and Definitions

Digital Financial Asset (DFA)

Under California’s Digital Financial Assets Law, a Digital Financial Asset (DFA) is defined as a digital representation of value that functions as a medium of exchange, unit of account, or store of value, and is not legal tender—meaning it is not government-issued currency such as the U.S. dollar.
This definition includes cryptocurrencies like Bitcoin, Ethereum, and certain stablecoins. It specifically excludes:

• Loyalty or rewards program credits that cannot be exchanged for legal tender.
• In-game digital currencies used solely within a publisher’s gaming ecosystem.
• Securities registered with, or exempt from registration by, the U.S. Securities and Exchange Commission or the California.

Digital Financial Asset Business Activity

A digital financial asset business activity refers to providing services that involve the exchange, transfer, storage, or issuance of digital financial assets on behalf of others.
This includes:

• Exchanging crypto for fiat currency or other digital assets.
• Holding or transferring digital assets for clients.
• Issuing redeemable tokens or other digital representations of value.
• Holding electronic precious metals or certificates that represent digital value.

The DFAL applies to any person or business conducting these activities with or on behalf of a California resident, whether or not the business is physically located in the state.

Covered Person, Licensee, and Operator

• A Covered Person is any entity required to obtain a license under the DFAL to engage in digital financial asset business activity.
• A Licensee is a person or business that has successfully received a DFAL license from the DFPI, authorizing it to operate legally within California.
• An Operator refers specifically to a person or company that owns, manages, or operates a digital financial asset transaction kiosk (similar to a cryptocurrency ATM) in California, as defined in SB.

Exempt Activities and Entities

Certain individuals and organizations are exempt from DFAL licensing requirements, including:

• Federal, state, and local government entities.
• Banks, trust companies, and credit unions with insured deposits.
• Registered securities broker-dealers and commodity traders regulated by federal agencies.
• Merchants accepting crypto as payment solely for goods or services.
• Individuals using digital assets for personal or household purposes only.
• Businesses with annual activity totalling less than $50,000 in digital financial asset transactions with California residents.

The DFPI also retains the authority to grant exemptions when regulation is deemed unnecessary for public protection or market integrity.

Licensing and Compliance Framework

Licensing Requirement

Beginning July 1, 2026, any entity conducting digital financial asset business activity with California residents must either:

1. Hold a DFAL license issued by the DFPI, or
2. Have submitted a complete license application that is still under review.

Unlicensed operation after that date will constitute a violation of state financial law, subject to enforcement and civil penalties.

Application Process

Applicants must provide detailed business, financial, and management information, including:

• Corporate identity, ownership, and key personnel details.
• Description of products, services, and marketing plans.
• Financial statements demonstrating adequate capital and liquidity.
• Evidence of cybersecurity, data protection, and operational security programs.
• Background checks and fingerprints for executives and responsible individuals.

The DFPI reviews each application to determine financial soundness, managerial competence, and overall fitness to operate within California’s regulatory environment.

Capital, Liquidity, and Security

Licensees must maintain:

• A surety bond or trust account in U.S. dollars for the protection of California residents.
• Minimum capital and liquidity reserves, proportionate to business risk, transaction volume, and customer exposure.
• High-quality, liquid assets sufficient to ensure solvency and uninterrupted.

Ongoing Reporting and Recordkeeping

Licensees are required to:

• Keep transaction records and ledgers for at least five years.
• Submit annual financial reports and operational disclosures to the DFPI.
• Pay annual regulatory assessments to cover administrative costs.
• Maintain documentation that demonstrates continuing compliance with DFAL rules and DFPI directives.

Failure to file reports, pay assessments, or maintain proper records can result in license suspension or revocation.

Examinations and Enforcement

The DFPI has authority to:

• Conduct on-site or remote examinations of licensees.
• Issue orders, suspend licenses, or impose civil penalties for violations.
• Take action against unlicensed operators conducting business with California residents.

Conditional and Out-of-State Licenses

The Commissioner may issue conditional licenses to certain applicants already licensed in other jurisdictions, such as New York virtual currency businesses, provided they meet equivalent standards and comply with DFAL’s requirements.

Regulatory Oversight

The DFPI’s rule-making authority under DFAL allows it to:

• Set application fees and capital thresholds.
• Define disclosure and reporting formats.
• Issue clarifying guidance and exemptions as market conditions evolve.

This flexible approach is intended to support regulatory clarity and consumer protection while enabling legitimate innovation in California’s digital asset sector.

Stablecoin Regulations

DFPI Approval Requirements for Stablecoins

The Digital Financial Assets Law (DFAL) requires that any person or business seeking to exchange, transfer, or store a stablecoin in California must ensure the stablecoin is approved by the Commissioner of the Department of Financial Protection and Innovation (DFPI). Approval is mandatory for all covered persons who wish to handle stablecoins as part of their digital financial asset business activity.

The DFPI may grant approval only if it determines that the stablecoin’s structure and reserve practices do not compromise the interests of California residents who use the asset for payments or as a store of value.

Criteria for Approval and Potential Restrictions

When evaluating whether to approve a stablecoin, the DFPI Commissioner considers several factors, including:

• Redemption rights available to holders—specifically whether users can redeem the stablecoin for U.S. dollars or equivalent bank or credit union deposits.
• Reserve quality and sufficiency—the nature, amount, and liquidity of the assets backing the stablecoin.
• Custody and ownership arrangements—whether the reserves are held securely and legally accessible in the event of liquidation or insolvency.
• Representations and marketing claims—how the issuer describes the stablecoin’s use, stability, and associated risks.
• Consumer risk exposure—the degree to which market, counterparty, or operational risks may affect users.

The DFPI may impose additional conditions or restrictions on an approved stablecoin, including limitations on redemption frequency, reserve composition, or marketing practices. The Commissioner may also require the issuer itself to obtain a DFAL license if its operations directly affect California residents.

Conditions for Revocation or Suspension of Approval

An approved stablecoin can lose its authorization if the DFPI determines that:

• The issuer misleads the public by suggesting the stablecoin poses no risk beyond that of traditional bank credit or stored-value products.
• The issuer or covered person changes business activities or reserve practices in a way that increases risk to California residents.
• Market conditions or structural issues emerge that could compromise redemption value or liquidity.
• The issuer or covered person violates DFPI-imposed requirements or prohibitions.

If approval is revoked, the stablecoin can no longer be legally exchanged, transferred, or stored under DFAL. All revocations and active approvals are published on the DFPI’s official website to ensure public transparency

Digital Financial Asset Kiosks

Definition of a Kiosk and Operator

A digital financial asset transaction kiosk is an electronic machine—similar to an ATM—that allows customers to buy or sell cryptocurrency for cash.
An operator is any individual or entity that owns, manages, or controls such kiosks in California. These kiosks typically allow direct cash-for-crypto transactions, making them a focal point for consumer protection efforts under DFAL and Senate Bill 401.

Pre-2026 Compliance Obligations

Although DFAL licensing does not take effect until July 1, 2026, kiosk operators are already subject to key requirements under SB 401 to protect consumers and ensure transparency.

1. $1,000 Daily Transaction Limit:

Since January 1, 2024, kiosk operators may not accept or dispense more than $1,000 per customer per day through any single or networked kiosk. This limit is designed to deter money laundering, fraud, and excessive exposure in cash-based digital asset transactions.

2. Fee and Disclosure Requirements:

Beginning January 1, 2025, kiosk operators must:

• Provide pre-transaction written disclosures in English and in the same language used for advertising or negotiation. Disclosures must include the transaction amount, exchange rate, fees, and any difference between the kiosk price and the market price on a licensed digital asset exchange.
• Issue detailed receipts showing the customer’s name, date, time, transaction amount, U.S. dollar equivalent, fee breakdown, and the exchange used to determine the digital asset price.
• Limit total charges (including spreads and fees) to the greater of $5 or 15% of the transaction’s value.

Violating these provisions can lead to administrative penalties and potential suspension of kiosk operations.

Post-2026 Licensing Obligations Under DFAL

Starting July 1, 2026, kiosk operators must also comply with the Digital Financial Assets Law licensing requirement. Operators that directly engage in buying or selling crypto through kiosks must either:

• Hold a DFAL license issued by the DFPI, or
• Partner only with DFAL-licensed entities that facilitate the underlying digital financial asset transactions.

Operators who merely lease or manage kiosks (without directly executing crypto transactions) must verify that any entity conducting those transactions is properly licensed.

Consumer Protections and Enforcement

The kiosk regulations are intended to safeguard customers from hidden fees, misleading pricing, and fraudulent operators. Enforcement authority rests with the DFPI, which can:

• Require operators to submit and update a list of all kiosk locations within California.
• Publish operator information publicly on its website for transparency.
• Conduct examinations and issue penalties for noncompliance.

These kiosk-specific protections remain in effect independently of DFAL licensing timelines, ensuring that California consumers receive accurate information, capped fees, and safer access to digital financial asset transactions well before full DFAL implementation in 2026.

Timeline and Implementation

Chronological Rollout of Requirements

2024: Kiosk Registration and Transaction Limits:

The first phase of implementation focuses on digital financial asset transaction kiosks under SB 401.

• As of January 1, 2024, all kiosk operators must submit to the DFPI a list of every kiosk they own, operate, or manage within California.
• Operators are restricted to no more than $1,000 per customer per day in accepted or dispensed funds through any kiosk.
• This phase establishes baseline monitoring and transaction controls to curb fraud and ensure transparency in crypto-to-cash exchanges.

2025: Disclosure and Fee Cap Requirements:

Effective January 1, 2025, additional consumer protection rules apply to kiosk operators.

• Operators must provide written pre-transaction disclosures that clearly state the total amount of crypto involved, fees charged, and the exchange rate used.
• They must issue detailed receipts after each transaction and limit total fees or spreads to the greater of $5 or 15 percent of the transaction’s dollar value.
• These measures ensure that consumers receive accurate pricing information and are protected from excessive or hidden charges before DFAL licensing begins.

2026: Licensing and Full DFAL Enforcement:

The complete regulatory framework takes effect on July 1, 2026, following the passage of AB 1934, which delayed the original operative date by one year.

• Beginning on this date, all companies conducting digital financial asset business activity—including exchanges, custodians, wallet providers, and stablecoin issuers—must either hold a DFAL license or have a pending license application on file with the DFPI.
• Stablecoins can be used or offered only if they are approved by the DFPI Commissioner and meet reserve, redemption, and disclosure requirements.
• Kiosk operators who execute crypto transactions must either hold a license or partner exclusively with licensed entities.

Violations after this date will expose businesses to civil penalties, suspension, or enforcement action by the DFPI.

DFPI Rulemaking Phases and Public Comment Periods

To prepare for the 2026 rollout, the DFPI is conducting a multi-stage rulemaking process to establish specific application procedures, fee schedules, capital thresholds, and ongoing reporting standards.

1. First Invitation for Comments (Late 2023 – January 2024):
   Gathered input on preliminary topics such as license application design, qualification criteria, and potential treatment of stablecoins.
2. Second Invitation for Comments (October 2 – November 18 2024):
   Requested further stakeholder feedback on application fees, operational disclosures, and transitional compliance issues.
3. Final Rule Development (2025):
   DFPI will draft and publish proposed regulations based on industry feedback, with final adoption expected before the July 1 2026 effective date.

Through this phased process, DFPI aims to balance investor and consumer protection with market innovation, ensuring that licensed entities operate under clear and uniform standards statewide.

Key Impacts by Stakeholder

DFPI Rulemaking Process

Overview of the Process

The Department of Financial Protection and Innovation (DFPI) is responsible for translating the Digital Financial Assets Law (DFAL) into specific administrative rules that define how businesses will apply for licenses, maintain compliance, and report activities.

Rulemaking ensures that the statutory framework created by AB 39, SB 401, and AB 1934 is implemented in a practical, enforceable manner that addresses evolving market conditions in the digital asset sector.

Stages of Rule Development

The DFPI’s regulatory process follows a phased, consultative approach that includes public input and iterative drafting:

1. Preliminary Outreach (Late 2023):
   The DFPI conducted initial outreach to industry stakeholders, legal experts, and consumer protection groups to identify key areas requiring regulatory clarity—such as capital requirements, consumer disclosures, and licensing procedures.
2. First Invitation for Public Comment (Dec 2023 – Jan 2024):
   The first official comment period gathered responses from 18 organizations on topics including the design of the license application, stablecoin oversight, and potential exemptions for small-scale entities.
3. Second Invitation for Comment (Oct 2 – Nov 18 2024):
   A second round of feedback focused on specific operational issues—application fees, data-reporting mechanisms, and ongoing compliance responsibilities for licensees.
4. Draft Regulations and Public Hearing (2025):
   Based on these comments, the DFPI will publish proposed regulations under the California Administrative Procedure Act, allowing for an additional round of review before final adoption.
5. Final Adoption (By Mid-2026):
   The finalized rules are expected before the DFAL’s operative date of July 1, 2026, ensuring that businesses have clear licensing standards and compliance expectations.

Objectives of Rulemaking

The DFPI’s rulemaking priorities are to:

• Ensure consistent consumer protection and financial stability.
• Define measurable licensing standards for capital, liquidity, and security.
• Promote transparency and industry input throughout the process.
• Enable regulatory flexibility to respond to new technologies and business models.

Compliance Checklist

Pre-Licensing Preparation (2024 – 2025)

Businesses intending to operate under DFAL should begin aligning internal policies and documentation well before the July 2026 deadline:

• Review whether activities qualify as “digital financial asset business activity.”
• Establish corporate governance structures and designate responsible individuals.
• Develop written policies for information security, operational risk, and anti-fraud controls.
• Conduct internal audits to verify adequate capital and liquidity positions.
• Assemble required documentation: financial statements, ownership disclosures, and compliance manuals.

Application Stage (2025 – 2026)

When submitting a DFAL application, entities must ensure:

• All forms are complete and accurate per DFPI specifications.
• Fingerprints and background checks for key personnel are provided.
• Proof of a surety bond or trust account is included.
• Application and investigation fees are paid in full.
• A designated compliance officer is identified for DFPI correspondence.

Post-Licensing Obligations (Ongoing)

Licensed entities must maintain continuous compliance through:

• Annual financial reporting and payment of regulatory assessments.
• Five-year record retention for all resident transactions.
• Periodic reviews of cybersecurity and operational integrity.
• Immediate notification to the DFPI of any data breaches or major operational changes.
• Cooperation with DFPI examinations and timely responses to enforcement inquiries.

Recommended Best Practices

• Implement real-time transaction monitoring and suspicious-activity reporting.
• Maintain transparent customer-support procedures for disputes or redemption issues.
• Review DFPI communications regularly for rule updates and interpretive guidance.

Following these steps will help digital-asset firms transition smoothly into the DFAL regulatory framework and reduce the risk of non-compliance penalties.

In Summary

The Digital Financial Assets Law represents a significant evolution in how California regulates cryptocurrency and related digital-asset activities.

Through the combined framework of AB 39, SB 401, and AB 1934, the state has created a comprehensive licensing and oversight system designed to promote innovation while safeguarding consumers and market integrity.

Key milestones include early kiosk oversight in 2024, full disclosure and fee protections in 2025, and the implementation of a statewide licensing regime in 2026. The DFPI’s structured rulemaking process and continued engagement with stakeholders aim to ensure that regulation keeps pace with technological development.

For digital-asset businesses, the DFAL establishes a clear compliance pathway that rewards transparency and accountability. For consumers, it introduces stronger protections, fairer pricing, and increased trust in California’s rapidly expanding digital-finance ecosystem.

Sources and References

This guide draws directly from the official legislative texts that form the foundation of California’s Digital Financial Assets Law (DFAL) and related regulatory measures:

Assembly Bill 39 (2023) — Digital Financial Asset Businesses: Regulatory Oversight

AB 39 established the Digital Financial Assets Law, creating a comprehensive licensing and compliance framework for digital financial asset businesses under the Department of Financial Protection and Innovation (DFPI). It defines covered entities, outlines disclosure and record-keeping requirements, and authorizes DFPI examinations and enforcement actions. The law applies to exchanges, custodians, and wallet providers conducting business with California residents.

Senate Bill 401 (2023) — Digital Financial Asset Transaction Kiosks

SB 401 complements AB 39 by regulating digital financial asset kiosks, limiting cash transaction amounts, and requiring operators to issue clear, bilingual disclosures and transaction receipts. It mandates DFPI registration of kiosk locations and enforces fee caps to protect consumers. The bill ensures that on-site operators and their partners comply with DFAL licensing and transparency rules.

Assembly Bill 1934 (2024) — DFAL Implementation Extension and Stablecoin Oversight

AB 1934 amended the DFAL to extend its operative date from July 1, 2025, to July 1, 2026, giving digital asset businesses more time to obtain licensure and comply with DFPI requirements. It also refined record-keeping standards, clarified kiosk operator obligations, and expanded DFPI authority over stablecoin approvals, ensuring that only commissioner-approved stablecoins can be issued or exchanged in California.

Together, these three statutes establish the state’s regulatory foundation for digital financial asset activity, consumer protection, and stablecoin oversight.