California Becomes Latest State to Regulate Digital Assets

California Governor Gavin Newsom signed the California Digital Financial Assets Law (DFAL) and Senate Bill 401 on October 13, 2023, which together will regulate virtual currency activities within the state when the laws become effective on July 1, 2025. The laws establish license requirements, compliance obligations, and stablecoin approvals, among other guidelines.

California is the third state to introduce a license regime for those engaged in cryptocurrency activity, following New York and Louisiana.

Under the DFAL, a person (as detailed below) is prohibited from engaging in, or holding itself out as being able to engage in, digital financial asset business activity with or on behalf of a resident if such person does not meet certain criteria and obtain a license from the California Department of Financial Protection and Innovation (DFPI). Similar to New York’s BitLicense regulation, the DFAL’s definitions are key to understanding the scope of the law.

CRITICAL DEFINITIONS AND CARVEOUTS

• Digital financial asset is defined as “a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated as legal tender,” and provides for exclusions for reward points and value issued and usable only within an online gaming platform, similar to the New York BitLicense regulation’s carveout. In addition, digital assets that are securities registered, or exempt from registration, with the US Securities and Exchange Commission (SEC) are also not considered “digital financial assets” under the DFAL.
• Digital financial asset business activity means any of the following:
  • Exchanging, transferring, or storing a digital financial asset or engaging in digital financial asset administration, whether directly or through an agreement with a digital financial asset control services vendor (i.e., a person that has control of a digital financial asset solely under an agreement with a person that, on behalf of another person, assumes control of the digital financial asset).
  • Holding electronic precious metals or electronic certificates representing interests in precious metals on behalf of another person or issuing shares or electronic certificates representing interests in precious metals.
  • Exchanging one or more digital representations of value used within one or more online games, game platforms, or family of games for either of the following: (1) a digital financial asset offered by or on behalf of the same publisher from which the original digital representation of value was received; or (2) legal tender or bank or credit union credit outside of the online game, game platform, or family of games offered by or on behalf of the same publisher from which the original digital representation of value was received. This implies that if in-game tokens can be redeemed for a digital financial asset or cash, it may be within the scope of the licensing requirement.
• The DFAL explicitly does not apply to the activity by 17 categories of persons, including, among others, banks, certain trust companies and credit unions, and, notably
  • persons that provide processing, clearing, or settlement services solely for transactions between or among persons that are exempt from the DFAL licensing requirements;
  • persons using a digital financial asset or obtaining a digital financial asset as payment solely for the person’s behalf for personal, family, or household purposes or academic purposes;
  • a merchant that accepts a digital financial asset as payment for the purchase or sale of goods or services, provided that the goods or services do not include digital financial assets;
  • persons registered as a securities broker-dealer under federal or state securities laws to the extent of its operation as a broker-dealer;
  • those whose digital financial asset business activity with, or on behalf of, California residents does not exceed $50,000 per annum;
  • persons that (1) contribute only connectivity software or computing power to securing a network that records digital financial asset transactions or to a protocol governing transfer of digital representation of value; (2) provide only data storage or security services for those engaged in digital financial asset business activity; or (3) provide only to those who are exempt from the DFAL a digital financial asset as one or more enterprise solutions used solely among each other, with no agreement or relationship with a resident that is an end user of a digital financial asset.
• The DFAL provides that the DFPI commissioner may exempt any class of persons or transactions if the commissioner finds the exemption to be in the interest of the public.

LICENSE REQUIREMENTS

The application requirements for a license, while described as similar to those for a traditional money transmitter license, will impose on applicants enhanced requirements such as maintaining internal controls and related policies and insurance obligations.

Those already licensed by the New York Department of Financial Services (DFS) may have an advantage. While an application is pending with the DFPI, applicants that hold a license to conduct virtual currency business activity pursuant to the New York BitLicense regulations may be issued a conditional license, provided that the New York license was issued or approved no later than January 1, 2023.

ONGOING COMPLIANCE OBLIGATIONS

Licensees will be subject to myriad compliance requirements under the DFAL. Dual licensees subject to both the DFAL and New York’s BitLicense regime may discover that the DFAL is more onerous, as described in more detail below.

Covered Persons Must Control Digital Financial Assets

The DFAL contains many customer protections. A covered person (i.e., a person required to obtain a license) that has control over a digital financial asset for one or more persons is required to maintain in its control an amount of each type of digital financial asset sufficient to satisfy the aggregate entitlements of such persons.

To comply with this criterion, a covered person must hold the digital financial asset for the persons entitled to the digital financial asset. Thus, no digital financial asset held in such manner may be the property of the covered person or subject to the claims of the covered person’s creditors. To comply with these “control” requirements, a covered person may include in its contract with California residents a provision that states all of the following:

• A digital financial asset controlled by the covered person on behalf of the resident will be treated as a financial asset under Division 8 (commencing with Section 8101) of the Commercial Code.
• The covered person is a securities intermediary under Division 8 of the Commercial Code with respect to any digital financial assets under control of the covered person on behalf of the resident.
• The resident’s account or wallet provided by or through the covered person is a securities account under Division 8 of the Commercial Code.

The “control” requirements have been designed to protect customer assets and mitigate against a digital asset exchange changing its terms and conditions to obtain control over customer assets after having established a customer relationship.

Exchange Listing Requirements

Before listing or offering a digital financial asset, a covered exchange (i.e., a covered person that exchanges or holds itself out as being able to exchange a digital financial asset for a California resident) must certify to the DFPI that it has done the following:

• Identified the likelihood of whether the digital financial asset would be deemed a security by federal or California regulators. The California requirement to identify the “likelihood” that a digital financial asset would be deemed a security is more burdensome than the New York BitLicense coin listing policy guidance, which requires that a licensee consider regulatory risks before listing a coin, including whether a regulator has determined that the coin is a security. It is currently unclear whether the use of the term “likelihood” requires a California licensee to consider clear determinations where a token has been deemed to be a security, such as successful SEC enforcement actions, or whether a licensee must consider tokens identified in pending SEC complaints against crypto exchanges for unlawful securities offerings. Licensees will need to carefully craft their policies in this respect and make sure that they adhere to these policies.
• Conducted a comprehensive risk assessment designed to ensure consumers are adequately protected from cybersecurity risk, risk of malfeasance (including theft), risks related to code or protocol defects, or market-related risks (including price manipulation and fraud).
• Established policies and procedures to reevaluate the appropriateness of the continued listing or offering of the digital financial asset, including an evaluation of whether material changes have occurred.
• Established policies and procedures to cease listing or offering the digital financial asset, including notification to affected consumers and counterparties.
• Provided, in writing, full and fair disclosure of all material facts relating to conflicts of interest that are associated with the covered exchange and the digital financial asset.

Transaction Recordkeeping

The DFAL sets forth extensive recordkeeping requirements applicable to licensees, and licensees must maintain such records for five years after the date of the digital financial asset business activity to which the records relate. In addition to detailed transaction records, licensees must maintain general ledger records and reports of disputes with California residents.

Annual Report

Licensees will be subject to an annual report requirement, which includes financial statements and a description of material changes in the licensee’s financial condition; material litigation related to its digital financial asset business and involving the licensee or an executive officer or responsible individual of the licensee; any international, federal, state, or local investigation of the licensee (where permitted by applicable law); any data security breach or cybersecurity event of the licensee; the number of digital financial asset transactions with California residents since the prior annual report; the US dollar equivalent of such transactions; a list of all locations where the licensee engages in its digital financial asset business activity; and the number of California residents with whom the licensee engaged in digital financial asset business activity during the reporting timeframe.

Ad Hoc Reporting

Upon certain events, a licensee has 15 days to report the event to the DFPI. These events include material changes to application information or the annual report and a change of executive officer or responsible individual or change of control.

In addition, a licensee must report a change in digital financial asset business activity that may raise a legal or regulatory issue about the permissibility of such activity, may raise safety and soundness or operational concerns, or may cause the activity to be materially different from that identified in the licensee’s application.

M&A Approval

A licensee must seek DFPI approval before a proposed merger or consolidation, and the DFPI is not permitted to approve the merger or consolidation unless the DFPI commissioner finds that (1) the merger or consolidation will not result in a monopoly, (2) the surviving entity’s financial condition will be satisfactory, and (3) the surviving entity’s executive officers satisfy DFPI standards (i.e., they are of good character and sound financial standing, competent to engage in digital financial business activity), among other things.

Disclosure Requirements

Licensees will also be required to adhere to various disclosure requirements before engaging in digital financial business activity, including disclosure of fees, information regarding whether the product or service is insured against loss, recognition that the transaction is irrevocable, liability for unauthorized transactions, and disclosure of a California resident’s right to at least 14 days’ prior notice of a change in a fee schedule, among other disclosures.

Policies and Procedures

Licensees must establish and maintain various policies and procedures, including an information security program and operational security program, business continuity program, disaster recovery program, antifraud program, program to prevent money laundering, program to prevent funding of terrorist activity, and a program designed to ensure compliance with other state and federal laws, including detailed policies and procedures to minimize the probability that a licensee will facilitate the exchange of unregistered securities.

Enforcement

Persons that are not licensees engaging or about to engage in digital financial business activity with, or on behalf of, a resident can be charged a civil penalty of up to $100,000 per day. Similarly, if a licensee or covered person materially violates the DFAL, the DFPI can assess a civil penalty of up to $20,000 per day.

There is no private right of action under the DFAL except under a narrow carveout related to a covered person’s obligation to hold digital financial assets on behalf of California residents pursuant to the state Uniform Commercial Code.

STABLECOIN IMPLICATIONS

Notably, the DFAL prohibits a covered person from exchanging, transferring, or storing stablecoin where the issuer of such stablecoin is not a bank, trust company, or national association authorized under federal law to engage in a trust banking business or licensed under the DFAL. The DFAL imposes some requirements on stablecoin issuers, including that an issuer must own eligible securities on a one-to-one basis with its outstanding stablecoin.

The commissioner of the DFPI must approve a stablecoin before it can be exchanged, transferred, or stored in California or with California residents. The commissioner may approve a stablecoin if it determines that the stablecoin does not compromise the interests of the California residents who may use it as a payment for goods and services or as a store of value.

The following factors are considered when making this determination:

• Any legally enforceable rights provided by the issuer of the stablecoin to holders of the stablecoin, including rights to redeem the stablecoin for legal tender or bank or credit union credit;
• The amount, nature, and quality of assets owned or held by the issuer of the stablecoin that may be used to fund any redemption requests from California residents;
• Any risks related to how the assets are owned or held by the issuer that may weaken the ability of the issuer to meet any redemption requests from California residents;
• Any representations made by the issuer of the stablecoin related to its potential uses and risks of using the stablecoin as payment for goods and services or as a store of value; and
• Any other factors deemed material by the commissioner.

If the commissioner approves the stablecoin, a covered person may exchange, transfer, or store a digital financial asset or engage in digital financial asset administration with respect to such stablecoin.

The DFAL is not as detailed as New York’s stablecoin standards or its guidance (as explained below), but issuers should expect the DFPI to be familiar with the DFS guidance and adopt regulations or guidance that impose more robust requirements on stablecoin issuers than what the DFAL currently provides. By becoming familiar with the DFS requirements, an issuer subject to the DFAL will have taken the first step to set itself up for compliance with the future regime.

The New York DFS is responsible for approving stablecoin issued by state limited purpose trust companies or those with a BitLicense. Shortly after the collapse of an algorithmic stablecoin, TerraUSD, DFS issued guidance on US dollar–backed stablecoin issuances subject to DFS approval, focusing on redemptions, reserves, and attestations about the reserves. Pursuant to the guidance, a stablecoin is to be backed by a reserve with a market value of all outstanding units of the stablecoin at the end of each business day.

An issuer must also redeem stablecoin not more than two business days after a redemption request (i.e., it must “timely” redeem stablecoin except in extraordinary circumstances where a redemption could jeopardize the reserve requirement and DFS allows the exception). The reserves must be segregated from the issuer’s proprietary assets, held in custody with an appropriate custodian, and consist of eligible assets.

DFS also requires an independent certified public accountant to examine management’s assertions on a monthly basis and make its own attestations about these assertions. Although the guidance focused on these topics, other requirements apply to issuers, including cybersecurity, anti-money laundering and sanctions compliance, consumer protection, and other requirements.

REQUIREMENTS APPLICABLE TO DIGITAL FINANCIAL ASSET KIOSKS

The State Senate bill supplements the DFAL by prohibiting an operator of a digital financial asset kiosk from accepting or dispensing more than $1,000 a day from or to a customer through a kiosk.

Further, this law requires operators to provide certain written disclosures to a customer before the digital financial asset transaction takes place, including disclosure of terms and conditions of the transaction, whether the operator provides a method to reverse or refund a transaction (including any warnings if such transaction is final and cannot be reversed), the amount of the digital financial asset involved, and the amount of fees and other charges in US dollars, among other disclosures.

The law includes various customer protections and prohibits an operator from charging fees that exceed the greater of $5.00 or 15% of the US dollar equivalent of the digital financial assets involved in the transaction based on the market price of that same asset quoted by a licensed digital financial asset exchange.

WHAT’S NEXT?

The enactment of the new laws is significant as it pushes California to the forefront of the digital asset regulatory landscape with other states that have enacted similar requirements and effectively ends the ability of companies to freely engage in digital asset activities in California without adhering to a state regulatory framework. The new laws will require companies engaging in digital asset activities in California to evaluate whether their activities bring them within the scope of these laws and be prepared to apply for any necessary licenses.

Although a company that has already received a virtual currency business activity license from New York may receive a conditional license pending its application with California, there are aspects of the California requirements that differ from New York’s, and companies will have to assess what additional policies and procedures are necessary to ensure compliance in both states.

For example, while New York requires a licensee to consider whether a regulator has deemed a digital asset to be a security before listing the digital asset, the California law requires that a digital financial asset exchange identify the likelihood that a digital financial asset would be deemed a security under federal or state law. Given the SEC’s current posture that virtually all digital assets may be deemed securities, companies may find it difficult to identify digital financial assets that do not pose regulatory risk under the federal securities laws when complying with the DFAL.

Moreover, in light of the acknowledgment from Governor Newsom that certain aspects of the laws are ambiguous, as well as the legal complexity of engaging in digital assets activities throughout the United States, we expect further refinement of the DFAL requirements as the DFPI introduces regulations or guidance to supplement the law.

Law clerk Ann Reynolds contributed to this LawFlash.