California’s Digital Financial Assets Law (“DFAL”) is about to become a much bigger issue for the crypto industry. Beginning July 1, 2026, certain companies serving California residents may not engage in covered digital financial asset business activity unless they are licensed by the California Department of Financial Protection and Innovation (“DFPI”), exempt, or have submitted a completed application on or before July 1, 2026 and are awaiting approval or denial. The law is not limited to large exchanges. Depending on the business model, it can affect crypto trading platforms, custodians, transfer services, stablecoin-related businesses, and digital asset transaction kiosk operators, including so-called crypto ATMs.
For California businesses, the message is straightforward: July 1, 2026 is not a soft milestone. It is the date on which the state’s licensure framework becomes operational for many digital asset businesses. For consumers, the law is also significant because it creates disclosure, custody, and conduct rules aimed at a market that has too often been defined by opacity, operational failures, and fraud.
What is California’s Digital Financial Assets Law?
California’s Digital Financial Assets Law, often called the DFAL, was created by AB 39 and SB 401, both signed in October 2023. AB 1934 later extended the licensure date from July 1, 2025 to July 1, 2026. In practical terms, the DFAL is California’s attempt to build a broad regulatory structure for many crypto businesses that serve Californians, while also imposing special rules on crypto kiosk operators.
The statute defines a digital financial asset broadly as a digital representation of value used as a medium of exchange, unit of account, or store of value, subject to specified carve-outs. It also defines digital financial asset business activity broadly enough to include exchanging, transferring, or storing digital financial assets, as well as certain administration activities. That means many companies that do not think of themselves as traditional financial institutions may still need to analyze whether they fall within the statute.
Just as important, the law is not confined to businesses physically located in California. If a company engages in covered activity with, or on behalf of, a California resident, the business should not assume it falls outside the statute merely because its headquarters are located elsewhere. Out-of-state and offshore crypto businesses therefore need to examine California exposure carefully, especially where the company offers custodial, exchange, transfer, or hosted-wallet services to California users.
Which crypto businesses should be paying attention now?
The short answer is that almost any company that exchanges, stores, or transfers crypto for Californians should be reviewing the law now. Companies that provide hosted wallets, custodial services, trading or exchange functions, or transfer services are the most obvious candidates for scrutiny. Businesses involved in stablecoin issuance or administration, or that provide infrastructure that effectively controls customer access to digital assets, should also be evaluating the statute carefully.
The statutory exemptions are important, but they should be read carefully rather than assumed. Certain banks, trust companies, and credit unions are excluded. The law also excludes a person using digital assets solely on that person’s own behalf for personal, family, or household purposes. There are also exemptions for a merchant accepting digital assets as payment for goods or services and for a person whose California-related digital financial asset business activity is reasonably expected to total $50,000 or less annually. But the closer a company gets to custody, exchange, or transfer activity for others, the less likely it can safely assume it falls outside the statute.
As a practical matter, businesses should be asking three threshold questions right now. First, are we engaging in activity that looks like exchange, custody, transfer, or administration of digital assets? Second, are we doing that with or on behalf of California residents? Third, are we clearly within a statutory exemption, or are we simply hoping that we are? The companies that delay that analysis risk finding themselves behind schedule as the July 1, 2026 deadline approaches.
What does the DFAL require from covered businesses?
The DFAL is not simply a licensing statute. It also imposes operational and consumer-protection obligations that go directly to how a covered business conducts itself. Applicants must satisfy standards related to financial condition, responsibility, competence, experience, good character, and fitness. In addition, the DFPI expects applicants to demonstrate that they can identify, manage, and mitigate risk. For many businesses, that means compliance work in areas such as governance, anti-money laundering controls, OFAC screening, fraud prevention, customer service, cybersecurity, and internal policies.
Covered businesses should also expect a formal application process. DFPI has directed prospective applicants to an NMLS-based process and has published application-preparation guidance focusing on governance, risk management, licensing standards, and consumer protection. Companies that have grown quickly without mature compliance functions may find that they need far more preparation than expected before they are ready to apply for a California license.
The statute also requires pre-transaction disclosures. Before engaging in covered activity with a California resident, a covered person generally must disclose applicable fees and charges, whether any insurance or guarantee applies, whether a transaction is irrevocable, whether there are stop-payment or revocation rights, whether the customer will receive a receipt or confirmation, and whether there have been material changes to fees or terms. The law also requires disclosure that digital financial assets are not currently recognized as legal tender by California or the United States. In certain situations, the law also requires disclosure of major service outages affecting large numbers of customers.
At the conclusion of a transaction, covered persons generally must provide a confirmation containing key details, including the name and contact information of the covered person, the type and amount of the transaction, and the fees charged, including indirect charges. Covered businesses must also prominently display a toll-free customer-service number and provide live customer assistance for at least 10 hours per day, Monday through Friday, excluding federal holidays. These obligations matter because they signal that California expects customer-facing crypto businesses to operate with a level of transparency and accessibility more consistent with regulated financial services than with the crypto industry’s historical informality.
Custody, Customer Entitlement, and Exchange Listing Obligations
Perhaps the most consequential part of the statute for customers is its custody framework. A covered person that controls digital assets for others must maintain sufficient amounts of each type of digital financial asset to satisfy aggregate customer entitlements. The statute also provides that such assets are held for the persons entitled to them, are not property of the covered person, and generally are not subject to claims of the covered person’s creditors. In certain insolvency or receivership scenarios, the statute treats those assets as being held in trust for customers.
That language is significant. One of the most persistent concerns in the digital asset space has been whether customer assets are truly segregated and whether customers stand ahead of the business’s general creditors if the platform fails. California’s statute attempts to address that concern directly. For custodial exchanges and wallet providers, that means asset segregation, reserve management, reconciliation, and recordkeeping are not just internal controls; they are core legal issues.
Covered exchanges also face asset-listing obligations. Before listing or offering a digital financial asset to California residents, a covered exchange generally must certify that it has evaluated securities-law risk, disclosed material conflicts, conducted a risk assessment addressing cybersecurity, code or protocol defects, fraud, price manipulation, and similar concerns, and adopted procedures for reevaluating and potentially delisting assets when warranted. For crypto businesses that have historically used informal or lightly documented listing processes, this is a major operational shift.
Stablecoins Deserve Special Attention
Stablecoins are not treated as an afterthought under California’s framework. In general, a covered person may not exchange, transfer, or store a stablecoin unless the issuer is an applicant, licensee, bank, certain trust company, or qualifying national association, and unless the issuer maintains eligible securities with market value at least equal to the amount of all outstanding stablecoins issued or sold. The commissioner also has authority to approve a stablecoin subject to additional conditions, restrictions, or prohibitions.
For businesses dealing with stablecoins, the compliance issues are therefore not limited to marketing or product design. Reserve quality, redemption mechanics, disclosure language, customer expectations, and regulatory approval questions all move to the center of the analysis. Businesses with any meaningful stablecoin exposure should expect California to view those operations through a consumer-protection and prudential-risk lens rather than as a purely technical product line.
Crypto ATM and Kiosk Operators Face Separate and Immediate Obligations
Crypto kiosk operators should not wait until late June 2026 to take California’s law seriously. Some kiosk-specific requirements have already been operative for more than a year. Beginning January 1, 2024, operators had to provide the DFPI with a list of all kiosk locations in California, could not accept or dispense more than $1,000 in a day to or from a single customer, and had to provide receipts containing specified information. Beginning January 1, 2025, operators also became subject to additional pre-transaction disclosure rules and fee restrictions. By July 1, 2026, kiosk operators that wish to continue doing business in California must have submitted a completed DFAL application if they are engaged in covered activity.
One of the most important kiosk rules is the fee cap. The DFPI has explained that, beginning January 1, 2025, an operator may not collect from a customer in a single transaction more than the greater of $5 or 15 percent of the U.S. dollar equivalent of the digital financial assets involved in the transaction. That detail matters because high-fee crypto ATMs have been a recurring area of consumer harm, especially in fraud scenarios involving elderly or otherwise vulnerable victims.
Operators should therefore be reviewing not only whether they need a license, but also whether their kiosk fleet, disclosures, fee calculations, receipt practices, customer-support procedures, and location reporting are already fully aligned with California law. Businesses that treat the kiosk rules as merely technical risk controls may miss the fact that these requirements are plainly aimed at a category of transactions regulators already view as high-risk from a fraud-prevention standpoint.
Operators should also take enforcement risk seriously. In 2025 and 2026, the DFPI publicly announced enforcement and refund activity involving Coinme relating to crypto kiosk violations. Those actions are a reminder that California is not simply publishing guidance and waiting to see what happens. The agency has already signaled that it expects kiosk operators to comply and is prepared to pursue enforcement where they do not.
What should consumers know before July 1, 2026?
For consumers, the DFAL does not eliminate crypto risk. It does, however, create a more structured framework that should make some parts of the market less opaque. Californians using custodial exchanges, hosted wallets, or crypto ATMs should pay close attention to transaction fees, spread disclosures, account confirmations, insurance or guarantee statements, customer-service access, and whether the business appears to be preparing for DFPI licensure.
Consumers should also avoid assuming that a business is trustworthy simply because it uses crypto-related branding or references compliance language. Fraud in the digital asset space remains heavily driven by impersonation, social engineering, fake support channels, and fabricated urgency. The existence of a licensing framework does not stop bad actors from pretending to be legitimate exchanges or wallet providers. If anything, scammers may misuse regulatory jargon to sound more credible.
That means basic safeguards still matter. Consumers should independently verify customer-support contact information, avoid sending additional funds to release supposedly frozen crypto, confirm whether the platform actually controls the assets in question, and slow down before using crypto kiosks or transfer services in response to unsolicited instructions. The more urgent the demand, the more skeptical the consumer should be.
What should crypto businesses do right now?
For crypto businesses serving California, the immediate task is not panic. It is triage. The companies most likely to be exposed are those that exchange, store, transfer, or administer digital assets for Californians while treating licensure as something they can solve later. July 1, 2026 is close enough that businesses should already be mapping product lines against the statute, evaluating exemptions, reviewing customer disclosures, assessing custody practices, and preparing application materials.
A good starting point is an internal gap assessment. Businesses should identify all California touchpoints, inventory customer-facing products, determine which entities in the corporate structure actually perform the regulated activity, review whether the company controls private keys or otherwise has custody-related exposure, and test its current disclosures against statutory requirements. They should also evaluate whether incident-response and outage-reporting practices are sufficiently mature.
For kiosk operators, the to-do list is even more concrete: verify daily transaction limits, fee calculations, receipt language, kiosk-location reporting, and application readiness. For exchanges and custodians, the focus should include disclosures, asset-listing procedures, customer-entitlement accounting, reserve practices, customer-support obligations, and any stablecoin-related activity. Businesses that start this work now will be in a far stronger position than businesses that wait until the final weeks before July 1, 2026.
Why does this matter for enforcement and litigation risk?
California’s law matters not only because it creates licensing obligations, but also because it increases the legal significance of how crypto businesses document and explain their conduct. A company that lacks required disclosures, cannot explain its custody practices, fails to track customer entitlements accurately, or operates kiosks in violation of fee or transaction limits may face regulatory exposure and private litigation risk at the same time.
For lawyers, compliance personnel, and business owners, that means DFAL readiness is not just a licensing issue. It is part of a broader risk-management and litigation-readiness analysis. If a dispute arises over frozen funds, account access, misleading platform statements, or questionable kiosk transactions, the company’s compliance record will matter. Businesses that have already aligned their disclosures, procedures, and customer-service practices with California requirements will be in a better position than businesses that are still trying to explain why they did not prepare sooner.
Frequently Asked Questions
Who needs a California DFPI crypto license? In general, any person engaging in covered digital financial asset business activity with, or on behalf of, a California resident should evaluate whether a DFPI license is required unless a statutory exemption clearly applies.
Do crypto ATM operators need a license by July 1, 2026? Operators engaged in covered activity generally must be licensed, exempt, or have submitted a completed application by July 1, 2026. They also need to comply with the kiosk-specific rules that already took effect in 2024 and 2025.
Does the law only apply to California companies? No. The statute is not limited to businesses headquartered in California. Companies outside California that serve California residents may still fall within the law’s scope.
Does the DFAL make crypto safe for consumers? No. The law creates more structure, more disclosures, and more accountability, but it does not eliminate fraud, platform failure, social engineering, or market risk.
Final Takeaway
California is not banning crypto. It is doing something more consequential: building a detailed state-level licensing and consumer-protection framework for businesses that serve Californians. For legitimate crypto companies, July 1, 2026 is a real compliance deadline. For crypto ATM operators, it is the next phase of a framework that is already reshaping how those businesses operate. And, for consumers, it is a reminder that California increasingly expects digital asset businesses to operate with transparency, accountability, and basic guardrails.
Businesses that exchange, store, transfer, or administer digital assets for California residents should be using this period to review whether the DFAL applies, whether a statutory exemption truly fits, and whether the company’s disclosures, custody practices, and customer-facing procedures are ready for regulatory scrutiny. Consumers, meanwhile, should continue treating digital asset transactions with caution, even as the legal framework becomes more structured. The companies that prepare now will be in a far better position than those that wait and hope the deadline moves again. So, if your business exchanges, stores, transfers, or administers digital assets for California residents, now is the time to review whether the Digital Financial Assets Law applies to your operations, disclosures, custody practices, and licensing obligations before July 1, 2026.