California’s Regulation of Digital Assets

With the Digital Financial Assets Law (DFAL) set to become fully effective on 1 July 2026, California continues to deepen its leadership role in the research, recognition and regulation of digital assets. California’s economic scale and its status as a hub for emerging technologies make its business regulations particularly consequential, especially in less-charted financial territories such as cryptocurrency and blockchain. After years of attention and research in the California legislature, the DFAL is the state’s most comprehensive cryptocurrency regulation yet, capturing a wide range of businesses using digital assets in California or with California residents. Coming years after New York’s BitLicense and on the heels of new federal initiatives, the new California law has a deliberately broad reach and must be considered by any business engaging in cryptocurrency transactions within California or with, or on behalf of, residents of the state. While the DFAL will no doubt herald a new era of heightened regulation, it also marks a further legitimisation and institutional acceptance of digital assets as part of the mainstream financial landscape.

History of Digital Asset Regulation

California has been engaged in the regulation of digital assets for over a decade. Putting the DFAL into historical context, the following are some notable actions taken within the State of California since the emergence of crypto.

• In 2015, responding to the popularisation of Bitcoin and other cryptocurrencies in the state, the legislature enacted the California Alternative Currencies Act. This legislation overturned previous long-standing laws that prohibited the use of any currency outside of US dollars in commerce, and stated that the use of digital currency to purchase goods and services did not violate state laws. This was a significant movement in the legitimisation and normalisation of cryptocurrency.
• In 2018, the California Blockchain Working Group was established to evaluate potential uses, risks and legal concerns associated with the use of blockchain. The group was established to consider use cases for blockchain and propose necessary statutory amendments. In 2020, the working group delivered its report, which provided a formal definition of blockchain, potential applications for the use of blockchain and proposed legislation and legislative amendments. The working group was the state’s first formal endeavour to create meaningful state policy on blockchain.
• In 2022, California Governor Gavin Newsom signed an executive order to create a transparent consumer-focused regulatory approach to blockchain and crypto-assets. Addressing both the size of California’s economy and its reputation as a global innovation hub, this executive order proposed a proactive approach to blockchain regulation and set in motion a number of regulatory initiatives through collaboration between various government departments.
• In June 2025, the California State Assembly unanimously passed AB 1180, which would allow state agencies to accept cryptocurrency as payment for any fees required by the DFAL, paving the way for fully on-chain companies to operate in California. This legislation is still pending passage by the State Senate.
• Most recently, in October 2025, California’s Unclaimed Property Law was amended to include digital assets, subjecting dormant crypto held by custodial platforms to the same unclaimed property regime as traditional financial assets.

DFAL

In 2023, California enacted the DFAL, which creates a comprehensive regulatory framework focused on consumer protection for “digital financial asset business activity”. Effective 1 July 2026, businesses engaged in covered digital financial asset activity either in California or with California residents must either hold or have applied for a licence with the California Department of Financial Protection and Innovation (DFPI). The DFAL provides for a holistic licensing framework and raises digital financial asset activity to a similar standard as traditional banking activities.

Who must obtain a DFAL licence

Any business that is engaged in digital financial asset activity in California or with California residents must apply for and obtain a licence. The DFAL defines a digital financial asset as “a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated in legal tender”.

Digital financial asset activities covered under the DFAL include exchanging digital financial assets, transferring digital financial assets, storing or custodying digital assets, issuing tokens with redeemable value and operating crypto kiosks (ATMs).

Notably, the DFAL excludes from the definition of digital financial asset any asset deemed to be a security by the SEC. However, following passage of the DFAL, the SEC published guidance in March 2026 stating that, while digital assets may be the subject of an investment contract in certain contexts, the assets themselves are rarely securities. As a result, a single digital asset can be the subject of an investment contract in some contexts and not in others. Given this guidance and the fungible nature of digital assets, it is unlikely that this provision of the DFAL provides a workable exclusion.

Application to decentralised finance (DeFi)

In determining whether a business is exchanging, transferring or storing digital financial assets and is thus subject to licensing requirements, the DFAL considers who is controlling the digital asset. The DFAL defines “control” of digital financial assets as the “power to execute unilaterally or prevent indefinitely a digital financial asset transaction”. This limits the scope of the DFAL and provides clarity that the DFAL licensing requirements are limited to businesses actually exercising control over digital assets, which should be welcome relief to many DeFi protocols and developers.

However, the determination of whether a business controls digital financial assets and is therefore subject to the DFAL requires fact-specific analysis and cannot be applied broadly to different categories of digital asset businesses, including DeFi. For example, smart contracts execute automatically when preset criteria are met, which can suggest that no one possesses sufficient “control” over the resulting transaction. However, the person or team holding the admin key to such smart contracts may retain control to potentially stop, pause or redirect transactions, in which case they may exercise sufficient control to be subject to licensing requirements. Similar questions arise with multi-party computation wallets and multisig wallets, in which the question of control will turn on the practical reality of which party is holding (or not holding) sufficient keys or shards to authorise or stop a transaction. While the concept of “control” will be helpful in limiting the application of the DFAL to certain DeFi applications, the statute still leaves room for uncertainty, and control thresholds will need to be developed over time through the practical application of the DFAL.

Exemptions

The DFAL provides several practical exemptions from its licensing requirement, including:

• banks and other established financial institutions;
• government agencies;
• businesses with less than USD50,000 in annual digital asset activity with California residents; and
• merchants who merely accept digital assets as payment for goods or services.

Additionally, the DFAL allows the DFPI to issue a conditional licence to certain applicants who hold a New York BitLicense.

DFAL licensing

DFAL license applications are filed through the Nationwide Multistate Licensing System (NMLS), which is the system used by state regulators to license certain financial services businesses. Application requirements include:

• identifying information about the business, including control persons, bank information, fingerprints of executive officers and a certificate of good standing;
• details of any other licences that the business holds and any FinCEN registration;
• details regarding the digital financial asset activity that the business engages in, including how many California residents they have done, and intend to do, business with; and
• plans for compliance with the policies required by the DFAL, as described below.

Upon application, the DFPI will investigate the business to determine if it complies with all required criteria under the DFAL, and may be permitted to investigate the business premises. In making a determination, the DFPI will also consider the financial condition of the business, its general fitness for conducting the intended activity and the reasonable likelihood of success.

Businesses currently operating in California who apply for a licence by the 1 July 2026 deadline can continue to operate while their application is under DFPI review.

The DFPI has proposed several regulations under the DFAL to clarify certain components of the licensing framework, so new applicants should review the current regulations in effect at the time of application.

Obligations of DFAL licensees

DFAL licensees and applicants have significant go-forward obligations, similar to those of traditional financial institutions. These obligations include maintaining:

• policies and procedures relating to information security, business continuity, risk management, fraud prevention, prevention of money laundering, prevention of terrorist activities and compliance;
• minimum capital and liquidity amounts;
• a surety bond or trust account; and
• records, preparation of reports, and submission to supervision and examination by the DFPI.

DFAL licensees and applicants will also be required to provide disclosures to California residents. These disclosures include:

• a schedule of fees and charges to be paid by California residents;
• whether the licensee’s products and services are insured;
• whether a licensee is liable for unauthorised, mistaken or accidental transfers or exchanges;
• whether a resident has a right to stop a pre-authorised payment or revoke authorisation for a transfer; and
• a list of instances in the past 12 months when the licensee’s service was unavailable for 10,000 or more customers due to a service outage.

DFAL licensees and applicants will need to consider the interplay of California’s existing Money Transmission Act (MTA) with the DFAL. The MTA provides for California’s general licensing regime for “money transmission” in legal tender, and DFAL licensees and applicants may have dual compliance obligations under the MTA and the DFAL. The DFPI’s proposed regulations under the DFAL exempt most DFAL-covered digital financial asset transactions from additional MTA licensure.

Stablecoins

The DFAL creates more stringent compliance obligations for businesses that exchange, transfer or store stablecoins on behalf of California residents. Businesses must be a DFAL licensee/applicant or an exempt regulatory entity (which includes banks, California-licensed trust companies and national banks with trust power), and they must back outstanding stablecoins with a 1:1 reserve of “eligible securities” (as defined in the DFAL).

However, the federal Guiding and Establishing National Innovation for US Stablecoins Act (the “GENIUS Act”) was enacted on 18 July 2025 and creates federal compliance obligations for payment stablecoin issuers. The GENIUS Act pre-empts state law (including the DFAL) with respect to payment stablecoin issuers who have been federally qualified or subsidiaries of insured depository institutions or credit unions, but does not on the face of it pre-empt the DFAL with respect to exchanges, custodians or ATMs. The GENIUS Act allows payment stablecoin issuers who hold no more than USD10 billion in outstanding payment stablecoins to opt for regulation under state regulations instead of the GENIUS Act, provided the state government submits a certification to the federal government certifying that the state law is substantially similar to the GENIUS Act. The deadline for California to submit such certification with respect to the DFAL is 18 July 2026. As a result, the interplay between the GENIUS Act and the DFAL is not yet settled and will no doubt be an area of ongoing development.

Conclusion

The DFAL represents a significant shift towards normalising and institutionalising digital asset activity in California. By requiring businesses engaged in digital financial asset activity to obtain licensure and to operate in a supervisory and consumer-protection framework, the DFAL signals that this industry is no longer exploratory or speculative but is increasingly comparable to traditional financial services. At the same time, the DFAL leaves important questions open, including how the thresholds for “control” will be applied in practice, which business models may be exempted and how the DFAL will interact with the existing state MTA and the new federal GENIUS Act. Given the size of California’s economy and the DFAL’s reach beyond the state, the impact of the DFAL will undoubtedly reverberate throughout the national economy. Businesses engaging in digital asset activity should take note and be prepared to act by the 1 July 2026 deadline.