Background

On 13 October 2023, Governor Newsom signed Assembly Bill 39 and Senate Bill 401, together called the Digital Financial Assets Law (DFAL) (California Statutes 2023, Chapter 792; California Statutes 2023, Chapter 871). On 29 September 2024, Governor Newsom signed Assembly Bill 1934, extending the date of licensure under the DFAL from 1 July 2025 to 1 July 2026 (California Statutes 2024, Chapter 945; California Financial Code Section 3201). The DFAL establishes a licensing and supervision framework for certain crypto-related activities with or on behalf of California residents (California Financial Code Section 3201). Certain consumer protection rules for digital financial asset transaction kiosks apply earlier, including daily transaction limits from 1 January 2024 and fee caps and disclosures from 1 January 2025 (California Financial Code Sections 3902, 3904 and 3905). The Department of Financial Protection and Innovation (DFPI) has announced that it will begin accepting DFAL licence applications through the Nationwide Multistate Licensing System (NMLS) from 9 March 2026 (DFPI Monthly Bulletin – March 2026).

Under the Money Transmission Act, a person generally may not engage in the business of money transmission in California, or hold itself out as providing money transmission, unless licensed or exempt (California Financial Code Section 2030). Assembly Bill 39 creates a parallel prohibition for “digital financial asset business activity” with or on behalf of a California resident unless the person is licensed, has a timely application pending, or is exempt (California Financial Code Sections 3201 and 3103).

Senate Bill 401 adds consumer protection requirements for operators of digital financial asset transaction kiosks (broadly, crypto “ATMs”) located in California, including location reporting, daily transaction limits, fee caps, disclosures and receipts (California Financial Code Sections 3901–3907).

Application: AB 39

The DFAL prohibits a person from engaging in digital financial asset business activity, or holding itself out as being able to engage in digital financial asset business activity, with or on behalf of a California resident unless licensed, a timely applicant, or exempt (California Financial Code Section 3201). “Digital financial asset business activity” includes, among other activities, (i) exchanging, transferring or storing a digital financial asset; (ii) digital financial asset administration (issuing a digital financial asset with the authority to redeem it for legal tender, bank or credit union credit, or another digital financial asset); and (iii) certain precious metals certificate activity (California Financial Code Section 3102(h) and Section 3102(i)).

This headline prohibition turns on two key defined terms: first, “digital financial asset” and, second, “digital financial asset business activity” (California Financial Code Section 3102(g) and Section 3102(i)).

Part 1: “What is a Digital Financial Asset Under the DFAL?”

California Financial Code Section 3102(g)(1) defines “digital financial asset” as a digital representation of value used as a medium of exchange, unit of account or store of value, and that is not legal tender, whether or not denominated in legal tender. The definition is intentionally broad, but it is narrowed by specific exclusions (see below) and by the commissioner’s ability, by regulation or order, to exempt persons, transactions or classes of persons/transactions where in the public interest.

It is helpful to analyse these categories in light of the stated exclusions, which are: (A) a transaction in which a merchant grants, as part of an affinity or rewards programme, value that cannot be taken from or exchanged with the merchant for legal tender, bank or credit union credit, or a digital financial asset; (B) a digital representation of value issued by or on behalf of a publisher and used solely within an online game, game platform, or family of games sold by the same publisher or offered on the same game platform; and (C) a security registered with or exempt from registration with the US Securities and Exchange Commission or a security qualified with or exempt from qualification with the department (California Financial Code Section 3102(g)(2)(A)–(C)).

Factoring in the exclusions, one of the most clearly in-scope categories of assets are “stablecoins” (eg USDC). For the DFAL’s stablecoin chapter, a “stablecoin” is a digital financial asset pegged to USD or another national currency and marketed so as to create a reasonable expectation that it will retain a stable nominal value.

Note, the DFAL also contains stablecoin-specific restrictions. From 1 July 2026, a covered person generally must not exchange, transfer, or store a stablecoin (or engage in digital financial asset administration relating to a stablecoin) unless the issuer is appropriately licensed (or otherwise eligible) and maintains eligible securities with an aggregate market value at least equal to its outstanding stablecoins (California Financial Code Sections 3601(a) and 3605).

Apart from being a reference, stablecoins easily qualify under this definition. They act as a functional proxy for money in many contexts and would easily qualify as a medium of exchange (and potentially also a unit of account and store of value), while not constituting legal tender. As a practical matter, businesses already registered as a money services business with FinCEN and licensed in one or more states as a money transmitter may find that DFAL compliance builds on existing consumer protection and anti-money laundering controls .

The application of the DFAL to other digital assets is less clear-cut, however. The DFAL’s core definition focuses on how the token is used (medium of exchange, unit of account or store of value), but those labels can be contestable in practice. Almost any fungible asset could, in theory, be used as a medium of exchange; similarly, many networks use a native token for accounting and fee payment (which may point towards “unit of account” status, at least within the digital asset’s network). Finally, while “store of value” has a commonly understood meaning in finance, many (if not the vast majority) digital assets exhibit significant volatility.

In practice, firms should expect the classification exercise to be fact-dependent and, in some cases, uncertain. It would be cautious to assume that any fungible digital asset that is not covered by an exclusion falls within the DFAL’s definition of a “digital financial asset” for these purposes, as illustrated by the following analyses of some exemplary classes of digital assets.

Layer-1 blockchain native tokens

Bitcoin illustrates both the breadth and the ambiguity of the “medium of exchange/unit of account/store of value” language. Bitcoin is used as a means of exchange in some contexts, but price volatility may make it an inefficient one, and similarly an unstable unit of account in everyday pricing. It is also widely used as an investment asset and could be viewed as a store of value, albeit one with significant volatility.

Within a given network, a “native” token may also function as a unit of account for network activity (eg, Bitcoin transaction fees are denominated in BTC; Ethereum gas fees are denominated in ETH). Outside the network, the same asset may be used as a unit of account in limited contexts, but again, volatility constrains the practicality of day-to-day pricing use.

This suggests that many (if not most) Layer-1 native tokens could, at least in principle, fall within the definition by functioning as a unit of account (and, at least with respect to payments to node operators and other network infrastructure providers, a medium of exchange) within their own networks. However, practical classification will remain fact-dependent and may turn on how the asset is used, marketed and held by consumers.

Other fungible tokens

Other fungible digital assets built on top of Layer-1 networks, such as Ethereum network ERC-20 tokens, present a more challenging case. Some are intended to operate as governance mechanisms, others as consumptive goods, and others as payment or settlement instruments. The variability is too broad to analyse globally. Persons handling such tokens should therefore assess whether the token is reasonably characterised as a medium of exchange, unit of account or store of value. Questions to ask might include:

• Is there a stated intent to function as one of these categories in the issuer’s documents, such as its “whitepaper”?
• Does the digital asset have any function other than acting as a medium of exchange, unit of account or store of value? (This will not be dispositive, as there is no explicit carve-out for “utility” tokens, but it may be relevant to the overall characterisation.)
• Is the digital asset a “tokenised” version of an asset that is commonly used as a medium of exchange, unit of account or store of value (much as USDC is, to some extent, a tokenised version of the US dollar)?

If the answer is unclear, and the asset in question is divisible and fungible (thus at least amenable to use as a medium of exchange or unit of account), it may be defensive to assume coverage and proceed to an analysis of the activity in question.

Non-fungible tokens

Non-fungible tokens (or NFTs) might seem unlikely to qualify, but this may not be the case. To start, fine art is often considered a store of value and, for a time, NFT artworks sold for prices comparable to those of renowned historical artists – most of which rapidly lost that valuation. Does this mean that, for a limited time, limited edition NFTs were a store of value, but are no longer because they have subsequently proved to perform poorly financially? Perhaps, but this is not obvious, and would imply that digital assets may come and go from the statute. Moreover, an NFT that represented a real-world asset which was itself a store of value may also qualify.

NFTs are less likely to implicate mediums of exchange (given their non-fungibility), but many “series” NFTs (series of multiple substantially similar or identical NFTs) could be a unit of account as a consumable asset within a platform or network.

Much as with fungible, layer-2 tokens, persons engaging in digital financial asset business activity with non-fungible tokens will need to evaluate whether it may be covered by the statute – although such person may not get a clear answer.

Securities exclusion – a cautionary note

The securities exclusion is a potentially appealing tool given recent enforcement history in the blockchain space. However, many tokens may not clearly be “securities” for purposes of the DFAL even if their distribution implicates securities laws (eg, a token’s initial distribution may raise securities law issues even if the token later functions primarily as a consumptive or governance instrument), especially in the case of tokens that were not explicitly structured as a standard class of conventional securities, such as tokenised stock. An issuer’s public positioning, distribution practices, and (where available) regulator views on whether its outstanding token constitutes a security may therefore be relevant both for ensuring securities compliance and for analysing whether the DFAL’s securities exclusion is available.

Part 2: “What is Licensable Digital Financial Asset Business Activity Under the DFAL?”

California Financial Code Section 3102(i) defines “digital financial asset business activity” to include:

• persons (whether an individual or company) who engage in, or hold themselves out as engaging in, the exchange, transfer, or storage of digital financial assets with, or on behalf of, California residents (California Financial Code Section 3102(i)(1)); with respect to the transfer, exchange, or storage of digital financial assets, the DFAL applies if a provider exerts control over another person’s digital financial assets; 
• persons who engage in digital financial asset administration (issuing a digital financial asset with the authority to redeem the digital financial asset for legal tender, bank or credit union credit, or another digital financial asset) (California Financial Code Section 3102(h) and Section 3102(i)(1));
• persons who issue electronic certificates representing interests in precious metals or who hold such certificates for others (California Financial Code Section 3102(i)(2)); and
• persons who exchange certain digital representations of value used within online games for either (i) a digital financial asset offered by or on behalf of the same publisher, or (ii) legal tender or bank or credit union credit outside the relevant game ecosystem (California Financial Code Section 3102(i)(3)).

There is a common thread of “access” or “custody” that runs through the first three examples, including custody by virtue of ability to redeem a token for value. One potential area of ambiguity relates to back-end controls and authority over the code governing tokens, or smart contract systems established to enable otherwise user-driven activity which might be licensable if conducted by a centralized person or group of persons. Practitioners should carefully examine so-called administrative or upgrade-only keys and authorities with respect to such systems, as retention of back-end permissions could implicate sufficient authority over the assets redemption, or control over the activity enabled by the smart contract system, to implicate licensure under the DFAL.

Statutory exclusions

California Financial Code Section 3103 sets out a number of exclusions from DFAL licensure. These exemptions include various governmental bodies, banks and credit unions, certain trust companies, and a range of Commodity Futures Trading Commission- and SEC-registered entities, as well as limited-purpose exemptions for certain service providers and de minimis activity. Additionally, the following exemptions (drawn from California Financial Code Section 3103(b)(5), (7), (8), (9), (13) and (17)) are relevant to technology and infrastructure providers:

“(5) A person whose participation in a payment system is limited to providing processing, clearing, or performing settlement services solely for transactions between or among persons that are exempt from the licensing requirements of this division.”

[Note: This provision parallels the payment processor exclusion for money transmission activity and its equivalent under the California MTA.]

“(7) A person that is any of the following:

(A) A person that contributes only connectivity software or computing power to securing a network that records digital financial asset transactions or to a protocol governing transfer of the digital representation of value.

(B) A person that provides only data storage or security services for a business engaged in digital financial asset business activity and does not otherwise engage in digital financial asset business activity on behalf of another person.

(C) A person that provides only to a person otherwise exempt from this division a digital financial asset as one or more enterprise solutions used solely among each other and that does not have an agreement or a relationship with a resident that is an end user of a digital financial asset.”

[Note: This set of provisions is essential to both node operators/validators on open networks and software and infrastructure providers in the sector, but care should be given to any effective relationship with end users.]

(8) A person using a digital financial asset, including creating, investing, buying or selling, or obtaining a digital financial asset as payment for the purchase or sale of goods or services, solely on the person’s own behalf for personal, family, or household purposes or for academic purposes.

(9) A person whose digital financial asset business activity with, or on behalf of, residents is reasonably expected to be valued, in the aggregate, on an annual basis at USD50,000 or less, measured by the USD equivalent of digital financial assets.

(13) A person that does not receive compensation, either directly or indirectly, for providing digital financial asset products or services or for conducting digital financial asset business activity or that is engaged in testing products or services with the person’s own funds.

(17) A merchant that accepts a digital financial asset as payment for the purchase or sale of goods or services, where the goods or services do not include digital financial assets.

[Note: The inclusion of the terminal caveat ensures that any business exchanging one digital financial asset for another, or legal tender for digital financial assets and the reverse, is covered by the statute.]

Industry case study: web3 gaming

The DFAL’s definition of “digital financial asset business activity” includes certain exchanges of in-game value for legal tender or bank or credit union credit outside the relevant game ecosystem (California Financial Code Section 3102(i)(3)). However, the definition of “digital financial asset” excludes a digital representation of value issued by or on behalf of a publisher and used solely within an online game, game platform or family of games sold by the same publisher or offered on the same game platform (California Financial Code Section 3102(g)(2)(B)). In short, the exclusion appears oriented towards assets like “gold” in World of Warcraft that are transferred only in-game. Many web3 gaming tokens, by design, are transferable and usable outside a single publisher-controlled environment, which can push them back into scope.

Some web3 gaming tokens may be argued to fall within the securities exclusion, but this is often a contested determination. An SEC allegation that a token was offered or sold as an unregistered security does not, by itself, establish that the token is within the exclusion. For example, in its complaint against Coinbase filed on 6 June 2023, the SEC alleged that Axie Infinity Shards (AXS) were offered and sold as an investment contract (SEC v Coinbase, Inc, Complaint (SDNY, Case 1:23-cv-04738, filed 6 June 2023)).

Part 3: Licensure Requirements

Among other requirements, the DFAL requires licensees to maintain specified books and records for at least five years after the relevant activity, including a general ledger posted at least monthly listing assets, liabilities, capital, income and expenses (California Financial Code Section 3303). Applicants must also establish (and, during licensure, maintain) written policies and procedures addressing, among other things, information security and operational security programmes (California Financial Code Section 3701).

The application for a licence must include detailed information about the applicant, its business, key individuals, litigation and bankruptcy history, and financial condition (California Financial Code Section 3203). The DFPI investigates the applicant’s financial condition, competence, experience and character and issues a licence only if statutory criteria are satisfied (California Financial Code Sections 3203 and 3209). Licensees must also maintain a surety bond or trust account and sufficient capital and liquidity, in forms and amounts determined by the DFPI, to protect California residents and support ongoing operations (California Financial Code Section 3207).

The DFAL requires a covered person, before engaging in digital financial asset business activity with a resident, to make specified disclosures, including a schedule of fees and charges, the manner by which fees and charges will be calculated if they are not set in advance, and the timing of the fees and charges (California Financial Code Section 3501).

Digital asset transaction kiosks

The DFAL imposes additional requirements on a specific category of applicants, namely digital asset kiosk operators. From 1 January 2024, an operator of a digital financial asset transaction kiosk (an electronic information processing device capable of accepting or dispensing cash in exchange for a digital financial asset) must not accept or dispense more than USD1,000 in a day from or to a customer via a kiosk (California Financial Code Sections 3901(b) and 3902). From 1 January 2025, an operator must not collect charges (directly or indirectly) in a single transaction exceeding the greater of USD5 or 15% of the USD equivalent of the digital financial assets involved, calculated by reference to the market price on a licensed digital financial asset exchange at the time the customer initiates the transaction (California Financial Code Sections 3901(a) and 3904).

Since 1 January 2024, an operator must provide the DFPI with various information, such as the locations of all digital financial asset transaction kiosks (California Financial Code Section 3906). From 1 January 2025, before a digital financial asset transaction, an operator must provide a clear written disclosure in English and in the same language principally used by the operator to advertise, solicit, or negotiate with a customer. The disclosure must include, at a minimum, the amount of the digital financial asset involved and the amount (in USD) of any fees, expenses and charges collected by the operator (California Financial Code Section 3905(a)).

Brief Note on Jurisdiction and California Nexus

California takes an expansive approach to the scope of DFAL coverage. California Financial Code Section 3103(a) provides that the DFAL governs the digital financial asset business activity of a person doing business in California or, wherever located, who engages in or holds itself out as engaging in the activity with, or on behalf of, a resident. For example, so-called white-labelled services offered through a third party to California residents which would otherwise be covered by the DFAL are likely to trigger licensure obligations; market participants relying on these business models would be well-advised to ensure that their agreements provide sufficient visibility into their partners’ end users to ensure they can identify and comply with DFAL licensure and, if licensed, record-keeping and other regulatory obligations as they arise.

In practical terms, the DFAL can therefore apply to firms with limited physical presence in California if they serve California residents or market DFAL-covered services into California. From 1 July 2026, a covered person must be licensed, have a timely application pending, or qualify for an exemption (California Financial Code Section 3201).