Digital Financial Assets Law – Preparing for your Application

Signed by Governor Newsom on October 13, 2023, the Digital Financial Assets Law creates a robust regulatory framework, including licensure and enforcement authority, for certain crypto activities. This law creates a comprehensive regulatory program for many crypto companies, requires DFPI to license and supervise many crypto asset-related companies that serve California residents, and provides important consumer protections for users. Furthermore, DFAL requires additional obligations for crypto kiosks operating in California.

If you engage in digital financial business activity with or on behalf of a California resident and are not otherwise exempt, you will need to submit a DFAL license application by July 1, 2026 in order to continue serving California residents.

Financial Code section 3203(a) lists items that must be included in a DFAL license application. In addition, an application must include any other information the DFPI may require by rule. You may find additional information about the DFPI’s DFAL rulemaking process.

Once you have submitted a complete application, which includes all of the information required and the initial, non-refundable application fee, the DFPI is required to investigate whether your application satisfies each of the six standards set forth at Financial Code section 3203(b). To satisfy these standards, an applicant must have:

• sound financial condition, competence, and responsibility to engage in digital financial business activity.
• relevant financial and business experience, good character, and general fitness.
• complied with Chapter 5 (commencing with Section 3501) and Chapter 6 (commencing with Section 3601).
• a reasonable promise of success in engaging in digital financial business activity.

In addition, each executive officer, responsible individual, and person that has control of the applicant must have competence, experience, good character, and general fitness.

Finally, to meet the licensing standards, it must be reasonable for the DFPI to believe that the applicant, if licensed, will engage in digital financial business activity in compliance with all applicable provisions of the DFAL and any regulation or order issued pursuant to this division.

Prospective applicants will need to demonstrate that they are able to effectively manage the risks of the business activity they conduct. (See, e.g., Fin. Code § 3207(b) [licensee must provide information to the DFPI as to its “specific risks” related to “financial integrity” and “ongoing operations”].)

To help you better prepare for licensing, consult the DFAL text, FAQs, and the below materials. You may also reach out to the DFPI at [email protected].

An Effective Anti-Money Laundering Program

A risk-based, data-driven anti-money laundering program is essential to managing the risks related to digital financial asset activity.

Governance processes:

7. Maintain up-to-date Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) policies
8. Employ an experienced BSA Compliance Officer
9. Adequately oversee and manage your BSA, AML, Office of Foreign Assets Control (OFAC) and Anti-Fraud Programs
10. Conduct compliance training for all employees at onboarding and annually
11. Maintain a process to ensure customer protection from digital asset scams and frauds
12. Maintain a data-driven risk assessment that covers all of your business activities

Know-your-customer (KYC) processes:

1. Identify and verify the identity of your customers
2. Maintain an effective process to address high-risk customer attributes
3. Maintain a risk-based process for identifying and verifying beneficial owners
4. Maintain a process for updating a customer’s KYC information
5. Maintain processes to perform customer due diligence and enhanced due diligence, where necessary Maintain effective transaction monitoring (either manual or automated)

Sanctions screening and related compliance:

1. Maintain effective transaction monitoring
2. Leverage blockchain analytics to prevent the use of your services for terrorist financing, sanctions, darknet market transactions, child sexual abuse material, scams, and ransomware
3. Maintain written policies for investigating suspicious activities and filing Suspicious Activity Reports and Currency Transaction Reports (CTRs)
4. Maintain a process to comply with the Travel Rule
5. Maintain a sanctions compliance policy and program that prevents and detects transactions with sanctioned parties
6. Conduct sanctions screening of all customers at onboarding and risk-based rescreening in line with your size and complexity

Fraud prevention and anti-money laundering:

1. Maintain an effective anti-fraud program
2. Maintain a process to prevent scams and frauds, including elder abuse
3. Maintain a Fraud Risk Assessment and controls that include methods of detecting market manipulation, any form of insider trading, and periodic evaluations of the Anti-Fraud program
4. Conduct independent testing of your anti-money laundering program