Digital Financial Assets Law – Preparing for your Application
Signed by Governor Newsom on October 13, 2023, the Digital Financial Assets Law (DFAL) creates a robust regulatory framework, including licensure and enforcement authority, for certain crypto activities. The law establishes a comprehensive regulatory program for many crypto companies, requires the DFPI to license and supervise many crypto asset-related companies that serve California residents, and provides important consumer protections for users. DFAL also imposes additional obligations on crypto kiosks operating in California.
If you engage in digital financial business activity with or on behalf of a California resident and are not otherwise exempt, you will need to submit a DFAL license application by July 1, 2026 in order to continue serving California residents.
Financial Code section 3203(a) lists the items that must be included in a DFAL license application. In addition, an application must include any other information the DFPI may require by rule. Applicants may consult the information on the DFPI's DFAL rulemaking process and should also refer to the Nationwide Multistate Licensing System (NMLS) checklist.
Once you have submitted a complete application, which includes all of the information required and the initial, non-refundable application fee, the DFPI is required to investigate whether your application satisfies each of the six standards set forth at Financial Code section 3203(b). To satisfy these standards, an applicant must have:
- sound financial condition, competence, and responsibility to engage in digital financial business activity.
- relevant financial and business experience, good character, and general fitness.
- complied with Chapter 5 (commencing with Section 3501) and Chapter 6 (commencing with Section 3601).
- a reasonable promise of success in engaging in digital financial business activity.
In addition, each executive officer, responsible individual, and person that has control of the applicant must have competence, experience, good character, and general fitness.
Finally, to meet the licensing standards, it must be reasonable for the DFPI to believe that the applicant, if licensed, will engage in digital financial business activity in compliance with all applicable provisions of the DFAL and any regulation or order issued pursuant to this division.
Prospective applicants will need to demonstrate that they are able to effectively manage the risks of the business activity they conduct. (See, e.g., Fin. Code § 3207(b) [licensee must provide information to the DFPI as to its “specific risks” related to “financial integrity” and “ongoing operations”].)
To help you better prepare for licensing, consult the DFAL text, FAQs, and the below materials. You may also reach out to the DFPI at [email protected].
An Effective Anti-Money Laundering Program
A risk-based, data-driven anti-money laundering program is essential to managing the risks related to digital financial asset activity.
Governance processes:
- Maintain up-to-date Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) policies
- Employ an experienced BSA Compliance Officer
- Adequately oversee and manage your BSA, AML, Office of Foreign Assets Control (OFAC) and Anti-Fraud Programs
- Conduct compliance training for all employees at onboarding and annually
- Maintain a process to ensure customer protection from digital asset scams and frauds
- Maintain a data-driven risk assessment that covers all of your business activities
Know-your-customer (KYC) processes:
- Identify and verify the identity of your customers
- Maintain an effective process to address high-risk customer attributes
- Maintain a risk-based process for identifying and verifying beneficial owners
- Maintain a process for updating a customer’s KYC information
- Maintain processes to perform customer due diligence and enhanced due diligence, where necessary
- Maintain effective transaction monitoring (either manual or automated)
Sanctions screening and related compliance:
- Maintain effective transaction monitoring
- Leverage blockchain analytics to prevent the use of your services for terrorist financing, sanctions, darknet market transactions, child sexual abuse material, scams, and ransomware
- Maintain written policies for investigating suspicious activities and filing Suspicious Activity Reports and Currency Transaction Reports (CTRs)
- Maintain a process to comply with the Travel Rule
- Maintain a sanctions compliance policy and program that prevents and detects transactions with sanctioned parties
- Conduct sanctions screening of all customers at onboarding and risk-based rescreening in line with your size and complexity
Fraud prevention and anti-money laundering:
- Maintain an effective anti-fraud program
- Maintain a process to prevent scams and frauds, including elder abuse
- Maintain a Fraud Risk Assessment and controls that include methods of detecting market manipulation, any form of insider trading, and periodic evaluations of the Anti-Fraud program
- Conduct independent testing of your anti-money laundering program
Cyber and Operational Security
As part of the application process, you must provide and describe your Cyber and Operational Security Program and Policies. The following information is intended to help you prepare for licensing.
Cyber and Operational Security Safeguards
- Program oversight: Designate a qualified individual responsible for developing, implementing, and maintaining the information security program. Ensure that this individual has the authority and resources to manage cybersecurity risks effectively in accordance with Financial Code section 3701(h).
- Risk Assessment: Conduct a documented risk assessment that identifies internal and external threats to non-public personal information and digital financial assets, likelihood and potential impact of those threats, and effectiveness of current controls. Update the risk assessment regularly or when significant changes occur.
- Access Controls: implement role-based access, least privilege principle, and multi-factor authentication (MFA) for all systems handling sensitive data.
- Encryption: implement strong encryption protocols to protect sensitive data in transit and at rest, ensuring confidentiality and integrity of non-public personal information and digital financial assets. Encryption measures should align with industry standards, be regularly reviewed for effectiveness, and support secure key management practices to mitigate risks of unauthorized access or data breaches.
- Secure Software Development: apply secure coding practices, conduct code reviews, and scan for vulnerabilities in internally developed or customized applications.
- Change Management: implement a change management process to control and manage changes to systems and processes to ensure security and prevent disruptions.
- Data Retention and Disposal: establish policies and procedures for securely retaining and disposing of sensitive data in accordance with legal, regulatory, and business requirements. Ensure data is stored only as long as necessary, with appropriate access controls, and disposed of using secure methods to prevent unauthorized recovery or disclosure.
- Physical Security: restrict access to data centers, servers, and hardware wallets using badge systems, biometric controls, or other physical barriers.
- Monitoring and Logging: implement procedures and controls to monitor when authorized users are accessing customer information on your system and to detect unauthorized access. Maintain logs to support audits and investigations.
- Incident Response Plan: maintain a written incident response plan that includes roles and responsibilities, detection and containment procedures, communication and regulatory notification protocols, post-incident review and remediation. Test the plan at least annually through tabletop exercises or simulations.
- Business Continuity Plan: develop and implement a business continuity plan that identifies key risks and critical functions, outlines recovery strategies and timelines, defines roles and communication protocols, and includes regular testing and updates to ensure continuity of essential operations during disruptions.
- Disaster Recovery Plan: establish and implement a plan that addresses the restoration of IT systems and data following a disruption, including identification of critical infrastructure, recovery objectives and procedures, assigned responsibilities, communication protocols, and regular testing to ensure timely and effective recovery.
- Testing the safeguards: conduct independent assessments of information security controls to evaluate their effectiveness, identify vulnerabilities, verify compliance with policies and standards, and ensure timely remediation. Testing should be performed regularly and documented to support continuous improvement.
- Training: provide security awareness training to all employees and specialized trainings for employees and service providers with hands-on responsibility for carrying out your information security program.
- Third-party risk management: select, monitor, and periodically assess your third-party service providers to ensure that they maintain appropriate safeguards as outlined in the service agreements.
- Adjusting program based on risk: update your information security program based on changes to your operations and risk assessment results.
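The access-control and monitoring items above (role-based access, least privilege, MFA, and logging that can reveal unauthorized access) come together when an access-audit log is reviewed against the access policy. The following is an added illustration and is not DFPI's or any licensee's code: the log format, the role-to-resource policy, the MFA rule, and the bulk-access threshold are all assumptions, and the audit events are constructed for the demo. It flags accesses a role is not entitled to, reads of sensitive records from sessions without MFA, and one actor touching an unusual number of distinct customers.

```python
"""Added example (not DFPI's or any licensee's code): reviewing an access-audit log
against a role-based access policy, an MFA requirement, and a bulk-access threshold.
The log format, roles, resources and thresholds below are assumptions for illustration."""
import json
from collections import defaultdict

# Assumed least-privilege policy: which resource classes each role may read.
POLICY = {
    "support_agent": {"customer_profile"},
    "compliance_analyst": {"customer_profile", "transaction_history", "sar_case"},
    "engineer": set(),  # engineers get no direct access to customer data
}
# Assumed: these resource classes may only be read from an MFA-backed session.
MFA_REQUIRED = {"transaction_history", "sar_case"}
# Assumed: one actor reading this many distinct customers in the window warrants review.
BULK_THRESHOLD = 3

# Constructed sample audit log, one JSON event per line.
SAMPLE_LOG = """\
{"ts": "2025-03-04T09:12:01Z", "actor": "alice", "role": "support_agent", "resource": "customer_profile", "customer": "C1001", "mfa": true}
{"ts": "2025-03-04T09:13:40Z", "actor": "bob", "role": "engineer", "resource": "customer_profile", "customer": "C1002", "mfa": true}
{"ts": "2025-03-04T09:15:22Z", "actor": "carol", "role": "compliance_analyst", "resource": "transaction_history", "customer": "C1003", "mfa": false}
{"ts": "2025-03-04T09:16:05Z", "actor": "alice", "role": "support_agent", "resource": "customer_profile", "customer": "C1004", "mfa": true}
{"ts": "2025-03-04T09:16:59Z", "actor": "alice", "role": "support_agent", "resource": "customer_profile", "customer": "C1005", "mfa": true}
{"ts": "2025-03-04T09:20:11Z", "actor": "carol", "role": "compliance_analyst", "resource": "sar_case", "customer": "C1003", "mfa": true}
"""


def parse_log(text):
    """Yield one event dict per non-empty line; a malformed line is an error, not silently skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: unparseable audit event ({exc})") from None


def review_access_log(text):
    """Return a list of (finding_type, actor, detail) tuples for the given log text."""
    findings = []
    customers_by_actor = defaultdict(set)
    for ev in parse_log(text):
        allowed = POLICY.get(ev["role"], set())  # an unknown role is allowed nothing
        if ev["resource"] not in allowed:
            findings.append(("policy_violation", ev["actor"], ev["resource"]))
        if ev["resource"] in MFA_REQUIRED and not ev.get("mfa", False):
            findings.append(("mfa_missing", ev["actor"], ev["resource"]))
        customers_by_actor[ev["actor"]].add(ev["customer"])
    # Volume check across the whole window: many distinct customers from one actor.
    for actor, customers in customers_by_actor.items():
        if len(customers) >= BULK_THRESHOLD:
            findings.append(("bulk_access", actor, len(customers)))
    return findings


if __name__ == "__main__":
    for kind, actor, detail in review_access_log(SAMPLE_LOG):
        print(f"{kind:17} actor={actor:6} detail={detail}")
```

Run against the constructed log, the review reports the engineer reading a customer profile (policy violation), the analyst reading transaction history without MFA, and the support agent's three-customer spread. In practice the policy table would be generated from the same source of truth as the production authorization system, so that the review tests the policy actually in force rather than a hand-maintained copy.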
Digital Financial Asset Business Specific Safeguards (if applicable)
- Smart Contract use: establish governance and security protocols for the development, deployment, and monitoring of smart contracts. Implement safeguards to prevent unauthorized modifications and support mechanisms for dispute resolution and contract updates.
- Blockchain platform review: conduct regular assessments of blockchain platforms used for digital financial asset operations for their information security posture, including consensus mechanism integrity, resistance to known attack vectors (e.g., 51% attacks, Sybil attacks), smart contract security features, and data confidentiality controls. Reviews should support informed decision-making and risk management related to platform selection and ongoing use.
- Custody management: establish and maintain secure custody procedures for digital financial assets. Implement multi-layered safeguards such as multi-signature authorization, secure key storage (e.g., hardware security modules or cold wallets), access controls, and monitoring systems to prevent unauthorized access or asset loss. Custody procedures should be regularly reviewed, tested, and aligned with industry standards and regulatory expectations.
- Key management: implement secure key management procedures, including backup and recovery mechanisms, to mitigate risks of key compromise or loss. Use industry-standard methods such as hardware security modules, secure key generation, access controls, and key rotation policies.
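The custody and key-management items above call for multi-party authorization and for backup and recovery mechanisms that do not reintroduce a single point of compromise. One standard way to back up a signing key is a k-of-n threshold split, where any k custodians (for example an HSM operator, an offline safe, and two officers) can reconstruct the key but fewer learn nothing about it. The following is an added illustration using Shamir secret sharing over a prime field; it is not DFPI's or any vendor's code, the key bytes and the 3-of-5 parameters are constructed for the demo, and the fingerprint check is an added design choice because Shamir sharing by itself gives no error when the wrong shares are combined.

```python
"""Added example (not DFPI's or any vendor's code): k-of-n backup of a wallet signing key
using Shamir secret sharing over a prime field, plus a fingerprint so that a recovery can
be verified. The key bytes, threshold and share count are constructed for the demo."""
import hashlib
import secrets

PRIME = 2**521 - 1  # Mersenne prime; any secret of up to 64 bytes is below it


def fingerprint(secret: bytes) -> str:
    """Commitment stored alongside the shares so a recovered value can be checked (SHA-256 hex)."""
    return hashlib.sha256(secret).hexdigest()


def split_secret(secret: bytes, k: int, n: int):
    """Split `secret` into n shares (x, y); any k of them recover it, fewer reveal nothing."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def interpolate_at_zero(shares) -> int:
    """Lagrange interpolation of the polynomial's constant term from the given points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shares, length: int, expected_fingerprint: str) -> bytes:
    """Recover the key from at least k shares and verify it against the stored fingerprint.

    Shamir sharing has no built-in integrity check: too few or corrupted shares produce a
    wrong value without any error, which is why the fingerprint comparison is mandatory here.
    """
    value = interpolate_at_zero(shares)
    try:
        candidate = value.to_bytes(length, "big")
    except OverflowError:
        raise ValueError("recovered value does not fit: wrong or insufficient shares") from None
    if fingerprint(candidate) != expected_fingerprint:
        raise ValueError("fingerprint mismatch: wrong or insufficient shares")
    return candidate


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed stand-in for a wallet signing key
    fp = fingerprint(key)
    shares = split_secret(key, k=3, n=5)  # distribute to five separate custodians
    restored = recover_secret([shares[0], shares[2], shares[4]], 32, fp)
    print("3-of-5 recovery verified:", restored == key)
```

The shares must be stored in separate locations under separate control, and reconstruction should only ever happen inside the environment that will use the key (an HSM or an offline signing host), since the moment the shares are combined the key exists in one place again. Rotation of the key should rotate the shares with it; old shares are as sensitive as the old key.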
Alignment with NIST CSF 2.0
To help DFPI assess whether your organization’s information security and operational security programs meet Financial Code section 3701, subdivision (b), we will be evaluating each applicant’s Cyber and Operational Security Evaluation Programs and Policies following the NIST Cybersecurity Framework (CSF) 2.0, a globally recognized model for managing cyber and operational security risks. Notably, the NIST CSF facilitates mapping (referred to as “informative references”) to other common risk frameworks (such as ISO 27001 and COBIT), making it easier for organizations already using those frameworks to demonstrate alignment.
Categories, Subcategories, and Applicability
Within each Function (Govern, Identify, Detect, Protect, Respond, and Recover), the evaluation framework is organized into Categories and Subcategories, which describe specific outcomes and activities (e.g., supplier inventory management, incident response planning, smart contract security review). Applicants should expect to complete a business activity questionnaire early in the evaluation of their programs and policies, which helps the DFPI tailor specific operational and cyber security expectations to the applicant's business model.
Evidence and Flexibility
Your organization will be expected to provide evidence—such as documentation, procedures, assessments, and/or operational samples—demonstrating that your organization achieves the outcomes described in the relevant Categories and Subcategories. The Cyber and Operational Security Evaluation framework allows flexibility to accommodate varying approaches, provided that the risks are substantively addressed.
As part of the application process, your organization should be prepared to demonstrate its maturity within each of the following functions:
Govern
- Understanding and management of legal, regulatory, and contractual cybersecurity requirements, including privacy and civil liberties
- Establishment, communication, and enforcement of cybersecurity risk management policy
- Secure management of secrets and digital asset transaction signing (where applicable)
Identify
- Maintenance of inventories for key suppliers and services
- Identification, validation, and documentation of vulnerabilities
- Assessment of threats, risks, and critical suppliers
- Establishment and maintenance of relevant incident response and cybersecurity plans
- Evaluation of blockchain platforms and periodic assessments of smart contracts (where applicable)
Protect
- Management and proofing of identities and credentials for users, services, and devices
- Policy-driven access management, including least privilege and separation of duties
- Protection of data at rest and in transit
- Regular backups and continuous logging
- Protection of networks and environments and, where relevant, of blockchain nodes, smart contract management, threshold cryptography, and blockchain/wallet address verification
Detect
- Monitoring of computing environments for adverse events
- Timely declaration of incidents when criteria are met
- Continuous review and testing of smart contract code (where applicable)
- Security and response measures for blockchain networks
Respond
- Analysis of incidents to determine what has occurred and to identify root causes
- Effective containment of incidents
Recover
- Execution and prioritization of recovery actions
- Verification of the integrity of backups and restored assets before use
- Restoration of normal operating status and communication of recovery progress to internal stakeholders and, where appropriate, public updates
Capital and Liquidity Evaluation
In accordance with the capital and liquidity requirements of California Financial Code 3207, all licensees are required to maintain sufficient capital and liquidity levels to ensure their financial integrity and the continuity of their operations. These requirements are determined by the Department based on an assessment of the specific risks applicable to each licensee.
To assist you in preparing for this requirement, the Department is providing the following guidance:
- Understand the framework used to evaluate Capital and Liquidity
The Department will evaluate your capital and liquidity adequacy based on a range of factors, including but not limited to:
- Asset Composition: Size, quality, liquidity, risk exposure, and volatility of your assets.
- Liability Composition: Size and repayment timing of your liabilities.
- Business Activity: Actual and expected volume of digital financial business activities.
- Leverage: Reliance on debt or other forms of borrowing to finance operations.
- Liquidity Position: Amount and quality of liquid assets available to meet obligations.
- Customer Protection Measures: Amount of surety bond coverage.
- Customer Base and Services: Types of entities served and the services offered.
- Insolvency Protections: Arrangements in place for the protection of customer funds in the event of insolvency.
- Minimum Tangible Net Worth Expectation
The Department expects an initial amount of $100,000 in tangible net worth as part of the DFAL license application. DFPI will determine a final tangible net worth amount in accordance with Financial Code section 3207, subdivision (b), later in the application process.
If you believe that a $100,000 initial tangible net worth amount is inappropriate for your own business, please separately contact DFPI's Digital Financial Assets Law staff as specified in DFPI's DFAL FAQ section 13: Can I ask DFPI whether I will need a license or about the conditions of licensure that may be applied to me if I apply for a license?
Tangible net worth is defined as: the aggregate assets of a licensee, excluding all intangible assets, less liabilities, as determined in accordance with United States generally accepted accounting principles (GAAP).
Applicants are encouraged to assess their financial position and ensure they meet or exceed this threshold.
- Maintain Qualifying Liquid Assets
Liquid assets must be held in one or more of the following forms:
- Cash
- Digital financial assets (excluding those held on behalf of residents under Section 3503)
- High-quality, liquid assets as defined in 12 CFR § 249.20(a)
The Department will determine the appropriate proportions of each asset type based on your risk profile.
Surety Bond Requirements
Adequate surety bond coverage is essential to protect customers in the event the business fails to meet its obligations, for example through misappropriation of funds, insolvency, or fraud. It also serves as a critical safeguard for the public and the state by providing a mechanism for restitution when a business causes harm or violates applicable laws.
Applicants are required to either obtain a surety bond or fund a trust account to safeguard customer interests, in accordance with Financial Code 3207(a). The required amount depends on the applicant’s business type and activities, and may be adjusted based on the financial condition, scale, nature, and risk profile of their operations.
Surety Bond Amount
A $500,000 surety bond, furnished and submitted by a surety company authorized to conduct business in California, is the initial amount that DFPI expects to be submitted as part of the DFAL license application. The DFPI will determine a final surety bond amount in accordance with Financial Code 3207(a) later in the application review process. Applicants should anticipate and be prepared to respond to follow-up or clarification requests.
Upon the determination and communication of a final surety bond amount, licensees are required to make these updates no later than 30 days after notice of the increase under Financial Code 3207(a)(1)(4).
If you believe that a $500,000 initial electronic surety bond is inappropriate for your own business, please separately contact DFPI's Digital Financial Assets Law staff as specified in FAQ Question 13: Can I ask DFPI whether I need a license, or about the conditions of licensure that may be applied to me if I apply for a license?
For Digital Financial Asset Transaction Kiosk Applicants
The surety bond amount will be based on virtual currency transaction volume. Applicants must prepare and submit a report detailing virtual currency transaction volumes by month for the last twelve consecutive months conducted by California consumers. Additionally, the applicant must provide the total annual volume for those transactions.
For Digital Financial Asset Exchange and/or Custodian Applicants
The surety bond amount will be based on custodial funds due to consumer obligations. Applicants must prepare and submit a report detailing the custodial funds due to consumer obligation balances by month for the last twelve consecutive months for funds held for California consumers.
Cumulative Surety Bond Requirements for Multi-Activity Operators
Surety bond requirements are cumulative for applicants operating both digital financial asset transaction kiosks and digital financial asset exchange and/or custodial services. If a company operates as both an exchange and a custodian, a single surety bond amount will apply. However, if the company also operates transaction kiosks in addition to exchange and/or custodial services, the required bond amounts for each activity must be combined to determine the total surety bond obligation.
Ongoing Monitoring
The Department will continue to assess the adequacy of the surety bond amount following licensure. Licensees must be prepared to respond to and comply with any information requested by the Department. If it is determined that an increase in bond coverage is warranted, the licensee will be required to obtain additional coverage and submit proof of the updated bond amount.
Best Practices
The following represents the core functional areas that collectively ensure a business maintains effective, compliant and risk-aware surety bond practices.
Governance Processes
- Assign a responsible designee to oversee bonding requirements, renewals, and regulatory filings.
- Maintain surety bond policies and procedures that reflect California digital asset regulations.
- Document a process for evaluating bond adequacy in relation to custodial funds due to consumer obligations, asset custody, and virtual currency transaction volume.
- Establish internal controls to prevent lapses in bond coverage.
Risk Management and Monitoring
- Conduct periodic internal reviews to validate bond coverage and ensure alignment with business growth and regulatory changes.
- Establish a process for increasing surety bond coverage in the event the Department determines an adjustment is necessary.
- Align bond coverage with your financial condition, ensuring sufficient liquidity and capital in combination with surety coverage.
- Implement a third-party risk management process to assess, monitor, and mitigate risks associated with vendors, ensuring they are reputable, comply with DFAL and maintain strong financial and cybersecurity controls.
Regulatory Compliance and Reporting
- Ensure bond amounts meet or exceed minimums.
- Promptly notify regulators of any changes to bond coverage, including new sureties, revised amounts, or cancellations.
- Ensure timely response to bond-related inquiries from regulators, including claim status, bond sufficiency, or compliance audits.
- Maintain a record of all regulatory filings related to bonding, including submission confirmations and correspondence.
Guidance on Consumer Protection Policy
Pursuant to California Financial Code §3701(g)
Purpose
This guidance outlines the expectations for licensees under the Digital Financial Assets Law (DFAL) to establish and maintain a Consumer Protection Policy that ensures fair, secure, and transparent treatment of California residents engaging in digital financial asset business activity.
Required Elements of the Consumer Protection Policy
- Compliance with Applicable Laws §3701(g)(1):
Include any action or system of records required to comply with this division and other applicable state laws. The Consumer Protection Policy should include:
- Procedures and systems of records that are designed to comply with this division and other applicable state laws with respect to digital financial asset business activity with, or on behalf of, a resident.
- Dispute Resolution Procedure §3701(g)(2):
Establish a procedure for resolving disputes between the licensee and a resident. The procedure should include:
- Timeframes for response and resolution
- Escalation paths (e.g., internal review, third-party mediation)
- Communication protocols
- Reporting Unauthorized or Mistaken Transactions §3701(g)(3):
Establish a procedure for residents to report unauthorized, mistaken, or accidental transactions. The procedure should include:
- Clear definition of unauthorized, mistaken, and accidental transactions
- Time limits for reporting
- Investigation and resolution steps
- Provide confirmation and status updates to the affected residents.
- Complaint Filing and Resolution Procedure §3701(g)(4):
Establish a procedure for residents to file complaints and receive fair, timely resolution with notice. The procedure should include:
- Acknowledgment of receipt
- Investigation timeline
- Criteria for resolution
- Notification of outcome and rationale
- Maintain a complaint log for internal and regulatory review.
Additionally, licensees should consider the following when implementing the Consumer Protection Policy:
- Train staff on handling disputes, complaints, and transaction errors.
- Review and update the policy regularly to reflect changes in law and business practices.
- Document all procedures and changes as required under §3701(g).
