The state's Department of Financial Protection and Innovation has begun accepting licence applications under DFAL, the most comprehensive state-level crypto regulatory framework in the United States.
California's Department of Financial Protection and Innovation began accepting applications on 9 March for licences under the Digital Financial Assets Law, a sweeping regulatory framework that will require any business exchanging, transferring, or holding digital assets on behalf of a California resident to obtain state-level authorisation by 1 July 2026. The law, originally signed by Governor Gavin Newsom in October 2023 as Assembly Bill 39 and Senate Bill 401, represents the most ambitious attempt by any US state to impose comprehensive oversight on the cryptocurrency industry.
With fewer than 90 days until enforcement begins, the compliance scramble is intensifying across the sector. Industry lawyers say the law's broad definition of covered activity — which extends beyond traditional exchanges to include custody services, stablecoin issuers, and even crypto kiosk operators — means hundreds of businesses face the prospect of either obtaining a licence or withdrawing from the California market entirely. For an industry that has operated largely under a patchwork of federal guidance and state money transmitter laws, DFAL marks a step change in regulatory expectations.
Scope and Requirements
DFAL covers what it defines as digital financial asset business activity, a deliberately expansive category that encompasses exchanging, transferring, or storing digital financial assets; holding electronic precious metals or certificates of digital financial assets; and exchanging digital financial assets for monetary value. The law applies to any entity conducting these activities with or on behalf of a California resident, regardless of where the business is headquartered.
Licence applicants must submit through the Nationwide Multistate Licensing System, the same federal platform used for mortgage lenders, money service businesses, and other regulated financial entities. The application requires detailed disclosures about the applicant's business model, custody arrangements, cybersecurity protocols, and financial condition. Applicants must also demonstrate adequate capital reserves and maintain a surety bond, the size of which is determined by the DFPI based on the scope and risk profile of the applicant's operations.
For crypto kiosk operators — a segment that has drawn particular regulatory attention due to consumer protection concerns — the law imposes additional requirements. Operators must register each physical location, cap daily customer transactions at $1,000, limit fees to no more than 15 percent, and provide clear receipts and disclosures at the point of sale.
The Compliance Challenge
Jones Day, the global law firm advising several major crypto exchanges on their DFAL applications, noted in a February client alert that the compressed timeline between the application window opening and the enforcement date leaves little margin for error. The DFPI has not publicly disclosed how long it expects the review process to take, raising the prospect that some applicants may still be awaiting approval when enforcement begins on 1 July.
The law does provide a conditional operating provision for businesses that have submitted a complete application before the deadline, allowing them to continue operations while the DFPI processes their filing. However, any business that fails to apply by 1 July faces potential enforcement action, including cease-and-desist orders and civil penalties.
Smaller operators face a disproportionate burden. The compliance costs associated with the licence application, ongoing reporting requirements, and mandatory cybersecurity standards are substantial relative to the revenue of early-stage crypto businesses. Several industry groups, including the Blockchain Association and the Chamber of Digital Commerce, have urged the DFPI to implement a tiered licensing structure that scales requirements to the size of the applicant, though no such accommodation has been announced.
National Implications
California's approach is being closely watched by other states considering their own crypto-specific licensing regimes. New York's BitLicense, introduced in 2015, was the first state-level crypto licence and has been criticised for its onerous requirements and slow approval process — factors that drove several major exchanges to exit the New York market. California's law attempts to learn from that experience by using the existing NMLS infrastructure, which streamlines the application process and allows for reciprocity with other states that use the same system.
The timing is significant. At the federal level, the SEC and CFTC have recently issued a joint five-category crypto taxonomy and the SEC has advanced its Reg Crypto framework to the White House for review. If federal legislation establishing a comprehensive market structure for digital assets is enacted before or shortly after DFAL takes effect, the interaction between state and federal requirements could create additional compliance complexity — or, in a best-case scenario, federal preemption could simplify the landscape.
For now, California's framework exists as the de facto standard for state-level crypto regulation. Given the state's outsized role in the technology economy — home to major exchanges Coinbase and Kraken, as well as hundreds of blockchain startups — the success or failure of DFAL will likely shape how other states approach the question of digital asset oversight.
Industry Response and Outlook
Coinbase chief legal officer Paul Grewal said in a March statement that the company supports sensible state-level regulation but cautioned that overlapping federal and state requirements risk creating a compliance maze that disadvantages American firms relative to offshore competitors. Kraken has taken a similar position, noting in a blog post that it intends to apply for a DFAL licence while continuing to advocate for federal preemption of state-by-state crypto regulation.
Consumer advocacy groups have broadly welcomed the law. The Consumer Federation of California described DFAL as a necessary safeguard for the estimated 6.4 million Californians who hold digital assets, pointing to the string of exchange failures and custodial losses that have eroded public trust in the sector since 2022.
The Road to July
With the application window now open and the enforcement date approaching, the next three months will test both the industry's capacity to meet California's requirements and the DFPI's ability to process what is expected to be a surge of applications. The regulator has added staff to its digital assets division but has not disclosed specific capacity targets or expected processing times.
For the broader crypto industry, DFAL represents a clear signal that the era of operating in regulatory grey zones is ending — at least in the United States' largest state by population and economic output. Whether the law ultimately serves as a model for national regulation or a cautionary tale about state-level overreach will depend on how effectively it balances consumer protection with the innovation that the sector's proponents argue is at stake.
