The state's Digital Financial Assets Law took full effect on 1 July, forcing exchanges, custodians and wallet issuers to be licensed or face cease-and-desist orders and $100,000-per-day penalties.
California's Digital Financial Assets Law took full effect on Wednesday, and any crypto exchange, custodian, wallet issuer or stablecoin operator that did not submit a complete DFPI licence application by 1 July can no longer serve residents of the state. This is the first hard deadline of a licensing regime that state regulators have been building since Governor Gavin Newsom signed AB 39 into law in October 2023.
The Department of Financial Protection and Innovation began accepting applications through the Nationwide Multistate Licensing System on 9 March. It has been a slow four months. Applications are $7,500 upfront and the DFPI can charge "reasonable costs" of reviewing them, which industry lawyers have quietly warned clients could add tens of thousands of dollars per firm depending on the complexity of the business model. Most large exchanges filed months ago; the concerning number is how many mid-tier firms did not.
The rule is broadly drafted on purpose. DFAL covers "digital financial asset business activity" — the exchanging, transferring, storing or issuing of digital assets — and it applies to any person doing business with a California resident, regardless of where that person is located. A Cayman-domiciled exchange serving a Los Angeles trader is in scope. So is a Delaware LLC running a wallet application on the App Store, if any of its users live in California. Enforcement will not fall entirely on the small number of firms that have opted to make San Francisco or Palo Alto their home.
The exemptions are narrower than the industry wanted. FDIC-insured banks, state and federally chartered credit unions with California offices, and California-licensed trust companies are out of scope entirely. CFTC-regulated entities and SEC-registered broker-dealers get partial exemptions but only when acting in their regulated capacity, which means Robinhood Crypto and Coinbase Prime are not simply covered by their parent companies' licences. There is a de minimis carve-out for firms whose California-facing business is reasonably expected to be under $50,000 a year in aggregate, but that number is small enough to catch essentially every serious operator.
The safety valve is that a firm which submitted a complete application by 1 July can continue operating while the DFPI works through the review. That is why the day matters so much. A bare-bones filing does not count. The DFPI has been explicit that placeholder applications will be rejected, and rejection means the firm was not on the whitelist as of the deadline — which means it needs to stop serving California residents until it files a real application and gets processed.
For the industry, this is the first time a US state has imposed a full BitLicense-style regime on top of federal law since New York in 2015. New York's BitLicense produced a well-documented exodus — Kraken pulled out of the state within months, ShapeShift refused to apply, and years of case law followed. California's DFAL is broader in scope and easier to trigger, and the state's residents represent roughly 12 per cent of US crypto users. Firms that decide to withdraw rather than comply will be leaving material revenue on the table.
The list of firms known to have filed publicly is short. Coinbase, Kraken, Circle, Gemini and Robinhood Crypto all confirmed submissions in the second quarter — the exchange majors got in early. What the industry does not yet know is how many of the middle-tier firms — the DEX front-ends, the wallet-with-swap providers, the smaller stablecoin issuers — filed by the deadline. Any that did not are already operating in violation.
The other question is how DFAL interacts with the CLARITY Act, which passed Senate Banking Committee on 14 May and is currently sitting on the Senate calendar. If CLARITY becomes law, most digital-commodity spot-market oversight will move to the CFTC, and states will be pre-empted from imposing conflicting frameworks. But DFAL is not going anywhere until federal law says it must, and California legislators drafted it specifically to survive the range of federal outcomes.
There is one detail worth flagging. The DFPI has not yet published a list of firms that made the 1 July window. It has said it will do so in "the coming weeks", which industry counsel translate as "when the political optics are useful". The absence of a public list means that Californian retail users cannot easily verify whether the exchange they use has filed — a small design flaw in a regime meant to protect them.
Enforcement powers under DFAL are broad: cease-and-desist orders, restitution, civil penalties of up to $100,000 per violation per day. Firms that ignore the deadline and get caught are not looking at slap-on-the-wrist fines. The DFPI's enforcement history under its predecessor consumer-lending statutes suggests the agency will pick a couple of high-profile targets first to establish credibility, and work down the queue from there.
The industry has known this date was coming since AB 1934 extended it from July 2025 to July 2026 in September 2024. Anyone who missed the deadline chose to.