Update: Governor Newsom signed Assembly Bill 39, establishing the Digital Financial Assets Law on October 13, 2023. In signing, he called for more clarification in the regulatory process and in legislation. See his signing statement here.
The California Department of Financial Protection and Innovation (DFPI) may soon have another regulatory regime under its belt—answering the long-open question of digital asset regulation in California.
California legislators have passed the Digital Financial Assets Law that would require a license to “engage in digital financial asset business activity” with or on behalf of any Californians. Gov. Gavin Newsom is expected to sign it into law. If he does, the law will take effect July 1, 2025.
California will join with New York and Louisiana in requiring licenses for certain digital asset activities
Who Needs a License?
The California bill would require a license to engage in or imply the ability to engage in “digital financial asset business activity,” which the bill defines as:
- Exchanging, transferring or storing a digital financial asset or engaging in digital financial asset administration directly or through a vendor.
- Holding electronic precious metals or electronic certificates representing interests in precious metals on behalf of another person or issuing shares or electronic certificates representing interests in precious metals.
- Exchanging one or more digital representations of value used within one or more online games, game platforms or family of games for:
- A digital financial asset offered by or on behalf of the publisher from which the original digital representation of value was received.
- Legal tender or bank or credit union credit outside the game, platform or family of games offered by or on behalf of the publisher from which the original digital representation of value was received.
Exemptions, Conditional Licenses and Penalties
The proposed bill excludes:
- Most government entities.
- Certain financial institutions.
- Most people who solely provide connectivity software, computing power, data storage or security services.
- People engaging with digital assets for personal, family, household or academic use—or people whose digital financial asset business activity is reasonably expected to be valued at no more than $50,000 per year.
The bill also exempts a significant amount of activity covered by laws such as the Securities Exchange Act of 1934 and the Electronic Fund Transfer Act of 1978.
A conditional license may be available for people who were licensed under New York’s BitLicense regime before January 1, 2023, as long as the person pays all appropriate fees and complies with the Digital Financial Assets Law.
Conditional licenses expire upon issuance of an unconditional license, denial of a license application or certain disapprovals or revocations in connection with New York virtual currency business approvals.
The state may impose civil penalties of up to $100,000 per day for unlicensed activity and $20,000 per day for material violations by a licensee or covered person.
Much of the application process is similar to the process for a money transmitter license—business plan, corporate background information, disclosure questions, personal information about control persons and an application fee.
The law also requires the DFPI to investigate whether the applicant “has a reasonable promise of success in engaging in digital financial business activity” and is likely to comply with applicable laws and regulations.
The law permits use of the Nationwide Multistate Licensing System (NMLS) to collect and maintain records and process fees in connection with the license. As most states use NMLS for money transmission and digital asset licenses, this will likely streamline the application process for an established entity with a robust NMLS profile.
Approvals may be conditional, requiring an applicant to accept conditions the DFPI specifies.
As with money transmission, digital asset licensees must maintain surety bonds and meet capital and liquidity requirements. In addition, a licensee must show compliance with multiple requirements in an annual report and request renewal each fall. Failure to timely comply may lead to enforcement actions, possibly including suspension or revocation of a license.
Licensees will also be subject to periodic examination, at their own expense. The law allows regulators at various agencies to share information with other regulators and regulatory agencies. This information sharing may minimize individual examinations as regulators have been doing in the money transmission space, lessening costs and administrative burdens for both licensees and regulators.
Securing Digital Finance
Following the New York Department of Financial Services’ Cybersecurity Regulations—arguably the most robust state cybersecurity framework imposed on nonbank financial services—California plans to impose a similar expansion of cyber-related requirements on digital finance asset business activity.
Traditional cybersecurity regulations mandate a comprehensive written information security (INFOSEC) program, as in the case of the Digital Financial Assets Law. Unlike other cybersecurity regulations, the California law would focus on the technological aspects of digital assets. It also would require the development and implementation of an operations security (OPSEC) program.
- INFOSEC programs focus on mitigating the risks associated with information technology assets, such as preventing unauthorized access to information systems.
- OPSEC programs integrate daily information technology development and information security processes into a single operational unit. OPSEC programs:
- Focus on collaboration, shared responsibility and agility in applying security concepts to each stage of the software development life cycle.
- Are in the early stages of development in financial services but have been extensively discussed by technology firms and government contractors.
The new law requires a licensee’s information security and operational security policies and programs to:
- Include reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of nonpublic personal information or digital financial assets it receives, maintains or transmits.
- Incorporate traditional cybersecurity goals and objectives instead of the more limited goal of protecting “security” and “confidentiality.” That means INFOSEC programs that only cover data breaches would no longer be compliant.
- Be informed by a “comprehensive risk assessment designed to ensure consumers are adequately protected from cybersecurity risk, risk of malfeasance, including theft, risks related to code or protocol defects, or market-related risks, including price manipulation and fraud.”
- The risk assessment must cover more than just cybersecurity risk; it must also cover concepts such as account takeover and, potentially, fraudulent activity designed to cause a loss of digital assets.
OPSEC programs must:
- Address “code or protocol defects,” i.e., vulnerabilities introduced in development, which can be a critical component of digital asset exchanges.
- Consider digital manipulations that could influence the value of the digital assets.
These concepts are all relatively new, generally untested as to robustness and lacking in any third-party standards, unlike traditional cybersecurity frameworks such as NIST Cybersecurity Framework and ISO 27001.
Finally, in addition to introducing an OPSEC requirement, California has created a catch-all rule, requiring INFOSEC programs to comply with relevant state or federal laws. In other words, the heightened standards of the amended Safeguards Rule will also apply to digital finance asset business activity (the Safeguards Rule requires certain financial institutions to implement measures to keep customer information secure).
All of these new concepts require digital asset businesses to consider investments in cybersecurity processes, infrastructure and people. A failure to fully capture operational and cybersecurity risk and implement reasonable security controls may ultimately put the license at risk.
For companies doing business in digital financial assets, California’s law may help fill the gap between regulating with legislation and with enforcement. However, given the increased scrutiny on digital assets, it remains to be seen whether the law walks the line between regulation that provides a viable way to operate successfully while providing sufficient consumer protection to achieve the state’s goals.