INSIGHT

California digital assets compliance roadmap: Licensing and annual requirements 

August 1, 2025

Industries: Blockchain & Digital Assets

---

Who this applies to: Any business exchanging, transferring, storing, or issuing digital assets for California residents must obtain licensing by July 1, 2026, under California’s Digital Financial Assets Law (DFAL). This includes centralized exchanges, custodial wallet providers, stablecoin issuers, and crypto broker-dealers. 

What you need to know: The law establishes comprehensive licensing requirements, ongoing compliance obligations, and annual reporting standards that will fundamentally reshape how digital asset businesses operate in California’s market. 

If your digital asset business serves California residents, the clock is ticking. California’s Digital Financial Assets Law will take effect July 1, 2026, creating one of the most comprehensive state-level regulatory frameworks for cryptocurrency and digital asset businesses in the United States. 

With California representing roughly 12% of the U.S. population and a significant portion of crypto adoption, compliance isn’t optional—it’s essential for maintaining access to this critical market. The law affects everyone from major exchanges to smaller custodial services, and the penalties for noncompliance are substantial, including fines up to $100,000 per day. 

Understanding California’s digital asset licensing requirements 

Who needs a license 

The DFAL casts a wide net over “digital financial asset business activity,” which includes: 

• Exchange services – Converting crypto-to-crypto or crypto-to-fiat for customers 
• Transfer services – Facilitating digital asset transactions between parties 
• Storage and custody – Holding digital assets on behalf of customers 
• Stablecoin issuance – Creating tokens designed to maintain stable value against fiat currency 

If your business engages in any of these activities with California residents, you’ll likely need a license from the Department of Financial Protection and Innovation (DFPI). 

Key exemptions to know about 

The law provides exemptions for 17 categories of entities, including: 

• FDIC-insured banks and federal credit unions  
• Licensed trust companies 
• Merchants accepting crypto solely as payment for goods and services  
• Businesses with annual California transaction volumes under $50,000  
• Pure technology providers offering only connectivity or data storage services 

However, these exemptions are narrow. Most businesses actively facilitating digital asset transactions for customers will need to pursue licensing. 

Conditional licensing pathway 

If you already hold a New York BitLicense or limited purpose trust company charter (issued before January 1, 2023), you may qualify for conditional licensing. This provides a streamlined path while your full California application is under review, but you’ll still need to pay all fees and submit required documentation. 

Building your compliance framework 

Required policies and procedures 

Before submitting your license application, you must establish comprehensive programs covering: 

Information security and operational security Your cybersecurity framework must address the unique risks of digital asset custody and transaction processing, including multi-signature controls, cold storage protocols, and incident response procedures. 

Business continuity and disaster recovery These programs must address both traditional business disruptions and crypto-specific scenarios, such as blockchain network outages or smart contract failures. 

Anti-fraud and AML/CFT programs Your anti-money laundering program must comply with both federal BSA/FinCEN requirements and California-specific obligations, including robust customer identification, transaction monitoring, and suspicious activity reporting. 

Legal compliance program This should address evolving federal and state regulations affecting digital assets, including securities law considerations for token listings. 

Financial requirements and consumer protections 

Licensed entities must maintain adequate capital and liquidity as determined by DFPI regulation. More importantly, you must hold all customer assets—both digital and fiat—in segregated statutory trusts, fully reserved to meet customer withdrawal demands at any time. 

This “full reserve” requirement represents a significant departure from traditional fractional reserve banking and requires careful cash flow management and balance sheet planning. 

Navigating token listing requirements 

Before offering any new digital asset to customers, you must certify to the DFPI that you’ve completed several critical assessments: 

• Securities analysis – Evaluate whether the asset might be deemed a security by federal or California regulators  
• Conflict disclosure – Provide written disclosure of any material conflicts of interest  
• Comprehensive risk assessment – Address cybersecurity risks, theft potential, code defects, and market manipulation risks  
• Ongoing monitoring procedures – Establish policies for reevaluating and potentially delisting assets 

Violations of listing requirements can result in penalties of $20,000 per day, making thorough due diligence processes essential. 

Annual reporting and assurance requirements 

Financial reporting obligations 

Between October 1 and November 1 each year, you must submit detailed reports to the DFPI including: 

• Audited financial statements (if California digital asset revenue exceeds $2 million) or CPA-reviewed statements (for smaller operations)  
• Documentation of any material changes in financial condition  
• Details on litigation, investigations, and regulatory actions  
• Transaction volume and customer count data  
• Evidence of compliance with reserve and capital requirements 

Required professional services 

The annual reporting requirements create ongoing needs for specialized professional services: 

GAAP financial audit or review Licensed businesses need either full audited financial statements or CPA-reviewed statements, depending on revenue thresholds. These engagements must properly account for digital asset holdings and customer liabilities under evolving accounting standards. 

AML program testing Independent testing of your anti-money laundering controls helps demonstrate ongoing compliance with federal and state requirements, covering customer identification, transaction monitoring, and sanctions screening. 

Proof-of-reserve attestation CPA examination or agreed-upon procedures engagements verify that your on-chain crypto and fiat reserves match customer liabilities, providing regulatory evidence of full-reserve compliance. 

Special considerations for stablecoin issuers 

Stablecoin issuance faces additional scrutiny under the DFAL. Only licensed entities, regulated banks and trust companies, or issuers with explicit DFPI approval can issue stablecoins in California. 

Reserve requirements for stablecoins 

Stablecoin issuers must maintain 100% backing in high-quality liquid assets, including: 

• Insured bank deposits  
• U.S. Treasury securities or agency bonds 
• Rated U.S. state and municipal bonds 

The DFPI commissioner must approve each stablecoin before it can be exchanged, transferred, or held in custody, considering factors such as redemption rights, asset quality, and issuer representations about risks and uses. 

Preparing for DFPI examination and oversight 

The DFPI has broad examination authority over licensees, with power to conduct on-site or remote examinations at any time. Licensed entities will also pay annual assessments to fund the department’s oversight activities. 

Building examination readiness into your compliance framework from the start will help streamline future regulatory interactions and demonstrate your commitment to ongoing compliance. 

Taking action on California compliance 

The 18-month implementation period provides time to prepare, but the comprehensive nature of these requirements means starting your compliance planning now is critical. Key immediate steps include: 

• Conducting a gap analysis against current operations to identify needed changes  
• Engaging qualified legal counsel specializing in digital asset regulation  
• Building relationships with CPAs experienced in crypto accounting and attestation services 
• Developing detailed implementation timelines to meet the July 2026 deadline 

California’s Digital Financial Assets Law represents a significant step toward comprehensive digital asset regulation. While compliance will require substantial investment in systems, controls, and professional services, it also provides regulatory clarity that can support business growth and customer confidence. 

The firms that proactively address these requirements will be best positioned to thrive in California’s regulated digital asset marketplace, while those that delay may find themselves scrambling to maintain market access or facing significant penalties. 

Ready to navigate California’s digital asset compliance requirements? BPM’s digital asset practice helps cryptocurrency businesses build robust compliance frameworks and meet ongoing regulatory obligations. Contact us today to discuss how we can support your California licensing and annual compliance needs.