TodayFriday, July 03, 2026

California’s Crypto Licensing Law Is Now in Force. Unlicensed Platforms Risk $100,000 a Day.

The Digital Financial Assets Law now requires every exchange, custodian, and Bitcoin ATM operator serving California residents to hold a state license. The penalty for operating without one is $100,000 per day.
July 3, 2026
A Bitcoin ATM machine at Northgate Mall in San Rafael, California, February 2026
A Bitcoin ATM at Northgate Mall in San Rafael, California, February 2026. California's DFAL now requires Bitcoin ATM operators to hold a state license. [Image Source: Getty Images]

SAN FRANCISCO — Every cryptocurrency exchange, stablecoin issuer, and Bitcoin ATM operator that serves California residents without a state license is now in violation of California law. The Digital Financial Assets Law, signed by Governor Gavin Newsom in October 2023 and delayed once by the legislature, activated its full licensing requirement at midnight on July 1. The California Department of Financial Protection and Innovation can now pursue civil penalties of up to $100,000 per day against any unlicensed entity engaging in covered activity with the state’s 39 million residents.

The stakes are not hypothetical. The DFPI has already demonstrated a willingness to use penalty authority against unlicensed crypto operators. On June 25, 2025, it entered a consent order with Coinme Inc., a Seattle-based Bitcoin ATM company, in what the department called the first enforcement action under the DFAL. Coinme agreed to a $300,000 penalty and $51,700 in restitution to an elderly California resident. In January 2026, the department levied a $500,000 penalty against Nexo Capital Inc. for violating California’s lender licensing requirement and consumer protection law. The pattern is clear: DFPI intends to enforce.

The DFAL covers exchanges, custodians, transfer services, and stablecoin issuers — any entity that exchanges, transfers, stores, or administers digital financial assets on behalf of California customers. Traditional banks, credit unions, SEC-registered securities firms, CFTC-registered entities, and merchants that accept crypto solely as payment for goods and services are generally exempt. So are entities whose annual California activity falls below $50,000. For everyone else, the question is simple: did you file a completed application through the National Multi-State Licensing System before midnight on July 1? If not, you are now operating outside the law.

DFPI Commissioner KC Mohseni stated publicly in late 2025 that the department was positioned to protect California consumers independently of what happens at the federal level — a pointed reference to the prolonged and often contradictory federal approach to crypto regulation. The GENIUS Act, signed in July 2025, created the first federal framework for payment stablecoins. A broader crypto market structure bill has been moving through the Senate. But those federal timelines run into 2027 at the earliest. California is not waiting.

The implications extend beyond compliance teams. California is the world’s fifth-largest economy and home to roughly one in eight Americans. A company that stops serving California users to avoid the licensing requirement is cutting itself off from the most valuable consumer market in the United States. A company that continues serving them without a license is accruing a potential liability of $100,000 per day. Neither choice is comfortable, which is why the application window that opened March 9 on the NMLS system mattered so much. Companies that filed by July 1 can continue operating while their applications are reviewed; those that did not face an immediate compliance gap.

A sign advertising a Bitcoin ATM at a gas station in Pasadena, California
A Bitcoin ATM sign at a gas station in Pasadena, California, July 2025. Kiosk operators are among the businesses required to obtain a DFAL license under California law. [Image Source: Getty Images]

Ripple, the company behind the XRP token and the RLUSD stablecoin, submitted comments to the DFPI in early 2026 indicating its intent to comply with the deadline. No confirmed public record of a completed NMLS filing appeared in publicly available records before July 1, though NMLS filings are not always immediately reflected in public databases. What is clear is that the RLUSD stablecoin functions are central to Ripple’s California operations. RLUSD transfer and issuance services fall squarely within the DFAL’s scope. If Ripple did not file a completed application, its California stablecoin activity is currently unlicensed under state law.

The DFAL is not identical to the European Union’s Markets in Crypto-Assets regulation, which came into mandatory compliance in 2026 and covers the EEA broadly. But both regimes reflect the same regulatory direction: major crypto jurisdictions are building licensing frameworks that require companies to demonstrate capital adequacy, anti-money-laundering controls, cybersecurity policies, and consumer-protection disclosures before serving retail customers. The difference is scope: MiCA is a passporting regime that lets a firm licensed in one EU state operate across all 27. DFAL is California-only, which means a firm may hold licenses in New York, Florida, and a dozen other money-transmitter states and still be unregistered in California.

The unlicensed-versus-licensed gap will probably not resolve uniformly. Some operators will file and receive provisional status quickly. Others will exit California rather than meet the DFAL’s requirements — which include audited financial statements, surety bonding, FBI background checks on principals, and annual comprehensive reports. A third group will continue serving California users while hoping that enforcement actions are slow and that a settlement, when it comes, costs less than compliance. That gamble is, at least historically, a losing one: both the Coinme and Nexo actions resulted in fines plus compliance overhauls, not just fines.

What the DFPI has not yet specified publicly is whether it will initiate enforcement immediately against unlicensed platforms or extend an informal grace period to companies that filed incomplete applications or missed the deadline by days. The department issued no such grace-period announcement before the law’s effective date. DFPI did not respond to a request for comment on its immediate post-July-1 enforcement posture before publication.

California has now set the terms. Every crypto company serving the state’s consumers either holds a DFAL license, has a pending application on file, or is currently in violation. The department that enforced against Coinme and Nexo before the law was even fully in effect has shown it is not waiting for companies to self-report. The clock started July 1.

Economy Desk

Economy Desk

Covering markets, economic policy, inflation, and business news that shapes financial decisions.

Leave a Reply

Don't Miss