California’s long‑anticipated digital asset licensing regime has finally arrived. Beginning today – Monday, March 9, 2026 – the California Department of Financial Protection and Innovation (“DFPI”) will be accepting license applications under the state’s Digital Financial Assets Law (“DFAL”). This marks the true operational start of California’s digital asset regulatory framework, and the beginning of the compliance clock for companies operating in California, placing the DFPI alongside the New York State Department of Financial Services as one of the most consequential state crypto regulators in the country.
By July 1, 2026, any company or individual engaging in covered crypto‑related activities involving Californians must either hold a DFAL license, have a completed DFAL application on file, or qualify for an exemption. All others risk being forced to pause their activity in the state or exit the California market completely.
A Long Road to Implementation
It has taken quite a while to get to this point. The DFAL, which created a standalone licensing framework for digital asset businesses operating in California, was signed into law in October 2023, and although it was originally scheduled to take effect on July 1, 2025, implementation was later delayed to July 1, 2026. This additional year gave both regulators and the industry much needed additional runway to prepare, but that runway is now ending.
Who Needs to Pay Attention
The DFAL establishes a stand‑alone licensing regime for entities engaged in “digital financial asset business activity” in California. While the statute and regulations contain nuance, the scope of the law is quite broad. At a high level, the DFAL will capture businesses that:
- exchange digital financial assets,
- transfer digital financial assets,
- custody or store digital financial assets on behalf of others,
- administer or control digital financial assets to or for others, or
- otherwise facilitate transactions involving digital financial assets.
The definition of a “digital financial asset” is similarly expansive, covering most cryptocurrencies, such as Bitcoin and Ether, as well as stablecoins, certain tokenized assets, and other digital representations of value used as a medium of exchange, units of account, or store of value.
Like New York’s BitLicense regime, the DFAL is aimed primarily at non‑bank digital asset businesses, while providing exemptions for banks, credit unions, trust companies, and certain limited or de minimis activities. But for most non‑bank crypto platforms, wallet providers, custodians, and intermediaries, the DFAL will be directly relevant. If your business touches California users and involves receiving, holding, moving, or facilitating crypto or crypto transactions on their behalf, DFAL should be a top priority on your compliance roadmap.
Core DFAL Application and Compliance Requirements
While the DFPI retains discretion in how it evaluates applications, the DFAL sets out a comprehensive set of baseline requirements. At a practical level, applicants should expect close scrutiny of:
- organizational and ownership structure, including background checks for control persons,
- financial condition, supported by financial statements and minimum surety bonding,
- AML, KYC, and sanctions compliance aligned with Bank Secrecy Act standards,
- cybersecurity and operational resilience, including documented policies and incident response planning, and
- consumer disclosures, transaction receipts, and complaint handling procedures.
DFPI is also empowered to impose ongoing supervisory conditions, conduct examinations, and take enforcement action for violations of the statute or unsafe practices.
What Companies Should Be Doing Now
March 9th is not the deadline – it is the starting line.
Between now and July 1, 2026, covered entities must be prepared to demonstrate that they are either licensed, have a completed license application on file, or clearly qualify for an exemption. For many firms, that will require meaningful internal work before the deadline.
In practical terms, companies should already be:
- assessing whether their current or planned activities fall within the DFAL’s scope,
- mapping existing compliance, custody, and operational controls against the DFAL’s requirements and expectations,
- identifying gaps in governance, documentation, cybersecurity, or consumer disclosures, and
- preparing licensing materials early enough to engage constructively with the DFPI.
Ultimately, the DFPI licensing process will be detailed and documentation‑heavy. Firms that wait to engage risk unnecessary regulatory disruption to their California operations.
