This guide is written for crypto founders and compliance professionals who need to translate the Digital Financial Assets Law (DFAL) statute into an execution plan.

What DFAL is (and what it isn’t)

DFAL is California’s Digital Financial Assets Law, enacted through AB 39 and SB 401 and administered by the Department of Financial Protection and Innovation (DFPI).

• AB 1934 moved the effective licensing date: the statute’s licensure date was extended from July 1, 2025 to July 1, 2026.
• DFAL is codified in Financial Code Division 1.25, which contains: definitions and scope, licensure, examinations, enforcement, consumer protections/disclosures, stablecoins, policies/procedures, and a dedicated kiosk chapter.

What DFAL is not: it is not simply a re-labeling of the California Money Transmission Act (MTA). DFAL is its own licensing framework for “digital financial asset business activity,” and DFPI has separately proposed MTA-related clarifications to reduce duplicative regulation for certain activity (more on that below).

The core trigger: “digital financial asset business activity” with or on behalf of a “resident”

1) Who counts as a “California resident” under DFAL?

DFAL defines “Resident” broadly. It includes:

• a person domiciled in California;
• a person physically located in California for more than 183 days of the prior 365;
• a person who has a place of business in California; and
• the legal representative of a California-domiciled person.

A nuance that matters in B2B flows: the definition also says “resident” does not include a DFAL licensee or its affiliate (as defined by cross-reference).

2) What is a “digital financial asset”?

A “digital financial asset” is defined as a digital representation of value used as a medium of exchange, unit of account, or store of value, and not legal tender.

The statute also carves out several things that are not “digital financial assets,” including:

• certain merchant affinity/rewards program value that can’t be taken from or exchanged with the merchant for legal tender/bank credit/another digital financial asset;
• certain in‑game / platform value used solely within a game ecosystem; and
• a security that is registered with (or exempt from registration with) the SEC, or qualified with (or exempt from qualification with) DFPI.

Practical takeaway: don’t treat “token = DFAL” as automatic; classification matters. But also don’t over-read the “security” exclusion—many tokenized instruments are not registered or exempt, which can push you back into DFAL territory depending on facts and counsel’s view.

3) What activities are “digital financial asset business activity”?

DFAL defines “digital financial asset business activity” to include, among other things:

1. Exchanging, transferring, or storing a digital financial asset, or engaging in digital financial asset administration, including through agreements with a “digital financial asset control services vendor.”
2. Holding electronic precious metals (or electronic certificates representing interests) on behalf of another person, or issuing shares/certificates representing interests in precious metals.
3. Certain exchanges involving in‑game / platform value when it is exchanged for a digital financial asset offered by the same publisher or for legal tender/bank credit outside the game ecosystem.

Key definitional hooks for modern product architectures:

• “Exchange” generally involves assuming control of a digital financial asset from or on behalf of a resident—at least momentarily—to sell/trade/convert between crypto and fiat/credit or between crypto assets.
• “Transfer” also hinges on assuming control from or on behalf of a resident and then crediting/moving/relinquishing control.
• “Store” means maintaining control of a digital financial asset on behalf of a resident (i.e., custody).
• “Digital financial asset administration” is basically “issuance with redemption authority” (think: stablecoin-like or redeemable instruments): issuing a digital financial asset with authority to redeem it for legal tender, bank/credit union credit, or another digital financial asset.

Founder lens: DFAL is aimed at the “control points” in crypto businesses—where you take custody/control, facilitate conversion, or issue redeemable value.

Applicability: it can reach out-of-state companies

DFAL governs the digital financial asset business activity of a person doing business in California or, wherever located, who engages in (or holds itself out as engaging in) the activity with or on behalf of a California resident.

So a non-California exchange, wallet provider, or issuer can still be in scope if it serves California residents.

The licensing rule, the transition window, and the “pending application” trap

The baseline rule (statute)

On or after July 1, 2026, a person may not engage in (or “hold itself out” as able to engage in) DFAL-covered activity with or on behalf of a resident unless one of these is true:

• the person is licensed by DFPI; or
• the person submits an application on or before July 1, 2026 and is awaiting approval or denial; or
• the person is exempt under the statute.

DFPI summarizes this as: starting July 1, 2026, companies must be licensed or have applied to operate in California.

The practical trap: DFPI proposed “completed application” language

DFPI’s proposed regulations (PRO 02‑23) include language that, for purposes of the statutory transition in Financial Code § 3201(b), a person may continue operating if it submits a “completed application” (as defined by statute). Finalization is still pending.(DFPI)

Why this matters: if your plan is “we’ll file something by June 30 and keep operating,” you should design to file a complete, decision-ready application, not a placeholder—because that’s the direction DFPI has proposed to formalize. (DFPI)

The application: what DFPI will expect and how it will be filed

DFPI says: apply through NMLS, with materials coming in early 2026

DFPI states that DFAL license applications will be submitted through the Nationwide Multistate Licensing System (NMLS), and that DFPI expects to make application materials (forms, instructions, checklists) available in early 2026.

DFPI has already published proposed application artifacts as part of PRO 02‑23 (including NMLS MU1 and MU2, plus a DFPI Form 2 personal financial statement) on its DFAL regulations page.

Statutory application content (what your package must cover)

Financial Code § 3203 lays out the required contents of a DFAL application. The list is long, but for founders/compliance teams the “big buckets” are:

• Corporate structure & control: legal name, organizational structure, formation docs, jurisdictions, business addresses, and details for executive officers/responsible individuals.
• Financial condition: financial statements and other information DFPI needs to assess financial health.
• Operations & compliance program: a business plan and operating plan, and a plan to meet DFAL “policies and procedures” obligations (Chapter 7).
• AML posture: evidence of FinCEN registration (if applicable) is explicitly called out as an application item.
• Background checks: fingerprints for executive officers and “responsible individuals,” plus investigation authorization.
• CA footprint metrics: application asks for the number of California residents engaged, and volume measures (e.g., USD-equivalent digital assets and legal tender transmission with residents) for the prior year.

DFPI’s approval standard (how the regulator will judge you)

DFPI must investigate the applicant and decide whether the application meets statutory standards (the statute enumerates multiple licensure standards), then approve, approve with conditions, or deny.

Also: conditional approvals can come with a tight response window—if DFPI imposes conditions and you don’t accept them within the statutory window, the application can be deemed withdrawn/denied (depending on context).

Execution advice: treat DFAL licensing like building an auditable operating system. You want your application narrative, policies, and controls to line up cleanly, because DFPI has examination and enforcement authority in the same statutory scheme.

Post-license obligations that change product and ops design

DFPI’s DFAL FAQ highlights core policy goals that translate into operational obligations—e.g., maintaining sufficient capital/liquidity, investigating assets before listing, and holding sufficient digital assets to satisfy resident entitlements.

A few high-impact requirements and where they show up:

1) Capital and liquidity

Financial Code § 3207 requires licensees to maintain capital and liquidity in an amount and form DFPI determines is sufficient, and DFPI can require increases.

2) “Pro rata cost share” payments (ongoing supervisory cost recovery)

Financial Code § 3211 establishes an annual pro rata cost share concept for DFPI’s administration costs, based on the proportion of residents you serve relative to all licensees/applicants operating under DFAL’s transition.

3) Customer disclosures (and they’re not optional fine print)

Financial Code § 3501 requires a “covered person” to provide specified disclosures (and any additional disclosures DFPI requires by rule) when engaging in digital financial business activity with a resident, and DFPI sets the required time and form by rule.

4) Custody/segregation expectation: customer entitlements matter

One of the signature consumer protections is the concept that a covered person with control of customer digital assets must maintain sufficient assets to satisfy aggregate customer entitlements. (This is a key reason custody, omnibus wallet design, and bankruptcy remoteness become compliance issues, not just architecture debates.)

5) Record retention (plan for 5 years)

The DFAL legislative materials and amendments describe a requirement to maintain specified records for DFAL-covered activity with or on behalf of a resident for five years (including maintaining a general ledger at least monthly).

6) Exam readiness isn’t theoretical

DFPI has statutory authority to examine licensees to confirm lawful conduct and proper accounting of DFAL activity.

Operational reality: if you’re building for DFAL, build like you’ll be examined—because you can be.

Kiosk operators: California already has live rules (and they tighten in 2025)

If you operate “crypto ATM” / kiosk infrastructure, SB 401’s kiosk chapter imposes requirements that are already operative, separate from the July 1, 2026 licensing deadline. DFPI summarizes the timeline:

• By January 1, 2024: provide DFPI a list of kiosk locations.
• By January 1, 2024: do not dispense or accept more than $1,000 per day per customer and provide a receipt with specified information.
• Beginning January 1, 2025: provide pre-transaction disclosures, and you’re prohibited from collecting from customers in any single transaction the greater of $5 or 15% of the USD equivalent of the digital assets involved.
• By July 1, 2026: kiosk operators must comply with DFAL licensing requirements.

DFAL vs. the Money Transmission Act (MTA): where dual licensing may (or may not) be avoided

This is one of the most important “architecture questions” for compliance teams: does DFAL replace MTA for your CA-facing activity, or do you need both?

Here’s the most defensible way to say it based on what is published today:

• DFAL is a distinct licensing regime for DFAL-defined digital financial asset business activity.
• DFPI has proposed regulations that would clarify when money transmission of legal tender occurring in/associated with the normal performance of DFAL-defined activity is treated as exempt under the MTA framework.
• Those clarifications were published as proposed regulations under DFPI’s PRO 02‑23 rulemaking track (with multiple rounds of proposed text/modifications).

Compliance takeaway: plan your 2026 posture assuming DFAL is primary for crypto-native activities—but validate any “we don’t need MTA anymore” conclusion against your exact flows (especially if you transmit fiat in ways that are not simply incidental to DFAL-covered activity), and monitor DFPI’s final rule text when adopted.

A practical readiness roadmap for Q1–Q2 2026

DFPI has signaled that application materials arrive early 2026 and licensing is required (or a timely application pending) by July 1, 2026.

If you want to avoid a scramble, a realistic sequencing is:

1) Map your product to DFAL’s “control points”

Inventory every CA-resident touchpoint where you:

• assume control for exchange/transfer, even briefly;
• provide custody/control (including through vendors);
• issue anything redeemable (administration);
• touch kiosk activity (and comply with the live 2024 lists/limits, 2025 disclosures, and the live §3700+ chapter kiosk rules now).

2) Build the “application spine” (a document set you can defend)

Use Financial Code § 3203 as your checklist backbone and pre-build:

• org charts, cap table/control narrative, officer/responsible individual dossiers;
• audited/reviewed financials and a liquidity narrative aligned to § 3207 expectations;
• AML program artifacts (and confirm whether you must show FinCEN registration evidence);
• consumer disclosure drafts aligned to § 3501;
• custody/entitlements controls aligned to the statutory “sufficient assets” concept.

3) Design for “complete application,” not “file something”

Because DFPI’s proposed rule text ties the transition safe harbor to submitting a completed application, you should staff and schedule to file something DFPI can treat as complete.

4) Operationalize examination-readiness and 5-year record retention

Put in place:

• audit logs and a record retention program that can support five-year requirements;
• exam response playbooks and a single source of truth for policies/procedures.

Common mistakes to avoid

1. Assuming “non-custodial” automatically means “out of scope.” DFAL’s definitions hinge on “control” and include activity conducted through control-services vendors—so carefully analyze who has control at each step.
2. Relying on the transition window without a complete package. Proposed regulations point toward “completed application” expectations.
3. Forgetting kiosk rules are already live. Fee limits and disclosure obligations apply starting January 1, 2025; daily limits/receipts applied starting January 1, 2024.
4. Treating DFAL as a pure licensing exercise. DFAL embeds consumer protection, disclosure, capital/liquidity, and custody/entitlements expectations that will force product and ops decisions.
5. Overstating MTA relief before final rules. DFPI has proposed MTA clarifications, but you should not treat proposed language as final compliance posture.

Where to get updates and ask DFPI questions

DFPI’s Digital Financial Assets page invites prospective licensees to join an email list for updates or email [email protected] with questions about how the law affects your business.

DFPI also maintains a dedicated DFAL FAQ and a DFAL rulemaking page (PRO 02‑23) where proposed application forms and rule text are posted.

Final note (practical, not legal advice)

The “DFAL project” goes beyond being a legal workstream; it’s an operating model workstream. For compliance teams: treat DFAL like a combined license + prudential + consumer protection + custody regime, and start building the evidence trail now so you’re not reverse-engineering governance under deadline.

How Brico Helps with DFAL Compliance

Brico is crypto licensing software built for founders and compliance teams tackling California's Digital Financial Assets Law (DFAL) and multi-state regimes. It replaces spreadsheets, scattered PDFs, and email threads with centralized workflows that streamline NMLS-ready applications, track licensing deadlines like July 1, 2026, and generate audit-friendly documentation.

• Automates DFAL application checklists from Financial Code §3203, including corporate structure, financials, AML/FinCEN evidence, and policies for capital/liquidity requirements.
• Maps product flows to DFAL triggers (exchange, transfer, custody, redeemable issuance) and flags California resident touchpoints for exam readiness.
• Handles kiosk rules under SB 401, pro rata cost shares, 5-year record retention, and consumer disclosures under §3501.
• Integrates DFAL with MTA analysis, ensuring dual-licensing clarity as DFPI finalizes PRO 02-23 rules.

Get a demo of Brico and learn how you can scale your licensing engine from chaos to compliance across all 50 states.

‍

Disclaimer: This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Brico is not a law firm and does not provide legal counsel. Licensing requirements vary by state and depend on your specific business model and circumstances. You should consult with qualified legal counsel before making any licensing decisions or taking action based on this content.