On May 20, 2026, a company called Hermes Bitcoin shut down all 42 of its crypto kiosks in Southern California. Not voluntarily. The California Department of Financial Protection and Innovation (DFPI) gave them until that date to cease operations entirely, and permanently barred them from conducting any digital financial asset business in the state.
It was a hard stop for a company that, by all appearances, had been operating as if the rules didn't fully apply to them. And if you're a compliance officer at any company that touches crypto kiosks (operating them, banking them, or advising them), the Hermes Bitcoin action is worth reading carefully. Not because it's unusual. Because it isn't — and because the federal CLARITY Act is moving closer to making these obligations even harder to sidestep.
What Hermes Bitcoin Actually Did
The DFPI's investigation, which resolved a September 2025 enforcement order, found a pattern of violations going back to at least January 2024. According to the settlement agreement, Hermes Bitcoin:
- Accepted cash from customers in excess of $1,000 per day, violating California's daily transaction cap
- Charged fees above what California law permits
- Failed to provide required pre-transaction disclosures
- Issued receipts missing the required information
- Ran an AML compliance program so deficient that it routinely failed to collect and verify basic customer identification, including, in many cases, customer names
That last one is worth pausing on. Failing to collect a customer's name at a financial services kiosk isn't a gray area or a novel regulatory interpretation. It's one of the most foundational Bank Secrecy Act requirements that exist. It's the starting point of Know Your Customer (KYC) compliance. The fact that it was cited as a "substantial pattern" suggests this wasn't a rounding error in an otherwise functional compliance program. It was a compliance program that wasn't really functioning.
DFPI Commissioner KC Mohseni said the department "will not hesitate to pursue actions against those who defraud Californians and flout our laws." What's notable is that this wasn't even framed as a close call. The violations cited in the settlement are the same ones regulators have been signaling would draw scrutiny since California's Digital Financial Assets Law (DFAL) first took effect.
The Pattern Behind the Headline
The Hermes Bitcoin shutdown was DFPI's fourth major kiosk enforcement action in roughly a year.
In June 2025, DFPI took its first-ever enforcement action under DFAL: a consent order against Coinme, a Seattle-based operator with kiosks in grocery and convenience stores throughout California. Coinme was found to have accepted transactions exceeding the $1,000 daily limit and to have failed to include the required disclosures on receipts. The result: a $300,000 penalty and $51,700 in restitution to affected California consumers.
By October 2025, DFPI was moving against multiple operators simultaneously. Coinhub (operating as LSGT Services, LLC out of Nevada) was ordered to pay $675,000, including $105,000 in consumer restitution. RockItCoin, a Chicago-based operator, was ordered to pay $202,000 in restitution and a $75,000 penalty. In both cases: transaction limit violations, excessive fees, and inadequate AML programs.
What connects all of these is not complexity. The violations are, frankly, basic. Operators exceeded the $1,000 daily cap. They didn't disclose the spread (the difference between the market price of the asset and the price they charged customers) on receipts. They didn't collect identifying information. These aren't edge cases buried in the DFAL text. They're in the opening sections of the kiosk-specific rules that have been in effect since January 1, 2024.
If DFPI's enforcement pattern tells you anything, it's that they're not looking for sophisticated violations. They're looking for operators who thought baseline compliance was optional.
The Federal Obligations That Already Exist
Here's a point that gets underappreciated: the violations described in every one of these DFPI actions aren't just state violations.
FinCEN's position has been clear for years. Crypto ATM operators that accept fiat and exchange it for cryptocurrency are money services businesses (MSBs) under the exchanger category. That means they're required to register with FinCEN (Form 107), maintain a written AML compliance program, designate a compliance officer, file Suspicious Activity Reports, file Currency Transaction Reports for transactions over $10,000, and collect the customer information required under the Bank Secrecy Act.
In August 2025, FinCEN made its concern about the sector even more explicit, issuing Notice FIN-2025-NTC1 specifically focused on illicit finance risks from crypto kiosks. The notice identified fraud, cybercrime, and drug trafficking activity as the primary illicit finance vectors running through these machines, and published a list of red flags for financial institutions, including the basic flag that a kiosk operator isn't registered with FinCEN as an MSB at all.
That flag matters because it's apparently not uncommon. A meaningful number of kiosk operators appear to operate without MSB registration, treating FinCEN's rules as someone else's problem. They're not.
The federal and state violations described in the DFPI consent orders reinforce each other. When Hermes Bitcoin failed to collect customer names, that wasn't just a DFAL violation. It was a Bank Secrecy Act failure. Operating at the intersection of both frameworks means there's no jurisdiction where you're safe if you're non-compliant. And if the CLARITY Act passes in its current form, a third layer — statutory federal registration specifically for kiosk operators — gets added on top.
CLARITY Act Section 205: What Congress Is Adding
The CLARITY Act, formally the Digital Asset Market Clarity Act of 2025 (H.R. 3633), is primarily known as a market structure bill, the one that would divide regulatory authority over digital assets between the CFTC and SEC based on whether an asset is a commodity or a security. It passed the House in July 2025 with a 294-134 vote. The Senate Banking Committee advanced it on May 14, 2026, in a 15-9 bipartisan vote.
Most of the bill's attention has gone to the CFTC/SEC jurisdictional question, the stablecoin provisions, and the DeFi treatment. But there's a specific provision, Section 205, that applies directly to crypto kiosk operators.
Section 205 would require kiosk operators to register with the U.S. Treasury as money transmitters. AARP, in a May 13, 2026, letter supporting the provision, called it "a floor, not a ceiling," meaning it explicitly preserves state authority to impose stricter requirements, which California, Iowa, and a growing number of states have already done.
This framing is important. Section 205 wouldn't replace the patchwork of state rules. It would add a mandatory federal registration requirement as a national baseline, and it would do so at the statutory level rather than through agency guidance. That makes it harder for operators to argue that the requirement is ambiguous or open to interpretation.
That said, CLARITY is not law yet. As of mid-May 2026, a merged Senate bill still needs to clear the Senate floor with 60 votes, and any differences with the House version would require reconciliation before a presidential signature. The White House has set a July 4 target date, and prediction markets put odds of passage at roughly 75%. But "likely" isn't "done."
Importantly, none of that changes the compliance obligations that already exist. FinCEN MSB registration is required today under the Bank Secrecy Act. State-level licenses are required in at least 29 states. Section 205, if enacted, would codify what is already expected, but operators who are waiting for CLARITY before taking action have misread the timeline by several years.
The State-Level Wave Is Already Mature
California has gotten the most attention because DFAL is arguably the most comprehensive state crypto licensing regime outside New York's BitLicense. But it's far from alone.
As of mid-2026, 29 states have enacted laws specifically regulating crypto kiosks. Twelve of those laws were passed in 2026 alone. Three states, Indiana, Tennessee, and Minnesota, have banned kiosk operation outright. Iowa's governor signed SF2296 in May 2026, requiring crypto ATM operators to hold money transmission licenses before operating kiosks and establishing civil penalties of up to $100,000 for violations tied to injunctions.
The consumer harm data driving this is stark. In 2025, the FBI received more than 13,460 complaints involving crypto kiosks, with reported losses exceeding $389 million. The FTC has documented that elder fraud accounts for a disproportionate share of those losses, a demographic that has drawn particular attention from state attorneys general and consumer protection agencies.
For multi-state kiosk operators, the practical consequence is that the compliance map is no longer static. A few years ago, the relevant questions were federal (are we registered as an MSB?) and maybe one or two states. Now operators need to track transaction limits, fee caps, disclosure requirements, licensing status, and kiosk location reporting obligations across dozens of states, including three where operating at all is prohibited. The CLARITY Act, if enacted, adds a federal registration floor on top of all of that — it doesn't simplify the map, it extends it.
What Compliant Operation Actually Requires
At the federal level, the obligations aren't new, but they're worth restating for operators who've been treating them as background noise:
FinCEN MSB registration is required within 180 days of establishing the business and must be renewed every two years. The written AML program has to actually function, not just exist on paper. KYC data collection needs to include customers' full names at a minimum, and a transaction monitoring program needs to flag structuring, high-frequency activity, and other patterns FinCEN has specifically called out in its kiosk guidance. SAR filing for suspicious transactions and CTR filing for transactions over $10,000 are not optional.
At the California state level under DFAL, the requirements that have generated the most enforcement activity include: the $1,000 daily transaction cap per customer (in effect since January 1, 2024); disclosure of the spread on each receipt; pre-transaction disclosures about fees and conditions; a complete receipt including all required fields; and submission of a kiosk location registry to DFPI within 30 days of any changes.
Other states have their own variants. Iowa's licensing requirement took effect immediately on signing. Several states have implemented daily transaction limits different from California's. Some require operators to provide fraud warnings directly on the kiosk interface. It's genuinely a 50-state map that needs to be maintained and updated.
One thing that cuts across all of them: the violations DFPI has been penalizing are not esoteric. They're the compliance basics, the stuff that should be in place before you plug in a kiosk, not retrofitted after a regulator calls. Getting these right also happens to be the best preparation for whatever the CLARITY Act ultimately requires at the federal level.
The Compliance Implications Are Pretty Straightforward
The kiosk industry grew fast during a period when regulatory oversight was thin. Some operators built real compliance programs. Others launched machines in grocery stores and convenience stores with minimal infrastructure and hoped for the best.
That window has closed. DFPI has now demonstrated willingness to shut operators down entirely: not fine them, not issue a consent order with a payment plan, but pull the license and bar them from the market. The Hermes Bitcoin settlement doesn't leave room to operate. It's a market exit.
For operators who haven't recently audited their licensing status, AML program, and state-by-state compliance obligations, now is the moment to do it. Not when the CLARITY Act passes. Not when the next enforcement action drops. The CLARITY Act's Section 205 would codify a federal registration requirement for all kiosk operators, but the BSA obligations it would reinforce have been on the books for years. Waiting for the bill to become law before acting on them is not a defensible position.
For financial institutions that bank with or process payments for kiosk operators, FinCEN's 2025 advisory made clear that institutions have independent obligations to monitor for red flags, including kiosk operators that lack MSB registration, charge unusual fees, or show transaction patterns inconsistent with their peer group.
And for compliance officers at companies adjacent to this space: the pattern of enforcement here is one of escalating consequences. Coinme got a consent order. RockItCoin got restitution and a penalty. Coinhub paid $675,000. Hermes Bitcoin lost its license entirely.
The direction of travel isn't ambiguous.
Brico helps fintechs and financial institutions manage money transmitter licenses, DFAL licensing, and multi-state compliance obligations across all 50 states. If your organization is navigating crypto licensing requirements or preparing for CLARITY Act compliance, talk to our team.



