Bill Text: CA AB2269 | 2021-2022 | Regular Session | Enrolled
Bill Title: Digital financial asset businesses: regulation.
Spectrum: Partisan Bill (Democrat 4-0)
Status: (Vetoed) 2022-09-23 - Vetoed by Governor. [AB2269 Detail]
Download: California-2021-AB2269-Enrolled.html
Enrolled
September 01, 2022 |
Passed
IN
Senate
August 29, 2022 |
Passed
IN
Assembly
August 30, 2022 |
Amended
IN
Senate
August 22, 2022 |
Amended
IN
Senate
August 11, 2022 |
Amended
IN
Senate
June 30, 2022 |
Amended
IN
Senate
June 27, 2022 |
Amended
IN
Senate
June 06, 2022 |
CALIFORNIA LEGISLATURE—
2021–2022 REGULAR SESSION
Assembly Bill
No. 2269
Introduced by Assembly Member Grayson (Coauthors: Assembly Members Quirk and Stone) (Coauthor: Senator Limón) |
February 16, 2022 |
An act to amend Section 4052 of, and to add Division 1.25 (commencing with Section 3101) to, the Financial Code, relating to financial regulation.
LEGISLATIVE COUNSEL'S DIGEST
AB 2269, Grayson.
Digital financial asset businesses: regulation.
Existing law, the Money Transmission Act, generally prohibits a person from engaging in the business of money transmission, as defined, without a license from the Commissioner of Financial Protection and Innovation.
This bill, the Digital Financial Assets Law, would, on and after January 1, 2025, prohibit a person from engaging in digital financial asset business activity, or holding itself out as being able to engage in digital financial asset business activity, with or on behalf of a resident unless any of certain criteria are met, including the person is licensed with the Department of Financial Protection and Innovation, as prescribed. The bill
would define “digital financial asset” to mean a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated in legal tender, except as specified.
This bill would, among other things, authorize the department to conduct examinations of a licensee, as prescribed, and would require a licensee to maintain, for all digital financial asset business activity with, or on behalf of, a resident for 5 years after the date of the activity, certain records, including a general ledger posted at least monthly that lists all assets, liabilities, capital, income, and expenses of the licensee.
This bill would authorize the department to take an enforcement measure against a licensee or person that is not a licensee but is engaging in digital financial asset business activity with, or on behalf of, a resident in any of certain instances,
including the licensee or person materially violates the provisions of the bill, a rule adopted or order issued under the bill, or a law of this state other than the bill that applies to digital financial asset business activity of the violator with, or on behalf of, a resident. The bill would prescribe certain civil penalties for violations of its provisions.
This bill would require a licensee, before engaging in digital financial asset business activity with a resident, to make certain disclosures to the resident, including a schedule of fees and charges the licensee may assess, the manner by which fees and charges will be calculated if they are not set in advance and disclosed, and the timing of the fees and charges.
This bill would require an applicant, before submitting an application, to create and, during licensure, maintain in a record policies and procedures for, among other things, an information security program
and an operational security program.
Existing law, the California Financial Information Privacy Act (CFIPA), generally regulates the disclosure by a financial institution, as defined, of a consumer’s nonpublic personal information.
This bill would include a person licensed under its provisions in the definition of “financial institution” and would include digital financial asset business activity in the definition of “financial product or service” for the purposes of the CFIPA.
Digest Key
Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NOBill Text
The people of the State of California do enact as follows:
SECTION 1.
Division 1.25 (commencing with Section 3101) is added to the Financial Code, to read:DIVISION 1.25. Digital Financial Assets Businesses
CHAPTER 1. General Provisions
3101.
This division shall be known as the Digital Financial Assets Law.3102.
For purposes of this division:(a) “Applicant” means a person that applies for a license under this division.
(b) (1) “Bank” means a federally chartered or state-chartered depository institution or holder of a charter granted by the Office of the Comptroller of the Currency to a person engaged in the business of banking other than deposit-taking.
(2) “Bank” does not include either of the following:
(A) An industrial loan company, state-chartered trust company, or a limited purpose trust
company, unless incorporated as a bank or the department has authorized the company to engage in digital financial asset business activity.
(B) A trust company or limited purpose trust company chartered by a state with which this state does not have a reciprocity agreement governing trust company activities.
(c) “Control” means both of the following:
(1) When used in reference to a transaction or relationship involving a digital financial asset, power to execute unilaterally or prevent indefinitely a digital financial asset transaction.
(2) When used in reference to a person, the direct or indirect power to direct the management, operations, or policies of the person
through legal or beneficial ownership of voting power in the person or under a contract, arrangement, or understanding.
(d) “Credit union” means a credit union licensed under the laws of this state, or any other state, or a federal credit union chartered under the laws of the United States.
(e) “Department” means the Department of Financial Protection and Innovation.
(f) (1) “Digital financial asset” means a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated in legal tender.
(2) “Digital financial asset” does not include either of the following:
(A) A transaction in which a merchant grants, as part of an affinity or rewards program, value that cannot be taken from or exchanged with the merchant for legal tender, bank or credit union credit, or a digital financial asset.
(B) A digital representation of value issued by or on behalf of a publisher and used solely within an online game, game platform, or family of games sold by the same publisher or offered on the same game platform.
(g) “Digital financial asset administration” means issuing a digital financial asset with the authority to redeem the digital financial asset for legal tender, bank or credit union credit, or another digital financial asset.
(h) “Digital financial asset business activity” means any of the following:
(1) Exchanging, transferring, or storing a digital financial asset or engaging in digital financial asset administration, whether directly or through an agreement with a digital financial asset control services vendor.
(2) Holding electronic precious metals or electronic certificates representing interests in precious metals on behalf of another person or issuing shares or electronic certificates representing interests in precious metals.
(3) Exchanging one or more digital representations of value used within one or more online games, game platforms, or family of games for either of the following:
(A) A digital financial asset offered by or on behalf of the same publisher from which the original digital representation of value was received.
(B) Legal tender or bank or credit union credit outside the online game, game platform, or family of games offered by or on behalf of the same publisher from which the original digital representation of value was received.
(i) “Digital financial asset control services vendor” means a person that has control of a digital financial asset solely under an agreement with a person that, on behalf of another person, assumes control of the digital financial asset.
(j) “Exchange,” when used as a verb, means to assume control of
a digital financial asset from, or on behalf of, a resident, at least momentarily, to sell, trade, or convert either of the following:
(1) A digital financial asset for legal tender, bank or credit union credit, or one or more forms of digital financial assets.
(2) Legal tender or bank or credit union credit for one or more forms of digital financial assets.
(k) “Executive officer” means an individual who is a director, officer, manager, managing member, partner, or trustee of a person that is not an individual.
(l) “Insolvent” means any of the following:
(1) Having generally ceased to pay debts in the ordinary
course of business other than as a result of a bona fide dispute.
(2) Being unable to pay debts as they become due.
(3) Being insolvent within the meaning of federal bankruptcy law.
(m) “Legal tender” means a medium of exchange or unit of value, including the coin or paper money of the United States, issued by the United States or by another government.
(n) “Licensee” means a person licensed under this division.
(o) (1) “Person” means an individual, partnership, estate, business or nonprofit entity, or other legal entity.
(2) “Person” does not include a public corporation, government, or governmental subdivision, agency, or instrumentality.
(p) “Record” means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.
(q) “Resident” means any of the following:
(1) A person who is domiciled in this state.
(2) A person who is physically located in this state for more than 183 days of the previous 365 days.
(3) A person who has a place of business in this state.
(4) A
legal representative of a person that is domiciled in this state.
(r) “Responsible individual” means an individual who has direct control over, or significant management policy and decisionmaking authority with respect to, a licensee’s digital financial asset business activity in this state.
(s) “Sign” means, with present intent to authenticate or adopt a record, either of the following:
(1) To execute or adopt a tangible symbol.
(2) To attach to, or logically associate with, the record an electronic symbol, sound, or process.
(t) “State” means a state of the United States, the District of Columbia,
Puerto Rico, the United States Virgin Islands, or any territory or insular possession subject to the jurisdiction of the United States.
(u) “Store,” except in the phrase “store of value,” means to maintain control of a digital financial asset on behalf of a resident by a person other than the resident. “Storage” and “storing” have corresponding meanings.
(v) “Transfer” means to assume control of a digital financial asset from, or on behalf of, a resident and to subsequently do any of the following:
(1) Credit the digital financial asset to the account of another person.
(2) Move the digital financial asset from one account of a resident to another
account of the same resident.
(3) Relinquish control of a digital financial asset to another person.
(w) “United States dollar equivalent of digital financial assets” means the equivalent value of a particular digital financial asset in United States dollars shown on a digital financial asset exchange based in the United States for a particular date or period specified in this division.
3103.
(a) Except as otherwise provided in subdivision (b) or (c), this division governs the digital financial asset business activity of a person doing business in this state or, wherever located, who engages in or holds itself out as engaging in the activity with, or on behalf of, a resident.(b) (1) This division does not apply to the exchange, transfer, or storage of a digital financial asset or to digital financial asset
administration to the extent the Securities Exchange Act of 1934 (15 U.S.C. 78a et seq.) or the Corporate Securities Law of 1968 (Division 1 (commencing with Section 25000) of Title 4 of the Corporations Code) govern the activity.
(2) This division does not apply to the exchange, transfer, or storage of a digital financial asset or to digital financial asset administration to the extent the application of this division conflicts with the Electronic Fund Transfer Act of 1978 (15 U.S.C. 1693 et seq.).
(c) This division does not apply to activity by any of the following:
(1) The United States, a state, political subdivision of a state, agency, or instrumentality of federal, state, or
local government, or a foreign government or a subdivision, department, agency, or instrumentality of a foreign government.
(2) A bank, including a trust company that is incorporated as a bank.
(3) A credit union.
(4) A person whose participation in a payment system is limited to providing processing, clearing, or performing settlement services solely for transactions between or among persons that are exempt from the licensing requirements of this division.
(5) A person engaged in the business of dealing in foreign exchange to the extent the person’s activity meets the definition in Section 1010.605(f)(1)(iv) of Title 31 of the Code of Federal Regulations.
(6) A person that is any of the following:
(A) A person that contributes only connectivity software or computing power to securing a network that records digital financial asset transactions or to a protocol governing transfer of the digital representation of value.
(B) A person that provides only data storage or security services for a business engaged in digital financial asset business activity and does not otherwise engage in digital financial asset business activity on behalf of another person.
(C) A person that provides only to a person otherwise exempt from this division a digital financial asset as one or more enterprise solutions used solely among each
other and that does not have an agreement or a relationship with a resident that is an end user of a digital financial asset.
(7) A person using a digital financial asset, including creating, investing, buying or selling, or obtaining a digital financial asset as payment for the purchase or sale of goods or services, solely on the person’s own behalf for personal, family, or household purposes or for academic purposes.
(8) A person whose digital financial asset business activity with, or on behalf of, residents is reasonably expected to be valued, in the aggregate, on an annual basis at fifty thousand dollars
($50,000) or less, measured by the United States dollar equivalent of digital financial assets.
(9) An attorney to the extent of providing escrow services to a resident.
(10) A title insurance company to the extent of providing escrow services to a resident.
(11) A securities intermediary, as defined in Section 8102 of the Commercial Code, or a commodity intermediary, as defined in Section 9102 of Commercial Code, that meets both of the following criteria:
(A) The securities intermediary or commodity intermediary does not engage in the ordinary course of business in digital financial asset business activity with, or on behalf of, a
resident, in addition to maintaining securities accounts or commodities accounts and is regulated as a securities intermediary or commodity intermediary under federal law, state law other than this division, or the law of another state.
(B) The securities intermediary or commodity intermediary affords a resident protections comparable to those set forth in Section 3501.5.
(12) A secured creditor under Division 9 (commencing with Section 9101) of the Commercial Code or a creditor with a judicial lien, or lien arising by operation of law, on collateral that is a digital financial asset, if the digital financial asset business activity of the creditor is limited to enforcement of the security interest in compliance with Division 9 (commencing with Section 9101) of the
Commercial Code or lien in compliance with the law applicable to the lien.
(13) A digital financial asset control services vendor.
(14) A person that does not receive compensation, either directly or indirectly, for providing digital financial asset products or services or for conducting digital financial asset business activity or that is engaged in testing products or services with the person’s own funds.
CHAPTER 2. Licensure
3201.
On or after January 1, 2025, a person shall not engage in digital financial asset business activity, or hold itself out as being able to engage in digital financial asset business activity, with or on behalf of a resident unless any of the following is true:(a) The person is licensed in this state by the department under Section 3202.
(b) The person submits an application on or before January 1,
2025, and is awaiting approval or denial of that application.
(c) The person is exempt from licensure under this division pursuant to Section 3103.
3202.
(a) An application for a license under this division shall meet all of the following requirements:(1) The application shall be in a form and medium prescribed by the department.
(2) Except as otherwise provided in subdivision (b), the application shall provide all of the following information relevant to the applicant’s proposed digital financial asset business activity:
(A) The legal name of the applicant, any current or proposed business United States Postal Service address of the applicant, and any fictitious or trade name the applicant uses or
plans to use in conducting the applicant’s digital financial asset business activity with or on behalf of a resident.
(B) The legal name, any former or fictitious name, and the residential and business United States Postal Service address of any executive officer and responsible individual of the applicant and any person that has control of the applicant.
(C) A description of the current and former business of the applicant for the five years before the application is submitted, or, if the business has operated for less than five years, for the time the business has operated, including its products and services, associated internet website addresses and social media pages, principal place of business, projected user base, and specific marketing targets.
(D) A list of all of the following:
(i) Any money service or money transmitter license the applicant holds in another state.
(ii) The date the license described in clause (i) expires.
(iii) Any license revocation, license suspension, or other disciplinary action taken against the licensee in any state and any license applications rejected by any state.
(E) A list of any criminal conviction, deferred prosecution agreement, and pending criminal proceeding in any jurisdiction against all of the following:
(i) The applicant.
(ii) Any executive officer of the applicant.
(iii) Any responsible individual of the applicant.
(iv) Any person that has control over the applicant.
(v) Any person over which the applicant has control.
(F) A list of any litigation, arbitration, or administrative proceeding in any jurisdiction in which the applicant or an executive officer or a responsible individual of the applicant has been a party for the 10 years before the application is submitted determined to be material in accordance with generally accepted accounting principles and, to the extent the applicant would be required to disclose the
litigation, arbitration, or administrative proceeding in the applicant’s audited financial statements, reports to equity owners and similar statements or reports.
(G) A list of any bankruptcy or receivership proceeding in any jurisdiction for the 10 years before the application is submitted in which any of the following was a debtor:
(i) The applicant.
(ii) An executive officer of the applicant.
(iii) A responsible individual of the applicant.
(iv) A person that has control over the applicant.
(v) A person over which the applicant has control.
(H) The name and United States Postal Service address of any bank in which the applicant plans to deposit funds obtained by its digital financial asset business activity.
(I) The source of funds and credit to be used by the applicant to conduct digital financial asset business activity with, or on behalf of, a
resident.
(J) Documentation demonstrating that the applicant has the net worth and reserves required by Section 3204.
(K) The United States Postal Service address and email address to which communications from the department can be sent.
(L) The name, United States Postal Service address, and email address of the registered agent of the applicant in this state.
(M) A copy of the certificate, or a detailed summary acceptable to the department, of coverage for any liability, casualty, business interruption, or cybersecurity insurance policy maintained by the applicant for itself, an executive officer, a responsible individual, or the applicant’s
users.
(N) If applicable, the date on which and the state in which the applicant is formed and a copy of a current certificate of good standing issued by that state.
(O) If a person has control of the applicant and the person’s equity interests are publicly traded in the United States, a copy of the audited financial statement of the person for the most recent fiscal year or most recent report of the person filed under Section 13 of the Securities Exchange Act of 1934 (15 U.S.C. Sec. 78m).
(P) If a person has control of the applicant and the person’s equity interests are publicly traded outside the United States, a copy of the audited financial statement of the person for the most recent fiscal year of the person or a copy
of the most recent documentation similar to that required in subparagraph (N) filed with the foreign regulator in the domicile of the person.
(Q) If the applicant is a partnership or a member-managed limited liability company, the names and United States Postal Service addresses of any general partner or member.
(R) If the applicant is required to register with the Financial Crimes Enforcement Network of the United States Department of the Treasury as a money service business, evidence of the registration.
(S) A set of fingerprints for each executive officer and responsible individual of the applicant.
(T) If available, for any executive officer and
responsible individual of the applicant, for the 10 years before the application is submitted, employment history and history of any investigation of the individual or legal proceeding to which the individual was a party.
(U) The plans through which the applicant will meet its obligations under Chapter 7 (commencing with Section 3701).
(V) Any other information the department reasonably requires by rule.
(3) The application shall be accompanied by a nonrefundable fee in the amount determined by the department to cover the reasonable costs of regulation.
(b) (1) On receipt of a completed application, the department shall investigate
all of the following:
(A) The financial condition and responsibility of the applicant.
(B) The relevant financial and business experience, character, and general fitness of the applicant.
(C) The competence, experience, character, and general fitness of each executive officer, each responsible individual, and any person that has control of the applicant.
(2) On receipt of a completed application, the department may investigate the business premises of an applicant.
(c) After completing the investigation required by subdivision (b), the department shall send the applicant notice of its decision to
approve, conditionally approve, or deny the application. If the department does not receive notice from the applicant that the applicant accepts conditions specified by the department within 31 days following the department’s notice of the conditions, the application shall be deemed withdrawn.
(d) A license issued pursuant to this division shall take effect on the later of the following:
(1) The date the department issues the license.
(2) The date the licensee provides the security required by Section 3204.
(e) In addition to the fee required by paragraph (3) of subdivision (a), an applicant shall pay the reasonable costs of the department’s
investigation under subdivision (b).
(f) Information provided pursuant to this section is covered by paragraph (1) of subdivision (d) of Section 6254 of the Government Code.
3203.
(a) (1) (A) A licensee shall maintain a surety bond or trust account in United States dollars in a form and amount as determined by the department for the protection of residents that engage in digital financial asset business activity with the licensee. (B) If a licensee maintains a trust account pursuant to this section, that trust account shall be maintained with a bank, trust company, national bank, savings bank, savings and loan association, federal savings association, credit union, or federal credit union in the state, subject to the prior approval of the department.
(2) Security deposited under this section shall be payable to this state for the benefit of a claim against the licensee on account of the licensee’s digital financial asset business activity with, or on behalf of, a resident.
(3) Security deposited under this section shall cover claims for the period the department specifies by rule and for an additional period the department specifies after the licensee ceases to engage in digital financial asset business activity with or on behalf of a resident.
(4) For good cause, the department may require the licensee to increase the amount of security deposited under this section, and the licensee shall deposit the additional security not later than 15 days after the licensee receives notice in a record of the required increase.
(5) For good cause, the department may permit a licensee to substitute or deposit an alternate form of security satisfactory to the department if the licensee at all times complies with this section.
(6) A claimant does not have a direct right to recover against security deposited under this section.
(7) Only the department may recover against the security, and the department may retain the recovery for no longer than five years and may process claims and distribute recoveries to claimants in accordance with rules adopted by the department under the Money Transmission Act (Division 1.2 (commencing with Section 2000)).
(b) In addition to the security
required under subdivision (a), a licensee shall maintain at all times capital in an amount and form as the department determines is sufficient to ensure the financial integrity of the licensee and its ongoing operations based on an assessment of the specific risks applicable to the licensee. In determining the minimum amount of capital that shall be maintained by a licensee, the department may consider factors, including, but not limited to, all of the following:
(1) The composition of the licensee’s total assets, including the position, size, liquidity, risk exposure, and price volatility of each type of asset.
(2) The composition of the licensee’s total liabilities, including the size and repayment timing of each type of liability.
(3) The actual and expected volume of the licensee’s digital financial asset business activity.
(4) The amount of leverage employed by the licensee.
(5) The liquidity position of the licensee.
(6) The financial protection that the licensee provides pursuant to subdivision (a).
(7) The types of entities to be serviced by the licensee.
(8) The types of products or services to be offered by the licensee.
(9) Arrangements adopted by the licensee for the protection of its customers in the event of the licensee’s insolvency.
(c) A licensee shall hold capital required to be maintained in accordance with this section in the form of cash, digital financial assets, or high-quality, highly liquid, investment grade assets, in proportions determined by the department.
(d) (1) A licensee may include in its calculation of net worth the value of digital financial assets other than the digital financial assets over which it has control for a resident entitled to the protections of Section 3501.5.
(2) For purposes of this subdivision, the value of digital financial assets shall be the average value of the digital financial assets in United States dollar equivalent during the prior six months.
(e) (1) For good cause, the department may require a licensee
to increase the net worth or reserves required under this section.
(2) A licensee shall submit to the department evidence that it has additional net worth or reserves required pursuant to this subdivision not later than 15 days after the licensee
receives notice in a record of the required increase.
3204.
(a) Absent good cause, the department shall issue a license to an applicant if the applicant complies with this chapter and pays the costs of the investigation under subdivision (e) of Section 3202 and the initial licensee fee under paragraph (3) of subdivision (a) of Section 3202 in an amount specified by the department.(b) An applicant may appeal a denial of its application under Section 3202 pursuant to the Administrative Procedure Act, as described in Section 11370 of the Government Code, not later than 30 days after the department notifies the applicant that the application has been denied or deemed denied.
3205.
(a) Subject to subdivision (g), on or before September 15 of each year, a licensee may apply for renewal of the license by paying a renewal fee determined by the department, not to exceed the reasonable costs of regulation, and submitting to the department a renewal report under subdivision (b).(b) A renewal report required by subdivision (a) shall be submitted in a form and medium prescribed by the department. The report shall contain all of the following:
(1) Either a copy of the licensee’s most recent reviewed annual financial statement, if the gross revenue generated by the licensee’s digital
financial asset business activity in this state was not more than two million dollars ($2,000,000) for the fiscal year ending before the anniversary date of issuance of its license under this division, or a copy of the licensee’s most recent audited annual financial statement, if the licensee’s digital financial asset business activity in this state amounted to more than two million dollars ($2,000,000), for the fiscal year ending before the anniversary date.
(2) If a person other than an individual has control of the licensee, a copy of either of the following:
(A) The person’s most recent reviewed annual financial statement, if the person’s gross revenue was not more than two million dollars ($2,000,000) in the previous fiscal year measured as of the anniversary date of
issuance of its license under this division.
(B) The person’s most recent audited consolidated annual financial statement, if the person’s gross revenue was more than two million dollars ($2,000,000) in the previous fiscal year measured as of the anniversary date of issuance of its license under this division.
(3) A description of any of the following:
(A) Any material change in the financial condition of the licensee.
(B) Any
material litigation related to the licensee’s digital financial asset business activity and involving the licensee or an executive officer or responsible individual of the licensee.
(C) Any federal or state investigation involving the licensee.
(D) (i) Any data security breach involving the licensee.
(ii) A description of a data security breach pursuant to this subparagraph does not constitute disclosure or notification of a security breach for purposes of Section 1798.82 of the Civil Code.
(4) Information or records required by Section 3305 that the licensee has not reported to the department.
(5) The number of digital financial asset business activity transactions with, or on behalf of, residents for the period since, subject to subdivision (g), the later of the date the license was issued or the date the last renewal report was submitted.
(6) (A) The amount of United States dollar equivalent of digital financial asset in the control of the
licensee at, subject to subdivision (g), the end of the last month that ends not later than 30 days before the date of the renewal report.
(B) The total number of residents for whom the licensee had control of United States dollar equivalent of digital financial assets on that date.
(7) Evidence that the licensee is in compliance with Section 3501.5.
(8) Evidence that the licensee is in compliance with Section 3203.
(9) A list of any location where the licensee operates its digital financial asset business activity.
(c) If a licensee does not timely comply with subdivision (a), the
department may use enforcement measures provided under Chapter 4 (commencing with Section 3401). Notice or hearing is not required for a suspension or revocation of a license under this division for failure to pay a renewal fee or file a renewal report.
(d) If the department suspends or revokes a license under this division for noncompliance with subdivision (a), the department may end the suspension or rescind the revocation and notify the licensee of the action if, subject to subdivision (g), not later than 20 days after the license was suspended or revoked, the licensee files a renewal report and a renewal fee and pays any penalty assessed under Section 3404.
(e) The department shall give prompt notice to a licensee of the lifting of a suspension or rescission of a revocation after the licensee
complies with subdivision (d).
(f) Suspension or revocation of a license under this section does not invalidate a transfer or exchange of digital financial assets for, or on behalf of, a resident made during the suspension or revocation and does not insulate the licensee from liability under this division.
(g) For good cause, the department may extend a period under this section.
(h) A licensee that does not comply with this section shall cease operations with, or on behalf of, a resident on or before the anniversary date of issuance of its license under this division.
(i) A licensee shall pay the reasonable and necessary costs of the department’s investigation under
this section.
3207.
A license under this division is not transferable or assignable.3208.
The department may adopt rules necessary to implement this division and issue guidance as appropriate.CHAPTER 3. Examination
3301.
(a) (1) (A) The department may, at any time and from time to time, examine the business and any office, within or outside this state, of any licensee, or any agent of a licensee, in order to ascertain whether the business is being conducted in a lawful manner and whether all digital financial asset business activity is properly accounted for.(B) The directors, officers, and employees of a licensee, or agent of a licensee, being examined by the department shall exhibit to the department, on request, any or all of the licensee’s accounts, books, correspondence, memoranda, papers, and other records and shall otherwise
facilitate the examination so far as it may be in their power to do so.
(2) The department may examine a licensee pursuant to this subdivision without prior notice to the
licensee.
(b) A licensee shall pay the reasonable and necessary costs of an examination under this section.
3302.
(a) A licensee shall maintain, for all digital financial asset business activity with, or on behalf of, a resident for five years after the date of the activity, a record of all of the following:(1) Any transaction of the licensee with, or on behalf of, the resident or for the licensee’s account in this state, including all of the following:
(A) The identity of the resident.
(B) The form of the transaction.
(C) The amount, date, and payment instructions given by the resident.
(D) The account number, name, and United States Postal Service address of the resident, and, to the extent feasible, other parties to the transaction.
(2) The aggregate number of transactions and aggregate value of transactions by the licensee with, or on behalf of, the resident and for the licensee’s account in this state expressed in United States dollar equivalent of digital financial assets for the previous 12 calendar months.
(3) Any transaction in which the licensee exchanged one form of digital financial asset for legal tender or another form of digital financial asset with, or on behalf of, the resident.
(4) A general ledger posted at least monthly that
lists all assets, liabilities, capital, income, and expenses of the licensee.
(5) Any business call report the licensee is required to create or provide to the department.
(6) Bank statements and bank reconciliation records for the licensee and the name, account number, and United States Postal Service address of any bank the licensee uses in the conduct of its digital financial asset business activity with, or on behalf of, the resident.
(7) A report of any dispute with the resident.
(b) A licensee shall maintain records required by subdivision (a) in a form that enables the department to determine whether the licensee is in compliance with this
division, any court order, and the laws of this state.
(c) If a licensee maintains records outside this state that pertain to transactions with, or on behalf of, a resident, the licensee shall make the records available to the department not later than three days after request, or, on a determination of good cause by the department, at a later time.
(d) All records maintained by a licensee are subject to inspection by the department.
3303.
The department may cooperate, coordinate, jointly examine, consult, and share records and other information with the appropriate regulatory agency of another state, a self-regulatory organization, federal or state regulator of banking or nondepository providers, or a regulator of a jurisdiction outside the United States, concerning the affairs and conduct of a licensee in this state.3305.
(a) A licensee shall file with the department a report of the following, as may be applicable:(1) A material change in information in the application for a license under this division or the most recent renewal report of the licensee under this division.
(2) A material change in the licensee’s business for the conduct of its digital financial asset business activity with, or on behalf of, a resident.
(3) A change of an executive officer, responsible individual, or person in control of the licensee.
(b) Absent good cause, a report required by this section shall be filed not later than 15 days after the change described in subdivision (a).
3306.
(a) For purposes of this section, “proposed person to be in control” means the person that would control a licensee after a proposed transaction that would result in a change in control of the licensee.(b) The following rules apply in determining whether a person has control over a licensee:
(1) There is a rebuttable presumption of control if the person’s voting power in the licensee constitutes or will constitute at least 25 percent of the total voting power of the licensee.
(2) There is a rebuttable presumption of control if the person’s voting
power in another person constitutes or will constitute at least 10 percent of the total voting power of the other person and the other person’s voting power in the licensee
constitutes at least 25 percent of the total voting power of the licensee.
(3) There is no presumption of control solely because an individual is an executive officer of the licensee.
(c) At least 30 days before a proposed change in control of a
licensee, the proposed person to be in control shall submit to the department in a record all of the following:
(1) An application in a form and medium prescribed by the department.
(2) The information and records that Section 3202 would require if the proposed person to be in control already had control of the licensee.
(3) A license application under Section 3202 by the proposed person to be in control.
(d) The department, in accordance with Section 3202, shall approve, approve with conditions, or deny an application for a change in control of a licensee. The department, in a record, shall send notice of its decision to the licensee
and the person that would be in control if the department had approved the change in control. If the department denies the application, the licensee shall abandon the proposed change in control or cease digital financial asset business activity with or on behalf of residents.
(e) If the department applies a condition to approval of a change in control of a licensee, and the department does not receive notice of the applicant’s acceptance of the condition specified by the department not later than 31 days after the department sends notice of the condition, the application is deemed denied. If the application is deemed denied, the licensee
shall abandon the proposed change in control or cease digital financial asset business activity with, or on behalf of, residents.
(f) Submission in good faith of records required by subdivision (c) relieves the proposed person to be in control from any obligation imposed by this section other than subdivisions (d), (e), and (h) until the department has acted on the application.
(g) The department may revoke or modify a determination under subdivision (d), after notice and opportunity to be heard, if, in its judgment, revocation or modification is consistent with this division.
(h) If a change in control of a licensee requires approval of an agency of the state, and the action of the other agency
conflicts with that of the department, the department shall confer with the other agency. If the proposed change in control cannot be completed because the conflict cannot be resolved, the licensee shall abandon the change in control or cease digital financial asset business activity with, or on behalf of, residents.
3307.
(a) At least 30 days before a proposed merger or consolidation of a licensee with another person, the licensee shall submit all of the following, as applicable, to the department in a record:(1) An application in a form and medium prescribed by the department.
(2) The plan of merger or consolidation in accordance with subdivision (e).
(3) In the case of a licensee, the information required by Section 3202 concerning the person that would be the surviving entity in the proposed merger or consolidation.
(b) If a proposed merger or consolidation would change the control of a licensee, the licensee
shall comply with Section 3306 and this section.
(c) The department, in accordance with Section 3202, shall approve, conditionally approve, or deny an application for approval of a merger or consolidation of a licensee. The department, in a record, shall send notice of its decision to the licensee and the person that would be the surviving entity. If the department denies the application, the licensee
shall abandon the merger or consolidation or cease digital financial asset business activity with, or on behalf of, residents.
(d) The department may revoke or modify a determination under subdivision (c), after notice and opportunity to be heard, if, in its judgment, revocation or modification is consistent with this division.
(e) A plan of merger or consolidation of a licensee with another person shall do all of the following:
(1) Describe the effect of the proposed transaction on the licensee’s conduct of digital financial asset business activity with, or on behalf of, residents.
(2) Identify each person to be merged or consolidated and the person
that would be the surviving entity.
(3) Describe the terms and conditions of the merger or consolidation and the mode of carrying it into effect.
(f) If a merger or consolidation of a licensee and another person requires approval of an agency of this state, and the action of the other agency conflicts with that of the department, the department shall confer with the other agency. If the proposed merger or consolidation cannot be completed because the conflict cannot be resolved, the licensee shall abandon the merger or consolidation or cease digital financial asset business activity with, or on behalf of, residents.
(g) The department may condition approval of an application under subdivision (a). If the department does
not receive notice from the parties that the parties accept the department’s condition not later than 31 days after the department sends notice in a record of the condition, the application is deemed denied. If the application is deemed denied, the licensee shall abandon the merger or consolidation or cease digital financial asset business activity with, or on behalf of, residents.
(h) If a licensee acquires substantially all of the assets of a person, whether or not the person’s license was approved by the department, the transaction is subject to this section.
(i) Submission in good faith of the records required by subdivision (e) relieves the proposed surviving entity from any obligation imposed by this section, other than subdivisions (c), (f), and (g), until the
department has acted on the application.
CHAPTER 4. Enforcement
3401.
For the purpose of this chapter, “enforcement measure” means an action that includes, but is not limited to, all of the following:(a) Suspend or revoke a license under this division.
(b) Order a person to cease and desist from doing digital financial asset business activity with, or on behalf of, a resident.
(c) Request the court to appoint a receiver for the assets of a person doing digital financial asset business activity with, or on behalf of, a resident.
(d) Request the court to issue temporary,
preliminary, or permanent injunctive relief against a person doing digital financial asset business activity with, or on behalf of, a resident.
(e) Assess a penalty under Section 3404.
(f) Recover on the security under Section 3203 and initiate a plan to distribute the proceeds for the benefit of a resident injured by a violation of this division, or law of this state other than this division that applies to digital financial asset business activity with, or on behalf of, a resident.
(g) Impose necessary or appropriate conditions on the conduct of digital financial asset business activity with, or on behalf of, a resident.
(h) Seek restitution on behalf of a
resident if the department shows economic injury due to a violation of this division.
3402.
(a) The department may take an enforcement measure against a licensee or person that is not a licensee but is engaging in digital financial asset business activity with, or on behalf of, a resident in any of the following instances:(1) The licensee or person materially violates this division, a rule adopted or order issued under this division, or a law of this state other than this division that applies to digital financial asset business activity of the violator with, or on behalf of, a resident.
(2) The licensee or person does not cooperate substantially with an examination or investigation by the
department, fails to pay a fee, or fails to submit a report or documentation.
(3) The licensee or person, in the conduct of its digital financial asset business activity with, or on behalf of, a resident, engages in any of the following:
(A) An unsafe or unsound act or practice.
(B) An unfair or deceptive act or practice.
(C) Fraud or intentional misrepresentation.
(D) Misappropriation of legal tender, a digital financial asset, or other value held by a fiduciary.
(4) An agency of the United States or another state takes an action against
the licensee or person, which would constitute an enforcement measure if the department had taken the action.
(5) The licensee or person is convicted of a crime related to its digital financial asset business activity with, or on behalf of, a resident or involving fraud or felonious activity that, as determined by the department, makes the licensee or person unsuitable to engage in digital financial asset business activity.
(6) Any of the following occurs:
(A) The licensee or person becomes insolvent.
(B) The licensee or person makes a general assignment for the benefit of its creditors.
(C) The licensee or person becomes the debtor, alleged debtor, respondent, or person in a similar capacity in a case or other proceeding under any bankruptcy, reorganization, arrangement, readjustment, insolvency, receivership, dissolution, liquidation, or similar law, and does not obtain from the court, within a reasonable time, confirmation of a plan or dismissal of the case or proceeding.
(D) The licensee or person applies for, or permits the appointment of, a receiver, trustee, or other agent of a court for itself or for a substantial part of its assets.
(7) The licensee or person makes a material misrepresentation to the department.
(b) On application and for good cause, the department may do either
of the following:
(1) Extend the due date for filing a document or report under paragraph (2) of subdivision (a).
(2) Waive, to the extent warranted by circumstances, including a bona fide error notwithstanding reasonable procedures designed to prevent error, an enforcement measure issued for a violation described by paragraph (2) of subdivision (a) if the department determines that the waiver will not adversely affect the likelihood of compliance with this division.
(c) In an enforcement action related to operating without a license under this division, it is a defense to the action that the person has in effect a customer identification program reasonably designed to identify whether a customer is a resident that
failed to identify the particular customer as a resident.
(d) A proceeding under this division is subject to the Administrative Procedure Act, as described in Section 11370 of the Government Code.
3403.
(a) Except as provided in subdivision (b), the department may take an enforcement measure only after notice and opportunity for a hearing as appropriate in the circumstances.(b) (1) (A) The department may take an enforcement measure, other than the imposition of a civil penalty under Section 3404, without notice if the circumstances require action before notice can be given.
(B) A person subject to an enforcement measure pursuant to this paragraph shall have the right to an expedited postaction hearing by the department unless the person has waived the hearing.
(2) (A) The department may take an enforcement measure, other than the imposition of a civil penalty under Section 3404, after notice and without a prior hearing if the circumstances require action before a hearing can be held.
(B) A person subject to an enforcement measure pursuant to this paragraph shall have the right to an expedited postaction hearing by the department unless the person has waived the hearing.
(3) The department may take an enforcement measure, other than the imposition of a civil penalty under Section 3404, after notice and without a hearing if the person conducting digital financial asset business activity with, or on behalf of, a resident does not timely request a
hearing.
3404.
(a) If a person other than a licensee engages in digital financial asset business activity with, or on behalf of, a resident in violation of this division, the department may assess a civil penalty against the person in an amount not to exceed one hundred thousand dollars ($100,000) for each day the person is in violation of this division.(b) If a licensee materially violates a provision of this division, the department may assess a civil penalty in an amount not to exceed twenty thousand dollars ($20,000) for each day of violation or for each act or omission in violation.
(c) A civil penalty under this
section continues to accrue until the date the violation ceases.
3405.
(a) Revocation of a license under this division is effective against a licensee one day after the department sends notice in a record of the revocation to the licensee by a means reasonably selected for the notice to be received by the recipient in one day to the address provided for receiving communications from the department.(b) Suspension of a license under this division or an order to cease and desist is effective against a licensee or other person one day after the department sends notice in a record of the suspension or order to the licensee or other person by a means reasonably selected for the notice to be received by the recipient in one day to
the address provided for receiving communications from the department or, if no address is provided, to the recipient’s last known address. A suspension or order to cease and desist remains in effect until the earliest of the following:
(1) Entry of an order by the department under the Administrative Procedure Act, as described in Section 11370 of the Government Code.
(2) Entry of a court order setting aside or limiting the suspension or order to cease and desist.
(3) A date specified by the department.
(c) If, without reason to know of the department’s notice sent under this section, a licensee or other person does not comply in accordance with the notice
until the notice is actually received at the address provided, the department may consider the delay in compliance in imposing a sanction for the failure.
3406.
The department may enter into a consent order with a person regarding an enforcement measure. The order may provide that it does not constitute an admission of fact by a party.3407.
(a) This chapter does not provide a private right of action to a resident.(b) This section does not preclude an action by a resident to enforce rights under Section 3501.5.
CHAPTER 5. Disclosures and Protections
3501.
(a) When engaging in digital financial business activity with a resident, a licensee shall provide to a resident the disclosures required by subdivision (b) and any additional disclosure the department by rule determines reasonably necessary for the protection of residents. The department shall determine by rule the time and form required for disclosure. A disclosure required by this section shall be made separately from any other information provided by the licensee and in a clear and conspicuous manner in a record the resident may keep. A licensee may propose, for the department’s approval, alternate disclosures as more appropriate for its digital financial asset business activity with, or on behalf of, residents.(b) Before engaging in digital financial asset business activity with a resident, a licensee shall disclose, to the extent applicable to the digital financial asset business activity the licensee will undertake with the resident, all of the following:
(1) A schedule of fees and charges the licensee may assess, the manner by which fees and charges will be calculated if they are not set in advance and disclosed, and the timing of the fees and charges.
(2) Whether the product or service provided by the licensee is covered by either of the following:
(A) A form of insurance or other guarantee against loss by an agency of the United States as follows:
(i) Up to the full United States dollar equivalent of digital financial assets placed under the control of, or purchased from, the licensee as of the date of the placement or purchase, including the maximum amount provided by insurance under the Federal Deposit Insurance Corporation or otherwise available from the Securities Investor Protection Corporation.
(ii) If not provided at the full United States dollar equivalent of the digital financial asset placed under the control of or purchased from the licensee, the maximum amount of coverage for each resident expressed in the United States dollar equivalent of the digital financial asset.
(B) (i) Private insurance against theft or loss, including cybertheft
or theft by other means.
(ii) Upon request of a resident with whom a licensee engages in digital financial asset business activity, a licensee shall disclose all material terms of the insurance policy to the resident in a manner that allows the resident to understand the specific insured risks and any maximum coverage amounts that may result in partial coverage of the resident’s assets.
(3) The irrevocability of a transfer or exchange and any exception to irrevocability.
(4) A description of all of the following:
(A) The licensee’s liability for an unauthorized, mistaken, or accidental transfer or exchange.
(B) The resident’s responsibility to provide notice to the licensee of an unauthorized, mistaken, or accidental transfer or exchange.
(C) The basis for any recovery by the resident from the licensee in case of an unauthorized, mistaken, or accidental transfer or exchange.
(D) General error resolution rights applicable to an unauthorized, mistaken, or accidental transfer or exchange.
(E) The method for the resident to update the resident’s contact information with the licensee.
(5) That the date or time when the transfer or exchange is made and the resident’s account is debited may differ from the date or time when the resident initiates the
instruction to make the transfer or exchange.
(6) Whether the resident has a right to stop a preauthorized payment or revoke authorization for a transfer and the procedure to initiate a stop-payment order or revoke authorization for a subsequent transfer.
(7) The resident’s right to receive a receipt, trade ticket, or other evidence of the transfer or exchange.
(8) The resident’s right to at least 14 days’ prior notice of a change in the licensee’s fee schedule, other terms and conditions that have a material impact on digital financial asset business activity with the resident, or the policies applicable to the resident’s account.
(9) That no digital
financial asset is currently recognized as legal tender by California or the United States.
(10) (A) A list of instances in the past 12 months when the licensee’s service was unavailable to 10,000 or more customers seeking to engage in digital financial asset business activity due to a service outage on the part of the licensee and the causes of each identified service outage.
(B) As part of the disclosure required by this paragraph, the licensee may list any steps the licensee has taken to resolve underlying causes for those outages.
(c) Except as otherwise provided in subdivision (d), at the conclusion of a digital financial asset transaction with, or on behalf of, a resident, a licensee shall
provide the resident a confirmation in a record which contains all of the following:
(1) The name and contact information of the licensee, including the toll-free telephone number required under Section 3503.
(2) The type, value, date, precise time, and amount of the transaction.
(3) The fee charged for the transaction, including any charge for conversion of a digital financial asset to legal tender, bank credit, or other digital financial asset, as well as any indirect charges.
(d) If a licensee discloses that it will provide a daily confirmation in the initial disclosure under subdivision (c), the licensee may elect to provide a single, daily
confirmation for all transactions with, or on behalf of, a resident on that day instead of a per transaction confirmation.
3501.5.
(a) (1) A licensee that has control of a digital financial asset for one or more persons shall at all times maintain in its control an amount of each type of digital financial asset sufficient to satisfy the aggregate entitlements of the persons to the type of digital financial asset.(2) If a licensee violates this subdivision, the property interests of the persons in the digital financial asset are pro rata property interests in the type of digital financial asset to which the persons are entitled without regard to the time the persons became entitled to the digital financial asset or the licensee
obtained control of the digital financial asset.
(b) A digital financial asset maintained for purposes of compliance with this section shall meet all of the following criteria:
(1) The digital financial asset shall be held for the persons entitled to the digital financial asset.
(2) The digital financial asset shall not be property of the licensee.
(3) The digital financial asset shall not be subject to the claims of creditors of the licensee.
(c) A licensee may comply with this section by including, and complying with, a provision in its contract with a resident that states all of
the following:
(1) That a digital financial asset controlled by the licensee on behalf of the resident will be treated as a financial asset under Division 8 (commencing with Section 8101) of the Commercial Code.
(2) That the licensee is a securities intermediary under Division 8 (commencing with Section 8101) of the Commercial Code with respect to any digital financial assets under control of the licensee on behalf of the resident.
(3) That the resident’s account or wallet provided by or through the licensee is a securities account under Division 8 (commencing with Section 8101) of the Commercial Code.
3502.
(a) (1) A covered licensee or natural person who is an associated person of a covered licensee, when making a recommendation related to a digital financial asset or investment strategy involving digital financial assets to a resident shall act in the best interest of the resident at the time the recommendation is made without placing the financial or other interest of the licensee or natural person who is an associated person of a covered licensee making the recommendation ahead of the interest of the resident.(2) A covered licensee or natural person who is an associated person of a covered licensee shall be deemed in compliance with this
subdivision if all of the following are true:
(A) The covered licensee or natural person who is an associated person of a covered licensee, before or at the time of the recommendation, provides the resident, in writing, full and fair disclosure of all material facts relating to conflicts of interest that are associated with the recommendation.
(B) The covered licensee or natural person who is an associated person of a covered licensee, in making the recommendation, exercises reasonable diligence, care, and skill to do all of the following:
(i) Understand the potential risks, rewards, and costs associated with the recommendation and have a reasonable basis to believe that the recommendation could be in the best interest of at
least some residents.
(ii) Have a reasonable basis to believe that the recommendation is in the best interest of a particular resident based on that resident’s investment profile and the potential risks, rewards, and costs associated with the recommendation and does not place the financial or other interest of the covered licensee or natural person ahead of the interest of the resident.
(iii) Have a reasonable basis to believe that a series of recommended transactions, even if in the resident’s best interest when viewed in isolation, is not excessive and is in the resident’s best interest when taken together in light of the resident’s investment profile and does not place the financial or other interest of the covered licensee or natural person making the series of recommendations
ahead of the interest of the resident.
(C) The covered licensee establishes, maintains, and enforces written policies and procedures reasonably designed to do all of the following:
(i) Identify and, at a minimum, disclose, in accordance with subparagraph (A), or eliminate, all conflicts of interest associated with a recommendation.
(ii) Identify and mitigate any conflicts of interest associated with recommendations that create an incentive for a natural person who is an associated person of a covered licensee to place the interest of the covered licensee or natural person ahead of the interest of the resident.
(iii) Identify and disclose any material
limitations, including offering only proprietary or other limited range of products, placed on the digital financial assets or investment strategies involving digital financial assets that may be recommended to a resident and any conflicts of interest associated with those limitations and prevent the limitations and associated conflicts of interest from causing the covered licensee or a natural person who is an associated person of the covered licensee to make recommendations that place the interest of the covered licensee or natural person ahead of the interest of the resident.
(iv) Identify and eliminate any sales contests, sales quotas, bonuses, and noncash compensation that are based on the sales of specific digital financial assets or specific types of digital financial assets within a limited period of time.
(D) The covered licensee, in making a decision related to listing a specific digital financial asset or types of digital financial assets as available to exchange with or by the covered licensee, exercises reasonable diligence, care, and skill to evaluate the following criteria to determine whether listing the digital financial asset or type of digital financial asset is in the best interest of residents:
(i) The probability that a state or federal court or regulator will deem the digital financial asset a security.
(ii) If, and to what degree, the digital financial asset offers any utility or potential utility other than as a method for speculative investment.
(iii) If, and to what degree, the technical design of the digital financial asset is vulnerable to hacks or exploits that would cause the digital financial asset to rapidly lose value.
(iv) If the issuer of the digital financial asset is subject to United States law.
(v) If any key individual involved with the design, management, or promotion of the digital financial asset has been convicted for violations of laws related to fraud or malfeasance.
(E) The covered licensee establishes, maintains, and enforces written policies and procedures reasonably designed to prevent any person from exchanging, either directly or indirectly, a digital financial asset or entering into a derivative contract related to the price
of a digital financial asset based on nonpublic information about the covered licensee’s plans to list the digital financial asset as available to exchange with or by the covered licensee.
(F) In addition to the policies and procedures required by subparagraph (C), the covered licensee establishes, maintains, and enforces written policies and procedures reasonably designed to achieve compliance with this section.
(b) (1) A covered licensee shall make every effort to execute a resident’s request to exchange a digital financial asset that the covered licensee receives fully and promptly.
(2) A covered licensee shall use reasonable diligence to ascertain the best market for a digital financial asset and exchange it in
that market so that the outcome to the resident is as favorable as possible under prevailing market conditions. Compliance with this paragraph shall be determined by factors, including, but not limited to, all of the following:
(A) The character of the market for the digital financial asset, including price and volatility.
(B) The size and type of transaction.
(C) The number of markets checked.
(D) Accessibility of appropriate pricing.
(3) In a transaction for or with a resident, the covered licensee shall not interject a third party between the covered licensee and the best market for the
digital financial asset in a manner inconsistent with this subdivision.
(4) If a covered licensee cannot execute directly with a market and employs other means in order to ensure an execution advantageous to the resident, the burden of showing the acceptable circumstances for doing so is on the covered licensee.
(c) For purposes of this section:
(1) “Conflict of interest” means an interest that might incline a covered licensee or a natural person who is an associated person of a covered licensee to make a recommendation that is not disinterested.
(2) “Covered licensee” means a licensee that exchanges or holds itself out as being able to exchange a digital
financial asset for a resident.
(3) “Resident’s investment profile” includes, but is not limited to, the resident’s age, other investments, financial situation and needs, tax status, investment objectives, investment experience, investment time horizon, liquidity needs, risk tolerance, and any other information the resident discloses to the covered licensee or a natural person who is an associated person of a covered licensee in connection with a recommendation.
(d) Failure of a particular policy or procedure adopted under this section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure
was not created or implemented properly.
3503.
A licensee shall prominently display on its internet website a toll-free telephone number through which a resident can contact the licensee for customer service issues and receive live customer assistance. The telephone line shall be operative 24 hours per day, Monday through Sunday, excluding federal holidays.3504.
A licensee shall neither accept nor dispense more than one thousand dollars ($1,000) in a day from or to a customer via an electronic information processing device which accepts or dispenses cash when engaging in digital financial asset business activity at the request of the customer.CHAPTER 6. Prohibited Digital Financial Assets
3601.
(a) A licensee shall not exchange, transfer, or store a digital financial asset or engage in digital financial asset administration, whether directly or through an agreement with a digital financial asset control services vendor, if that digital financial asset is a stablecoin unless both of the following are true:(1) The issuer of the stablecoin is licensed pursuant to this division or is a bank.
(2) The issuer of the stablecoin at all times owns eligible securities having an aggregate market value computed in accordance with United States generally accepted accounting principles of not less than the
aggregate amount of all of its outstanding stablecoins issued or sold in the United States.
(b) For purposes of this section:
(1) “Eligible securities” means the United States currency eligible securities described in subdivision (b) of Section 2082.
(2) “Nominal redemption value” means the value at which a digital financial asset can be readily converted, on demand at the time of issuance, into United States dollars or any other national or state currency or a monetary equivalent or otherwise accepted in payment or to satisfy debts denominated in United States dollars or any national or state currency.
(3) “Stablecoin” means a digital financial asset that is denominated
in United States dollars or pegged to the United States dollar or denominated in or pegged to another national or state currency and is issued with a fixed nominal redemption value with the intent of establishing a reasonable expectation or belief among the general public that the instrument will retain a nominal redemption value that is so stable as to render the nominal redemption effectively fixed.
3602.
This chapter shall become inoperative on January 1, 2028.CHAPTER 7. Policies and Procedures
3701.
(a) An applicant, before submitting an application, shall create and, during licensure, maintain in a record policies and procedures for all of the following:(1) An information security program and an operational security program.
(2) A business continuity program.
(3) A disaster recovery program.
(4) An antifraud program.
(5) A program to prevent money laundering.
(6) A program to prevent funding of terrorist activity.
(7) (A) A program designed to ensure compliance with this division and other laws of this state or federal laws that are relevant to the digital financial asset business activity contemplated by the licensee or registrant with, or on behalf of, residents and to assist the licensee or registrant in achieving the purposes of other state laws and federal laws if violation of those laws has a remedy under this division.
(B) The program described by this paragraph shall specify detailed policies and procedures that the licensee undertakes to minimize the probability that the licensee facilitates the exchange of unregistered securities.
(b) A policy required by subdivision (a) shall be in a record and designed to be adequate for a licensee’s contemplated digital financial asset business activity with, or on behalf of, residents, considering the circumstances of all participants and the safe operation of the activity. Any policy and implementing procedure shall be compatible with other policies and the procedures implementing them and not conflict with policies or procedures applicable to the licensee under other state law. A policy and implementing procedure may be one in existence in the licensee’s digital financial asset business activity with, or on behalf of, residents.
(c) A licensee’s policy for detecting fraud shall include all of the following:
(1) Identification and assessment of the material
risks of its digital financial asset business activity related to fraud, which shall include any form of market manipulation and insider trading by the licensee, its employees, or its customers.
(2) Protection against any material risk related to fraud identified by the department or the licensee.
(3) Periodic evaluation and revision of the antifraud procedure.
(d) A licensee’s policy for preventing money laundering and financing of terrorist activity shall include all of the following:
(1) Identification and assessment of the material risks of its digital financial asset business activity related to money laundering and financing of terrorist activity.
(2) Procedures, in accordance with federal law or guidance published by federal agencies responsible for enforcing federal law, pertaining to money laundering and financing of terrorist activity.
(3) Filing reports under the Bank Secrecy Act (31 U.S.C. Sec. 5311 et seq.) or Chapter X of Title 31 of the Code of Federal Regulations and other federal or state law pertaining to the prevention or detection of money laundering or financing of terrorist activity.
(e) A licensee’s information security and operational security policy shall include reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of any nonpublic personal information
or digital financial asset it receives, maintains, or transmits.
(f) A licensee is not required to file with the department a copy of a report it makes to a federal authority unless the department specifically requires filing.
(g) A licensee’s protection policy under subdivision (e) for residents shall include all of the following:
(1) Any action or system of records required to comply with this division and other state law applicable to the licensee with respect to digital financial asset business activity with, or on behalf of, a resident.
(2) A procedure for resolving disputes between the licensee and a resident.
(3) A procedure for a resident to report an unauthorized, mistaken, or accidental digital financial asset business activity transaction.
(4) A procedure for a resident to file a complaint with the licensee and for the resolution of the complaint in a fair and timely manner with notice to the resident as soon as reasonably practical of the resolution and the reasons for the resolution.
(h) After the policies and procedures required under this section are created and approved by the department and the licensee, the licensee shall engage a responsible individual with adequate authority and experience to monitor each policy and procedure, publicize it as appropriate, recommend changes as desirable, and enforce it.
(i) A licensee may request advice from the department as to compliance with this section and, with the department’s approval, outsource functions, other than compliance, required under this section.
(j) Failure of a particular policy or procedure adopted under this section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure was not created or implemented properly.
(k) Policies and procedures adopted under this section shall be disclosed separately from other disclosures made available to a resident, in a clear and conspicuous manner and in the medium through which
the resident contacted the licensee.
3702.
(a) An applicant, before submitting its application, shall establish and maintain in a record a policy or procedure designed to ensure compliance with this division, and law of this state other than this division, if the other law is relevant to the digital financial asset business activity contemplated by the licensee or the scope of this division or this division could assist in the purpose of the other law because violation of the other law has a remedy under this division.(b) A policy or procedure under subdivision (a) shall be compatible, and not conflict, with requirements applicable to a licensee under other state law or under federal law and may be a
policy or procedure in existence for the licensee’s digital financial asset business activity with, or on behalf of, a resident.
(c) After the policies and procedures required under this section are created by the licensee and approved by the department, the licensee shall engage a responsible individual with adequate authority and experience to monitor any policy or procedure, publicize it as appropriate, recommend changes as desirable, and enforce it.
(d) A licensee may request advice from the department regarding compliance with this section and, with the department’s approval, outsource functions, other than compliance, required under this section.
(e) Failure of a particular policy or procedure adopted under this
section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure was not created or implemented properly.
CHAPTER 8. Miscellaneous Provisions
3801.
(a) This division applies to digital financial asset business activity with, or on behalf of, a resident on and after January 1, 2025.(b) A person is deemed to be conducting unlicensed digital financial asset business activity with, or on behalf of, a resident in violation of this division if the person engages in digital financial asset business activity on or after January 1,
2025, and the person does not hold a license issued or recognized under this division, is not exempt from this division, and has not applied for a
license.
3802.
The provisions of this division are severable. If any provision of this division or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.SEC. 2.
Section 4052 of the Financial Code is amended to read:4052.
For the purposes of this division:(a) “Nonpublic personal information” means personally identifiable financial information (1) provided by a consumer to a financial institution, (2) resulting from any transaction with the consumer or any service performed for the consumer, or (3) otherwise obtained by the financial institution. Nonpublic personal information does not include publicly available information that the financial institution has a reasonable basis to believe is lawfully made available to the general public from (1) federal, state, or local government records, (2) widely distributed media, or (3) disclosures to the general public that are required to be made by
federal, state, or local law. Nonpublic personal information shall include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived using any nonpublic personal information other than publicly available information, but shall not include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived without using any nonpublic personal information.
(b) “Personally identifiable financial information” means information (1) that a consumer provides to a financial institution to obtain a product or service from the financial institution, (2) about a consumer resulting from any transaction involving a product or service between the financial institution and a consumer, or (3) that the financial institution
otherwise obtains about a consumer in connection with providing a product or service to that consumer. Any personally identifiable information is financial if it was obtained by a financial institution in connection with providing a financial product or service to a consumer. Personally identifiable financial information includes all of the following:
(1) Information a consumer provides to a financial institution on an application to obtain a loan, credit card, or other financial product or service.
(2) Account balance information, payment history, overdraft history, and credit or debit card purchase information.
(3) The fact that an individual is or has been a consumer of a financial institution or has obtained a financial
product or service from a financial institution.
(4) Any information about a financial institution’s consumer if it is disclosed in a manner that indicates that the individual is or has been the financial institution’s consumer.
(5) Any information that a consumer provides to a financial institution or that a financial institution or its agent otherwise obtains in connection with collecting on a loan or servicing a loan.
(6) Any personally identifiable financial information collected through an Internet cookie or an information collecting device from a Web server.
(7) Information from a consumer report.
(c) “Financial institution” means any institution the business of which is engaging in financial activities as described in Section 1843(k) of Title 12 of the United States Code and doing business in this state and any person licensed pursuant to Division 1.25 (commencing with Section 3101). An institution that is not significantly engaged in financial activities is not a financial institution. The term “financial institution” does not include any institution that is primarily engaged in providing hardware, software, or interactive services, provided that it does not act as a debt collector, as defined in 15 U.S.C. Sec. 1692a, or engage in activities for which the institution is required to acquire a charter, license, or registration from a state or federal governmental banking, insurance, or securities agency. The term “financial institution” does not include the Federal Agricultural Mortgage
Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. Sec. 2001 et seq.), provided that the entity does not sell or transfer nonpublic personal information to an affiliate or a nonaffiliated third party. The term “financial institution” does not include institutions chartered by Congress specifically to engage in a proposed or actual securitization, secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer, as long as those institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party. The term “financial institution” does not include any provider of professional services, or any wholly owned affiliate thereof, that is prohibited by rules of professional ethics and applicable law from voluntarily disclosing confidential client information without the
consent of the client. The term “financial institution” does not include any person licensed as a dealer under Article 1 (commencing with Section 11700) of Chapter 4 of Division 5 of the Vehicle Code that enters into contracts for the installment sale or lease of motor vehicles pursuant to the requirements of Chapter 2B (commencing with Section 2981) or 2D (commencing with Section 2985.7) of Title 14 of Part 4 of Division 3 of the Civil Code and assigns substantially all of those contracts to financial institutions within 30 days.
(d) “Affiliate” means any entity that controls, is controlled by, or is under common control with, another entity, but does not include a joint employee of the entity and the affiliate. A franchisor, including any affiliate thereof, shall be deemed an affiliate of the franchisee for purposes of this
division.
(e) “Nonaffiliated third party” means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of that institution and a third party.
(f) “Consumer” means an individual resident of this state, or that individual’s legal representative, who obtains or has obtained from a financial institution a financial product or service to be used primarily for personal, family, or household purposes. For purposes of this division, an individual resident of this state is someone whose last known mailing address, other than an Armed Forces Post Office or Fleet Post Office address, as shown in the records of the financial institution, is located in this state. For purposes of
this division, an individual is not a consumer of a financial institution solely because the individual is (1) a participant or beneficiary of an employee benefit plan that a financial institution administers or sponsors, or for which the financial institution acts as a trustee, insurer, or fiduciary, (2) covered under a group or blanket insurance policy or group annuity contract issued by the financial institution, (3) a beneficiary in a workers’ compensation plan, (4) a beneficiary of a trust for which the financial institution is a trustee, or (5) a person who has designated the financial institution as trustee for a trust, provided that the financial institution provides all required notices and rights required by this division to the plan sponsor, group or blanket insurance policyholder, or group annuity contractholder.
(g) “Control” means (1) ownership or power to vote 25 percent or more of the outstanding shares of any class of voting security of a company, acting through one or more persons, (2) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions, or (3) the power to exercise, directly or indirectly, a controlling influence over the management or policies of a company. However, for purposes of the application of the definition of control as it relates to credit unions, a credit union has a controlling influence over the management or policies of a credit union service organization (CUSO), as that term is defined by state or federal law or regulation, if the CUSO is at least 67 percent owned by credit unions. For purposes of the application of the definition of control to a financial institution subject to regulation by the United States Securities
and Exchange Commission, a person who owns beneficially, either directly or through one or more controlled companies, more than 25 percent of the voting securities of a company is presumed to control the company, and a person who does not own more than 25 percent of the voting securities of a company is presumed not to control the company, and a presumption regarding control may be rebutted by evidence, but in the case of an investment company, the presumption shall continue until the United States Securities and Exchange Commission makes a decision to the contrary according to the procedures described in Section 2(a)(9) of the federal Investment Company Act of 1940.
(h) “Necessary to effect, administer, or enforce” means the following:
(1) The disclosure is required, or
is a usual, appropriate, or acceptable method to carry out the transaction or the product or service business of which the transaction is a part, and record or service or maintain the consumer’s account in the ordinary course of providing the financial service or financial product, or to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part, and includes the following:
(A) Providing the consumer or the consumer’s agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product.
(B) The accrual or recognition of incentives, discounts, or bonuses associated with the transaction or communications to eligible
existing consumers of the financial institution regarding the availability of those incentives, discounts, and bonuses that are provided by the financial institution or another party.
(C) In the case of a financial institution that has issued a credit account bearing the name of a company primarily engaged in retail sales or a name proprietary to a company primarily engaged in retail sales, the financial institution providing the retailer with nonpublic personal information as follows:
(i) Providing the retailer, or licensees or contractors of the retailer that provide products or services in the name of the retailer and under a contract with the retailer, with the names and addresses of the consumers in whose name the account is held and a record of the purchases made using the credit
account from a business establishment, including a Web site or catalog, bearing the brand name of the retailer.
(ii) Where the credit account can only be used for transactions with the retailer or affiliates of that retailer that are also primarily engaged in retail sales, providing the retailer, or licensees or contractors of the retailer that provide products or services in the name of the retailer and under a contract with the retailer, with nonpublic personal information concerning the credit account, in connection with the offering or provision of the products or services of the retailer and those licensees or contractors.
(2) The disclosure is required or is one of the lawful or appropriate methods to enforce the rights of the financial institution or of other persons
engaged in carrying out the financial transaction or providing the product or service.
(3) The disclosure is required, or is a usual, appropriate, or acceptable method for insurance underwriting or the placement of insurance products by licensed agents and brokers with authorized insurance companies at the consumer’s request, for reinsurance, stop loss insurance, or excess loss insurance purposes, or for any of the following purposes as they relate to a consumer’s insurance:
(A) Account administration.
(B) Reporting, investigating, or preventing fraud or material misrepresentation.
(C) Processing premium payments.
(D) Processing insurance claims.
(E) Administering insurance benefits, including utilization review activities.
(F) Participating in research projects.
(G) As otherwise required or specifically permitted by federal or state law.
(4) The disclosure is required, or is a usual, appropriate, or acceptable method, in connection with the following:
(A) The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check, or account number, or by other payment
means.
(B) The transfer of receivables, accounts, or interests therein.
(C) The audit of debit, credit, or other payment information.
(5) The disclosure is required in a transaction covered by the federal Real Estate Settlement Procedures Act (12 U.S.C. Sec. 2601 et seq.) in order to offer settlement services prior to the close of escrow (as those services are defined in 12 U.S.C. Sec. 2602), provided that (A) the nonpublic personal information is disclosed for the sole purpose of offering those settlement services and (B) the nonpublic personal information disclosed is limited to that necessary to enable the financial institution to offer those settlement services in that transaction.
(i) “Financial product or service” means all of the following:
(1) Any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to a financial activity under subsection (k) of Section 1843 of Title 12 of the United States Code (the United States Bank Holding Company Act of 1956).
(2) A financial institution’s evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
(3) Digital financial asset business activity, as defined in Section 3102.
(j) “Clear and conspicuous” means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.
(k) “Widely distributed media” means media available to the general public and includes a telephone book, a television or radio program, a newspaper, or a Web site
that is available to the general public on an unrestricted basis.