3101.

 This division shall be known as the Digital Financial Assets Law.

3102.

 For purposes of this division:

(a) “Applicant” means a person that applies for a license under this division.

(b) (1) “Bank” means a federally chartered or state-chartered depository institution or holder of a charter granted by the Office of the Comptroller of the Currency to a person engaged in the business of banking other than deposit-taking.

(2) “Bank” does not include either of the following:

(A) An industrial loan company, state-chartered trust company, or a limited purpose trust company, unless incorporated as a bank or the department has authorized the company to engage in digital financial asset business activity.

(B) A trust company or limited purpose trust company chartered by a state with which this state does not have a reciprocity agreement governing trust company activities.

(c) “Control” means both of the following:

(1) When used in reference to a transaction or relationship involving a digital financial asset, power to execute unilaterally or prevent indefinitely a digital financial asset transaction.

(2) When used in reference to a person, the direct or indirect power to direct the management, operations, or policies of the person through legal or beneficial ownership of voting power in the person or under a contract, arrangement, or understanding.

(d) “Covered person” means a person required to obtain a license pursuant to this division.

(e) “Credit union” means a credit union licensed under the laws of this state, or any other state, or a federal credit union chartered under the laws of the United States.

(f) “Department” means the Department of Financial Protection and Innovation.

(g) (1) “Digital financial asset” means a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated in legal tender.

(2) “Digital financial asset” does not include either of the following:

(A) A transaction in which a merchant grants, as part of an affinity or rewards program, value that cannot be taken from or exchanged with the merchant for legal tender, bank or credit union credit, or a digital financial asset.

(B) A digital representation of value issued by or on behalf of a publisher and used solely within an online game, game platform, or family of games sold by the same publisher or offered on the same game platform.

(h) “Digital financial asset administration” means issuing a digital financial asset with the authority to redeem the digital financial asset for legal tender, bank or credit union credit, or another digital financial asset.

(i) “Digital financial asset business activity” means any of the following:

(1) Exchanging, transferring, or storing a digital financial asset or engaging in digital financial asset administration, whether directly or through an agreement with a digital financial asset control services vendor.

(2) Holding electronic precious metals or electronic certificates representing interests in precious metals on behalf of another person or issuing shares or electronic certificates representing interests in precious metals.

(3) Exchanging one or more digital representations of value used within one or more online games, game platforms, or family of games for either of the following:

(A) A digital financial asset offered by or on behalf of the same publisher from which the original digital representation of value was received.

(B) Legal tender or bank or credit union credit outside the online game, game platform, or family of games offered by or on behalf of the same publisher from which the original digital representation of value was received.

(j) “Digital financial asset control services vendor” means a person that has control of a digital financial asset solely under an agreement with a person that, on behalf of another person, assumes control of the digital financial asset.

(k) “Exchange,” when used as a verb, means to assume control of a digital financial asset from, or on behalf of, a resident, at least momentarily, to sell, trade, or convert either of the following:

(1) A digital financial asset for legal tender, bank or credit union credit, or one or more forms of digital financial assets.

(2) Legal tender or bank or credit union credit for one or more forms of digital financial assets.

(l) “Executive officer” means an individual who is a director, officer, manager, managing member, partner, or trustee of a person that is not an individual.

(m) “Insolvent” means any of the following:

(1) Having generally ceased to pay debts in the ordinary course of business other than as a result of a bona fide dispute.

(2) Being unable to pay debts as they become due.

(3) Being insolvent within the meaning of federal bankruptcy law.

(n) “Legal tender” means a medium of exchange or unit of value, including the coin or paper money of the United States, issued by the United States or by another government.

(o) “Licensee” means a person licensed or conditionally licensed under this division.

(p) (1) “Person” means an individual, partnership, estate, business or nonprofit entity, or other legal entity.

(2) “Person” does not include a public corporation, government-sponsored enterprise, government, or governmental subdivision, agency, or instrumentality.

(q) “Record” means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.

(r) “Resident” means any of the following:

(1) A person who is domiciled in this state.

(2) A person who is physically located in this state for more than 183 days of the previous 365 days.

(3) A person who has a place of business in this state.

(4) A legal representative of a person that is domiciled in this state.

(s) “Responsible individual” means an individual who has direct control over, or significant management policy and decisionmaking authority with respect to, a licensee’s digital financial asset business activity in this state.

(t) “Sign” means, with present intent to authenticate or adopt a record, either of the following:

(1) To execute or adopt a tangible symbol.

(2) To attach to, or logically associate with, the record an electronic symbol, sound, or process.

(u) “State” means a state of the United States, the District of Columbia, Puerto Rico, the United States Virgin Islands, or any territory or insular possession subject to the jurisdiction of the United States.

(v) “Store,” except in the phrase “store of value,” means to maintain control of a digital financial asset on behalf of a resident by a person other than the resident. “Storage” and “storing” have corresponding meanings.

(w) “Transfer” means to assume control of a digital financial asset from, or on behalf of, a resident and to subsequently do any of the following:

(1) Credit the digital financial asset to the account of another person.

(2) Move the digital financial asset from one account of a resident to another account of the same resident.

(3) Relinquish control of a digital financial asset to another person.

(x) “United States dollar equivalent of digital financial assets” means the equivalent value of a particular digital financial asset in United States dollars shown on a digital financial asset exchange based in the United States for a particular date or period specified in this division.

3103.

 (a) Except as otherwise provided in subdivision (b) or (c), this division governs the digital financial asset business activity of a person doing business in this state or, wherever located, who engages in or holds itself out as engaging in the activity with, or on behalf of, a resident.

(b) (1) This division does not apply to the exchange, transfer, or storage of a digital financial asset or to digital financial asset administration to the extent the Securities Exchange Act of 1934 (15 U.S.C. Sec. 78a et seq.) or the Corporate Securities Law of 1968 (Division 1 (commencing with Section 25000) of Title 4 of the Corporations Code) govern the activity.

(2) This division does not apply to the exchange, transfer, or storage of a digital financial asset or to digital financial asset administration to the extent the application of this division conflicts with the Electronic Fund Transfer Act of 1978 (15 U.S.C. Sec. 1693 et seq.).

(c) This division does not apply to activity by any of the following:

(1) The United States, a state, political subdivision of a state, agency, or instrumentality of federal, state, or local government, or a foreign government or a subdivision, department, agency, or instrumentality of a foreign government.

(2) A bank, including a trust company that is incorporated as a bank.

(3) A credit union.

(4) A person whose participation in a payment system is limited to providing processing, clearing, or performing settlement services solely for transactions between or among persons that are exempt from the licensing requirements of this division.

(5) A person engaged in the business of dealing in foreign exchange to the extent the person’s activity meets the definition in Section 1010.605(f)(1)(iv) of Title 31 of the Code of Federal Regulations.

(6) A person that is any of the following:

(A) A person that contributes only connectivity software or computing power to securing a network that records digital financial asset transactions or to a protocol governing transfer of the digital representation of value.

(B) A person that provides only data storage or security services for a business engaged in digital financial asset business activity and does not otherwise engage in digital financial asset business activity on behalf of another person.

(C) A person that provides only to a person otherwise exempt from this division a digital financial asset as one or more enterprise solutions used solely among each other and that does not have an agreement or a relationship with a resident that is an end user of a digital financial asset.

(7) A person using a digital financial asset, including creating, investing, buying or selling, or obtaining a digital financial asset as payment for the purchase or sale of goods or services, solely on the person’s own behalf for personal, family, or household purposes or for academic purposes.

(8) A person whose digital financial asset business activity with, or on behalf of, residents is reasonably expected to be valued, in the aggregate, on an annual basis at fifty thousand dollars ($50,000) or less, measured by the United States dollar equivalent of digital financial assets.

(9) An attorney to the extent of providing escrow services to a resident.

(10) A title insurance company to the extent of providing escrow services to a resident.

(11) A securities intermediary, as defined in Section 8102 of the Commercial Code, or a commodity intermediary, as defined in Section 9102 of Commercial Code, that meets both of the following criteria:

(A) The securities intermediary or commodity intermediary does not engage in the ordinary course of business in digital financial asset business activity with, or on behalf of, a resident, in addition to maintaining securities accounts or commodities accounts and is regulated as a securities intermediary or commodity intermediary under federal law, state law other than this division, or the law of another state.

(B) The securities intermediary or commodity intermediary affords a resident protections comparable to those set forth in Section 3503.

(12) A secured creditor under Division 9 (commencing with Section 9101) of the Commercial Code or a creditor with a judicial lien, or lien arising by operation of law, on collateral that is a digital financial asset, if the digital financial asset business activity of the creditor is limited to enforcement of the security interest in compliance with Division 9 (commencing with Section 9101) of the Commercial Code or lien in compliance with the law applicable to the lien.

(13) A digital financial asset control services vendor.

(14) A person that does not receive compensation, either directly or indirectly, for providing digital financial asset products or services or for conducting digital financial asset business activity or that is engaged in testing products or services with the person’s own funds.

3201.

 On or after January 1, 2025, a person shall not engage in digital financial asset business activity, or hold itself out as being able to engage in digital financial asset business activity, with or on behalf of a resident unless any of the following is true:

(a) The person is licensed in this state by the department under Section 3203.

(b) The person submits an application on or before January 1, 2025, and is awaiting approval or denial of that application.

(c) The person is exempt from licensure under this division pursuant to Section 3103.

3203.

 (a) An application for a license under this division shall meet all of the following requirements:

(1) The application shall be in a form and medium prescribed by the department.

(2) Except as otherwise provided in subdivision (b), the application shall provide all of the following information relevant to the applicant’s proposed digital financial asset business activity:

(A) The legal name of the applicant, any current or proposed business United States Postal Service mailing address of the applicant, and any fictitious or trade name the applicant uses or plans to use in conducting the applicant’s digital financial asset business activity with or on behalf of a resident.

(B) The legal name, any former or fictitious name, and the residential and business United States Postal Service mailing address of any executive officer and responsible individual of the applicant and any person that has control of the applicant.

(C) A description of the current and former business of the applicant for the five years before the application is submitted, or, if the business has operated for less than five years, for the time the business has operated, including its products and services, associated internet website addresses and social media pages, principal place of business, projected user base, and specific marketing targets.

(D) A list of all of the following:

(i) Any money service or money transmitter financial regulatory license the applicant holds in another state.

(ii) The date the license described in clause (i) expires.

(iii) Any license revocation, license suspension, or other disciplinary action taken against the licensee in any state and any license applications rejected by any state.

(E) A list of any criminal conviction, deferred prosecution agreement, and pending criminal proceeding in any jurisdiction against all of the following:

(i) The applicant.

(ii) Any executive officer of the applicant.

(iii) Any responsible individual of the applicant.

(iv) Any person that has control over the applicant.

(v) Any person over which the applicant has control.

(F) A list of any litigation, arbitration, or administrative proceeding in any jurisdiction in which the applicant or an executive officer or a responsible individual of the applicant has been a party for the 10 years before the application is submitted determined to be material in accordance with generally accepted accounting principles and, to the extent the applicant would be required to disclose the litigation, arbitration, or administrative proceeding in the applicant’s audited financial statements, reports to equity owners and similar statements or reports.

(G) A list of any bankruptcy or receivership proceeding in any jurisdiction for the 10 years before the application is submitted in which any of the following was a debtor:

(i) The applicant.

(ii) An executive officer of the applicant.

(iii) A responsible individual of the applicant.

(iv) A person that has control over the applicant.

(v) A person over which the applicant has control.

(H) The name and United States Postal Service mailing address of any bank in which the applicant plans to deposit funds obtained by its digital financial asset business activity.

(I) The source of funds and credit to be used by the applicant to conduct digital financial asset business activity with, or on behalf of, a resident.

(J) Documentation demonstrating that the applicant has the net worth and reserves capital and liquidity required by Section 3207.

(K) The United States Postal Service mailing address and email address to which communications from the department can be sent.

(L) The name, United States Postal Service mailing address, and email address of the registered agent of the applicant in this state.

(M) A copy of the certificate, or a detailed summary acceptable to the department, of coverage for any liability, casualty, business interruption, or cybersecurity insurance policy maintained by the applicant for itself, an executive officer, a responsible individual, or the applicant’s users.

(N) If applicable, the date on which and the state in which the applicant is formed and a copy of a current certificate of good standing issued by that state.

(O) If a person has control of the applicant and the person’s equity interests are publicly traded in the United States, a copy of the audited financial statement of the person for the most recent fiscal year or most recent report of the person filed under Section 13 of the Securities Exchange Act of 1934 (15 U.S.C. Sec. 78m).

(P) If a person has control of the applicant and the person’s equity interests are publicly traded outside the United States, a copy of the audited financial statement of the person for the most recent fiscal year of the person or a copy of the most recent documentation similar to that required in subparagraph (N) filed with the foreign regulator in the domicile of the person.

(Q) If the applicant is a partnership or a member-managed limited liability company, the names and United States Postal Service mailing addresses of any general partner or member.

(R) If the applicant is required to register with the Financial Crimes Enforcement Network of the United States Department of the Treasury as a money service business, evidence of the registration.

(S) A set of fingerprints for each executive officer and responsible individual of the applicant.

(T) If available, for any executive officer and responsible individual of the applicant, for the 10 years before the application is submitted, employment history and history of any investigation of the individual or legal proceeding to which the individual was a party.

(U) The plans through which the applicant will meet its obligations under Chapter 7 (commencing with Section 3701).

(V) Any other information the department reasonably requires by rule.

(3) The application shall be accompanied by a nonrefundable fee in the amount determined by the department to cover the reasonable costs of regulation.

(b) (1) On receipt of a completed application, the department shall investigate all of the following: whether each of the following criterion is satisfied:

(A) The applicant has the sound financial condition condition, competence, and responsibility of the applicant. to engage in digital financial business activity.

(B) The applicant has relevant financial and business experience, good character, and general fitness of the applicant. fitness.

(C) The Each executive officer, responsible individual, and person that has control of the applicant has competence, experience, good character, and general fitness of each executive officer, each responsible individual, and any person that has control of the applicant. fitness.

(D) Compliance The applicant has complied with Chapter 5 (commencing with Section 3501) and Chapter 6 (commencing with Section 3601).

(2) On receipt of a completed application, the department may investigate the business premises of an applicant.

(c) After completing the investigation required by subdivision (b), the department shall send the applicant notice of its decision to approve, conditionally approve, or deny the application. If the department does not receive written notice from the applicant that the applicant accepts conditions specified by the department within 31 days following the department’s notice of the conditions, or if the applicant does not request a hearing on the conditions specified by the department within 31 days after the department’s notice of the conditions, the application shall be deemed withdrawn.

(d) A license issued pursuant to this division shall take effect on the later of the following:

(1) The date the department issues the license.

(2) The date the licensee provides the security required by Section 3207.

(e) In addition to the fee required by paragraph (3) of subdivision (a), an applicant shall pay the reasonable costs of the department’s investigation under subdivision (b).

(f) Information provided pursuant to this section is covered by subdivision (a) of Section 7929.000 of the Government Code.

3205.

 (a) The commissioner may issue a conditional license to an applicant who holds or maintains a license to conduct virtual currency business activity in the state of New York pursuant to Part 200 of Title 23 of the New York Code of Rules and Regulations or a charter as a New York State limited purpose trust company with approval to conduct a virtual currency business under New York law, provided the license was issued or approved no later than January 1, 2023, and the applicant pays all appropriate fees and complies with the requirements of this division.

(b) A conditional license issued pursuant to this section shall expire at the earliest of the following:

(1) Upon issuance of an unconditional license.

(2) Upon denial of a license application.

(3) Upon revocation of a license issued pursuant to Part 200 of Title 23 of the New York Code of Rules and Regulations or disapproval or revocation of a charter as a New York State limited purpose trust company with approval to conduct a virtual currency business under New York law.

3207.

 (a) (1) (A) A licensee shall maintain a surety bond or trust account in United States dollars in a form and amount as determined by the department for the protection of residents that engage in digital financial asset business activity with the licensee.

(B) If a licensee maintains a trust account pursuant to this section, that trust account shall be maintained with a bank, trust company, national bank, savings bank, savings and loan association, federal savings association, credit union, or federal credit union in the state, subject to the prior approval of the department.

(2) Security deposited under this section shall be payable to this state for the benefit of a claim against the licensee on account of the licensee’s digital financial asset business activity with, or on behalf of, a resident.

(3) Security deposited under this section shall cover claims for the period the department specifies by rule and a period determined by the department for the protection of residents with whom a licensee engages in digital financial business activity, including for an additional period the department specifies after the licensee ceases to engage in digital financial asset business activity with or on behalf of a resident.

(4) For good cause, the The department may require the licensee to increase the amount of security deposited under this section, and the licensee shall deposit the additional security not later than 15 days after the licensee receives notice in a record of the required increase.

(5) For good cause, the The department may permit a licensee to substitute or deposit an alternate form of security satisfactory to the department if the licensee at all times complies with this section.

(6) A claimant does not have a direct right to recover against security deposited under this section.

(7) Only the department may recover against the security, and the department may retain the recovery for no longer than five years and may process claims and distribute recoveries to claimants in accordance with rules adopted by the commissioner.

(b) In addition to the security required under subdivision (a), a licensee shall maintain at all times capital and liquidity in an amount and form as the department determines is sufficient to ensure the financial integrity of the licensee and its ongoing operations based on an assessment of the specific risks applicable to the licensee. In determining the minimum amount of capital and liquidity that shall be maintained by a licensee, the department may consider factors, including, but not limited to, all of the following:

(1) The composition of the licensee’s total assets, including the position, size, quality, liquidity, risk exposure, and price volatility of each type of asset.

(2) The composition of the licensee’s total liabilities, including the size and repayment timing of each type of liability.

(3) The actual and expected volume of the licensee’s digital financial asset business activity.

(4) The amount of leverage employed by the licensee.

(5) The liquidity position of the licensee.

(6) The financial protection that the licensee provides pursuant to subdivision (a).

(7) The types of entities to be serviced by the licensee.

(8) The types of products or services to be offered by the licensee.

(9) Arrangements adopted by the licensee for the protection of its customers in the event of the licensee’s insolvency.

(c) A licensee shall hold capital liquidity required to be maintained in accordance with this section in the form of cash, digital financial assets, or high-quality, highly liquid, investment grade assets, in proportions determined by the department.

(d) (1) A licensee may include in its calculation of net worth the value of digital financial assets other than the digital financial assets over which it has control for a resident entitled to the protections of Section 3503.

(2) For purposes of this subdivision, the value of digital financial assets shall be the average value of the digital financial assets in United States dollar equivalent during the prior six months.

3209.

 (a) Absent good cause, the The department shall issue a license to an applicant if the applicant complies with this chapter and pays the costs of the investigation under subdivision (e) of Section 3203 and the initial licensee fee under paragraph (3) of subdivision (a) of Section 3203 in an amount specified by the department. all of the following conditions are satisfied:

(b) An applicant may appeal a denial of its application under Section 3203 pursuant to the Administrative Procedure Act, as described in Section 11370 of the Government Code, not later than 30 days after the department notifies the applicant that the application at an address specified under subparagraph (K) of paragraph (2) of subdivision (a) of Section 3203 has been denied or deemed denied.

3211.

 (a) Subject to subdivision (g), on or before September March 15 of each year, a licensee may apply for renewal of the license by paying a renewal fee determined by the department, not to exceed the reasonable costs of regulation, and submitting to the department a renewal report under subdivision (b). (b) and, on or before September 15 of each year, paying a renewal fee determined by the department, not to exceed the reasonable costs of regulation.

(b) A renewal report required by subdivision (a) shall be submitted in a form and medium prescribed by the department. The report shall contain all of the following:

(1) Either a copy of the licensee’s most recent reviewed annual financial statement, if the gross revenue generated by the licensee’s digital financial asset business activity in this state was not more than two million dollars ($2,000,000) for the fiscal year ending before the anniversary date of issuance of its license under this division, or a copy of the licensee’s most recent audited annual financial statement, if the licensee’s digital financial asset business activity in this state amounted to more than two million dollars ($2,000,000), for the fiscal year ending before the anniversary date.

(2) If a person other than an individual has control of the licensee, a copy of either of the following:

(A) The person’s most recent reviewed annual financial statement, if the person’s gross revenue was not more than two million dollars ($2,000,000) in the previous fiscal year measured as of the anniversary date of issuance of its license under this division.

(B) The person’s most recent audited consolidated annual financial statement, if the person’s gross revenue was more than two million dollars ($2,000,000) in the previous fiscal year measured as of the anniversary date of issuance of its license under this division.

(3) A description of any of the following:

(A) Any material change in the financial condition of the licensee.

(B) Any material litigation related to the licensee’s digital financial asset business activity and involving the licensee or an executive officer or responsible individual of the licensee.

(C) Any federal or state international, federal, state, or local investigation involving the licensee.

(D) (i) Any data security breach or cybersecurity event involving the licensee.

(ii) A description of a data security breach pursuant to this subparagraph does not constitute disclosure or notification of a security breach for purposes of Section 1798.82 of the Civil Code.

(4) Information or records required by Section 3307 that the licensee has not reported to the department.

(5) The number of digital financial asset business activity transactions with, or on behalf of, residents for the period since, subject to subdivision (g), the later of the date the license was issued or the date the last renewal report was submitted.

(6) (A) The amount of United States dollar equivalent of digital financial asset in the control of the licensee at, subject to subdivision (g), the end of the last month that ends not later than 30 days before the date of the renewal report.

(B) The total number of residents for whom the licensee had control of United States dollar equivalent of digital financial assets on that date.

(7) Evidence that the licensee is in compliance with Section 3503.

(8) Evidence that the licensee is in compliance with Section 3205.

(9) A list of any location all locations where the licensee operates its digital financial asset business activity.

(c) If a licensee does not timely comply with subdivision (a), the department may use enforcement measures provided under Chapter 4 (commencing with Section 3401). Notice or hearing is not required for a suspension or revocation of a license under this division for failure to pay a renewal fee or file a renewal report.

(d) If the department suspends or revokes a license under this division for noncompliance with subdivision (a), the department may end the suspension or rescind the revocation and notify the licensee of the action if, subject to subdivision (g), not later than 20 days after the license was suspended or revoked, the licensee files a renewal report and a renewal fee and pays any penalty assessed under Section 3407.

(e) The department shall give prompt notice to a licensee of the lifting of a suspension or rescission of a revocation after the licensee complies with subdivision (d).

(f) Suspension or revocation of a license under this section does not invalidate a transfer or exchange of digital financial assets for, or on behalf of, a resident made during the suspension or revocation and does not insulate the licensee from liability under this division.

(g) For good cause, the The department may extend a period under this section.

(h) A licensee that does not comply with this section shall cease operations with, or on behalf of, a resident on or before the anniversary date of issuance of its license under this division.

(i) A licensee shall pay the reasonable and necessary costs of the department’s investigation under this section.

3213.

 A license under this division is not transferable or assignable.

3215.

 (a) The department may adopt rules necessary to implement this division and may offer informal guidance to any prospective applicant for a license under this division regarding the conditions of licensure that may be applied to that person. The commissioner shall inform any applicant that requests that guidance of the minimum net worth, and other licensing requirements, that will be required of that applicant, based on the information provided by the applicant concerning the applicant’s plan to conduct business under this division, and the factors used to make that determination as described in Section 3203.

(b) (1) The commissioner may prepare written decisions, opinion letters, and other formal written guidance to be issued to persons seeking clarification regarding the requirements of this division.

(2) The commissioner shall make public on the commissioner’s internet website all written decisions, opinion letters, and other formal written guidance issued to persons seeking clarification regarding the requirements of this division. The commissioner may, at their discretion or upon request by an applicant or licensee, redact proprietary or other confidential information regarding an applicant or licensee from any decision, letter, or other written guidance issued in connection with an applicant or licensee.

3217.

 (a) The commissioner may establish relationships or contracts with the Nationwide Multistate Licensing System and Registry or other entities designated by the Nationwide Multistate Licensing System and Registry to collect and maintain records and process transaction fees or other fees related to licensees or other persons subject to this division.

(b) For the purpose of participating in the Nationwide Multistate Licensing System and Registry, the commissioner may waive or modify, in whole or in part, by rule, regulation, or order, any or all of the requirements of this division and establish new requirements as reasonably necessary to participate in the Nationwide Multistate Licensing System and Registry.

(c) The commissioner may use the Nationwide Multistate Licensing System and Registry as a channeling agent for requesting information from, and distributing information to, the Department of Justice, any other governmental agency, or any other source, as directed by the commissioner.

(d) The commissioner shall establish a process through which applicants and licensees may challenge information entered into the Nationwide Multistate Licensing System and Registry by the commissioner.

3219.

 (a) Except as otherwise provided in Section 1512 of the SAFE Act (12 U.S.C. Sec. 5111(a)), the requirements under any federal law or the Information Practices Act of 1977 (Chapter 1 (commencing with Section 1798) of Title 1.8 of Part 4 of Division 3 of the Civil Code) regarding the privacy or confidentiality of any information or material provided to the Nationwide Multistate Licensing System and Registry, and any privilege arising under federal or state law, including the rules of any state court, with respect to that information or material, shall continue to apply to the information or material after the information or material has been disclosed to the Nationwide Multistate Licensing System and Registry. The information and material may be shared with all state and federal regulatory officials with industry oversight authority without the loss of privilege or the loss of confidentiality protections provided by federal law or the Information Practices Act of 1977.

(b) Information or material that is subject to a privilege or confidentiality under subdivision (a) shall not be subject to either of the following:

(1) Disclosure under any federal or state law governing the disclosure to the public of information held by an officer or an agency of the federal government or the state.

(2) Subpoena or discovery, or admission into evidence, in any private civil action or administrative process, unless with respect to any privilege held by the Nationwide Multistate Licensing System and Registry with respect to the information or material, the person to whom the information or material pertains waives, in whole or in part, in the discretion of that person, that privilege.

(c) This section shall not apply with respect to the information or material relating to the employment history of, and publicly adjudicated disciplinary and enforcement actions included in, the Nationwide Multistate Licensing System and Registry for access by the public.

3221.

 The commissioner shall regularly report violations of this division, enforcement actions under this division, and other relevant information to the Nationwide Multistate Licensing System and Registry, but only to the extent that the information is publicly available.

3301.

 (a) (1) (A) The department may, at any time and from time to time, examine the business and any office, within or outside this state, of any licensee, or any agent of a licensee, in order to ascertain whether the business is being conducted in a lawful manner and whether all digital financial asset business activity is properly accounted for.

(B) The directors, officers, and employees of a licensee, or agent of a licensee, being examined by the department shall exhibit to the department, on request, any or all of the licensee’s accounts, books, correspondence, memoranda, papers, and other records and shall otherwise facilitate the examination so far as it may be in their power to do so.

(2) The department may examine a licensee pursuant to this subdivision without prior notice to the licensee.

(b) A licensee shall pay the reasonable and necessary costs of an examination under this section to the commissioner and the commissioner may maintain an action for the recovery of the cost in any court of competent jurisdiction. In determining the cost of the examination, the commissioner may use the estimated average hourly cost for all persons performing examinations of licensees or other persons subject to this division for the fiscal year.

3303.

 (a) A licensee shall maintain, for all digital financial asset business activity with, or on behalf of, a resident for five years after the date of the activity, a record of all of the following:

(1) Any transaction of the licensee with, or on behalf of, the resident or for the licensee’s account in this state, including all of the following:

(A) The identity of the resident.

(B) The form of the transaction.

(C) The amount, date, and payment instructions given by the resident.

(D) The account number, name, and United States Postal Service mailing address of the resident, and, to the extent feasible, other parties to the transaction.

(2) The aggregate number of transactions and aggregate value of transactions by the licensee with, or on behalf of, the resident and for the licensee’s account in this state expressed in United States dollar equivalent of digital financial assets for the previous 12 calendar months.

(3) Any transaction in which the licensee exchanged one form of digital financial asset for legal tender or another form of digital financial asset with, or on behalf of, the resident.

(4) A general ledger posted at least monthly that lists all assets, liabilities, capital, income, and expenses of the licensee.

(5) Any business call report the licensee is required to create or provide to the department.

(6) Bank statements and bank reconciliation records for the licensee and the name, account number, and United States Postal Service mailing address of any bank the licensee uses in the conduct of its digital financial asset business activity with, or on behalf of, the resident.

(7) A report of any dispute with the resident.

(b) A licensee shall maintain records required by subdivision (a) in a form that enables the department to determine whether the licensee is in compliance with this division, any court order, and the laws of this state.

(c) If a licensee maintains records outside this state that pertain to transactions with, or on behalf of, a resident, the licensee shall make the records available to the department not later than three days after request, or, on a determination of good cause by the department, at a later time.

(d) All records maintained by a licensee are subject to inspection by the department.

3305.

 The department may cooperate, coordinate, jointly examine, consult, and share records and other information with the appropriate regulatory agency of another state, a self-regulatory organization, a federal or state regulator of banking or nondepository providers, agency, law enforcement, or a regulator of a jurisdiction outside the United States, concerning the affairs and conduct of a licensee in this state.

3307.

 (a) A licensee shall file with the department a report of the following, as may be applicable:

(1) A material change in information in the application for a license under this division or the most recent renewal report of the licensee under this division.

(2) A material change in the licensee’s business for the conduct of its digital financial asset business activity with, or on behalf of, a resident.

(3) A change of an executive officer, responsible individual, or person in control of the licensee.

(b) Absent good cause, a A report required by this section shall be filed not later than 15 days after the change described in subdivision (a).

3309.

 (a) For purposes of this section, “proposed person to be in control” means the person that would control a licensee after a proposed transaction that would result in a change in control of the licensee.

(b) The following rules apply in determining whether a person has control over a licensee:

(1) There is a rebuttable presumption of control if the person’s voting power in the licensee constitutes or will constitute at least 25 percent of the total voting power of the licensee.

(2) There is a rebuttable presumption of control if the person’s voting power in another person constitutes or will constitute at least 10 percent of the total voting power of the other person and the other person’s voting power in the licensee constitutes at least 25 percent of the total voting power of the licensee.

(3) There is no presumption of control solely because an individual is an executive officer of the licensee.

(c) At least 30 days before a proposed change in control of a licensee, the proposed person to be in control shall submit to the department in a record all both of the following:

(1) An application in a form and medium prescribed by the department.

(2) The information and records that Section 3203 would require if the proposed person to be in control already had control of the licensee.

(d) The department, in accordance with Section 3203, shall approve, approve with conditions, or deny an application for a change in control of a licensee. The department, in a record, shall send notice of its decision to the licensee and the person that would be in control if the department had approved the change in control. If the department denies the application, the licensee shall abandon the proposed change in control or cease digital financial asset business activity with or on behalf of residents.

(e) If the department applies a condition to approval of a change in control of a licensee, and the department does not receive notice of the applicant’s acceptance of the condition specified by the department not later than 31 days after the department sends notice of the condition, the application is deemed denied. If the application is deemed denied, the licensee shall abandon the proposed change in control or cease digital financial asset business activity with, or on behalf of, residents.

(f) The department may revoke or modify a determination under subdivision (d), after notice and opportunity to be heard, if, in its judgment, revocation or modification is consistent with this division.

(g) If a change in control of a licensee requires approval of an agency of the state, and the action of the other agency conflicts with that of the department, the department shall confer with the other agency. If the proposed change in control cannot be completed because the conflict cannot be resolved, the licensee shall abandon the change in control or cease digital financial asset business activity with, or on behalf of, residents.

3311.

 (a) At least 30 days before a proposed merger or consolidation of a licensee with another person, the licensee shall submit all of the following, as applicable, to the department in a record:

(1) An application in a form and medium prescribed by the department.

(2) The plan of merger or consolidation in accordance with subdivision (e).

(3) In the case of a licensee, the information required by Section 3203 concerning the person that would be the surviving entity in the proposed merger or consolidation.

(b) If a proposed merger or consolidation would change the control of a licensee, the licensee shall comply with Section 3309 and this section.

(c) The department, in accordance with Section 3203, shall approve, conditionally approve, or deny an application for approval of a merger or consolidation of a licensee. The department, in a record, shall send notice of its decision to the licensee and the person that would be the surviving entity. If the department denies the application, the licensee shall abandon the merger or consolidation or cease digital financial asset business activity with, or on behalf of, residents.

(d) The department may revoke or modify a determination under subdivision (c), after notice and opportunity to be heard, if, in its judgment, revocation or modification is consistent with this division.

(e) A plan of merger or consolidation of a licensee with another person shall do all of the following:

(1) Describe the effect of the proposed transaction on the licensee’s conduct of digital financial asset business activity with, or on behalf of, residents.

(2) Identify each person to be merged or consolidated and the person that would be the surviving entity.

(3) Describe the terms and conditions of the merger or consolidation and the mode of carrying it into effect.

(f) If a merger or consolidation of a licensee and another person requires approval of an agency of this state, and the action of the other agency conflicts with that of the department, the department shall confer with the other agency. If the proposed merger or consolidation cannot be completed because the conflict cannot be resolved, the licensee shall abandon the merger or consolidation or cease digital financial asset business activity with, or on behalf of, residents.

(g) The department may condition approval of an application under subdivision (a). If the department does not receive notice from the parties that the parties accept the department’s condition not later than 31 days after the department sends notice in a record of the condition, the application is deemed denied. If the application is deemed denied, the licensee shall abandon the merger or consolidation or cease digital financial asset business activity with, or on behalf of, residents.

(h) If a licensee acquires substantially all of the assets of a person, whether or not the person’s license was approved by the department, the transaction is subject to this section.

3401.

 For the purpose of this chapter, “enforcement measure” means an action that includes, but is not limited to, all of the following:

(a) Suspend or revoke a license under this division.

(b) Order a person to cease and desist from doing digital financial asset business activity with, or on behalf of, a resident.

(c) Request the court to appoint a receiver for the assets of a person doing digital financial asset business activity with, or on behalf of, a resident.

(d) Request the court to issue temporary, preliminary, or permanent injunctive relief against a person doing digital financial asset business activity with, or on behalf of, a resident.

(e) Assess a penalty under Section 3407.

(f) Recover on the security under Section 3203 and initiate a plan to distribute the proceeds for the benefit of a resident injured by a violation of this division, or law of this state other than this division that applies to digital financial asset business activity with, or on behalf of, a resident.

(g) Impose necessary or appropriate conditions on the conduct of digital financial asset business activity with, or on behalf of, a resident.

(h) Seek restitution on behalf of a resident if the department shows economic injury due to a violation of this division.

3403.

 (a) The department may take an enforcement measure against a licensee or person that is not a licensee but is engaging in digital financial asset business activity with, or on behalf of, a resident in any of the following instances:

(1) The licensee or person materially violates this division, a rule adopted or order issued under this division, or a law of this state other than this division that applies to digital financial asset business activity of the violator with, or on behalf of, a resident.

(2) The licensee or person does not cooperate substantially with an examination or investigation by the department, fails to pay a fee, or fails to submit a report or documentation.

(3) The licensee or person, in the conduct of its digital financial asset business activity with, or on behalf of, a resident, engages in any of the following:

(A) An unsafe or unsound act or practice.

(B) An unfair or deceptive act or practice.

(C) Fraud or intentional misrepresentation.

(D) Misappropriation of legal tender, a digital financial asset, or other value held by a fiduciary.

(4) An agency of the United States or another state takes an action against the licensee or person, which would constitute an enforcement measure if the department had taken the action.

(5) The licensee or person is convicted of a crime related to its digital financial asset business activity with, or on behalf of, a resident or involving fraud or felonious activity that, as determined by the department, makes the licensee or person unsuitable to engage in digital financial asset business activity.

(6) Any of the following occurs:

(A) The licensee or person becomes insolvent.

(B) The licensee or person makes a general assignment for the benefit of its creditors.

(C) The licensee or person becomes the debtor, alleged debtor, respondent, or person in a similar capacity in a case or other proceeding under any bankruptcy, reorganization, arrangement, readjustment, insolvency, receivership, dissolution, liquidation, or similar law, and does not obtain from the court, within a reasonable time, confirmation of a plan or dismissal of the case or proceeding.

(D) The licensee or person applies for, or permits the appointment of, a receiver, trustee, or other agent of a court for itself or for a substantial part of its assets.

(7) The licensee or person makes a material misrepresentation to the department.

(b) On application and for good cause, the department may do either of the following:

(1) Extend the due date for filing a document or report under paragraph (2) of subdivision (a).

(2) Waive, to the extent warranted by circumstances, including a bona fide error notwithstanding reasonable procedures designed to prevent error, an enforcement measure issued for a violation described by paragraph (2) of subdivision (a) if the department determines that the waiver will not adversely affect the likelihood of compliance with this division.

(c) In an enforcement action related to operating without a license under this division, it is a defense to the action that the person has in effect a customer identification program reasonably designed to identify whether a customer is a resident that failed to identify the particular customer as a resident.

(d) A proceeding under this division is subject to the Administrative Procedure Act, as described in Section 11370 of the Government Code.

3405.

 (a) Except as provided in subdivision (b), the department may take an enforcement measure only after notice and opportunity for a hearing as appropriate in the circumstances.

(b) (1) (A) The department may take an enforcement measure, other than the imposition of a civil penalty under Section 3407, without notice if the circumstances require action before notice can be given.

(B) A person subject to an enforcement measure pursuant to this paragraph shall have the right to an expedited postaction hearing by the department unless the person has waived the hearing.

(2) (A) The department may take an enforcement measure, other than the imposition of a civil penalty under Section 3407, after notice and without a prior hearing if the circumstances require action before a hearing can be held.

(B) A person subject to an enforcement measure pursuant to this paragraph shall have the right to an expedited postaction hearing by the department unless the person has waived the hearing.

(3) The department may take an enforcement measure, other than the imposition of a civil penalty under Section 3407, after notice and without a hearing if the person conducting digital financial asset business activity with, or on behalf of, a resident does not timely request a hearing.

3407.

 (a) If a person other than a licensee engages in digital financial asset business activity with, or on behalf of, a resident in violation of this division, the department may assess a civil penalty against the person in an amount not to exceed one hundred thousand dollars ($100,000) for each day the person is in violation of this division.

(b) If a licensee or covered person materially violates a provision of this division, the department may assess a civil penalty in an amount not to exceed twenty thousand dollars ($20,000) for each day of violation or for each act or omission in violation.

(c) A civil penalty under this section continues to accrue until the date the violation ceases.

3409.

 (a) Revocation of a license under this division is effective against a licensee one day after the department sends notice in a record of the revocation to the licensee by a means reasonably selected for the notice to be received by the recipient in one day to the address provided for receiving communications from the department.

(b) Suspension of a license under this division or an order to cease and desist is effective against a licensee or other person one day after the department sends notice in a record of the suspension or order to the licensee or other person by a means reasonably selected for the notice to be received by the recipient in one day to the address provided for receiving communications from the department or, if no address is provided, to the recipient’s last known address. A suspension or order to cease and desist remains in effect until the earliest of the following:

(1) Entry of an order by the department under the Administrative Procedure Act, as described in Section 11370 of the Government Code.

(2) Entry of a court order setting aside or limiting the suspension or order to cease and desist.

(3) A date specified by the department.

(c) If, without reason to know of the department’s notice sent under this section, a licensee or other person does not comply in accordance with the notice until the notice is actually received at the address provided, the department may consider the delay in compliance in imposing a sanction for the failure.

3411.

 The department may enter into a consent order with a person regarding an enforcement measure. The order may provide that it does not constitute an admission of fact by a party.

3413.

 (a) This chapter does not provide a private right of action to a resident.

(b) This section does not preclude an action by a resident to enforce rights under Section 3503.

3501.

 (a) When engaging in digital financial business activity with a resident, a covered person shall provide to a resident the disclosures required by subdivision (b) and any additional disclosure the department by rule determines reasonably necessary for the protection of residents. The department shall determine by rule the time and form required for disclosure. A disclosure required by this section shall be made separately from any other information provided by the covered person and in a clear and conspicuous manner in a record the resident may keep. A covered person may propose, for the department’s approval, alternate disclosures as more appropriate for its digital financial asset business activity with, or on behalf of, residents.

(b) Before engaging in digital financial asset business activity with a resident, a covered person shall disclose, to the extent applicable to the digital financial asset business activity the covered person will undertake with the resident, all of the following:

(1) A schedule of fees and charges the covered person may assess, the manner by which fees and charges will be calculated if they are not set in advance and disclosed, and the timing of the fees and charges.

(2) Whether the product or service provided by the covered person is covered by either of the following:

(A) A form of insurance or other guarantee against loss by an agency of the United States as follows:

(i) Up to the full United States dollar equivalent of digital financial assets placed under the control of, or purchased from, the covered person as of the date of the placement or purchase, including the maximum amount provided by insurance under the Federal Deposit Insurance Corporation or otherwise available from the Securities Investor Protection Corporation.

(ii) If not provided at the full United States dollar equivalent of the digital financial asset placed under the control of or purchased from the covered person, the maximum amount of coverage for each resident expressed in the United States dollar equivalent of the digital financial asset.

(B) (i) Private insurance against theft or loss, including cybertheft or theft by other means.

(ii) Upon request of a resident with whom a covered person engages in digital financial asset business activity, a covered person shall disclose all material terms of the insurance policy to the resident in a manner that allows the resident to understand the specific insured risks and any maximum coverage amounts that may result in partial coverage of the resident’s assets.

(3) The irrevocability of a transfer or exchange and any exception to irrevocability.

(4) A description of all of the following:

(A) The covered person’s liability for an unauthorized, mistaken, or accidental transfer or exchange.

(B) The resident’s responsibility to provide notice to the covered person of an unauthorized, mistaken, or accidental transfer or exchange.

(C) The basis for any recovery by the resident from the covered person in case of an unauthorized, mistaken, or accidental transfer or exchange.

(D) General error resolution rights applicable to an unauthorized, mistaken, or accidental transfer or exchange.

(E) The method for the resident to update the resident’s contact information with the covered person.

(5) That the date or time when the transfer or exchange is made and the resident’s account is debited may differ from the date or time when the resident initiates the instruction to make the transfer or exchange.

(6) Whether the resident has a right to stop a preauthorized payment or revoke authorization for a transfer and the procedure to initiate a stop-payment order or revoke authorization for a subsequent transfer.

(7) The resident’s right to receive a receipt, trade ticket, or other evidence of the transfer or exchange.

(8) The resident’s right to at least 14 days’ prior notice of a change in the covered person’s fee schedule, other terms and conditions that have a material impact on digital financial asset business activity with the resident, or the policies applicable to the resident’s account.

(9) That no digital financial asset is currently recognized as legal tender by California or the United States.

(10) (A) A list of instances in the past 12 months when the covered person’s service was unavailable to 10,000 or more customers seeking to engage in digital financial asset business activity due to a service outage on the part of the covered person and the causes of each identified service outage.

(B) As part of the disclosure required by this paragraph, the covered person may list any steps the covered person has taken to resolve underlying causes for those outages.

(c) Except as otherwise provided in subdivision (d), at the conclusion of a digital financial asset transaction with, or on behalf of, a resident, a covered person shall provide the resident a confirmation in a record which contains all of the following:

(1) The name and contact information of the covered person, including the toll-free telephone number required under Section 3507.

(2) The type, value, date, precise time, and amount of the transaction.

(3) The fee charged for the transaction, including any charge for conversion of a digital financial asset to legal tender, bank credit, or other digital financial asset, as well as any indirect charges.

(d) If a covered person discloses that it will provide a daily confirmation in the initial disclosure under subdivision (c), the covered person may elect to provide a single, daily confirmation for all transactions with, or on behalf of, a resident on that day instead of a per transaction confirmation.

3503.

 (a) (1) A covered person that has control of a digital financial asset for one or more persons shall at all times maintain in its control an amount of each type of digital financial asset sufficient to satisfy the aggregate entitlements of the persons to the type of digital financial asset.

(2) If a covered person violates this subdivision, the property interests of the persons in the digital financial asset are pro rata property interests in the type of digital financial asset to which the persons are entitled without regard to the time the persons became entitled to the digital financial asset or the covered person obtained control of the digital financial asset.

(b) A digital financial asset maintained for purposes of compliance with this section shall meet all of the following criteria:

(1) The digital financial asset shall be held for the persons entitled to the digital financial asset.

(2) The digital financial asset shall not be property of the covered person.

(3) The digital financial asset shall not be subject to the claims of creditors of the covered person.

(c) A covered person may comply with this section by including, and complying with, a provision in its contract with a resident that states all of the following:

(1) That a digital financial asset controlled by the covered person on behalf of the resident will be treated as a financial asset under Division 8 (commencing with Section 8101) of the Commercial Code.

(2) That the covered person is a securities intermediary under Division 8 (commencing with Section 8101) of the Commercial Code with respect to any digital financial assets under control of the covered person on behalf of the resident.

(3) That the resident’s account or wallet provided by or through the covered person is a securities account under Division 8 (commencing with Section 8101) of the Commercial Code.

3505.

 (a) (1) Except as provided for under paragraph (2), a covered exchange, prior to listing or offering a digital financial asset that the covered exchange can exchange on behalf of a resident, shall certify on a form provided by the department that the covered exchange has done the following:

(A) Identified the likelihood that the digital financial asset would be deemed a security by federal or state regulators.

(B) Provided, in writing, full and fair disclosure of all material facts relating to conflicts of interest that are associated with the covered exchange and the digital financial asset.

(C) Conducted a comprehensive risk assessment designed to ensure consumers are adequately protected from cybersecurity risk, risk of malfeasance, including theft, risks related to code or protocol defects, or market-related risks, including price manipulation and fraud.

(D) Established policies and procedures to reevaluate the appropriateness of the continued listing or offering of the digital financial asset, including an evaluation of whether material changes have occurred.

(E) Established policies and procedures to cease listing or offering the digital financial asset, including notification to affected consumers and counterparties.

(2) Certification by a covered exchange shall not be required for any digital financial asset approved for listing on or before January 1, 2023, by the New York Department of Financial Services pursuant to Part 200 of Title 23 of the New York Code of Rules and Regulations.

(3) The department, after a finding that a covered exchange has listed or offered a digital financial asset without appropriate certification or after a finding that material misrepresentations were made in the certification process, shall require the covered exchange to cease offering or listing the digital financial asset and may assess the civil penalty of up to twenty thousand dollars ($20,000) per day the violation has occurred.

(b) (1) A covered exchange shall make every effort to execute a resident’s request to exchange a digital financial asset that the covered exchange receives fully and promptly.

(2) A covered exchange shall use reasonable diligence to ascertain the best market for a digital financial asset and exchange it in that market so that the outcome to the resident is as favorable as possible under prevailing market conditions. Compliance with this paragraph shall be determined by factors, including, but not limited to, all of the following:

(A) The character of the market for the digital financial asset, including price and volatility.

(B) The size and type of transaction.

(C) The number of markets checked.

(D) Accessibility of appropriate pricing.

(3) In a transaction for or with a resident, the covered exchange shall not interject a third party between the covered exchange and the best market for the digital financial asset in a manner inconsistent with this subdivision.

(4) If a covered exchange cannot execute directly with a market and employs other means in order to ensure an execution advantageous to the resident, the burden of showing the acceptable circumstances for doing so is on the covered exchange.

(c) For purposes of this section:

(1) “Conflict of interest” means an interest that might incline a covered exchange or a natural person who is an associated person of a covered exchange to make a recommendation that is not disinterested.

(2) “Covered exchange” means a covered person that exchanges or holds itself out as being able to exchange a digital financial asset for a resident.

(d) Failure of a particular policy or procedure adopted under this section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure was not created or implemented properly.

3507.

 A licensee shall prominently display on its internet website a toll-free telephone number through which a resident can contact the licensee for customer service issues and receive live customer assistance. The telephone line shall be operative 10 hours per day, Monday through Friday, excluding federal holidays.

3601.

 (a) A covered person shall not exchange, transfer, or store a digital financial asset or engage in digital financial asset administration, whether directly or through an agreement with a digital financial asset control services vendor, if that digital financial asset is a stablecoin unless both of the following are true:

(1) The issuer of the stablecoin is an applicant, licensed pursuant to this division, or is a bank.

(2) The issuer of the stablecoin at all times owns eligible securities having an aggregate market value computed in accordance with United States generally accepted accounting principles of not less than the aggregate amount of all of its outstanding stablecoins issued or sold in the United States.

(b) For purposes of this section:

(1) “Eligible securities” means the United States currency eligible securities described in subdivision (b) of Section 2082.

(2) “Nominal redemption value” means the value at which a digital financial asset can be readily converted, on demand at the time of issuance, into United States dollars or any other national or state currency or a monetary equivalent or otherwise accepted in payment or to satisfy debts denominated in United States dollars or any national or state currency.

(3) “Stablecoin” means a digital financial asset that is denominated in United States dollars or pegged to the United States dollar or denominated in or pegged to another national or state currency and is issued with a fixed nominal redemption value with the intent of establishing a reasonable expectation or belief among the general public that the instrument will retain a nominal redemption value that is so stable as to render the nominal redemption effectively fixed.

3701.

 (a) An applicant, before submitting an application, shall create and, during licensure, maintain in a record policies and procedures for all of the following:

(1) An information security program and an operational security program.

(2) A business continuity program.

(3) A disaster recovery program.

(4) An antifraud program.

(5) A program to prevent money laundering.

(6) A program to prevent funding of terrorist activity.

(7) (A) A program designed to ensure compliance with this division and other laws of this state or federal laws that are relevant to the digital financial asset business activity contemplated by the licensee with, or on behalf of, residents and to assist the licensee in achieving the purposes of other state laws and federal laws if violation of those laws has a remedy under this division.

(B) The program described by this paragraph shall specify detailed policies and procedures that the licensee undertakes to minimize the probability that the licensee facilitates the exchange of unregistered securities.

(b) A policy required by subdivision (a) shall be in a record and designed to be adequate for a licensee’s contemplated digital financial asset business activity with, or on behalf of, residents, considering the circumstances of all participants and the safe operation of the activity. Any policy and implementing procedure shall be compatible with other policies and the procedures implementing them and not conflict with policies or procedures applicable to the licensee under other state law. A policy and implementing procedure may be one in existence in the licensee’s digital financial asset business activity with, or on behalf of, residents.

(c) A licensee’s policy for detecting fraud shall include all of the following:

(1) Identification and assessment of the material risks of its digital financial asset business activity related to fraud, which shall include any form of market manipulation and insider trading by the licensee, its employees, or its customers.

(2) Protection against any material risk related to fraud identified by the department or the licensee.

(3) Periodic evaluation and revision of the antifraud procedure.

(d) A licensee’s policy for preventing money laundering and financing of terrorist activity shall include all of the following:

(1) Identification and assessment of the material risks of its digital financial asset business activity related to money laundering and financing of terrorist activity.

(2) Procedures, in accordance with federal law or guidance published by federal agencies responsible for enforcing federal law, pertaining to money laundering and financing of terrorist activity.

(3) Filing reports under the Bank Secrecy Act (31 U.S.C. Sec. 5311 et seq.) or Chapter X of Title 31 of the Code of Federal Regulations and other federal or state law pertaining to the prevention or detection of money laundering or financing of terrorist activity.

(e) A licensee’s information security and operational security policy shall include reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of any nonpublic personal information or digital financial asset it receives, maintains, or transmits.

(f) A licensee is not required to file with the department a copy of a report it makes to a federal authority unless the department specifically requires filing.

(g) A licensee’s protection policy under subdivision (e) for residents shall include all of the following:

(1) Any action or system of records required to comply with this division and other state law applicable to the licensee with respect to digital financial asset business activity with, or on behalf of, a resident.

(2) A procedure for resolving disputes between the licensee and a resident.

(3) A procedure for a resident to report an unauthorized, mistaken, or accidental digital financial asset business activity transaction.

(4) A procedure for a resident to file a complaint with the licensee and for the resolution of the complaint in a fair and timely manner with notice to the resident as soon as reasonably practical of the resolution and the reasons for the resolution.

(h) After the policies and procedures required under this section are created and approved by the department and the licensee, the licensee shall engage a responsible individual with adequate authority and experience to monitor each policy and procedure, publicize it as appropriate, recommend changes as desirable, and enforce it.

(i) A licensee may request advice from the department as to compliance with this section and, with the department’s approval, outsource functions, other than compliance, required under this section, and may request a determination from the department that a policy or procedure is not subject to the disclosure requirement described in subdivision (k) due to potential security risks.

(j) Failure of a particular policy or procedure adopted under this section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure was not created or implemented properly.

(k) (1) Except as provided in paragraph (2), policies and procedures adopted under this section shall be disclosed separately from other disclosures made available to a resident, in a clear and conspicuous manner and in the medium through which the resident contacted the licensee.

(2) This subdivision does not apply to either of the following:

(A) An adopted information security program or an operational security program described in subdivision (a).

(B) Any policy or procedure the department previously determined is not subject to this subdivision due to potential security risks.

3702.

 (a) An applicant, before submitting its application, shall establish and maintain in a record a policy or procedure designed to ensure compliance with this division, and law of this state other than this division, if the other law is relevant to the digital financial asset business activity contemplated by the licensee or the scope of this division or this division could assist in the purpose of the other law because violation of the other law has a remedy under this division.

(b) A policy or procedure under subdivision (a) shall be compatible, and not conflict, with requirements applicable to a licensee under other state law or under federal law and may be a policy or procedure in existence for the licensee’s digital financial asset business activity with, or on behalf of, a resident.

(c) After the policies and procedures required under this section are created by the licensee and approved by the department, licensee, the licensee shall engage a responsible individual with adequate authority and experience to monitor any policy or procedure, publicize it as appropriate, recommend changes as desirable, and enforce it.

(d) A licensee may request advice from the department regarding compliance with this section and, with the department’s approval, outsource functions, other than compliance, required under this section.

(e) Failure of a particular policy or procedure adopted under this section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure was not created or implemented properly.

3801.

 (a) This division applies to digital financial asset business activity with, or on behalf of, a resident on and after January 1, 2025.

(b) A person is deemed to be conducting unlicensed digital financial asset business activity with, or on behalf of, a resident in violation of this division if the person engages in digital financial asset business activity on or after January 1, 2025, and the person does not hold a license issued or recognized under this division, is not exempt from this division, and has not applied for a license.

3802.

 The provisions of this division are severable. If any provision of this division or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.