Bill Text: CA AB39 | 2023-2024 | Regular Session | Enrolled

NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Digital financial asset businesses: regulatory oversight.

Spectrum: Partisan Bill (Democrat 4-0)

Status: (Passed) 2023-10-13 - Chaptered by Secretary of State - Chapter 792, Statutes of 2023. [AB39 Detail]

Download: California-2023-AB39-Enrolled.html

Enrolled  September 18, 2023
Passed  IN  Senate  September 12, 2023
Passed  IN  Assembly  September 14, 2023
Amended  IN  Senate  September 08, 2023
Amended  IN  Senate  September 01, 2023
Amended  IN  Senate  July 13, 2023
Amended  IN  Senate  July 06, 2023
Amended  IN  Senate  June 12, 2023
Amended  IN  Assembly  May 18, 2023
Amended  IN  Assembly  April 26, 2023
Amended  IN  Assembly  January 30, 2023

CALIFORNIA LEGISLATURE— 2023–2024 REGULAR SESSION

Assembly Bill
No. 39


Introduced by Assembly Member Grayson
(Principal coauthor: Assembly Member Petrie-Norris)
(Principal coauthor: Senator Limón)
(Coauthor: Senator Atkins)

December 05, 2022


An act to add Division 1.25 (commencing with Section 3101) to the Financial Code, relating to financial regulation.


LEGISLATIVE COUNSEL'S DIGEST


AB 39, Grayson. Digital financial asset businesses: regulatory oversight.
Existing law, the Money Transmission Act, generally prohibits a person from engaging in the business of money transmission, as defined, without a license from the Commissioner of Financial Protection and Innovation.
This bill, the Digital Financial Assets Law, would, on and after July 1, 2025, prohibit a person from engaging in digital financial asset business activity, or holding itself out as being able to engage in digital financial asset business activity, with or on behalf of a resident unless any of certain criteria are met, including the person is licensed with the Department of Financial Protection and Innovation, as prescribed. The bill would define “digital financial asset” to mean a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated in legal tender, except as specified. The bill would exempt activity by specified entities, and would authorize the commissioner, by regulation or order, to further exempt any person or transaction, if the commissioner finds the exemption to be in the public interest, as provided.
This bill would, among other things, authorize the department to conduct examinations of a licensee, as prescribed, and would require a licensee to maintain, for all digital financial asset business activity with, or on behalf of, a resident for 5 years after the date of the activity, certain records, including a general ledger maintained at least monthly that lists all assets, liabilities, capital, income, and expenses of the licensee.
This bill would authorize the department to take an enforcement measure against a licensee or person that is not a licensee but has engaged, is engaging, or is about to engage in digital financial asset business activity with, or on behalf of, a resident in any of certain instances, including the licensee or person materially violates the provisions of the bill, a rule adopted or order issued under the bill, or a law of this state other than the bill that applies to digital financial asset business activity of the violator with, or on behalf of, a resident. The bill would prescribe certain civil penalties for violations of its provisions.
This bill would require a covered person, before engaging in digital financial asset business activity with a resident, to make certain disclosures to the resident, including a schedule of fees and charges the covered person may assess, the manner by which fees and charges will be calculated if they are not set in advance and disclosed, and the timing of the fees and charges. The bill would define “covered person” to mean a person required to obtain a license under the Digital Financial Assets Law.
This bill would require an applicant, before submitting an application, to create and, during licensure, maintain in a record policies and procedures for, among other things, an information security program and an operational security program.
This bill would become operative only if SB 401 of the 2023–24 Regular Session is enacted and takes effect on or before January 1, 2024.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Division 1.25 (commencing with Section 3101) is added to the Financial Code, to read:

DIVISION 1.25. Digital Financial Assets Businesses

CHAPTER  1. General Provisions

3101.
 This division shall be known as the Digital Financial Assets Law.

3102.
 For purposes of this division:
(a) “Applicant” means a person that applies for a license under this division.
(b) “Bank” means a bank, savings bank, savings and loan association, savings association, or industrial loan company chartered under the laws of this state or any other state or under the laws of the United States.
(c) “Control” means both of the following:
(1) When used in reference to a transaction or relationship involving a digital financial asset, power to execute unilaterally or prevent indefinitely a digital financial asset transaction.
(2) When used in reference to a person, the direct or indirect power to do either of the following:
(A) Vote 25 percent or more of any class of the voting securities issued by a person.
(B) Direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract, other than a commercial contract for goods or nonmanagement services, or otherwise, if no individual is deemed to control a person solely on account of being a director, officer, or employee of such person.
(d) “Covered person” means a person required to obtain a license pursuant to this division.
(e) “Credit union” means a credit union licensed under the laws of this state, or any other state, or a federal credit union chartered under the laws of the United States.
(f) “Department” means the Department of Financial Protection and Innovation.
(g) (1) “Digital financial asset” means a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated in legal tender.
(2) “Digital financial asset” does not include any of the following:
(A) A transaction in which a merchant grants, as part of an affinity or rewards program, value that cannot be taken from or exchanged with the merchant for legal tender, bank or credit union credit, or a digital financial asset.
(B) A digital representation of value issued by or on behalf of a publisher and used solely within an online game, game platform, or family of games sold by the same publisher or offered on the same game platform.
(C) A security registered with or exempt from registration with the United States Securities and Exchange Commission or a security qualified with or exempt from qualifications with the department.
(h) “Digital financial asset administration” means issuing a digital financial asset with the authority to redeem the digital financial asset for legal tender, bank or credit union credit, or another digital financial asset.
(i) “Digital financial asset business activity” means any of the following:
(1) Exchanging, transferring, or storing a digital financial asset or engaging in digital financial asset administration, whether directly or through an agreement with a digital financial asset control services vendor.
(2) Holding electronic precious metals or electronic certificates representing interests in precious metals on behalf of another person or issuing shares or electronic certificates representing interests in precious metals.
(3) Exchanging one or more digital representations of value used within one or more online games, game platforms, or family of games for either of the following:
(A) A digital financial asset offered by or on behalf of the same publisher from which the original digital representation of value was received.
(B) Legal tender or bank or credit union credit outside the online game, game platform, or family of games offered by or on behalf of the same publisher from which the original digital representation of value was received.
(j) “Digital financial asset control services vendor” means a person that has control of a digital financial asset solely under an agreement with a person that, on behalf of another person, assumes control of the digital financial asset.
(k) “Exchange,” when used as a verb, means to assume control of a digital financial asset from, or on behalf of, a resident, at least momentarily, to sell, trade, or convert either of the following:
(1) A digital financial asset for legal tender, bank or credit union credit, or one or more forms of digital financial assets.
(2) Legal tender or bank or credit union credit for one or more forms of digital financial assets.
(l) “Executive officer” includes, but is not limited to, an individual who is a director, officer, manager, managing member, partner, or trustee of a person that is not an individual, or any other person who performs similar policymaking or policy implementation functions.
(m) “Insolvent” means any of the following:
(1) Having generally ceased to pay debts in the ordinary course of business other than as a result of a bona fide dispute.
(2) Being unable to pay debts as they become due.
(3) Being insolvent within the meaning of federal bankruptcy law.
(n) “Legal tender” means a medium of exchange or unit of value, including the coin or paper money of the United States, issued by the United States or by another government.
(o) “Licensee” means a person licensed or conditionally licensed under this division.
(p) (1) “Person” means an individual, partnership, estate, business or nonprofit entity, or other legal entity.
(2) “Person” does not include a government-sponsored enterprise, government, or governmental subdivision, agency, or instrumentality.
(q) “Record” means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.
(r) (1) “Resident” means any of the following:
(A) A person who is domiciled in this state.
(B) A person who is physically located in this state for more than 183 days of the previous 365 days.
(C) A person who has a place of business in this state.
(D) A legal representative of a person that is domiciled in this state.
(2) Notwithstanding paragraph (1), “resident” does not include a licensee or an affiliate, as defined in subdivision (a) of Section 90005, of a licensee.
(s) “Responsible individual” means an individual who has direct control over, or significant management policy and decisionmaking authority with respect to, a licensee’s digital financial asset business activity in this state.
(t) “SAFE Act” means the federal Secure and Fair Enforcement for Mortgage Licensing Act of 2008 (Public Law 110-289).
(u) “Sign” means, with present intent to authenticate or adopt a record, either of the following:
(1) To execute or adopt a tangible symbol.
(2) To attach to, or logically associate with, the record an electronic symbol, sound, or process.
(v) “State” means a state of the United States, the District of Columbia, Puerto Rico, the United States Virgin Islands, or any territory or insular possession subject to the jurisdiction of the United States.
(w) “Store,” except in the phrase “store of value,” means to maintain control of a digital financial asset on behalf of a resident by a person other than the resident. “Storage” and “storing” have corresponding meanings.
(x) “Transfer” means to assume control of a digital financial asset from, or on behalf of, a resident and to subsequently do any of the following:
(1) Credit the digital financial asset to the account of another person.
(2) Move the digital financial asset from one account of a resident to another account of the same resident.
(3) Relinquish control of a digital financial asset to another person.
(y) “United States dollar equivalent of digital financial assets” means the equivalent value of a particular digital financial asset in United States dollars shown on a digital financial asset exchange based in the United States for a particular date or period specified in this division.

3103.
 (a) Except as otherwise provided in subdivision (b), this division governs the digital financial asset business activity of a person doing business in this state or, wherever located, who engages in or holds itself out as engaging in the activity with, or on behalf of, a resident.
(b) This division does not apply to activity by any of the following:
(1) The United States, a state, political subdivision of a state, agency, or instrumentality of federal, state, or local government, or a foreign government or a subdivision, department, agency, or instrumentality of a foreign government.
(2) A bank that is one of the following:
(A) A commercial bank or industrial bank, the deposits of which are insured by the Federal Deposit Insurance Corporation or its successor.
(B) A foreign (other nation) bank that is licensed under Chapter 20 (commencing with Section 1750) of Division 1.1 or that is authorized under federal law to maintain a federal agency or federal branch office in this state.
(C) An association or federal association, as defined in Section 5102, the deposits of which are insured by the Federal Deposit Insurance Corporation or its successor.
(3) A trust company licensed pursuant to Section 1042 or a national association authorized under federal law to engage in a trust banking business.
(4) A federally chartered or state-chartered credit union, with an office in California, the member accounts of which are insured or guaranteed as provided in Section 14858.
(5) A person whose participation in a payment system is limited to providing processing, clearing, or performing settlement services solely for transactions between or among persons that are exempt from the licensing requirements of this division.
(6) A person engaged in the business of dealing in foreign exchange to the extent the person’s activity meets the definition in Section 1010.605(f)(1)(iv) of Title 31 of the Code of Federal Regulations.
(7) A person that is any of the following:
(A) A person that contributes only connectivity software or computing power to securing a network that records digital financial asset transactions or to a protocol governing transfer of the digital representation of value.
(B) A person that provides only data storage or security services for a business engaged in digital financial asset business activity and does not otherwise engage in digital financial asset business activity on behalf of another person.
(C) A person that provides only to a person otherwise exempt from this division a digital financial asset as one or more enterprise solutions used solely among each other and that does not have an agreement or a relationship with a resident that is an end user of a digital financial asset.
(8) A person using a digital financial asset, including creating, investing, buying or selling, or obtaining a digital financial asset as payment for the purchase or sale of goods or services, solely on the person’s own behalf for personal, family, or household purposes or for academic purposes.
(9) A person whose digital financial asset business activity with, or on behalf of, residents is reasonably expected to be valued, in the aggregate, on an annual basis at fifty thousand dollars ($50,000) or less, measured by the United States dollar equivalent of digital financial assets.
(10) An attorney to the extent of providing escrow services to a resident.
(11) A title insurance company to the extent of providing escrow services to a resident.
(12) A secured creditor under Division 9 (commencing with Section 9101) of the Commercial Code or a creditor with a judicial lien, or lien arising by operation of law, on collateral that is a digital financial asset, if the digital financial asset business activity of the creditor is limited to enforcement of the security interest in compliance with Division 9 (commencing with Section 9101) of the Commercial Code or lien in compliance with the law applicable to the lien.
(13) A person that does not receive compensation, either directly or indirectly, for providing digital financial asset products or services or for conducting digital financial asset business activity or that is engaged in testing products or services with the person’s own funds.
(14) Any entity or futures commission merchant, swap dealer, or introducing broker registered under the federal Commodity Exchange Act (7 U.S.C. Sec. 1, et seq.) to the extent those activities are conducted under authority of that act, are actually regulated by the Commodity Futures Trading Commission, and are entitled to preemption.
(15) A person registered as a securities broker-dealer under federal or state securities laws to the extent of its operation as a broker-dealer.
(16) A person that provides clearance or settlement services pursuant to a registration as a clearing agency or an exemption from registration granted under the federal securities laws to the extent of its operation as such a provider.
(17) A merchant that accepts a digital financial asset as payment for the purchase or sale of goods or services, which does not include digital financial assets.
(c) (1) The commissioner may, by regulation or order, either unconditionally or upon specified terms and conditions or for specified periods, exempt from all or part of this division any person or transaction, or class of persons or transactions, if the commissioner finds such action to be in the public interest and that the regulation of such persons or transactions is not necessary for the purposes of this division.
(2) The commissioner shall post on the commissioner’s internet website a list of all persons, transactions, or classes of person or transactions exempt pursuant to this section, and the part or parts of this division from which they are exempt.
(3) The commissioner may, by regulation or order, amend or rescind any exemption made pursuant to this subdivision.

CHAPTER  2. Licensure

3201.
 On or after July 1, 2025, a person shall not engage in digital financial asset business activity, or hold itself out as being able to engage in digital financial asset business activity, with or on behalf of a resident unless any of the following is true:
(a) The person is licensed in this state by the department under Section 3203.
(b) The person submits an application on or before July 1, 2025, and is awaiting approval or denial of that application.
(c) The person is exempt from licensure under this division pursuant to Section 3103.

3203.
 (a) An application for a license under this division shall meet all of the following requirements:
(1) The application shall be in a form and medium prescribed by the department.
(2) Except as otherwise provided in subdivision (b), the application shall provide all of the following information relevant to the applicant’s proposed digital financial asset business activity:
(A) The legal name of the applicant, any current or proposed business United States Postal Service mailing address of the applicant, and any fictitious or trade name the applicant uses or plans to use in conducting the applicant’s digital financial asset business activity with or on behalf of a resident.
(B) The legal name, any former or fictitious name, and the residential and business United States Postal Service mailing address of any executive officer and responsible individual of the applicant and any person that has control of the applicant.
(C) A description of the current and former business of the applicant for the five years before the application is submitted, or, if the business has operated for less than five years, for the time the business has operated, including its products and services, associated internet website addresses and social media pages, principal place of business, projected user base, and specific marketing targets.
(D) A list of all of the following:
(i) Any financial regulatory license the applicant holds in another state.
(ii) The date the license described in clause (i) expires.
(iii) Any license revocation, license suspension, or other disciplinary action taken against the licensee in any state and any license applications rejected by any state.
(E) A list of any criminal conviction, deferred prosecution agreement, and pending criminal proceeding in any jurisdiction against all of the following:
(i) The applicant.
(ii) Any executive officer of the applicant.
(iii) Any responsible individual of the applicant.
(iv) Any person that has control over the applicant.
(v) Any person over which the applicant has control.
(F) A list of any litigation, arbitration, or administrative proceeding in any jurisdiction in which the applicant or an executive officer or a responsible individual of the applicant has been a party for the 10 years before the application is submitted determined to be material in accordance with generally accepted accounting principles and, to the extent the applicant would be required to disclose the litigation, arbitration, or administrative proceeding in the applicant’s audited financial statements, reports to equity owners and similar statements or reports.
(G) A list of any bankruptcy or receivership proceeding in any jurisdiction for the 10 years before the application is submitted in which any of the following was a debtor:
(i) The applicant.
(ii) An executive officer of the applicant.
(iii) A responsible individual of the applicant.
(iv) A person that has control over the applicant.
(v) A person over which the applicant has control.
(H) The name and United States Postal Service mailing address of any bank in which the applicant plans to deposit funds obtained by its digital financial asset business activity.
(I) The source of funds and credit to be used by the applicant to conduct digital financial asset business activity with, or on behalf of, a resident.
(J) Documentation demonstrating that the applicant has the capital and liquidity required by Section 3207. Documentation shall include, but is not limited to, both of the following:
(i) A copy of the applicant’s audited financial statements for the most recent fiscal year and for the two-year period next preceding the submission of the application, if available.
(ii) A copy of the applicant’s unconsolidated financial statements for the current fiscal year, whether audited or not, and, if available, for the two-year period next preceding the submission of the application.
(K) The United States Postal Service mailing address and email address to which communications from the department can be sent.
(L) The name, United States Postal Service mailing address, and email address of the registered agent of the applicant in this state.
(M) A copy of the certificate, or a detailed summary acceptable to the department, of coverage for any liability, casualty, business interruption, or cybersecurity insurance policy maintained by the applicant for itself, an executive officer, a responsible individual, or the applicant’s users.
(N) If applicable, the date on which and the state in which the applicant is formed and a copy of a current certificate of good standing issued by that state.
(O) If a person has control of the applicant and the person’s equity interests are publicly traded in the United States, a copy of the audited financial statement of the person for the most recent fiscal year or most recent report of the person filed under Section 13 of the Securities Exchange Act of 1934 (15 U.S.C. Sec. 78m).
(P) If a person has control of the applicant and the person’s equity interests are publicly traded outside the United States, a copy of the audited financial statement of the person for the most recent fiscal year of the person or a copy of the most recent documentation similar to that required in subparagraph (N) filed with the foreign regulator in the domicile of the person.
(Q) If the applicant is a partnership or a member-managed limited liability company, the names and United States Postal Service mailing addresses of any general partner or member.
(R) If the applicant is required to register with the Financial Crimes Enforcement Network of the United States Department of the Treasury as a money service business, evidence of the registration.
(S) A set of fingerprints for each executive officer and responsible individual of the applicant.
(T) If available, for any executive officer and responsible individual of the applicant, for the 10 years before the application is submitted, employment history and history of any investigation of the individual or legal proceeding to which the individual was a party.
(U) The plans through which the applicant will meet its obligations under Chapter 7 (commencing with Section 3701).
(V) The number of residents with whom, or on behalf of, the applicant engaged in digital financial asset business activity in the month preceding the month in which the applicant submits an application for a license under this division to the department.
(W) An estimate of the anticipated number of residents with whom, or on behalf of, the applicant will engage in digital financial asset business activity by October 1 of the year following the year in which the applicant submits an application for a license under this division to the department.
(X) Any other information the department reasonably requires by rule.
(3) The application shall be accompanied by a nonrefundable fee in the amount determined by the department to cover the reasonable costs of application review.
(b) (1) On receipt of a completed application, the department shall investigate whether each of the following criterion is satisfied:
(A) The applicant has the sound financial condition, competence, and responsibility to engage in digital financial business activity.
(B) The applicant has relevant financial and business experience, good character, and general fitness.
(C) Each executive officer, responsible individual, and person that has control of the applicant has competence, experience, good character, and general fitness.
(D) The applicant has complied with Chapter 5 (commencing with Section 3501) and Chapter 6 (commencing with Section 3601).
(E) The applicant has a reasonable promise of success in engaging in digital financial business activity.
(F) It is reasonable to believe that the applicant, if licensed, will engage in digital financial business activity in compliance with all applicable provisions of this division and any regulation or order issued pursuant to this division.
(2) On receipt of a completed application, the department may investigate the business premises of an applicant.
(c) After completing the investigation required by subdivision (b), the department shall send the applicant notice of its decision to approve, conditionally approve, or deny the application. If the department does not receive written notice from the applicant that the applicant accepts conditions specified by the department within 31 days following the department’s notice of the conditions, or if the applicant does not request a hearing on the conditions specified by the department within 31 days after the department’s notice of the conditions, the application shall be deemed withdrawn.
(d) A license issued pursuant to this division shall take effect on the later of the following:
(1) The date the department issues the license.
(2) The date the licensee provides the security required by Section 3207.
(e) In addition to the fee required by paragraph (3) of subdivision (a), an applicant shall pay the reasonable costs of the department’s investigation under subdivision (b).
(f) Information provided pursuant to this section is covered by subdivision (a) of Section 7929.000 of the Government Code.
(g) For purposes of this section, “completed application” means an application that contains the nonrefundable fee required by paragraph (3) of subdivision (a), the information specified in paragraph (2) of subdivision (a), and any additional information required by any regulations of the commissioner.

3205.
 (a) The commissioner may issue a conditional license to an applicant who holds or maintains a license to conduct virtual currency business activity in the state of New York pursuant to Part 200 of Title 23 of the New York Code of Rules and Regulations or a charter as a New York State limited purpose trust company with approval to conduct a virtual currency business under New York law, provided the license was issued or approved no later than January 1, 2023, and the applicant pays all appropriate fees and complies with the requirements of this division.
(b) The commissioner may issue a conditional license to an applicant pending compliance with the requirements of Section 3219 if all of the following conditions are met:
(1) The applicant has supplied all fingerprints required under Section 3219.
(2) The applicant meets all other requirements for licensure.
(3) Notwithstanding the commissioner’s reasonable efforts, the commissioner has been unable to complete the criminal history investigations required by Section 3219 with reasonable speed.
(c) A conditional license issued pursuant to this section shall expire at the earliest of the following:
(1) Upon issuance of an unconditional license.
(2) Upon denial of a license application.
(3) Upon revocation of a license issued pursuant to Part 200 of Title 23 of the New York Code of Rules and Regulations or disapproval or revocation of a charter as a New York State limited purpose trust company with approval to conduct a virtual currency business under New York law.

3207.
 (a) (1) (A) A licensee shall maintain a surety bond or trust account in United States dollars in a form and amount as determined by the department for the protection of residents that engage in digital financial asset business activity with the licensee.
(B) If a licensee maintains a trust account pursuant to this section, that trust account shall be maintained with a bank, trust company, credit union, or federal credit union in the state, subject to the prior approval of the department.
(2) Security deposited under this section shall be payable to this state for the benefit of a claim against the licensee on account of the licensee’s digital financial asset business activity with, or on behalf of, a resident.
(3) Security deposited under this section shall cover claims for a period determined by the department for the protection of residents with whom a licensee engages in digital financial business activity, including for an additional period the department specifies after the licensee ceases to engage in digital financial asset business activity with or on behalf of a resident.
(4) The department may require the licensee to increase the amount of security deposited under this section, and the licensee shall deposit the additional security not later than 30 days after the licensee receives notice in a record of the required increase.
(5) The department may permit a licensee to substitute or deposit an alternate form of security satisfactory to the department if the licensee at all times complies with this section.
(6) A claimant does not have a direct right to recover against security deposited under this section.
(7) Only the department may recover against the security, and the department may retain the recovery for no longer than five years and may process claims and distribute recoveries to claimants in accordance with rules adopted by the commissioner.
(b) In addition to the security required under subdivision (a), a licensee shall maintain at all times capital and liquidity in an amount and form as the department determines is sufficient to ensure the financial integrity of the licensee and its ongoing operations based on an assessment of the specific risks applicable to the licensee. In determining the minimum amount of capital and liquidity that shall be maintained by a licensee, the department may consider factors, including, but not limited to, all of the following:
(1) The composition of the licensee’s total assets, including the position, size, quality, liquidity, risk exposure, and price volatility of each type of asset.
(2) The composition of the licensee’s total liabilities, including the size and repayment timing of each type of liability.
(3) The actual and expected volume of the licensee’s digital financial asset business activity.
(4) The amount of leverage employed by the licensee.
(5) The liquidity position of the licensee.
(6) The financial protection that the licensee provides pursuant to subdivision (a).
(7) The types of entities to be serviced by the licensee.
(8) The types of products or services to be offered by the licensee.
(9) Arrangements adopted by the licensee for the protection of its customers in the event of the licensee’s insolvency.
(c) A licensee shall hold liquid assets required to be maintained in accordance with this section in the form of cash, digital financial assets other than digital financial assets over which it has control for a resident entitled to the protections of Section 3503, or high-quality, liquid assets as defined in subdivision (a) of Section 249.20 of Title 12 of the Code of Federal Regulations in proportions determined by the department.
(d) The department may require a licensee to increase the capital or liquidity required under this section. A licensee shall submit evidence satisfactory to the department that the licensee has additional capital or liquidity required pursuant to this subdivision not later than 30 days after the licensee receives notice in a record of the required increase.

3209.
 (a) The department shall issue a license to an applicant if all of the following conditions are satisfied:
(1) The commissioner finds that all of the criteria described in paragraph (1) of subdivision (b) of Section 3203 are satisfied.
(2) The applicant has complied with this chapter.
(3) The applicant has paid the costs of the investigation under subdivision (e) of Section 3203.
(4) The applicant has paid the initial license fee under paragraph (3) of subdivision (a) of Section 3203.
(b) An applicant may appeal a denial of its application under Section 3203 pursuant to the Administrative Procedure Act, as described in Section 11370 of the Government Code, not later than 30 days after the department notifies the applicant that the application at an address specified under subparagraph (K) of paragraph (2) of subdivision (a) of Section 3203 has been denied or deemed denied.

3211.
 (a) Subject to subdivision (h), between October 1 and November 1 of each year, a licensee shall submit to the department an annual report under subdivision (b).
(b) The annual report required by subdivision (a) shall be submitted in a form and medium prescribed by the department. The report shall contain all of the following:
(1) Either a copy of the licensee’s most recent reviewed annual financial statement, if the gross revenue generated by the licensee’s digital financial asset business activity in this state was not more than two million dollars ($2,000,000) for the fiscal year ending before the anniversary date of issuance of its license under this division, or a copy of the licensee’s most recent audited annual financial statement, if the licensee’s digital financial asset business activity in this state amounted to more than two million dollars ($2,000,000), for the fiscal year ending before the anniversary date.
(2) If a person other than an individual has control of the licensee, a copy of either of the following:
(A) The person’s most recent reviewed annual financial statement, if the person’s gross revenue was not more than two million dollars ($2,000,000) in the previous fiscal year measured as of the anniversary date of issuance of its license under this division.
(B) The person’s most recent audited consolidated annual financial statement, if the person’s gross revenue was more than two million dollars ($2,000,000) in the previous fiscal year measured as of the anniversary date of issuance of its license under this division.
(3) A description of any of the following:
(A) Any material change in the financial condition of the licensee.
(B) Any material litigation related to the licensee’s digital financial asset business activity and involving the licensee or an executive officer or responsible individual of the licensee.
(C) Any international, federal, state, or local investigation of the licensee, where permitted by applicable law.
(D) (i) Any data security breach or cybersecurity event of the licensee.
(ii) A description of a data security breach pursuant to this subparagraph does not constitute disclosure or notification of a security breach for purposes of Section 1798.82 of the Civil Code.
(4) Information or records required by Section 3307 that the licensee has not reported to the department.
(5) The number of digital financial asset business activity transactions with, or on behalf of, residents for the period since, subject to subdivision (h), the later of the date the license was issued or the date the last annual report was submitted.
(6) (A) The amount of United States dollar equivalent of digital financial asset in the control of the licensee at, subject to subdivision (h), the end of the last month that ends not later than 30 days before the date of the annual report.
(B) The total number of residents for whom the licensee had control of United States dollar equivalent of digital financial assets on that date.
(7) Evidence that the licensee is in compliance with Section 3503.
(8) Evidence that the licensee is in compliance with Section 3205.
(9) A list of all locations where the licensee engages in its digital financial asset business activity.
(10) The number of residents with whom, or on behalf of, the licensee engaged in digital financial asset business activity between September 30 of the preceding year and October 1 of the year in which the licensee is submitting the annual report.
(11) Any other information the department requires by rule.
(c) (1) On or before February 28 of each year, a licensee and an applicant operating under this division without a license pursuant to subdivision (b) of Section 3201 shall pay its pro rata cost share of all costs and expenses reasonably incurred in the administration of this division, as estimated by the commissioner, for the ensuing year and any deficit actually incurred or anticipated in the administration of the program in both the year in which the assessment is made and the preceding year.
(2) The pro rata cost share described in paragraph (1) shall be the proportion of residents with whom, or on behalf of, a licensee or an applicant operating under this division without a license pursuant to subdivision (b) of Section 3201 engages in digital financial asset business activity bears to the aggregate residents with whom, or on behalf of, all licensees and applicants operating under this division without a license pursuant to subdivision (b) of Section 3201 engage in digital financial asset business activity, as determined by the commissioner, for the costs and expenses reasonably incurred in the administration of this division, not including any costs covered by the fees or cost recoveries under Section 3203 or cost recoveries under Section 3301.
(3) On or before January 31 of each year, the commissioner shall notify each licensee and applicant operating under this division without a license pursuant to subdivision (b) of Section 3201 of the amount assessed and levied against it.
(4) The commissioner may use funds obtained by the commissioner through the enforcement of this division, including, but not limited to, moneys received through fines, penalties, settlements, or judgements, for the administration of this division, which shall offset amounts assessed and levied against pursuant to this subdivision.
(5) The department may adopt rules that change the calculation of the pro rata cost share and the dates on which assessment notifications and payments are due pursuant to this subdivision, except that the amount of the pro rata cost share shall not exceed the costs and expenses reasonably incurred in the administration of this division.
(d) (1) Following at least five business days’ notice to the licensee, the commissioner may by order summarily suspend or revoke the license of any licensee that fails to comply with subdivisions (a) to (c), inclusive, by March 31 of the year in which an assessment is made pursuant to subdivision (c).
(2) The licensee may request a hearing on the order within 30 days of receipt of the notice.
(3) If the licensee timely requests a hearing on the order and a hearing is not held within 60 days of that request, the order shall be deemed rescinded as of the effective date of the order.
(e) If the department suspends or revokes a license under this division for noncompliance with subdivisions (a) to (c), inclusive, the department may end the suspension or rescind the revocation and notify the licensee of the action if, subject to subdivision (h), not later than 20 days after the license was suspended or revoked, the licensee files an annual report required by subdivision (a), a pro rata cost share required by subdivision (c), and pays any penalty assessed under Section 3407.
(f) The department shall give prompt notice to a licensee of the lifting of a suspension or rescission of a revocation after the licensee complies with subdivision (e).
(g) Suspension or revocation of a license under this section does not invalidate a transfer or exchange of digital financial assets for, or on behalf of, a resident made during the suspension or revocation and does not insulate the licensee from liability under this division.
(h) The department may extend a period under this section.

3213.
 A license under this division is not transferable or assignable.

3215.
 (a) The department may adopt rules necessary to implement this division and may offer informal guidance to any prospective applicant for a license under this division regarding the conditions of licensure that may be applied to that person. The commissioner shall inform any applicant that requests that guidance of the minimum capital and liquidity, and other licensing requirements, that will be required of that applicant, based on the information provided by the applicant concerning the applicant’s plan to conduct business under this division, and the factors used to make that determination as described in Section 3203.
(b) (1) The commissioner may prepare written decisions, opinion letters, and other formal written guidance to be issued to persons seeking clarification regarding the requirements of this division.
(2) The commissioner shall make public on the commissioner’s internet website all written decisions, opinion letters, and other formal written guidance issued to persons seeking clarification regarding the requirements of this division. The commissioner may, at their discretion or upon request by an applicant or licensee, redact proprietary or other confidential information regarding an applicant or licensee from any decision, letter, or other written guidance issued in connection with an applicant or licensee.

3217.
 (a) The commissioner may establish relationships or contracts with the Nationwide Multistate Licensing System and Registry or other entities designated by the Nationwide Multistate Licensing System and Registry to collect and maintain records and process transaction fees or other fees related to licensees or other persons subject to this division.
(b) For the purpose of participating in the Nationwide Multistate Licensing System and Registry, the commissioner may waive or modify, in whole or in part, by rule, regulation, or order, any or all of the requirements of this division and establish new requirements as reasonably necessary to participate in the Nationwide Multistate Licensing System and Registry.
(c) Notwithstanding any other provision of law, the commissioner may use the Nationwide Multistate Licensing System and Registry as a channeling agent between the United States Department of Justice and the commissioner for requesting information from, and distributing information to, the Department of Justice and the United States Department of Justice, including the Federal Bureau of Investigation pursuant to Section 5110 of the SAFE Act, any other governmental agency, or any other source, as directed by the commissioner.
(d) The commissioner shall establish a process through which applicants and licensees may challenge information entered into the Nationwide Multistate Licensing System and Registry by the commissioner.

3219.
 (a) (1) The commissioner shall require the submission of fingerprints for each applicant if the applicant is a natural person, and of each executive officer and responsible individual associated with the applicant, for the purpose of conducting a criminal history search by means of a Federal Bureau of Investigation criminal history record check.
(2) The commissioner shall require the submission of fingerprints for any natural person that has control of the applicant for the purpose of conducting a criminal history search by means of a Federal Bureau of Investigation criminal history record check.
(3) If a person that has control of the applicant is not a natural person, the commissioner shall require a Federal Bureau of Investigation criminal history record check, including the submission of fingerprints, for each executive officer and responsible person associated with that person that has control of the applicant for the purpose of conducting a criminal history search by means of a Federal Bureau of Investigation criminal history record check.
(b) Section 461 of the Business and Professions Code shall not be applicable to the Department of Financial Protection and Innovation when using a national uniform application adopted or approved for use by the Nationwide Mortgage Licensing System and Registry in connection with this division.
(c) Notwithstanding any other provision of law, in connection with an application for a license under this division, the commissioner may require every applicant, at a minimum, to furnish to the Nationwide Mortgage Licensing System and Registry information described under subdivision (a) of this section.
(d) Notwithstanding any other provision of law, the commissioner may ask the Nationwide Mortgage Licensing System and Registry to obtain Federal Bureau of Investigation criminal history record check on individuals described in subdivision (a), pursuant to Section 5110 of the SAFE Act. For the purposes of this section, a Federal Bureau of Investigation criminal history record check shall include forwarding the individual’s fingerprints to the Federal Bureau of Investigation.
(e) Notwithstanding any other provision of law, the commissioner may ask the Nationwide Mortgage Licensing System and Registry to obtain state criminal history background check information on applicants described in subdivision (a) using the procedures set forth in subdivisions (f) and (h).
(f) If the Nationwide Mortgage Licensing System and Registry electronically submits fingerprint images and related information, as required by the Department of Justice, for an applicant under this division for the purposes of obtaining information as to the existence and content of a record of state convictions and state arrests and to the existence and content of a record of state arrests for which the Department of Justice establishes that the person is free on bail or on their recognizance pending trial or appeal, the Department of Justice shall provide an electronic response to the Nationwide Mortgage Licensing System and Registry pursuant to paragraph (1) of subdivision (p) of Section 11105 of the Penal Code, and shall provide the same electronic response to the commissioner.
(g) The Nationwide Mortgage Licensing System and Registry may request from the Department of Justice subsequent arrest notification service, as provided pursuant to Section 11105.2 of the Penal Code, for all individuals described in subdivision (a) of this section. The Department of Justice shall provide the same electronic response to the commissioner.
(h) The Department of Justice shall charge a fee sufficient to cover the reasonable costs of processing the requests described in this section.

3221.
 (a) An applicant shall not be denied a license on the basis of a criminal conviction, or on the basis of acts underlying a criminal conviction, if the convicted person has obtained a certificate of rehabilitation under Chapter 3.5 (commencing with Section 4852.01) of Title 6 of Part 3 of the Penal Code or has been granted clemency or a pardon by a state or federal executive.
(b) An applicant shall not be denied a license on the basis of a conviction that has been dismissed pursuant to Section 1203.4, 1203.4a, 1203.41, or 1203.425 of the Penal Code. An applicant who has a conviction that has been dismissed pursuant to Section 1203.4, 1203.4a, 1203.41, or 1203.425 of the Penal Code shall provide the commissioner with proof of the dismissal if it is not reflected in the applicant’s criminal history record report.
(c) An applicant shall not be denied a license on the basis of an arrest that resulted in a disposition other than a conviction, including an arrest that resulted in an infraction, citation, or juvenile adjudication.
(d) If an applicant is denied a license based solely or in part on conviction history, the applicant shall be notified in writing of all of the following:
(1) The denial or disqualification of licensure.
(2) The procedure for the applicant to challenge the decision or to request reconsideration.
(3) That the applicant has the right to appeal the decision.
(4) The processes to request a copy of the applicant’s complete conviction history and to question the accuracy or completeness of the record.

3223.
 (a) Except as otherwise provided in Section 5111 of the SAFE Act, the requirements under any federal law or the Information Practices Act of 1977 (Chapter 1 (commencing with Section 1798) of Title 1.8 of Part 4 of Division 3 of the Civil Code) regarding the privacy or confidentiality of any information or material provided to the Nationwide Multistate Licensing System and Registry, and any privilege arising under federal or state law, including the rules of any state court, with respect to that information or material, shall continue to apply to the information or material after the information or material has been disclosed to the Nationwide Multistate Licensing System and Registry. The information and material may be shared with all state and federal regulatory officials with industry oversight authority without the loss of privilege or the loss of confidentiality protections provided by federal law or the Information Practices Act of 1977.
(b) Information or material that is subject to a privilege or confidentiality under subdivision (a) shall not be subject to either of the following:
(1) Disclosure under any federal or state law governing the disclosure to the public of information held by an officer or an agency of the federal government or the state.
(2) Subpoena or discovery, or admission into evidence, in any private civil action or administrative process, unless with respect to any privilege held by the Nationwide Multistate Licensing System and Registry with respect to the information or material, the person to whom the information or material pertains waives, in whole or in part, in the discretion of that person, that privilege.
(c) This section shall not apply with respect to the information or material relating to the employment history of, and publicly adjudicated disciplinary and enforcement actions included in, the Nationwide Multistate Licensing System and Registry for access by the public.

3225.
 The commissioner shall regularly report violations of this division, enforcement actions under this division, and other relevant information to the Nationwide Multistate Licensing System and Registry, but only to the extent that the information is publicly available.

CHAPTER  3. Examination

3301.
 (a) (1) (A) The department may, at any time and from time to time, examine the business and any office, within or outside this state, of any licensee, or any agent of a licensee, in order to ascertain whether the business is being conducted in a lawful manner and whether all digital financial asset business activity is properly accounted for.
(B) The directors, officers, and employees of a licensee, or agent of a licensee, being examined by the department shall exhibit to the department, on request, any or all of the licensee’s accounts, books, correspondence, memoranda, papers, and other records and shall otherwise facilitate the examination so far as it may be in their power to do so.
(2) The department may examine a licensee pursuant to this subdivision without prior notice to the licensee.
(b) A licensee shall pay the reasonable and necessary costs of an examination under this section to the commissioner and the commissioner may maintain an action for the recovery of the cost in any court of competent jurisdiction. In determining the cost of the examination, the commissioner may use the estimated average hourly cost for all persons performing examinations of licensees or other persons subject to this division for the fiscal year.

3303.
 (a) A licensee shall maintain, for all digital financial asset business activity with, or on behalf of, a resident for five years after the date of the activity, a record of all of the following:
(1) Any transaction of the licensee with, or on behalf of, the resident or for the licensee’s account in this state, including all of the following:
(A) The identity of the resident.
(B) The form of the transaction.
(C) The amount, date, and payment instructions given by the resident.
(D) The account number, name, and United States Postal Service mailing address of the resident, and, to the extent feasible, other parties to the transaction.
(2) The aggregate number of transactions and aggregate value of transactions by the licensee with, or on behalf of, the resident and for the licensee’s account in this state expressed in United States dollar equivalent of digital financial assets for the previous 12 calendar months.
(3) Any transaction in which the licensee exchanged one form of digital financial asset for legal tender or another form of digital financial asset with, or on behalf of, the resident.
(4) A general ledger maintained at least monthly that lists all assets, liabilities, capital, income, and expenses of the licensee.
(5) Any business call report the licensee is required to create or provide to the department.
(6) Bank statements and bank reconciliation records for the licensee and the name, account number, and United States Postal Service mailing address of any bank the licensee uses in the conduct of its digital financial asset business activity with, or on behalf of, the resident.
(7) A report of any dispute with the resident.
(b) A licensee shall maintain records required by subdivision (a) in a form that enables the department to determine whether the licensee is in compliance with this division, any court order, and the laws of this state.
(c) If a licensee maintains records outside this state that pertain to transactions with, or on behalf of, a resident, the licensee shall make the records available to the department not later than three days after request, or, on a determination by the department, at a later time.
(d) All records maintained by a licensee are subject to inspection by the department.

3305.
 The department may cooperate, coordinate, jointly examine, consult, and share records and other information with a self-regulatory organization, a federal or state agency, law enforcement, or a regulator of a jurisdiction outside the United States, concerning the affairs and conduct of a licensee in this state.

3307.
 (a) A licensee shall file with the department a report of the following, as may be applicable:
(1) A material change in information in the application for a license under this division or the most recent annual report of the licensee under this division.
(2) A change in the licensee’s business for the conduct of its digital financial asset business activity with, or on behalf of, a resident that meets one of the following criteria:
(A) The change may raise a legal or regulatory issue about the permissibility of the licensee’s digital financial business activity.
(B) The proposed change may raise safety and soundness or operational concerns.
(C) The proposed change is to digital financial business activity that may cause such activity to be materially different from that previously listed on the application for licensing by the commissioner.
(3) A change of an executive officer, responsible individual, or person in control of the licensee.
(b) A report required by this section shall be filed not later than 15 days after the change described in subdivision (a).

3309.
 (a) For purposes of this section, “proposed person to be in control” means the person that would control a licensee after a proposed transaction that would result in a change in control of the licensee.
(b) The following rules apply in determining whether a person has control over a licensee:
(1) There is a rebuttable presumption of control if a person directly or indirectly owns, controls, holds with the power to vote, or holds proxies representing, 10 percent or more of the then outstanding voting securities issued by the licensee.
(2) A person has control over a licensee if the person’s voting power in the licensee constitutes or will constitute at least 25 percent of the total voting power of the licensee.
(3) A person has control over a licensee if the person’s voting power in another person constitutes or will constitute at least 10 percent of the total voting power of the other person and the other person’s voting power in the licensee constitutes at least 10 percent of the total voting power of the licensee.
(4) A person does not have control over a licensee solely because that person is an executive officer of the licensee.
(c) Before a proposed change in control of a licensee, the proposed person to be in control shall submit to the department in a record both of the following:
(1) An application in a form and medium prescribed by the department.
(2) The information and records that Section 3203 would require if the proposed person to be in control already had control of the licensee.
(d) The department shall not approve an application unless the commissioner finds all of the following:
(1) The proposed person to be in control and all executive officers of the proposed person to be in control, if any, are of good character and sound financial standing.
(2) The proposed person to be in control is competent to engage in the business of digital financial business activity.
(3) It is reasonable to believe that, if the person acquires control of the licensee, the proposed person to be in control and the licensee will comply with all applicable provisions of this division and any regulation or order issued under this division.
(4) The proposed person to be in control plans, if any, to make any major change in the business, corporate structure, or management of the licensee are not detrimental to the safety and soundness of the licensee.
(e) The department, in accordance with Section 3203, shall approve, approve with conditions, or deny an application for a change in control of a licensee. The department, in a record, shall send notice of its decision to the licensee and the person that would be in control if the department had approved the change in control. If the department denies the application, the licensee shall abandon the proposed change in control or cease digital financial asset business activity with or on behalf of residents.
(f) If the department applies a condition to approval of a change in control of a licensee, and the department does not receive notice of the applicant’s acceptance of the condition specified by the department not later than 31 days after the department sends notice of the condition, the application is deemed denied. If the application is deemed denied, the licensee shall abandon the proposed change in control or cease digital financial asset business activity with, or on behalf of, residents.
(g) The department may revoke or modify a determination under subdivision (d), after notice and opportunity to be heard, if, in its judgment, revocation or modification is consistent with this division.
(h) If a change in control of a licensee requires approval of an agency of the state, and the action of the other agency conflicts with that of the department, the department shall confer with the other agency. If the proposed change in control cannot be completed because the conflict cannot be resolved, the licensee shall abandon the change in control or cease digital financial asset business activity with, or on behalf of, residents.

3311.
 (a) Before a proposed merger or consolidation of a licensee with another person, the licensee shall submit all of the following, as applicable, to the department in a record:
(1) An application in a form and medium prescribed by the department.
(2) The plan of merger or consolidation in accordance with subdivision (e).
(3) In the case of a licensee, the information required by Section 3203 concerning the person that would be the surviving entity in the proposed merger or consolidation.
(b) If a proposed merger or consolidation would change the control of a licensee, the licensee shall comply with Section 3309 and this section.
(c) The department shall not approve the application for a merger or consolidation unless the commissioner finds all of the following:
(1) That the merger or consolidation will not result in a monopoly and will not be in furtherance of any combination or conspiracy to monopolize or to attempt to monopolize digital financial business activity in this state.
(2) That the merger or consolidation will not have the effect in any section of this state of substantially lessening competition, tending to create a monopoly, or otherwise being in restraint of trade, or that the anticompetitive effect is clearly outweighed in the public interest by the probable effect of the merger in meeting the convenience and needs of the community to be served.
(3) That the financial condition of the surviving entity, including its capital and liquidity, will be satisfactorily based on the factors listed in subdivision (b) of Section 3207.
(4) That the executive officers of the surviving entity are of good character and sound financial standing and are competent to engage in digital financial business activity.
(d) The department, in accordance with Section 3203, shall approve, conditionally approve, or deny an application for approval of a merger or consolidation of a licensee. The department, in a record, shall send notice of its decision to the licensee and the person that would be the surviving entity. If the department denies the application, the licensee shall abandon the merger or consolidation or cease digital financial asset business activity with, or on behalf of, residents.
(e) The department may revoke or modify a determination under subdivision (c), after notice and opportunity to be heard, if, in its judgment, revocation or modification is consistent with this division.
(f) A plan of merger or consolidation of a licensee with another person shall do all of the following:
(1) Describe the effect of the proposed transaction on the licensee’s conduct of digital financial asset business activity with, or on behalf of, residents.
(2) Identify each person to be merged or consolidated and the person that would be the surviving entity.
(3) Describe the terms and conditions of the merger or consolidation and the mode of carrying it into effect.
(g) If a merger or consolidation of a licensee and another person requires approval of an agency of this state, and the action of the other agency conflicts with that of the department, the department shall confer with the other agency. If the proposed merger or consolidation cannot be completed because the conflict cannot be resolved, the licensee shall abandon the merger or consolidation or cease digital financial asset business activity with, or on behalf of, residents.
(h) The department may condition approval of an application under subdivision (a). If the department does not receive notice from the parties that the parties accept the department’s condition not later than 31 days after the department sends notice in a record of the condition, the application is deemed denied. If the application is deemed denied, the licensee shall abandon the merger or consolidation or cease digital financial asset business activity with, or on behalf of, residents.
(i) If a licensee acquires substantially all of the assets of a person, whether or not the person’s license was approved by the department, the transaction is subject to this section.

CHAPTER  4. Enforcement

3401.
 For the purpose of this chapter, “enforcement measure” means an action that includes, but is not limited to, all of the following:
(a) Suspend or revoke a license under this division.
(b) Order a person to cease and desist from doing digital financial asset business activity with, or on behalf of, a resident.
(c) Request the court to appoint a receiver for the assets of a person doing digital financial asset business activity with, or on behalf of, a resident.
(d) Request the court to issue temporary, preliminary, or permanent injunctive relief against a person doing digital financial asset business activity with, or on behalf of, a resident.
(e) Assess a penalty under Section 3407.
(f) Recover on the security under Section 3207 and initiate a plan to distribute the proceeds for the benefit of a resident injured by a violation of this division, or law of this state other than this division that applies to digital financial asset business activity with, or on behalf of, a resident.
(g) Impose necessary or appropriate conditions on the conduct of digital financial asset business activity with, or on behalf of, a resident.
(h) Seek restitution on behalf of a resident if the department shows economic injury due to a violation of this division.

3403.
 (a) The department may take an enforcement measure against a licensee or person that is not a licensee but has engaged, is engaging, or is about to engage in digital financial asset business activity with, or on behalf of, a resident in any of the following instances:
(1) The licensee or person materially violates this division, a rule adopted or order issued under this division, or a law of this state other than this division that applies to digital financial asset business activity of the violator with, or on behalf of, a resident.
(2) The licensee or person does not cooperate substantially with an examination or investigation by the department, fails to pay a fee, or fails to submit a report or documentation.
(3) The licensee or person, in the conduct of its digital financial asset business activity with, or on behalf of, a resident, has engaged, is engaging, or is about to engage in any of the following:
(A) An unsafe or unsound act or practice.
(B) An unfair or deceptive act or practice.
(C) Fraud or intentional misrepresentation.
(D) Misappropriation of legal tender, a digital financial asset, or other value held by a fiduciary.
(4) An agency of the United States or another state takes an action against the licensee or person, which would constitute an enforcement measure if the department had taken the action.
(5) The licensee or person is convicted of a crime related to its digital financial asset business activity with, or on behalf of, a resident or involving fraud or felonious activity that, as determined by the department, makes the licensee or person unsuitable to engage in digital financial asset business activity.
(6) Any of the following occurs:
(A) The licensee or person becomes insolvent.
(B) The licensee or person makes a general assignment for the benefit of its creditors.
(C) The licensee or person becomes the debtor, alleged debtor, respondent, or person in a similar capacity in a case or other proceeding under any bankruptcy, reorganization, arrangement, readjustment, insolvency, receivership, dissolution, liquidation, or similar law, and does not obtain from the court, within a reasonable time, confirmation of a plan or dismissal of the case or proceeding.
(D) The licensee or person applies for, or permits the appointment of, a receiver, trustee, or other agent of a court for itself or for a substantial part of its assets.
(7) The licensee or person makes a material misrepresentation to the department.
(b) On application and for good cause, the department may do either of the following:
(1) Extend the due date for filing a document or report under paragraph (2) of subdivision (a).
(2) Waive, to the extent warranted by circumstances, including a bona fide error notwithstanding reasonable procedures designed to prevent error, an enforcement measure issued for a violation described by paragraph (2) of subdivision (a) if the department determines that the waiver will not adversely affect the likelihood of compliance with this division.
(c) In an enforcement action related to operating without a license under this division, it is a defense to the action that the person has in effect a customer identification program reasonably designed to identify whether a customer is a resident that failed to identify the particular customer as a resident.
(d) A proceeding under this division is subject to the Administrative Procedure Act, as described in Section 11370 of the Government Code.

3405.
 (a) Except as provided in subdivision (b), the department may take an enforcement measure only after notice and opportunity for a hearing as appropriate in the circumstances.
(b) (1) (A) The department may take an enforcement measure, other than the imposition of a civil penalty under Section 3407, without notice if the circumstances require action before notice can be given.
(B) A person subject to an enforcement measure pursuant to this paragraph shall have the right to an expedited postaction hearing by the department unless the person has waived the hearing.
(2) (A) The department may take an enforcement measure, other than the imposition of a civil penalty under Section 3407, after notice and without a prior hearing if the circumstances require action before a hearing can be held.
(B) A person subject to an enforcement measure pursuant to this paragraph shall have the right to an expedited postaction hearing by the department unless the person has waived the hearing.
(3) The department may take an enforcement measure, other than the imposition of a civil penalty under Section 3407, after notice and without a hearing if the person conducting digital financial asset business activity with, or on behalf of, a resident does not timely request a hearing.

3407.
 (a) If a person other than a licensee has engaged, is engaging, or is about to engage in digital financial asset business activity with, or on behalf of, a resident in violation of this division, the department may assess a civil penalty against the person in an amount not to exceed one hundred thousand dollars ($100,000) for each day the person is in violation of this division.
(b) If a licensee or covered person materially violates a provision of this division, the department may assess a civil penalty in an amount not to exceed twenty thousand dollars ($20,000) for each day of violation or for each act or omission in violation.
(c) A civil penalty under this section continues to accrue until the date the violation ceases.

3409.
 (a) Revocation of a license under this division is effective against a licensee one day after the department sends notice in a record of the revocation to the licensee by a means reasonably selected for the notice to be received by the recipient in one day to the address provided for receiving communications from the department.
(b) Suspension of a license under this division or an order to cease and desist is effective against a licensee or other person one day after the department sends notice in a record of the suspension or order to the licensee or other person by a means reasonably selected for the notice to be received by the recipient in one day to the address provided for receiving communications from the department or, if no address is provided, to the recipient’s last known address. A suspension or order to cease and desist remains in effect until the earliest of the following:
(1) Entry of an order by the department under the Administrative Procedure Act, as described in Section 11370 of the Government Code.
(2) Entry of a court order setting aside or limiting the suspension or order to cease and desist.
(3) A date specified by the department.
(c) If, without reason to know of the department’s notice sent under this section, a licensee or other person does not comply in accordance with the notice until the notice is actually received at the address provided, the department may consider the delay in compliance in imposing a sanction for the failure.

3411.
 The department may enter into a consent order with a person regarding an enforcement measure. The order may provide that it does not constitute an admission of fact by a party.

3413.
 Whenever the commissioner deems it necessary for the general welfare of the public, the commissioner has continuous authority to exercise the powers set forth in this division whether or not an application for a license has been filed with the commissioner, any license has been issued, or if issued, has been surrendered, suspended, or revoked.

3415.
 (a) This chapter shall not be construed to provide a private right of action to a resident.
(b) The duties and obligations imposed by this chapter are cumulative with any other duties or obligations imposed under any other law, and shall not be construed to relieve any party from any duties or obligations imposed under any other law.
(c) This section does not preclude an action by a resident to enforce rights under Section 3503.

CHAPTER  5. Disclosures and Protections

3501.
 (a) When engaging in digital financial business activity with a resident, a covered person shall provide to a resident the disclosures required by subdivision (b) and any additional disclosure the department by rule determines reasonably necessary for the protection of residents. The department shall determine by rule the time and form required for disclosure. A disclosure required by this section shall be made separately from any other information provided by the covered person and in a clear and conspicuous manner in a record the resident may keep. A covered person may propose, for the department’s approval, alternate disclosures as more appropriate for its digital financial asset business activity with, or on behalf of, residents.
(b) Before engaging in digital financial asset business activity with a resident, a covered person shall disclose, to the extent applicable to the digital financial asset business activity the covered person will undertake with the resident, all of the following:
(1) A schedule of fees and charges the covered person may assess, the manner by which fees and charges will be calculated if they are not set in advance and disclosed, and the timing of the fees and charges.
(2) Whether the product or service provided by the covered person is covered by either of the following:
(A) A form of insurance or other guarantee against loss by an agency of the United States as follows:
(i) Up to the full United States dollar equivalent of digital financial assets placed under the control of, or purchased from, the covered person as of the date of the placement or purchase, including the maximum amount provided by insurance under the Federal Deposit Insurance Corporation, National Credit Union Share Insurance Fund, or otherwise available from the Securities Investor Protection Corporation.
(ii) If not provided at the full United States dollar equivalent of the digital financial asset placed under the control of or purchased from the covered person, the maximum amount of coverage for each resident expressed in the United States dollar equivalent of the digital financial asset.
(B) (i) Private insurance against theft or loss, including cybertheft or theft by other means.
(ii) Upon request of a resident with whom a covered person engages in digital financial asset business activity, a covered person shall disclose the terms of the insurance policy to the resident in a manner that allows the resident to understand the specific insured risks that may result in partial coverage of the resident’s assets.
(3) The irrevocability of a transfer or exchange and any exception to irrevocability.
(4) A description of all of the following:
(A) The covered person’s liability for an unauthorized, mistaken, or accidental transfer or exchange.
(B) The resident’s responsibility to provide notice to the covered person of an unauthorized, mistaken, or accidental transfer or exchange.
(C) The basis for any recovery by the resident from the covered person in case of an unauthorized, mistaken, or accidental transfer or exchange.
(D) General error resolution rights applicable to an unauthorized, mistaken, or accidental transfer or exchange.
(E) The method for the resident to update the resident’s contact information with the covered person.
(5) That the date or time when the transfer or exchange is made and the resident’s account is debited may differ from the date or time when the resident initiates the instruction to make the transfer or exchange.
(6) Whether the resident has a right to stop a preauthorized payment or revoke authorization for a transfer and the procedure to initiate a stop-payment order or revoke authorization for a subsequent transfer.
(7) The resident’s right to receive a receipt, trade ticket, or other evidence of the transfer or exchange.
(8) The resident’s right to at least 14 days’ prior notice of a change in the covered person’s fee schedule, other terms and conditions that have a material impact on digital financial asset business activity with the resident, or the policies applicable to the resident’s account.
(9) That no digital financial asset is currently recognized as legal tender by California or the United States.
(10) (A) A list of instances in the past 12 months when the covered person’s service was unavailable to 10,000 or more customers seeking to engage in digital financial asset business activity due to a service outage on the part of the covered person and the causes of each identified service outage.
(B) As part of the disclosure required by this paragraph, the covered person may list any steps the covered person has taken to resolve underlying causes for those outages.
(c) Except as otherwise provided in subdivision (d), at the conclusion of a digital financial asset transaction with, or on behalf of, a resident, a covered person shall provide the resident a confirmation in a record which contains all of the following:
(1) The name and contact information of the covered person, including the toll-free telephone number required under Section 3507.
(2) The type, value, date, precise time, and amount of the transaction.
(3) The fee charged for the transaction, including any charge for conversion of a digital financial asset to legal tender, bank credit, or other digital financial asset, as well as any indirect charges.
(d) If a covered person discloses that it will provide a daily confirmation in the initial disclosure under subdivision (c), the covered person may elect to provide a single, daily confirmation for all transactions with, or on behalf of, a resident on that day instead of a per transaction confirmation.

3503.
 (a) (1) A covered person that has control of a digital financial asset for one or more persons shall at all times maintain in its control an amount of each type of digital financial asset sufficient to satisfy the aggregate entitlements of the persons to the type of digital financial asset.
(2) If a covered person violates this subdivision, the property interests of the persons in the digital financial asset are pro rata property interests in the type of digital financial asset to which the persons are entitled without regard to the time the persons became entitled to the digital financial asset or the covered person obtained control of the digital financial asset.
(b) A digital financial asset maintained for purposes of compliance with this section shall meet all of the following criteria:
(1) The digital financial asset shall be held for the persons entitled to the digital financial asset.
(2) The digital financial asset shall not be property of the covered person.
(3) The digital financial asset shall not be subject to the claims of creditors of the covered person.
(c) A covered person may comply with this section by including, and complying with, a provision in its contract with a resident that states all of the following:
(1) That a digital financial asset controlled by the covered person on behalf of the resident will be treated as a financial asset under Division 8 (commencing with Section 8101) of the Commercial Code.
(2) That the covered person is a securities intermediary under Division 8 (commencing with Section 8101) of the Commercial Code with respect to any digital financial assets under control of the covered person on behalf of the resident.
(3) That the resident’s account or wallet provided by or through the covered person is a securities account under Division 8 (commencing with Section 8101) of the Commercial Code.
(d) Even if commingled with other assets of the covered person, digital financial assets maintained for purposes of compliance with this section are deemed to be held in trust for the benefit of the customers of the covered persons’ digital financial asset business activity, in the event of bankruptcy or receivership of the covered person, or in the event of an action by a creditor against the covered person who is not a beneficiary of this statutory trust. Digital financial assets maintained for purposes of compliance with this section or eligible securities impressed with a trust pursuant to this subdivision shall not be subject to attachment, levy of execution, or sequestration by order of any court, except for a beneficiary of this statutory trust.
(e) A covered person shall at all times own eligible securities, as described in subdivision (b) of Section 2082, having an aggregate market value computed in accordance with United States generally accepted accounting principles of not less than the aggregate amount of all of its outstanding United States dollar-denominated liabilities owed to its customers.

3505.
 (a) (1) Except as provided for under paragraph (2), a covered exchange, prior to listing or offering a digital financial asset that the covered exchange can exchange on behalf of a resident, shall certify on a form provided by the department that the covered exchange has done the following:
(A) Identified the likelihood that the digital financial asset would be deemed a security by federal or California regulators.
(B) Provided, in writing, full and fair disclosure of all material facts relating to conflicts of interest that are associated with the covered exchange and the digital financial asset.
(C) Conducted a comprehensive risk assessment designed to ensure consumers are adequately protected from cybersecurity risk, risk of malfeasance, including theft, risks related to code or protocol defects, or market-related risks, including price manipulation and fraud.
(D) Established policies and procedures to reevaluate the appropriateness of the continued listing or offering of the digital financial asset, including an evaluation of whether material changes have occurred.
(E) Established policies and procedures to cease listing or offering the digital financial asset, including notification to affected consumers and counterparties.
(2) Certification by a covered exchange shall not be required for any digital financial asset approved for listing on or before January 1, 2023, by the New York Department of Financial Services pursuant to Part 200 of Title 23 of the New York Code of Rules and Regulations.
(3) The department, after a finding that a covered exchange has listed or offered a digital financial asset without appropriate certification or after a finding that material misrepresentations were made in the certification process, shall require the covered exchange to cease offering or listing the digital financial asset and may assess the civil penalty of up to twenty thousand dollars ($20,000) per day the violation has occurred.
(b) (1) A covered exchange shall make every effort to execute a resident’s request to exchange a digital financial asset that the covered exchange receives fully and promptly.
(2) (A) A covered exchange shall use reasonable diligence to ensure that the outcome to the resident is as favorable as possible under prevailing market conditions. Compliance with this paragraph shall be determined by factors, including, but not limited to, all of the following:
(i) The character of the market for the digital financial asset, including price and volatility.
(ii) The size and type of transaction.
(iii) The number of markets checked.
(iv) Accessibility of appropriate pricing.
(B) At least once every six months, a covered exchange shall review aggregated trading records of residents against benchmarks to determine execution quality, shall investigate the causes of any variance, and shall promptly take action to remedy issues identified in that review.
(3) In a transaction for or with a resident, the covered exchange shall not interject a third party between the covered exchange and the best market for the digital financial asset in a manner inconsistent with this subdivision.
(4) If a covered exchange cannot execute directly with a market and employs other means in order to ensure an execution advantageous to the resident, the burden of showing the acceptable circumstances for doing so is on the covered exchange.
(c) For purposes of this section:
(1) “Conflict of interest” means an interest that might incline a covered exchange or a natural person who is an associated person of a covered exchange to make a recommendation that is not disinterested.
(2) “Covered exchange” means a covered person that exchanges or holds itself out as being able to exchange a digital financial asset for a resident.
(d) Failure of a particular policy or procedure adopted under this section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure was not created or implemented properly.

3507.
 A covered person shall prominently display on its internet website a toll-free telephone number through which a resident can contact the licensee for customer service issues and receive live customer assistance. The telephone line shall be operative 10 hours per day, Monday through Friday, excluding federal holidays.

3509.
 The requirements imposed on a covered person or a covered exchange under this chapter shall be operative on July 1, 2025.

CHAPTER  6. Stablecoins

3601.
 (a) Except as provided in Section 3603, a covered person shall not exchange, transfer, or store a digital financial asset or engage in digital financial asset administration, whether directly or through an agreement with a digital financial asset control services vendor, if that digital financial asset is a stablecoin unless both of the following are true:
(1) The issuer of the stablecoin is an applicant, is licensed pursuant to this division, or is a bank, a trust company licensed pursuant to Section 1042, or a national association authorized under federal law to engage in a trust banking business.
(2) The issuer of the stablecoin at all times owns eligible securities having an aggregate market value computed in accordance with United States generally accepted accounting principles of not less than the aggregate amount of all of its outstanding stablecoins issued or sold.
(b) For purposes of this chapter:
(1) “Eligible securities” means the United States currency eligible securities described in subdivision (b) of Section 2082 or foreign currency eligible securities described in subdivision (c) of Section 2082 as required by the laws or regulations of other jurisdictions.
(2) “Nominal redemption value” means the value at which a digital financial asset can be readily converted, on demand at the time of issuance, into United States dollars or any other national or state currency or a monetary equivalent or otherwise accepted in payment or to satisfy debts denominated in United States dollars or any national or state currency.
(3) “Stablecoin” means a digital financial asset that is pegged to the United States dollar or another national currency and is marketed in a manner that intends to establish a reasonable expectation or belief among the general public that the instrument will retain a nominal value that is so stable as to render the nominal value effectively fixed.

3603.
 (a) A covered person may exchange, transfer, or store a digital financial asset or engage in digital financial asset administration, whether directly or through an agreement with a digital financial asset control services vendor, if that digital financial asset is a stablecoin approved by the commissioner pursuant to subdivision (b), provided that the covered person complies with any requirements, restrictions, or prohibitions established by the commissioner pursuant to subdivision (c).
(b) (1) The commissioner may approve a stablecoin for exchange, transfer, or storage by a covered person, or for issuance pursuant to digital financial asset administration, if the commissioner determines that the stablecoin does not compromise the interests of residents who may use the stablecoin as a payment for goods and services or as a store of value.
(2) In determining whether to make an approval under paragraph (1), the commissioner shall consider all of the following factors:
(A) Any legally enforceable rights provided by the issuer of the stablecoin to holders of the stablecoin, including, but not limited to, rights to redeem the stablecoin for legal tender or bank or credit union credit.
(B) The amount, nature, and quality of assets owned or held by the issuer of the stablecoin that may be used to fund any redemption requests from residents.
(C) Any risks related to how the assets described in subparagraph (B) are owned or held by the issuer that may impair the ability of the issuer of the stablecoin to meet any redemption requests from residents.
(D) Any representations made by the issuer of the stablecoin related to the potential uses of the stablecoin.
(E) Any representations made by the issuer of the stablecoin related to the risks of using the stablecoin as payment for goods or services or as a store of value.
(F) Any other factors the commissioner deems material to making their determination.
(c) (1) As a condition of providing an approval pursuant to subdivision (b), the commissioner may require the stablecoin issuer to obtain a license under Section 3203 and may impose additional requirements, restrictions, or prohibitions on the activities of the issuer of the stablecoin in order to protect the interests of residents who may use the stablecoin as payment for goods or services or as a store of value.
(2) The commissioner may impose additional requirements, restrictions, or prohibitions on the activities of a covered person exchanging, transferring, or storing an approved stablecoin or engaging in digital financial asset administration of an approved stablecoin, whether directly or through an agreement with a digital financial asset control services vendor, in order to protect the interests of residents who may use the stablecoin as a payment for goods or services or as a store of value.
(d) (1) The commissioner shall revoke an approval under subdivision (b) if, after notice and reasonable opportunity to be heard, the commissioner determines that the issuer of the stablecoin markets the stablecoin in a manner that may create a reasonable expectation or belief among the general public that the stablecoin poses no more risk to a holder or user of the stablecoin than the risks posed to the holder or user of bank credit or a stored value product issued by a person licensed pursuant to Division 1.2.
(2) The commissioner may revoke an approval under subdivision (b) if, after notice and reasonable opportunity to be heard, the commissioner makes any of the following determinations:
(A) Changes in the activities of the covered person or the issuer of the stablecoin relative to the commissioner’s understanding of those activities when the commissioner made the approval may compromise the interests of residents who use or hold the stablecoin.
(B) Changes in market conditions within the financial system or within markets for digital financial assets relative to the commissioner’s understanding of the financial system or the markets when the commissioner made the approval may compromise the interests of residents who use or hold the stablecoin.
(C) The covered person or the issuer violates any requirement, restriction, or prohibition imposed by the commissioner pursuant to subdivision (c) or any other provision, requirement, rule, or regulation under this chapter.
(e) If the commissioner approves a stablecoin pursuant to this section, the commissioner shall make available on the department’s internet website the approval.

3605.
 The requirements imposed by this chapter shall be operative on July 1, 2025.

CHAPTER  7. Policies and Procedures

3701.
 (a) An applicant, before submitting an application, shall create and, during licensure, maintain in a record policies and procedures for all of the following:
(1) An information security program and an operational security program.
(2) A business continuity program.
(3) A disaster recovery program.
(4) An antifraud program.
(5) A program to prevent money laundering.
(6) A program to prevent funding of terrorist activity.
(7) (A) A program designed to ensure compliance with this division and other laws of this state or federal laws applicable to the digital financial asset business activity contemplated by the licensee with, or on behalf of, residents and to assist the licensee in achieving the purposes of other state laws and federal laws if violation of those laws has a remedy under this division.
(B) The program described by this paragraph shall specify detailed policies and procedures that the licensee undertakes to minimize the probability that the licensee facilitates the exchange of unregistered securities.
(b) A policy required by subdivision (a) shall be in a record and designed to be adequate for a licensee’s contemplated digital financial asset business activity with, or on behalf of, residents, considering the circumstances of all participants and the safe operation of the activity. Any policy and implementing procedure shall be compatible with other policies and the procedures implementing them and not conflict with policies or procedures applicable to the licensee under other state law. A policy and implementing procedure may be one in existence in the licensee’s digital financial asset business activity with, or on behalf of, residents.
(c) A licensee’s policy for detecting fraud shall include all of the following:
(1) Identification and assessment of the material risks of its digital financial asset business activity related to fraud, which shall include any form of market manipulation and insider trading by the licensee, its employees, or its customers.
(2) Protection against any material risk related to fraud identified by the department or the licensee.
(3) Periodic evaluation and revision of the antifraud procedure.
(d) A licensee’s policy for preventing money laundering and financing of terrorist activity shall include all of the following:
(1) Identification and assessment of the material risks of its digital financial asset business activity related to money laundering and financing of terrorist activity.
(2) Procedures, in accordance with federal law or guidance published by federal agencies responsible for enforcing federal law, pertaining to money laundering and financing of terrorist activity.
(3) Filing reports under the Bank Secrecy Act (31 U.S.C. Sec. 5311 et seq.) or Chapter X of Title 31 of the Code of Federal Regulations and other federal or state law pertaining to the prevention or detection of money laundering or financing of terrorist activity.
(e) A licensee’s information security and operational security policy shall include reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of any nonpublic personal information or digital financial asset it receives, maintains, or transmits.
(f) A licensee shall file with the department a copy of a report it makes to a federal authority.
(g) A licensee’s protection policy under subdivision (e) for residents shall include all of the following:
(1) Any action or system of records required to comply with this division and other state law applicable to the licensee with respect to digital financial asset business activity with, or on behalf of, a resident.
(2) A procedure for resolving disputes between the licensee and a resident.
(3) A procedure for a resident to report an unauthorized, mistaken, or accidental digital financial asset business activity transaction.
(4) A procedure for a resident to file a complaint with the licensee and for the resolution of the complaint in a fair and timely manner with notice to the resident as soon as reasonably practical of the resolution and the reasons for the resolution.
(h) After the policies and procedures required under this section are created by the licensee, the licensee shall engage a responsible individual with adequate authority and experience to monitor each policy and procedure, publicize it as appropriate, recommend changes as desirable, and enforce it.
(i) A licensee may request advice from the department as to compliance with this section and, with the department’s approval, outsource functions, other than compliance, required under this section, and may request a determination from the department that a policy or procedure is not subject to the disclosure requirement described in subdivision (k) due to potential security risks.
(j) Failure of a particular policy or procedure adopted under this section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure was not created or implemented properly.
(k) (1) Except as provided in paragraph (2), policies and procedures adopted under this section shall be disclosed separately from other disclosures made available to a resident, in a clear and conspicuous manner and in the medium through which the resident contacted the licensee.
(2) This subdivision does not apply to either of the following:
(A) An adopted information security program or an operational security program described in subdivision (a).
(B) Any policy or procedure the department previously determined is not subject to this subdivision due to potential security risks.

3702.
 (a) An applicant, before submitting its application, shall establish and maintain in a record a policy or procedure designed to ensure compliance with this division, and law of this state other than this division, if the other law is relevant to the digital financial asset business activity contemplated by the licensee or the scope of this division or this division could assist in the purpose of the other law because violation of the other law has a remedy under this division.
(b) A policy or procedure under subdivision (a) shall be compatible, and not conflict, with requirements applicable to a licensee under other state law or under federal law and may be a policy or procedure in existence for the licensee’s digital financial asset business activity with, or on behalf of, a resident.
(c) After the policies and procedures required under this section are created by the licensee, the licensee shall engage a responsible individual with adequate authority and experience to monitor any policy or procedure, publicize it as appropriate, recommend changes as desirable, and enforce it.
(d) A licensee may request advice from the department regarding compliance with this section and, with the department’s approval, outsource functions, other than compliance, required under this section.
(e) Failure of a particular policy or procedure adopted under this section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure was not created or implemented properly.

CHAPTER  8. Miscellaneous Provisions

3801.
 The provisions of this division are severable. If any provision of this division or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

SEC. 2.

 This act shall become operative only if Senate Bill 401 of the 2023–24 Regular Session is enacted and takes effect on or before January 1, 2024.
feedback