By Irene Lau

On September 29, 2025, DFPI published a modification of proposed regulation that expands its enforcement regime for digital financial assets (cryptocurrency). DFPI’s initial statement of reasons from April 4, 2025, only required licensing and regulation of cryptocurrency exchanges. DFPI expands its regime from a one-time licensing requirement to an ongoing licensing requirement, such that every particular digital financial asset must be pre-approved or be in violation of Digital Financial Asset Law (DFAL). The current federal regulatory regime for investor protections of cryptocurrency remains ambiguous. Therefore, DFAL may represent the primary regulatory protection for California residents with respect to cryptocurrency investments.

DFAL, created by AB 39 (Grayson) (Chapter 792, Statutes of 2023) and augmented by SB 401 (Limón) (Chapter 871, Statutes of 2023), authorizes DFPI to regulate digital financial assets and their exchanges, if they serve California residents. DFPI posted its initial draft of the proposed regulation establishing the licensing framework on April 4, 2025. [see 30:2 CRLR 149]. After a 45-day public comment period, DFPI published its revised version to add details to DFPI’s framework. This comment period ended on October 15, 2025.

The initial and modified regulations both require an officer of each cryptocurrency exchange to sign and certify the following attestations regarding tokens offered, in order to solicit investment from California residents:

1. The likelihood of the token would be deemed a security by federal or California regulators.
2. The applicant/licensee has disclosed, in writing, all material facts relating to conflicts of interest associated with the cryptocurrency exchange and the token.
3. The applicant/licensee has conducted a comprehensive risk assessment to ensure consumers are protected from both technology-related risks like cybersecurity and code-related defects, as well as, market-risks such as price manipulation and fraud.
4. The applicant/licensee has established procedures to evaluate material changes and to assess the token’s continued appropriateness to be listed.
5. The applicant/licensee has established procedures to cease listing the token.

The modified proposal expands the quantity of certification and disclosure events from a one-time snapshot of token listings expected to be offered at time of license application, to a pre-certification regime for any token the exchange offers going forward. The DFPI’s enforcement posture towards newly issued tokens goes from reactive to proactive and requires pre-clearance.

This modified version of the proposed regulation is designed to reduce information asymmetry between investors and cryptocurrency exchanges. The clear, trackable record of certification per token introduces a strict liability standard for uncertified cryptocurrency assets, and mandatory disclosures for assets that are certified. In the absence of a consolidated federal regime for consumer protection of cryptocurrency investments, this modified proposed regulation would be the only meaningful backstop for California residents investing in cryptocurrency.