Skip to content

Cryptocurrency licensing

Do I need a California DFAL license?

Reviewed July 2026

Short answer

If your business exchanges, transfers, or stores digital assets with or for California residents, you generally need a DFAL license once the law takes effect, unless an exemption applies. Whether your activity is covered depends on your model, so it should be confirmed with an independent licensing attorney before you file.

Whether the California Digital Financial Assets Law applies to your business comes down to what you do with customer assets and for whom. The law reaches digital financial asset business activity conducted with or on behalf of a California resident. If your business exchanges, transfers, or stores digital assets with or for Californians, you generally need a DFAL license once the law takes effect, unless an exemption applies. Because the answer is fact-specific, it should be confirmed with an independent licensing attorney before you file.

The activity that usually brings you in

The clearest trigger is custody. When your business holds, controls, or safeguards a customer's digital assets, you are doing the kind of activity the DFAL was written to cover. Exchanging one digital asset for another or for fiat on a customer's behalf, and transferring digital assets for customers, generally fall inside the law as well. If your model touches customer funds or assets in these ways, plan on being covered until an attorney tells you otherwise.

By contrast, building software that never holds or controls customer assets may fall outside the law. A pure technology provider that gives users tools to manage their own self-custodied assets, without ever taking control of them, sits in a different position from a custodial exchange. The distinction between custodial and non-custodial models is often the hinge on which coverage turns.

Why the resident, not your location, controls

The law follows the California resident. It does not matter that your company is headquartered elsewhere; what matters is that you are conducting covered activity with or for someone in California. A business based across the country that serves California customers can be covered, while a company physically in California that carefully excludes California residents may not be. This is the same activity-follows-the-customer logic that runs through state financial licensing generally, which we describe in aligning licenses with where you operate.

Exemptions and edge cases

The statute carries exemptions, and they matter because they can move a business from covered to not covered. Some entities are excluded based on their charter or their existing regulation, and certain activities may be carved out. The presence of exemptions is exactly why you should not self-diagnose. Two businesses that look similar from the outside can land on opposite sides of the line depending on how assets flow, who holds them, and which exemption might reach the entity. An independent licensing attorney assesses that against the actual statutory text.

How to run the assessment

The practical first step is not filing; it is analysis. Before you commit to an NMLS application, map your activity against the law:

  • Document exactly how customer assets move through your platform and who controls them at each step.
  • Identify whether you take custody at any point, even briefly.
  • List the California resident touchpoints in your product.
  • Check whether any statutory exemption could apply to your entity or activity.
  • Have counsel confirm the classification in writing before you build the filing.

Getting this order right saves real work. Filing for a license you do not need wastes months; skipping one you do need creates enforcement risk once the law is in force.

What being covered means for you

If the assessment says you are covered, the DFAL license comes with financial standards, custody and consumer protections, and an AML program, and it is filed through the Nationwide Multistate Licensing System. Those requirements take lead time to satisfy, which is why the assessment should happen well before the effective date. We describe the license itself in what the California DFAL license is and the deadline in when the California DFAL deadline falls. Related federal obligations may also apply, which we cover in whether you need a money transmitter license for crypto.

Models that sit near the line

Some business models resolve easily, and some sit close enough to the boundary that reasonable people disagree until counsel weighs in. A centralized exchange that holds customer balances is plainly custodial. A pure wallet application that only helps users manage keys they alone control is plainly non-custodial. The harder cases live in between: a service that briefly routes assets through an account it controls during a swap, a staking arrangement where control of assets is ambiguous, a platform that holds assets only in narrow circumstances, or a business that mixes custodial and non-custodial features in one product. In those cases the flow of control at each step, not the marketing label, decides coverage.

The practical lesson is that self-classification based on how you describe the product is risky. Two founders can describe similar services as non-custodial while one of them actually takes control of assets at a moment that brings the business inside the law. Documenting the real asset flow and having counsel test it against the statute is what turns a guess into a defensible position.

What changes if your model evolves

A coverage answer is a snapshot of your current activity, and digital asset businesses change quickly. Adding custody to a previously non-custodial product, opening a new service that touches customer assets, or beginning to serve California residents you previously excluded can move you from outside the law to inside it. Treat the classification as something to revisit whenever the product or the customer base shifts materially, rather than a one-time determination. The same discipline applies to product changes generally, which we discuss in whether a new product requires a new license.

Documenting your position so it holds up

A coverage determination is only as good as the record behind it. If a regulator later asks why you did or did not apply, you want a written analysis that shows the reasoning, not a recollection. That record starts with a clear description of how customer assets move through your product and who controls them at each step, then applies the statute to those facts, then captures counsel's conclusion. Keeping that file current as the product changes turns a one-time judgment into a defensible, dated position.

The same record does double duty if you decide you are covered. Much of what supports a coverage analysis, the asset-flow description, the custody model, the resident touchpoints, feeds directly into the application, so nothing is wasted. A business that documents its position carefully is already partway to a complete filing, and it has the evidence to explain its choices if the treatment of its model is ever questioned. We connect this to broader assessment discipline in legal assessments of licensing obligations.

When to get help

Because the classification is fact-specific and the exemptions are technical, the most useful thing we do is help you map your activity against the law before you spend on a filing, then prepare the DFPI application where the license actually applies. See our California DFAL license and cryptocurrency licensing pages, and contact our team to start the assessment.

Related

More questions and answers

Browse more questions and answers.