California’s Digital Financial Assets Law (DFAL) is the new state-level licensing regime for companies that exchange, transfer, store, issue, or administer digital financial assets for California residents. It was enacted as Assembly Bill 2269 in 2023, amended by AB 1934 in 2024, and is administered by the Department of Financial Protection and Innovation (DFPI). The compliance deadline is July 1, 2026. From that date forward, covered companies must hold a DFAL license, have an application on file, or qualify for a statutory exemption. DFAL is its own substantive licensing regime and runs separately from the existing California money transmitter license framework, the NYDFS BitLicense regime in New York, and federal MSB registration. This guide walks through what DFAL covers, who needs to license, what DFPI reviews, what to expect from the NMLS filing process, and where applications most often slow down.

Executive Summary

• DFAL is California’s licensing regime for digital financial asset activity, enacted as AB 2269 in 2023, amended by AB 1934 in 2024, and administered by DFPI.
• The compliance deadline is July 1, 2026. Covered companies must hold a license, have an application on file, or qualify for an exemption by that date.
• Covered activities include exchanging, transferring, storing, issuing, and administering digital financial assets, including stablecoins and other reserve-backed instruments.
• Applications run through the Nationwide Multistate Licensing System (NMLS), using the MU1 form for the company and the MU2 form for control persons, executive officers, qualifying individuals, and certain owners.
• DFPI’s published guidance signals an initial expectation of $100,000 in tangible net worth and a $500,000 starting surety bond, both subject to later adjustment based on activity volume, asset mix, leverage, liquidity, and customer protection considerations.
• The application is heavy on financial evidence, including audited financial statements where available, current unconsolidated statements, pro forma projections, an organization chart, credit reports, resumes, and personal financial statements for directors and officers.
• Reporting does not stop at approval. DFAL licensees retain records in regulator-ready form, file renewal reports with reviewed or audited annual financial statements, and report material changes promptly. Stablecoin issuers in scope under AB 1934 also file a monthly reserve compliance report.

Why This Matters Now

California is one of the largest fintech and digital asset markets in the United States, and from July 1, 2026, the rules of access change. DFAL adds a state-level licensing layer to companies that exchange, store, transfer, issue, or administer digital financial assets for California residents. Companies that already hold a California money transmitter license, a federal MSB registration, or an out-of-state crypto license such as the NYDFS BitLicense are not automatically covered. The DFAL framework is its own licensing regime with its own substantive review, and operating unlicensed digital financial asset activity in California after the deadline carries real consequences, comparable in nature to the penalties for operating an unlicensed MSB or money transmitter.

For founders evaluating where to focus attention in the months leading up to the deadline, the practical signal from DFPI has been consistent. Apply early. Use NMLS as designed. Take advantage of the agency’s training resources and pre-filing meetings. Treat the application as a substantive demonstration of business and financial readiness rather than a paperwork drill, because that is how DFPI approaches review. For broader context on how state and federal financial services regimes interact, see our regulatory lifecycle guide for U.S. digital money services.

What DFAL Is and Why California Passed It

DFAL is the working name for California Financial Code provisions added by Assembly Bill 2269 in 2023. The law was conceived as a state-level analog to bank and money-transmitter style supervision for digital financial asset businesses, on the view that consumers transacting in stablecoins, tokenized assets, and crypto exchange products deserved the same baseline protections as customers of traditional financial firms. AB 1934, signed into law in 2024, refined the original framework and added a monthly reserve compliance reporting requirement for stablecoin issuers operating in California.

The structural goal of DFAL is to ensure that companies offering digital asset products to Californians can demonstrate sound financial condition, adequate consumer protection, operational resilience, and the ability to meet customer obligations, including, where applicable, redemption commitments on reserve-backed instruments. DFPI is empowered to review applicants for these characteristics, license those that qualify, supervise them post-license, and take enforcement action against unlicensed activity.

For founders, the practical takeaway is straightforward. DFAL is not a registration regime. It is a substantive licensing regime. DFPI evaluates the applicant’s business model, finances, governance, and risk management before granting authority to operate, and that review is comparable in depth to a state money transmitter or trust company licensing review. For a closer look at the broader licensing landscape and how states compare on application difficulty, see our easiest states to get a money transmitter license overview and our state-by-state MTL requirements guide.

Who Must License Under DFAL

DFAL applies to companies engaging in “digital financial asset business activity” with California residents. The covered activities, as set out in the statute, include the following:

• Exchange. Exchanging digital financial assets for legal tender, bank credit, or other digital financial assets.
• Transfer. Transferring digital financial assets from one person to another.
• Custody and storage. Storing, holding, or maintaining custody or control of digital financial assets on behalf of others.
• Issuance. Issuing digital financial assets, including stablecoins and other reserve-backed instruments.
• Administration. Administering a digital financial asset, including managing the conditions under which the asset can be transferred, redeemed, or used.

The reach of these definitions is broader than many founders initially expect. A company that does not custody assets but moves them between user wallets may still be in scope under the transfer prong. A company that issues a tokenized representation of a fiat balance may be in scope under both the issuance prong and the custody prong. A non-custodial protocol with a centralized front end may face activity questions even where the underlying smart contract logic is decentralized. None of these questions resolves cleanly without a careful review of the actual product, custody model, contract architecture, and funds flow. For a focused look at where tokenization activity sits within state and federal licensing frameworks, see does tokenization require an MSB or MTL license in the US?

The statute also contemplates exemptions. Banks and certain federally regulated entities are excluded by definition. Activity that is incidental to securities-registered functions, certain investment advisory work, and a narrow set of merchant payment acceptance scenarios may also fall outside the scope. Founders should not assume an exemption applies based on business-model framing alone. The DFPI staff has consistently pointed applicants toward formal applicability analysis with counsel rather than self-determination, particularly for hybrid business models and for protocols whose governance structures do not map cleanly onto traditional company forms. The same applicability questions apply more broadly across the U.S. money services landscape, and our overview of who needs a money transmitter license walks through the parallel analysis for that regime.

It is also common for a single business model to fall under more than one regime. A company that holds customer fiat balances and moves money on behalf of customers may need both a California money transmitter license and a DFAL license. A stablecoin issuer that also operates an exchange front end may have separate considerations under each pillar of DFAL plus the federal MSB framework. The mapping work is substantive, and it is best done before drafting any application. For digital asset companies whose business model touches multiple regimes, our CFO for DeFi, stablecoin payments, and crypto fintech deep dive covers the financial and operational implications in more depth.

The Application Package: What DFPI Requires

DFPI’s investigative scope under DFAL is broad. Once a complete application is filed, the agency reviews whether the applicant has sound financial condition, competence, responsibility, and a reasonable promise of success. It separately evaluates the competence, experience, character, and general fitness of every executive officer, responsible individual, and control person. It also asks the applicant to demonstrate the ability to manage the specific risks of its activities, covering financial integrity, anti-money laundering, cybersecurity, and operational resilience.

The proposed DFAL application rules require a detailed package, including:

• A business plan describing proposed activities, products, services, marketing approach, fee structures, and customer decision flow
• Audited financial statements for the most recent fiscal year and the two prior years, where available
• Current unconsolidated financial statements as of a recent date
• An organization chart and a description of intercompany structure
• MU2 filings for executive officers, control persons, and responsible persons
• Credit-report authorizations
• Resumes for executive officers and responsible individuals
• Personal financial statements for directors, officers, and control persons
• Documentation showing the applicant has the capital and liquidity required for licensure
• A written description of how the applicant will manage the risks of its activities, including financial integrity, AML, cybersecurity, and operational resilience

The MU1 form, which is the company-level filing, must be attested by a duly authorized individual who has filed an MU2. NMLS will not accept an MU1 until the linked MU2 attestations are complete. Filing deficiencies left unaddressed for 60 days can cause an application to be treated as abandoned under the proposed rules, which makes deficiency response speed a meaningful determinant of outcomes.

Applicants should expect DFPI staff to ask supplementary questions during review. These questions are issued through NMLS as license items, and they often request clarifications on projection assumptions, reconciliation of liability balances, additional reserve documentation, updated organizational disclosures, or confirmation of capital deployment plans. The pace at which an applicant responds to license items is one of the most visible inputs into total time-to-license. For applicants who want to assess their position before drafting a filing, the MTL Readiness Tool covers many of the same financial and organizational diagnostic questions DFPI looks at during DFAL review.

Capital, Tangible Net Worth, and Surety Bond Expectations

DFPI’s published guidance signals an initial expectation of $100,000 in tangible net worth and a $500,000 starting surety bond for many DFAL applicants, both subject to later adjustment. The agency has stated that capital and liquidity assessment will consider asset mix, liabilities, expected activity volume, leverage, liquidity, surety coverage, customer base, and insolvency protections.

That phrasing matters. The published numbers are starting points, not ceilings. Applicants with larger projected California activity, complex custody models, reserve-backed redemption promises, or material outstanding customer obligations should expect DFPI to push capital and bond expectations higher during review. Applicants building DFAL forecasts should plan around a range, with conservative high-end scenarios fully modeled, rather than assuming the published baseline is the final answer.

Insolvency protection is a particular point of emphasis. Where customer assets are held by the licensee, directly or through a custody arrangement, DFPI expects clear segregation, accurate liability accounting, and demonstrable ability to meet obligations under stress. The agency’s interest is not abstract. California’s enforcement record over the last several years has consistently focused on situations where licensees were unable to meet outstanding customer obligations, and DFAL is positioned to surface those weaknesses earlier in a company’s lifecycle.

Applicants should also expect DFPI to look closely at the composition of capital. Tangible net worth excludes goodwill, certain intangibles, and amounts due from affiliates that lack collection history. A company that meets the headline net worth number on paper may not meet it after these adjustments, and that distinction often surfaces only when the regulator pushes back on a specific balance sheet line. Modeling the adjusted figure in advance saves a round of license items.

Filing Through NMLS: MU1, MU2, and Attestations

DFAL applications are filed through the Nationwide Multistate Licensing System (NMLS), the same platform used for state money transmitter and mortgage filings. The two core forms are the MU1, which is the company-level filing, and the MU2, which is the individual filing for control persons, executive officers, qualifying individuals, and certain direct and indirect owners.

The MU2 collects personal, employment, regulatory, and disclosure information. The named individual must personally attest before the linked MU1 can be submitted. NMLS treats financial statement submission itself as a legal attestation to every state where the company is applying or licensed, which means the same set of financial documents carries through to all other jurisdictions where the company holds or seeks a license.

License items, the regulator’s mechanism for requesting documentation, conditions, or clarifications, are tracked in NMLS. Unresponsive license items can move filings into Pending-Deficient status, with knock-on consequences for renewal and good standing. For DFAL specifically, the proposed rules go further by tying the MU1 attestation to a duly authorized MU2 individual, and by treating electronic filing through NMLS as legally operative, with electronic signature treated as evidence of legal signature.

This is why naming an officer on a DFAL application is not a clerical exercise. The named individual is personally inside the licensing perimeter, receives regulator inquiries directly, and stands behind the underlying financial submissions. Founders sometimes treat the choice of named officer as a paperwork question to resolve at the end of the drafting process. In practice, it is one of the earlier decisions the regulatory project should make, because the choice influences who participates in building and reviewing the financial package. Companies that also need to staff a dedicated BSA/AML function alongside their finance leadership can refer to our compliance officer services for fintech and crypto.

The Review Process and Common Deficiencies

After submission, a DFAL application enters DFPI’s review queue. The agency may issue license items requesting additional information, clarification, or documentation. It may schedule meetings with the applicant. It may request updated financial statements if the originals become stale during review. The total elapsed time from submission to approval varies based on the completeness of the original package, the speed of the applicant’s responses, and the complexity of the business model.

The most common categories of deficiency, based on patterns across NMLS-administered regimes, fall into a few groups:

• Projection support. Pro forma financial statements that lack documented assumptions, that do not reconcile across periods, or that use volume and pricing inputs that conflict with the business plan narrative.
• Reserve and liability methodology. Insufficient documentation of how outstanding customer obligations are calculated, how reserves are sized, and how reserve composition is monitored over time.
• Organizational disclosures. Incomplete or inconsistent disclosures of control persons, ownership structure, and intercompany relationships, especially where holding companies, foundations, or special-purpose entities sit in the chain.
• Capital composition. Tangible net worth calculations that do not adjust for goodwill, certain intangibles, or affiliate receivables, leading to a gap between the headline number and the regulator’s view of the figure.
• Personal financial statements and credit disclosures. Missing, outdated, or inconsistent submissions from named individuals, which delay MU2 acceptance and therefore the MU1.
• Material change disclosure. Failure to update the application when a director, officer, ownership stake, or key business activity changes during the review period.

None of these are exotic. They are the same categories that surface across money transmitter applications, trust company applications, and other NMLS-administered regimes, and they are the categories DFPI staff has flagged in pre-filing communications. Treating them as known risks during application assembly, rather than discovering them through license items, is what separates applications that close in a predictable window from applications that drag on through multiple deficiency cycles. Companies preparing the underlying internal infrastructure to support a clean review can also reference our scalable internal controls framework for startups.

Post-License Obligations and Recurring Reporting

The licensing burden does not end at approval. The DFAL statute requires retention of records in a form that allows DFPI to determine compliance. The required records include a general ledger posted at least monthly, business call reports, bank statements, and bank reconciliations. The agency may examine these records on schedule or as part of targeted supervision.

The renewal report regime requires recent reviewed or audited annual financial statements, with the level of assurance depending on California revenue volume. Renewal also requires disclosure of specified litigation, regulatory investigations, and security breaches. Material changes, including changes in executive officers and responsible persons, ownership thresholds, or core business activities, must be reported promptly, generally within 15 days of the change.

NMLS adds its own ongoing reporting layer. Annual financial statements must be filed within 90 days of fiscal year-end. Where applicable, quarterly, semiannual, or year-to-date updates are also required. For money services businesses, the NMLS MSB Call Report covers company financials, state-level transactional activity, permissible investment information, and destination-country data, and is due within 45 days of quarter-end. California licensees often submit certain California-specific call-report information directly to DFPI in addition to the NMLS report. Late filings create license items, can trigger regulatory action, and can block renewal.

For stablecoin issuers in scope under AB 1934, an additional monthly reserve compliance report demonstrates that reserve assets remain adequate to back outstanding stablecoins. The cadence is structurally similar to the New York Department of Financial Services framework and the AICPA’s stablecoin assurance criteria, and it imposes a continuous treasury and controllership workload rather than a periodic one. Companies that build their post-license operating model around quarterly cycles often find that the AB 1934 monthly cadence requires a meaningful upgrade to close-and-report capacity. For a deeper look at the underlying treasury and controllership work that supports this kind of recurring reporting, see our CFO responsibilities for crypto exchanges, custodians, and digital asset treasury resource.

Where Applications Slow Down

Reading the DFAL framework end to end, a pattern emerges. The substantive submissions are largely financial. The investigative criteria include capital, liquidity, reserve adequacy, and the experience of named officers. The recurring obligations are financial reporting obligations. Even the AML, cybersecurity, and operational resilience expectations connect back to financial integrity, because that is ultimately what the regime is supervising.

That structure has practical consequences for applicants. Counsel handles the legal applicability analysis and the regulatory framing. Compliance personnel handle AML program design and policies. Technical leadership handles custody architecture and cybersecurity. The financial submissions, however, do not have an obvious default owner in many early-stage and mid-stage companies. Bookkeepers and outsourced accounting providers can prepare statements but generally do not own forecasting assumptions, reserve methodology, or regulator-facing responses. Founders can speak to the business model but typically do not have the time to build and defend the full financial package.

This is the gap where applications slow down. When a license item arrives asking why a particular projection assumption was used, or why a reserve calculation produces the figure it does, or why a balance sheet item should be classified the way it is, someone has to respond with substance. If that responsibility is not clearly assigned, the response cycle stretches, and the application sits longer in the queue. Companies that come into the DFAL process with a clear, accountable owner of the financial package tend to move through review more quickly than companies with the same fundamentals but fragmented ownership.

For many applicants, particularly companies that have not yet hired a full-time chief financial officer, a fractional CFO is a practical way to close that gap. The role provides senior finance ownership for the duration of the licensing project and the early post-license period, without committing to a full-time hire before the business is ready for one. The work covers the financial package itself, the audit coordination with the company’s CPA firm, the regulator response on license items, and the standing up of the post-license reporting calendar. Whether that role is filled by a fractional CFO, a permanent hire, or an existing internal finance leader is a company-by-company question. The relevant point for the application is that the role is filled by someone who actually owns the numbers.

How Ridgeway Financial Services Helps

Ridgeway Financial Services is a CPA-led fractional CFO, accounting, and consulting firm that works with technology, fintech, and digital asset companies. Our team includes experienced CPAs and former Big Four professionals who have supported founders preparing for state and federal regulatory filings, audits, and fundraising events. For California DFAL applicants, we typically support the financial side of the application end to end, including audit coordination, current financial statements, pro forma projection design, reserve and outstanding-liability methodology, NMLS submission support, regulator response on license items, and the post-license reporting calendar.

For more on how we work with fintech and digital asset founders, see our fractional CFO services, our crypto accounting and advisory firm page, our fintech accounting and advisory firm page, our CFO’s role in fintech resource, and our CFO for DeFi, stablecoin payments, and crypto fintech deep dive. Founders preparing for a California filing can also use the MTL Readiness Tool as a starting point.

Frequently Asked Questions

What is California’s Digital Financial Assets Law (DFAL)?

DFAL is the working name for California Financial Code provisions added by Assembly Bill 2269 in 2023 and amended by AB 1934 in 2024. It establishes a state-level licensing regime for companies engaging in digital financial asset business activity with California residents, administered by the Department of Financial Protection and Innovation (DFPI).

When does DFAL take effect?

The compliance deadline is July 1, 2026. From that date, a company engaging in covered digital financial asset activity with California residents must hold a DFAL license, have an application on file, or qualify for an exemption. The application portal is already open, and DFPI is encouraging applicants to submit early and use NMLS training resources.

Who needs a DFAL license?

DFAL applies to companies engaging in digital financial asset business activity with California residents. That includes exchanging digital financial assets, transferring them, storing or holding them on behalf of customers, issuing them in the form of payment instruments or stablecoins, and administering the conditions under which they can be transferred, redeemed, or used. Exemptions exist for certain banks, federally regulated entities, and a narrow set of activities, but applicability is fact-specific and should be confirmed with counsel.

What does DFPI review in a DFAL application?

DFPI reviews the applicant’s sound financial condition, competence, responsibility, and reasonable promise of success, plus the competence, experience, character, and general fitness of executive officers, responsible individuals, and control persons. The submission package includes a detailed business plan, audited and current financial statements, pro forma projections, MU2 filings, credit reports, resumes, and personal financial statements for directors and officers.

What capital does DFPI expect for a DFAL applicant?

DFPI’s published guidance signals an initial expectation of $100,000 in tangible net worth and a $500,000 starting surety bond for many applicants, subject to later adjustment based on activity volume, asset mix, liabilities, leverage, liquidity, surety coverage, customer base, and insolvency protections. Applicants with larger projected California activity or reserve-backed instruments should expect those numbers to move higher during review.

What is an MU1 and an MU2?

The MU1 is the company-level filing in NMLS, and the MU2 is the individual filing for control persons, executive officers, qualifying individuals, and certain owners. The MU2 collects personal, employment, regulatory, and disclosure information and must be personally attested by the named individual before the linked MU1 can be submitted.

How long does DFAL review take?

Total elapsed time varies based on the completeness of the original submission, the speed of applicant responses to license items, and the complexity of the business model. Applications that arrive with well-supported projections, documented reserve methodology, and complete MU2 attestations tend to move through review more quickly than applications that resolve those items through deficiency cycles after submission.

What recurring reports does a DFAL license trigger?

DFAL licensees retain records, including a monthly general ledger, bank statements, and reconciliations, in a form that allows DFPI to determine compliance. Renewal reports require reviewed or audited annual financial statements depending on California revenue volume. NMLS-licensed money services businesses also file the MSB Call Report quarterly within 45 days of quarter-end and annual financial statements within 90 days of fiscal year-end. Stablecoin issuers in scope under AB 1934 file an additional monthly reserve compliance report.

What happens if the application is incomplete or deficient?

NMLS marks filings Pending-Deficient when documents or information are missing, and regulators issue license items the applicant must respond to. Under the proposed DFAL application rules, deficiencies left unaddressed for 60 days can cause the application to be treated as abandoned. This is one of the most common practical reasons applications stall, and the underlying causes typically include weak projections, unsupported reserve methodology, or organizational disclosures that surface late in the process.

Do I need a CFO to apply for a DFAL license?

DFAL does not require a person whose title is “CFO.” It does require sound financial condition, capital and liquidity evidence, audited and current financial statements, pro forma projections, and named executive officers and control persons who can personally attest. In practice, that work is finance work, and most applicants find that having a clear senior owner of the financial package, whether a full-time CFO, a fractional CFO, or an existing internal finance lead, materially affects how quickly the application moves through review.

Reviewed by YR, CPA
Senior Financial Advisor