Payment Processor Disputes · Memo

California Crypto Exchange Enforcement 2024-2025 and Merchant-Facing Implications

The Department of Financial Protection and Innovation has built a meaningful enforcement record against crypto exchanges and digital-asset platforms in the past two years. I am going to walk through what the actions actually held, how the Digital Financial Assets Law changed the legal terrain, and what this means for merchants relying on crypto rails.

California's Digital Financial Assets Law, AB 39, was enacted in 2023 and went into operative effect in July 2025 with a delayed compliance date that pushed full operational coverage into 2026. The statute is codified at Financial Code section 3101 and following sections. It requires that any person engaged in digital financial asset business activity with or on behalf of a California resident be licensed by the Department of Financial Protection and Innovation. The licensing framework imposes capital requirements, custody standards, disclosure obligations, and operational restrictions on covered exchanges and intermediaries.

The DFPI's enforcement posture in 2024 and 2025 has been more aggressive than the relatively quiet pre-DFAL period. The Department has issued consent orders, desist-and-refrain orders, and enforcement-letter resolutions across the major exchanges and against several smaller platforms. The pattern is consistent: unregistered activity, custody-failure exposure, customer-fund commingling, and inadequate disclosure of risk and fee structures.

What the DFAL actually requires

The DFAL imposes a licensing requirement on any entity engaged in 'digital financial asset business activity,' which Financial Code section 3102(c) defines to include exchanging, transferring, and storing digital financial assets, and certain administrative and exchange-related activities. The licensing requirement applies to platforms doing business with California residents, regardless of where the platform is organized or based.

The substantive obligations of a licensee include: maintaining minimum capital adequate to the activities conducted; maintaining segregation between customer assets and operational assets; providing customers with periodic statements and transaction confirmations; maintaining a cybersecurity program adequate to the activities conducted; providing disclosures of fees, risks, and the platform's operational practices; and complying with the Department's examinations and reporting requirements.

The DFAL is not a complete recodification of the platforms' obligations under other California law. The licensee remains subject to the Unfair Competition Law, the CCPA, and any sector-specific overlay (the Money Transmission Act, the Corporate Securities Law of 1968 for activities that touch on securities, the Financial Information Privacy Act). The DFAL adds a primary licensing and supervisory framework on top of those existing obligations.

The enforcement record through 2025

The DFPI's enforcement actions through 2024 and 2025 have addressed several distinct categories of conduct.

The first category is unregistered activity. The Department has issued cease-and-desist orders against platforms that conducted digital financial asset business activity with California residents without obtaining the required license or filing for a transition-period exemption. The orders have required the platforms to cease operations with California customers, to provide notice to existing California customers of the order, and to wind down with regulatory oversight.

The second category is custody and segregation failures. Several actions have focused on platforms whose internal accounting or custody practices did not maintain adequate segregation between customer funds and operational funds. The findings in these actions have echoed the federal-court findings in bankruptcy proceedings of Voyager, Celsius, and FTX, where customer-asset commingling materially harmed creditors.

The third category is disclosure inadequacy. The Department has cited platforms for fee disclosures that did not accurately reflect the platforms' actual pricing practices, for risk disclosures that understated the operational and market risks customers faced, and for failure to disclose conflicts of interest in market-making or related-party transactions.

The fourth category is the related-party and affiliate-transaction findings. The Department has scrutinized arrangements where exchanges used customer assets to fund affiliate trading operations or to support related-party liquidity provision. The conduct echoes the most damaging findings against FTX and Alameda Research.

Why this matters for merchants

The merchant-facing implications of the enforcement record are several. The most direct: a merchant accepting crypto payments through a California-active exchange or intermediary faces counterparty exposure if the exchange is the subject of an enforcement action. A cease-and-desist order can disrupt the merchant's settlement flow, freeze merchant balances held with the exchange, and impose operational interruptions.

The contractual implication: any merchant agreement with a crypto-payment intermediary should be evaluated against the counterparty's regulatory posture. The standard merchant agreement typically does not address what happens if the intermediary loses its license or becomes the subject of a regulatory action. The drafting should fill this gap.

The contractual moves for merchants accepting crypto

The drafting moves that protect merchants exposed to crypto-intermediary counterparty risk:

1. The settlement-finality clause. The agreement should specify when crypto-payment settlements become final and irrevocable, and what happens if the intermediary cannot complete a settlement because of regulatory action. The merchant should be able to recover funds held on its behalf or, at minimum, have a defined claim against the intermediary.
2. The custody specification. The agreement should specify how the intermediary holds the merchant's crypto balances, whether the holdings are segregated, and whether the merchant has any contractual entitlement that would survive an intermediary bankruptcy. Customer-asset segregation is the regulatory expectation under the DFAL; the merchant contract should match it.
3. The regulatory-action notice. The agreement should require the intermediary to provide prompt notice of any enforcement action, regulatory order, or material change in regulatory status. The merchant needs the information to manage its own risk and to communicate with its customers if necessary.
4. The transition right. The agreement should give the merchant the right to migrate to an alternative payment processor on commercially reasonable terms if the intermediary's regulatory posture materially deteriorates. The standard contract typically gives the intermediary discretion to terminate the merchant but does not give the merchant a reciprocal right when the intermediary's risk profile changes.
5. The disclosure-cooperation clause. The agreement should require the intermediary to cooperate with the merchant's own customer disclosures about how crypto payments are processed, including the risk that a regulatory action could affect the merchant's ability to fulfill orders or process refunds.

The Money Transmission Act overlap

California's Money Transmission Act, codified at Financial Code section 2000 and following sections, has historically required licensing of money transmitters operating with California customers. The DFAL is distinct from the MTA but operates in parallel. The DFPI has, in some cases, brought enforcement actions under both statutes against platforms whose activities crossed into both regulatory regimes (typically, platforms offering both crypto-asset services and traditional money-transmission services).

The drafting implication: a merchant working with a payment intermediary that touches both fiat and crypto rails should evaluate the intermediary's licensing posture under both the MTA and the DFAL. A platform that holds only one type of license may face exposure if its activities cross into the other regime without authorization.

The federal overlay

The federal regulatory environment for crypto exchanges has been more turbulent than the California-specific environment. The Securities and Exchange Commission's enforcement positions through 2023-2024 generated litigation and a series of district court and appellate court decisions that have not fully resolved the question of which digital assets are securities. The Commodity Futures Trading Commission's jurisdiction over digital-asset derivatives has been incrementally clarified through enforcement and rulemaking.

The Department of the Treasury's anti-money-laundering and Bank Secrecy Act obligations apply to many crypto exchanges as money services businesses under FinCEN's regulations at 31 C.F.R. section 1010.100 and following. The merchant's exposure to AML compliance failures of its counterparty is a separate risk category that the merchant contract should address.

The 2025 transition period in federal crypto policy has reduced some of the SEC-led enforcement intensity, but the underlying licensing, custody, and disclosure questions persist. The DFAL is California's response to the federal uncertainty: a state-level licensing regime that does not depend on the federal characterization of any particular digital asset as a security.

The UCL and consumer-side stacking

A merchant whose crypto-payment partner faces a DFPI enforcement action may inherit exposure from its own customers. A customer who paid in crypto and cannot receive a refund because the intermediary is in regulatory disruption may pursue claims against the merchant under the Unfair Competition Law, the Consumer Legal Remedies Act, or contract theories. The merchant's contractual protections against the intermediary do not extinguish the customer-side exposure.

The drafting move that addresses this: the merchant's customer-facing terms should disclose, with appropriate specificity, the role of any third-party intermediary in crypto-payment processing, the merchant's responsibilities and limitations, and the customer's recourse in the event of intermediary disruption. The disclosure does not eliminate the merchant's exposure but reduces the surprise element that drives consumer protection claims.

What I would not assume

The DFAL is new. The full operational record under the statute does not yet exist; the first enforcement actions have produced consent orders rather than fully litigated decisions. The doctrinal interpretation of the statute's scope will develop over the 2026-2028 period. Counsel advising merchants on crypto-counterparty risk should treat the current enforcement posture as a useful guide but not as a complete map of where the regulatory line will eventually settle. The federal landscape adds additional uncertainty. The drafting moves I describe address the risks visible in the current record; they may need refinement as the regulatory record develops. Outcomes in specific matters depend on the intermediary's regulatory posture and the merchant's contractual position at the time disruption occurs.

Sergei Tokmakov, Esq., CA Bar #279869. This memo is attorney commentary on legal questions and is not legal advice. Reading it does not create an attorney-client relationship. Past matter outcomes depend on facts and the responding party; nothing here is a prediction of result.