On June 25, the California DFPI announced that it had finalized a consent order with a cryptocurrency kiosk operator, alleging violations of the Digital Financial Assets Law (DFAL) and the California Consumer Financial Protection Law (CCFPL). The action marks the DFPI’s first enforcement under the DFAL, which took effect on January 1, 2024.
The DFPI found that the operator repeatedly processed transactions exceeding the DFAL’s $1,000 per-day limit for individual customers and failed to print the required exchange-pricing information on customer receipts. The agency further alleged that these practices amounted to unlawful, unfair, or deceptive conduct under the CCFPL.
Specifically, the consent order imposes the following obligations:
- Monetary penalties and consumer restitution. The company must pay $300,000 in total relief, including $51,700 directed toward restitution for affected California consumers.
- Cease and desist order. The operator must immediately stop processing over-limit transactions and issuing noncompliant receipts.
- Compliance program reforms. The company is required to implement internal controls to prevent future violations of the DFAL and CCFPL.
- Ongoing reporting obligations. For one year, the operator must submit written compliance updates to the DFPI every 60 days.
Putting It Into Practice: This DFAL enforcement action illustrates the layered framework California will use to govern consumer-facing crypto activity. Kiosk operators should expect heightened scrutiny and should update compliance programs to align with both DFAL disclosure mandates and broader CCFPL requirements.