On 18 August 2025, Illinois Governor JB Pritzker signed into law the Digital Assets and Consumer Protection Act¹ (the Act), granting the Illinois Department of Financial and Professional Regulation (the Department) supervisory and regulatory authority over digital asset exchanges and businesses related to digital assets. The Act requires certain businesses engaged in digital-asset-related business in the state of Illinois to register with the Department and establishes consumer protections that align with those used for traditional financial services, including specific disclosure and custody requirements and customer service standards. 

On the same day, Governor Pritzker signed into law the Digital Asset Kiosks Act,² which establishes consumer protections for Illinois residents against fraud and scams conducted in connection with digital asset kiosk transactions. Together, the legislation signifies a major step in the regulation of digital assets at the state level. 

What Is Digital Asset Business Activity?

To implicate the Act, there must be “Digital Asset Business Activity,” which refers to:

• The exchange, transfer, or storage of a “Digital Asset” (i.e., a digital representation of value used as a medium of exchange, unit of account, or store of value) as part of a business or on behalf of a customer who has entered into an agreement with a business for its services;
• The administration of Digital Assets; or
• Any other business activity involving Digital Assets as regulated by the Department.

The Act excludes from the definition of Digital Asset Business Activity software development, issuance of non-fungible tokens, and certain decentralized finance and blockchain activities (e.g., peer to peer exchanges or transfers of Digital Assets, including those facilitated by decentralized exchanges solely through the use of an automated computer program or transaction protocol, and activities relating to the operation of a blockchain, including the validation of Digital Asset transactions and node operations). The Act’s definition of Digital Asset excludes fiat currency, loyalty points and reward programs, in game items, prepaid cards, and digital goods with substantial independent value, such as tickets, musical compositions, and literary works. However, the exclusion from “Digital Assets” does not encompass meme-based tokens that do not have intrinsic value or digital representations of value that retain a nominal value that is stable and effectively fixed. 

Who Has to Register?

The Act applies to certain Covered Persons (defined below) engaging in Digital Asset Business Activity in Illinois or with Illinois residents. Covered Persons are required to register with the Department and are subject to the Act’s compliance and other requirements. A “Covered Person” is any person or entity (i) engaged in Digital Asset Business Activity in the state of Illinois; or (ii) who engages in or holds itself out as engaging in Digital Asset Business Activity with or on behalf of residents. Thus, a Covered Person includes out-of-state businesses that interact with “Residents,” or those who (a) are domiciled in Illinois; (b) are physically located in Illinois for more than 183 days within the previous year; (c) have a place of business in Illinois; or (d) are a legal representative of a person domiciled in Illinois. 

Who Does Not Need to Register?

The Act excludes several specific activities and persons. In this regard, it differs significantly from other state digital asset laws, such as New York’s BitLicense regime, which contains limited exclusions. First, the Act excludes the exchange, transfer, or storage of Digital Assets or Digital Asset administration if:

• The activity is a security transaction governed by the Securities Exchange Act of 1934 or the Illinois Securities Law of 1953 and is regulated by the Securities and Exchange Commission or the Illinois Secretary of State; or
• The activity is governed by the Commodity Exchange Act of 1936; is related to a futures contract, an option on a futures contract, or a swap; and is regulated by the Commodity Futures Trading Commission (CFTC).

The exclusion exempts those whose activities are overseen by the SEC or CFTC, meaning that advisers, broker-dealers, exchanges, and clearinghouses regulated by the SEC or CFTC are not in-scope for registration and compliance under the Act. The exclusion does not apply if the activity is solely subject to a financial regulatory agency’s anti-fraud and anti-manipulation enforcement authority. In this regard, the Act appears to be directed at spot digital asset transactions, considering that the CFTC’s jurisdiction over spot digital assets currently is limited to its anti-fraud and antimanipulation authority. 

Second, the Act excludes certain persons, including the federal, state, and foreign governments; federally insured depository institutions; corporate fiduciaries acting in a fiduciary capacity; persons that use Digital Assets for personal, family, or household purposes; merchants that use Digital Assets for the purchase or sale of goods or services in the ordinary course of business (but not the sale or purchase of Digital Assets themselves); and certain credit unions with insured accounts. In addition, the Act excludes persons who administer blockchain operations as long as they do not control transactions of Digital Assets on the network (e.g., persons who (i) contribute connectivity software or computing power to secure a network; (ii) record Digital Asset transactions to the network or protocol governing transfer of value; or (iii) develop, publish, constitute, administer, maintain, or otherwise distribute software relating to the network). 

Third, the Act authorizes the Department to clarify whether certain activity is governed by the Act or money transmission laws.

Fourth, the Act also authorizes the Department to exempt transactions, persons, and Digital Assets from any provision of the Act and any Department rule thereunder as long as the exemption is “necessary or appropriate, in the public interest, and consistent with the protection of [R]esidents.”

Registration and Renewal Requirements

A firm engaging in Digital Asset Business Activity in Illinois must register under the Act, unless it can avail itself of an exemption. Applicants must submit a nonrefundable application fee of US$5,000 and a complete application that includes, among other things, financial statements, fingerprints of each executive officer and responsible individual, and a surety bond or trust account in an amount to be determined by the Department. Once registered, the registration will remain in effect until it expires due to nonrenewal, surrender, or action by the Department. Registrants must renew their registration each year and provide the Department with certain information, which generally includes financial statements; volume and custody metrics; evidence of compliance with custody, capital, and liquidity requirements; and a list of locations where the registrant conducts its Digital Asset Business Activity. 

Compliance Requirements 

Each registrant must have a designated person responsible for compliance with the Act and written compliance policies and procedures. Even prior to applying for registration, a Covered Person must have specific compliance policies and procedures, including:

• A cybersecurity program;
• A business continuity program;
• A disaster recovery program;
• An anti-fraud program;
• An anti-money laundering and countering the financing of terrorism program;
• An operation security program; 
• A program designed to ensure compliance with the Act and other Illinois or federal laws relevant to the specific Digital Asset Business Activity;
• A conflict-of-interest program;
• A request for assistance program to comply with the Act’s customer service requirements; and
• Any other compliance programs established by Department rules. 

The Act outlines specific requirements for cybersecurity, anti-money laundering and countering the financing of terrorism, and anti-fraud programs. 

Covered Persons, as well as their affiliates and, in some cases, service providers, are subject to examination by the Department. Examination may be conducted at any time to investigate the financial condition of a Covered Person, the safety and soundness of its business conduct, its management policies, the lawfulness of its business practices, its accounting practices, or other matters related to the Covered Person’s Digital Asset Business Activity. Examinees will be charged an examination fee of US$150 plus travel costs.

In connection with an examination, Covered Persons must facilitate access to accounts, books, and records to the Department. Registrants must retain records for five years after certain activities, including:

• Details of any transaction with or on behalf of a Resident or for the registrant’s account in Illinois; 
• The aggregate number of transactions and their value for the past year with or on behalf of a Resident;
• Any transaction in which a form of Digital Asset was exchanged for fiat currency or another form of Digital Asset with or on behalf of a Resident;
• A general ledger maintained at least monthly listing all assets, liabilities, capital, income, and expenses of the registrant; and
• A report of any dispute with a Resident.

The registrant generally must make records retained outside Illinois available to the Department within three days of a request. Any records maintained by a registrant, affiliate, or service provider are subject to inspection by the Department. 

Material Business Changes and Control Persons 

A registrant must report to the Department within 15 days any material changes (i) to the information in its application for registration or renewal report; (ii) in the registrant’s business related to its Digital Asset Business Activity; or (iii) in an affiliate, executive officer, responsible person, or other person in control of the registrant. In certain scenarios, the Department’s prior approval is required. For example, in the event of a change of a “control person” (i.e., a person that meets certain voting power thresholds) or a merger or consolidation, a registrant must provide certain information about the new control person or surviving entity in a merger when seeking prior approval.

Capital Requirements

Registrants are required to maintain a surety bond or trust account with a qualified custodian and satisfy ongoing capital and liquidity requirements, all in a form and amount to be determined by the Department. The Department may increase the amount of security deposit for each registrant, which would be required to be deposited by the registrant no later than 15 days after the registrant receives notice of the increase. 

While the Act does not prescribe a minimum amount, the Department may set this threshold and also increase the amount of capital or liquidity (i.e., cash or high-quality liquid assets) required for each registrant. The Department may consider various factors and specific risks applicable to a registrant when establishing capital requirements. These factors include the composition of the registrant’s assets; its total liabilities; the actual and expected volume of the registrant’s Digital Asset Business Activity; the registrant’s liquidity position; and the types of products or services offered by the registrant. 

Customer Protection Obligations

The Act requires Covered Persons to adhere to certain customer protection obligations designed to protect Residents and their Digital Assets, including disclosure requirements, custody and asset protection requirements, and customer service standards. Covered Persons are subject to the Department’s enforcement authority for violations of such requirements. 

Custody and Protection of Assets

The Act prescribes requirements for Covered Persons that store, hold, or maintain custody of a Digital Asset for one or more persons. Digital Assets that are subject to the Act’s custody requirements are not considered property of a Covered Person. Pursuant to the Act’s custody requirements, a Covered Person must: (i) maintain at all times an amount of each Digital Asset sufficient to meet aggregate entitlements of the persons to the type of Digital Asset; (ii) segregate those Digital Assets from the Covered Person’s own assets; and (iii) refrain from selling, transferring, pledging, lending, or otherwise encumbering a person’s Digital Assets, except at the person’s direction. 

If a Covered Person violates the Act’s custody requirements, customers have pro rata property interests in the relevant Digital Asset type. In the event of insolvency, commingled customer assets are held in trust for customers and are shielded from attachment or levy by others. The Act authorizes the Department to adopt additional customer protection rules. 

Disclosure

Before engaging in a Digital Asset Business Activity with a Resident, a Covered Person generally must disclose, in a clear and conspicuous manner, in a record the Resident may keep:

• Fee schedules;
• Information related to the Covered Person’s insurance status and terms;
• Service outage history over the past year;
• A bold-font statement that Illinois has not approved or endorsed any Digital Assets or determined if the Covered Person’s customer disclosure is truthful or complete;
• The irrevocability of transfers; 
• Liability and error resolution frameworks; 
• At least 14 days’ prior notice of changes to terms or conditions of a Digital Asset transaction that may materially impact the Digital Asset Business Activity; and 
• Residents’ rights to stop preauthorized payments.

Confirmations

A Covered Person must provide Residents with a transaction confirmation after all transactions or, instead, provide a single, daily confirmation as long as it discloses that it is electing to do so. A transaction confirmation must include the Covered Person’s name and contact information; the type, value, date, time, and amount of the transaction; and the fees charged for the transaction.

Customer Service

Covered Persons must make available to Residents live customer support and provide a prominently displayed toll free number on their websites for a Resident to contact for assistance. Covered Persons must also implement reasonable policies for timely handling of requests for assistance, disputes, unauthorized or mistaken transactions, and complaints. The resolution of a Resident’s complaint must be accompanied by a notice of resolution and the reasons for the resolution. Additionally, no unregistered Covered Person may bring or maintain an action in court to collect compensation for its services that would require registration, unless the Covered Person proves it was validly registered at all relevant times. 

Obligations for Covered Exchanges

The Act introduces additional requirements for Covered Persons that exchange or hold themselves out as being able to exchange a Digital Asset for a Resident or on behalf of a customer who has entered into an agreement with a business for the exchange of a Digital Asset (Covered Exchange).

Before listing or offering a Digital Asset, a Covered Exchange must certify, on a form provided by the Department, that it has:

• Evaluated the status of the Digital Asset as a “security”;
• Disclosed conflicts of interest; 
• Performed a comprehensive risk assessment to ensure protections against risks related to cybersecurity, malfeasance, protocol defects, market manipulation and fraud, and other material risks;
• Adopted policies to reevaluate the appropriateness of continued offering and listing of Digital Assets; and 
• Created delisting procedures and related notification procedures. 

For any Digital Asset that has been approved by the New York Department of Financial Services (DFS), certification is not required. The Department may order delisting and pursue enforcement if it finds a Covered Exchange has listed or offered a Digital Asset without certification or that it made misrepresentations during the certification process. 

Covered Exchanges must promptly execute customer requests and use reasonable diligence to obtain outcomes as favorable to the customer as possible. Such “reasonable diligence” will be evaluated by factors enumerated in the Act, such as the size and time of the relevant transaction, market characteristics for the Digital Asset, and accessibility of appropriate pricing. Covered Exchanges must periodically (at least every six months) review execution quality relative to accessible markets and promptly remedy any issues identified in the review. If a Covered Exchange cannot execute directly with a market and employs other means to ensure an execution advantageous to the Resident, the burden is on the Covered Exchange to demonstrate acceptable circumstances for doing so. 

The Department’s Enforcement Power

The Department has the authority to issue, revoke, or suspend registrations, as well as conduct investigations and enforce compliance with the Act through various means, including civil penalties, subpoenas, and enforcement actions. 

The Department may impose civil penalties up to US$100,000 per day for Digital Asset Business Activity conducted by unregistered Covered Persons and up to US$25,000 per day for other violations, but not in excess of US$75,000 per day where a violation relates to fraud, misrepresentation, deceit, or negligence. 

Compliance Dates and Next Steps

An unregistered Covered Person engaging in Digital Asset Business Activity will not be deemed in violation of the Act until 1 July 2027. However, Covered Persons must comply with the customer protection obligations (e.g., disclosure, custody requirements, and customer service standards) by 1 January 2027. Covered Exchanges have until 1 January 2027 to comply with their obligations under the Act.

Anyone engaging with Digital Assets should analyze whether their activities are in-scope for the Act and begin taking measures to comply with the Act’s registration and other obligations. Alternatively, newly minted “Covered Persons” could lobby the state and the Department for an exemption or for rules that are harmonized with other state digital asset laws and regulations, such as the New York DFS BitLicense Regulation. It bears keeping in mind that Congress is considering a market structure bill (i.e., the CLARITY Act), which may affect the Act’s impact on Covered Persons.

Footnotes