AB 39 & SB 401: An Analysis Of Pending California…
In the heart of Sacramento, a quiet drama unfolds. As California’s legislative session concludes, two pivotal crypto regulatory bills, AB 39 and SB 401, stand on the cusp of becoming state law. These developments carry profound implications for the bitcoin and broader crypto industry, transcending California’s borders to influence future regulatory paths across other states in the United States, continuing the Golden State’s role as a bellwether for regulatory oversight.
Based here in Sacramento, we at BitAML have been on the frontlines, engaging elected officials and other key stakeholders in and around the Capitol. It has been a humbling and eye-opening experience to be part of the process. We’ve testified in support of consumer protection, sensible regulation, and innovation; educated policymakers about bitcoin and existing regulatory and compliance requirements; and, demystified an industry that many were first introduced to in the form of negative headlines.
What follows is an overview of AB 39 and SB 401, two bills that presently sit on the Governor’s desk, along with our insights and a glimpse into the future for bitcoin financial service providers operating in California.
Note: Both AB 39 and SB 401 were passed in the legislature and now await the signature of Governor Gavin Newsom, the last step before the bills become law. Procedurally, Governor Newsom has until October 14th to either sign or veto all legislative bills that were passed during the most recent session, including AB 39 and SB 401.
AB 39 (Grayson): Digital Financial Asset Businesses: Regulatory Oversight
This bill establishes a state money transmitter licensing framework for exchangers, placing them under the oversight of the California Department of Financial Protection & Innovation (DFPI). Requirements are fairly consistent and on-par with money transmitter licensing requirements in other states (e.g., AML, cybersecurity, business continuity/disaster recovery fraud prevention, and other risk management policies; financial statements or audited financials; fingerprinting of executives, etc.)
Notably, the bill enables the DFPI to grant a “conditional license” to an applicant who already holds a “BitLicense” with the New York Department of Financial Services (NYDFS).
AB-39 also grants the DFPI authority to exempt certain businesses from licensure requirements, and creates a mechanism for businesses to petition the agency in writing.
Additionally, the bill requires issuers of stablecoins to obtain a license, and sets forth an approval process for stablecoins to be exercised by the DFPI.
Effective date: July 1, 2025
Originally, BitAML advocated for a risk-based approach to regulating crypto financial institutions in California, seeking a permission-based license for custodial business models, and a declaratory registration (similar to FinCEN MSB registration) for non-custodial business models. The bill’s author appeared to strike a compromise by including a provision in the bill that enables the DFPI to exempt “…any person or transaction, or class of persons or transactions, if the commissioner finds such action to be in the public interest and that the regulation of such persons or transactions is not necessary…”
Granting a “conditional license” in California for those holding a BitLicense recognizes the extensive requirements and expectations placed on licensees by the NYDFS, which we might add are incredibly more intense than those to be expected of applicants in the Golden State under AB 39. Moreover, and importantly, as was pointed out to us by the bill’s author, this takes the larger players out of the application queue, enabling smaller and more modestly capitalized exchangers to have their applications reviewed and processed sooner.
Regarding stablecoins, we initially believed that a separate bill was warranted due to their unique characteristics and implications for the market. However, the small but impactful section included in AB 39 may prove that ‘less is more.’ It requires those exchanging stablecoins to obtain a license, and sets forth a risk-based approval process for stablecoins to be carried out by the DFPI. In so doing, the bill recognizes and acknowledges the elevated inherent risks associated with stablecoins. (Think Terra Luna collapse and risky algorithmic stablecoins.) We’ll add that in an earlier version of the bill, stablecoins would have only been permissible for state-chartered banks to support. That would have crushed innovation in the crypto space. Thankfully, that provision was struck and revised.
While no legislation can claim to be flawless, this bill manages to strike a reasonable balance between safeguarding consumers and fostering innovation.
We believe, as does the bill’s author, that these two concepts aren’t mutually exclusive.
Our primary concern is not the licensing requirements, and certainly not the licensing of exchangers themselves. Rather, our concern lies with the execution of AB-39 by the DFPI. While the agency appears to have the budget to staff up, as confirmed by the bill’s author, and the charter members of its burgeoning crypto division know their stuff, California is literally going from a dead stop i.e., processing no crypto applications, to being inundated with 100s, maybe 1000s, of applications.
California has to this point not required a money transmitter license for crypto exchangers. This, along with its standing as the 4th largest economy in the world, and the tech capital of the U.S., made California the obvious starting market for exchangers over the past decade plus.
This situation pales in comparison to the NYDFS’s experience with BitLicense applications. Keep in mind that the BitLicense was introduced back in 2015, when there were far fewer crypto companies and significantly less innovation, variation, and complex products and services across the ecosystem. We expect the application volume in California to be exponentially larger, with a greater diversity of unique fact patterns.
In our discussions within the Capitol, we learned that the bill’s author led a visit to the NYDFS to discuss lessons learned from the rollout of the BitLicense. This research and information gathering is great to see; we hope other states undertake similar exercises. However, we think that the NYDFS’ explanation, as reported to us, that they just didn’t staff up properly at the beginning of the BitLicense rollout was a bit of hometown scoring to say the least.
In any case, it ultimately boils down to planning and execution. Plan the work, and work the plan. This is why BitAML and the Digital Currency Traders Alliance (DCTA), a non-profit, pro-crypto consumer advocacy group, advised the bill’s author to compel the DFPI to prepare and publicly disclose a plan for processing license applications. This would deliver transparency to consumers, taxpayers, policymakers, and license applicants, and hold all parties accountable.
It will be interesting to see how and to whom the DFPI may apply its board discretionary exemption clause referenced above. As we understand it, the author had concerns about codifying into law the definitions of, and differences between, custodial and non-custodial business models, as it could give rise to potential loopholes and blind spots. We agree and strongly urge the DFPI to adopt a risk-based approach to licensure, acknowledging the substantial differences in risk profiles between custodial and non-custodial entities.
SB 401 (Limón): Digital Financial Asset Transaction Kiosks
Outlines specific requirements for bitcoin ATM operators, including consumer disclosures, fee and transaction caps, customer transaction receipts, and the reporting of kiosk locations to the DFPI.
Consumer disclosures must include the irreversibility of transactions, as well as the transaction amount in fiat and crypto, which are already common practice in the industry as we understand it. Fees are capped at 15%, and transactions are capped at $1,000 per person, per day. Transaction receipts, notably, must include a citation of the licensed crypto exchange used by the operator to calculate the spread; the cited exchange must be licensed by the DFPI and/or the NYDFS. Additionally, operators are required to disclose their kiosk locations to the DFPI, and provide an update to the regulatory agency within 30 days of changing or adding locations.
Effective date: January 1, 2024; January 1, 2025 (various based on provisions within the bill)
Regrettably, we believe that the bill’s original goal of consumer protection may have been overshadowed. Rather than mandating any number of consumer protection safeguards proposed by BitAML, bitcoin ATM operators, and industry organizations, such as scam warning screens, customer service expectations, and contact information, to name a few, the bill’s author believes that the $1,000 transaction cap would be a more effective deterrent. We disagree.
We at BitAML and others explained on several occasions, including in testimony before the Committee, that the arbitrary threshold would do little to prevent scams and could lead to a host of unintended consequences. Scammers would likely adapt by simply instructing their victims to transact below the cap, and send them to multiple kiosks maintained by different operators.
What’s more, a $1,000 cap will result in less information getting into the hands of law enforcement, as the SAR filing threshold is $2,000. (Essentially, this means a scam victim would unnecessarily have to be revictimized before a SAR is filed with law enforcement.)
Further, customer taxpayer identification numbers would not be collected, as the threshold is $3,000, denying law enforcement (and tax authorities, we might add) valuable investigatory information. Existing KYC thresholds such as this are a mix of hard-and-fast rules from the federal government and compliance best practices that have been in place and reinforced through Title 31 IRS examinations for decades.
Regarding the fee cap, the author stated that if a customer could buy crypto online for 0-2% then they should be able to do so at a kiosk. This, despite on numerous occasions being presented with the costs associated with operating a kiosk and facilitating transaction services.
On a positive note, the initial bill capped the fee at 2%, while the end result was a 15% cap. This is a significant victory for kiosk operators, as many expressed business feasibility concerns for a cap under 15%.
Irrespective of the transaction fee assessed, operators must disclose the crypto exchange used to calculate the spread on the transaction receipt. This is a welcome provision, ensuring that consumers are aware of the exact cost of their transaction.
It is our hope that this provision might help curb “hidden fees” in the form of an egregious premium applied to the price of the purchased bitcoin or other crypto asset. For example, a kiosk operator might advertise and apply a 10% fee to the transaction amount, but then also quote a price of the crypto asset e.g., BTC at a substantial premium such that the effective fee is actually closer to 25%. This is disingenuous, and costly to the customer who believes they are only paying 10% for their purchase of the crypto.
As compliance professionals well know, federally, the Consumer Financial Protection Bureau (CFPB) is actively investigating “hidden” fees and, where necessary, engaging in enforcement actions. We expect that this will continue to be a regulatory point of emphasis both at the federal-and state-level, especially in California.
Separately, one of the more contentious provisions in a previous iteration of the bill which read “…kiosk operators must provide an option for customers to exchange any amount of crypto for fiat…” was thankfully struck. Initially, the bill’s author took the view that because the majority of kiosks are one-way machines it somehow ‘trapped’ the consumer into holding crypto.
We successfully explained that because one-way (i.e., customer’s buying crypto in exchange for cash) generally constitutes well north of 95% of transactions, operators are purchasing fewer and fewer of these more expensive two-way machines, recognizing the absence of marketplace demand. As well, we pointed out the many user-friendly options consumers have for divesting of cryptocurrency through various registered and regulated exchangers.
Finally, requiring the operator to disclose their bitcoin ATM locations to the DFPI, and provide any update to the regulatory agency within 30 days of changing or adding locations, aligns with existing regulatory best practices and advance change notification expectations. Regulators should have the most up-to-date information as it pertains to those they regulate. The bill also mandates that the DFPI publish this list on its website. Again, transparency and timely information for regulators and consumers is a win-win.
From the outset, with a few exceptions, bitcoin ATM operators have acknowledged and accepted state licensing for their business. (By the way, they’re covered in AB-39.) The real issue is with the feasibility of remaining in business based on the application of the arbitrary fee cap and transaction cap.
We here at BitAML are compliance professionals, so the financial viability of implementing these caps is outside the scope of our analysis. However, we can’t help but wonder if enough kiosk operators close up shop, given the limited alternatives to purchasing bitcoin with cash, it could lead to the emergence of gray or black market alternatives.
These alternatives might evade AML & KYC requirements, escape FinCEN and state regulatory examinations, avoid cooperation with law enforcement, and operate in less secure, less visible environments, ultimately replacing registered and regulated kiosk operators.
As it pertains to the transaction cap, this is a relatively weak mitigating control if the goal is to curtail scammers from directing their victims to a kiosk. In our experience, the scam warning screens deployed by bitcoin ATM operators, well-trained customer service frontline personnel, and conspicuous operator contact information displayed on the terminal screen, are the most effective mitigating controls. Furthermore, we are concerned that the $1,000 per person, per day cap may result in law enforcement receiving less information, effectively requiring victims to be revictimized before a SAR is initiated.
History has shown that scammers adapt to circumvent controls such as daily transaction limits. Conversely, these criminals cannot prevent potential victims from unseeing conspicuous scam warnings on the bitcoin ATM screen, but we digress. We’re concerned that illicit actors will transact more frequently and utilize multiple kiosks maintained by different operators, adding unnecessary layers of complexity that would hamper law enforcement investigations.
Finally, there is no established channel yet for bitcoin ATM operators to provide a list of all their locations to the DFPI, nor is there a publicly available plan for publishing each operator’s locations on the agency’s website. While preparing a list of locations is simple and can be assembled with a few clicks of the mouse, the operators don’t yet know where to send it. The DFPI must create a safe, secure channel and publicly share this with bitcoin ATM operators as soon as possible through various industry media outlets.
The future of these pivotal bills now rests in the hands of Governor Newsom, who bears the responsibility of making a significant decision with a deadline set for October 14th.
It’s a period of heightened anticipation, as the bitcoin community closely observes these developments, understanding that key regulatory foundations are being formed before our eyes. With each passing day, the stakes grow, and the implications ripple across not only the Golden State but the entire nation, as California often sets the standard for state-level regulatory oversight.
Joe Ciccolo is the Founder & President of BitAML, a compliance advisory firm exclusively serving the Bitcoin and cryptocurrency market. Founded in 2015, BitAML has served hundreds of innovative clients including bitcoin ATM operators, exchanges, OTC desks, trading platforms, DeFi projects, NFT marketplaces, bitcoin hedge funds, prepaid crypto cards, and lenders.
He serves on the Board of Directors of the Digital Currency Traders Alliance (DCTA), a non-profit, pro-crypto consumer advocacy group.
Joe testified before the California Assembly and California Senate on AB 39 and SB 401, and met with members of the Assembly and Senate throughout the 2023 legislative session, advocating for regulation that balanced innovation with consumer safeguards for the long-term betterment of the bitcoin ecosystem.
This is a guest post by Joe Ciccolo. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.