- within Energy and Natural Resources topic(s)
On October 6, the DFPI issued a Desist and Refrain Order against a digital-asset ATM operator for alleged violations of the California Digital Financial Assets Law (DFAL) and the California Consumer Financial Protection Law (CCFPL). The DFPI alleged that the company, which operates cryptocurrency kiosks throughout Northern California, repeatedly accepted and transmitted cash in excess of statutory transaction limits, charged unlawful fees, and failed to provide required disclosures and receipts to consumers in connection with the purchase and sale of digital assets.
The DFPI further alleged that the company's operations lacked basic anti-money laundering controls and failed to verify customer identities as required under the Bank Secrecy Act.
According to the Department, these failures resulted in widespread noncompliance with the DFAL and constituted unlawful acts and practices under the CCFPL.
The DFPI's order outlines several categories of alleged misconduct, including:
- Transaction limit violations. The company allegedly permitted customers to deposit or withdraw more than the daily transaction limit on at least 99 occasions.
- Excessive fees and charges. The DFPI claimed that, since January 2025, the operator charged consumers transaction fees exceeding the DFAL's fee cap on more than 2,700 occasions.
- Missing pre-transaction disclosures. The DFPI alleged that the kiosks failed to provide required consumer disclosures, including digital-asset prices, total fees, and refund warnings, before completing transactions.
- Incomplete receipts. The DFPI stated that over 10,000 transaction receipts omitted information identifying the licensed digital-asset exchange used to calculate price spreads.
- Deficient AML compliance. The DFPI alleged that the operator failed to collect and verify sufficient identifying information from customers, in violation of federal anti–money laundering requirements.
The Commissioner ordered the company to cease the alleged conduct, provide restitution to affected consumers, and face potential administrative penalties of $497 million. The proposed amount reflects the statutory maximum penalty of $2,500 per violation, based on thousands of alleged instances of noncompliance.
Putting It Into Practice: The DFPI's action follows a broader enforcement trend targeting crypto kiosks and ATM operators for consumer-protection and licensing violations (previously discussed here). As more states enforce digital-asset transaction limits, fee caps, and disclosure requirements, kiosk operators and money services businesses should review their compliance programs under both the DFAL and the Bank Secrecy Act.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
