The cryptocurrency enforcement landscape is undergoing a fundamental realignment. While Federal agencies that historically dominated digital asset oversight have shifted enforcement priorities away from licensing and registration violations toward fraud-based offenses, state regulators are aggressively enforcing cryptocurrency licensing requirements. Recent enforcement actions and proposed legislation signal escalating civil penalties, criminal prosecutions in some jurisdictions and retroactive prosecution of historical conduct. Recent developments in New York and California signal a pronounced shift in cryptocurrency enforcement at the state level, creating heightened compliance risks for digital asset businesses.
New York’s proposed CRYPTO Act would criminalize unlicensed virtual currency operations, with felony penalties of up to 15 years’ imprisonment for transactions exceeding $1 million annually, layering criminal sanctions on top of existing civil enforcement mechanisms. California’s DFPI secured a $500,000 settlement with Nexo Capital for operating a crypto-backed lending program without required state licensing, affecting over 5,400 California residents and demonstrating aggressive enforcement of existing financial services laws. Contrasting with New York and California, Federal enforcement agencies have deprioritized registration violations, with the SEC’s cryptocurrency enforcement actions dropping 60% in 2025, creating a regulatory vacuum that states are moving to fill. What does this mean for digital asset firms? Businesses should conduct jurisdiction-specific compliance analyses before offering products or services to U.S. residents, as state regulators increasingly treat digital asset activities involving lending, custody or exchange functions as triggering traditional financial services licensing obligations.
The proposed legislation establishes graduated penalties scaled to transaction volume. Businesses conducting cryptocurrency transactions below $1 million annually would face misdemeanor charges, while those exceeding the $1 million threshold over a 12-month period could be charged with a Class C felony, carrying potential prison sentences ranging from five to 15 years. This represents a dramatic escalation from New York’s current civil enforcement regime, which imposes monetary penalties but no criminal liability. Senator Myrie noted that if passed, New York would become the 19th state to explicitly criminalize unlicensed crypto transactions.
In January 2026, the California Department of Financial Protection and Innovation announced a consent order requiring Nexo Capital Inc. to pay $500,000 in penalties for operating a crypto-backed lending program without required state licensing. The enforcement action carries a critical message: regulators will pursue historical violations years after conduct occurs. Nexo allegedly offered crypto-backed consumer and commercial loans to at least 5,456 California residents between July 2018 and December 2022 without obtaining a required California Financial Law (CFL) license. The four-year gap between the end of unlicensed conduct and regulatory enforcement demonstrates that statutes of limitations provided limited protection – companies cannot assume that past compliance gaps have been forgiven or overlooked.
The settlement reflects California regulators’ expansive interpretation of existing financial services laws. The DFPI determined that Nexo’s crypto-collateralized lending constituted “finance lending” requiring state licensing, regardless of the digital nature of the collateral. This interpretive approach signals that novel technology does not create regulatory exemptions. State authorities now assert jurisdiction over cryptocurrency custody services, exchange functions, stablecoin payments and even crypto ATMs—any activity involving holding, transferring or facilitating exchange of customer assets.
The convergence of retroactive enforcement (demonstrated by Nexo) and proposed criminalization (New York’s CRYPTO Act) creates an unprecedented risk environment for digital asset firms. Companies that operated without required licenses years ago—believing civil penalties manageable or federal clarity imminent—now face potential criminal prosecution. Eighteen states have already criminalized unlicensed cryptocurrency transactions to varying degrees. Criminal exposure creates qualitatively different consequences than civil enforcement.
Criminal charges carry reputational damage potentially affecting executives’ ability to serve in leadership roles, obtain professional licenses or secure financing. Defense costs for criminal proceedings substantially exceed civil regulatory matters. And the prospect of incarceration—up to 15 years for felony violations under New York’s proposal—transforms risk calculations entirely. Critically, criminal statutes create individual liability for executives, compliance officers, general counsels, chief compliance officers and board members who approved or directed unlicensed operations. While civil regulatory actions typically target corporate entities, criminal prosecutions charge individuals personally, creating personal financial and reputational consequences separate from corporate liability.
The state enforcement actions in New York and California exemplify a broader trend: digital asset businesses face an increasingly complex web of state-by-state licensing requirements with limited prospects for federal preemption or harmonization. As of 2025, cryptocurrency companies engaged in transmitting, exchanging, or storing digital assets must obtain money transmitter licenses in nearly every state where they serve customers—49 states, with only Montana exempting such activities, though specific requirements may still apply. This regulatory patchwork imposes substantial compliance burdens. State licensing requirements vary widely in application fees ($375 to $15,000), surety bond amounts ($10,000 to $7 million), minimum net worth thresholds ($100,000 to $500,000+), and processing timelines (3 to 24 months). Companies serving customers nationally must navigate these divergent requirements simultaneously, often maintaining separate legal and compliance teams for multi-state coordination.
New York’s BitLicense remains among the most demanding, requiring comprehensive cybersecurity programs, capital adequacy assessments and ongoing supervisory examinations with associated fees. California’s Digital Financial Assets Law (DFAL), which becomes effective July 1, 2026, will create another comprehensive licensing regime specifically for digital asset businesses, complementing the state’s existing money transmitter and lending laws. Firms must obtain DFAL licenses or submit applications before the July 2026 deadline to continue serving California customers.
Digital asset businesses should undertake these measures to mitigate state enforcement risks. Conduct Comprehensive Multi-State Licensing Analysis. Perform jurisdiction-by-jurisdiction reviews to identify required licenses (e.g., money transmitter, lending or DFAL) based on business model and customer locations. Prioritize high-volume aggressive states like New York and California.
Evaluate Historical Compliance Gaps. Review past operations for unlicensed periods, assess exposure from retroactive enforcement (as in Nexo), and explore mitigation options such as disclosures or license applications. Consult counsel on statutes of limitations or defenses. Implement Robust State Compliance Programs. Establish systems including geolocation controls to block unlicensed jurisdictions, transaction monitoring for state-specific rules (e.g., California kiosk limits), regular audits of bonding/capital/reserve compliance and ongoing tracking of regulatory changes.
Engage Proactively with State Regulators. Seek informal guidance, no-action letters or preliminary determinations for unclear activities to demonstrate good faith. For delayed licensing, adopt phased approaches restricting service to licensed states while pursuing additional approvals. Monitor California’s DFAL Implementation. Prioritize DFAL licensing ahead of the July 1, 2026 deadline to continue serving California residents. Applications require extensive documentation on finances, compliance and management; processing may take months.
Plan for Continued State-Level Fragmentation. Avoid relying on imminent federal preemption. Build adaptable multi-state compliance models, noting limited preemption under the GENIUS Act and uncertainty around broader legislation like the CLARITY Act. Conclusion. State regulators are intensifying enforcement of cryptocurrency licensing requirements as federal agencies shift focus to fraud and national security. New York’s proposed CRYPTO Act (criminalizing unlicensed operations with felony penalties) and California’s retroactive actions (e.g., Nexo settlement) signal that states are aggressively filling the regulatory gap with civil penalties, historical liability and potential criminal exposure. Digital asset businesses can no longer treat state licensing as optional or civil fines as manageable costs. Proactive multi-state compliance, jurisdiction-specific analysis and regulator engagement are essential to avoid substantial penalties, operational restrictions and personal liability risks.
Leave a Reply