Section § 3701

Explanation

This law requires applicants and licensees in digital financial asset businesses to establish and maintain several key programs and policies. These include security, business continuity, disaster recovery, and anti-fraud programs, as well as measures to prevent money laundering and terrorist financing. Licensees must ensure these policies are robust, adapted to their specific business activities, and in sync with other applicable laws.

Fraud detection policies must evaluate risks and undergo regular updates. Anti-money laundering policies should align with federal laws, and information security policies must protect sensitive data. Policies need to be clear to consumers, and a designated person should oversee them.

Licensees can seek guidance from the department on compliance and possibly outsource certain tasks. Failure to meet policy goals doesn't automatically mean liability unless there is evidence of systemic issues. Most policies must be disclosed separately, but those concerning certain security aspects may remain confidential for safety reasons.

(a) An applicant, before submitting an application, shall create and, during licensure, maintain in a record policies and procedures for all of the following:
(1) An information security program and an operational security program.
(2) A business continuity program.
(3) A disaster recovery program.
(4) An antifraud program.
(5) A program to prevent money laundering.
(6) A program to prevent funding of terrorist activity.
(7)
(A) A program designed to ensure compliance with this division and other laws of this state or federal laws applicable to the digital financial asset business activity contemplated by the licensee with, or on behalf of, residents and to assist the licensee in achieving the purposes of other state laws and federal laws if violation of those laws has a remedy under this division.
(B) The program described by this paragraph shall specify detailed policies and procedures that the licensee undertakes to minimize the probability that the licensee facilitates the exchange of unregistered securities.
(b) A policy required by subdivision (a) shall be in a record and designed to be adequate for a licensee’s contemplated digital financial asset business activity with, or on behalf of, residents, considering the circumstances of all participants and the safe operation of the activity. Any policy and implementing procedure shall be compatible with other policies and the procedures implementing them and not conflict with policies or procedures applicable to the licensee under other state law. A policy and implementing procedure may be one in existence in the licensee’s digital financial asset business activity with, or on behalf of, residents.
(c) A licensee’s policy for detecting fraud shall include all of the following:
(1) Identification and assessment of the material risks of its digital financial asset business activity related to fraud, which shall include any form of market manipulation and insider trading by the licensee, its employees, or its customers.
(2) Protection against any material risk related to fraud identified by the department or the licensee.
(3) Periodic evaluation and revision of the antifraud procedure.
(d) A licensee’s policy for preventing money laundering and financing of terrorist activity shall include all of the following:
(1) Identification and assessment of the material risks of its digital financial asset business activity related to money laundering and financing of terrorist activity.
(2) Procedures, in accordance with federal law or guidance published by federal agencies responsible for enforcing federal law, pertaining to money laundering and financing of terrorist activity.
(3) Filing reports under the Bank Secrecy Act (31 U.S.C. Sec. 5311 et seq.) or Chapter X of Title 31 of the Code of Federal Regulations and other federal or state law pertaining to the prevention or detection of money laundering or financing of terrorist activity.
(e) A licensee’s information security and operational security policy shall include reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of any nonpublic personal information or digital financial asset it receives, maintains, or transmits.
(f) A licensee shall file with the department a copy of a report it makes to a federal authority.
(g) A licensee’s protection policy under subdivision (e) for residents shall include all of the following:
(1) Any action or system of records required to comply with this division and other state law applicable to the licensee with respect to digital financial asset business activity with, or on behalf of, a resident.
(2) A procedure for resolving disputes between the licensee and a resident.
(3) A procedure for a resident to report an unauthorized, mistaken, or accidental digital financial asset business activity transaction.
(4) A procedure for a resident to file a complaint with the licensee and for the resolution of the complaint in a fair and timely manner with notice to the resident as soon as reasonably practical of the resolution and the reasons for the resolution.
(h) After the policies and procedures required under this section are created by the licensee, the licensee shall engage a responsible individual with adequate authority and experience to monitor each policy and procedure, publicize it as appropriate, recommend changes as desirable, and enforce it.
(i) A licensee may request advice from the department as to compliance with this section and, with the department’s approval, outsource functions, other than compliance, required under this section, and may request a determination from the department that a policy or procedure is not subject to the disclosure requirement described in subdivision (k) due to potential security risks.
(j) Failure of a particular policy or procedure adopted under this section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure was not created or implemented properly.
(k)
(1) Except as provided in paragraph (2), policies and procedures adopted under this section shall be disclosed separately from other disclosures made available to a resident, in a clear and conspicuous manner and in the medium through which the resident contacted the licensee.
(2) This subdivision does not apply to either of the following:
(A) An adopted information security program or an operational security program described in subdivision (a).
(B) Any policy or procedure the department previously determined is not subject to this subdivision due to potential security risks.

Section § 3702

Explanation

Before applying for a license, businesses must set up and keep a record of policies and procedures ensuring they follow not just this financial regulation but also any other relevant state laws. These policies need to align with both state and federal laws and can be adapted from existing procedures used in digital financial activities.

Once these policies are established, the business must appoint a qualified person to oversee, promote, and enforce them. Businesses can ask for guidance from the department on these policies and, if approved, can outsource functions other than compliance. If a policy doesn't work once but was properly made and monitored, the business won't be liable. However, repeated failures suggest the policy was not appropriately handled.

(a) An applicant, before submitting its application, shall establish and maintain in a record a policy or procedure designed to ensure compliance with this division, and law of this state other than this division, if the other law is relevant to the digital financial asset business activity contemplated by the licensee or the scope of this division or this division could assist in the purpose of the other law because violation of the other law has a remedy under this division.
(b) A policy or procedure under subdivision (a) shall be compatible, and not conflict, with requirements applicable to a licensee under other state law or under federal law and may be a policy or procedure in existence for the licensee’s digital financial asset business activity with, or on behalf of, a resident.
(c) After the policies and procedures required under this section are created by the licensee, the licensee shall engage a responsible individual with adequate authority and experience to monitor any policy or procedure, publicize it as appropriate, recommend changes as desirable, and enforce it.
(d) A licensee may request advice from the department regarding compliance with this section and, with the department’s approval, outsource functions, other than compliance, required under this section.
(e) Failure of a particular policy or procedure adopted under this section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure was not created or implemented properly.