June 2026 marks the moment that two years of U.S. crypto regulatory momentum crystallizes into mandatory compliance obligations with firm deadlines. California — home to the largest concentration of crypto companies in the country — is activating a full state-level licensing regime in 29 days. Simultaneously, Treasury is finalizing the first federal AML framework purpose-built for payment stablecoin issuers, and the comment window is this Monday. Founders who have been watching these developments unfold now need to move. The compliance calendar has shifted from "prepare" to "act."

1. California's DFAL Licensing Deadline: July 1, 2026

What Is the DFAL?

California's Digital Financial Assets Law (DFAL), administered by the California Department of Financial Protection and Innovation (DFPI), requires anyone engaged in "digital financial asset business activity" with a California resident to obtain a license from the DFPI — or to have submitted a complete application — by July 1, 2026.

The DFPI began accepting applications on March 9, 2026, through the Nationwide Multistate Licensing System (NMLS). That four-month application window closes in 29 days.

Who Is Covered

The DFAL's definition of "digital financial asset business activity" is broad. Covered activities include:

• Exchanging digital financial assets — operating or providing an exchange, conversion, or swap service involving crypto assets

• Transferring digital financial assets — facilitating the movement of crypto between wallets or users, including payment processing

• Storing digital financial assets — custodying crypto assets on behalf of California residents, including holding keys

• Issuing digital financial assets — creating and distributing tokens, stablecoins, or other digital instruments

• Administering digital financial assets — managing reserve-backed instruments, including stablecoins

The law applies to any company engaged in these activities with a California resident — regardless of where the company is incorporated or headquartered. A Delaware-incorporated protocol with a Denver office is covered if it serves California users. A New York-based exchange with California customers is covered. The nexus is the California user, not the company's registered address.

What the License Requires

Financial thresholds: The DFPI has signaled an initial expectation of $100,000 in tangible net worth and a $500,000 starting surety bond, subject to upward adjustment based on activity volume, asset mix, leverage, and customer protection exposure.

Consumer protections baked into the license:

1. Licensees must hold sufficient digital financial assets to satisfy all California residents' entitlements in full — the DFAL effectively mandates 1:1 reserve backing for customer-held assets

2. Licensees must investigate digital financial assets before listing them — the DFPI can require disclosure of asset risk, issuer identity, and smart contract audits

3. Licensees must maintain capital and liquidity sufficient to protect the public from scams and fraud

4. Licensees are subject to DFPI examination and supervision on an ongoing basis

Application mechanics: Applications run through NMLS using the MU1 form for the company and MU2 forms for control persons, executive officers, qualifying individuals, and certain owners. Control person background disclosures are required. Incomplete applications will not preserve the July 1 safe harbor — the DFPI requires a substantially complete application, not a placeholder filing.

What Happens After July 1

After July 1, 2026, operating digital financial asset business activity with a California resident without a license — or without a pending substantially complete application — is a violation of the DFAL. The DFPI has enforcement authority to issue cease-and-desist orders, impose civil money penalties, and refer matters for criminal prosecution. For platforms with significant California user bases, unlicensed operation after July 1 is not a technical violation — it is the kind of enforcement exposure that triggers investor questions, triggers counterparty due diligence flags, and exposes founders to personal liability.

Who Should Be Filing Now

• Crypto exchanges and trading platforms serving any California residents

• Custodians and wallet providers holding assets for California users

• Stablecoin issuers distributing to California residents

• Token project teams whose tokens are actively traded or transferred by California users

• Payment processors handling crypto transactions for California merchants or consumers

• DeFi protocols with fiat on-ramps that involve California users in covered activity

If you are not certain whether your activity is covered, the safer analysis is to assume it is and seek counsel before July 1 — not after.

2. GENIUS Act AML/CFT Proposed Rule: Comment Deadline Is June 9

What Is the Proposed Rule?

On April 8, 2026, FinCEN and OFAC issued a joint Notice of Proposed Rulemaking implementing the GENIUS Act's requirement that Permitted Payment Stablecoin Issuers (PPSIs) be treated as financial institutions under the Bank Secrecy Act. Comments are due June 9, 2026 — seven days from today.

What the Rule Would Require

The proposed rule imposes a full BSA AML/CFT program obligation on every PPSI. That means:

1. Written AML program — documented internal controls, risk assessment methodology, and escalation procedures

2. Designated compliance officer — a named individual responsible for day-to-day AML program oversight with the authority and resources to act

3. Ongoing training — documented employee training on AML obligations, updated as the regulatory landscape evolves

4. Independent testing — periodic third-party or internal audit of the AML program's effectiveness

5. Customer identification program (CIP) — Know Your Customer obligations for stablecoin holders, consistent with BSA's financial institution CIP standards

6. Suspicious activity reporting (SAR) — obligation to identify, investigate, and file SARs for transactions that meet the threshold

7. OFAC sanctions compliance program — screening against SDN and other OFAC lists, with documented controls and remediation procedures

Alongside the AML program requirements, the rule proposes that PPSIs maintain an OFAC-aligned sanctions compliance program — not just as a best practice, but as a regulatory mandate with enforcement consequences.

The 60 Open Questions — Why Commenting Matters

FinCEN and OFAC have posed nearly 60 questions in the NPRM on topics that will define how the final rule applies in practice. Several are directly consequential for founders and token projects:

• Secondary market obligations — whether AML/CIP requirements extend to secondary market stablecoin transfers, not just primary issuance

• Foreign stablecoin issuers (FPSIs) — whether the same AML/CFT obligations should be extended to non-U.S. stablecoins that circulate in U.S. markets

• SAR threshold and carve-outs — whether the suspicious activity reporting threshold is appropriately calibrated and whether the secondary market carve-out is appropriately scoped

• Overlap with parent bank obligations — how PPSIs that are subsidiaries of insured depository institutions should coordinate their AML programs with the parent's existing BSA compliance

The comment period closes in seven days. Stablecoin issuers, DeFi protocols with stablecoin integrations, and digital asset businesses with compliance operations affected by the rule's secondary market scope should submit comments if the proposed rule's application to your business raises legitimate compliance design questions. Silence during the comment period means the final rule reflects the proposals as written.

3. How These Two Deadlines Interact

The California DFAL and the GENIUS Act AML rule are not isolated developments — they are two pieces of the same regulatory architecture being built around digital asset businesses in 2026. The DFAL's reserve and consumer protection requirements and the GENIUS Act's AML obligations are converging on the same compliance infrastructure: know your customer, hold adequate reserves, maintain documented internal controls, and submit to regulatory examination.

For stablecoin issuers operating in California, both regimes apply simultaneously. The DFPI will examine licensees on consumer protection and reserve adequacy. FinCEN will examine PPSIs on AML program sufficiency. These are not duplicative — they are additive obligations that will need to be coordinated in a single compliance program that satisfies both regulators.

For founders who have been building out compliance programs in anticipation of one framework or the other, now is the moment to audit whether your program addresses both. The DFAL's July 1 application deadline and the GENIUS Act comment window are this week and next month — not at the end of the year.

4. How Launch Legal Helps

For digital asset businesses assessing DFAL coverage: We help founders and compliance teams determine whether their activity falls within the DFAL's covered categories, evaluate the strongest arguments for exemption or limited-scope licensing, and prepare substantially complete NMLS applications before July 1. The application itself requires legal judgment on control person disclosures, financial thresholds, and activity descriptions — not just form-filling.

For stablecoin issuers responding to the GENIUS Act NPRM: The June 9 comment deadline gives stablecoin projects one week to submit formal comments on the 60 questions FinCEN and OFAC have posed. We help issuers identify the questions most consequential for their specific business model — particularly secondary market scope and CIP design — and draft technically precise, well-supported comment letters that participate meaningfully in shaping the final rule.

For startups building AML/CFT programs in anticipation of the GENIUS Act's final rule: We help design BSA-compliant AML program architectures — written policies, CIP procedures, SAR workflows, sanctions screening integration, and compliance officer mandates — that satisfy both the GENIUS Act's proposed requirements and the related state-level obligations that are already in effect.

For token projects and DeFi protocols navigating both regimes: We advise on the interaction between the DFAL's covered activity definitions and the GENIUS Act's PPSI scope — helping teams understand where their activity falls, what exemptions may apply, and what compliance infrastructure needs to be built or adapted before the deadlines arrive.

What Founders Should Do This Week

Before June 9 — GENIUS Act comment deadline:

• If your stablecoin business model is affected by the secondary market scope question or the foreign issuer question, retain counsel and submit comments before Monday

• If you are building toward PPSI status, begin scoping your AML/CFT program against the proposed rule's requirements — the final rule will likely track the proposed framework closely

• Review the OFAC sanctions compliance program requirements and assess whether your current screening infrastructure meets the proposed standard

Before July 1 — California DFAL deadline:

• Determine whether any of your business activities fall within the DFAL's covered categories and involve California residents

• If covered, begin your NMLS application immediately — substantially complete applications filed before July 1 preserve the safe harbor; incomplete applications do not

• Assess your tangible net worth and surety bond capacity against the DFPI's published thresholds

• Ensure control persons are prepared for the MU2 background disclosure process — delays at this stage are the most common cause of incomplete applications

Strategic Takeaway

Opportunity → The DFAL and GENIUS Act frameworks are being built now, while the regulatory architecture is still taking shape. Companies that engage in the GENIUS Act comment process this week have a direct line to shaping how the final AML rule applies to secondary markets, foreign issuers, and CIP design. Companies that file complete DFAL applications before July 1 enter California's crypto licensing regime in the first cohort — with a compliance posture that differentiates them from competitors who miss the window.

Risk → July 1 is not a soft deadline. The DFPI has enforcement authority and a clear mandate. California is the single largest U.S. state crypto market. A digital asset business that continues operating with California users after July 1 without a license or pending application is exposed to the full weight of DFPI enforcement — cease-and-desist, civil penalties, and the reputational consequence of being named in a DFPI enforcement action.

What Comes Next

Watch for the DFPI's guidance on application completeness standards as July 1 approaches — the DFPI may issue supplemental guidance on what constitutes a "substantially complete" application that preserves the safe harbor. Watch for FinCEN's final rule under the GENIUS Act, expected in the July–August timeframe, which will set the definitive compliance standard for PPSIs. And watch for the GENIUS Act's broader licensing and capital requirement regulations, due by July 18, 2026 — the full statutory regulatory framework is arriving this summer, and the compliance architecture needs to be in place before it lands.

Bottom Line

Two crypto regulatory deadlines are live right now. The GENIUS Act comment window closes in seven days — June 9. California's DFAL licensing deadline arrives in 29 days — July 1. For digital asset businesses that have been tracking these developments, this is the week to move from preparation to action. The compliance calendar is no longer a planning document. It is a countdown.

Learn More

• California DFPI — Digital Financial Assets Licensing

• National Law Review — California's DFAL Requires License Applications by July 1, 2026

• Federal Register — GENIUS Act Proposed Rule: PPSI AML/CFT Requirements

• FinCEN — Treasury Proposes Rule to Implement GENIUS Act Anti-Illicit Finance Requirements

• TRM Labs — What the GENIUS Act PPSI Rule Means for Stablecoin Issuers

• Mayer Brown — Stable Rules for Stablecoins: Treasury Proposes AML and Sanctions Framework

• Latham & Watkins — US Crypto Policy Tracker: Regulatory Developments