In recent months, state regulators have moved aggressively in response to a shift in federal enforcement priorities in the cryptocurrency space. With the U.S. Department of Justice (DOJ), U.S. Securities and Exchange Commission (SEC), and Commodity Futures Trading Commission (CFTC) moving enforcement priorities away from regulatory violations such as failure to register or obtain licenses, states have increased scrutiny of digital asset businesses, particularly those operating without the licenses required under state law. Two recent developments in New York and California highlight this trend, reflecting heightened risk for crypto market participants who have not secured appropriate licensing in each jurisdiction where they operate.
In New York, Manhattan District Attorney Alvin Bragg and State Senator Zellnor Myrie recently announced the proposed Cryptocurrency Regulation Yields Protections, Trust, and Oversight Act (CRYPTO Act), which would criminalize operating a cryptocurrency business without a license. The proposal would effectively layer state criminal penalties on top of the state’s existing civil enforcement tools, raising the stakes for noncompliance. In public remarks, Bragg and Myrie framed the legislation as a necessary step to combat illicit finance, describing cryptocurrency as an “ideal vehicle for money laundering.”
If enacted, the CRYPTO Act would require virtual currency businesses to hold a BitLicense issued by the New York State Department of Financial Services or risk prosecution for “unlicensed virtual currency business activity.” Penalties would scale according to the value of transactions: misdemeanor charges for lesser currency amounts and up to a Class C felony for amounts exceeding $1 million in aggregate over a 12-month period. Felony convictions could carry prison terms ranging from five to 15 years, representing a dramatic escalation in the consequences for unlicensed crypto activity in New York. Myrie noted that if the legislation passes, New York would be the 19th state to explicitly make unlicensed crypto transactions a crime.
California’s Department of Financial Protection and Innovation (DFPI) recently announced a $500,000 settlement with Nexo Capital Inc. (Nexo), a Cayman Islands-based crypto lender. DFPI alleged that Nexo offered consumer and commercial loans to California residents through its crypto-backed lending program without the required California Financing Law (CFL) license. According to the consent order, the credit lines Nexo offers allow borrowers to provide crypto assets as collateral, receive crypto assets or fiat money as loans, and make payments using crypto in accordance with their loan agreements. In addition, DFPI claims that Nexo circumvented its responsibilities under California law to evaluate a borrower’s ability to repay their loan by, instead, requiring borrowers to overcollateralize their loans and use this collateral to cover overdue payments in the event that the borrower defaulted on their loan.
The violations triggered claims under both the CFL and the California Consumer Financial Protection Law and affected more than 5,400 state residents. In addition to the $500,000 penalty, Nexo must transfer all funds belonging to California residents to Nexo Financial LLC, a U.S.-based affiliate that holds a CFL license with the DFPI. The Nexo matter underscores the expanding reach of state regulators into business models that may be viewed as falling outside traditional financial service categories. Activities centered on digital assets, if they involve lending, custodial services, or exchange functions, may trigger state licensing obligations. Failure to comply may lead to substantial penalties and reputational impact, even absent concurrent federal enforcement.
Blockchain businesses should not assume that a shift in federal enforcement activity eliminates enforcement risk. Instead, firms should consider conducting jurisdiction-by-jurisdiction licensing analyses before offering products or services to U.S. residents. State-level enforcements and new laws, such as New York’s proposed CRYPTO Act and California’s enforcement action against Nexo, signal that regulators are prepared to aggressively pursue remedies, including criminal charges in some cases. Robust compliance programs, proactive engagement with licensing authorities, and constant monitoring of regulatory developments may help mitigate exposure.