What Is DACPA? Illinois’ New Digital Assets Law Explained
Dec 21, 2025
·
15 min read
Contents
Illinois has joined a growing list of states rolling out targeted crypto regulation. Introduced in August 2025, the Digital Assets and Consumer Protection Act (DACPA) is setting the new standard. Signed into law in 2025, DACPA imposes a licensing and compliance framework on digital asset businesses that serve Illinois residents, regardless of where the business is based.
If your company holds, transfers, or facilitates trading in digital assets on behalf of others, DACPA likely applies. The law is especially relevant to almost every fintech firm exploring new asset models that combine crypto with traditional financial services. It also introduces complex requirements, rules, and obligations, bringing crypto infrastructure under state-level supervision.
This article aims to offer a clear, in-depth overview of DACPA for fintech founders, legal teams, and compliance officers. We’ll cover who the law applies to, what it exempts, how to approach registration, and what operational changes may be needed. Now, let’s answer the basic question:
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013. If you need assistance with compliance or fintech regulations, click here.
What Is DACPA?
The Digital Assets and Consumer Protection Act (DACPA) is Illinois's response to the rising need for state-level oversight of crypto and digital asset activity. It creates a mandatory registration and compliance regime for businesses engaged in what the law defines as digital asset business activity. This includes custody, exchange, transfer, and administration of digital assets on behalf of others.
DACPA treats digital asset businesses more like traditional financial institutions, requiring capital standards, consumer disclosures, and operational safeguards. It doesn’t attempt to regulate everything built on blockchain technology.
Instead, it focuses on companies that act as intermediaries, particularly those that hold custody of user assets or offer services to Illinois residents. This extraterritorial scope puts pressure on fintech firms to assess state-by-state exposure when planning market entry or expansion.
Who Must Comply With DACPA in Illinois?
DACPA compliance hinges on what your business does, not just where it’s located. If your company facilitates crypto transactions or services for Illinois residents, there’s a high chance the law applies. Understanding which activities and entity types are in scope is the starting point for any compliance strategy.
Covered Digital Asset Activities
The law defines “digital asset business activity” broadly. It applies to companies that:
Exchange digital assets between users or for fiat
Transfer digital assets on behalf of others
Safekeep, custody, or store digital assets for customers
Administer digital assets or have authority over user assets
If your platform touches customer funds, even indirectly, you’re likely considered a “covered person” under DACPA. This includes wallets, brokers, custodians, and centralized exchanges. The law is structured to bring these functions under state oversight, even if the company is headquartered elsewhere.
Types of Entities Impacted
DACPA’s reach includes:
Crypto exchanges and token platforms
Custodial wallet providers
Digital asset brokers and liquidity providers that custody or handle customer assets (or otherwise engage in DACPA-defined business activity)
Fintech firms embedding crypto into non-crypto services
Foreign companies serving Illinois customers
Out-of-state entities are not exempt. If you have users in Illinois or market to them, you're subject to the same obligations as local firms. Many startups won’t realize this until it’s flagged by legal or regulators. And by then, it's too late.
Exemptions: What DACPA Does Not Cover
Not every crypto-related activity falls under DACPA. The law was written to avoid unnecessary friction for developers, infrastructure providers, or non-financial use cases. Understanding what’s not covered is just as important as knowing what is.
Startups often assume they need to register when they don’t, or worse, overlook a required exemption. If your company doesn’t handle customer assets or act as a financial intermediary, you may fall outside the scope.
Peer-to-Peer and DeFi Exemptions
DACPA targets centralized entities. It does not apply to peer-to-peer transactions between individuals, including those conducted through decentralized exchanges (DEXs) where no party holds custody or controls the transaction flow.
Examples of excluded activity include:
Using a smart contract to trade directly with another user
Transferring assets wallet-to-wallet without an intermediary
Operating an open-source protocol that doesn’t hold funds
If your platform is fully decentralized and non-custodial, you’re likely outside DACPA’s reach. But partial decentralization, like admin control over keys or trade routing, may trigger compliance.
Software Developers and Node Operators
DACPA also excludes those contributing to blockchain infrastructure. That includes:
Node operators and validators
Miners or stakers supporting consensus
Developers publishing open-source wallets or smart contracts
As long as you’re not controlling digital assets on behalf of others, you’re not in scope. Building tools isn’t the same as offering financial services. This carve-out gives room for technical innovation without unnecessary regulatory exposure.
See also:
Key DACPA Registration Information
If your business is in scope, registration with the Illinois Department of Financial and Professional Regulation (IDFPR) isn’t optional.
Without a valid registration, you won’t be able to serve Illinois customers after mid-2027. Knowing the timeline, application components, and cost structure is critical to planning ahead.
Need help with blockchain compliance?
Fill out the form below and our experts will get back to you.
Key Dates and Milestones
DACPA isn’t being enforced overnight. Illinois introduced a multi-year rollout to give both companies and regulators time to prepare.
Milestone | Date | What It Means |
|---|---|---|
DACPA signed into law | August 18, 2025 | Law is active; rulemaking and infrastructure begins |
Consumer-facing standards go into effect | January 1, 2027 | Disclosures, custody practices, and support must be live |
Registration deadline | July 1, 2027 | Firms must be registered to legally operate in Illinois |
Regulators have authority today, even if enforcement begins later. If your company plans to operate in Illinois, you should be preparing well before 2027. Early preparation will help reduce last-minute application issues and downstream risk.
Step-by-Step Registration Process
Registration with IDFPR under DACPA is not a one-off filing. It’s a structured process that requires thorough preparation across legal, financial, and operational areas. Firms that treat it like a routine form submission will likely hit delays or face compliance gaps.
Here’s a breakdown of how fintech and digital asset companies should approach the registration process:
1. Confirm Applicability and Risk Exposure
Start by assessing whether your business qualifies as a “covered person” engaged in digital asset business activity. If you're providing custodial services, facilitating crypto transactions, or otherwise acting as an intermediary, you're likely in scope.
Companies that serve Illinois residents should be included in this review, even if they serve via:
Websites
APIs
White-labeled infrastructure
Note: Your legal counsel or a compliance partner can help you interpret edge cases and whether you must comply with DACPA.
2. Assemble Required Documentation
This is often the most time-consuming part. DACPA requires a comprehensive application that includes:
Audited or GAAP-compliant financial statements
Corporate formation documents and ownership structure
A list of all control persons and executive officers
Fingerprints and background checks for responsible individuals
Business plans detailing products, services, and delivery channels
Copies of all written compliance policies and procedures
List of vendors and outsourced service providers (e.g., custody platforms, KYC tools)
3. Develop or Upgrade Compliance Programs
You’ll need operational programs that cover DACPA-mandated areas like cybersecurity, AML, fraud prevention, disaster recovery, complaint handling, and conflict-of-interest management.
These policies must be documented and tailored to your business model and not boilerplate templates. You’ll also need to appoint a designated individual responsible for DACPA compliance, typically a Chief Compliance Officer or similar role.
4. Establish Financial Safeguards
All applicants must provide evidence of financial stability. IDFPR requires:
A surety bond or trust account to protect customer assets (amount determined case-by-case)
Proof of sufficient capital and liquidity to meet business obligations
Internal documentation showing capital management practices, including any reserve strategies or liquidity thresholds
IDFPR may request further information depending on your business type and size.
5. Submit Application and Pay Fees
The application is filed with IDFPR, and it includes a nonrefundable $5,000 filing fee. Incomplete or inconsistent applications are likely to be delayed or rejected. The Department may require clarification, follow-up interviews, or supplemental submissions during review.
6. Maintain Readiness for Review and Examination
Once filed, your business is subject to IDFPR examination. This includes onsite or remote inspections, review of books and records, and testing of your compliance infrastructure.
IDFPR examiners will assess:
Operational soundness
Internal controls
Transaction records
Customer safeguards
You must be able to produce key documents, including transaction logs and audit trails, within three business days of request.
7. Prepare for Annual Renewals and Reporting
Registration under DACPA is not permanent. Firms must submit annual renewal filings that update:
Financial and capital information
Business locations and contact details
Compliance program documentation
Any changes to ownership, executive roles, or risk exposure
Annual metrics on volume, assets held, and Illinois-specific activity
Renewal fees will apply (amount TBD), and failure to maintain good standing could trigger enforcement or suspension.
Fees, Examinations, and Penalty Structure
DACPA is funded directly through registrant fees. These include:
$5,000 application fee
Annual renewal fees, to be defined by IDFPR
Examination fees, including a base cost and examiner travel reimbursement
Unregistered activity after the deadline is subject to penalties up to $100,000 per day. Other violations, such as disclosure lapses or improper custody, may trigger additional fines ranging from $25,000 to $75,000 per day.
DACPA’s Core Regulatory Requirements
DACPA moves crypto businesses closer to the operational standards of traditional financial institutions, requiring policies, capital buffers, and customer protections. In other words, covered entities must meet a wide range of ongoing compliance obligations once registered.
Capital and Liquidity Standards
Every DACPA registrant must maintain sufficient financial resources to support ongoing operations.
IDFPR will determine minimum capital and liquidity requirements based on business model, transaction volume, and risk exposure.
Capital adequacy: Firms are expected to maintain enough equity to absorb potential losses. Capital levels must be proportionate to the company’s liabilities, scale, and the volatility of assets handled.
Liquidity management: Businesses must maintain readily available funds to meet customer withdrawal requests or other short-term obligations. These may include fiat reserves or high-quality liquid assets.
Surety bond or trust account: Each registrant must maintain a bond or trust account denominated in US dollars to protect customer funds. The required amount will be determined case-by-case and may be adjusted by the regulator as business risk evolves.
These standards are designed to prevent insolvency scenarios similar to those seen in unregulated crypto exchanges and custodians. Firms should be prepared to provide proof of reserves and liquidity metrics during examinations.
Customer Asset Protection Rules
DACPA mandates strict segregation between company and customer assets. Digital assets held on behalf of clients must never be used, pledged, or rehypothecated unless the customer explicitly authorizes it.
Covered firms must:
Maintain a 1:1 reserve for all customer digital assets.
Segregate customer funds from the company’s operational accounts.
Maintain accurate ledgers documenting individual and aggregate holdings.
Ensure that digital assets held for clients do not become company property, even if pooled.
In the event of insolvency, customer assets are treated as held in trust and are not available to satisfy company debts. For fintechs offering custodial or hybrid models, these provisions may require restructuring how digital assets are stored and tracked.
See also:
Disclosure and Transparency Duties
Before offering services to Illinois residents, registered firms must provide clear, written disclosures covering:
All fees and charges, including how they’re calculated.
Whether the company or assets are insured (and the limits of coverage).
That digital assets are not legal tender and that Illinois does not endorse or approve them.
The firm’s liability and error-resolution process.
Details of any service outages or downtime during the previous 12 months.
Each customer must receive these disclosures in a format they can retain, such as a digital or written record. After every transaction, customers must also receive a confirmation showing the transaction details, applicable fees, and total amounts exchanged or transferred.
Digital Asset Exchange Compliance
Crypto exchanges or trading platforms face additional scrutiny under DACPA. Those offering trading or execution services must comply with rules similar to those in regulated securities markets.
Key obligations include:
Asset review and certification: Before listing a new token, the exchange must conduct a formal due diligence review to assess whether it may qualify as a security, evaluate associated risks, and disclose any conflicts of interest.
Ongoing reassessment: Exchanges must periodically review listed assets and establish delisting procedures if risks or legal classifications change.
Best execution policy: Firms must handle customer trades with reasonable diligence to obtain the most favorable terms. Execution quality should be reviewed at least semiannually.
Reciprocity with New York: If a digital asset is already approved under the New York Department of Financial Services (NYDFS) BitLicense regime, Illinois may accept that approval without requiring a separate asset review.
These requirements align Illinois with other advanced state-level frameworks, such as New York’s BitLicense and California’s Digital Financial Assets Law. For exchanges and marketplaces, it formalizes a compliance baseline focused on transparency, customer protection, and risk mitigation.
Required DACPA Compliance Programs
DACPA expects covered entities to operate with the same level of internal control and accountability as other regulated financial institutions.
Before applying for registration, companies must develop a written compliance framework that addresses each of the program areas specified by the IDFPR.
These programs must be active, documented, and auditable, forming the foundation of the firm’s operational integrity and risk management system.
Anti-Money Laundering (AML)
DACPA requires firms to implement an AML program consistent with federal standards under the Bank Secrecy Act and FinCEN guidance. The program should:
Identify and verify customer identities (KYC)
Monitor for suspicious or high-risk activity
Establish reporting procedures for suspicious transactions
Maintain detailed records and audit trails
Businesses must designate a compliance officer responsible for AML oversight and maintain training for relevant employees. IDFPR examiners can review these records and policies at any time, so the program must be kept up to date and demonstrate actual implementation, not just documentation.
Cybersecurity
Because DACPA-regulated entities handle digital assets and sensitive customer data, cybersecurity controls are central to compliance. The cybersecurity program should include:
Access management and authentication protocols
Network and system monitoring for intrusions
Encryption standards for data in transit and at rest
Incident response and recovery plans
Periodic penetration testing and risk assessments
Cybersecurity measures should align with recognized frameworks such as NIST or ISO 27001, and all incidents must be logged, reviewed, and reported as required by the regulator.
Business Continuity
DACPA also mandates a business continuity and disaster recovery plan (BCP/DRP) to minimize operational disruption. The program should document how the company will maintain critical functions during unexpected events such as cyberattacks, infrastructure outages, or market failures.
Key elements include:
Defined recovery time objectives (RTOs) and recovery point objectives (RPOs)
Backup and redundancy procedures for systems and data
Communication plans for customers and regulators during outages
Regular testing of continuity and recovery plans
IDFPR expects firms to test these procedures periodically and update them to reflect technology or business model changes.
Complaint Management and Error Resolution
Customer protection is one of DACPA’s core principles. Every covered business must have a formal process to log, investigate, and resolve customer complaints and transaction errors.
The complaint management policy should include:
A documented intake and tracking process
Defined investigation timelines
Communication protocols for updates and final resolutions
Root-cause analysis for recurring issues
Firms are also required to provide a toll-free phone number and accessible customer support for Illinois residents. IDFPR can request complaint logs during examinations to assess the firm’s responsiveness and control quality.
See also:
DACPA vs. BitLicense (NY) and Other State Laws
For fintech founders familiar with New York’s BitLicense, DACPA will feel conceptually similar but more modernized. Both frameworks aim to regulate digital asset companies at the state level by introducing licensing, capital, and consumer protection standards.
However, DACPA reflects lessons learned from the first decade of crypto regulation and incorporates broader flexibility and reciprocity mechanisms.
Feature / Requirement | DACPA (Illinois) | BitLicense (New York) |
|---|---|---|
Regulator | Illinois Department of Financial and Professional Regulation (IDFPR) | New York Department of Financial Services (NYDFS) |
Effective Year | Enacted in 2025, full compliance by 2027 | Effective in 2015 |
Registration Type | “Digital Asset Business Activity” registration | Virtual Currency Business License (BitLicense) |
Scope | Custody, exchange, transfer, and administration of digital assets | Similar, but narrower definitions originally |
Reciprocity | Allows recognition of NYDFS-approved tokens and potential inter-state reciprocity | No reciprocity; must apply separately |
Capital and Bonding | Risk-based, set by IDFPR | Determined by NYDFS; no fixed minimum |
Custody Rules | Explicit segregation and 1:1 reserves | Requires safekeeping and segregation, but is less prescriptive |
Consumer Disclosures | Mandatory standardized disclosures for fees, insurance, and transaction risk | Required but less uniform |
Exemptions | DeFi, peer-to-peer, and non-custodial software excluded | Limited exemptions, covers some technology providers indirectly |
Illinois’s approach is more scalable and forward-looking. DACPA integrates lessons from the NYDFS experience by balancing consumer protection with operational flexibility.
For example, Illinois explicitly carves out decentralized and non-custodial services, while New York’s law initially created uncertainty for developers and infrastructure providers.
Several states are following similar trajectories:
Louisiana and California have enacted laws requiring digital asset licenses and consumer protections that mirror Illinois's model.
Wyoming and Texas, by contrast, maintain more permissive frameworks focused on innovation, though they may tighten supervision over custodial activity.
DACPA’s reciprocity clause positions Illinois as a potential bridge for multi-state registration, allowing fintech firms to leverage one approved license to streamline others.
For fintech firms operating nationally, DACPA signals that multi-jurisdictional compliance is becoming the norm. Building a compliance infrastructure that satisfies Illinois and New York standards often puts a firm well ahead of other states’ requirements.
Common Compliance Pitfalls Under DACPA
Even well-prepared fintechs can encounter challenges when implementing DACPA requirements. Many early mistakes stem from underestimating the scope of the law or misinterpreting its technical requirements. Identifying these risk areas early can prevent costly delays or penalties later.
Custody Structure Mistakes
One of the most frequent compliance issues is improper custody design. DACPA explicitly requires a 1:1 reserve ratio and segregation between customer and company assets. Firms that maintain omnibus wallets without clear sub-ledgering, or that use pooled funds for liquidity management, risk noncompliance.
Common missteps include:
Commingling operational and customer assets in shared wallets
Failing to maintain real-time visibility into individual customer balances
Using customer-held assets for internal trading or staking without consent
If your firm operates a custodial or hybrid model, review your wallet structure and ledgering system early. Implementing sub-accounting or independent custody verification tools can reduce regulatory exposure once IDFPR examinations begin.
Misunderstanding Exemptions
Another recurring issue involves incorrectly assuming an exemption applies. Many startups believe that being “non-custodial” or “DeFi-aligned” automatically excludes them.
In reality, any service that intermediates or routes customer transactions may fall within DACPA’s definition of digital asset business activity.
Examples of gray areas include:
API-based platforms that initiate transactions on a user’s behalf
Wallets that use smart contracts controlled by the provider
DeFi front-ends that manage order routing or liquidity aggregation
Legal counsel or a compliance advisor should review product design before launch. The cost of early clarification is minor compared to potential penalties or forced suspension of service.
Errors in Asset Segregation
Even firms that comply with custody requirements can struggle with segregation and reconciliation. DACPA expects detailed recordkeeping to verify that customer holdings match on-chain and off-chain balances at all times.
Typical pain points include:
Inconsistent internal reconciliation between wallet balances and accounting systems
Weak documentation of asset movement between internal and external wallets
Over-reliance on third-party custodians without sufficient oversight
IDFPR examiners can request reconciliation records during reviews, and the firm must be able to produce them within three business days. Maintaining automated reconciliation processes and independent audits can help meet this expectation without excessive manual work.
DACPA Registration Readiness Checklist
Preparing for DACPA registration requires more than collecting forms. A readiness review helps identify gaps before formal submission and streamlines the review process with the IDFPR.
Below is a structured checklist to guide fintech teams through internal preparation:
Legal and Applicability
Confirm that your activities qualify as “digital asset business activity.”
Identify whether exemptions apply (e.g., DeFi, non-custodial, or developer tools).
Map Illinois customer exposure (direct or via third parties).
Corporate Documentation
Gather formation and ownership documents.
Prepare executive and control person disclosures.
Complete fingerprinting and background checks.
Financial Readiness
Prepare audited or GAAP-compliant financials.
Determine the required bond or trust account amount.
Document liquidity and reserve management processes.
Compliance Programs
Finalize written AML, cybersecurity, and fraud prevention programs.
Designate a compliance officer responsible for DACPA oversight.
Develop policies for complaint handling, business continuity, and conflicts of interest.
Operational Controls
Implement systems for segregating and tracking customer assets.
Establish reconciliation procedures and record retention for five years.
Integrate compliance monitoring tools into core operations.
Consumer Disclosures
Draft standardized disclosures for fees, risk, insurance, and transaction details.
Implement a process for customer confirmations and notices of policy changes.
Application Submission
Complete the IDFPR registration form.
Pay the $5,000 nonrefundable application fee.
Prepare to respond to regulator inquiries promptly.
Ongoing Compliance
Schedule periodic policy reviews.
Prepare for annual renewals and examinations.
Document all regulator correspondence.
A structured readiness plan reduces application friction and helps demonstrate good faith compliance. Firms that maintain documented readiness records tend to move faster through the review phase and handle IDFPR examinations more efficiently.
—
The Digital Assets and Consumer Protection Act (DACPA) marks a significant evolution in how Illinois regulates digital asset businesses. It bridges the gap between innovation and accountability by setting clear expectations around registration, capital adequacy, and consumer protection.
For fintechs, DACPA is a signal that state regulators expect crypto operations to meet the same standards as other financial institutions. Companies that approach compliance proactively can use it as a competitive advantage, positioning themselves as credible, well-managed operators in a tightening regulatory environment.
Whether you’re preparing for DACPA registration, revising your custody model, or aligning multi-state operations, InnReg’s fintech-specialized team can help you structure a compliance framework that scales with your business.
How Can InnReg Help?
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.
We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.
If you need help with blockchain compliance, reach out to our regulatory experts today:
Published on Dec 21, 2025
Last updated on Dec 21, 2025
Related Articles
Featured LinkedIn Posts
