Roadmap to DACPA: The Time to Prepare and Engage Is Now

If your business is connected in any way to the digital asset industry, then you should pay attention to Illinois’ new law regulating digital assets.

Illinois recently passed the Digital Assets and Consumer Protection Act (DACPA), which gives the Illinois Department of Financial and Professional Regulation (IDFPR) sweeping authority over businesses engaged in “digital asset business activity” with Illinois residents.

By engaging early with IDFPR and the rulemaking process now, you can shape the scope of DACPA.

Who Should Care About DACPA and Why?

DACPA applies to any person or entity engaged in, or holding itself out as being able to engage in, “Digital Asset Business Activity” with or on behalf of an Illinois resident. In other words, even if you have no Illinois presence at all, you still need to comply with DACPA if you are conducting business with Illinois residents.

The statute defines “Digital Asset Business Activity” as (1) exchanging, transferring or storing a digital asset, (2) engaging in digital asset administration or (3) any other business activity involving digital assets designated by rule by IDFPR. This includes exchanges that buy, sell, trade or convert, on behalf of a resident, either (1) a digital asset for fiat currency or one or more forms of digital assets, or (2) fiat currency for one or more forms of digital assets.

That definition is as broad as it seems, but DACPA does include exclusions to the definition of “Digital Asset Business Activity.” The most significant exclusion is for activities already regulated by the SEC or CFTC, other than activities only subject to their anti-manipulation and anti-fraud enforcement authority. Given that the scope of the SEC and CFTC’s regulatory authority is unsettled, and that market structure legislation may not come up for a vote in the Senate until after the midterm elections, the scope of this exclusion remains uncertain.

The term “Digital Asset Business Activity” has a number of other notable exclusions, including peer-to-peer exchanges or transfers of digital assets; decentralized exchanges facilitating peer-to-peer exchanges or transfers solely through use of an automated computer program or transaction protocol; issuance of NFTs; the development and dissemination of software in and of itself; and validating a digital asset transaction, operating a node or engaging in similar activity. But terms such as “peer-to-peer exchanges or transfers,” “decentralized exchanges” and “validating a digital asset transaction” are all conspicuously undefined in the statute, leaving room for rulemaking to determine how broad or narrow the exclusions are.

Any entity that qualifies as a digital asset business or exchange engaged in a digital asset business activity must register with IDFPR by July 1, 2027. IDFPR will investigate the entity’s financial condition, character and the competence of its officers to decide whether to grant a registration or subsequently revoke or suspend an entity’s registration.

DACPA also gives IDFPR significant enforcement power. IDFPR can, among other things, subpoena documents and witnesses, examine the books and records of every covered person, entity, affiliate or service provider, and impose fees, fines and civil penalties of up to $25,000 for each day of violation or each act or omission in violation (not to exceed $75,000 per day). Most significantly, DACPA allows IDFPR to enlarge its authority through rulemaking with few limitations.

Accordingly, anyone who could be subject to DACPA should be concerned about its broad scope.

The Importance of Rulemaking: Where the Rubber Will Meet the Road

DACPA leaves room for the details of its implementation to be ironed out through the rulemaking process, in which digital asset businesses can and should participate.

Two entities will be responsible for the rulemaking process: IDFPR and the Joint Committee on Administrative Rules (JCAR). IDFPR regulates professionals from doctors to barbers on the one hand and the financial services industry on the other. The Division of Banking (DOB) and Division of Financial Institutions (DFI) handle the latter, and they will be responsible for enforcing DACPA with input from IDFPR’s Office of Innovation, which is led by the Regulatory Innovation Officer.

Implementing DACPA will be one of the most complicated things IDFPR has ever done. IDFPR will need time to build up the necessary internal processes and hire personnel to enforce the law, particularly given their limited resources and lack of expertise in digital assets. Currently, IDFPR views digital assets with suspicion, fueled by narratives from elected officials and consumer advocacy groups that digital assets pose a threat to consumers. The rulemaking process can provide an avenue to engage with IDFPR and dispel unfounded suspicion.

Now is the ideal time for you to engage with IDFPR and help guide their decision-making early on. Over time, IDFPR will publish the text of its proposed rules and may hold public hearings and accept public comment. Then, the agency can decide whether to make any changes to the proposed rules in response to public comment.

From there, the rules will be filed with JCAR for review. JCAR is a quasi-legislative bipartisan body made up of members of the Illinois House and Senate. The members of JCAR are charged with understanding DACPA deeply and ensuring that rulemaking aligns with the law’s purpose. As a bipartisan group, JCAR will likely try to strike a balance between consumer protection and promoting innovation.

JCAR and the agency proposing a rule — IDFPR in this case — will often agree to make changes to rulemaking or will make further agreements regarding action the agency will take after this rulemaking is adopted. Ultimately, JCAR members can decide whether to let a rule proceed or not, making industry engagement with JCAR particularly important.

That engagement should not end once rulemaking is over. Digital asset businesses should regularly communicate with IDFPR. It is always better to have ongoing conversations on the front end rather than deal with an investigation or enforcement action on the back end.

There are a lot of nuances that are not spelled out in DACPA and will be developed through rulemaking. To shape the direction DACPA takes, it will be essential for the industry to engage early, engage often and engage at all levels, including with IDFPR, JCAR staff and JCAR members of the Illinois legislature.

How Should You Prepare Now?

In the meantime, the sooner you prepare for DACPA’s explicit requirements, the better.

DACPA imposes substantial requirements that mirror the regulation of traditional financial institutions. For example, digital asset businesses and exchanges must implement, update and enforce written compliance policies and procedures for addressing critical risks, including cybersecurity, business continuity and anti-money laundering. DACPA also requires digital asset businesses to hold adequate financial resources and provide detailed disclosures to customers. The time is now to ensure your compliance program can meet DACPA’s high demands.

Although DACPA was effective immediately upon becoming law, regulated entities have time to become compliant. While they must register by July 1, 2027, covered persons must already be in compliance with certain sections of DACPA by Jan. 1, 2027, and covered exchanges specifically must make certain certifications by then.

We regularly engage with IDFPR and work with former IDFPR officials. We also have extensive experience advising companies regarding how to proactively meet the requirements of shifting regulatory requirements relating to the digital asset industry. If you have any questions about DACPA or would like help engaging with the rulemaking process, please do not hesitate to contact us.