Section 3701 - Maintenance of policies and procedures required for activities and programs(a) An applicant, before submitting an application, shall create and, during licensure, maintain in a record policies and procedures for all of the following:(1) An information security program and an operational security program.(2) A business continuity program.(3) A disaster recovery program.(4) An antifraud program.(5) A program to prevent money laundering.(6) A program to prevent funding of terrorist activity.(7)(A) A program designed to ensure compliance with this division and other laws of this state or federal laws applicable to the digital financial asset business activity contemplated by the licensee with, or on behalf of, residents and to assist the licensee in achieving the purposes of other state laws and federal laws if violation of those laws has a remedy under this division.(B) The program described by this paragraph shall specify detailed policies and procedures that the licensee undertakes to minimize the probability that the licensee facilitates the exchange of unregistered securities.(b) A policy required by subdivision (a) shall be in a record and designed to be adequate for a licensee's contemplated digital financial asset business activity with, or on behalf of, residents, considering the circumstances of all participants and the safe operation of the activity. Any policy and implementing procedure shall be compatible with other policies and the procedures implementing them and not conflict with policies or procedures applicable to the licensee under other state law. A policy and implementing procedure may be one in existence in the licensee's digital financial asset business activity with, or on behalf of, residents.(c) A licensee's policy for detecting fraud shall include all of the following: (1) Identification and assessment of the material risks of its digital financial asset business activity related to fraud, which shall include any form of market manipulation and insider trading by the licensee, its employees, or its customers.(2) Protection against any material risk related to fraud identified by the department or the licensee.(3) Periodic evaluation and revision of the antifraud procedure.(d) A licensee's policy for preventing money laundering and financing of terrorist activity shall include all of the following: (1) Identification and assessment of the material risks of its digital financial asset business activity related to money laundering and financing of terrorist activity.(2) Procedures, in accordance with federal law or guidance published by federal agencies responsible for enforcing federal law, pertaining to money laundering and financing of terrorist activity.(3) Filing reports under the Bank Secrecy Act (31 U.S.C. Sec. 5311 et seq.) or Chapter X of Title 31 of the Code of Federal Regulations and other federal or state law pertaining to the prevention or detection of money laundering or financing of terrorist activity.(e) A licensee's information security and operational security policy shall include reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of any nonpublic personal information or digital financial asset it receives, maintains, or transmits.(f) A licensee shall file with the department a copy of a report it makes to a federal authority.(g) A licensee's protection policy under subdivision (e) for residents shall include all of the following:(1) Any action or system of records required to comply with this division and other state law applicable to the licensee with respect to digital financial asset business activity with, or on behalf of, a resident.(2) A procedure for resolving disputes between the licensee and a resident.(3) A procedure for a resident to report an unauthorized, mistaken, or accidental digital financial asset business activity transaction.(4) A procedure for a resident to file a complaint with the licensee and for the resolution of the complaint in a fair and timely manner with notice to the resident as soon as reasonably practical of the resolution and the reasons for the resolution.(h) After the policies and procedures required under this section are created by the licensee, the licensee shall engage a responsible individual with adequate authority and experience to monitor each policy and procedure, publicize it as appropriate, recommend changes as desirable, and enforce it.(i) A licensee may request advice from the department as to compliance with this section and, with the department's approval, outsource functions, other than compliance, required under this section, and may request a determination from the department that a policy or procedure is not subject to the disclosure requirement described in subdivision (k) due to potential security risks.(j) Failure of a particular policy or procedure adopted under this section to meet its goals in a particular instance is not a ground for liability of the licensee if the policy or procedure was created, implemented, and monitored properly. Repeated failures of a policy or procedure are evidence that the policy or procedure was not created or implemented properly.(k)(1) Except as provided in paragraph (2), policies and procedures adopted under this section shall be disclosed separately from other disclosures made available to a resident, in a clear and conspicuous manner and in the medium through which the resident contacted the licensee.(2) This subdivision does not apply to either of the following: (A) An adopted information security program or an operational security program described in subdivision (a).(B) Any policy or procedure the department previously determined is not subject to this subdivision due to potential security risks.Added by Stats 2023 ch 792 (AB 39),s 1, eff. 1/1/2024.