California's Department of Financial Protection and Innovation has ordered Anh Management, LLC dba Hermes Bitcoin to cease all digital financial asset business activity in California by 5:00 PM Pacific Daylight Time on May 20, 2026, under a settlement agreement that imposes a suspended $9.9 million administrative penalty and finds Hermes violated the state's Digital Financial Assets Law (DFAL), the California Consumer Financial Protection Law (CCFPL), and federal Bank Secrecy Act anti-money laundering rules.
The settlement, signed April 30, 2026 by DFPI Commissioner Khalil Mohseni and Hermes CEO Harry Anh, resolves a September 18, 2025 Desist and Refrain Order and Notice of Intent to Issue Administrative Penalties. For California consumers and operators, it is the most concrete enforcement of California's new kiosk rules to date — and the first to result in a Southern California operator being forced out of the state absent a DFAL license.
Case: In the Matter of the Commissioner of Financial Protection and Innovation v. Anh Management, LLC dba Hermes Bitcoin
Forum: California Department of Financial Protection and Innovation
Settlement Signed: April 30, 2026
California Operations Cease: 5:00 PM PDT, May 20, 2026
Suspended Penalty: $9,900,000
Legal Basis: Cal. Fin. Code §§ 90003(a)(1)–(2), 3902, 3904, 3905(a), 3905(b); 31 C.F.R. § 1022.210
What DFPI Found
The settlement recites the Commissioner's findings that Hermes — which marketed itself on hermesbitcoin.com as "Southern California's premier Bitcoin ATM company" and published instructions titled "HOW TO BUY BITCOIN ANONYMOUSLY IN THE SAFEST WAY POSSIBLE" — violated every major operator-facing requirement under the DFAL since the law's phased rollout began in 2024.
The DFAL Provisions Hermes Violated
The DFAL took effect in phases. As of January 1, 2024, Financial Code section 3902 prohibits any operator from accepting or dispensing more than $1,000 per day per customer at a kiosk. As of January 1, 2025, two additional sets of obligations apply:
DFAL § 3904 — Fee Cap: Operators cannot collect direct or indirect charges on a single transaction exceeding the greater of $5 or 15% of the U.S. dollar equivalent of the digital asset (priced against a licensed digital asset exchange at the time the customer initiates the transaction).
DFAL § 3905(a) — Pre-Transaction Disclosure: Before any transaction, the operator must give the customer a clear, conspicuous, written disclosure of the asset amount, all fees in U.S. dollars, the price charged versus the listed exchange price, and a warning that transactions are final and non-refundable if no refund mechanism exists.
DFAL § 3905(b) — Receipt Contents: Every receipt must include, among other items, the customer's name and the licensed exchange used to calculate the spread between the price charged and the listed market price.
According to the settlement findings, Hermes failed each of these requirements. It exceeded the $1,000 daily cap 29 times since January 2024, charged more than the statutory fee ceiling on more than 3,006 transactions since January 2025, omitted the required pre-transaction disclosure on those same 3,006-plus transactions, and printed more than 14,120 receipts missing the customer name or the exchange used to calculate the spread.
The BSA/AML Failures
The findings on customer identification are arguably more damaging. Hermes maintained a written 2024 "Know Your Customer (KYC)/Customer Due Diligence (CDD) Policy" that, on its face, required collection of the customer's full name even for transactions of $1,000 or less and stated that "Hermes Bitcoin will not grant any exceptions."
The Commissioner found Hermes did not follow its own policy. In 2024, customer names were missing from over 30% of processed transactions. Between January 1 and April 30, 2025, that rate worsened to more than 60%. DFPI characterized this not just as a recordkeeping problem but as the operation of an AML program that was not commensurate with risk, in violation of 31 C.F.R. § 1022.210(a), (b), and (d)(1)(i).
"Since January 1, 2024, Hermes conducted at least 4,163 California transactions in which it failed to collect sufficient identifying information from its customers to know or verify the identities of those customers… In 2024, Hermes failed to collect customer names for over 30% of its processed transactions. Between January 1 and April 30, 2025, the issue worsened, with customer names missing from more than 60% of the transactions."
— Commissioner's Findings, Settlement Agreement ¶ GG
What the Settlement Actually Does
The structure of the settlement is important. The $9.9 million penalty is not paid up front. Under Paragraph 5, the penalty is imposed under Financial Code § 90012(c) but becomes "due and payable" only if Hermes fails to comply with the settlement. The operative remedy is a forced exit from California:
Operative Terms of the Settlement
Notably, Paragraph 19 specifies that Hermes's signature "does not constitute admission or denial of any of the allegations." The findings are recited as the Commissioner's, not stipulated facts. But Paragraph 18 makes them admissible against Hermes in any future licensing or enforcement proceeding involving the company.
Why This Matters: California's First DFAL Kiosk Exit
The DFAL, enacted in 2023, layers operator obligations onto kiosks in stages. Registration of kiosk locations, the $1,000 daily cap, and receipt-content requirements applied beginning January 1, 2024. The 15% fee cap and pre-transaction written disclosure requirements applied beginning January 1, 2025. Full DFAL licensing under § 3201 is required for ongoing covered business with California residents on or after July 1, 2026.
The Hermes settlement is the clearest signal yet that DFPI intends to enforce the existing conduct rules now — not wait until the July 2026 licensing trigger. It also confirms how DFPI reads the statute: the $1,000 cap is per customer per day per operator (not per transaction), the 15% fee cap is tied to the U.S. dollar equivalent of the asset priced at a licensed exchange (not to the cash tendered), and the receipt-name requirement applies even to small transactions an operator might consider "Tier 1."
It also sits alongside DFPI's earlier consent orders against Coinhub and RockItCoin, indicating that California is now reaching beyond the largest national operators to regional players.
What This Means for Hermes Customers
If you use a Hermes Bitcoin kiosk in California:
- Hermes must cease California operations at 5:00 PM PDT on May 20, 2026. Kiosks should stop accepting California transactions after that deadline unless Hermes obtains a DFAL license.
- If you sent money to a scammer through a Hermes kiosk on or after January 1, 2024, the DFPI findings — including more than 4,000 transactions with inadequate customer identification — may be relevant to any complaint or recovery action. File a complaint with DFPI and review our consumer protection resources.
- The settlement does not provide direct consumer restitution. The $9.9 million penalty is suspended and paid to the state only if Hermes violates the settlement.
- Hermes transactions are typically irreversible. Do not send cryptocurrency to anyone you have not met in person, regardless of which operator's kiosk you are using.
What This Means for Operators
The Hermes findings read as a compliance checklist for any operator still doing business with California residents:
- The $1,000 daily cap is hard. DFPI counted each of 29 transactions over the cap as a discrete violation. Operators relying on "Tier 1 / Tier 2" structures that allow customers to exceed $1,000 with additional verification are out of compliance.
- The 15% fee cap is calculated on the asset, not the cash. DFPI has previously warned that some operators misapply the 15% to cash tendered. The Hermes finding of 3,006-plus fee violations confirms DFPI is auditing fee math, not just disclosures.
- KYC must match policy. Maintaining a strict written KYC policy and then routinely waiving it — Hermes missed customer names on 60%+ of early-2025 transactions despite a written "no exceptions" rule — is treated as both a recordkeeping failure and an ineffective-program failure under 31 C.F.R. § 1022.210(a) and (b).
- Receipt content is enforced line-by-line. Missing the customer name or the name of the licensed exchange used to calculate spread is independently actionable under DFAL § 3905(b)(1) and (8).
- Suspended-penalty structures are now in DFPI's toolkit. The Commissioner extracted a market exit, not a check. Operators facing similar investigations should expect to be offered the same trade: cease California operations or pay.
Operators continuing to serve California residents past July 1, 2026 without a DFAL license — or a complete license application on file — face the same exposure Hermes faced, with the added problem that the Hermes settlement is now a public benchmark for the size of penalty DFPI considers appropriate. Trust scores and enforcement histories for operators in California and nationwide are tracked in the operators directory.
What to Watch Next
Three things bear watching after May 20. First, whether Hermes files a DFAL license application — the settlement does not bar one, though Paragraph 18 ensures the findings will be on the record if it does. Second, whether DFPI uses the same suspended-penalty structure against other operators with pending investigations in California. And third, whether the July 1, 2026 licensing deadline produces a wave of additional exits from California, as smaller operators conclude that DFAL compliance — and the threat of multi-million-dollar suspended penalties — is no longer compatible with their business model.