Bill > HB2232

This bill requires any person operating a cryptocurrency kiosk, which is a machine that allows users to buy or sell digital currencies like Bitcoin, to obtain a license from the state's Department of Insurance and Financial Institutions (DIFI) by January 1, 2027. Applicants must submit detailed information about their ownership and management, undergo a criminal background check including fingerprinting, and pass a financial audit and review of their past financial and regulatory history. The bill also outlines strict verification procedures for all cryptocurrency kiosk transactions, including scanning government-issued identification, capturing live facial images to match the ID, performing two-factor authentication via phone and device, and verifying customer addresses. For transactions over $300, customers must certify the transaction's purpose and complete a fraud questionnaire. The bill prohibits anonymous or unverifiable transactions and mandates that suspicious transactions be frozen for at least 72 hours. Operators must maintain continuous video and audio recordings, GPS logs, facial capture logs, and transaction logs for at least seven years, and report any suspected fraud or coercion to authorities within fifteen minutes of discovery. There are also limitations on transaction amounts, with a maximum of $2,000 per customer in a 24-hour period, and prohibitions against knowingly assisting in fraud or disabling surveillance equipment. Each kiosk must prominently display and audibly play a warning about the irreversibility of cryptocurrency transactions and the potential for scams, with this warning needing to be shown for at least ten seconds, posted physically, provided in English and Spanish, and read aloud before any transaction. All customer information and transaction data are considered confidential and can only be shared with law enforcement, regulatory agencies, courts, or federal agencies involved in specific investigations. The bill also establishes civil penalties for violations, ranging from fines up to $100,000 for failing to implement surveillance, and criminal penalties for serious offenses like failing to report fraud or knowingly assisting in illegal activities. A new "Digital Asset Oversight Fund" will be established to hold civil penalties collected, and the DIFI is appropriated $4 million to administer these new regulations.

Budget and Finance, Business and Industry

https://apps.azleg.gov/BillStatus/BillOverview/83962