'People are getting scammed': A top California regulator has major crypto worries

Suzanne Martindale, who leads California’s financial consumer-protection efforts, sees the industry moving fast and regular people getting hurt.

Suzanne Martindale

Suzanne Martindale told Protocol why regulating crypto has become critical and challenging.

Photo: DFPI

Suzanne Martindale, head of California’s Division of Consumer Financial Protection, had just joined the state’s financial regulatory body in early 2021 when crypto suddenly became a serious consumer concern.

Crypto’s explosive growth sparked heightened worries about consumers dabbling in a volatile market and getting ripped off in the process.

“I would say that 2021 really was the year that everything seemed to get turbocharged,” Martindale, a senior deputy commissioner at California's Department of Financial Protection and Innovation as well as head of the financial protection division, told Protocol.

“We are getting complaints where people are just straight-up being defrauded,” she said.

The resulting push to regulate crypto has kept Martindale busy.

She began the week by studying a new bill — AB 2269, filed by Assemblymember Timothy Grayson — that would require crypto companies offering financial products in California to register with the DFPI.

Martindale described the proposal as “a massive new bill that would create a new kind of crypto native licensing program in California.” It would be a big change for a state that’s taken a mostly hands-off approach, even as San Francisco’s become a hub for the crypto industry and Sand Hill Road has raised billions to invest in startups.

In an interview with Protocol, Martindale discussed why regulating crypto has become critical and challenging, given the industry’s rapid expansion, and how California can play an important role in this effort.

This interview has been edited for brevity and clarity.

What would California’s AB 2269 do if passed?

By and large, it is a bill that would create a new licensing regime for crypto finance. It would direct our department to stand up a new licensing program over crypto finance. It would sweep up a lot of the crypto-asset-related financial products out there and subject them to required licensing and examination. It is designed to be a consumer protection bill, to establish minimum standards for various crypto-related products and services.

What is in place now? What are crypto companies required to do given the current laws?

There’s no one-size-fits-all answer at this point. We've had discussions over the last several years. The term “fintech” has become popular, and you have tech companies wading into the financial services market.

You can talk about technology all day long, but when it comes to consumer finance, there are four kinds of activities people engage in: They're spending, they're saving, they're borrowing or they're investing. That's always where I start: What kind of activity are we talking about?

Because in some cases, some products and services that may be marketed as tech may still fall squarely under one of those buckets: “Oh, it looks like a deposit account. It looks like a form of payment. It looks like a loan or it looks like an investment product.”

What we look at is really the activity. There are different kinds of products out there. There's a wallet where you can hold assets. You may send money to a friend. You may be borrowing against your bitcoin, using it as collateral or you might be taking on an investment product.

There may be a different answer depending on the use case for what laws may or may not apply. That's the debate that everyone is having right now.

We're trying to take a measured approach. We don't want to go too slow or too fast. We want to do it right with the explosion in these offerings and the increasing activity at the retail customer level.

We know we need to act, but we want to do it right. We are getting complaints where people are just straight-up being defrauded. We know that there are people that are just outright just getting scammed, and so we don't want to move too slow either.

If this bill passes, what would be the next step for the DFPI?

We would have to put in a budget request to hire a bunch of new staff to implement this. We would have to pivot quite substantially to implement a new licensing program that may indeed override some of the work that we were contemplating doing on the regulatory and administrative level.

Wouldn’t it help provide clarity, or create more confusion potentially?

We need to analyze it. I'm someone who likes to be plain-speaking and give clear, your-grandma-can-understand kind of answers. Part of the challenge, part of the vexing challenge with crypto — and this has been the case for years in the area where crypto meets finance — even getting stakeholders to use a common set of terms, we're not even there yet.

You have people that are still saying “crypto assets” or “cryptocurrency.” In the Biden executive order, they use the term “digital asset.” By and large, in our executive order, we have “crypto assets and related” financial products and services.

People use different terms and have different kinds of preconceived notions in their heads about what this may or may not be. We need to all be speaking the same language as regulators and as stakeholders in this process so that we can be on the same page to even have coherent policy debates. And that's part of the challenge here.

New York introduced its own crypto licensing program a few years ago. What have been the big lessons from that experience?

I can't speak for New York. To create a crypto-specific licensing regime, that's one approach.

What we're doing right now is taking a look at the laws we already have. We have this new California Consumer Financial Protection Law that passed in 2020. That's modeled after Dodd-Frank. That gives us broad and flexible general authority over financial products and services.

We already have statutory authority, and a broad definition of financial product and service where we could leverage the existing tools we have to establish supervision and examination and potentially draft rules of the road through regulation for financial products and services.

There's an open question: Do you craft an entirely new bucket that's for crypto? Or do you leverage the existing laws that you already have and just clarify when a company that is engaging in financial products and services, XYZ-product features, you know, does it already fit under an existing bucket? Or do you have to create a new bucket?

That's kind of the open question that we're now going to be facing, particularly with this legislation now being introduced.

So, there's still a debate.

Very much so. Absolutely, there's a debate.

Coinbase wants a separate regulator for crypto.

Right. I understand that people get frustrated all the time with the fact that technology outpaces the law. The California Consumer Financial Protection Law gives us broad definitional jurisdiction over financial products and services. You can call yourself whatever you want, but what we're going to ask is: What are you doing?

Are you offering a product or service that facilitates deposit taking? Does it look a lot like banking? Are you offering some sort of product that looks like an investment? Are you maybe a security? Are you offering a way to send or receive funds? Does that look like payments? Or are you offering something that gives people an advance on funds that kind of sounds like credit or loans?

Again, the four pillars of consumer finance are spending, saving, borrowing and investing. So we're going to look at the activity first. So I'm always going to ask the question: Do we need a new law? Do we need a new licensing regime? Or are these products, all things being equal, already covered by existing financial laws?

Maybe those financial laws aren't good enough. Maybe they don't quite fit. But let's start with what authority do we already have before we're looking at whether there are actual changes [we need to make] or you need a new license, or you need a new regulator completely to somehow handle these products and services.

All of those things you mentioned many crypto companies are doing.

Yeah. If there is something in a particular statute that just doesn't quite fit, let's have a conversation about it. But I think starting at the high level, I am not someone who says, “Oh, there's a new technology involved. Therefore, we need entirely new laws.”

That may or may not actually be the case. You really have to drill down, look at the facts and circumstances, look at what these companies are actually offering. Again, there's no one-size-fits-all answer in this.

That's why the executive order in California includes extensive stakeholder engagement. We published our invitation to comment a few days ago. We asked a series of questions about approaches to regulating this space. We're also directed to develop consumer protection principles.

At a very high level, if you want to be a good guy, here's the kinds of things you should be thinking about.

A lot of it's going to be pretty common sense, like truth in advertising, good customer service and a way to have error resolution procedures so people can fix problems, have a way to handle complaints — stuff that traditional companies have long been required to do under various laws.

We're going to be having meetings with various stakeholders and various industry segments and obviously with community groups and people who are using these products as retail customers to get a better sense for where the biggest risks are and where we should be allocating our resources to really provide some sanity to what is still an increasingly growing and often volatile ecosystem.

What are the most common consumer complaints you’ve received?

Some of it's been customer service issues. Some of it's been criminal fraud: the romance scams and affinity scams. It's — often, unfortunately — heartbreaking that there's just really very little we can do.

How do you compare the need to regulate crypto with the way other past trends or technologies had to be regulated?

It's moving very fast. I would say that 2021 really was the year that everything seemed to get turbocharged. For a while, it was just some early adopters and people that had money to burn. It was folks that were kind of crypto enthusiasts who were comfortable with the speculative nature of it. It was a relatively small pool of people, largely in the tech world, who are engaging.

But last year was the first year that we started getting complaints from regular folks that were saying, “Hey, I saw what I think was going to be a great deal and I thought, ‘Oh, this would be an alternative to traditional banks, and I could put my savings in it’ and, oops, my account got wiped out by a hacker and now I have no money.”

Last year was the first year we really heard that.

It's still an emerging issue. It doesn't quite compare to — I'm remembering back in the years building up to the foreclosure crisis, where community groups and advocates are sounding the alarm bell: “This is a ticking time bomb; you're putting people in mortgages they can't afford.” Then we hit that precipice and the global collapse of the financial system.

I don't think that we're there, in part because this has become a parallel system, right? These folks, by and large, are not in the banking system. So it's not quite the same thing as the real estate bubble of the 2000s or anything like that.

It still feels like early days. But it also feels like the pace is so much faster. It does feel like the next year to two years are going to be very critical for regulators across jurisdictions to start to put down some guardrails where the law is clear, where [if] there are obvious violations really start to draw some lines in the sand, like, “No, this is clearly illegal.”

The next year or two I think is going to be critical.

Another trend is the growing interest of institutional investors in crypto, highlighted by Fidelity’s announcement that it plans to allow retirement account holders to invest in bitcoin.

Certainly, we're seeing a lot of capital flowing. That certainly is going to be of interest to us. We're not necessarily going to say that a lot of investment in a particular space is an unqualified good or unqualified bad.

We need to take a look at what's going on and get the best information and then just make sure that we are adaptive. People may find this odd coming from a regulator, but we're trying to be nimble here. We're trying to get in front of these emerging issues so that we're not waiting until after everyone's been ripped off, or you and the bad actors have made good money and the good actors have been outcompeted. We don't want that to happen.

Again, we have to balance that with: If we rush in too fast before we have good information, we could potentially make the wrong call. We don't want to make the wrong call.

Where the money flows may or may not be indicative of what actually is responsible. It just indicates stakeholder interest, and it means that we need to be where those conversations are happening.

California, historically, has been known to set the pace for different areas of regulations. How do you view efforts to regulate crypto in Washington and other states?

Well, California, on its own, is the fifth-largest economy in the world. Often, businesses and industries often start and grow here. We are a resource-rich state in more ways than one. In many instances, where California goes, so goes the nation. We do think we have a responsibility to play a leadership role in this space.

Washington can't do everything from Washington. We strongly believe that there is an important role for states to play in regulating industries and protecting our residents. So we’re doing this all in concert with our federal partners. We don't want to create conflicting rules that don't make sense.

Every day, millions of us press the “order” button on our favorite coffee mobile application. When we arrive at the coffee shop, we expect that our chosen brew will be on the counter a few minutes later. It’s a personalized, seamless experience that we have all come to expect. What we don’t know is what’s happening behind the scenes. The mobile application is sourcing data from a database that stores information about each customer and what their favorite coffee drinks are. It is also leveraging event-streaming data in real time to ensure the ingredients for your personal coffee are in supply at your local store.

Applications like this power our daily lives, and if they can’t access massive amounts of data stored in a database as well as streaming data “in motion” instantaneously, you, and millions of customers, won’t have the in-the-moment experiences we all expect.

Keep Reading Show less
Jennifer Goforth Gregory
Jennifer Goforth Gregory has worked in the B2B technology industry for over 20 years. As a freelance writer she writes for top technology brands, including IBM, HPE, Adobe, AT&T, Verizon, Epson, Oracle, Intel and Square. She specializes in a wide range of technology, such as AI, IoT, cloud, cybersecurity, and CX. Jennifer also wrote a bestselling book The Freelance Content Marketing Writer to help other writers launch a high earning freelance business.

How the internet got privatized and how the government could fix it

Author Ben Tarnoff discusses municipal broadband, Web3 and why closing the “digital divide” isn’t enough.

The Biden administration’s Internet for All initiative, which kicked off in May, will roll out grant programs to expand and improve broadband infrastructure, teach digital skills and improve internet access for “everyone in America by the end of the decade.”

Decisions about who is eligible for these grants will be made based on the Federal Communications Commission’s broken, outdated and incorrect broadband maps — maps the FCC plans to update only after funding has been allocated. Inaccurate broadband maps are just one of many barriers to getting everyone in the country successfully online. Internet service providers that use government funds to connect rural and low-income areas have historically provided those regions with slow speeds and poor service, forcing community residents to find reliable internet outside of their homes.

Keep Reading Show less
Aditi Mukund
Aditi Mukund is Protocol’s Data Analyst. Prior to joining Protocol, she was an analyst at The Daily Beast and NPR where she wrangled data into actionable insights for editorial, audience, commerce, subscription, and product teams. She holds a B.S in Cognitive Science, Human Computer Interaction from The University of California, San Diego.

How I decided to exit my startup’s original business

Bluevine got its start in factoring invoices for small businesses. CEO Eyal Lifshitz explains why it dropped that business in favor of “end-to-end banking.”

"[I]t was a realization that we can't be successful at both at the same time: You've got to choose."

Photo: Bluevine

Click banner image for more How I decided series

Bluevine got its start in fintech by offering a modern version of invoice factoring, the centuries-old practice where businesses sell off their accounts receivable for up-front cash. It’s raised $767 million in venture capital since its founding in 2013 by serving small businesses. But along the way, it realized it was better to focus on the checking accounts and lines of credit it provided customers than its original product. It now manages some $500 million in checking-account deposits.

Keep Reading Show less
Ryan Deffenbaugh
Ryan Deffenbaugh is a reporter at Protocol focused on fintech. Before joining Protocol, he reported on New York's technology industry for Crain's New York Business. He is based in New York and can be reached at

The Roe decision could change how advertisers use location data

Over the years, the digital ad industry has been resistant to restricting use of location data. But that may be changing.

Over the years, the digital ad industry has been resistant to restrictions on the use of location data. But that may be changing.

Illustration: Christopher T. Fong/Protocol

When the Supreme Court overturned Roe v. Wade on Friday, the likelihood for location data to be used against people suddenly shifted from a mostly hypothetical scenario to a realistic threat. Although location data has a variety of purposes — from helping municipalities assess how people move around cities to giving reliable driving directions — it’s the voracious appetite of digital advertisers for location information that has fueled the creation and growth of a sector selling data showing who visited specific points on the map, when, what places they came from and where they went afterwards.

Over the years, the digital ad industry has been resistant to restrictions on the use of location data. But that may be changing. The overturning of Roe not only puts the wide availability of location data for advertising in the spotlight, it could serve as a turning point compelling the digital ad industry to take action to limit data associated with sensitive places before the government does.

Keep Reading Show less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories