California Fines Coinhub $675K as Fee Caps and Limits Become the Crypto ATM Battleground

California just turned crypto ATM policy into enforcement reality. The Department of Financial Protection and Innovation (DFPI) penalized Coinhub $675,000 for breaching the state’s Digital Financial Assets Law (DFAL), including $105,000 in restitution to Californians who were overcharged. The message is less about one operator and more about the rules that will govern cash-to-crypto ramps: fee caps, daily limits, and pre-transaction disclosures.

Regulators said that since 2024, LSGT Services, LLC—operating as Coinhub—exceeded maximum allowed markups, accepted cash transactions above the $1,000 daily cap, omitted required receipt details, and failed to present mandated disclosures before a sale. DFPI framed the action as a warning shot: legit operators are welcome, but those disregarding safeguards should expect consequences. It’s the agency’s fourth recent move against crypto ATM firms under DFAL; in June, DFPI fined Coinme $300,000, with $51,700 directed to California customers.

The core issue worth focusing on is the role of “fraud friction” baked into the ATM flow. Fee ceilings, hard cash caps, and prominent disclaimers are not box-checking; they are behavioral speed bumps designed to break scam scripts. Urgency scams—jury-duty threats, “pay this utility bill now,” or “release bail immediately”—depend on uninterrupted funnels. A $1,000 cash limit slows multi-hop laundering. A bold, pre-transaction warning interrupts compliance-by-intimidation. Transparent receipts create an audit trail that deters repeat abuse.

Technically, these safeguards are straightforward. Server-side pricing engines can enforce dynamic fee ceilings by jurisdiction; firmware can reject over-cap inputs; a policy layer can require a disclosure acknowledgment before any QR code is scanned; and network-wide velocity checks can block the same phone, wallet, or ID from fragmenting a large payment across machines. Tamper-evident logging and immutable receipt detail (amount, fee, effective rate, timestamp) reduce disputes and evidentiary gaps. None of this is exotic compared to the cost of armored cash cycles and liquidity hedging that ATM operators already manage.

The business tension is obvious: route density is expensive, cash handling is messy, and spreads fund the whole operation. When margins compress under caps, some operators are tempted to stretch fees or relax controls, especially when customers value speed over nuance. That’s a short-term win with long-term regulatory, reputational, and ultimately existential risk. Put differently: compliance is becoming the moat. Operators that codify DFAL rules at the edge, market fee transparency as a feature, and invest in scam-interrupt UX will consolidate market share as weaker players exit.

Policymakers are widening the perimeter. Spokane’s city council unanimously banned crypto kiosks over scam and crime concerns. New Zealand prohibited them in July, citing similar risks. In August, FinCEN issued an urgent alert about Bitcoin ATM–enabled scams, with particular harm to older Americans. An FBI report estimates that elderly victims lost nearly $3 billion to crypto fraud in 2024, despite being roughly 17% of the population. Local signals are flashing, too: Massachusetts police warned residents this week after two people collectively lost nearly $7,000 through a “missed jury duty” ruse that funneled payments into Bitcoin ATMs. These data points make it harder for regulators to ignore the channel’s misuse.

DFPI and Coinhub representatives did not immediately respond to requests for comment. Regardless, the direction of travel is clear. If crypto kiosks are going to remain part of the on-ramp stack, the industry will need to treat fee governance, cash limits, and disclosures as product features—not compliance chores. Operators that turn these levers into code and adopt network-wide anti-scam controls will survive the scrutiny; those leaning on opacity will keep running into fines and bans.