
February 22, 2026 · 18 min read

Interpreting DFPI Compliance Rules: What the FIPVCC Actually Requires

A practical interpretation of DFPI enforcement mechanics, the three-part coverage test, reporting components, anonymization architecture, and what this first filing cycle means in practice.

DFPI compliance · FIPVCC · DFPI rules · venture capital reporting · California regulation

California's Fair Investment Practices by Venture Capital Companies Law has been on most VC firms' radar since SB 54 passed in 2023, but the amendment via SB 164 changed the law in ways that matter — and with deadlines now weeks away, the details deserve careful attention. The DFPI compliance framework is more nuanced than most summary guides suggest, and a surface-level reading can leave firms exposed in ways they won't realize until it's too late.

The DFPI Took Over — and the Portal Still Isn't Ready

SB 164 transferred administration and enforcement from the California Civil Rights Department to the California Department of Financial Protection and Innovation. That transfer matters for how covered entities should think about their obligations, because the DFPI operates as a financial regulator with examination authority, not just a civil rights enforcement body. It can require production of records, demand written answers, and pursue penalties the way other financial regulators do.

What makes the current moment unusual is that the DFPI's registration portal is still under development as of this writing. The reporting form and the standardized demographic survey have been published, but the mechanism for meeting the March 1, 2026 registration deadline doesn't yet exist. Covered entities should be monitoring the DFPI's VCC Reporting Program page directly and frequently — the portal is expected before the deadline, but firms need to be ready to move quickly once it opens.

Who Is Actually Covered: The Three-Part Test

There's a common misconception that FIPVCC coverage is straightforward. It isn't. An entity must pass a three-part test before any obligations attach.

First, the entity must qualify as a "venture capital company" under Section 260.204.9 of the California Code of Regulations. That definition has three independent paths: an entity where at least 50% of assets (valued at cost, excluding short-term investments) are venture capital investments in any annual period; a "venture capital fund" under SEC Rule 203(l)-1 under the Investment Advisers Act of 1940; or a "venture capital operating company" under ERISA. A "venture capital investment" is defined as an acquisition of securities in an operating company where the adviser or an affiliate has or obtains management rights — meaning the contractual or ownership-based right to substantially participate in, influence, or provide guidance on management, operations, or business objectives. Board seats and observer seats routinely satisfy this. Notably, this analysis happens at the individual fund level, not at the adviser level, so a manager must run this analysis separately for each vehicle it advises.

Second, the entity must primarily engage in the business of investing in or providing financing to startup, early-stage, or emerging growth companies. "Startup" and "early-stage" are undefined in the law. "Emerging growth" is also undefined in the FIPVCC itself, though the JOBS Act definition — companies with annual gross revenues under $1.235 billion — provides some reference. Managers should look at how they've characterized their funds in offering documents and investor reports when making this determination.

Third, the entity must have a California nexus. This is where the law becomes surprisingly broad. Nexus can be established in four independent ways: being headquartered in California; having a significant presence or operational office in the state (both terms undefined, and whether California-based remote employees qualify is an open question awaiting DFPI guidance); making even a single venture capital investment in a California-based or California-operating business with no minimum threshold; or soliciting or receiving investments from a single California resident. That last prong is particularly significant — it means a fund with no California offices and no California portfolio companies is still a covered entity if it has even one California LP. The law is effectively national in scope for any fund that markets to California investors.

Registration: What Must Be Filed by March 1

The registration obligation is relatively straightforward in terms of content. Each covered entity must submit its name; the name, title, and email address of its designated point of contact; and the entity's email address, phone number, physical address, and website. This information must be kept current: updates are required as part of each annual report filing. Failure to update triggers the same notice-and-cure mechanics as a missed report.

The wrinkle is that this must be done at the individual fund level. A single investment manager advising five funds may have all five qualify as covered entities, each requiring its own registration. The law does permit a controlling entity to file a consolidated report on behalf of multiple covered entities, but "control" is not defined, so managers should consult counsel when structuring their reporting approach.

The Annual Report: What Must Be Filed by April 1

The annual report is significantly more involved than the registration. It covers the prior calendar year — meaning the first report, due April 1, 2026, covers investments made throughout 2025. If a firm hasn't already been tracking the required investment-level data for its 2025 portfolio, it needs to start immediately.

The report has three distinct components. The first is aggregated founding team demographic data across eight categories: gender identity (including nonbinary and gender-fluid identities), race, ethnicity, disability status, LGBTQ+ identification, veteran or disabled veteran status, California residency, and whether any founding team member declined to provide any of the above. This data is reported only to the extent founders voluntarily provided it via the required survey — but the obligation to report exists regardless of survey response rates.

The second component is diverse founder investment metrics. For each demographic category, the report must state the number of investments made in businesses "primarily founded by diverse founding team members" as a percentage of total investments, and the total dollar amount of those investments as a percentage of total investment dollars. "Primarily founded by diverse founding team members" has a specific meaning: more than half of the founding team members must have responded to the survey, and at least half of respondents must self-identify as belonging to one or more diverse categories. This definition is response-rate dependent, which creates a subtle planning consideration.

The third component is investment-level data — the total dollar amount invested in each portfolio company and each company's principal place of business. This portion is not optional and does not depend on founder survey participation. Even if every founding team member at every portfolio company declines the survey, the covered entity must still file an annual report containing this investment-level information.

The Survey: Where Most Firms Will Encounter Problems

The DFPI has published a standardized survey form, and covered entities must use it — no custom versions. The survey can only be distributed after two conditions are met: the investment agreement has been executed and the first transfer of funds has occurred. Pre-investment survey distribution is not permitted.

The anti-influence prohibition is absolute. Neither the covered entity nor the DFPI may encourage, incentivize, or attempt to influence a founding team member's decision to participate in any way. The survey must disclose that participation is voluntary, that no adverse action will result from declining, and that only aggregated data will be reported.

The most technically demanding requirement is anonymization. Covered entities must collect and report survey data in a manner that does not associate responses with any individual founding team member. This is not a procedural requirement — it's an architectural one. A Google Form sent to founders routes identifiable responses directly to whoever controls the form. A spreadsheet where someone manually inputs survey answers creates an inherently identifiable record. The law requires that the system itself prevent re-identification, which is a fundamentally different standard than simply promising to keep data confidential.

This is compounded by the small-population problem. A portfolio company with a single founder makes anonymization structurally impossible with standard tools — any reported data is automatically re-identifiable. The compliance architecture needs to account for this, which is why the DFPI, and several major law firm analyses, have recommended using third-party survey tools that aggregate data before it ever reaches the deal team.
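
The aggregate-before-it-reaches-the-deal-team design described in the two paragraphs above, sketched as an added example (not code from the DFPI, the statute, or any vendor). The class names, the one-time token scheme, the sample answers, and the `MIN_GROUP` threshold of 5 are assumptions made for illustration.

```python
import hashlib
import secrets
from collections import Counter

MIN_GROUP = 5  # assumed suppression threshold; not a figure from the law or the DFPI


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class InvitationService:
    """Hands out one-time tokens. Keeps only token hashes, never a token-to-founder map."""

    def __init__(self) -> None:
        self._unused: set[str] = set()

    def issue(self) -> str:
        token = secrets.token_urlsafe(16)
        self._unused.add(_digest(token))
        return token  # delivered to the founder, then forgotten by this service

    def redeem(self, token: str) -> bool:
        digest = _digest(token)
        if digest not in self._unused:
            return False  # unknown or already used: rejects replays and guesses
        self._unused.remove(digest)
        return True


class Aggregator:
    """Survey side. Stores running counts only: no rows, tokens, or timestamps."""

    def __init__(self, invitations: InvitationService) -> None:
        self._invitations = invitations
        self._counts: Counter = Counter()
        self._responses = 0

    def submit(self, token: str, answers: dict[str, str]) -> bool:
        if not self._invitations.redeem(token):
            return False
        self._counts.update(answers.items())  # (category, answer) pairs
        self._responses += 1
        return True  # the individual answer set is discarded here

    def report(self) -> dict:
        if self._responses < MIN_GROUP:
            return {"released": False, "cells": {}}  # solo-founder case lands here
        cells = {f"{c}={a}": (n if n >= MIN_GROUP else f"<{MIN_GROUP}")
                 for (c, a), n in sorted(self._counts.items())}
        return {"released": True, "responses": self._responses, "cells": cells}
```

This is primary suppression only: with the response total published, a masked cell can be recovered by subtraction when a category has two answers, so a production release also needs complementary suppression or coarser buckets. Reports should also be generated once per cycle rather than after each submission, since comparing two consecutive reports reveals the answers that arrived between them.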

Record Retention and Examination Authority

Covered entities must retain all records related to each report for at least five years after submitting it. The DFPI has examination authority: it can require production of documents, demand written answers, and assess compliance against the retained records. This creates a documentation requirement that runs parallel to the anonymization requirement — firms need records sufficient to demonstrate compliance, without those records creating the identity linkages the law prohibits.

Penalties and the 60-Day Cure Period

DFPI compliance failures follow a notice-and-cure structure. If a covered entity misses the April 1 filing deadline, the DFPI must provide written notice and allow 60 days to file without penalty. The same applies to failures to update registration information. After the cure period, the DFPI can pursue injunctive relief, recovery of reasonable attorneys' fees and investigative expenses, and civil monetary penalties up to $5,000 per day of non-compliance. For reckless or knowing violations, penalties can exceed that ceiling.

When determining penalty amounts, the DFPI Commissioner considers mitigating factors including the entity's financial standing, assets under management, the nature of the non-compliance, available financial resources, and history of prior violations. The Commissioner may also compromise or remit penalties already ordered.

Worth noting: reports are published publicly on the DFPI's website. The financial penalty for non-compliance is real, but for many firms, the reputational exposure from being publicly listed as a firm that failed to file — or filed incorrectly — is the more consequential risk.

What the Law Doesn't Require

Given the sensitivity of what's being collected, it's worth being precise about what FIPVCC does not do. It does not require firms to make investments based on founder demographics. It does not mandate any particular diversity outcome. It is a disclosure law, not a quota or mandate. That distinction matters both for understanding the law's actual scope and for communicating about it accurately to LPs, portfolio companies, and founders.

The law is not without legal uncertainty — some commentators believe it overreaches with respect to entities that have only minimal California contacts, and constitutional challenges remain possible. The consistent recommendation across legal practitioners, however, is to comply unless and until enforcement is legally stayed.

For covered entities working through their first reporting cycle, the complexity is real but manageable with the right preparation. The technical challenge isn't understanding what the law requires — it's building infrastructure that can collect sensitive demographic data without ever storing it in identifiable form. Standard tools like Google Forms and spreadsheets create exactly the kind of identity linkage the law prohibits, and attempting to manually anonymize responses introduces compliance risk that scales with every portfolio company added. Firms need purpose-built infrastructure that aggregates responses in real-time, architecturally separates the invitation system from the survey system, and automatically shields solo-founder companies from re-identification through small-population inference. If this reporting is required, compliance should be possible without forcing each VC firm to become a sensitive-data processor. Learn more about automated FIPVCC compliance at ComplywithVCC.com.