Kentucky‘s House Bill 380, a wide-ranging piece of legislation targeting crypto ATM operators, has drawn sharp criticism over a late addition that would require hardware wallet providers to give users a way to reset passwords, PINs, seed phrases, or similar access credentials. The provision, known as Section 33, was inserted as a last-minute floor amendment during House debate. Critics from the crypto industry argue the requirement reflects a fundamental misunderstanding of how self-custody technology works. The bill itself passed the full House chamber 85-0 on March 13 and has since been referred to the Senate Committee on Committees.
Hardware wallets are physical devices that store cryptographic private keys offline, designed so that only the user — not the manufacturer — can access or recover them. Joe Ciccolo, Founder and President of BitAML, told Decrypt that the amendment is “likely far more indicative of a misunderstanding than a deliberate attempt at control.” He noted that unlike traditional financial systems where credential recovery is routine, “there is no central authority capable of resetting access credentials” in a self-custody model. Policymakers, he said, often struggle with this concept.
The Bitcoin Policy Institute described the mandate as “technologically impossible for non-custodial wallets” and announced it is sending a letter to the Kentucky Senate to highlight the dangers of the language. The organization warned that requiring a backdoor mechanism would undermine Bitcoin‘s core security model and push users toward centralized custodians, which are considered more vulnerable to hacks and failures. Conner Brown, Managing Director at the Bitcoin Policy Institute, wrote on X that “Kentucky is suddenly about to ban self-custody.”
Ciccolo warned that complying with the provision would effectively force hardware wallet manufacturers to redesign their products in ways that compromise self-custody, or exit the Kentucky market entirely. He predicted that most non-custodial wallet providers would choose not to operate in the state rather than alter their fundamental security architecture. The consequences for consumers, he said, would include reduced choice and diminished privacy protections. He added that the very users the bill intends to protect would lose access to one of the most secure methods of storing digital assets.
On potential alternatives, Ciccolo pointed to social recovery mechanisms and multi-signature setups as approaches that can reduce risk without introducing centralized control. He emphasized that the best consumer protection lies in ensuring users understand both the advantages and responsibilities that come with self-custody. He also supported the Bitcoin Policy Institute’s decision to engage directly with Kentucky lawmakers, describing education as critical when proposals arise from a knowledge gap. Direct engagement with policymakers, he said, is the most effective path forward when consumer financial autonomy and security are at stake.
The broader bill, introduced in the House on January 14 and reported favorably out of the Banking and Insurance Committee on March 4, focuses on regulating virtual currency kiosk operators. It establishes licensing requirements and sets rules around transaction limits, disclosures, and refunds — provisions that have attracted wide political support and are expected to help the bill advance quickly through the Senate. The contested hardware wallet amendment, however, has introduced a significant point of contention that could complicate that path. Kentucky’s legislative action comes amid a wider national trend, with Connecticut halting Bitcoin Depot for compliance failures and Minnesota considering an outright ban on crypto ATMs.
Originally reported by Decrypt.
