This month, lawmakers in Kentucky introduced a new bill that critics say could make self-custody impossible for hardware wallet makers without building a backdoor into their products. It comes after the passage of a bill last year to protect residents’ right to use crypto wallets.
The vehicle is HB 380, a consumer protection measure targeting cryptocurrency kiosks. The core provisions are substantive: a $2,000 daily transaction limit, a $10,500 limit for new user accounts, a 72-hour cancellation period, fee caps, mandatory scam warnings, and defined refund rights for fraud victims.
The FBI’s 2024 Internet Crime Complaint Center report documented 10,956 complaints related to crypto kiosks, resulting in $246.7 million in losses, a 31% increase from 2023. Victims over 60 accounted for about $107.2 million of that total.
What lawmakers inserted, however, was House Floor Amendment 3, filed on March 12, one day before the House passed HB 380 85-0.
Section 33 of that amendment requires any “hardware wallet provider” to provide live customer service and “provide a mechanism for and assistance in resetting any password, PIN, seed phrase or other similar information” needed to access the wallet.
Violations of Kentucky’s consumer protection law have consequences for unfair and deceptive trade practices.
The contradiction in the light of constitutional law
HB 701, signed in March 2025, defined a hardware wallet as a device that stores private keys offline and allows the owner to maintain independent control.
The bill also defined a self-hosted wallet in identical terms, such as ownership, independence and private keys, while explicitly stating that an individual should not be prohibited from using a wallet.
The Kentucky Legislature wrote these definitions to protect the very architecture that Section 33 now asks hardware wallet providers to circumvent.
| Subject | HB 701 (2025) | HB 380 + HFA 3 / Section 33 (2026) |
|---|---|---|
| Wallet philosophy | User retains independent control | The provider should assist in resetting access |
| Definition of hardware wallet | Stores private keys offline | Treated as a usable consumer product |
| Self-hosted wallet principle | The user manages assets and keys | The provider may require a recovery path |
| State posture | Protects wallet use | Increase exposure to deceptive business practices |
| Practical effect | Strengthens self-control | Critics say this puts a strain on repairability and backdoor design |
A seed phrase acts as the master cryptographic reference from which every private key in a non-custodial wallet arises. Anyone who owns it owns the assets. That’s exactly why the default no-save design gives the basic phrase to the user upon installation and then destroys any copy from the manufacturer.
Trezor clearly states that without a wallet backup, users will not be able to restore their wallet, and if the backup is lost, the wallet will become inaccessible. This conscious design choice means that repair is entirely the responsibility of the user.
Ledger offers an optional paid recovery service, Ledger Recover, which allows subscribers to reconstruct a seed phrase using identity-verified snippets stored with third parties.
The company claims that non-subscribers will continue to manage the seed phrase themselves, and that the recovery flow will require a subscription, physical consent on the device, and identity verification.
Section 33 treats voluntary opt-in recovery and mandatory manufacturer assistance as equivalent obligations. As written, any hardware wallet provider operating in Kentucky should make this recovery mechanism available to every user, regardless of whether the user wants it.
The Bitcoin Policy Institute said just that in a March 20 letter to the Senate. Complying with Section 33 would mean storing the seed sentences on the server or implementing a remote reconstruction path, which would result in a ‘cryptographic backdoor’. The letter then urged the Senate to remove the provision before taking any substantive action.
What happens if the Senate acts on the bill as written?
HB 380 cleared the House and arrived in the Senate on March 16. As of March 23, the chamber was adjourned until March 24, with HB 380 not listed among the passing orders posted.
The legislative session in Kentucky runs through March 27, with a consensus period from March 31 through April 1 before the veto period expires and the Legislature adjourns on April 15. The Senate has a narrower window.
If the chamber passes HB 380 with Section 33 intact, the immediate impact falls on manufacturers.
Pure, non-custodial sellers, whose products are designed so that only the user ever controls the basic sense, are exposed to deceptive business practices that they cannot cure without redesigning their products.
Possible outcomes include some taking on that exposure, while others will decide that Kentucky is not worth the compliance costs and withdraw from the market or limit sales to residents.
Both outcomes degrade the self-determination options available to Kentuckians, precisely contrary to what HB 701 was written to protect.
Section 33 distributes the compliance burden unevenly among hardware wallet makers.
Vendors that already offer optional recovery products, such as Ledger, are closer to compliance than vendors that have never saved a seed sentence or built a recovery path.
A state mandate that rewards remediable architecture and punishes pure self-restraint architecture is essentially a regulatory thumb on the product market.
Which would keep a correction in the Senate
The more direct resolution is a targeted amendment.
If the Senate eliminates Section 33 entirely, or narrows the language to exclude self-hosted and non-custodial devices, as defined in HB 701, Kentucky will retain its anti-fraud kiosk framework without rolling back its own two-year-old wallet sovereignty policy.
The core consumer protections of daily limits, refund windows, scam alerts and rate caps remain intact under both approaches.
That path also puts Kentucky in line with the direction outlined by the Office of the Comptroller of the Monetary Fund in its March 2 stablecoin custodial proposal, which explicitly excluded from the custodial obligation any entity that merely provides hardware or software that facilitates a person’s self-custody of private keys or payment stablecoins.
Meanwhile, Washington is making room for self-custody tools, and Tennessee has taken a harder line on kiosks, introducing a 2026 bill that would make operating a virtual currency kiosk a Class A misdemeanor.
Both data points consider Kentucky a live test case, without determining which direction it will go.
Kentucky’s kiosk problem is real, the legislative response is largely proportionate, and the consumer protection instinct behind HB 380 is defensible on the merits. Section 33 operates at a different level, as it imposes an affirmative design duty on a class of products defined in Kentucky’s own prior law by the absence of precisely that duty.
The Senate can neatly resolve that contradiction before the session closes.
If Section 33 remains intact, the state’s 2025 commitment to pocketbook sovereignty and the 2026 expansion of deceptive trade practices will work in opposite directions, leaving manufacturers to decide which law to circumvent.