Crypto wallets to offer a backdoor recovery if buried amendment to state bill passes Senate


This month, Kentucky lawmakers advanced another bill that critics say hardware wallet manufacturers could not comply with unless they build a backdoor into their products, making true self-custody impossible to deliver. The move comes after the legislature passed a bill last year protecting residents’ right to use crypto wallets.

The vehicle is HB 380, a consumer-protection measure aimed at cryptocurrency kiosks. Its core provisions are substantive: a $2,000 daily transaction cap, a $10,500 limit on new-user accounts, a 72-hour cancellation window, fee caps, mandatory scam warnings, and defined refund rights for fraud victims.

The FBI’s 2024 Internet Crime Complaint Center report documented 10,956 complaints tied to crypto kiosks, resulting in $246.7 million in losses, a 31% rise from 2023. Victims over 60 accounted for roughly $107.2 million of that total.

Crypto kiosk losses
The FBI’s IC3 recorded $246.7 million in crypto kiosk losses across 10,956 complaints in 2024, with victims over 60 accounting for $107.2 million.

However, lawmakers also inserted House Floor Amendment 3, filed Mar. 12, one day before the House passed HB 380 85-0.

Section 33 of that amendment requires any “hardware wallet provider” to supply live customer service and “provide a mechanism for, and assistance with, resetting any password, PIN, seed phrase, or other similar information” needed to access the wallet.

Violations of the Kentucky consumer protection law carry consequences for unfair and deceptive trade practices.


The contradiction in the face of state law

HB 701, signed in March 2025, defined a hardware wallet as a device that stores private keys offline and allows the owner to retain independent control.

The bill also defined a self-hosted wallet in identical terms, such as ownership, independence, and private keys, while explicitly stating that an individual shall not be prohibited from using a wallet.

Kentucky’s legislature wrote those definitions to protect the very architecture that Section 33 now asks hardware wallet providers to circumvent.

| Topic | HB 701 (2025) | HB 380 + HFA 3 / Section 33 (2026) |
| --- | --- | --- |
| Wallet philosophy | User retains independent control | Provider must assist with access reset |
| Hardware wallet definition | Stores private keys offline | Treated like a serviceable consumer product |
| Self-hosted wallet principle | User controls assets and keys | Provider may need recovery path |
| State posture | Protects wallet use | Expands deceptive-trade-practice exposure |
| Practical effect | Reinforces self-custody | Critics say it pressures recoverability/backdoor design |

A seed phrase functions as the master cryptographic credential from which every private key in a non-custodial wallet derives. Anyone who holds it holds the assets. That is precisely why standard non-custodial design gives the seed phrase to the user at setup and then destroys any manufacturer copy.
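To make the derivation concrete, here is an added example (not code from the article or from any wallet vendor) that assumes the wallet follows the widely used BIP-39 and BIP-32 standards. It shows that the phrase alone deterministically yields the master key, so any retained copy is equivalent to custody, unless the user has also set an optional BIP-39 passphrase; the function names are hypothetical.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the public all-zero-entropy test phrase from the
# BIP-39 test vectors. It is widely known and must never hold funds.
SAMPLE_PHRASE = " ".join(["abandon"] * 11 + ["about"])

# Order of the secp256k1 curve; BIP-32 rejects master keys outside 1..N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def bip39_seed(phrase: str, passphrase: str = "") -> bytes:
    """Stretch a seed phrase into the 64-byte seed (PBKDF2-HMAC-SHA512, 2048 rounds)."""
    words = unicodedata.normalize("NFKD", " ".join(phrase.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple:
    """Split HMAC-SHA512(key=b"Bitcoin seed", msg=seed) into master key and chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("seed yields an invalid master key")
    return key, chain_code


def master_from_phrase(phrase: str, passphrase: str = "") -> tuple:
    """Everything a holder of the phrase (and passphrase, if any) needs."""
    return bip32_master(bip39_seed(phrase, passphrase))


def phrase_alone_suffices(phrase: str, user_passphrase: str) -> bool:
    """Would a party holding only a copy of the phrase derive the user's master key?"""
    users_key, _ = master_from_phrase(phrase, user_passphrase)
    # Hypothetical retained copy of the phrase, without the passphrase (assumption).
    copy_key, _ = master_from_phrase(phrase)
    return hmac.compare_digest(users_key, copy_key)


if __name__ == "__main__":
    print("seed prefix:", bip39_seed(SAMPLE_PHRASE).hex()[:16])
    print("no passphrase, copy suffices:", phrase_alone_suffices(SAMPLE_PHRASE, ""))
    print("with passphrase, copy suffices:", phrase_alone_suffices(SAMPLE_PHRASE, "TREZOR"))
```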

Trezor states plainly that without a wallet backup, users cannot recover their wallet, and that if the backup is lost, the wallet becomes inaccessible. That deliberate design choice means recovery is entirely the user’s responsibility.

Ledger offers an optional paid recovery service, Ledger Recover, that allows subscribers to reconstruct a seed phrase using identity-verified fragments stored with third parties.

The firm maintains that non-subscribers continue to manage the seed phrase themselves, and that the recovery flow requires a subscription, on-device physical consent, and identity verification.

Section 33 treats voluntary opt-in recovery and mandatory manufacturer assistance as equivalent obligations. As written, it would require every hardware wallet provider operating in Kentucky to make that recovery mechanism available to every user, regardless of whether the user wants it.

The Bitcoin Policy Institute said exactly that in a Mar. 20 letter to the Senate. Complying with Section 33 would mean either storing seed phrases on the server side or implementing a remote reconstruction path, which would result in a “cryptographic backdoor.” The letter then urged the Senate to remove the provision before any floor action.

What happens if the Senate acts on the bill as written

HB 380 cleared the House and arrived in the Senate on Mar. 16. As of Mar. 23, the chamber had adjourned until Mar. 24, with HB 380 not listed among posted orders for passage.

The Kentucky session runs legislative days through Mar. 27, with a concurrence window Mar. 31 through Apr. 1 before the veto period closes and the legislature adjourns sine die on Apr. 15. The Senate has a narrowing window.

If the chamber passes HB 380 with Section 33 intact, the immediate effect falls on manufacturers.

Pure non-custodial vendors, whose products are designed so that only the user ever holds the seed phrase, face exposure to deceptive trade practices that they cannot cure without redesigning their products.

Some may absorb that exposure, while others may decide Kentucky is not worth the compliance cost and pull back from the market or restrict sales to residents.
