A single paragraph buried deep in a Kentucky bill is shaking the crypto world—and experts say it could fundamentally break how digital wallets work. House Bill 380 is a wide-ranging piece of legislation primarily aimed at putting rules around crypto ATMs. The bill passed the Kentucky House by a unanimous 85-0 vote on March 13.
However, a late addition to the bill, known as Section 33, introduced a provision that has nothing to do with ATMs. It targets hardware wallets that are small, USB-like devices that people use to store their cryptocurrency. They are much like a personal safe that only the owner can open. The amendment requires the companies that manufacture these devices to build a way for users to reset their access credentials, including passwords, PINs, and seed phrases, which are essentially the master keys to a person’s crypto holdings, and to help users do so when needed.
The Bitcoin Policy Institute (BPI), a prominent crypto advocacy group, pushed back vigorously against the amendment, describing the requirement as “technologically impossible.” To understand why, it helps to know how these wallets actually work. Unlike a bank, which can reset a forgotten password because it holds a copy of account information on its servers, hardware wallets are built on an entirely different principle.
The private keys—codes controlling access to cryptocurrency wallets—are stored only on the physical device itself and nowhere else. No server, no company database, and no backup copy exist. The manufacturers have no access to the private keys. This is not a flaw or oversight, as it means that even if a hardware wallet company is hacked, goes bankrupt, or receives a government order, a user’s funds remain protected. Requiring these companies to build a reset mechanism would mean dismantling that very protection.
Your completely free resource hub designed to boost your knowledge of cryptocurrencies
“There is no central authority capable of resetting access credentials,” said Joe Ciccolo, founder and president of BitAML. He attributed the amendment to a policy knowledge gap rather than deliberate overreach, warning that forcing wallet providers to build such a backdoor would either gut their core security model or drive them out of Kentucky entirely. “Most non-custodial wallet providers would simply choose not to operate in Kentucky,” he said.
A Contradiction Within Kentucky Law
Critics also point out that the amendment directly contradicts Kentucky’s House Bill 701, which was enacted in March 2025. It explicitly protected self-hosted wallet owners’ rights to control their private keys.
BPI Managing Director Conner Brown put it bluntly on X: “Kentucky is suddenly about to ban self-custody.”
Ciccolo argued that alternatives like social recovery mechanisms and multi-signature setups can adequately protect users without introducing centralized control. He backed BPI’s direct outreach to Kentucky senators, calling education and engagement “the most effective path forward.”
Broader ATM Crackdown
The controversy lands as many states in America tighten scrutiny on crypto kiosks. Minnesota is weighing an outright ban on crypto ATMs following fraud cases targeting elderly residents, while Connecticut already halted Bitcoin Depot over compliance failures.
HB 380 now sits in the Kentucky Senate, where lawmakers still have an opportunity to strip the amendment before a final vote.
