Alabama Introduces Sweeping Bitcoin ATM Bill: $1,000 Daily Limits, Mandatory Scam Refunds, Privacy Coin Ban

Alabama Representative Matt Bedsole filed HB 303 on January 21, 2026 — the "Cryptocurrency Kiosk Fraud Prevention Act" — a bill that would impose a $1,000 daily transaction cap on Bitcoin ATMs, require operators to refund scam victims in full, ban privacy coins from kiosks entirely, and mandate that operators share digital receipts directly with the Alabama Securities Commission for every transaction. The bill's fraud prevention intentions are understandable given the current national environment — Attorneys General in Massachusetts, Iowa, DC, and Missouri have filed lawsuits or issued investigative demands against major operators, and FBI data shows Bitcoin ATM fraud hit $333 million in 2025. But HB 303 takes a blanket approach that fails to distinguish between operators who actively harm consumers and those who invest heavily in fraud prevention — and in doing so, it would punish legitimate users, particularly the unbanked and cash-dependent consumers who benefit most from Bitcoin ATM access, while doing little to stop determined scammers from migrating to other payment channels.

$1,000

Proposed Daily Transaction Cap

$10,000

Proposed Monthly Transaction Cap

60 Days

Window to Request Scam Refund

Oct. 1, 2026

Proposed Effective Date

What the Bill Requires

HB 303 is dense legislation that touches nearly every aspect of Bitcoin ATM operations. It was referred to the State Government Committee on first reading. Here are its core provisions:

Key Provisions of Alabama HB 303:

Chart summarizing key sourced metrics. — Key sourced metrics. Visualize the strongest filing metrics as a simple chart. Source: Bitcoin ATM News reporting

$1,000 daily / $10,000 monthly transaction limits per consumer, across all kiosks statewide, enforced through mandatory ID verification on every transaction
Mandatory full refunds for scam victims who report within 60 days and obtain a law enforcement report — including all fees and charges
Privacy coin ban: Operators cannot allow buying, selling, or sending of privacy-enhancing cryptocurrencies (e.g., Monero, Zcash) from kiosks or affiliated online platforms
Blockchain analytics mandate: Operators must use tracing software to block transactions to wallets associated with fraud or criminal activity
Digital receipts to regulators: Every digital receipt must be automatically sent to the Alabama Securities Commission
24/7 U.S.-based customer service with toll-free phone support prominently displayed on every kiosk
Dedicated law enforcement hotline: Operators must maintain a direct communication line for government agencies
Fraud reporting: All consumer fraud calls must be reported to the Commission within two business days; all refund requests within 72 hours
No bank co-location or signage that could make a kiosk appear affiliated with a financial institution
Civil and criminal penalties for violations

The Mandatory Refund Provision Is the Big Story

The most consequential provision in HB 303 is Section (i): the mandatory refund requirement. Under this provision, if a consumer is "fraudulently induced" to use a Bitcoin ATM, the operator must issue a full refund — including all fees — provided the consumer contacts the operator and law enforcement within 60 days and provides a law enforcement report documenting the fraud determination. This goes far beyond any refund requirement for any other payment method — globally. Under Regulation E, the federal framework governing electronic fund transfers, consumers can dispute *unauthorized* transactions through their bank. But Bitcoin ATM scam transactions are not unauthorized in the Reg E sense — the consumer physically walked up to the machine, inserted their own cash, and confirmed the transaction. They were manipulated into doing so, but the transaction itself was voluntary and authorized. No other payment channel in the United States — not wire transfers, not Zelle, not gift cards, not even traditional bank ACH — requires the payment processor to issue a full refund for a transaction the consumer voluntarily authorized simply because they were deceived by a third party. HB 303 would make Bitcoin ATM operators strictly liable for third-party fraud in a way that Western Union, MoneyGram, Visa, Mastercard, and every peer-to-peer payment app are not. This is a draconian standard that would fundamentally reshape operator economics. It transforms every Bitcoin ATM into a machine where the operator bears 100% of fraud risk for crimes committed by unrelated third parties — regardless of what fraud prevention measures the operator deployed. The bill explicitly states that scam victims are eligible for refunds "regardless of whether an operator provided the disclosures" required by the act — meaning operators cannot avoid refund liability by arguing they posted the required warnings. Even if an operator implemented every warning, every delay, and every intervention the bill demands, they still owe the refund if the consumer was scammed. This provision, in our view, will stifle business investment in Alabama. No rational operator will expand into or remain in a market where they face unlimited refund liability for crimes they didn't commit and cannot prevent. The result won't be better-protected consumers — it will be fewer machines, less access, and the remaining operators pricing the risk into even higher fees. And it will limit Alabama consumers' access to Bitcoin — one of the best-performing asset classes of the last decade and a genuine leap forward in financial technology — through a payment channel specifically designed to serve people who lack traditional banking access.

Fee Transparency and Disclosure

HB 303 addresses drip pricing — the practice at the center of multiple state AG lawsuits — by requiring operators to disclose, before a transaction is completed:

The U.S. dollar amount of cryptocurrency involved
A listing, in United States dollars, of all fees and charges
The total transaction amount in both crypto and U.S. dollars
The exchange rate, "clearly showing the difference between the market price of the cryptocurrency and the price of the cryptocurrency charged to the consumer"

That last requirement — showing the spread between market price and the operator's price — is particularly pointed. Multiple AG lawsuits allege operators display a manipulated Bitcoin price that bakes in fees without disclosure. Alabama's bill would require the gap to be shown explicitly. Operators must also obtain affirmative consumer acknowledgment of these disclosures before executing any transaction.

Scam Warning Requirements

The bill mandates two separate full-screen scam warnings before any transaction can proceed, each requiring individual consumer acceptance. The warnings enumerate 11 specific scam scenarios — from romance fraud to government impersonation to fake tech support alerts — and instruct consumers to stop and call law enforcement if they believe they're being scammed. These warnings must appear "in a conspicuous font and a color that contrasts with the background of the kiosk screen." Both must be accepted separately before the transaction executes. This approach mirrors the warning requirements in other recent state bills but is more prescriptive in the specific scam scenarios it names. The bill's list tracks closely with the fraud patterns documented in state AG filings — particularly romance scams, government impersonation, and tech support fraud — which collectively account for the vast majority of Bitcoin ATM-facilitated scams reported by the FBI.

Privacy Coins and Blockchain Analytics

The privacy coin ban is straightforward: operators "shall not permit the buying, selling, or sending of privacy coins from cryptocurrency kiosks or online platforms in any capacity." The bill defines privacy coins as any cryptocurrency "with privacy-enhancing features designed to increase anonymity and reduce or eliminate the ability for the cryptocurrency to be traced." In practice, most major Bitcoin ATM operators already limit their offerings to Bitcoin and a small number of traceable altcoins. But the ban's extension to "online platforms" operated by kiosk companies could affect operators that offer broader crypto exchange services alongside their kiosk business. The blockchain analytics mandate goes further, requiring operators to actively block transactions to wallet addresses flagged for fraud or criminal activity. This is not merely a monitoring requirement — it's a blocking requirement. And at law enforcement's request, operators must hand over their analytics data.

Anti-Evasion Provisions

The bill includes a notable anti-circumvention clause: operators cannot "use any alternative method including, but not limited to, online portals, affiliated kiosks, or over-the-counter transactions, to evade or exceed the limits provided for in this section." This targets the structural workaround where operators might route customers above the daily limit through a web portal or separate business entity. Similarly, the $1,000 daily and $10,000 monthly limits apply per consumer across "one or multiple kiosks in the state," requiring operators to implement cross-network identity verification to enforce compliance.

How Alabama Compares

Alabama's HB 303 lands in the middle of a rapidly expanding patchwork of state-level Bitcoin ATM regulation:

State Bitcoin ATM Regulation Landscape (as of March 2026):

California (SB 401): $1,000 daily limit, fee caps, disclosure requirements — effective 2025
Indiana: Emergency declaration ban on Bitcoin ATMs signed March 10, 2026
Iowa: AG lawsuits against Bitcoin Depot and CoinFlip; $1,000 limit in proposed legislation
Illinois: Registration requirement signed into law August 2025
Alabama (HB 303): $1,000 daily limit plus mandatory refunds, privacy coin ban, and receipt sharing with regulators

What sets Alabama apart is the combination of strict limits with operator accountability mechanisms — particularly the mandatory refund provision, the real-time receipt sharing with regulators, and the anti-evasion clause. Most state proposals pick a few tools; Alabama's bill uses nearly all of them.

The Real Problem: Not All Operators Are the Same

HB 303's fundamental flaw is that it treats the entire Bitcoin ATM industry as a monolith — imposing identical restrictions on every operator regardless of how they actually treat consumers. The reality is that operators vary enormously in their commitment to consumer protection. At one end of the spectrum, state Attorneys General have brought enforcement actions against operators like Bitcoin Depot and CoinFlip for allegedly failing to protect consumers from scams — with the Massachusetts AG alleging that over 80% of customers who spent $10,000 or more at Bitcoin Depot kiosks between August 2023 and January 2025 were scam victims. The Iowa AG has sued both Bitcoin Depot and CoinFlip. The DC AG has sued Athena Bitcoin. These enforcement actions allege that certain operators knew their machines were being used to defraud consumers — disproportionately elderly consumers — and failed to implement adequate safeguards. But at the other end of the spectrum, many operators have invested heavily in fraud prevention, deployed real-time scam warnings, implemented customer callbacks, and maintained clean regulatory records. The operators directory on this site tracks trust scores based on public enforcement records, and the range runs from F to A+ — reflecting genuinely different approaches to consumer protection across the industry. This matters for how regulation should work. Targeting operators who demonstrably fail to protect consumers — through AG enforcement, licensing conditions, and meaningful penalties — is a more effective and more fair approach than blanket caps and mandatory refunds that apply identically to operators with spotless records and operators facing multiple lawsuits. When a state penalizes bad actors specifically, it creates an incentive for the rest of the industry to invest in compliance. When a state imposes blanket restrictions, it punishes good actors and bad actors alike — and removes the competitive advantage that responsible operators have earned. We believe the AG enforcement model already underway in Massachusetts, Iowa, DC, and Missouri — which targets specific operators for specific failures — is a better framework than Alabama's one-size-fits-all approach. Let the operators who protect consumers continue to serve them. Go after the ones who don't.

Well-Intentioned, But Badly Targeted

Let's be direct: Alabama HB 303 is well-meaning legislation that would do real harm to the people it claims to protect, while merely redirecting — not eliminating — the fraud it targets. The bill treats every Bitcoin ATM consumer as a potential victim, imposing a blanket $1,000 daily cap regardless of how long someone has been a customer, how many verified transactions they've completed, or whether they've ever shown a single fraud risk indicator. A person who has used the same Bitcoin ATM every week for two years to convert cash into Bitcoin gets the same restrictions as a confused 75-year-old being coached through their first transaction by a phone scammer. That's not smart regulation. That's a blunt instrument.

The Real Fraud Problem — and Where Limits Actually Help

The data from AG investigations tells a clear story about *where* fraud concentrates: it's in high-value first-time or early transactions. The Massachusetts AG found the median scam victim at Bitcoin Depot was age 67 and overwhelmingly new to the machines. The DC AG's case against Athena Bitcoin found a median victim age of 71. These are not repeat customers. They are people being walked through a kiosk for the first time by a scammer on the phone. This means there's a far more effective and less restrictive approach available: **tiered limits based on customer tenure.** A low cap — say $1,000 — during a new customer's first 48 or 72 hours makes enormous sense. That's the window when scam risk is highest, when someone is most likely to be under active manipulation, and when intervention warnings are most likely to break through. After that initial window, once a customer has had time to reflect and has established a pattern of legitimate use, artificially restricting their transactions to $1,000 per day does almost nothing to prevent fraud. What it does is prevent legitimate economic activity.

Who Gets Hurt: The Unbanked and Cash-Based Economy

Bitcoin ATMs exist because they serve a population that mainstream financial services often don't — the unbanked, the underbanked, immigrants, gig workers, and anyone who operates primarily in cash. For these users, a Bitcoin ATM is one of the few on-ramps to the digital economy that doesn't require a bank account, a credit check, or a two-week waiting period. A $1,000 daily cap permanently imposed on all users doesn't just limit scam risk. It caps the ability of a legitimate cash-based worker to convert their earnings into a digital store of value. It prevents a small business owner from making a time-sensitive purchase. It tells every law-abiding Alabamian that the state trusts them less with their own money at a Bitcoin ATM than it does at a casino, a wire transfer counter, or a check-cashing store — all of which are used in scams at comparable or higher rates with far fewer restrictions.

The Privacy Problem

The bill's requirement that every digital receipt be automatically sent to the Alabama Securities Commission is a surveillance provision, full stop. No other consumer payment channel — not Zelle, not Venmo, not Western Union, not cash — requires that every transaction receipt be automatically forwarded to a state regulator. This isn't periodic reporting. It isn't triggered by suspicious activity. It's blanket, continuous surveillance of every person who uses a Bitcoin ATM in the state. Combined with the privacy coin ban, HB 303 sends a clear message: if you use a Bitcoin ATM in Alabama, the government will see every detail of every transaction you make. There is no presumption of privacy, regardless of whether there is any indication of wrongdoing. The privacy coin ban itself is largely symbolic — virtually no Bitcoin ATMs in the U.S. currently offer Monero or Zcash — but its inclusion in the statute signals a legislative intent to preemptively eliminate any privacy-preserving option from the kiosk ecosystem. That's a concerning policy direction that extends far beyond fraud prevention.

Scams Won't Disappear — They'll Move

History is unambiguous on this point: when you restrict one payment channel used in scams, scammers pivot to another. Gift cards, wire transfers, peer-to-peer payment apps, and even physical cash remain available vectors. The FTC has documented this pattern repeatedly. Reducing the amount a victim can lose at a Bitcoin ATM is worthwhile for the narrow window when they're most vulnerable — but a permanent $1,000 cap doesn't eliminate scam losses. It just shifts them to the Walgreens gift card aisle or the Western Union counter, where there are far fewer fraud warnings, no blockchain analytics, and no refund provisions at all. The irony is that Bitcoin ATMs, with their mandatory KYC, on-camera transactions, blockchain traceability, and now increasingly robust fraud warnings, are actually one of the *more* traceable and interruptible scam payment channels. Overregulating them while leaving less transparent channels untouched doesn't make consumers safer. It makes the regulatory landscape less rational.

What Better Regulation Looks Like

A Smarter Approach to Bitcoin ATM Regulation:

Infographic summarizing key sourced takeaways. — Key sourced takeaways. Summarize 2-4 sourced metrics in a compact infographic. Source: Bitcoin ATM News reporting

Target bad actors, not the entire industry: Enforce aggressively against operators who fail to protect consumers — as AGs in Massachusetts, Iowa, DC, and Missouri are already doing — while allowing compliant operators to continue serving customers without penalty
Tiered transaction limits: Low caps ($500–$1,000) for new customers in their first 48–72 hours, then graduated increases for verified, established users — targeting the actual risk window without permanently restricting legitimate activity
Mandatory real-time scam intervention: Live prompts, delays, and even operator callbacks for transactions that trigger fraud risk indicators — especially first-time high-value transactions
Fee transparency requirements: The bill's disclosure provisions showing market price vs. charged price are genuinely excellent and should be adopted everywhere
Mandatory refund provisions: Reasonable when tied to operator negligence or inadequate fraud prevention — not as strict liability regardless of what the operator did
Suspicious activity reporting to regulators: Yes. Blanket receipt forwarding for every transaction: No. That's surveillance, not fraud prevention.
Sell-side transactions left unrestricted: Virtually all documented scam activity occurs on the buy side (cash in, crypto out). Restricting consumers' ability to sell Bitcoin for cash at an ATM addresses a problem that functionally does not exist.

Alabama's legislators should be credited for taking the fraud problem seriously — and specific provisions like the fee transparency requirements and the 24/7 customer service mandate are genuinely good policy. But the bill as written would restrict legitimate economic activity for hundreds of thousands of Alabamians to address a fraud pattern that primarily affects new, first-time users in their initial hours of interaction. That's a mismatch between the problem and the solution — and it ignores the fact that enforcement tools already exist to hold negligent operators accountable without punishing the entire industry.

What This Means for Alabama Consumers

If HB 303 becomes law, Alabama Bitcoin ATM users would see:

Refund rights: If you're scammed, you can demand a full refund (including fees) from the operator by reporting within 60 days and filing a law enforcement report
Transaction limits: You cannot spend more than $1,000/day or $10,000/month at any combination of Bitcoin ATMs in the state — regardless of how long you've been a customer
No selling Bitcoin for cash above $1,000: The daily limit applies to sell transactions too, even though sell-side scam activity is virtually nonexistent
Clear pricing: Operators must show you the exact market price, the exact fees, and the difference between them before you confirm
No privacy: Every digital receipt is automatically sent to the Alabama Securities Commission
Two scam warnings that you must individually acknowledge before any transaction proceeds
24/7 U.S.-based phone support from every operator, with the number displayed on every machine

The refund provision gives consumers a concrete remedy that doesn't depend on catching the scammer — it puts the financial burden on the operator. That's a meaningful protection, particularly for elderly victims of impersonation scams. But the blanket transaction limits and receipt-forwarding provisions affect all consumers equally, including the cash-based and unbanked users who rely on Bitcoin ATMs for legitimate financial access. If you regularly use a Bitcoin ATM for amounts above $1,000, this bill would permanently restrict your ability to do so — not because you've done anything wrong, but because other people have been victimized at kiosks like the one you use. And in the process, it would limit your ability to invest in an asset class that has outperformed virtually every traditional investment over the past decade. For more on your rights when using Bitcoin ATMs, see our consumer protection resources.

What This Means for Operators

HB 303 would fundamentally reshape the economics of operating Bitcoin ATMs in Alabama — but its impact would fall disproportionately on operators who already invest in compliance:

Mandatory refunds for voluntary transactions: Operators would bear direct financial liability for scam transactions that consumers willingly authorized — a standard that exceeds any refund requirement for any other payment method, including under Regulation E. Critically, this applies equally to an operator with robust fraud prevention and one with none at all. This alone could make Alabama an unviable market for operators with significant transaction volume.
$1,000 daily limits: This matches the strictest tier nationwide (California, Iowa, Maine) and would sharply reduce revenue per kiosk, since high-value transactions drive disproportionate fee income.
Cross-kiosk identity tracking: Enforcing the per-consumer daily and monthly limits across multiple machines statewide requires robust identity verification infrastructure that some operators may not currently have.
Real-time receipt sharing with the Alabama Securities Commission: Every digital receipt goes to the regulator. This is continuous, automatic regulatory surveillance — not periodic reporting or responsive to subpoenas.
Blockchain analytics requirement: Operators must block transactions to flagged wallets and share analytics data with law enforcement on request.
Anti-evasion clause: Operators cannot route transactions through online portals or affiliated entities to bypass limits.
Privacy coin prohibition applies to kiosks and affiliated online platforms.

The proposed effective date of October 1, 2026 provides a compliance runway, but the infrastructure changes required — particularly cross-kiosk identity enforcement and blockchain analytics integration — are not trivial. The broader concern for responsible operators is that bills like HB 303 punish the entire industry for the failures of specific companies. Operators who have maintained clean regulatory records, invested in fraud prevention technology, and cooperated with law enforcement face the same restrictions as operators currently being sued by multiple state AGs for allegedly facilitating fraud. That flattening of accountability removes the competitive incentive to do the right thing. A regulatory framework that holds bad actors accountable — as the AG enforcement wave is doing — while letting compliant operators serve consumers is more effective, more fair, and ultimately better for the consumers Alabama says it wants to protect. Operators can review their current regulatory exposure on our operators directory.

What to Watch

HB 303 was referred to the State Government Committee on first reading. Alabama's 2026 regular session is underway, and the bill would need committee passage, floor votes in both chambers, and the governor's signature to become law by its proposed October 1, 2026 effective date. The bill's sponsor, Representative Bedsole, positioned it squarely as a fraud prevention measure — not a ban. That framing matters politically: Alabama is not following Indiana's path of banning Bitcoin ATMs outright, but rather attempting to regulate them heavily enough to curb scam facilitation while keeping the machines legal. The question for Alabama legislators is whether they'll refine HB 303 into targeted, risk-based regulation — or pass a blunt instrument that treats the industry's worst actors and its best the same. The bill's fee transparency and disclosure provisions are a model for other states. Its blanket surveillance, one-size-fits-all transaction caps, and unprecedented mandatory refund standard for voluntary transactions are not. The AG enforcement actions already underway against specific operators like Bitcoin Depot, CoinFlip, and Athena Bitcoin demonstrate that regulators can hold negligent operators accountable without shutting down access for millions of legitimate consumers. Alabama should build on that model — not replace it with a regulatory sledgehammer that punishes an entire industry for the failures of a few.