House Bill 617 (Idaho) adds a new chapter to Title 28 that defines "programmable money," removes programmable money from existing statutory definitions of "money" and certain deposit-account rules, and restricts how entities that issue programmable money may control transactions. The bill bars requiring programmable money without a free non-digital alternative, forbids denying transactions on a long list of lawful activities (including political speech, medical history, and purchases), and creates a process for consumers to demand a written explanation for denials.
The measure pairs civil remedies (actual and punitive damages, attorney fees, injunctive relief and potential revocation of Idaho business authorization for knowing or repeated violations) with criminal exposure—a misdemeanor carrying up to $10,000 per violation and up to one year imprisonment. It also preserves narrow exceptions for declines tied to criminal activity and says it does not prevent buying or selling cryptocurrency or other assets.
At a Glance
What It Does
The bill defines "programmable money" and carves it out of statutory definitions of "money" and "deposit account." It prohibits issuers from forcing programmable-money-only transactions, forbids denials based on enumerated lawful behaviors, requires issuers to provide written reasons on request, and establishes civil and criminal penalties.
Who It Affects
The law targets any person or entity the bill calls an "issuer"—anyone who creates, controls, or distributes programmable money—plus merchants, payment processors, and platforms that integrate programmable-money rails. State regulators and courts would enforce the new private right of action.
Why It Matters
This is an early state-level attempt to regulate automated controls built into programmable payments rather than market conduct alone. For firms experimenting with conditional or rule-based currency features, it imposes compliance design constraints, adds litigation risk, and creates potential licensing consequences for repeat or intentional misconduct.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill creates a legal category called "programmable money"—money encoded with rules that can automatically approve, deny, expire, restrict by time, location, or party, or be used to implement social-credit-like controls. By expressly excluding programmable money from the UCC definition of "money" and from the statutory definition of "deposit account," the drafters signal that programmable-money instruments will not automatically receive the same treatment as traditional cash or bank deposits in secured-transaction rules and related areas of Idaho commercial law.
Substantively, the bill prohibits several issuer behaviors. Issuers may not require payment in programmable money without offering a free non-digital alternative; they may not deny transactions based on an enumerated set of lawful personal characteristics or activities (race, political speech, medical history, browsing or purchasing history, geolocation, profession, or the application of a social-credit-style evaluation); and they may not effect such denials through direct action, embedded automation, or programming.
The bill's definition of "social credit score system" is broad and lists example inputs (firearm purchases, fossil-fuel activities, participation in DEI or other social programs) to capture systems that place behavioral constraints on access to funds.The bill builds in a two-step transparency process around denials: an affected party has 90 days to request a "statement of specific reason" after a denial, and the issuer must reply within 30 days with a detailed reason, the specific terms of service relied on, contact information, and a copy of the relevant terms. That requirement creates a record that plaintiffs and regulators can use in litigation or administrative review, and it pushes issuers to document the logic and policies driving automated controls.Enforcement combines private litigation and criminal sanction.
An aggrieved party can sue for injunctive or declaratory relief and recover actual and punitive damages; the statute also mandates attorney fees for prevailing parties. If the court finds intentional or repeated violations by a preponderance, it may revoke the defendant's Idaho authorization to do business.
Separately, the bill makes each unjustified denial a misdemeanor punishable by up to $10,000 per violation and up to one year in jail. Narrow exceptions permit declines tied to criminal offenses and explicitly preserve the ability of public and private parties to buy or sell cryptocurrency or other assets.
The Five Things You Need to Know
The bill amends the UCC-style definition of "money" (28-1-201) to exclude programmable money, signaling different legal treatment for programmable instruments.
Issuers must offer a non-digital alternative free of charge if they require or prefer programmable-money payments.
Denials of transactions based on a long list of lawful factors (including political views, medical history, browsing/purchase history, geolocation, profession, or application of a social-credit system) are expressly forbidden, and using automated logic to produce such denials is covered.
Affected consumers have 90 days after a denial to request a written "statement of specific reason;" the issuer must provide that statement within 30 days and include the terms of service and contact details relied upon.
Remedies include actual and punitive damages, statutory attorney fees, injunctive relief, potential revocation of Idaho business authorization for knowing or repeated violations, and criminal misdemeanor exposure of up to $10,000 and one year imprisonment per offense.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Carves programmable money out of the UCC 'money' definition
The amendment to 28-1-201 keeps the existing UCC-style definition of "money" but adds an explicit exclusion: "money" does not include programmable money. Practically, that means instruments that meet the bill's "programmable" definition will not automatically be treated as "money" for purposes of commercial rules that depend on that classification—affecting attachment, priority, defenses, and other UCC concepts. Firms should map where state UCC provisions currently treat "money" (attachment, proceeds, deposit-account rules) and evaluate how this carveout changes secured-transaction and payment risk.
Excludes programmable money from the 'deposit account' definition
The 28-9-102 change removes programmable money from the statutory definition of "deposit account." That exclusion means deposit-account protections and filing/priority rules under chapter 9 won't automatically apply to programmable-money holdings characterized as something other than a deposit. Lenders, processors, and custodians need to reassess repo, lien, and collateral regimes for programmable assets that clients or counterparties treat as deposits.
Definitions — issuer, programmable money, and social credit score
This section sets the technical scope: an "issuer" is any entity that creates, controls, or distributes programmable money; "programmable money" covers currency encoded with rules that can deny/approve transactions, restrict by location/time/identity, expire or diminish, or be used to implement social-credit mechanisms. The "social credit score system" term is deliberately examples-driven and lists candidate inputs (firearms purchases, fossil-fuel activity, advocacy, DEI participation) that would trigger protections. The breadth of these definitions controls who must comply and what systems are captured—both broad (any control/distribution counts) and specific (enumerated programmable features).
Prohibitions on issuer behavior and notice procedure for denials
Section 5402 makes three core prohibitions: requiring programmable money without a free non-digital option, denying transactions based on enumerated lawful activities, and causing such denials through automation or programming. It also creates a practical disclosure mechanism: a customer has 90 days to request a "statement of specific reason" and the issuer must respond within 30 days with a detailed reason, citation to the precise terms of service relied on, contact channels, and a copy of the terms. That mechanism imposes operational burdens—issuers must log denial reasons, maintain accessible TOS archives, and staff response channels to meet a 30-day deadline.
Civil remedies, attorney fees, and business revocation
This provision authorizes private suits seeking declaratory or injunctive relief and recovery of actual and punitive damages; it makes prevailing plaintiffs eligible for reasonable attorney fees on each cause of action. Importantly, if a court finds the issuer acted intentionally, knowingly, or repeatedly, it may revoke the issuer's authorization to do business in Idaho—an enforcement tool that goes beyond money damages and targets market access for systemic misconduct. Companies should anticipate increased litigation exposure and potential regulatory removal for repeat offenders.
Criminal penalties and narrow exceptions
Section 5404 makes each unjustified denial or failed transaction a separate misdemeanor offense punishable by up to $10,000 per violation, up to one year imprisonment, or both. The statute carves out two key limits: issuers may decline transactions that would constitute criminal activity, and the statute does not prohibit buying or selling cryptocurrency or other assets. The per-violation framing raises the stakes for high-volume automated declines because each automated refusal could be treated as an independent criminal count.
This bill is one of many.
Codify tracks hundreds of bills on Finance across all five countries.
Explore Finance in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Consumers concerned about behavioral gating: Individuals gain a clear statutory shield against automated denial of payment for lawful activities and a defined path (90/30 rule) to demand reasons and terms.
- Privacy and civil-rights advocates: The ban on denial based on political views, medical history, or other personal attributes provides a statutory hook to challenge discriminatory algorithmic controls.
- Small merchants and offline vendors: The requirement to offer a free non-digital alternative prevents merchant lock-in to programmable-money-only systems, preserving access to customers who cannot or will not use programmable rails.
- State enforcement and plaintiffs' attorneys: The combination of private rights of action, attorney-fee shifting, and potential revocation creates a durable enforcement apparatus for public interest litigation.
Who Bears the Cost
- Issuers (crypto firms, fintechs, platform operators): They must redesign product rules, retain denial logs, publish and archive terms of service, and staff compliance and consumer-response functions to meet the bill's disclosure and non-discrimination requirements.
- Payment integrators and merchants using programmable features: Those who rely on programmatic controls to restrict refunds, merchant flows, or conditional payments will need compliance controls and alternative payment rails, increasing integration and operational costs.
- Idaho courts and regulators: Private litigation and revocation proceedings could create a new docket of algorithmic-denial cases and administrative reviews, requiring resource allocation for enforcement and adjudication.
- Technology teams and third-party auditors: Developers will need to build explainability, audit trails, and opt-out or alternative pathways, and third-party auditors may be engaged to certify compliance, raising vendor and implementation costs.
Key Issues
The Core Tension
The central dilemma is balancing consumer protection from discriminatory or opaque automated controls against lawful business needs to detect fraud, enforce sanctions, and manage risk: imposing strict anti-denial rules and per-denial criminal exposure reduces the risk of behavioral gating, but it also constrains legitimate screening and creates significant operational and legal exposure for firms that rely on automated decisioning.
The bill is aggressive in scope but leaves major implementation questions. "Issuer" is defined broadly as anyone who creates, controls, or distributes programmable money, but that raises uncertainty for decentralized protocols, custodial wallets, middleware payment processors, and open-source token projects: who is the legal issuer when control is distributed? The statute's reliance on the terms-of-service citation in denial notices forces issuers to maintain clear, contemporaneous TOS records, but it does not calibrate the level of technical detail required to explain automated decision logic—so responses could be routine TOS citations unless courts demand algorithmic explainability.
Enforcement will be shaped by two practical tensions. First, the criminal provision treats each denial as a discrete offense, which could convert routine, high-volume transaction filtering (for fraud or compliance) into massive exposure unless issuers implement exception logic and careful logging.
Second, excluding programmable money from "money" and "deposit account" definitions alters commercial-characterization rules but does not create a parallel statutory framework for custody, priority, or insolvency treatment; that omission may produce uncertainty in secured-financing and bankruptcy contexts, where creditors and custodians must know how to treat programmable instruments during distress. Finally, the bill's broad listing of prohibited denial factors could conflict with narrowly tailored fraud, sanctions, or AML controls that legitimately use some of the same signals—implementing firms will need to reconcile compliance obligations with the new statutory prohibitions.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.