New York Proposes Open Banking-Style Financial Data Access Legislation

Federal rulemaking implementing Section 1033 of the Consumer Financial Protection Act remains stalled by litigation over the legality of the Consumer Financial Protection Bureau's 2024 "open banking" final rulemaking and the CFPB's pending proposal to rewrite the rule. Stepping into the breach, New York lawmakers are advancing legislation that would establish a state-level financial data access regime. Companion bills introduced in the New York State Assembly and Senate—A10640 and S9483—signal the state's intent to step into the regulatory gap caused by this uncertainty. If enacted, the legislation would require affirmative data access and sharing and impose pricing restrictions on financial institutions operating in New York.

The bills are sponsored by prominent New York legislators—Assemblyman Clyde Vanel, Chair of the Assembly Banks Committee, and Senator Rachel May, Chair of the Senate Consumer Protection Committee—and currently sit in each chamber's Banks Committee.

Key Takeaways

• First-in-the-nation state open banking-style regime: While many states have developed comprehensive data protection laws, giving consumers privacy rights over their personal data, New York would be the first to adopt a law focused specifically on consumer access to their financial data. If enacted, the legislation could provide a template for the next wave of state laws focused on financial data access.
• Similarity to Section 1033: The bills propose a streamlined framework that closely mirrors core concepts underlying Section 1033, including consumer control over their financial data and third-party access rights. The legislation would require financial institutions to provide developer interface-based access to consumer financial data and prohibit unreasonable barriers to data sharing.
• Broad coverage beyond consumers: The proposal would go further than Section 1033 and grant data access rights to small businesses as well as consumers.
• Strict limitation on fees: The bills would prohibit fees for accessing or transferring covered data. The bills surpass Section 1033 in expressly prohibiting fees associated with the establishment, maintenance, and usage of the developer interface.
• Liability for each violation: Unlike the CFPB's 2024 rulemaking (which did not include specified amounts for violations), New York's proposed legislation would impose a significant maximum penalty of $10,000 for each violation of the law.

Status of Section 1033 Rulemaking

Section 1033 of the CFPA directs the CFPB to promulgate rules requiring financial institutions to make consumer financial data available to consumers and authorized third parties. Despite years of industry anticipation, a comprehensive rule implementing these requirements remains unsettled.

After the change in administration in January 2025, the CFPB announced a reexamination of its 2024 Final Rule. At the same time, enforcement of the rule was stayed due to ongoing litigation. On August 22, 2025, the CFPB released an Advance Notice of Proposed Rulemaking requesting comment on several questions. The comment period for the ANPR has concluded, but there is no clear timeline for next steps in the rulemaking. The court in the litigation has stayed further proceedings pending the CFPB's revised rulemaking.

The absence of a definitive and enforceable federal rule on consumer financial data access and sharing has created uncertainty for financial institutions, fintech companies, and data aggregators, while also prompting states—such as New York—to take more proactive roles in defining the consumer-permissioned access space.

Key Provisions of the New York Bills

The proposed New York Financial Data Rights Act would create a new Article 14-C of the New York Banking Law establishing a comprehensive financial data access regime.

Right to Access and Share Covered Data

The proposed legislation would grant consumers, small businesses, and authorized representatives the right to request access to "covered data" from a "financial institution" in a secure, electronic, and machine-readable format and transfer the data into a separate information system.

The bills would define "covered data" as:

• Transaction information, including amounts, dates, payment types, pending or authorized status, and payee or merchant names, for at least 24 months preceding the request;
• Account balance information;
• Information to initiate payment to or from a covered account, including account numbers;
• Terms and conditions of the consumer or small business financial product or service, including interest rates, credit limits, overdraft coverage, rewards, and fee schedules;
• Upcoming bill information, including amounts and due dates; and
• Account and identity verification information, including name, address, and contact information.

The law would exempt from consumer access or transfer any confidential commercial information, including proprietary algorithms used to derive credit or risk scores; information collected solely for the purpose of preventing fraud or money laundering; information required to be kept confidential by any other provision of law; and any information the financial institution cannot retrieve in the ordinary course of business.

A "financial institution" would be defined as a New York bank, an out-of-state state bank that maintains a financial product or service for a New York resident, any person or entity acting as a custodian for financial assets under the Estates, Powers & Trust Law, and any other data provider regulated by the New York State Department of Financial Services that maintains a financial product or service for a New York resident.

Mandatory Developer Interface Access

Financial institutions would be required to maintain a developer interface, like a standardized application programming interface, to facilitate secure data sharing. Like the CFPB's 2024 rule, the bills would not expressly prohibit screen scraping. Financial institution APIs would be required to apply the same security standards that they use to authenticate a consumer or small business accessing their online banking portals.

The proposed legislation is less prescriptive than the CFPB's 2024 rule regarding technical and operational attributes of the developer interface or the function of standard-setting bodies.

Prohibition on Unreasonable Denials or Impairment of Access

The bills would prohibit unreasonably denying or impairing consumer or small business access to data and require financial institutions to provide prompt notice of any denial to a consumer, small business, or authorized representative. Financial institutions would have the burden of demonstrating that a denial is reasonable based on a specific, known risk likely to cause substantial injury to consumers or small businesses. Financial institutions would also be required to show that a denial is applied consistently to authorized representatives facing the same or materially similar risk.

Prohibition on Fees

The proposal would prohibit financial institutions from charging fees for access to covered data or for the establishment, maintenance, and usage of the developer interface.

Standards for Authorized Representatives

The bills would establish various requirements and restrictions for authorized representatives. Authorized representatives would be required to obtain express, informed consent from a consumer or small business and provide a simple and transparent mechanism for a consumer or small business to revoke consent. Data access, use, and retention by authorized representatives would also be limited to what is reasonably necessary to provide the requested product or service. Lastly, authorized representatives would be required to maintain an information security program that satisfies Regulation P, for financial institutions, or the Federal Trade Commission's Standards for Safeguarding Consumer Information, for nonfinancial institutions.

Enforcement

The legislation would authorize the NY DFS to take enforcement actions for violations of the statute. Financial institutions would be subject to a civil penalty of up to $10,000 per violation.

Our Take

New York's proposed legislation represents a significant first step toward state-led regulation of consumer financial data access. The proposal incorporates key concepts contemplated under Section 1033, while extending access rights to small businesses as well. The proposal also takes a more proscriptive stance on issues like fees and liability, underscoring state-level efforts to fill the void left by the CFPB. Significant questions remain as to how a state and federal structure for consumer-permissioned data rights would work. While the bills are vague as to which banks or other financial institutions would be covered, we expect federal preemption arguments to be made during the legislative process.

For industry participants, the message is clear: Even in the absence of a federal rule, regulatory expectations around consumer-permissioned data sharing are continuing to evolve. We intend to monitor developments in New York closely, as the state's approach could serve as a model for other jurisdictions—and potentially influence the eventual contours of federal regulation.

+++

Melissa Baal Guidorizzi and Bill Schuerman are partners, and Michael Treves and Paige Knight are associates in the Washington, D.C. office of DWT. If you have any questions or need assistance, please contact the authors or another member of our financial services and technology + privacy & security teams. To stay informed, sign up for our alerts.