STATE OF NEW YORK
________________________________________________________________________
10640
IN ASSEMBLY
March 13, 2026
___________
Introduced by M. of A. VANEL -- read once and referred to the Committee
on Banks
AN ACT to amend the banking law, in relation to the accessibility of
consumer financial data and the prohibition of fees for the transfer
of such data to authorized parties
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. Short title. This act shall be known and may be cited as the "New York financial data rights act".
§ 2. The banking law is amended by adding a new article 14-C to read as follows:
ARTICLE 14-C
CONSUMER AND SMALL BUSINESS FINANCIAL DATA RIGHTS
Section 800. Definitions.
801. Consumer and small business right to data portability.
802. Prohibition of fees for data access.
803. Authorized representative obligations.
804. Security standards.
805. Enforcement and penalties.
§ 800. Definitions. As used in this article, the following terms shall have the following meanings:
1. "Authorized representative" means any person or entity, other than the financial institution holding the data, that seeks to access covered data with the consumer's or small business's consent pursuant to section eight hundred three of this article.
2. "Consumer" means an individual who resides in the state of New York.
3. "Financial institution" means:
(a) a banking organization as defined in subdivision eleven of section two of this chapter;
(b) any out-of-state state bank as defined in subdivision two of section two hundred twenty-two of this chapter that maintains a financial product or service for a resident in this state;
(c) any person or entity acting as a custodian for financial assets as described in section 11-1.9 of the estates, powers and trusts law; and
(d) any other data provider regulated by the department that maintains a financial product or service for a resident of this state.
LBD15201-02-6
4. "Covered data" means the following information relating to a consumer or small business in the control or possession of a financial institution:
(a) Transaction information, including amounts, dates, payment types, pending or authorized status, and payee or merchant names, for at least twenty-four months preceding the request;
(b) Account balance information;
(c) Information to initiate payment to or from a covered account, including account numbers;
(d) Terms and conditions of the consumer or small business, financial product or service, including interest rates, credit limits, overdraft coverage, rewards, and fee schedules;
(e) Upcoming bill information, including amounts and due dates; and
(f) Account and identity verification information, including name, address, and contact information.
5. "Exempt data" means information that a financial institution is not required to make available, subject to the requirements in subdivision two of section eight hundred one of this article, consisting of:
(a) Any confidential commercial information, including proprietary algorithms used to derive credit or risk scores;
(b) Information collected solely for the purpose of preventing fraud or money laundering;
(c) Information required to be kept confidential by any other provision of law; and
(d) Any information the financial institution cannot retrieve in the ordinary course of business.
§ 801. Consumer and small business right to data portability. 1. Upon the request of a consumer, small business, or their authorized representative, a financial institution shall make available all covered data they have requested in a secure, electronic, and machine-readable format by which the consumer, small business, or authorized representative can retrieve, retain, and transfer such data for processing into a separate information system.
2. Financial institutions shall maintain a developer interface, such as a standardized application programming interface, to receive and respond to requests for access to covered data as set forth in subdivision one of this section.
3. (a) A financial institution shall not engage in or be a party to any unreasonable denial or impairment of access by a consumer, a small business, or authorized representative, including without limitation any denial or impairment related to risk or security standards.
(b) Unreasonable denial or impairment under paragraph (a) of this subdivision includes conduct that:
(i) Is likely to evade or unreasonably delay compliance with, or interfere with, prevent, or materially discourage access of covered data by a consumer, a small business, or an authorized representative;
(ii) Degrades, impairs, or creates barriers that would restrict or systematically impede access to covered data by a consumer, a small business or authorized representative; or
(iii) Is applied to a consumer, a small business, or authorized representative in a discriminatory manner.
(c) A financial institution is not engaged in or a party to an unreasonable denial of access by an authorized representative by denying access if the denial:
(i) Is necessary to ensure compliance with specific safety and soundness obligations of the financial institution's prudential regulator, and is based on standardized safety and soundness criteria available to authorized representatives upon request; or
(ii) To comply with applicable law.
(d) A financial institution shall bear the burden of demonstrating that a denial of access under paragraph (c) of this subdivision is reasonable based on a specific, known risk likely to cause substantial injury to consumers or small businesses, and that such denial is applied consistently to authorized representatives facing the same or materially similar risk.
(e) A financial institution shall provide prompt notice of any denial of access to a consumer, small business, or authorized representative.
§ 802. Prohibition of fees for data access. No financial institution shall directly or indirectly impose a fee, assessment, or any other charge to a consumer, small business, or authorized representative in connection with receiving requests for or making available covered data as required by section eight hundred one of this article. This prohibition applies to the establishment, maintenance, and usage of the developer interface.
§ 803. Authorized representative obligations. 1. An authorized representative must obtain express, informed consent from a consumer or small business in order to request access to covered data on the consumer's or small business's behalf.
2. Authorized representatives shall provide a simple and transparent mechanism for a consumer or small business to view and revoke any authorizations for data sharing at any time.
3. An authorized representative must limit its collection, use, and retention of covered data to what is reasonably necessary to provide the consumer's or small business's requested product or service.
4. An authorized representative must apply to its systems for the collection, use, and retention of covered data an information security program that satisfies the applicable rules issued pursuant to section five hundred one of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) or, if the authorized representative is not subject to section five hundred one of the Gramm-Leach-Bliley Act, the third party shall apply to its systems for the collection, use, and retention of covered data the information security program required by the federal trade commission's standards for safeguarding customer information, 16 CFR part 314.
§ 804. Security standards. For the purpose of authenticating a consumer's or small business's request pursuant to subdivision one of section eight hundred one of this article, financial institutions shall use, at a minimum, the same processes and information that they rely upon to authenticate a consumer or small business for their online banking portals.
§ 805. Enforcement and penalties. 1. The superintendent of financial services shall have the power to enforce the provisions of this article.
2. Any financial institution found to be in violation of this article, including the improper charging of fees or the restrictions set forth in subdivision three of section eight hundred one of this article, shall be subject to a civil penalty of not more than ten thousand dollars per violation.
§ 3. This act shall take effect on the sixtieth day after it shall have become a law.