New York's Open Banking Bill Will Force Every Bank's Hand on Data Sharing
Brian's Banking Blog
While the federal open banking rule remains mired in litigation and regulatory uncertainty, New York isn't waiting. Last week, legislators in both the state assembly and senate introduced a bill that would require every financial institution serving New York residents to make consumer and small business financial data available — for free, in machine-readable format — to any authorized third party the customer designates.
If this bill becomes law, it won't matter where your bank is chartered. If you serve a single customer who lives in New York, you'll be covered.
The bill is deliberately broader than the CFPB's Section 1033 rulemaking. It avoids the legal ambiguities that have stalled the federal rule. It explicitly names the entities it covers, the data they must share, the format requirements, and the fee prohibition. And it has teeth.
What the Bill Requires
The New York Financial Data Rights Act mandates that covered financial institutions provide the following data upon customer request:
- Transaction information: Amounts, dates, payment types, pending or authorized status, and payee or merchant names for at least 24 months preceding the request
- Account balance information: Real-time or near-real-time balances
- Payment initiation information: Account numbers and routing information necessary to initiate payments to or from covered accounts
- Terms and conditions: Interest rates, credit limits, overdraft coverage, rewards programs, and fee schedules
- Upcoming bill information: Amounts and due dates for scheduled payments
- Identity verification data: Name, address, and contact information
This data must be provided in a secure, machine-readable electronic format at no cost to the consumer, small business, or their authorized representative.
Who's Covered — And It's Everyone
The bill's scope is intentionally expansive. "Covered financial institutions" include:
- All banks, trust companies, private bankers, and savings banks chartered in New York
- All savings and loan associations and credit unions in New York
- Out-of-state banks — including nationally chartered banks and federal savings associations — that serve New York residents
- Any entity "acting as a custodian for financial assets"
- Any other "data provider regulated by the department that maintains a financial product or service for a resident" of New York
Read that last bullet again. The bill covers any regulated entity holding financial data for a New York resident. A community bank in Oklahoma with a single business customer who has a New York office? Covered. A credit union in Iowa with an online savings product that a New York resident signed up for? Covered.
New York is the nation's financial center. Approximately 8.3 million people live in New York City alone, with another 11.5 million in the broader metro area. The practical reality is that almost every bank of significant size in the country serves at least some New York residents.
The Fee Fight Is Over (in New York)
The single biggest point of contention in the federal open banking debate has been fees. Banks — led by JPMorgan Chase — argue they should be compensated for the cost of building and maintaining data-sharing infrastructure. Fintechs and data aggregators argue that the data belongs to the customer and should be free to access.
The CFPB's original 1033 rule prohibited fees. JPMorgan proceeded to charge Plaid for data access anyway, and Plaid agreed to pay. The result: a de facto fee regime that contradicts the rule's intent but operates in regulatory gray space while the rule is litigated.
New York's bill cuts through this with statutory clarity: no fees. Period. The prohibition is in the text of the bill, not in regulatory interpretation. If the bill becomes law and survives legal challenge, it will be extremely difficult for banks to charge for data access to New York customers.
For community banks, this has direct economic implications. Data-sharing infrastructure isn't free to build or maintain. API development, security testing, vendor integration, ongoing monitoring — these costs are real. If you can't pass them to data requestors through fees, they come out of your operating margin.
The Authorized Representative Framework
The bill's treatment of "authorized representatives" — the third parties that access data on behalf of customers — is carefully drafted to avoid the ambiguities that have plagued the federal rule.
An authorized representative is defined as "any person or entity, other than the financial institution holding the data, that seeks to access covered data with the consumer's or small business's consent." This includes:
- Data aggregators (Plaid, MX, Yodlee, Finicity)
- Fintech apps (Venmo, Cash App, budgeting tools)
- Other financial institutions
- Accounting software providers
- Any other entity the customer designates
Authorized representatives must:
- Obtain express, informed consent before accessing data
- Provide a simple mechanism for customers to view and revoke data-sharing authorizations
- Limit data collection to what is "reasonably necessary" for the requested service
- Maintain an information security program meeting Gramm-Leach-Bliley Act standards
These requirements are reasonable and familiar to any bank compliance team. The key innovation is the statutory clarity: there's no ambiguity about whether aggregators can access the data, under what conditions, or with what safeguards. It's all in the bill.
Why This Matters Beyond New York
Even if you serve zero New York customers, this bill matters for your bank's strategic planning.
State-level momentum is building. New York is not the first state to pursue open banking legislation, but it is the most influential. If New York enacts this bill, expect California, Illinois, Texas, and other major states to follow within 12–18 months. A patchwork of state-level data-sharing requirements is the worst-case scenario for banks — multiple compliance frameworks, multiple technical standards, multiple legal regimes.
The federal rule is uncertain. The CFPB's 1033 rulemaking has been in limbo since 2024. The current administration has not indicated whether it will finalize, revise, or abandon the rule. Bank trade groups' lawsuit challenging the rule remains pending. In this vacuum, states are acting. If enough states enact their own versions, the eventual federal rule will likely adopt the most restrictive state requirements as a baseline.
Customer expectations are shifting. Your customers already share their financial data — with Mint, YNAB, Plaid-connected apps, and their accountant. They expect this to work seamlessly. When it doesn't — when screen-scraping breaks their connection, when your bank blocks aggregator access, when data arrives incomplete or delayed — they blame you. Open banking legislation simply formalizes what customers already expect.
The Technology Challenge
For community banks, the technical requirements of open banking are the most daunting aspect.
Building and maintaining a compliant data-sharing API is not trivial. It requires:
- API infrastructure: RESTful APIs conforming to industry standards (likely FDX — Financial Data Exchange — as the de facto standard)
- Authentication and authorization: OAuth 2.0-based consent management that allows customers to grant and revoke access to specific data categories
- Data standardization: Normalizing your core system's data formats to the required machine-readable output
- Security: Encryption in transit and at rest, access logging, anomaly detection, and incident response procedures
- Monitoring: Ongoing surveillance of data access patterns to detect unauthorized use, data breaches, or consent violations
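As an added illustration (not code from the bill, the FDX specification, or any vendor named here), the following Python example shows the server-side check that the authorization, security and monitoring items above imply: a request is served only when a live, unrevoked consent covers every requested data category, and every attempt is logged. The category labels, the `Consent` and `DataGateway` names, and the sample records are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# The six data categories the article lists. The label strings are
# hypothetical, not FDX or statutory scope names.
CATEGORIES = frozenset({"transactions", "balances", "payment_initiation",
                        "terms", "upcoming_bills", "identity"})

@dataclass
class Consent:
    customer_id: str
    representative: str            # the authorized third party
    granted: frozenset             # categories the customer approved
    expires_at: datetime
    revoked_at: Optional[datetime] = None

@dataclass
class DataGateway:
    records: dict                  # customer_id -> {category: data}
    audit_log: list = field(default_factory=list)

    def fetch(self, consent: Consent, requested, now: datetime):
        """Serve data only if a live consent covers every requested category."""
        requested = frozenset(requested)
        if consent.revoked_at is not None and consent.revoked_at <= now:
            decision = "deny:revoked"
        elif now >= consent.expires_at:
            decision = "deny:expired"
        elif not requested or not requested <= CATEGORIES:
            decision = "deny:unknown_category"
        elif not requested <= consent.granted:
            decision = "deny:out_of_scope"   # fail closed, no partial response
        else:
            decision = "allow"
        # Log every attempt, denials included, to feed access monitoring.
        self.audit_log.append({
            "at": now.isoformat(), "customer": consent.customer_id,
            "representative": consent.representative,
            "requested": sorted(requested), "decision": decision})
        if decision != "allow":
            return None
        data = self.records[consent.customer_id]
        return {c: data.get(c) for c in requested}

# Constructed sample data for illustration.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
GATEWAY = DataGateway(records={"cust-1": {
    "transactions": [{"amount": -42.10, "payee": "Example Grocer"}],
    "balances": {"available": 1200.00}, "identity": {"name": "Sample Customer"}}})
CONSENT = Consent("cust-1", "budget-app.example",
                  frozenset({"transactions", "balances"}), NOW + timedelta(days=90))
```

Denied requests in the audit log, such as a representative repeatedly asking for categories outside its grant, are the raw material for the anomaly detection the list calls for.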
Most community banks will implement this through their core processor or a specialized vendor. Jack Henry, Fiserv, and FIS all offer open banking API platforms. Smaller banks may work through data aggregators like Plaid or MX, which provide the technical infrastructure in exchange for data access.
The key decision for your bank is whether to build, buy, or partner — and how quickly you need to move.
What Your Board Should Do
1. Inventory your New York exposure. Determine how many of your customers are New York residents. If the number is material — even a few hundred — you're likely covered by this bill if it becomes law. Plan accordingly.
2. Evaluate your data-sharing readiness. Can your core system export the required data categories in machine-readable format? Do you have API infrastructure, or are you still relying on screen-scraping relationships with aggregators? If the latter, you have a technology gap that needs addressing regardless of this bill's outcome.
3. Engage your core processor. Ask your core provider what their open banking API roadmap looks like. If they don't have one, that's a problem. If they do, understand the timeline, cost, and your bank's role in implementation.
4. Budget for compliance. Open banking infrastructure costs money — typically $100,000–$500,000 for a community bank, depending on size and complexity, plus $50,000–$100,000 annually for maintenance and monitoring. These costs need to be in your 2027 budget, even if the New York bill isn't law yet, because the direction of travel is clear.
5. Reframe the opportunity. Open banking isn't just a compliance burden. It's a chance to deepen customer relationships. Banks that proactively offer data-sharing capabilities — letting customers connect their accounts to budgeting apps, accounting software, and financial planning tools — build stickier relationships than banks that make it difficult. The data-sharing mandate is coming regardless. The banks that embrace it first will benefit most.
The Bottom Line
New York's Financial Data Rights Act is the most comprehensive open banking legislation in the United States. If enacted, it will establish the de facto national standard for financial data sharing — not because of its jurisdiction, but because of its reach. Every bank serving New York residents will need to comply, and the requirements will ripple across the industry.
The federal rule may eventually preempt state legislation, but "eventually" could be years away. In the meantime, New York is setting the pace.
Your bank can wait for clarity and scramble to comply when the deadline hits. Or it can start building the infrastructure, training the staff, and establishing the vendor relationships now — so that when open banking becomes mandatory, you're already there.
The data belongs to the customer. The question is how gracefully you hand it over.