United States of America: Implemented obligations for depository institutions with at least USD 250 billion in total assets outlined in Rule on Personal Financial Data Rights

On 1 April 2026, the final rule on personal financial data rights came into force for depository institutions with at least USD 250 billion in total assets and non-depository institutions with at least USD 10 billion in revenue. The rule mandates financial institutions to provide consumers with their data in a secure and usable format upon request. The rule provides consumers with the ability to switch to financial services that offer superior rates and services without incurring associated fees. Furthermore, the rule enforces privacy protections, requiring explicit consumer consent for data sharing and establishing mechanisms for revoking consent. The rule prohibits the unauthorised use of data and also prohibits the practice of "screen scraping." It is obligatory for financial providers to comply with the stipulated security and performance standards for data access. The rule applies to a range of financial products, including bank accounts, credit cards and payment apps, with compliance to be achieved in phases based on the size of the financial institution.