United States of America: Implemented obligations for depository institutions that hold at least USD 10 billion in total assets outlined in Rule on Personal Financial Data Rights

On 1 April 2027, the final rule on personal financial data rights came into force for depository institutions that hold at least USD 10 billion in total assets but less than USD 250 billion or non-depository institutions that did not generate USD 10 billion in revenue. The rule mandates financial institutions to provide consumers with their data in a secure and usable format upon request. The rule provides consumers with the ability to switch to financial services that offer superior rates and services without incurring associated fees. Furthermore, the rule enforces privacy protections, requiring explicit consumer consent for data sharing and establishing mechanisms for revoking consent. The rule prohibits the unauthorised use of data and also prohibits the practice of "screen scraping." It is obligatory for financial providers to comply with the stipulated security and performance standards for data access. The rule applies to a range of financial products, including bank accounts, credit cards and payment apps, with compliance to be achieved in phases based on the size of the financial institution.