$10,000 per violation. That’s the penalty in New York Assembly Bill 10640, filed March 13. An automated API can generate thousands of data access requests per minute; at $10,000 each, the math compounds faster than any compliance team can respond.

The bill, and a companion Senate measure filed March 17, covers all consumer financial products and extends data access rights to small businesses — both broader than the federal framework it’s designed to replace. Enforcement falls to the Superintendent of Financial Services.

The federal void is what drove Albany to act. The CFPB’s Section 1033 rules are on the books but unenforceable: a Kentucky federal court blocked the bureau last October, finding the rules likely exceeded statutory authority. The Sixth Circuit appeal is stayed while the CFPB rewrites them. The agency is signaling a revised rule that would allow data providers to charge fees after a free-access threshold, a narrow concession on a large unresolved framework. Revised rules could arrive in July.

If New York passes this bill, every state financial regulator will be watching. New York has a history of drafting financial rules other states adapt, and $10,000-per-violation penalties on automated products are exactly the kind of number that travels. The CFPB’s reconsideration process also may leave state attorneys general positioned to argue they can enforce existing Dodd-Frank authority independently of whatever the bureau produces. For financial institutions and fintechs, a patchwork of state open banking laws is a worse outcome than a flawed federal rule.

Both bills sit in committee. The CFPB’s July window is the next date that matters.

Marcus Webb