Do US banks have to comply with GDPR?

Asked by: Jana Kuhlman  |  Last update: April 25, 2026
Score: 4.9/5 (67 votes)

Yes, if the bank's processing falls within the territorial scope set out in Article 3 GDPR, and the bank's own location does not change that. A US bank is in scope when it processes personal data in the context of an establishment in the EU (Art. 3(1)), or when it offers goods or services to, or monitors the behaviour of, individuals who are in the EU (Art. 3(2)). Mere accessibility of the bank's website from the EU is not enough on its own (Recital 23); what triggers Art. 3(2) are indicators of targeting, such as accepting payments in euro, offering EU-language pages, or marketing to customers in a Member State. Once in scope, the bank must follow the Art. 5 principles (data minimisation, transparency and the rest) and honour EU data subject rights, alongside US obligations such as GLBA.

Does GDPR apply to US banks?

The short answer is yes, the GDPR can apply to US companies. Article 3 of the regulation sets out its territorial scope and makes clear that where a company is established is not the deciding factor: what matters is whether it processes personal data in the context of an EU establishment, or offers goods or services to, or monitors the behaviour of, people who are in the EU.

Is GDPR compliance mandatory in the USA?

Yes, the EU's GDPR (General Data Protection Regulation) applies to U.S. companies and organizations if they offer goods or services to, or monitor the behavior of, individuals located in the European Union (EU), even if the company is based in the U.S. and the data processing takes place in the U.S. Its scope is extraterritorial: it protects the data of individuals who are in the EU wherever the processing happens (residency or citizenship is not required; presence in the EU at the time of the processing is what counts), requiring U.S. entities to meet EU data protection standards and to grant those individuals specific rights.

What are the GDPR rules for banks?

Banks must adhere to the Article 5 principles (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability) and uphold customers' rights, including access to, rectification of, and erasure of personal data. Several other GDPR obligations bite hard on banks in particular: appropriate technical and organisational security measures (Art. 32), notification of personal data breaches to the supervisory authority within 72 hours (Art. 33), data protection impact assessments for high-risk processing such as credit scoring and fraud profiling (Art. 35), limits on solely automated decisions with legal or similarly significant effects, for example automated credit refusals (Art. 22), written processor contracts with cloud and outsourcing providers (Art. 28), and the Chapter V restrictions on transferring EU customer data to the US.

What is the $3,000 bank rule?

The "$3,000 bank rule" refers to U.S. Treasury recordkeeping regulations under the Bank Secrecy Act (BSA) rather than a reporting requirement: financial institutions must record and verify specific information about certain transactions at or above $3,000 and retain those records for five years so they are available to law enforcement. It covers purchases with currency of cashier's checks, bank checks, money orders and traveler's checks in amounts from $3,000 to $10,000 inclusive (31 CFR 1010.415), and funds transfers of $3,000 or more under the Recordkeeping and Travel Rules (31 CFR 1010.410(e) and (f)), which require the bank to verify the purchaser's or originator's identity and to record payer, recipient and transaction details. Reporting to FinCEN is the separate CTR requirement, which starts at cash transactions of more than $10,000.

What are the 7 principles of GDPR?

Article 5(1) and 5(2) GDPR set out seven principles: (1) lawfulness, fairness and transparency; (2) purpose limitation; (3) data minimisation; (4) accuracy; (5) storage limitation; (6) integrity and confidentiality (security); and (7) accountability, meaning the controller must be able to demonstrate compliance with the first six.

Is depositing $2000 in cash suspicious?

Depositing $2,000 in cash isn't inherently suspicious, but it can attract scrutiny if it is unusual for you or if it looks like part of a pattern to stay under a reporting threshold (the Currency Transaction Report is triggered by cash transactions of more than $10,000, aggregated per person per business day). Banks must file a Suspicious Activity Report (SAR) for suspicious transactions of $5,000 or more where a suspect can be identified, and structuring, that is, splitting cash into smaller deposits to evade the CTR, is itself a federal offense (31 U.S.C. 5324) regardless of the amounts involved, so a SAR can be filed on it without any minimum. To avoid issues, keep clear records of the cash's legitimate source (e.g., business invoices, pay stubs) and don't break a larger amount into smaller deposits to avoid reporting.

How much money can you put in a bank without being questioned?

Key Takeaways. Banks must file a Currency Transaction Report for cash transactions of more than $10,000 (31 CFR 1010.311), and multiple cash transactions by or on behalf of the same person in one business day are aggregated toward that threshold. Don't think that breaking up your money into smaller deposits will let you skirt reporting requirements; that is structuring, which is a crime in itself.

Who does the GDPR not apply to?

Article 2(2) GDPR carves out a small number of activities: processing in the course of a purely personal or household activity; processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences, which falls under the Law Enforcement Directive (Directive (EU) 2016/680) instead; activities outside the scope of Union law, such as national security; and Member State activities under the common foreign and security policy (Title V, Chapter 2 TEU). Processing by the EU institutions themselves is governed by Regulation (EU) 2018/1725. Note that government agencies are not exempt as such: public authorities are controllers like anyone else, and Art. 37 even requires them to appoint a data protection officer.

What is Section 47 of the banking Act?

Section 47 of the Act provides that customer information shall not, in any way, be disclosed by a bank (holding a valid banking licence in Singapore or the branches and offices located within Singapore of such a bank incorporated outside Singapore) or its officers to any other person except as expressly provided in the ...

What regulations do banks have to comply with?

Bank Regulatory Compliance in the USA

It's guided by federal and state laws like Dodd-Frank (consumer protection, systemic risk), BSA/AML (anti-money laundering), and GLBA (data privacy). Oversight from the Federal Reserve, OCC, and FDIC ensures banks operate safely, follow regulations, and maintain public trust.

What is GDPR called in the USA?

What is the US equivalent of the GDPR? There is no single federal equivalent. The closest and most commonly cited analogue is the California Consumer Privacy Act (CCPA), as amended by the CPRA, which was inspired by the GDPR and likewise gives consumers rights over their personal data; other states have since passed comparable laws. For banks specifically, federal financial privacy is governed by the Gramm-Leach-Bliley Act (GLBA), and the CCPA largely exempts personal information that is already collected and processed under GLBA.

What happens if I don't comply with GDPR?

Art. 83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher, for breaches of obligations such as those on controllers and processors (Arts. 25 to 39). The higher tier in Art. 83(5), up to 20 million euros or 4% of worldwide annual turnover, applies to breaches of the basic principles, data subject rights and the international transfer rules. Supervisory authorities can also order processing to stop or data to be erased, and data subjects can claim compensation (Art. 82). Especially important here is that the term "undertaking" is equivalent to that used in Art.

Does GDPR apply to US customers?

Understanding the reach of GDPR is crucial for any organization handling personal data. GDPR applies to any organization, regardless of its location, that processes the personal data of individuals who are in the EU in the context of an EU establishment, or in connection with offering goods or services to those individuals or monitoring their behavior (Art. 3). Residency is not the test; being in the EU when the processing relates to you is. This means GDPR's scope is extraterritorial, reaching well beyond the borders of the EU.


Do bank details fall under GDPR?

Yes. Bank details are personal data under the GDPR and the UK GDPR whenever they relate to an identified or identifiable individual, but they are not "special category" data under Article 9, which is limited to matters such as health, biometric and genetic data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and sex life or orientation. Economic and financial data, meaning data relating to an individual's or group of individuals' credit card, bank account or other financial affairs, including pay or the rates of benefits they receive, is nevertheless treated as high-risk in practice: its exposure readily causes financial damage, so it weighs heavily in DPIAs, in the Art. 32 security assessment, and in the Art. 33/34 breach-notification analysis.

What are the 5 key areas of compliance in banking?

Key Bank Compliance Policies for 2025

  • Bank Secrecy Act Policy. The Bank Secrecy Act policy remains a cornerstone of anti-money laundering (AML) efforts in 2025. ...
  • Data Protection and Privacy Policy. ...
  • Anti-Bribery and Corruption Policy. ...
  • Environmental and Social Risk Management Policy. ...
  • Cybersecurity and Fraud Prevention Policy.

What is Section 69 of the banking Act?

Section 69 of the Banking Act identifies unclaimed money as all principal, interest, dividends, bonuses, profits and sums of money legally payable by the ADI, but where the time limit for commencing proceedings for recovery of these funds has expired.

Are banks bound by confidentiality?

As noted in the advisory and the relevant rules and regulations, except in very limited circumstances, financial institutions are prohibited by law from disclosing their CAMELS or RFI rating and other nonpublic supervisory information to nonrelated third parties without written permission from the appropriate federal ...

What is section 52 of the Banks Act?

Section 52 of the Banks Act lists various corporate activities within or outside the Republic, such as the establishment of subsidiaries, the opening of branch offices, the acquisition of an interest in a foreign undertaking, the creation of a trust, etc., into which banks and bank controlling companies may not expand ...

What are the 6 legal bases of GDPR?

Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.

What is not protected under the GDPR?

The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

Which countries do not follow GDPR?

List of Non-GDPR European Countries (non-exhaustive)

  • Albania.
  • Belarus.
  • Bosnia and Herzegovina.
  • Kosovo.
  • Moldova.
  • Montenegro.
  • North Macedonia.
  • Russia.

The GDPR applies directly in the 27 EU Member States and, through the EEA Agreement, in Iceland, Liechtenstein and Norway. The United Kingdom left the EU and now applies its own "UK GDPR" and Data Protection Act 2018; Switzerland has its own federal data protection law. A company in any of the countries listed above is still bound by the GDPR whenever it offers goods or services to, or monitors, people in the EU (Art. 3(2)).


Where do millionaires keep their money if banks only insure $250k?

Millionaires keep their money beyond the $250k FDIC limit by diversifying into investments like stocks, bonds, real estate, and money market funds; using private banking services; splitting funds across multiple banks or ownership categories (e.g., joint accounts); using deposit networks like IntraFi; or holding assets in vehicles that carry no deposit insurance at all, such as safe deposit boxes. They generally rely less on bank insurance for large sums and more on diverse asset classes for wealth preservation and growth.

What is the $10,000 bank rule?

The "$10,000 bank rule" refers to the federal requirement under the Bank Secrecy Act (BSA) for financial institutions to report cash transactions (deposits, withdrawals, exchanges) of more than $10,000 to the Financial Crimes Enforcement Network (FinCEN) on a Currency Transaction Report (CTR, FinCEN Form 112), with multiple cash transactions by or for the same person in one business day aggregated toward the threshold. Trades and businesses that receive more than $10,000 in cash have a parallel duty to file IRS Form 8300. The reports help combat money laundering, tax evasion and terrorist financing, but filing one doesn't mean the transaction is illegal; if the funds are legitimate, the bank simply records and reports details such as the customer's name, address and ID.