2020 NACHA ACH Data Security Rule Changes

The National Automated Clearing House Association (NACHA) is a non-profit organization that manages the United States ACH Network, as well as a large portion of financial data exchange around the world. The ACH Network is a payment system that universally connects U.S. bank accounts and facilitates the movement of money and information. The ACH Network processed 24.7 billion payments in 2019 totaling an estimated 56 trillion dollars in value. NACHA is responsible for developing rules, standards, governance, and education related to the processing of electronic payments domestically within the United States, as well as abroad.


In 2020, NACHA is rolling out changes to its ACH data security rules that directly affect how organizations that processed a high volume of ACH transactions in 2019 store sensitive bank account information.


Who is affected and when? 

Phase 1: Third-Party Service Providers and Third-Party Senders that processed 6 million or more ACH transactions in 2019 must be compliant by June 30, 2020.

Phase 2: Third-Party Service Providers and Third-Party Senders that processed 2 million or more ACH transactions in 2020 must be compliant by June 30, 2021.


(Note: NACHA’s best practice recommendation is for organizations to encrypt ACH banking information regardless of transaction volume).


Why is this change occurring? Why are they affected?

The rule exists to protect the confidentiality and integrity of sensitive banking information against threats or hazards to the security or integrity of that protected (non-public) information, and to protect against unauthorized use of banking information that could result in substantial harm to a person or organization.


What specific changes must organizations make to ensure compliance?

Organizations must protect depository account information used in the initiation of ACH transactions by rendering it unreadable when it is stored electronically. The requirement covers electronic storage only; it does not extend to paper records or to telephone-based documents or transactions. The existing ACH Security Framework already requires that all financial institutions, Originators, Third-Party Service Providers, and Third-Party Senders establish, implement, and update security policies, procedures, and systems related to the initiation, processing, and storage of ACH entries. The Rules are neutral as to the methods and technologies used to render stored data unreadable. Encryption, truncation, tokenization, destruction, or having a financial institution store, host, or tokenize account numbers are among the options to consider; each party will need to make its own business decision in consultation with its legal counsel and technology providers.
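Because the Rules leave the method open, the following Go program is added here as an illustration (it is not part of NACHA's Rules or of this advisory) of three of the named options working together on one stored record: AES-256-GCM encryption of the account number with the routing number bound in as associated data, truncation to the last four digits for display, and an HMAC-based token for lookups. All type and function names (ProtectedAccount, Protect, Recover, Tokenize, ValidRoutingNumber, newGCM) are this example's own, and the routing number 012345672 and account number 9876543210 are constructed sample values; the routing number merely satisfies the ABA check digit and does not identify a real bank.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// ProtectedAccount is what gets persisted instead of the clear-text account number.
type ProtectedAccount struct {
	Routing    string // ABA routing number: a public bank identifier, kept in the clear and bound into the ciphertext as associated data
	Token      string // HMAC-SHA256 surrogate for lookups and duplicate detection (tokenization)
	Last4      string // truncated form that is safe to show to operators (truncation)
	Ciphertext []byte // AES-256-GCM output laid out as nonce || ciphertext || tag (encryption)
}

// ValidRoutingNumber applies the ABA check digit: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be divisible by 10.
func ValidRoutingNumber(r string) bool {
	if len(r) != 9 {
		return false
	}
	sum, weights := 0, [3]int{3, 7, 1}
	for i := 0; i < 9; i++ {
		if r[i] < '0' || r[i] > '9' {
			return false
		}
		sum += weights[i%3] * int(r[i]-'0')
	}
	return sum%10 == 0
}

// Tokenize derives a deterministic surrogate under a key that is separate from the encryption key.
func Tokenize(tokenKey []byte, routing, account string) string {
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write([]byte(routing + ":" + account))
	return hex.EncodeToString(mac.Sum(nil))
}

// newGCM expects a 32-byte key (AES-256) that lives in a KMS or HSM, never in the record store itself.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect validates the routing/account pair and produces the at-rest record.
func Protect(encKey, tokenKey []byte, routing, account string) (ProtectedAccount, error) {
	if !ValidRoutingNumber(routing) {
		return ProtectedAccount{}, errors.New("invalid ABA routing number")
	}
	if len(account) < 4 || len(account) > 17 { // the DFI account number field of an ACH entry holds at most 17 characters
		return ProtectedAccount{}, errors.New("account number length out of range")
	}
	gcm, err := newGCM(encKey)
	if err != nil {
		return ProtectedAccount{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return ProtectedAccount{}, err
	}
	// Routing number as associated data: the ciphertext cannot be re-paired with another bank without failing authentication.
	ct := gcm.Seal(nonce, nonce, []byte(account), []byte(routing))
	return ProtectedAccount{Routing: routing, Token: Tokenize(tokenKey, routing, account), Last4: account[len(account)-4:], Ciphertext: ct}, nil
}

// Recover decrypts the account number for use, for example when building an ACH file.
func Recover(encKey []byte, p ProtectedAccount) (string, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(p.Ciphertext) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, p.Ciphertext[:ns], p.Ciphertext[ns:], []byte(p.Routing))
	return string(pt), err // pt is nil (empty string) when authentication fails
}

func main() {
	encKey, tokenKey := make([]byte, 32), make([]byte, 32) // demo keys only; see newGCM
	io.ReadFull(rand.Reader, encKey)
	io.ReadFull(rand.Reader, tokenKey)
	p, err := Protect(encKey, tokenKey, "012345672", "9876543210") // constructed sample values
	if err != nil {
		panic(err)
	}
	acct, _ := Recover(encKey, p)
	fmt.Println("stored:", p.Routing, p.Last4, p.Token[:8]+"...", "recovered:", acct)
}
```

The keys are the point of the exercise: a ciphertext stored next to the key that decrypts it is not "unreadable" in any meaningful sense, so the encryption and token keys belong in a KMS or HSM, with access limited to the service that actually builds ACH files. The HMAC token is deterministic, which allows duplicate-account detection but also means anyone holding the token key can confirm a guessed account number; a vault that issues random tokens avoids that at the cost of a lookup table. Both are options the Rules allow, and choosing between them is the business decision the text above leaves to each party.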


This at-rest requirement supplements the existing transmission requirement: banking information exchanged over an Unsecured Network must be encrypted from the point of key entry and throughout transmission.


How does NACHA ensure organizations are compliant with the new rules? 

Each DFI, Third-Party Service Provider, and Third-Party Sender must verify, as part of the requirements for an annual ACH Rules Compliance Audit, that it has established, implemented, and updated the data security policies, procedures, and systems required by the Rules. 

Like the other provisions of the Rules, the annual Rules Compliance Audit requirement applies directly only to DFIs, Third-Party Service Providers, and Third-Party Senders, not to Originators. Originators are bound to the NACHA Operating Rules through their Origination Agreements with their ODFIs. As such, Originators must ensure that they have policies, procedures, and systems in place that will ensure compliance with the ACH Security Framework.


For additional information, and to discuss your Treasury Advisory needs, contact [email protected]