The upcoming effective dates for the ACH Data Security Rule changes have been extended by one year, to June 30, 2021 and June 30, 2022. The effective dates for other upcoming NACHA rule changes remain unchanged.
The National Automated Clearing House Association (NACHA) is a non-profit organization that manages the United States ACH Network, as well as a large portion of financial data exchange around the world. The ACH Network is a payment system that universally connects U.S. bank accounts and facilitates the movement of money and information. The ACH Network processed 24.7 billion payments in 2019 totaling an estimated 56 trillion dollars in value. NACHA is responsible for developing rules, standards, governance, and education related to the processing of electronic payments domestically within the United States, as well as abroad.
In 2021, NACHA is requiring specific changes regarding ACH data security that directly impact the storage of sensitive bank account information for organizations who process a high volume of ACH transactions annually.
Who is affected and when?
Phase 1: Third-party service providers and third-party senders that process an annual ACH volume of 6 million transactions will need to be compliant by June 30, 2021.
Phase 2: Third-party service providers and third-party senders that process an annual ACH volume of 2 million transactions or greater will need to be compliant by June 30, 2022.
(Note: NACHA’s best-practice recommendation is for organizations to encrypt ACH banking information regardless of transaction volume.)
Why is this change occurring? Why are they affected?
The change is intended to protect the confidentiality and integrity of sensitive banking information against threats or hazards to the security or integrity of the protected (non-public) information, and to protect against unauthorized use of banking information that could result in substantial harm to a person or organization.
What are the specific changes that need to be made so that organizations ensure compliance?
Organizations must protect depository account information used in the initiation of ACH transactions by rendering it unreadable when stored electronically (this does not apply to paper or phone documents or transactions). The existing ACH Security Framework requires that all financial institutions, originators, third-party service providers, and third-party senders establish, implement, and update security policies, procedures, and systems related to the initiation, processing, and storage of ACH entries. The rules are neutral as to the methods and technologies that may be used to render data unreadable while stored electronically at rest. Encryption, truncation, tokenization, destruction, or having a financial institution store, host, or tokenize account numbers are among the options to consider, but each party will need to make its own business decision in consultation with its legal counsel and technology providers.
The encryption requirements must be employed prior to the key-entry and through the transmission of any banking information exchanged over an Unsecured Network.
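The following is an added illustration (not from the bulletin or from NACHA) of two of the options named above, truncation and tokenization, applied to a depository account number before it is written to application storage. The account number, the vault key, and the record layout are constructed for the example; the vault itself is the component that would still need to be encrypted or hosted by a financial institution.

```python
import hashlib
import hmac
import secrets


def truncate_account(account_number: str, keep_last: int = 4) -> str:
    """Truncation: retain only the trailing digits needed for display/reconciliation."""
    digits = "".join(ch for ch in account_number if ch.isdigit())
    if len(digits) <= keep_last:
        raise ValueError("account number too short to truncate safely")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def blind_index(account_number: str, key: bytes) -> str:
    """Keyed HMAC so an existing record can be matched without storing the number in clear.
    A plain (unkeyed) hash would not qualify: account numbers are short and enumerable."""
    return hmac.new(key, account_number.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: the application keeps only a random token; the token-to-account
    mapping lives in this segregated vault (assumed to be protected separately)."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._by_token = {}   # token -> account number
        self._by_index = {}   # blind index -> token, so re-tokenizing is idempotent

    def tokenize(self, account_number: str) -> str:
        idx = blind_index(account_number, self._index_key)
        if idx in self._by_index:
            return self._by_index[idx]
        token = "tok_" + secrets.token_urlsafe(16)  # carries no account digits
        self._by_token[token] = account_number
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def store_account_for_ach(account_number: str, vault: TokenVault) -> dict:
    """Build the record the ACH application stores: no readable account number."""
    return {
        "account_token": vault.tokenize(account_number),
        "account_display": truncate_account(account_number),
    }
```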
How does NACHA ensure organizations are compliant with the new rules?
Each DFI, Third-Party Service Provider, and Third-Party Sender must verify, as part of the requirements for an annual ACH Rules Compliance Audit, that it has established, implemented, and updated the data security policies, procedures, and systems required by the Rules.
As with all provisions of the Rules, the annual Rules Compliance Audit applies only to DFIs, Third-Party Service Providers, and Third-Party Senders, not directly to Originators. Originators are bound to the NACHA Operating Rules through their Origination Agreements with the ODFIs. As such, Originators must ensure that they have existing policies, procedures, and systems in place that will ensure compliance with the ACH Security Framework.
For additional information, and to discuss your Treasury Advisory needs, contact [email protected]
Read the full ACH Operations Bulletin #4-2020 here.