ACH Topics: The details on data security

By Jen Kirk, AAP, EPCOR, Vice President, Education

In 2013, NACHA introduced a new rule that requires financial institutions, Originators and Third-Party Service Providers (including Third-Party Senders) to effectively protect ACH data when it is being stored by the party. This rule does not specifically say HOW to comply but simply states that anyone who collects and stores specific ACH data, including account information, needs to have procedures in place regarding how they are adequately storing this information to prevent it from getting into the wrong hands. Many have taken specific Payment Card Industry (PCI) compliance requirements and adapted them to the ACH information being stored.

While this type of data security was not new to financial institutions, the fact that this rule applied downstream to Originators and Third-Parties collecting ACH data made it the first rule of its kind in the ACH Network.

Now, NACHA is expanding the rule to specifically say that large Originators and Third-Parties (including Third-Party Senders) who store ACH information electronically are required to render account numbers unreadable while they are stored. Once again, the ACH Rules do not prescribe how this must be done. Originators could truncate account numbers, use encryption software for account number storage, or use some other suitable means of storage.

Implementation is as follows:

  • Phase 1—Effective June 30, 2020—Applies to Originators who transmitted six million or more transactions in 2019.
  • Phase 2—Effective June 30, 2021—Applies to Originators with two million or more transactions in 2021.

It is important to note that these are the number of individual transactions, not the dollar amount originated in a calendar year.

But what does that mean for the rest of the Originators? While this new rule may keep ACH data held by the largest Originators from getting into the wrong hands, even smaller Originators have a responsibility to protect the ACH data they gather to pay employees or collect money from clients. The current data security requirements still apply to them, and rendering ACH account information unreadable when it is stored electronically should still be considered a best practice.
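Both storage options the article names, truncation for what is displayed and encryption for the full number that must be recovered to originate entries, shown as an added Go example that is not code from this article or from NACHA. The key source (a KMS/HSM), the choice of AES-GCM, the routing-number binding and all sample values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// StoredAccount is the at-rest record; the readable account number is never written.
type StoredAccount struct {
	Last4      string // truncated form for statements and support screens
	Ciphertext []byte // nonce || AES-GCM(account number), bound to the routing number
}

// NewAEAD builds the AES-GCM cipher; the key (16, 24 or 32 bytes) is assumed
// to come from a KMS/HSM rather than sit beside the data it protects.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect renders an account number unreadable at rest: only a masked form and
// an AES-GCM ciphertext, with the routing number as associated data, are kept.
func Protect(gcm cipher.AEAD, routing, acct string) (StoredAccount, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every record
	if _, err := rand.Read(nonce); err != nil {
		return StoredAccount{}, err
	}
	last4 := acct
	if len(acct) > 4 {
		last4 = "****" + acct[len(acct)-4:] // truncation, the other option named above
	}
	ct := gcm.Seal(nonce, nonce, []byte(acct), []byte(routing))
	return StoredAccount{Last4: last4, Ciphertext: ct}, nil
}

// Reveal decrypts only when the full number is needed to originate an entry; it
// fails closed on a wrong key, a tampered record, or a routing-number mismatch.
func Reveal(gcm cipher.AEAD, routing string, s StoredAccount) (string, error) {
	n := gcm.NonceSize()
	if len(s.Ciphertext) < n {
		return "", errors.New("stored ciphertext too short")
	}
	pt, err := gcm.Open(nil, s.Ciphertext[:n], s.Ciphertext[n:], []byte(routing))
	return string(pt), err // pt is nil, hence "", whenever err is set
}
```

Because the routing number is authenticated as associated data, a ciphertext copied onto a record with a different routing number fails to decrypt instead of silently yielding the wrong account.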

While breaches from the largest Originators such as Target, Marriott, and Orbitz have made the national news, a breach of bank account information from a smaller-scale company could severely harm its reputation.