Text

ACH Rules Change: Supplementing Data Security Requirements Phase Two
Amy Donaghue

By: Karen Sylvester, AAP, APRP, CAMS, CRCM, NCP, Senior Director, Compliance Education

Want to Stay Up to Date on Compliance and Fraud Issues?

Stay on top of the latest compliance and fraud issues currently impacting the payment space with our Quarterly Compliance and Fraud Review webinar series. Together, we will examine the latest threats and challenges circulating the payments industry so that your organization can plan a proactive response. Current fraud schemes, compliance considerations and mitigation techniques will be discussed. Our third quarter webinar is happening on September 7th. Register now!

Ransomware, business email compromise, phishing, account takeover…the list goes on and on! Within the ACH Network, the industry has done a great job of protecting data, but unfortunately, fraud is ever-present.

  1. The ACH Security Framework Rule was implemented in 2013 requiring ODFIs, Originators, TPSPs and TPSs to have policies, procedures and systems in place to:
    protect non-public personal information used to create ACH entries until destruction (e.g., routing number, account number, SSN),
  2. protect that data from being breached and
  3. protect it from being used in fraudulent transactions.

Policies, procedures and systems must include controls that comply with applicable regulatory guidelines.

As fraud continued to increase, the industry adopted enhancements to ACH Security Framework, coined Supplementing Data Security Requirements. This two-phased approach aligns with the existing language contained in Payment Card Industry (PCI) requirements. Although the Rule does not apply to the storage of ACH account information in physical, paper form, the requirement to render the account information unreadable DOES apply if these paper authorizations or other documents containing ACH account numbers are scanned for electronic record retention and storage purposes.

The ACH Rules are neutral about specific methods or technologies; however, they must be commercially reasonable. Examples include encryption, truncation, tokenization, masking or destruction to name a few methods.

Phase One impacted ACH Originators/TPSPs/TPSs with an ACH volume of six million entries or greater annually and went into effect on June 30, 2021. Phase Two impacts ACH Originators/TPSPs/TPSs with an ACH volume of two million entries or greater annually and goes into effect on June 30, 2022.

Though there are not currently plans to impact ACH Originators/TPSPs/TPSs under two million entries annually, this is a great reminder to organizations of all sizes of the importance of data security. At the end of the day, we all need to protect our data and the data of our clients.