Supplementing Data Security Requirements Rule Phase 2Effective June 30, 2022

6/13/2022

Nacha’s Supplementing Data Security Requirements rule expands the existing ACH Security Framework to explicitly require large, non-financial institution Originators, Third-Party Service Providers and Third-Party Senders to protect account numbers (consumer and non-consumer) used in the initiation of ACH entries by rendering them unreadable when stored electronically.

The rule applies only to account numbers collected for or used in ACH transactions and does not apply to the storage of paper authorizations. The rule also does not apply to depository financial institutions when acting as internal Originators, as they are covered by existing FFIEC and similar data security requirements and regulations.

The Nacha Rules are neutral as to the methods/technologies that may be used to render data unreadable while stored at rest electronically. Encryption, truncation, tokenization, destruction or having the financial institution store, host or tokenize the account numbers, are among options for Originators and Third-Parties to consider, but each Originator, Third-Party Service Provider or Third-Party Sender will need to make its own business decision in consultation with its legal counsel and technology providers.

Effective Dates

Nacha is implementing this rule in two phases. Phase 1 of the rule, which applies to ACH Originators and Third-Parties with more than 6 million ACH payments annually, became effective on June 30, 2021, and Phase 2 of the Rule, which applies to ACH Originators and Third-Parties with more than 2 million ACH payments annually, will be effective on June 30, 2022.

Going forward, any non-financial-institution Originator, Third-Party Sender or Third-Party Service Provider that meets the 2 million-entry annual origination/transmission volume threshold in calendar year 2020 or beyond will be required to comply with this rule by June 30 of the year following the calendar year in which the 2 million-entry volume threshold was met.

Impact to Participants

Originators, Third-Party Senders and Third-Party Service Providers

Any of these ACH Network participants that are not currently compliant with this rule will need to implement changes to bring their systems into compliance. If needed, contact your ODFI to determine if this Nacha rule requirement applies to your business.

ODFIs

ODFIs should provide internal training to ensure applicable personnel understand the Nacha requirements surrounding this rule. ODFIs should review ACH transaction volumes originated during 2019 and 2020 to determine if it has any Originators and/or Third-Parties that met the Nacha described thresholds.  For ODFI’s that have Originators and/or Third-Parties that met the described thresholds, inform and educate the identified Originators and/or Third-Parties of their direct compliance obligation with respect to this rule and update ACH origination agreements, as needed. For 2021 and beyond, ODFIs should continue to monitor its Originators and/or Third-Parties ACH transaction volumes originated during each calendar year to determine if it has any Originators and/or Third-Parties that met the 2 million-entry volume threshold and enforce this rule on identified participants.  

RDFIs

RDFIs are not impacted by this rule.

Questions?

For more information, including some frequently asked questions, you can visit Nacha's website. If you have any questions or need assistance, email paymentadvisors@saltmarshcpa.com or a member of our Financial Institutions Team so we can help. 

About the Bank Advisors

The Bank Advisors at Saltmarsh have provided audit, tax and consulting services to a wide range of financial institutions since our founding in 1944, making it the firm’s largest specialty practice and industry of focus. Our Financial Institution Advisory Group has the talent, expertise and insight to help you and your institution thrive. Our team members are also industry leaders who have the knowledge and experience to provide you with unparalleled service and guidance.

Related Posts

• Safeguarding Against ACH Fraud: Ten Essential Steps for Financial Institutions and Businesses
• ICYMI: An Important Reminder About the CRA Public File, and More
• Understanding ACH Risk Assessments: A Crucial Requirement of the Nacha Rules
• Nacha's Updated Written Statement of Unauthorized Debit: Should You Update Your WSUD Forms?
• Saltmarsh Hosts 18th Annual BankTalk
• Jay Newsome Joins Financial Institution Consulting Group & Expands Firm's Alabama Market Presence
• Best Practice Ideas from the Asset-Liability Management Trenches
• Managing Risk: Fraud Deterrence Is Always a Priority
• Webinar on Demand: Getting to Know FedNow, Now
• Nacha's 2023 Rules Updates: Are You Affected?
• Do I Need an ACH Audit?
• Webinar Recording: Top 8 ACH Audit Findings You Should Be Aware Of
• Think CECL Is Only for Banks? Not So Fast!
• Saltmarsh Hosts 17th Annual Community BankTalk Event
• Preparing for $500 Million in Assets
• Secure Exchange of Standardized Letters of Indemnity
• Best Practice Suggestions for Back-Testing Asset-Liability Management (ALM) Models for Accuracy
• Words to Live By
• Webinar Materials: The New ACH Rules on Micro-Entries
• Nacha Micro Entry-Rule
• Elder Financial Exploitation by the Numbers
• CECL: What About Credit Losses on Debt Securities?
• Supplementing Data Security Requirements Rule Phase 2
• Webinar Materials: ODFIs - How Do You Keep Your ACH Clients Informed?
• Webinar Materials: CFO Symposium Update
• View All Articles

• Blog
  • Audit & Assurance
  • Construction
  • Employee Benefits
  • Financial Institutions
  • Healthcare
  • Human Resources
  • Information Technology
  • Investment Advisory
  • Legal
  • Manufacturing
  • Not For Profit
  • Tax & Accounting
  • What's Happening At Saltmarsh
• Tools & Resources
• Videos