Nacha's Supplementing Data Security Requirements Rule
4/20/2021
Nacha’s Supplementing Data Security Requirements rule expands the existing ACH Security Framework to explicitly require large, non-financial institution Originators, Third-Party Service Providers, and Third-Party Senders to protect account numbers (consumer and non-consumer) used in the initiation of ACH entries by rendering them unreadable when stored electronically.
The rule applies only to account numbers collected for or used in ACH transactions and does not apply to the storage of paper authorizations. The rule also does not apply to depository financial institutions when acting as internal Originators, as they are covered by existing FFIEC and similar data security requirements and regulations.
The Nacha Rules are neutral as to the methods/technologies that may be used to render data unreadable while stored at rest electronically. Encryption, truncation, tokenization, destruction, or having the financial institution store, host, or tokenize the account numbers, are among options for Originators and Third-Parties to consider, but each Originator, Third-Party Service Provider, or Third-Party Sender will need to make its own business decision in consultation with its legal counsel and technology providers.
Nacha is implementing this rule in two phases. Phase 1 begins with the largest Originators, Third-Party Service Providers, and Third-Party Senders and initially applies to those with ACH volume of 6 million transactions or greater annually. Phase 2 applies to those with ACH volume of 2 million transactions or greater annually.
Effective Dates:
- Phase 1: Any Originator, Third-Party Service Provider, or Third-Party Sender that originated 6 million or more ACH transactions during the 2019 calendar year must be compliant by June 30, 2021.
- Phase 2: Any Originator, Third-Party Service Provider, or Third-Party Sender that originated 2 million or more ACH transactions during the 2020 calendar year must be compliant by June 30, 2022.
Going forward after the 2020 calendar year, any Originator, Third-Party Service Provider, or Third-Party Sender that originates 2 million or more ACH transactions in any calendar year 2020 or beyond must be compliant with the rule by June 30 of the following calendar year in which the 2 million-entry volume threshold was met.
Impact to Participants
Originators, Third-Party Senders, and Third-Party Service Providers
Any of these ACH Network participants that are not currently compliant with this rule will need to implement changes to bring their systems into compliance. If needed, contact your ODFI to determine if this Nacha rule requirement applies to your business.
ODFIs
ODFIs should provide internal training to ensure applicable personnel understand the Nacha requirements surrounding this rule. ODFIs should review ACH transaction volumes originated during 2019 and 2020 to determine if it has any Originators and/or Third-Parties that met the Nacha described thresholds. For ODFI’s that have Originators and/or Third-Parties that met the described thresholds, inform and educate the identified Originators and/or Third-Parties of their direct compliance obligation with respect to this rule and update ACH origination agreements, as needed. For 2021 and beyond, ODFIs should continue to monitor its Originators and/or Third-Parties ACH transaction volumes originated during each calendar year to determine if it has any Originators and/or Third-Parties that met the 2 million-entry volume threshold and enforce this rule on identified participants.
RDFIs
RDFIs are not impacted by this rule.
For more information, you can visit Nacha’s website.
Questions?
Staying in compliance can be challenging, so if you have any questions or need assistance, email paymentadvisors@saltmarshcpa.com or a member of our Financial Institutions Team so we can help.
About the Bank Advisors
The Bank Advisors at Saltmarsh have provided audit, tax and consulting services to a wide range of financial institutions since our founding in 1944, making it the firm’s largest specialty practice and industry of focus. Our Financial Institution Advisory Group has the talent, expertise and insight to help you and your institution thrive. Our team members are also industry leaders who have the knowledge and experience to provide you with unparalleled service and guidance.
Related Posts
- Safeguarding Against ACH Fraud: Ten Essential Steps for Financial Institutions and Businesses
- ICYMI: An Important Reminder About the CRA Public File, and More
- Understanding ACH Risk Assessments: A Crucial Requirement of the Nacha Rules
- Nacha's Updated Written Statement of Unauthorized Debit: Should You Update Your WSUD Forms?
- Saltmarsh Hosts 18th Annual BankTalk
- Jay Newsome Joins Financial Institution Consulting Group & Expands Firm's Alabama Market Presence
- Best Practice Ideas from the Asset-Liability Management Trenches
- Managing Risk: Fraud Deterrence Is Always a Priority
- Webinar on Demand: Getting to Know FedNow, Now
- Nacha's 2023 Rules Updates: Are You Affected?
- Do I Need an ACH Audit?
- Webinar Recording: Top 8 ACH Audit Findings You Should Be Aware Of
- Think CECL Is Only for Banks? Not So Fast!
- Saltmarsh Hosts 17th Annual Community BankTalk Event
- Preparing for $500 Million in Assets
- Secure Exchange of Standardized Letters of Indemnity
- Best Practice Suggestions for Back-Testing Asset-Liability Management (ALM) Models for Accuracy
- Words to Live By
- Webinar Materials: The New ACH Rules on Micro-Entries
- Nacha Micro Entry-Rule
- Elder Financial Exploitation by the Numbers
- CECL: What About Credit Losses on Debt Securities?
- Supplementing Data Security Requirements Rule Phase 2
- Webinar Materials: ODFIs - How Do You Keep Your ACH Clients Informed?
- Webinar Materials: CFO Symposium Update
- View All Articles
