Updates About COVID-19 (Coronavirus) - Learn More

Nacha's Supplementing Data Security Requirements Rule

4/20/2021 - By Janice Weisz, AAP

Nacha’s Supplementing Data Security Requirements rule expands the existing ACH Security Framework to explicitly require large, non-financial institution Originators, Third-Party Service Providers, and Third-Party Senders to protect account numbers (consumer and non-consumer) used in the initiation of ACH entries by rendering them unreadable when stored electronically.  

The rule applies only to account numbers collected for or used in ACH transactions and does not apply to the storage of paper authorizations.  The rule also does not apply to depository financial institutions when acting as internal Originators, as they are covered by existing FFIEC and similar data security requirements and regulations.

The Nacha Rules are neutral as to the methods/technologies that may be used to render data unreadable while stored at rest electronically. Encryption, truncation, tokenization, destruction, or having the financial institution store, host, or tokenize the account numbers, are among options for Originators and Third-Parties to consider, but each Originator, Third-Party Service Provider, or Third-Party Sender will need to make its own business decision in consultation with its legal counsel and technology providers.

Nacha is implementing this rule in two phases.  Phase 1 begins with the largest Originators, Third-Party Service Providers, and Third-Party Senders and initially applies to those with ACH volume of 6 million transactions or greater annually.  Phase 2 applies to those with ACH volume of 2 million transactions or greater annually.  

Effective Dates:

  • Phase 1:  Any Originator, Third-Party Service Provider, or Third-Party Sender that originated 6 million or more ACH transactions during the 2019 calendar year must be compliant by June 30, 2021.
  • Phase 2:  Any Originator, Third-Party Service Provider, or Third-Party Sender that originated 2 million or more ACH transactions during the 2020 calendar year must be compliant by June 30, 2022. 

Going forward after the 2020 calendar year, any Originator, Third-Party Service Provider, or Third-Party Sender that originates 2 million or more ACH transactions in any calendar year 2020 or beyond must be compliant with the rule by June 30 of the following calendar year in which the 2 million-entry volume threshold was met.

Impact to Participants

Originators, Third-Party Senders, and Third-Party Service Providers

Any of these ACH Network participants that are not currently compliant with this rule will need to implement changes to bring their systems into compliance.  If needed, contact your ODFI to determine if this Nacha rule requirement applies to your business.

ODFIs

ODFIs should provide internal training to ensure applicable personnel understand the Nacha requirements surrounding this rule.  ODFIs should review ACH transaction volumes originated during 2019 and 2020 to determine if it has any Originators and/or Third-Parties that met the Nacha described thresholds.  For ODFI’s that have Originators and/or Third-Parties that met the described thresholds, inform and educate the identified Originators and/or Third-Parties of their direct compliance obligation with respect to this rule and update ACH origination agreements, as needed.  For 2021 and beyond, ODFIs should continue to monitor its Originators and/or Third-Parties ACH transaction volumes originated during each calendar year to determine if it has any Originators and/or Third-Parties that met the 2 million-entry volume threshold and enforce this rule on identified participants.  

RDFIs

RDFIs are not impacted by this rule.

For more information, you can visit Nacha’s website

Staying in compliance can be challenging, if you have any questions or need assistance preparing for these new Nacha Rules, email me or a member of our Financial Institutions Team so we can help. 


Related Posts

Contact Us

FORT WALTON BEACH
(850) 243-6713

ORLANDO
(407) 203-8990

NASHVILLE
(615) 661-0885

PENSACOLA
(850) 435-8300

TAMPA
(813) 287-1111

info@saltmarshcpa.com
(800) 477-7458

2020 Saltmarsh, Cleaveland & Gund • Privacy Policy

Stay Connected

Sign up to receive updates and important information from Saltmarsh!

FIRM FAST FACTS