Supplementing Data Security Requirements Rule Phase 2Effective June 30, 2022


Nacha’s Supplementing Data Security Requirements rule expands the existing ACH Security Framework to explicitly require large, non-financial institution Originators, Third-Party Service Providers and Third-Party Senders to protect account numbers (consumer and non-consumer) used in the initiation of ACH entries by rendering them unreadable when stored electronically.

The rule applies only to account numbers collected for or used in ACH transactions and does not apply to the storage of paper authorizations. The rule also does not apply to depository financial institutions when acting as internal Originators, as they are covered by existing FFIEC and similar data security requirements and regulations.

The Nacha Rules are neutral as to the methods/technologies that may be used to render data unreadable while stored at rest electronically. Encryption, truncation, tokenization, destruction or having the financial institution store, host or tokenize the account numbers, are among options for Originators and Third-Parties to consider, but each Originator, Third-Party Service Provider or Third-Party Sender will need to make its own business decision in consultation with its legal counsel and technology providers.

Effective Dates

Nacha is implementing this rule in two phases. Phase 1 of the rule, which applies to ACH Originators and Third-Parties with more than 6 million ACH payments annually, became effective on June 30, 2021, and Phase 2 of the Rule, which applies to ACH Originators and Third-Parties with more than 2 million ACH payments annually, will be effective on June 30, 2022.

Going forward, any non-financial-institution Originator, Third-Party Sender or Third-Party Service Provider that meets the 2 million-entry annual origination/transmission volume threshold in calendar year 2020 or beyond will be required to comply with this rule by June 30 of the year following the calendar year in which the 2 million-entry volume threshold was met.

Impact to Participants

Originators, Third-Party Senders and Third-Party Service Providers

Any of these ACH Network participants that are not currently compliant with this rule will need to implement changes to bring their systems into compliance. If needed, contact your ODFI to determine if this Nacha rule requirement applies to your business.


ODFIs should provide internal training to ensure applicable personnel understand the Nacha requirements surrounding this rule. ODFIs should review ACH transaction volumes originated during 2019 and 2020 to determine if it has any Originators and/or Third-Parties that met the Nacha described thresholds.  For ODFI’s that have Originators and/or Third-Parties that met the described thresholds, inform and educate the identified Originators and/or Third-Parties of their direct compliance obligation with respect to this rule and update ACH origination agreements, as needed. For 2021 and beyond, ODFIs should continue to monitor its Originators and/or Third-Parties ACH transaction volumes originated during each calendar year to determine if it has any Originators and/or Third-Parties that met the 2 million-entry volume threshold and enforce this rule on identified participants.  


RDFIs are not impacted by this rule.


For more information, including some frequently asked questions, you can visit Nacha's website. If you have any questions or need assistance, email or a member of our Financial Institutions Team so we can help. 

About the Bank Advisors

The Bank Advisors at Saltmarsh have provided audit, tax and consulting services to a wide range of financial institutions since our founding in 1944, making it the firm’s largest specialty practice and industry of focus. Our Financial Institution Advisory Group has the talent, expertise and insight to help you and your institution thrive. Our team members are also industry leaders who have the knowledge and experience to provide you with unparalleled service and guidance.

Related Posts