Effective June 30, 2020, companies that are not regulated banks and that initiated (as debit or credit entries) 6 million or more ACH transactions (with consumers or businesses) in 2019 will need to comply with a new National Automated Clearing House Association (“NACHA”) security rule. The NACHA Rules govern participating banks and their customers and how they initiate auto-payments to and from bank accounts via the automated clearinghouse.
The new data security rule requires rendering “unreadable” the bank account number of the person whose account is debited or credited while that account data is at rest. The rule does not apply to the account data in paper format. It is common practice for companies to scan or image signed ACH authorizations. The electronic record containing that bank account number on the paper authorization is subject to the new rule.
Typically, a company collecting funds from consumers (such as periodic insurance premiums) or paying individuals (such as employers paying employee wages and expense reimbursements) enters an agreement with its bank and in that agreement, the company promises to comply with the NACHA Rules. This is how companies are bound to the NACHA Rules. Sanctions for non-compliance can be significant.
The new data security rule takes effect for high-volume initiators (credits or debits) on June 30, 2020. A company initiating six million or more debits or credits in 2019 is a high-volume initiator. Initiators having an annual volume greater than 2 million transactions in 2020 will need to comply with the new rule by June 30, 2021.
Other NACHA Rules require companies using ACH authorizations to debit a consumer’s account to be able to promptly provide a full copy of the consumer’s signed authorization, or risk forfeiture of the amounts collected via ACH. For this reason, companies will need to render “unreadable” the consumer’s account detail in a way that still enables the company to reproduce that ACH authorization in readable form again, if asked to produce the signed authorization.
The FAQs for the new security rule point to the Payment Card Industry (PCI) Data Security Standards for permissible methods to render the account information “unreadable” through encryption. The PCI standards provide examples of encryption methods and implementation guidance.
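The rule described above has two requirements that pull in different directions: the account number must be unreadable at rest, yet the Originator must still be able to reproduce the signed authorization in readable form on request. That rules out one-way methods such as hashing for this field and points to reversible, keyed encryption with the key held outside the data store. The following Go program is an added example written for this page, not code from NACHA or from any PCI document; it assumes AES-256-GCM as the "strong cryptography" choice, a key obtained from a key-management system (stubbed here as a constructed in-memory key), and a record identifier bound as additional authenticated data so that a stored ciphertext cannot be transplanted onto a different authorization record. Field and function names are the author's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ProtectedField is what is written to the database in place of the bank
// account number. It carries the key identifier so the key can be rotated
// without re-encrypting every record on the same day.
type ProtectedField struct {
	KeyID      string // which key in the key store produced this value
	Nonce      []byte // unique per encryption; GCM is broken if a nonce repeats under one key
	Ciphertext []byte // ciphertext plus the GCM authentication tag
}

// encryptAccountNumber renders the account number unreadable at rest.
// recordID (e.g. the authorization's primary key) is bound as additional
// authenticated data, so decryption fails if the blob is moved to another record.
func encryptAccountNumber(key []byte, keyID, recordID, accountNumber string) (ProtectedField, error) {
	block, err := aes.NewCipher(key) // key must be 32 bytes for AES-256
	if err != nil {
		return ProtectedField{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return ProtectedField{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ProtectedField{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(accountNumber), []byte(recordID))
	return ProtectedField{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptAccountNumber recovers the readable account number, which is only
// needed when the signed authorization must be reproduced on request.
func decryptAccountNumber(key []byte, recordID string, f ProtectedField) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, f.Nonce, f.Ciphertext, []byte(recordID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong record, or tampered data")
	}
	return string(pt), nil
}

// Encode serialises the field as a single versioned string for a text column.
func (f ProtectedField) Encode() string {
	return "v1:" + f.KeyID + ":" +
		base64.StdEncoding.EncodeToString(f.Nonce) + ":" +
		base64.StdEncoding.EncodeToString(f.Ciphertext)
}

// maskAccountNumber is the display form for screens and reports; it keeps only
// the last four digits and never requires the key.
func maskAccountNumber(accountNumber string) string {
	if len(accountNumber) <= 4 {
		return strings.Repeat("*", len(accountNumber))
	}
	return strings.Repeat("*", len(accountNumber)-4) + accountNumber[len(accountNumber)-4:]
}

func main() {
	// Constructed key standing in for one fetched from a KMS/HSM; never hard-code a real key.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample values; not a real account or record.
	const recordID, account = "ach-auth-0001", "123456789"

	stored, err := encryptAccountNumber(key, "kms-key-2020-06", recordID, account)
	if err != nil {
		panic(err)
	}
	fmt.Println("at rest:  ", stored.Encode())
	fmt.Println("display:  ", maskAccountNumber(account))
	readable, err := decryptAccountNumber(key, recordID, stored)
	if err != nil {
		panic(err)
	}
	fmt.Println("reproduced:", readable)
}
```

Storing the key identifier alongside each value is what makes key rotation practical: new records use the new key while old ones remain decryptable until they are rewritten. Keep the key in a key-management service or HSM rather than in the same database or configuration file as the ciphertext, since the rule's protection is only as good as the separation between the two.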
The new NACHA Rule also applies to third-party service providers that handle ACH transactions. The FAQs for the rule describe how the volumes of a given service provider’s customers are to be aggregated to determine whether that service provider exceeds the phase-in threshold of 6 million.
One difficulty organizations may face in implementing the new rule is identifying every location where ACH authorization data resides, so that the appropriate elements can be rendered unreadable. E-discovery tools may help with that inventory.
Implementing the solution to this new rule is also an appropriate time for initiating companies (referred to as “Originators” in NACHA-speak) and third-party service providers alike to revisit their contracting approach to define responsibility for compliance with this new NACHA Rule and the NACHA Rules overall.