Reminder of June 30 Deadline: NACHA Rules Require Enhanced Protection for ACH Authorizations

Privacy & Cybersecurity Newsletter
Spring 2022

Broadly, there are two sets of rules governing how a company obtains authorization to debit consumers’ bank accounts. One is Regulation E (12 C.F.R. Part 1005). The other is the Operating Rules & Guidelines (the “Nacha Rules”), published by the National Automated Clearing House Association (“Nacha”), a national association of regional member clearing house associations, ACH Operators, and participating financial institutions located in the United States.

A company agrees by contract to comply with the Nacha Rules when that company signs what is typically referred to as a Merchant Agreement with that company’s bank that is a member of Nacha.

Among the requirements of the Nacha Rules is that a company must obtain a consumer’s authorization before originating a request through its bank to debit that consumer’s bank account. The company originating the debit request must retain the consumer’s authorization for two years from the termination or revocation of that authorization. For recurring payment arrangements, such as premiums on life insurance policies, this retention period can be quite long, because the two years do not begin to run until the arrangement ends. The Nacha Rules also require a company to provide a copy of a given consumer’s authorization within ten banking days of a request, or risk having to return amounts previously debited from the consumer’s account. (Nacha Rule

In 2018, the Nacha Rules were amended to require large non-financial-institution companies that originate debits to consumer accounts to “render unreadable account numbers used for ACH initiation when those numbers are stored electronically.” (Nacha Rule 1.6) The Rule does not apply to paper authorizations containing bank account numbers. The Rule was phased in by volume. Initially, the “render-unreadable” requirement applied only to non-financial-institution companies with more than 6 million ACH transactions annually.

As of June 30, 2022, the Rule will apply to non-financial-institution companies that originate more than two (2) million ACH transactions annually, who must “render unreadable account numbers used for ACH initiation when those numbers are stored electronically.” The obligation attaches to the stored account number itself: encrypting, truncating or tokenizing the stored numbers are the usual ways to meet it, while access controls or other “enhanced security” around account numbers that remain stored in readable form do not, by themselves, satisfy the Rule.
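To make the distinction concrete for the engineers who will implement this, here is an added example (not from the newsletter, and not Nacha’s own guidance or code) of what “rendered unreadable” storage can look like: the application database keeps only a random token and a truncated last-four form of each account number, the full number lives in a separate vault, and a scanner checks stored rows for any account number that is still readable. The account numbers, the 9–17 digit pattern used by the scanner, and the in-memory vault are all assumptions made for this illustration; in production the vault itself would be encrypted at rest and access-controlled.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample authorizations for this example; not real accounts.
SAMPLE_AUTHORIZATIONS = [
    {"customer": "C-1001", "routing": "021000021", "account": "1234567890123"},
    {"customer": "C-1002", "routing": "011000015", "account": "99887766554433"},
]

# Assumption: US deposit account numbers are 9 to 17 digits. Used only by the scanner.
ACCOUNT_PATTERN = re.compile(r"\b\d{9,17}\b")


def truncate(account: str) -> str:
    """Keep only the last four digits, masking the rest for display and reconciliation."""
    return "*" * (len(account) - 4) + account[-4:]


@dataclass
class TokenVault:
    """Maps random, non-derivable tokens to full account numbers.

    Illustrative in-memory store so the example runs stand-alone. A real vault
    would be a separate, encrypted and access-controlled system (or a processor's
    tokenization service), never the application database itself.
    """
    _store: dict = field(default_factory=dict)

    def tokenize(self, account: str) -> str:
        token = "tok_" + secrets.token_hex(16)  # random; reveals nothing about the number
        self._store[token] = account
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def store_authorization(vault: TokenVault, record: dict) -> dict:
    """Build the row the application database keeps: token + truncated number only."""
    return {
        "customer": record["customer"],
        "routing": record["routing"],  # routing numbers are public; the Rule is about account numbers
        "account_token": vault.tokenize(record["account"]),
        "account_last4": truncate(record["account"]),
    }


def find_readable_account_numbers(rows: list, known_routing: set) -> list:
    """Compliance check: return (customer, field, number) for every stored string field
    that still contains a readable account number. Known routing numbers are ignored."""
    findings = []
    for row in rows:
        for key, value in row.items():
            if not isinstance(value, str):
                continue
            for match in ACCOUNT_PATTERN.finditer(value):
                if match.group(0) in known_routing:
                    continue
                findings.append((row["customer"], key, match.group(0)))
    return findings


def demo():
    """Tokenize the sample authorizations and scan both the raw input and the stored rows."""
    vault = TokenVault()
    routing = {r["routing"] for r in SAMPLE_AUTHORIZATIONS}
    stored_rows = [store_authorization(vault, r) for r in SAMPLE_AUTHORIZATIONS]
    readable_before = find_readable_account_numbers(SAMPLE_AUTHORIZATIONS, routing)
    readable_after = find_readable_account_numbers(stored_rows, routing)
    return stored_rows, readable_before, readable_after, vault


if __name__ == "__main__":
    rows, before, after, _ = demo()
    print("readable account numbers in raw authorizations:", len(before))
    print("readable account numbers in stored rows:", len(after))
    print("stored row:", rows[0])
```

The scanner is the piece worth keeping: run the same kind of check over exported tables, logs and backups, since a number that is tokenized in the main table but still sits in plaintext in a debug log or a CSV export is still “stored electronically” in readable form.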

In some instances where a company uses a third-party processor to initiate its ACH transactions, the volumes of all of that third-party processor’s customers may be aggregated to determine whether the volume threshold is met, so a company that is itself well below two million transactions may still be in scope.

Companies are encouraged to evaluate their ACH volumes and consult with their bank and, most likely, their third-party processor, to determine what, if anything, needs to be done to comply with this Rule.