A new Automated Clearing House (ACH) data security rule to protect electronically stored sensitive financial information has come into force in the United States.
As of June 30, the ACH Security Framework now requires large, non-financial-institution (Non-Fi) originators, third-party service providers (TPSPs) and third-party senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically.
First introduced in April 2020, the new rule specifically applies to entities sending payments (ACH originators) and third parties that process in excess of six million ACH payments per year.
Account numbers used for any ACH payment, whether consumer or corporate, are impacted by the new rule.
By making it a requirement for sensitive financial information to be unreadable in digital storage, the new rule aims to lower the risk of data theft should unauthorized access or a data breach cause that information to be exposed.
The new regulation that went into force on June 30 represents the first phase of a two-phase program. Part two, which comes into effect in precisely one year’s time, will see the rule be applied to originators, TPSPs, and TPSs with an annual ACH volume of 2 million or more transactions.
Originally, phase one was going to be implemented in 2020. However, Nacha (National Automated Clearing House Association) extended each of the two effective dates by one year “in response to requests from some covered parties during 2020 for additional time to come into compliance with the rule requirements.”
What methods organizations use to obscure the sensitive information is up to them.
Nacha said: “The rules are neutral as to the methods/technologies that may be used to render data unreadable while stored at rest electronically. Encryption, truncation, tokenization, destruction, or having the financial institution store, host, or tokenize the account numbers, are among options for originators and third parties to consider.”
While Non-Fi originators and third parties with volumes below the threshold are not currently impacted by the new rule, Nacha said that it “strongly encourages voluntary adoption of this data security standards as a sound business practice.”