ACH DATA SECURITY REQUIREMENTS
The NACHA Operating Rules require ACH participants to protect the security and integrity of certain ACH data throughout its lifecycle. The ACH security requirements consist of three elements: (1) the protection of sensitive data and access controls; (2) self-assessment; and (3) verification of the identity of Third-Party Senders and Originators.
Protection of Sensitive Data and Access Controls
All non-consumer Originators, Participating DFIs, Third-Party Service Providers, and Third- Party Senders must establish, implement and, as appropriate, update security policies, procedures, and systems related to the initiation, processing and storage of entries and resulting Protected Information. These security requirements do not apply directly to consumers, who can be Originators of CIE entries. The security requirements do, however, apply to parties originating CIE Entries on behalf of consumers (i.e., the consumer’s financial institution or a Third-Party Sender).
Security policies, procedures, and systems related to the initiation, processing, and storage of entries must:
- Protect the confidentiality and integrity of Protected Information;
- Protect against anticipated threats or hazards to the security or integrity of Protected Information
- Protect against unauthorized use of Protected Information that could result in substantial harm to a natural person.
The Rules define Protected Information as the non- public personal information, including financial information, of a natural person used to create, or contained within, an entry and any related addenda record. The definition of Protected Information not only covers financial information, but also includes sensitive non-financial information (such as non-financial account information contained in addenda records for bill payments) that may be incorporated into the entry or any related addenda record.
By covering natural persons, the rule on the protection of sensitive data applies to consumer information only, which is consistent with existing industry regulations and guidance. However, impacted ACH participants may apply the rule more broadly so that it covers all customers.
The security policies, procedures, and systems of ACH participants must include controls on system access that comply with applicable regulatory guidelines. Impacted systems include all of those used by the ACH participant to initiate, process, and store entries. It is expected that security policies are reviewed and approved at a level of responsibility within an organization that is commensurate with the importance of the subject matter; however, the rules on ACH security do not include specific requirements regarding the level of approval of such policies and procedures, thus providing institutions flexibility to accommodate their respective corporate governance structures.
Business email scams are on the rise! Fraudsters will utilize public information such as a company web page, press releases, social media, and out of office replies with travel schedules learn key details about a company and names and titles of company employees to determine who to impersonate and who to target. Be vigilant in reviewing emails and questioning suspicious requests. A common scan is a fraudster sending an email that appears to be legitimate requesting a wire transfer, or another form of funds movement. If the request seems unusual question it by contacting the requester via phone or in person. Using a known number if possible is best.
If you have received any fictitious or scam emails, file a complaint with Internet Crime Complaint Center (IC3) www.IC3.gov.
Find more ways to protect your privacy and finances below.