Contact us
Careers
Locations
Help
Effective: 2021-06-30
Details
The existing ACH Security Framework including its data protection requirements will be supplemented to explicitly require large, non-FI Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically.
Implementation begins with the largest Originators and TPSPs (including TPSs) and initially applies to those with ACH volume of 6 million transactions or greater annually. A second phase applies to those with ACH volume of 2 million transactions or greater annually.
Technical
This Rule modifies the following areas of the Nacha Operating Rules:
Article One, Section 1.6 (Security Requirements) to require each Non-Consumer Originator that is not a Participating DFI, each Third-Party Service Provider, and each Third-Party Sender, whose ACH Origination or Transmission volume exceeds 6 million Entries annually to protect DFI Account Numbers used in the initiation of Entries by rendering them unreadable when stored electronically.
The Rules are neutral as to the methods/technologies that may be used to render data unreadable while stored at rest electronically. Encryption, truncation, tokenization, destruction, or having the financial institution store, host, or tokenize the account numbers, are among options for Originators and Third-Parties to consider.
Impact
Effective Dates:
Phase 1 – June 30, 2021 for Originators and Third-Parties with ACH volume greater than 6 million in 2019
Phase 2 – June 30, 2022 for Originators and Third-Parties with ACH volume greater than 2 million in 2020
Potential Impacts:
Implementation for those Originators and Third-Parties that currently would not be compliant
For ODFIs, informing Originators of their direct compliance obligations
Effective Date: 2021-06-30 12:00 am