Written By JiJi Bahhur, Regulatory Compliance Counsel
Last week, NACHA released proposed amendments to the NACHA Operating Rules that are aimed at protecting the security and integrity of certain ACH data. The proposal addresses several areas of concern – protection of ACH sensitive data, access controls, self-assessments, and verification of third-party senders and originators – known as the “Security Framework.”
I will touch very briefly on each of these elements, but please note that the executive summary and proposal go into far more detail on what is expected.
Protection of ACH Sensitive Data
The proposal would require non-Consumer Originators, Participating DFIs, Third-Party Service Providers, and Third-Party Senders to establish, implement, and, as appropriate, update security policies, procedures, and systems related to the initiation, processing, and storage of Entries.
The security policies, procedures, and systems must include controls on access to all systems used by the ACH participant. The level of controls is not defined by the proposal.
The proposal would require that an audit provision be incorporated into the rule. In other words, those affected by the proposal would be required to verify, as part of their annual ACH audit, that they have established, implemented, and updated the data security policies, procedures, and systems required by the proposal.
Verification of Third-Party Senders and Originators
The proposal would require an ODFI to use commercially reasonable methods to establish the identity of each non-Consumer Originator or Third-Party Sender with which it enters into an Origination Agreement.
For further detail on the proposed modifications, view the proposal here. Note that the executive summary and the proposal are both short, but very informative, reads.
Our Regulatory Affairs team is in the process of putting together a Regulatory Alert on the NACHA proposal, which will be available for download here.