Account Information Security Requirements (Phase 2)
Effective Date - June 30, 2022
Details
In response to requests from some covered parties in 2020 for additional time to come into compliance with the Rule requirements, Nacha extended each of the two effective dates by one year; Phase 1 of the Rule, which applies to ACH Originators and Third-Parties with more than 6 million ACH payments annually, became effective on June 30, 2021, and Phase 2 of the Rule, which applies to ACH Originators and Third-Parties with more than 2 million ACH payments annually, will be effective on June 30, 2022.
This effective date was affirmed in ACH Operations Bulletin #7-2020. Nacha will not enforce this rule for an additional period of one year from the effective date with respect to covered entities that are working in good faith toward compliance, but that require additional time to implement solutions. This applies to both phases of this rule. Nacha strongly encourages all such covered entities to work towards compliance as soon as possible.
Technical
Phase 2 of this Rule modifies the following areas of the Nacha Operating Rules:
Article One, Section 1.6 (Security Requirements) to require each Non-Consumer Originator that is not a Participating DFI, each Third-Party Service Provider, and each Third-Party Sender, whose ACH Origination or Transmission volume exceeds 2 million Entries annually to protect DFI Account Numbers used in the initiation of Entries by rendering them unreadable when stored electronically.
The Rules are neutral as to the methods/technologies that may be used to render data unreadable while stored at rest electronically. Encryption, truncation, tokenization, destruction, or having the financial institution store, host, or tokenize the account numbers, are among options for Originators and Third-Parties to consider.
Impact
Effective Date: Phase 2 – June 30, 2022 for Originators and Third-Parties with ACH volume greater than 2 million in 2020
Potential Impacts:
- Implementation for those Originators and Third-Parties that currently would not be compliant
- For ODFIs, informing Originators of their direct compliance obligations
For FAQs visit Nacha.