Supplementing Data Security Requirements
Effective Date – June 30, 2021
The upcoming effective dates of the Rule on Supplementing Data Security Requirements are extended by one year, to June 30, 2021 and June 30, 2022, respectively.
In response to requests from some covered parties for additional time to come into compliance with the Rule requirements, Nacha is extending each of the two effective dates by one year; Phase 1 of the Rule, which applies to ACH Originators and Third-Parties with more than 6 million ACH payments annually, is now effective on June 30, 2021, and Phase 2 of the Rule, which applies to ACH Originators and Third-Parties with more than 2 million ACH payments annually, is now effective on June 30, 2022.
This effective date was recently affirmed in ACH Operations Bulletin #7-2020. Nacha will not enforce this rule for an additional period of one year from the effective date with respect to covered entities that are working in good faith toward compliance, but that require additional time to implement solutions. This applies to both phases of this rule. Nacha strongly encourages all such covered entities to work towards compliance as soon as possible.
The existing ACH Security Framework including its data protection requirements will be supplemented to explicitly require large, non-FI Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically.
Implementation begins with the largest Originators and TPSPs (including TPSs) and initially applies to those with ACH volume of 6 million transactions or greater annually. A second phase applies to those with ACH volume of 2 million transactions or greater annually.
This Rule modifies the following areas of the Nacha Operating Rules:
Article One, Section 1.6 (Security Requirements) to require each Non-Consumer Originator that is not a Participating DFI, each Third-Party Service Provider, and each Third-Party Sender, whose ACH Origination or Transmission volume exceeds 6 million Entries annually to protect DFI Account Numbers used in the initiation of Entries by rendering them unreadable when stored electronically.
The Rules are neutral as to the methods/technologies that may be used to render data unreadable while stored at rest electronically. Encryption, truncation, tokenization, destruction, or having the financial institution store, host, or tokenize the account numbers, are among options for Originators and Third-Parties to consider.
- Phase 1 – June 30, 2021 for Originators and Third-Parties with ACH volume greater than 6 million in 2019
- Phase 2 – June 30, 2022 for Originators and Third-Parties with ACH volume greater than 2 million in 2020
- Implementation for those Originators and Third-Parties that currently would not be compliant
- For ODFIs, informing Originators of their direct compliance obligations
To learn more or access the FAQs visit: www.nacha.org.