REQUEST FOR COMMENT
RULES WORK GROUP #32
ACH DATA SECURITY REQUIREMENTS

This Request For Comment has been developed by Rules Work Group #32, ACH Data Security Requirements, under the solution creation step in the NACHA Rule Making Process. Rules Work Group #32 is co-sponsored by Bank of America and the Upper Midwest ACH Association and is composed of 124 volunteers. As part of the solution creation step, Rules Work Group #32 examined the unique nature, risks, and opportunities associated with ACH payments and payment information that is transmitted or exchanged between ACH participants via an Unsecured Electronic Network (for example, the Internet) and has developed a proposed rules framework to support a more secure ACH payment environment for transactions involving such communication media.

ACH participants must understand, when responding to this Request For Comment, that the proposed recommendations extend beyond the current requirements of the NACHA Operating Rules, which today address data security requirements only for Internet-Initiated (WEB) Entries, where the consumer's authorization for ACH activity is provided via the Internet. Changes proposed within this Request For Comment will apply to any banking information that is transmitted or exchanged between ACH participants via an Unsecured Electronic Network regardless of Standard Entry Class (SEC) Code.  The term "banking information" includes, but is not limited to, ACH entries, ACH entry data, routing numbers, account numbers, and PINs or other personal identification symbols.  This Request For Comment is being sent to ACH participants in order to obtain their input on the recommended solution and is comprised of the following segments:

(1) the recommendations of Rules Work Group #32,
(2) draft modifications to the NACHA Operating Rules, and
(3) Attachment A: an ACH Participant Survey.

ACTION REQUESTED

ACH participants are encouraged to comment on the proposal and to include specific information pertaining to the anticipated impact of the proposed changes by completing the attached ACH Participant Survey. Participants are also encouraged to comment on the draft changes to the NACHA Operating Rules. This Request For Comment is being distributed for a comment period ending Tuesday, July 15, 2003. Comments should be sent to the attention of Maribel Bondoc, Network Services Assistant, NACHA, 13450 Sunrise Valley Drive, Suite 100, Herndon, VA 20171, fax: (703) 787-0996, E-mail: mbondoc@nacha.org. Questions should be directed to Deborah Shaw, AAP, Senior Director of Network Services, at (703) 561-3919, Julie Hedlund, Senior Director of Electronic Commerce, at (703) 561-3915, or Cari Conahan, AAP, Director, Network Services, at (703) 561-3921.

RULES WORK GROUP OBJECTIVE

In Spring 1997, NACHA established Rules Work Group #32 to examine whether a need existed to amend the NACHA Operating Rules to specifically address issues involving ACH transactions involving the Internet.  At that time, the Rules Work Group determined that developing specific rules for Internet-based ACH payments would be premature, as technical solutions to support such payments were in their infancy and, at that time, few companies expressed an interest in offering ACH as a payment option over the Internet.

Within a few years, however, many companies with an Internet presence began offering ACH payment options or expressed a strong interest in using the ACH Network as a payment option. Marketplace demand for electronic payment options was rising, and there was an urgent need to facilitate the use of the ACH Network for Internet-based payments while, at the same time, minimizing risks to the Network. In response to these issues, Rules Work Group #32 developed, as a first step, an amendment to the NACHA Operating Rules that promoted more secure ACH payments involving consumer accounts when the authorization for such transactions was provided by the consumer via the Internet. This amendment established a new Standard Entry Class (SEC) Code, WEB, which defines a minimum level of security requirements for consumer ACH debits authorized over the Internet.

The Rules Work Group's current focus has been to re-examine the impact of the Internet and other communication networks on all ACH payments, and to identify, on a broad level, ACH security issues or concerns related to the use of such communication methods in exchanging or transmitting payment data between ACH participants.  As a result of its examination, the Rules Work Group has developed a set of recommendations for new security requirements involving all ACH applications, regardless of Standard Entry Class (SEC) Code, that involve the exchange or transmission of banking information via Unsecured Electronic Networks.  For purposes of this Request For Comment, an Unsecured Electronic Network is defined as a public or private network that is not located entirely within a single, contiguous, physical facility and any part of which that has not implemented security technologies that provide a level of security that, at a minimum, is equivalent to 128-bit RC4 encryption technology.

RECOMMENDED SOLUTION

This Request for Comment contains the recommendation that the NACHA Operating Rules be amended to:

  • Add a definition of an Unsecured Electronic Network to the Rules to address a network, public or private, that is not located entirely within a single, contiguous, physical facility and any part of which has not implemented security technologies that provide a level of security that, at a minimum, is equivalent to 128-bit RC4 encryption technology.

  • Require that all banking information (i.e., ACH entries, entry data, routing numbers, account numbers, PINs or other identification symbols, etc.) that is transmitted or exchanged between ACH participants via an Unsecured Electronic Network either be (1) encrypted using a commercially reasonable security technology that, at a minimum, is equivalent to 128-bit RC4 encryption technology, or (2) transmitted via a secure session that utilizes a commercially reasonable security technology that provides a level of security that, at a minimum, is equivalent to 128-bit RC4 encryption technology.

  • Require ODFIs to take commercially reasonable steps to establish the identity of each Originator that uses an Unsecured Electronic Network to enter into a contractual relationship with the ODFI for the origination of ACH transactions.

  • Expand the ODFI and RDFI audit requirements to address the secure transmission of banking information between ACH participants when Unsecured Electronic Networks are used.

  • Remove redundant provisions in the Rules related to the WEB SEC Code, as these provisions will now be addressed more broadly for any relevant Standard Entry Class Codes.

The Rules Work Group is recommending an implementation date of March 12, 2004 for this proposed amendment.

CURRENT MARKETPLACE

Current NACHA Operating Rules

Currently the NACHA Operating Rules specifically define data security requirements only for the WEB Standard Entry Class Code, which addresses debits to consumer accounts where the authorization for the debit was provided by the Receiver via the Internet.  The Rules do not currently address the need for data security in other situations in which banking information may be transmitted or exchanged between ACH participants via an Unsecured Electronic Network (i.e., the Internet), such as when an Originator e-mails to the ODFI a file of payment information.

Background & Business Case

While the WEB rules were a critical first step toward addressing security issues related to consumer ACH debits authorized over the Internet, use of the Internet for the exchange of payment information in general raises security concerns for the ACH Network that go beyond the authorization of consumer payments.   For example, any financial institution or Originator with a web server must be aware of potential vulnerabilities that could impact the security and integrity of any or all ACH information stored on that server.  In addition, both financial institutions and Originators must consider the security of transmissions of ACH files between themselves and Third Party Service Providers. These security concerns exist regardless of whether the payment information was obtained via the Internet or not.  Finally, the proper authentication of all ACH payments, where applicable, must also be fully considered.

Secure Internet Session

When the NACHA Operating Rules for WEB entries were implemented, they imposed a requirement for Originators to establish a secure Internet session with each consumer before he or she key enters any sensitive financial information. In today's environment, an Internet session is defined as secure if it utilizes a commercially reasonable security technology that provides a level of security that, at a minimum, is equivalent to 128-bit RC4 encryption technology. The secure session must remain in place from the time the consumer enters his or her banking information over the Internet, through transmission to the Originator.

The rule amendment proposed by this Request For Comment would expand existing data security requirements, which apply specifically only to WEB entries, to require that all banking information transmitted or exchanged between any ACH participants via an Unsecured Electronic Network such as the Internet be either (1) encrypted using a commercially reasonable security technology that, at a minimum, is equivalent to 128-bit RC4 encryption technology, or (2) transmitted via a secure session that utilizes a commercially reasonable security technology that provides a level of security that, at a minimum, is equivalent to 128-bit RC4 encryption technology.  An application where the Originator obtains information from the Receiver by another means (such as the telephone) and then key-enters the information via the Internet would, for example, be subject to these security requirements.

Commercially Reasonable Identification of Originators

Currently under the NACHA Operating Rules, ODFIs are required to utilize commercially reasonable methods to establish the identity of Originators of WEB Entries.  However, because of the increased potential for risk and fraud that is associated with the use of both single-entry transactions and remotely originated payments, the Rules Work Group is recommending that the NACHA Operating Rules be expanded to require all ODFIs to utilize commercially reasonable methods to establish the identity of each Originator that uses an Unsecured Electronic Network such as the Internet to enter into a contractual relationship with the ODFI for the origination of ACH transactions.  This requirement would apply regardless of the type of payments (i.e., SEC Code) initiated by the Originator.  (Note: Language specific to the requirement to use commercially reasonable methods to establish the identity of Originators of WEB entries will be removed to avoid redundancies within the Rules.)

Benefits

This proposed amendment, which establishes specific data security requirements for all participants utilizing the Internet to transmit ACH payment information, would help to ensure the integrity of the ACH Network and confidence in ACH payments by minimizing the potential for fraud to be conducted using this avenue of communication.  Such a change would serve not only to minimize the potential for identity theft, but also to minimize the ability for ACH information to be compromised in transit, helping to protect the safety and soundness of the Network overall.

IMPACT TO PARTICIPANTS

All Participants (Originators, ODFIs, ACH Operators, RDFIs, Third-Party Service Providers)

All ACH participants will need to ensure that any banking information (i.e., ACH entries, entry data, account numbers, routing numbers, PINs or other identification symbols, etc.) transmitted or exchanged between them via an Unsecured Electronic Network (such as the Internet) is either (1) encrypted using a commercially reasonable security technology that, at a minimum, is equivalent to 128-bit RC4 encryption technology, or (2) transmitted via a secure session that, prior to the key entry and through transmission of any banking information, utilizes a commercially reasonable security technology that provides a level of security that, at a minimum, is equivalent to 128-bit RC4 encryption technology.

ODFIs

In addition to the impacts defined above, ODFIs should also be aware that they must utilize a commercially reasonable method to establish the identity of each Originator that uses an Unsecured Electronic Network (such as the Internet) to enter into a contractual relationship with the ODFI for the origination of ACH transactions.

TECHNICAL SUMMARY OF PROPOSED SOLUTION

The following modifications to the NACHA Operating Rules are proposed by the rule:

  • Adds Article One, Section 1.5 (Transmission of ACH Information Via Unsecured Electronic Networks) to specify that, in any case where banking information is transmitted or exchanged between ACH participants via an Unsecured Electronic Network, such information must either be encrypted or exchanged via an encrypted session;

  • Adds Article Two, Subsection 2.2.1.6 (Transmission of ACH Information Via Unsecured Electronic Networks) to specify that, in any case where banking information is transmitted or exchanged between ACH participants via an Unsecured Electronic Network, such information must either be encrypted or exchanged via an encrypted session;

  • Adds Article Two, Subsection 2.2.1.7 (Verification of Identity of Originator) to specify that, in any case where an Originator enters into a contractual relationship with an ODFI, via an Unsecured Electronic Network, for the origination of ACH transactions, the ODFI must utilize commercially reasonable methods to establish the identity of the Originator;

  • Modifies Article Two, Subsection 2.10.2.2 (ODFI Exposure Limits) to remove the reference to utilizing a commercially reasonable method to establish the identity of the Originator, as this provision is now addressed within Article Two, Subsection 2.2.1.7;

  • Removes Article Two, Subsection 2.10.2.4 (Security of Internet Session), as this provision is now addressed in Article Two, Subsection 2.2.1.6;

  • Adds Article Three, Section 3.3 (Transmission of ACH Information Via Unsecured Electronic Networks) to specify that, in any case where banking information is transmitted or exchanged between ACH participants via an Unsecured Electronic Network, such information must either be encrypted or exchanged via an encrypted Internet session;

  • Adds Article Thirteen, Subsection 13.1.64 (Unsecured Electronic Network) to define an Unsecured Electronic Network; and

  • Expands the ODFI and RDFI audit requirements to address the secure transmission of banking information between ACH participants when Unsecured Electronic Networks are used and to address the ODFI utilizing a commercially reasonable method to establish the identity of the Originator when a contractual relationship is entered into via an Unsecured Electronic Network, and removes redundant provisions related to WEB Entries.

RECOMMENDED IMPLEMENTATION DATE: MARCH 12, 2004

Copyright ©2003 by NACHA - The Electronic Payments Association
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171  (703) 561-1100