ACH Data Breach Notification Requirements For Participating Depository Financial Institutions

Posted August 28, 2007

Issued: August 28, 2007
Effective: September 28, 2007

EXECUTIVE SUMMARY
This ACH Operations Bulletin describes NACHA’s Interim Policy on ACH Data Breach Notification Requirements (“Interim Policy”), identifies the policy’s requirements for Originating Depository Financial Institutions (“ODFI”s), and provides guidance to Receiving Depository Financial Institutions (“RDFI”s).

The Interim Policy, which is attached to the bulletin, contains two major features, which are described in more detail below:

  • An ODFI is required to notify NACHA of a breach of consumer-level ACH data;
  • An ODFI is required to make information about such a breach available to affected RDFIs.

NACHA strongly encourages all RDFIs to ensure that they can receive or access electronic communications from their ACH Operator(s), so that they can be notified in the event that they are affected by a reported breach of ACH data.

The Interim Policy is effective on September 28, 2007 until replaced or superseded by changes to the NACHA Operating Rules (“Rules”).  The policy is a statement of NACHA’s expectation that ODFIs and their Originators and Third Parties will have appropriate procedures in place to prevent, detect, and investigate ACH data breach events, to report such events to NACHA, and to make information about such events available to affected RDFIs.

NACHA CONTACTS

Questions about this ACH Operations Bulletin should be submitted via info@nacha.org

ODFIs can report a breach of ACH data using the form available on NACHA's web site.  All participating DFIs can also use this web page to submit questions related to a reported breach to NACHA’s risk department.

* * * *

SECTION 1. NACHA’s Interim Policy on ACH Data Breach Notification Requirements

WHY DID NACHA ADOPT AN INTERIM POLICY?
Breaches of consumer account, transaction and other personal information continue to make headline news and attract the scrutiny of regulators and lawmakers at both the state and federal levels.  Businesses, financial institutions and other organizations have experienced significant damage to their reputations when they are seen to be negligent or deficient in their preparedness and/or response to a data breach.

Currently, ODFIs and their Originators and Third Parties that experience a breach of Consumer-Level ACH Data are not required by the Rules to report the incident to NACHA or affected RDFIs.  The current lack of reporting requirements and knowledge of events that impact the ACH Network represent a significant risk to the entire ACH Network.

WHAT IS A DATA BREACH?
The Interim Policy defines a “data breach” as the loss, theft or unauthorized access of Consumer-Level ACH Data by or from any ODFI or Originator or any of their respective third-party service providers using the ACH Network, or any affiliate of the foregoing, under circumstances indicating that the misuse of such information has occurred or is reasonably possible.

WHAT IS CONSUMER-LEVEL ACH DATA?
Consumer-Level ACH Data (“ACH Data”) means the following information with respect to customers of an RDFI gathered by an ODFI or Originator or any of their respective third-party service providers for the purpose of initiating ACH transactions:

1. A bank account number together with a bank routing number; or
2. The customer’s name together with the customer’s social security number.

WHAT DOES THE POLICY NOT COVER OR REQUIRE?

  • The Interim Policy does not apply to information that is received for any other purpose, such as bank routing numbers and account numbers that are used in check processing (although check conversion or truncation transactions that use the ACH Network are covered);
  • The policy does not supersede any other data breach notification requirements to which ACH Network participants may be subject under applicable law or regulation;
  • The policy does not supersede any other provision of the Rules;
  • Compliance with the policy does not impact or alter ODFI warranties;
  • The policy does not require ODFIs to use the RDFI reporting mechanism through NACHA, or limit the method(s) by which ODFIs can make information available to RDFIs;
  • The policy does not require ODFIs to provide consumer DDA information to NACHA;
  • Consumer DDA information will not be posted on any web site;
  • The policy does not require RDFIs to notify their customers.

SECTION 2. Requirements for ODFIs

WHAT ARE THE RESPONSIBILITIES OF ODFIS?
The Interim Policy states that ODFIs are responsible for ensuring that they, their Originators, and their respective third party service providers adopt and implement commercially reasonable policies, procedures and systems to:

  • Receive, store, transmit and destroy ACH Data in a secure manner and to protect against data breaches;
  • Detect the occurrence of a data breach within their respective organizations;
  • Escalate knowledge of the breach to appropriate personnel within the organization in a timely fashion, and in the case of Originators and third party service providers, promptly notify the designated security contact at the ODFI;
  • Immediately commence and diligently pursue an investigation of the circumstances of the breach.

WHAT ARE ODFIS REQUIRED TO DO?
Under the Interim Policy, an ODFI is required to notify NACHA if it knows or reasonably suspects (i) that ACH Data in its control or the control of one of its Originators or third party service providers has been lost, stolen or otherwise subject to unauthorized access, and (ii) that misuse of such information has occurred or is reasonably possible.  The ODFI must provide NACHA with:

1.   The approximate cause(s) of the breach incident;
2.   The approximate date of the breach incident;
3.   The approximate size of the affected population (victims);
4.   The type of data exposed;
5.   The routing and transit numbers (“RTN”s) of the affected RDFI accounts;
6.   The ODFI’s designated security contact for inquiries from RDFIs;
7.   Organizations that are involved in the breach.

ODFIs should report a breach of ACH data using the form provided on NACHA’s web site.

When reporting the information, the ODFI will indicate that it is either electing to use the mechanism provided by NACHA to make this information available to affected RDFIs, or that it will make such notifications itself.  ODFIs electing to make the notifications directly to each affected RDFI must do so as soon as reasonably possible.

WHAT WILL NACHA DO WITH THE INFORMATION?
NACHA will use reports of actual or potential ACH data breach incidents to further meet its responsibility to manage risk in the ACH Network.  This could include, but is not limited to, additional monitoring of transaction reports and providing additional early warning and alert services to Network participants.  NACHA will endeavor to keep reported information confidential to the greatest extent possible consistent with its obligations to manage risk in the Network.

When an ODFI elects to use the mechanism provided by NACHA to make the reported information available to affected RDFIs, NACHA will do so via electronic notification methods used by the ACH Operators to communicate with their financial institution customers.

SECTION 3. Guidance for RDFIs

HOW WILL AN RDFI BE NOTIFIED THAT ITS RTN WAS INVOLVED IN A BREACH OF ACH DATA?
There are two ways that an RDFI could be notified that an ACH data breach event has occurred:

1.   If the ODFI elects to use the reporting mechanism offered by NACHA, the RDFI would receive a notification from its ACH Operator(s) via an electronic method that a breach of ACH Data has been reported, and that it should check the list of RTNs affected by the breach.  If affected, the RDFI can use the ODFI security contact information provided to get more information about the breach.
2.   If the ODFI elects to notify RDFIs itself, the RDFI would be contacted directly from the ODFI that has experienced the data breach.

As previously noted, NACHA strongly encourages all RDFIs to ensure that they can receive or access electronic communications from their ACH Operator(s), so that they can be notified in the event that they are affected by a reported breach of ACH data.

RDFIs can also use NACHA’s web page to submit questions to NACHA’s risk department regarding a reported breach.

SECTION 4. Attachment

NACHA’s Interim Policy on ACH Data Breach Notification Requirements is attached to this ACH Operations Bulletin.
