April 19, 2022

Phase Two of Supplementing Data Security Rule Takes Effect June 30


Michael W. Kahn


Phase Two of Nacha’s Supplementing Data Security Rule will be implemented June 30, and Third-Party Senders, Third-Party Service Providers, and Originators should be preparing for compliance.

The Nacha Operating Rule requires that account information be rendered unreadable when stored electronically. The first phase, which took effect in 2021, covered organizations originating at least 6 million ACH payments annually. Now it will extend to organizations originating at least 2 million ACH payments a year.

Only ACH entries are covered by this Rule; other payment methods are not impacted. 

While the Rule does not include financial institutions—which are already covered by similar strict rules imposed by their regulators—Originating Depository Financial Institutions (ODFIs) have some work to do.

“ODFIs should be thinking about which of their customers will now be covered by the Rule and communicating to them so they are aware,” said Debbie Barr, Nacha Senior Director, ACH Network Rules Process & Communications. 

The Rule is neutral to the technology used for compliance, with Barr noting there are “several ways to accomplish this, including tokenization, encryption, truncation, or having a financial institution or vendor handle it.” An Originator or Third-Party that originated 2 million or more ACH transactions in calendar year 2020 will need to be compliant by June 30, 2022.

While there will still be many Originators and Third-Party Senders with fewer than 2 million ACH payments annually, and therefore not subject to the Rule, Barr suggested they might want to think about the benefits of following the Rule for safety’s sake. 

Nacha’s Supplementing Data Security Requirements Rule page has helpful information as well as a video.

An End-user Briefing on the Supplementing Data Security Requirement Rule is available for download as a PDF.