Request for Information - Account Information Security

DEADLINE: Friday, August 4, 2017. NACHA has issued this Request for Information to obtain industry feedback on an approach for additional information security requirements to further protect ACH-related information when held by end-users.
NACHA revisits ACH data security rules and practices as warranted from time to time. The NACHA Operating Rules were last modified regarding data security requirements in 2013 to establish an “ACH Security Framework.” The framework established new data security requirements for financial institutions, end-users and third-parties to protect ACH data.

Responses from the industry are requested by Friday, August 4, 2017.

The survey should be completed online via ( For convenience, a document can be found in the Related Materials section of this page that contains the survey questions to assist respondents in gathering information from within their organizations.  Comment letters are also welcome.

Detailed Information

The concepts being assessed in this Request for Information are in 3 parts:

  • This RFI seeks input regarding a potential supplement to the ACH Security Framework to require that large ACH Originators and Third-Parties encrypt, mask or remove/replace (as appropriate) ACH-related account information that is held at rest

  • This RFI also requests feedback on whether there is interest and benefit in defining and enabling an ACH “Compromise Notification Entry” by which an ODFI/Originator could notify an RDFI that specific account information has been compromised

  • Lastly, this RFI requests feedback on whether and how RDFIs could use the existing Notification of Change process to provide Originators with substitute account information

Details on each of these concepts can be found in the Request For Information – Account Information Security document in the Related Materials section of this page. 

The ACH Security Framework, which became effective in 2013, established the following requirements:

  • Financial institutions, Originators, and Third-Parties are required to establish, implement and update, as appropriate, security policies, procedures, and systems related to the initiation, processing and storage of ACH transactions

  • These policies, procedures, and systems must:

    • Protect the confidentiality and integrity of Protected Information - "the non-public personal information, including financial information, of a natural person used to create, or contained within, an Entry and any related Addenda Record" 

    • Protect against anticipated threats or hazards to the security or integrity of Protected Information; and

    • Protect against unauthorized use of Protected Information that could result in substantial harm to a natural person

Why look at account information security now?

  • Data breaches are a continuing threat; ACH participants need to be constantly looking at the data security environment, and engaging in a cycle of continuous improvement

  • There is also concern by some that the rollout of EMV for card point-of-sale transactions could move fraud activity to other channels, and/or make large repositories of deposit account information more attractive to fraudsters

  • NACHA has received and assessed a Rules proposal submission regarding the tokenization of ACH transactions (substituting account tokens for actual account numbers) 

Additional information regarding account information security can be found in the Request For Information – Account Information Security document in the Related Materials section of this page.