NACHA Rule Change

September 2007: Interim Policy for Reporting Data Breach of Consumer Account Data

The National Automated Clearing House Association (NACHA) has issued an interim policy effective September 28, 2007 concerning notifications to the ACH network of breaches that occur on consumer-level ACH data. The policy defines consumer-level ACH data as a consumer's bank account number together with a bank routing number, or the consumer's name together with a social security number.

Through this policy, and anticipated NACHA Rules changes that will implement it, ACH participants at all levels will be required to review and address:

  • Prevention of data breaches;
  • Detection, investigation, and escalation of data breaches; and
  • Notification of actual or possible breaches to the ACH network.

Each Originating Bank is responsible for ensuring that the Bank, its Originating Companies, and their respective Third Party Service Providers adopt and implement commercially reasonable policies, procedures, and systems to receive, store, transmit, and destroy consumer-level ACH data in a secure manner and to protect against data breaches.

Detection, Investigation, and Escalation
Originating Banks, Originating Companies, and their respective Third Party Service Providers must also implement commercially reasonable policies, procedures, and systems to detect the occurrence of a data breach within their respective organizations. If a data breach is known or suspected, these parties should immediately investigate the circumstances to determine (1) if a data breach has actually occurred, (2) the scope of the data breach, including the type and amount of data affected, (3) the risk that the affected data will be misused, and (4) what steps are necessary to prevent further unauthorized access to consumer-level ACH data.

ACH Network Notification
Under the interim policy, the Originating Bank is required to notify NACHA and/or the affected Receiving Bank(s) if it knows or reasonably suspects (1) that consumer-level ACH data has been lost, stolen, or otherwise subject to unauthorized access, and (2) that misuse of such information has occurred or is reasonably possible.

NACHA is implementing these requirements to further manage risk and increase the security of the ACH Network. The reports of actual or potential data breaches may be used to increase transaction monitoring and provide additional early warning and alert services to Network participants. NACHA will attempt to keep the reported information confidential, to the extent that it can do so while still managing risk in the Network.
