September 2013: ACH Security Framework

The ACH Security Framework Rule requires non-consumer Originators, Participating DFIs (Depository Financial Institutions), Third Party Service Providers, and Third-Party Senders to establish, implement, and, as appropriate, update security policies, procedures, and systems related to the initiation, processing, and storage of Entries.

These policies, procedures, and systems must:

• Protect the confidentiality and integrity of Protected Information;
• Protect against anticipated threats or hazards to the security or integrity of Protected information; and
• Protect against unauthorized use of Protected Information that could result in substantial harm to a natural person

The amendment defines Protected Information as the non-public personal information, including financial information, of a natural person used to create, or contained within, an Entry and any related Addenda Record. This not only covers financial information, but also includes sensitive non-financial information (such as health information) that may be incorporated into the Entry or any related Addenda Record. This Rule applies to consumer information only, which is consistent with existing regulations and also with the approach of aligning the ACH Security Framework with existing industry regulations and guidance. However, impacted ACH participants may wish to apply the rule so that it covers all customers.

Security policies, procedures, and systems of ACH participants covered by this Rule must include controls on system access that comply with applicable regulatory guidelines. The systems impacted include all systems used by the ACH participate to initiate, process, and store Entries.

Each Participating DFI, Third-Party Service Provider, and Third-Party Sender is required under the amendment to verify, as part of its annual ACH Rules Compliance Audit, that it has established, implemented, and updated the data security policies, procedures, and systems required by the ACH Security Framework Rule.

The annual Rules Compliance Audit applies directly to DFIs, Third-Party Providers and Senders, but not directly to Originators. Originators are bound to the NACHA Operating Rules through their origination agreements with their ODFIs. Therefore, the Originators must ensure that they have existing policies, procedures, and systems in place that will enable compliance with the ACH Security Framework.

This Rule requires ODFIs to use a commercially reasonable methods to establish the identity of each non-consumer Originator or Third-Party Sender with whom the ODFI enters into an origination agreement at the time the agreement is created.

If you are an Originator, Third-Party Senders, or Third Party Service Providers, it is your responsibility to determine if existing policies, procedures, and systems are sufficient to comply with the ACH Security Framework Rule. If you do not have such policies, procedures and systems in place, you will need to establish and/or update policies, procedures, and systems to ensure compliance. Additionally, if you are Third-Party Sender or Third-Party Service Provider, you will need to add such verification to your annual Rules Compliance audit.

For additional information regarding this Rule change, or to request a copy or access to the latest ACH Rules from PNC, please contact your Treasury Management representative to request an access code to achrulesonline.org.