The ACH Security Framework Rule requires non-consumer Originators, Participating DFIs (Depository Financial Institutions), Third-Party Service Providers, and Third-Party Senders to establish, implement, and, as appropriate, update security policies, procedures, and systems related to the initiation, processing, and storage of Entries.
These policies, procedures, and systems must:
- Protect the confidentiality and integrity of Protected Information;
- Protect against anticipated threats or hazards to the security or integrity of Protected Information; and
- Protect against unauthorized use of Protected Information that could result in substantial harm to a natural person.
The amendment defines Protected Information as the non-public personal information, including financial information, of a natural person used to create, or contained within, an Entry and any related Addenda Record. This not only covers financial information, but also includes sensitive non-financial information (such as health information) that may be incorporated into the Entry or any related Addenda Record. This Rule applies to consumer information only, which is consistent with existing regulations and also with the approach of aligning the ACH Security Framework with existing industry regulations and guidance. However, impacted ACH participants may wish to apply the rule so that it covers all customers.
Security policies, procedures, and systems of ACH participants covered by this Rule must include controls on system access that comply with applicable regulatory guidelines. The systems impacted include all systems used by the ACH participant to initiate, process, and store Entries.