Through this policy, and anticipated NACHA Rules changes that will implement it, ACH participants at all levels will be required to review and address:
Each Originating Bank is responsible for ensuring that the Bank, its Originating Companies, and their respective Third Party Service Providers adopt and implement commercially reasonable policies, procedures, and systems to receive, store, transmit, and destroy consumer-level ACH data in a secure manner and to protect against data breaches.
Detection, Investigation, and Escalation
Originating Banks, Originating Companies, and their respective Third Party Service Providers must also implement commercially reasonable policies, procedures, and systems to detect the occurrence of a data breach within their respective organizations. If a data breach is known or suspected, these parties should immediately investigate the circumstances to determine (1) if a data breach has actually occurred, (2) the scope of the data breach, including the type and amount of data affected, (3) the risk that the affected data will be misused, and (4) what steps are necessary to prevent further unauthorized access to consumer-level ACH data.
ACH Network Notification
Under the interim policy, the Originating Bank is required to notify NACHA and/or the affected Receiving Bank(s) if it knows or reasonably suspects (1) that consumer-level ACH data has been lost, stolen, or otherwise subject to unauthorized access, and (2) that misuse of such information has occurred or is reasonably possible.
NACHA is implementing these requirements to further manage risk and increase the security of the ACH Network. The reports of actual or potential data breaches may be used to increase transaction monitoring and provide additional early warning and alert services to Network participants. NACHA will attempt to keep the reported information confidential, to the extent that it can do so while still managing risk in the Network.