New data security rules instituted for US payment processing system

The ACH Network processed $17.3 trillion in Q1 2021, including 110 million economic impact payments from the federal government.
Written by Jonathan Greig, Contributor

New data security rules governing how money changes hands in the US have gone into effect today, forcing major digital money processors to render deposit account information unreadable in electronic storage.

The National Automated Clearinghouse Association (NACHA), the body that passed the rules, governs the ACH Network, the payment system that drives direct deposits and direct payments for nearly all US bank and credit union accounts. The national automated clearing house processes massive amounts of credit and debit transactions in the US and handles financial transactions for consumers, businesses, and federal, state, and local governments.

Starting on June 30, if an account number is used for any ACH payment -- consumer or corporate -- it must be rendered unreadable while stored electronically, according to NACHA, which added that any place where account numbers related to ACH entries are stored is in the rule's scope.

"This includes systems on which authorizations are obtained or stored electronically, as well as databases or systems platforms that support ACH entries. As an example, for a Third-Party Service Provider whose client is a financial institution, these can include platforms that service ACH transaction warehousing and posting, and client information reporting systems," NACHA explained. 

"For Originators and their Third-Party Service Providers, accounts payables and accounts receivables systems will be impacted, as may be other systems (for example, claims management systems for insurance companies)."

The rule also applies to paper authorizations or other documents containing ACH account numbers that are scanned for electronic record retention and storage purposes.

In 2020, there were almost 27 billion ACH Network payments made at a value of close to $62 trillion. The body processed $17.3 trillion just for Q1 of 2021 and managed the 110 million economic impact payments that came through direct deposit from the federal government.

ACH Network has grown significantly over the years and set a record in February when it averaged more than 118 million payments per day. It set another record in March when ACH volume hit 2.7 billion payments, its largest monthly volume ever. 

In order to keep the data that is flowing through the system safe and secure, Nacha is requiring ACH originators and third parties that process greater than 6 million ACH payments annually to render deposit account information unreadable in electronic storage. 

It suggests organizations do this using encryption, truncation, tokenization, destruction, or having the financial institution store, host, or tokenize the account numbers.

The first phase of the new rules took effect on June 30 but the second phase, which covers those with ACH volume of 2 million transactions or greater annually, will take effect on June 30, 2022.

Those forced to make the changes initially asked for an extension in 2020 and were granted it. NACHA also said it will not enforce the rule "for an additional period of one year from the effective date with respect to covered entities that are working in good faith toward compliance, but that require additional time to implement solutions."

"The new requirement applies to non-consumer Originators that are not Participating Depository Financial Institutions (as defined by the Nacha Operating Rules), and to Third-Party Senders and Third-Party Service Providers that perform any function of ACH processing on behalf of an Originator, Third-Party Sender, ODFI, RDFI, or ACH Operator," NACHA said in a statement. 

"Financial institutions are not included within the scope of the new requirement to render ACH account numbers unreadable when stored electronically because they are already subject to rigorous data security requirements imposed by their regulators." 

NACHA noted that access controls such as passwords do not meet the new standard. Disk encryption is an acceptable protection method only if additional, prescribed physical security steps are taken, the organization added. 

Alex Pezold, CEO of TokenEx, said his company was recently named as a NACHA Preferred Partner for ACH data security and is currently working with organizations to comply with the new rules. 

"In terms of ACH data, we render deposit account information (generally bank account and routing numbers) unreadable via tokenization, which is an example technology referenced by NACHA to help satisfy this new requirement," Pezold told ZDNet. 

"This replaces the deposit account information with an irreversible token that can be safely stored in place of the original number to prevent data theft in the event of an exposure. The motivation for this change is to build on existing requirements to improve the security and efficiency of the ACH Network by introducing specific standards for the protection of deposit account information stored by originators, third-party service providers, and third-party senders."

Pezold added that it is still unclear what the specific fines or penalties will be but if an egregious violation occurs -- a willful or reckless action that involves at least 500 entries or involves multiple entries in the aggregate amount of at least $500,000 -- it can result in a $500,000 fine per occurrence and a suspension of use of the ACH Network.

Some cybersecurity experts, like comforte AG product manager Trevor Morgan, said the best way to follow through with this rule would be through encryption or tokenization. 

The new rules, he said, force organizations to know precisely the data being handled, including ACH account information, and also where it is stored, how it travels, and who accesses it. 

"A complete solution to this problem would entail not only a protection method such as tokenization but also a broader capability to find and classify this type of information. Don't assume that you know where all your sensitive ACH data is!" Morgan said. 

Oliver Tavakoli, CTO of Vectra, said similar rules have applied to banks and other financial institutions for a long time, but they are now being applied to large-scale users of banking services. 

Tavakoli suggested organizations either choose not to keep the data at all or have the financial institutions who are already set up to protect the data store it for them. Enterprises can also encrypt the data before storing it, truncate the data by keeping only the last 4 digits of an account number or obscure the information in some other way. 

Far too often, data troves are stored in clear text, making the new rules pushed by NACHA evermore important, according to Dirk Schrader, a vice president at New Net Technologies.

"Implementing this requirement will likely be an issue for some financial institutions, depending on their data models," Schrader said. "One solution can be based on HSMs, offloading much of the encryption work to specialized hardware."

Other experts said it took NACHA far too long to put rules like this in place. Netenrich threat intelligence advisor John Bambenek said ACH transactions are possible simply by knowing the account information of a person. 

"The fact that it's 2021, and only now is basic security being required on processors of this information, just goes to show how truly insecure our financial transaction systems are," Bambenek said. 

"Arguably, this has already been required by law and regulation for years, however, that it has to be reiterated demonstrates that the many companies processing large amounts of financial transactions are committed to doing absolutely nothing to protect consumers until they are forced to."

Editorial standards