New data security rules governing how money changes hands in the United States came into effect today, requiring large-volume processors of ACH payments to render deposit account information unreadable in electronic storage.
The National Automated Clearinghouse Association (NACHA), the body that adopted the rules, governs the ACH Network, the payment system that handles direct deposits and direct payments for nearly all accounts at U.S. banks and credit unions. The ACH Network processes massive volumes of credit and debit transactions in the United States and carries financial transactions for consumers, businesses, and federal, state, and local governments.
As of June 30, if an account number is used for an ACH payment – consumer or business – it must be rendered unreadable when stored electronically, according to NACHA, which added that any place where account numbers linked to ACH entries are stored is within the scope of the rule.
“This includes systems on which authorizations are obtained or stored electronically, as well as databases or system platforms that support ACH entries. For example, for a third-party service provider whose customer is a financial institution, these may include platforms that serve ACH warehousing and posting of transactions and customer information reporting systems,” NACHA explained.
“For principals and their third-party service providers, accounts payable and accounts receivable systems will be affected, as will other systems (e.g., claims management systems for insurance companies).”
The rule also applies to paper authorizations or other documents containing ACH account numbers that are scanned for the purpose of maintaining and storing electronic records.
In 2020, nearly 27 billion ACH Network payments were made, with a value of almost $62 trillion. The network handled $17.3 trillion in the first quarter of 2021 alone and carried the 110 million economic impact payments that the federal government delivered by direct deposit.
The ACH Network has grown considerably over the years and set a record in February, when it averaged more than 118 million payments per day. It set another record in March, when ACH volume hit 2.7 billion payments, its highest monthly volume on record.
To protect the data flowing through the system, NACHA requires ACH originators and third parties that process more than 6 million ACH payments per year to render deposit account information unreadable in electronic storage.
It suggests organizations do this through encryption, truncation, tokenization or destruction of the stored account numbers, or by having the financial institution store, host or tokenize the account numbers on their behalf.
The first phase of the new rules went into effect on June 30, but the second phase, which covers those with ACH volume of 2 million or more transactions per year, will take effect on June 30, 2022.
Those covered by the first phase requested an extension in 2020 and got it. NACHA also said it would not enforce the rule “for an additional period of one year from the effective date with respect to covered entities that work in good faith on compliance, but which require additional time to implement solutions”.
“The new requirement applies to non-consumer Originators who are not Participating Depository Financial Institutions (as defined by Nacha’s operating rules), as well as to Third-Party Senders and Third-Party Service Providers that perform an ACH processing function on behalf of an Originator, Third-Party Sender, ODFI, RDFI, or ACH Operator,” NACHA said in a statement.
“Financial institutions are not included in the scope of the new requirement to make ACH account numbers unreadable when stored electronically, as they are already subject to stringent data security requirements imposed by their regulators.”
NACHA noted that access controls such as passwords do not, on their own, meet the new standard. Disk encryption is an acceptable method of protection only if additional, prescribed physical security measures are also in place, the organization added.
Alex Pezold, CEO of TokenEx, said his company was recently named NACHA’s Preferred Partner for ACH Data Security and is currently working with organizations to comply with the new rules.
“In terms of ACH data, we make deposit account information (typically bank account and routing numbers) unreadable through tokenization, which is an example of technology referenced by NACHA to help meet this new requirement,” Pezold told ZDNet.
“This replaces the deposit account information with an irreversible token that can be securely stored in place of the original number to prevent data theft if exposed. The motivation for this change is to build on existing requirements to improve the security and efficiency of the ACH network by introducing specific standards for the protection of deposit account information stored by originators, third-party service providers and third-party senders.”
Pezold added that it is still not clear what the specific fines or penalties will be, but if an egregious violation occurs – a willful or reckless action that involves at least 500 entries, or multiple entries totaling at least $500,000 – it can result in a fine of $500,000 per event and suspension from the ACH network.
Some cybersecurity experts, like Trevor Morgan, product manager of comforte AG, said the best way to comply with this rule would be through encryption or tokenization.
The new rules, he said, require organizations to know precisely what data is being processed, including ACH account information, as well as where it is stored, how it travels and who is accessing it.
“A complete solution to this problem would involve not only a method of protection such as tokenization, but also a broader capability to find and classify this type of information. Don’t assume you know where all of your sensitive ACH data is!” Morgan said.
Oliver Tavakoli, CTO of Vectra, said similar rules have long applied to banks and other financial institutions, but are now applied to large-scale users of banking services.
Tavakoli suggested that organizations either choose not to keep the data at all or have financial institutions, which are already set up to protect such data, store it for them. Businesses can also encrypt the data before storing it, truncate it by keeping only the last four digits of an account number, or otherwise mask the information.
All too often, troves of data are stored in clear text, which makes the new rules imposed by NACHA all the more important, according to Dirk Schrader, vice president of New Net Technologies.
“Implementing this requirement will likely be a problem for some financial institutions, depending on their data models,” Schrader said. “A solution can be HSM-based, offloading a lot of the encryption work to specialized hardware.”
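NACHA’s list of acceptable methods (encryption, truncation, tokenization, destruction, or letting the financial institution hold the data) and the options Tavakoli describes above come down to the same property: the originator’s own records must never contain a usable account number, and a password in front of a clear-text database does not achieve that. The following is an added example, not code from NACHA, TokenEx, Vectra or any other party named in this article. It shows what tokenization plus truncation looks like at the record level; the in-memory vault, the digits-only format checks and the sample authorization data are constructed assumptions for illustration.

```python
"""Constructed example: keeping an ACH authorization record without a readable
account number, using tokenization (random token + separately held vault) and
truncation (last four digits only). Not code from NACHA or any vendor."""
import re
import secrets
from dataclasses import dataclass, field

# Assumed formats: ABA routing numbers are 9 digits; US deposit account numbers
# vary by institution, so only a loose digits-only length check is applied here.
ROUTING_RE = re.compile(r"^\d{9}$")
ACCOUNT_RE = re.compile(r"^\d{4,17}$")


def truncate(account: str, keep: int = 4) -> str:
    """Irreversibly reduce an account number to its trailing digits.
    Edge case: an account number no longer than `keep` digits would be fully
    exposed by a naive last-N rule, so it is masked entirely instead."""
    if not ACCOUNT_RE.match(account):
        raise ValueError("not a plausible account number")
    if len(account) <= keep:
        return "*" * len(account)
    return "*" * (len(account) - keep) + account[-keep:]


@dataclass
class TokenVault:
    """Stand-in for a token vault held outside the originator's systems
    (at a service provider or the financial institution). The token is random,
    so it reveals nothing about the account; only the vault can reverse it."""
    _by_token: dict = field(default_factory=dict)

    def tokenize(self, account: str) -> str:
        if not ACCOUNT_RE.match(account):
            raise ValueError("not a plausible account number")
        token = "tok_" + secrets.token_urlsafe(16)
        while token in self._by_token:          # guard against a (negligible) collision
            token = "tok_" + secrets.token_urlsafe(16)
        self._by_token[token] = account
        return token

    def detokenize(self, token: str) -> str:
        """Reversal is a privileged vault operation; the application
        database holding the token cannot perform it on its own."""
        return self._by_token[token]


def store_authorization(app_db: dict, vault: TokenVault, auth_id: str,
                        routing: str, account: str, amount_cents: int) -> dict:
    """Write the record the originator keeps. The full account number never
    reaches app_db; it goes to the vault and only the token and the last
    four digits are retained locally."""
    if not ROUTING_RE.match(routing):
        raise ValueError("not a 9-digit routing number")
    record = {
        "auth_id": auth_id,
        "routing": routing,          # identifies the bank, not the account; kept in the clear here
        "account_token": vault.tokenize(account),
        "account_last4": truncate(account),
        "amount_cents": amount_cents,
    }
    app_db[auth_id] = record
    return record


def record_exposes_account(record: dict, account: str) -> bool:
    """Audit check: does any persisted field contain the full account number?
    Run this against what is actually written to storage, not just in-memory objects."""
    return any(account in str(value) for value in record.values())


if __name__ == "__main__":
    vault, app_db = TokenVault(), {}
    # Constructed sample data, not a real routing or account number.
    rec = store_authorization(app_db, vault, "auth-0001", "123456789", "000987654321", 125_000)
    print(rec)
    print("exposes account:", record_exposes_account(rec, "000987654321"))
    print("vault lookup:", vault.detokenize(rec["account_token"]))
```

Two design points follow from the article’s requirements. Because the token is random rather than derived from the account number, two authorizations for the same account get different tokens; if the business needs to recognize repeat accounts, that lookup index belongs inside the vault (for instance keyed with a secret the application never sees), not in the application database. A plain hash of the account number is not a substitute for this: account numbers are short, digits-only strings, so a hash of one can be reversed by enumeration for many institutions’ formats, which is exactly the “readable in storage” condition the rule is meant to eliminate.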
Other experts said it took far too long for NACHA to put such rules in place. Netenrich threat intelligence adviser John Bambenek said ACH transactions are possible simply by knowing a person’s account information.
“The fact that we are in 2021, and only now that basic security is required on the processors of this information, shows how insecure our financial transaction systems really are,” Bambenek said.
“Arguably this has already been required by law and regulation for years; however, that it needs to be reiterated shows that many companies dealing with large amounts of financial transactions commit to doing nothing to protect consumers until they are forced to do so.”