Breaking down Nacha’s ACH supplemental security requirements for data at rest
This blog series aims to make it easier for product managers, developers, and business owners to understand the new Automated Clearing House (ACH) security requirements for data at rest. Starting June 30, 2022, qualifying organizations will be required to “protect deposit account information by rendering it unreadable when stored electronically.”
What is ACH?
The Automated Clearing House (ACH) connects nearly all banks and credit unions in the United States. The bank transfer network offers businesses and consumers a dynamic and inexpensive way to move money from one financial institution to another. According to Nacha, the governing and enforcement body of ACH, the network processed nearly 27 billion bank transfers totaling just under $62 trillion in total value in 2020.
What is deposit account information, and why does it matter?
Better known to most as a bank account number, deposit account information refers to the unique ID associated with an account at a given bank or credit union.
Each ACH transaction includes the sender and receiver’s account numbers, their respective financial institutions’ routing numbers, an amount to be deposited and credited, and other pieces of information. A financial institution lumps all its originators' transactions into an ACH file and sends it to an ACH Operator.
The ACH Operator uses the routing and account numbers to instruct the corresponding financial institutions which account to credit or debit. This system works well when you provide your account number to employers, billers, and companies and authorize them to use it. Unfortunately, it doesn't work so well for you when bad guys capture those numbers.
While many controls and protections make it difficult to abuse these numbers, ACH fraud is notoriously more difficult to deal with than credit or debit card fraud. For example, a stolen card can be reprovisioned digitally in seconds. Some businesses, like Netflix, even automatically update your existing subscription with the new card number.
Still, business is booming. ACH has grown year-over-year by 8% since 2011. In addition, new fintechs, like Stripe and Dwolla, have made integrating ACH into consumer apps, like YNAB and Coinbase, super easy. Nacha also began rolling out Same Day ACH in 2016, providing an affordable alternative to both the two-to-three-business-day wait of traditional ACH and the costlier push-to-debit option.
With volume and fraud on the rise, Nacha modernized its security compliance requirements for account numbers at rest in 2020.
What are Nacha’s security compliance rules for data at rest?
Nacha now requires that account numbers be “unreadable when stored electronically.” The implementation of this rule is broken into two phases:
- Phase 1: ACH Originators and Third-Parties with more than 6 million ACH payments annually. This rule came into effect on June 30, 2021.
- Phase 2: ACH Originators and Third-Parties with more than 2 million ACH payments annually. This rule will come into effect on June 30, 2022.
How do I know if I must follow Nacha’s rule for data at rest?
Understanding a given role in ACH can be notoriously tricky. So instead of defining the terms used in Article One, Section 1.6, we came up with two simple questions to ask your organization:
- First, “Are we storing bank or credit union account numbers?”
- Second, “Do we use those bank or credit union account numbers to initiate around 2 million* ACH transactions per year?”
If you answered “Yes” to both of those questions, then it’s likely the rule applies to your organization.
*Nacha will look at the total of all debit and credit ACH transactions originated by an entity across all its financial partners.
Which “deposit account information” must be unreadable?
To this point, we've used the term bank account numbers instead of the formal term, deposit account information. They are the same. It's this 5-to-17-digit number, the one printed on a paper check, that Nacha requires to be unreadable. It's important to note that the rule extends to images (e.g., authorization forms or scans of checks) too.
Other financial information, like account name, amount, and routing numbers, can be stored in plain text at this time.
Naturally, situations exist where using bank account numbers is part of daily operations. Nacha refers to this temporary usage as “active” and does not apply the rule to it. For example, the fraud department can view an account number as part of an investigation.
“Active” doesn’t mean safe, so Nacha still requires this information to be behind a set of controls (like passwords, logging, etc.). Basis Theory provides many of these controls, like aliasing or masking, as part of its services.
A few months ago, Nacha announced Basis Theory as a preferred partner for data tokenization and encryption. Since then, we have worked with several companies to help them follow these rules. After several conversations, a few themes have surfaced:
You are not alone
Most companies are still working on ensuring compliance with the Nacha rule, so don’t feel like you are the only one. Asking peers in the industry how they approached it may be a good way to fast-track the initiative.
It doesn’t have to be a roadmap-destroying exercise
Some companies want to use the ruling as an opportunity to rethink their entire payments stack. Most, however, are looking to follow the rule without disrupting operations. Don't buy into the marketing and over-invest if you don't need to.
Businesses are going above and beyond to secure the data
Many firms we speak to believe these measures will extend further in the near future. They're taking a proactive approach and extending Nacha’s scope to other details in the financial transaction, like name, amount, or entire addenda records.
You still have time
Platforms like Basis Theory offer low-code solutions and easy interoperability with a company’s existing tech stack. As a result, many can get a working proof-of-concept completed in less than one sprint. Skip the long sales cycles and development timeframes. Using Basis Theory, development teams can get your bank data into compliance in a matter of days, not weeks.
In the next part of the series we'll discuss your options for securing ACH bank account numbers at rest, including tokenization. However, if you'd like to get a jump start, contact us or pass our secure bank accounts guide on to your developers.