Announcements

  • ACH Security Framework Rule Goes into Effect Sept 20th!

    The ACH Security Framework Rule goes into effect September 20th. Three components comprise this rule:

    • Self-Assessment: DFIs and Third-Party Senders are required to audit themselves to validate that appropriate security measures have been established to protect data and access controls, similar to the requirements of the Privacy Act or the Gramm-Leach-Bliley Act.
    • Verification of Originators and Third-Party Senders: ODFIs and Third-Parties are required to know with whom they are doing business by conducting due diligence on each Originator, similar to a Customer Identification Program (CIP) for compliance with BSA/AML.
    • Protection of Sensitive Data and Access Controls: New action steps also require the ODFI to educate its customers/members. The ODFI will need to make some business decisions as to how it will maintain compliance, and update its current ACH Policy and procedures to address the Protection of Sensitive Data and Access Controls with Originators and Third-Party Senders.

    How do I Maintain Compliance?

    The ODFI is already required [see ACH Rules Section 2.1 and Appendix 8.4.n] to keep Originators and Third-Party Senders informed of their responsibilities under the ACH Rules. Some common methods currently being used to meet this requirement include:

    • Send customers/members a letter and the ACH Rules Corporate Edition CD on an annual basis
    • Conduct on-site visits, or a sales call, to discuss business needs
    • Conduct on-site audits to verify compliance with the Origination Agreement and the ACH Rules
    • Distribute EPCOR’s Inside Origination newsletter
    • Send a checklist or questionnaire to validate ACH procedures

    ODFIs may further consider requiring Originators to reply with a confirmation that the annual communication was received and understood. Several members have stated that internal auditors and examiners are requesting documented proof that Originators and Third-Party Senders have acknowledged their responsibilities.
    ODFIs will need to expand their current communication to include education on the ACH Security Framework Rule, especially the protection of sensitive data and access controls. Originators and Third-Party Senders must know that they are responsible for all ACH data, in paper form or on electronic media, while at rest, while in transit, while being stored and when being destroyed. Originators and Third-Party Senders should be reminded that ACH data in paper form, now termed “Protected Information”, including the Receiver’s authorization and printed ACH File confirmation reports, needs to be secured in a locked drawer. Electronic ACH data should only be accessible to appropriate staff. Passwords and security tokens should not be shared or accessible to others. ACH data should be destroyed by shredding documents or by erasing electronic media properly and securely. ODFIs should also encourage their customers/members to have written policies or procedures with regard to Protected Information. Large corporate clients should already have such policies and procedures in place. Smaller entities, however, will likely look to the ODFI for more guidance. The key to the ACH Security Framework Rule is that ODFIs, Originators and Third-Party Senders ensure the protection of all ACH data. EPCOR is working with NACHA on a tool to help you meet the compliance requirements of the new ACH Security Framework Rule. The new Security Checklists are coming soon and will be available at www.epcor.org and www.nacha.org. EPCOR's ODFI Audit Checklist for Originators and Third-Party Senders is also being updated. Stay tuned to News You Can Use and the EPCOR Online Store for more information.