The National Automated Clearing House Association (NACHA) has implemented new data security rules that require electronic payment processors to render unreadable any electronically stored deposit account information.
Effective as of June 30, 2021, this new rule extends to any place where account numbers related to automated clearing house (ACH) transactions are stored. As NACHA explains, "[t]his includes systems on which authorizations are obtained or stored electronically, as well as databases or systems platforms that support ACH entries." Additionally, the rule applies to physical documents containing ACH account numbers that are scanned for electronic storage.
In a FAQ issued with the new rule, NACHA clarified that "[t]he new requirement applies to non-consumer Originators that are not Participating Depository Financial Institutions (as defined by the Nacha Operating Rules), and to Third-Party Senders and Third-Party Service Providers that perform any function of ACH processing on behalf of an Originator, Third-Party Sender, ODFI, RDFI, or ACH Operator." Notably absent from this list, however, are financial institutions, which fall outside the scope of the new rule because NACHA recognizes that "they are already subject to rigorous data security requirements imposed by their regulators."
NACHA plans a phased implementation of this new rule, initially applying it to third-party service providers who process six million or more transactions annually, with a second phase of implementation a year from now for those with ACH volume of two million or more annual transactions. For now, however, NACHA has committed to not enforcing the rule for "one year from the effective date with respect to covered entities that are working in good faith toward compliance, but that require additional time to implement solutions."