NACHA - New: Supplementing Data Security Requirements

The Change: The existing ACH Security Framework, including its data protection requirements, will be supplemented to explicitly require large non-FI Originators, Third-Party Service Providers (TPSPs), and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically.

Implementation begins with the largest originators and TPSPs (including TPSs), and initially applies to those with ACH volume of 6 million transactions or greater annually. A second phase applies to those with ACH volume of 2 million transactions or greater annually.

The Impact: Implementation for those originators and Third-Parties that currently would not be compliant.

The Timing:

• Phase 1: June 30, 2020 for originators and Third-Parties with ACH volume greater than 6 million in 2019
• Phase 2 :June 30, 2021 for originators and Third-Parties with ACH volume greater than 2 million in 2020