Business Security Center
Businesses and business transactions may be at a greater risk than consumer transactions due to their frequency and monetary value. Businesses may become the victims of account takeovers, unauthorized wire/ACH transfers, and business email compromise. Guidance indicates that businesses should consider enhanced controls over administrative access and business functions (including segregation of duties); understand the security features of software and websites utilized by the business; perform a risk assessment and evaluation of risk controls; and consider layered security processes such as out-of-band verification, fraud detection/monitoring, and IP reputation-based services. Below are helpful links for businesses.
- Banks Never Ask That
- CISA Resources & Tools
- FTC – Business Center Data Security
- FTC – Small Business
- Better Business Bureau – Data Security
- NACHA – Protecting Consumers
- NACHA – Current Fraud Threats
- Federal Communications Commission – Business Tips
- Small Business Information Security (NIST)
- American Bankers Association – Fraud
- US Chamber of Commerce – Cybersecurity
ACH Security Framework
Data security is an important topic for any business, but it is of particular importance to those businesses that use electronic transactions through ACH (Automated Clearing House). NACHA, the electronic payments association, has established ACH rules covering data security. Businesses originating ACH Entries are responsible for complying with the ACH Security Requirements.
Security Requirements
Each Non-Consumer Originator, Participating DFI (CharterWest Bank), Third-Party Service Provider, and Third-Party Sender must establish, implement, and update, as appropriate, policies, procedures, and systems with respect to the initiation, processing, and storage of Entries that are designed to:
- protect the confidentiality and integrity of Protected Information until its destruction;
- protect against anticipated threats or hazards to the security or integrity of Protected Information until its destruction; and
- protect against unauthorized use of Protected Information that could result in substantial harm to a natural person.
Such policies, procedures, and systems must include controls that comply with applicable regulatory guidelines on access to all systems used by such Non-Consumer Originator, Participating DFI, or Third-Party Service Provider to initiate, process, and store Entries.
Additionally, each Non-Consumer Originator that is not a Participating DFI, each Third-Party Service Provider, and each Third-Party Sender whose ACH Origination or Transmission volume exceeds 2 million Entries annually must protect DFI Account Numbers used in the initiation of Entries by rendering them unreadable when stored electronically.
Protected Information is defined as the non-public personal information, including financial information, of a natural person that is used to create or is contained within an Entry and any related Addenda Record.
ACH Operating Rules
As an ACH Originator you agree to comply and be bound by the NACHA Operating Rules and Guidelines (the Rules). You may obtain access to the Rules by setting up an account at nachaoperatingrulesonline.org. The following is an overview of the important information you should be aware of as an ACH Originator.
- ACH entries are categorized as “Consumer” or “Corporate”
- ACH is a batch system (not real time)
- Once sent to the ACH Operator, Entries are final
- ACH is capable of crediting or debiting checking or savings accounts
- Most banks and credit unions receive ACH Entries
- An ACH Originator is any entity or person that creates an ACH transaction
- ACH stop payments have no expiration date
Governing Rules include:
- NACHA Operating Rules
- Regulation E (for consumer entries)
- UCC4A (for corporate credits)
- CharterWest Bank Deposit Account Agreement
- CharterWest Bank Business Online/ACH Agreement
- Bank/Corporate Agreements
- Customer Authorizations
Your responsibilities include (in accordance with the Rules and CharterWest Bank agreements):
- Maintain a balance of available funds in your account sufficient to cover payment obligations, including returns and adjustments.
- Transmit Entries in accordance with the formatting, medium, and timing requirements. See the Holiday Schedule for non-processing days.
- Make necessary changes to Entry information when notified by CharterWest Bank, and cease subsequent Entries when appropriate.
- Initiate reversing Entries when the bank has been notified of an error and has approved the initiation of reversals.
- You may utilize Prenotes ($0 Entries) to verify account information prior to the first live Entry; these should be submitted at least 3 business days prior to the live Entry.
- Retain data related to Entries to permit remaking of such Entries for 2 business days after the Settlement Date.
- Notify the bank if you utilize a Third-Party Service Provider to initiate the origination of ACH Entries or if you are originating ACH Entries on behalf of another business.
- Obtain and retain appropriate authorizations or agreements required by the ACH Entries you are processing.
- Protect the personal and financial information obtained and transmitted as part of the ACH Entry.
- Ensure that you and your devices are protected by following the security recommendations below.
Following the security recommendations below will help ensure your business meets these requirements and is protected from fraud or unauthorized activity.
Properly handle, store, and destroy Protected Information
- Establish an Information Security or Privacy Policy and procedure that includes ACH activities
- Paper documents should be shredded
- Electronic documents should be erased or wiped
- Lock sensitive paper documents in cabinets or drawers
- Secure all devices such as computers, laptops, mobile devices, etc. utilized for business purposes (see more information below)
- Limit the number of locations where Protected Information is stored
- Review and limit employee access to Protected Information, including server rooms
- Mask Protected Information in communications, such as phone calls, e-mails and regular mail
- Do not store Protected Information on portable/mobile devices
- Transmit Protected Information over the internet or e-mail only within a secure (encrypted) session
- Establish an Acceptable Use Policy for such resources
Protect your accounts
- Never use default passwords – always change vendor supplied passwords
- Use strong passwords or a password phrase that is unique to each user
- Do not share passwords with co-workers
- Change passwords frequently
- Use password-activated screen savers
- Safeguard passwords
Protect your devices and network
- Restrict use of computers for business purposes only
- Protect your IT system and network – encryption, anti-virus/spyware software, firewalls
- Limit or disable unnecessary workstation ports, services, or devices
- Utilize automatic log-outs after a certain amount of inactivity
- Encrypt all data in transit and at rest
- Install updates/patches as soon as they are published
- Log off computer or device when not in use
Educate your staff
- Keep Protected Information safe and secure at all times
- Make staff aware of Acceptable Use Policy and Information Security Policy
- Provide security awareness training on cybersecurity risks such as phishing scams, corporate account takeover, and vendor/payroll impersonation fraud
- Notify staff immediately of any potential security breaches
- Establish a Clean Desk Policy
ACH Rules Updates
Links below will redirect you to the NACHA.org website for more details on each Rules update.
2023
March 17, 2023
This Rule will define and standardize practice and formatting of Micro-Entries, which are used by some ACH Originators as a method of account validation. This phase of the Rule requires Originators of Micro-Entries to use commercially reasonable fraud detection, including the monitoring of Micro-Entry forward and return volumes.
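One way to implement the forward and return volume monitoring this phase of the Micro-Entry Rule calls for, as an added example that is not from this page or from Nacha: a small Python monitor run over a constructed Micro-Entry log. The alert thresholds (return rate and spike factor) are assumed illustrative values, not figures from the Rule.

```python
from collections import defaultdict
from datetime import date

# Constructed sample Micro-Entry log: (settlement date, direction, amount in dollars).
# "forward" is a Micro-Entry the Originator sent; "return" is one the RDFI sent back.
# Three ordinary days are followed by a day with a burst of forwards and many returns.
SAMPLE_ENTRIES = (
    [(date(2023, 3, 20), "forward", 0.05)] * 10 + [(date(2023, 3, 20), "return", 0.05)]
    + [(date(2023, 3, 21), "forward", 0.07)] * 12
    + [(date(2023, 3, 22), "forward", 0.03)] * 9 + [(date(2023, 3, 22), "return", 0.03)]
    + [(date(2023, 3, 23), "forward", 0.02)] * 40 + [(date(2023, 3, 23), "return", 0.02)] * 22
)


def daily_volumes(entries):
    """Aggregate forward and return counts per settlement date, oldest first."""
    counts = defaultdict(lambda: {"forward": 0, "return": 0})
    for day, direction, _amount in entries:
        counts[day][direction] += 1
    return dict(sorted(counts.items()))


def monitor_micro_entries(entries, max_return_rate=0.15, spike_factor=3.0):
    """Return alerts (date, reason, value) for days whose return rate exceeds
    max_return_rate, or whose forward volume exceeds spike_factor times the
    average forward volume of all earlier days. Both thresholds are assumed
    illustrative values chosen for this example, not figures from the Rule."""
    alerts = []
    earlier_forward = []  # forward counts of days already seen, for the baseline
    for day, c in daily_volumes(entries).items():
        fwd, ret = c["forward"], c["return"]
        if fwd and ret / fwd > max_return_rate:
            alerts.append((day, "return_rate", round(ret / fwd, 3)))
        if earlier_forward:
            baseline = sum(earlier_forward) / len(earlier_forward)
            if fwd > spike_factor * baseline:
                alerts.append((day, "forward_spike", fwd))
        earlier_forward.append(fwd)
    return alerts


if __name__ == "__main__":
    for alert in monitor_micro_entries(SAMPLE_ENTRIES):
        print(alert)
```

In the sample, only the last day trips both checks: 22 returns against 40 forwards is a 55% return rate, and 40 forwards is more than three times the earlier daily average of about 10.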
September 30, 2022
Third-Party Sender Roles and Responsibilities
This Rule clarifies the roles and responsibilities of Third-Party Senders (TPS) in the ACH Network by addressing the existing practice of Nested Third-Party Sender relationships, and making explicit and clarifying the requirement that a TPS conduct a Risk Assessment.
2022
September 16, 2022
This Rule will define and standardize practices and formatting of Micro-Entries, which are used by some ACH Originators as a method of account validation.
June 30, 2022
Supplementing Data Security Requirements
This rule supplements previous ACH Security Framework data protection requirements by explicitly requiring large, non-FI Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically.
March 18, 2022
Increasing the Same Day ACH Dollar Limit
This rule will continue to expand the capabilities of Same Day ACH. Increasing the Same Day ACH dollar limit to $1 million per payment is expected to improve Same Day ACH use cases and contribute to additional adoption.
2021
September 17, 2021
These Rules intend to improve and simplify the ACH user experience by: facilitating the adoption of new technologies and channels for the authorization and initiation of ACH payments; reducing barriers to use of the ACH; providing clarity and increasing consistency around certain ACH authorization processes; and reducing certain administrative burdens related to ACH authorizations.
September 17, 2021
These changes will amend the Nacha Operating Rules (Rules) to address a variety of minor topics related to Meaningful Modernization, an ACH Operator edit and expiration of stop payments on non-consumer accounts.
June 30, 2021
The overarching purpose of these two Rules is to deter and prevent, to the extent possible, the improper use of reversals and the harm it can cause.
The two Rules explicitly address improper uses of reversals, and improve enforcement capabilities for egregious violations of the Rules.
June 30, 2021
The Limitation on Warranty Claims limits the length of time in which an RDFI will be permitted to make a claim against the ODFI’s authorization warranty. The rule will become effective June 30, 2021.
June 30, 2021
Supplementing Data Security Requirements (Phase 1)
The existing ACH Security Framework Rule — including its data protection requirements — will be supplemented to explicitly require large, non-FI Originators, Third-Party Service Providers and Third-Party Senders to protect deposit account information by rendering it unreadable when it is stored electronically.
April 1, 2021
Differentiating Unauthorized Return Reasons
This rule better differentiates among types of unauthorized return reasons for consumer debits. This differentiation will give ODFIs and their Originators clearer and better information when a customer claims that an error occurred with an authorized payment, as opposed to when a customer claims there was no authorization for a payment. ODFIs and their Originators should be able to react differently to claims of errors, and potentially could avoid taking more significant action with respect to such claims.
March 19, 2021
This rule expands access to Same Day ACH by allowing Same Day ACH transactions to be submitted to the ACH Network for an additional two hours every business day. The new Same Day ACH processing window became effective on March 19, 2021. Learn more about Same Day ACH at the Resource Center.