New ACH rule requires companies to hide financial transfer data

When it comes to most financial transactions in the United States, the National Automated Clearing House Association, known as Nacha, sets the rules. Specifically, the association acts as the governing body of the National Automated Clearing House (ACH Network), developing standards for direct payments and deposits between consumers, businesses, and federal, state and local governments. . Today, a new data security rule the proposed association has entered into force, marking the first of a two-pronged approach that will end in 2022.

First introduced in April, the new rule will require more organizations to make deposit account information unreadable in electronic storage. Specifically, the rule applies to both ACH initiators (the entities that send payments) and third parties that process more than six million ACH payments per year. The idea is that by making sensitive financial information unreadable in storage, there is less risk of data theft in the event of a breach or other exposure.

TokenEx Founder and CEO Alex Pezold, who helps companies comply with these rules, told VentureBeat Nacha he introduced the new requirement to “keep pace” and avoid fraud and other cyber- malicious behavior in the context of growing activity on the network.

“As more and more transactions are carried out digitally, the use of the ACH network has increased dramatically – 7.1 billion ACH payments were achieved in the first quarter of 2021 alone, ”he said. “Of course, more transactions create more opportunities for cybercriminals to acquire and profit from compromised account details.”

What this means for businesses

In addition to companies processing more than six million ACH transactions per year, the rule also applies to third parties involved in those transactions. This includes payment processors and providers of fraud prevention and analysis tools, among others. And while it is applicable to all industries, Pezold said those who commonly use direct deposits, wire transfers and electronic checks to send and receive electronic payments will be the most affected. ACH data is commonly used in subscription services, for example.

Pezold recommends that included entities strive to comply as quickly as possible, either by reassessing internal practices or by engaging a third party service. Nacha has provided for fairly severe penalties for non-compliance, including a fine of up to $ 500,000 per event and a suspension of use of the ACH network.

And while it’s currently unaffected, it’s a good idea that all businesses are starting to take notice. Phase two of the rule – which is due to go into effect a year later, on June 30, 2022 – will significantly reduce the threshold. Specifically, it will apply to ACH initiators and third parties with over two million ACH payments per year.

Growing Cybercrime Depends on Data

Increasingly, cybercriminals are relying on data to extort payments – the more valuable the data, the better. In fact, recent research across the cybersecurity industry cites the growing integration of blackmail and extortion techniques into ransomware operations as the most significant threat facing businesses. Acronis, for example, declared “2021 will be the year of extortion.

CrowdStrike also warned that the approach is growing. Criminals want to “steal as much data as possible.” Then they’ll say, ‘If you don’t pay us, we’re going to release all of this sensitive data,’ which could impact reputation or even regulation, ”CrowdStrike senior vice president Adam Meyers said, to VentureBeat earlier this year discussing the 2021 Global Threats Report.

Today, many companies aim to protect their data with next-generation cybersecurity solutions, especially those that use AI and machine learning to detect never-before-seen threats. But cybercriminals are never far behind, and they are continually developing new tools and techniques, and even forming alliances, to strengthen their attacks. Since preventing access to systems alone has not worked well for most organizations, security vulnerabilities have increased by 67% since 2014 – obscuring the data to make it less valuable is a good step.