NACHA Releases Interim Policy on Data Breaches
RESTON, Va. — NACHA, the Electronic Payments Association, has issued an interim policy to deal with security breaches of the automated clearinghouse (ACH) system.

The key points of the Operations Bulletin are that an Originating Depository Financial Institution (ODFI) must notify NACHA of a breach of consumer-level data, and the ODFI must also make information about the breach available to the affected Receiving Depository Financial Institutions (RDFIs). The interim policy became effective Sept. 28; however, NACHA will not enforce it until a final rule is adopted.

The NACHA Operations Bulletin stated, “The policy is a statement of NACHA’s expectation that ODFIs and their Originators and Third Parties will have appropriate procedures in place to prevent, detect, and investigate ACH data breach events, to report such events to NACHA, and to make information about such events available to affected RDFIs.”

The policy outlines what a data breach event is and defines consumer-level ACH data as including a bank account number, or a customer’s name together with their Social Security number. The ODFI is responsible for ensuring the protection of the data and for ensuring that it and its third-party providers implement commercially reasonable policies, procedures and systems to detect the occurrence of a data breach within their respective organizations.

If a breach is detected, the ODFI is expected to “immediately commence and diligently pursue” an investigation. That investigation should aim to determine (i) whether a data breach has actually occurred, (ii) the scope of the data breach, including the type and amount of data affected, (iii) the risk that the affected data will be misused, and (iv) what steps are necessary to prevent further unauthorized access to Consumer-Level ACH Data, NACHA said.

While the ODFI is required to report various aspects of the incident to NACHA, such as the cause and scope of the breach, NACHA may withhold the names of the organizations involved in the breach at the request of the ODFI.