Do you accept ACH payments from customers? If so, you should be aware of the NACHA Operating Rules issued annually by NACHA (National Automated Clearing House Association). The NACHA Rules govern every ACH payment and provide exact guidelines for securely storing, accessing and transmitting sensitive customer information.
You should have a working knowledge of NACHA requirements even if you use a third-party payment processing system like PaySimple. It’s your responsibility to know these ACH rules and make sure your business is compliant.
So what are the NACHA requirements? We’ll give you an overview of the most salient NACHA Rules here, but you should get a copy of all the ACH rules directly from NACHA. They release a new publication each year, so be sure you review it to familiarize yourself with the most recent NACHA requirements and updates.
An Overview of NACHA Requirements
NACHA Rules are meant to safeguard your customers’ sensitive financial and non-financial data and ensure that all ACH transactions are handled smoothly and securely. Sensitive information includes things like bank account numbers and routing numbers, social security numbers, driver’s license numbers, and more.
If you collect and store non-public sensitive information like this, then you need to comply with NACHA requirements. Here’s a brief overview of the main principles behind NACHA Rules:
Ensure Secure Transmission and Storage of Sensitive Data
Any time you send, receive, or store sensitive information online, it must be encrypted. NACHA requirements prohibit the use of unencrypted email or insecure web forms, for example. To ensure that your business is compliant, only transmit sensitive information through secure web forms and encrypted email like Microsoft Office 365 Message Encryption. If you use PaySimple to process ACH transactions, you’re already covered by our strong web and database encryption.
Safely Store Paper Documents
If you collect hard copies of sensitive customer data, then you have to take reasonable precautions to ensure they are stored securely. You should keep these documents in a safe location, like a locked file drawer, and only allow employee access for legitimate business purposes.
Validate Routing Numbers
NACHA requirements say that you have to take reasonable steps to make sure customers’ routing numbers are valid. A reputable payment processing system, like PaySimple, will do this automatically by checking the routing number against a database of valid possibilities.
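The directory lookup described above confirms that a routing number is actually assigned to an institution. Before that lookup, a merchant can cheaply reject mistyped or malformed numbers with the public ABA check-digit formula. The code below is an added example, not PaySimple's code or anything the page itself shows: the function names, the `SAMPLE_DIRECTORY` set standing in for a real routing-number directory, and the sample inputs are all constructed for illustration.

```python
# Added example, not PaySimple's code: a first-pass structural check on a
# 9-digit ABA routing transit number before any directory lookup.
# Two public rules are applied:
#   1. the check-digit formula (weights 3,7,1 repeated; weighted sum mod 10 == 0),
#   2. the assigned first-two-digit ranges (00-12, 21-32, 61-72, 80).
# Passing both only rules out typos and malformed input; only a lookup against a
# directory of assigned routing numbers confirms the number belongs to a live
# institution. The directory here is a constructed stand-in.
import re
from typing import Optional, Set, Tuple

ROUTING_RE = re.compile(r"^\d{9}$")
WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)
VALID_PREFIX_RANGES = ((0, 12), (21, 32), (61, 72), (80, 80))

# Constructed stand-in for a processor's routing-number directory.
SAMPLE_DIRECTORY: Set[str] = {"011000015", "021000021", "111000025"}


def normalize(raw: str) -> str:
    """Strip spaces and hyphens that customers often type into web forms."""
    return raw.strip().replace(" ", "").replace("-", "")


def checksum_ok(routing: str) -> bool:
    """ABA check-digit test; assumes routing is already exactly 9 digits."""
    return sum(int(d) * w for d, w in zip(routing, WEIGHTS)) % 10 == 0


def prefix_ok(routing: str) -> bool:
    """First two digits must fall in one of the assigned routing ranges."""
    prefix = int(routing[:2])
    return any(lo <= prefix <= hi for lo, hi in VALID_PREFIX_RANGES)


def validate_routing_number(raw: str, directory: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Structural checks run first so that an
    obviously mistyped number is rejected before any directory query."""
    routing = normalize(raw)
    if not ROUTING_RE.match(routing):
        return False, "must be exactly 9 digits"
    if not checksum_ok(routing):
        return False, "check digit mismatch (likely a typo)"
    if not prefix_ok(routing):
        return False, "first two digits are not an assigned routing range"
    if directory is not None and routing not in directory:
        return False, "not found in directory of assigned routing numbers"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("021000021", "0210-0002-2", "136000000", "123"):
        print(sample, validate_routing_number(sample, SAMPLE_DIRECTORY))
```

The check-digit test catches single-digit typos and most transpositions, which is why it is worth running on the web form itself; the directory lookup remains the step that satisfies the "routing number is valid" requirement.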
Verify Customer Identity
ACH rules require you to make reasonably sure a customer is who they say they are. Whether a transaction is authorized online or by phone, you must do what you can to ensure it’s coming from a valid source. You could check the person’s driver’s license number, use a third-party verification service, or deposit test amounts into a customer’s bank account. You can also authenticate users via a user ID and password, or through a known IP address. A good payment processing system will take care of customer identification for you.
Be Vigilant About Possible Fraud
NACHA Rules put the onus on you to detect possible fraud. You have to do what’s “commercially reasonable” to make sure the ACH transactions you initiate aren’t fraudulent. Your payment processing system should have robust fraud detection capabilities, which may include flagging duplicate transactions or suspicious activity or deploying complex algorithms that can pick up on fraudulent patterns.
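Two of the checks mentioned above, duplicate entries and suspicious activity, can be implemented with simple batch logic before a file is sent to the ODFI. The code below is an added example, not PaySimple's fraud engine or anything from the page: the `AchEntry` record, the salt, the window sizes and the sample batch are all constructed for illustration.

```python
# Added example, not PaySimple's code: two "commercially reasonable" checks a
# merchant can run over the ACH debits it is about to originate.
#   find_duplicates  - same account and amount submitted again inside a window
#                      (double-click on a web form, a re-keyed phone order);
#   flag_velocity    - more entries for one account inside a sliding window than
#                      a configured ceiling, a simple suspicious-activity signal.
# Account numbers are keyed by a salted hash so the raw number need not be
# kept in the review log. All entries below are constructed sample data.
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed salt; a real deployment keeps this out of source control.
ACCOUNT_SALT = b"example-salt-not-for-production"


def account_key(routing: str, account: str) -> str:
    """Stable, non-reversible identifier for a routing/account pair."""
    return hashlib.sha256(ACCOUNT_SALT + f"{routing}:{account}".encode()).hexdigest()[:16]


@dataclass(frozen=True)
class AchEntry:
    entry_id: str
    account: str        # output of account_key(), never the raw account number
    amount_cents: int
    submitted_at: datetime


def find_duplicates(entries: List[AchEntry], window: timedelta = timedelta(hours=24)) -> List[Tuple[str, str]]:
    """Return (duplicate_id, original_id) pairs: a later entry is a duplicate when
    an earlier entry for the same account and amount fell within the window."""
    seen: Dict[Tuple[str, int], List[AchEntry]] = defaultdict(list)
    flagged: List[Tuple[str, str]] = []
    for entry in sorted(entries, key=lambda e: e.submitted_at):
        key = (entry.account, entry.amount_cents)
        for earlier in seen[key]:
            if entry.submitted_at - earlier.submitted_at <= window:
                flagged.append((entry.entry_id, earlier.entry_id))
                break
        seen[key].append(entry)
    return flagged


def flag_velocity(entries: List[AchEntry], max_per_window: int, window: timedelta = timedelta(hours=24)) -> List[str]:
    """Return account keys that have more than max_per_window entries inside
    any sliding window of the given length."""
    by_account: Dict[str, List[datetime]] = defaultdict(list)
    for entry in entries:
        by_account[entry.account].append(entry.submitted_at)
    flagged: List[str] = []
    for account, times in by_account.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_per_window:
                flagged.append(account)
                break
    return sorted(flagged)


# Constructed sample batch: account A is debited $125.00 twice within minutes.
ACCT_A = account_key("011000015", "000111222")
ACCT_B = account_key("011000015", "000333444")
SAMPLE_ENTRIES = [
    AchEntry("E1", ACCT_A, 12500, datetime(2024, 3, 1, 9, 0)),
    AchEntry("E2", ACCT_A, 12500, datetime(2024, 3, 1, 9, 2)),   # duplicate of E1
    AchEntry("E3", ACCT_A, 9900, datetime(2024, 3, 1, 10, 0)),
    AchEntry("E4", ACCT_A, 12500, datetime(2024, 3, 3, 9, 0)),   # same amount, outside window
    AchEntry("E5", ACCT_B, 12500, datetime(2024, 3, 1, 9, 2)),   # different account
]

if __name__ == "__main__":
    print("duplicates:", find_duplicates(SAMPLE_ENTRIES))
    print("velocity:", flag_velocity(SAMPLE_ENTRIES, max_per_window=2))
```

Flagged entries should be held for review rather than silently dropped: a legitimate customer can make two identical payments in one day, and the rules expect a human decision, not an automatic rejection, at that point.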
Outline a Clear Security Policy
You should have a clear written policy that governs how you protect sensitive data. This policy should outline how you transmit, access, store, and protect confidential data from various threats and unauthorized use. If you already accept credit card payments and are PCI compliant, then you likely have a clear set of security policies in place, so all you need to do is expand them to include ACH transactions. Remember to add a section about how you validate a customer’s identity for telephone and web transactions. As part of your security policy, ensure that your third-party processing software is also compliant with ACH rules (PaySimple is!).
Make Sure You’re Compliant with All NACHA Requirements
NACHA requirements extend far beyond what we’ve outlined here, so be sure to get the latest copy of the NACHA Rules publication. You should always follow the best practices and regulations for ACH transactions. For example, you should obtain proper authorization for all ACH transactions, whether they’re one-time or recurring. If you’re changing the charge amount or date that the transaction occurs, you should notify customers several days in advance. And of course, if a customer asks to cancel their ACH payments, you have to do so as soon as they request it. These ACH best practices will not only help you be compliant with NACHA Rules, but maintain great customer relationships.
We hope that this guide gave you a helpful overview of ACH rules and how to make sure you comply with NACHA requirements. Of course, this isn’t a substitute for the published rules that NACHA releases each year, so be sure you check their website for the latest information and rule updates.
Finally, if you’d like more insights on securing customer data and complying with NACHA Rules, check out our post on ACH security requirements for merchants.