Do you accept ACH payments from customers? If so, you should be aware of the Operating Rules issued annually by the National Automated Clearinghouse Association (NACHA). The NACHA rules and requirements oversee every ACH payment and provide exact guidelines for securely storing, accessing, and transmitting sensitive customer information.
You should have a basic knowledge of NACHA requirements even if you use a third-party payment processing system like PaySimple. It’s your responsibility to know these ACH rules and make sure your business is compliant.
You can get a copy of ACH rules directly from NACHA. They release an updated publication each year, so familiarize yourself with the most recent NACHA requirements and updates.
What is NACHA?
NACHA is a non-profit, and not a federal agency, but it works closely with the Federal Reserve, the U.S. Treasury and state banking agencies. It manages the ACH network, the payment system that drives safe, smart, and fast direct deposits and direct payments for all U.S. bank and credit union accounts.
Some of the group’s responsibilities are:
- Translating federal legislation and executive rules into clear guidance for member banks and ACH network participants;
- Enforcing those rules for all 10,000+ member banks and network participants;
- Driving development and adoption of the ACH system; and
- Acting as a trade organization (e.g., education, advocacy, roundtables, etc.)
What are NACHA requirements?
NACHA requirements are meant to safeguard your customers’ sensitive financial and non-financial data and ensure that all ACH transactions are handled smoothly and securely. Sensitive information includes things like bank account and routing numbers, social security numbers, driver’s license numbers, and more.
If you collect and store non-public sensitive information like this, then you must comply with NACHA requirements. Here’s a brief overview of the main principles behind NACHA Rules:
Ensure Secure Transmission and Storage of Sensitive Data
Any time you send, receive, or store sensitive information online, it must be encrypted. NACHA requirements prohibit the use of unencrypted email or insecure web forms, for example. To ensure that your business is compliant, only transmit sensitive information through secure web forms and encrypted email like Microsoft Office 365 Message Encryption. If you use PaySimple to process ACH transactions, you’re already covered by our strong web and database encryption.
Safely Store Paper Documents
If you collect hard copies of customer data, then you must ensure they are stored securely. You should keep these documents in a safe location, like a locked file drawer or safe, and only allow employee access for legitimate business purposes.
Validate Routing Numbers
NACHA requirements say that you have to take reasonable steps to make sure customers’ routing numbers are valid. A reputable payment processing system, like PaySimple, will do this automatically by checking the routing number against a database of valid possibilities.
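As an added example (not PaySimple’s code), the checks below apply the standard ABA routing-number check-digit rule and assigned prefix ranges as cheap structural validation before the directory lookup described above; the “routing directory” here is a constructed sample set, not a real database.

```python
# Added example (not PaySimple's code): structural validation of a 9-digit ABA
# routing number before it is looked up in a routing directory.
import re

# Assigned first-two-digit ranges for ABA routing numbers: Federal Reserve
# districts 00-12, thrift institutions 21-32, electronic 61-72, and 80.
_VALID_PREFIX_RANGES = ((0, 12), (21, 32), (61, 72), (80, 80))

# Constructed stand-in for the "database of valid possibilities" the post
# mentions; a real system would query a current routing directory instead.
KNOWN_ROUTING_NUMBERS = {"021000021", "121000248"}


def has_valid_checksum(routing_number: str) -> bool:
    """ABA rule: 3*(d1+d4+d7) + 7*(d2+d5+d8) + 1*(d3+d6+d9) must be divisible by 10."""
    if not re.fullmatch(r"\d{9}", routing_number):
        return False
    digits = [int(c) for c in routing_number]
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(d * w for d, w in zip(digits, weights)) % 10 == 0


def has_valid_prefix(routing_number: str) -> bool:
    """First two digits must fall in one of the assigned ranges."""
    prefix = int(routing_number[:2])
    return any(lo <= prefix <= hi for lo, hi in _VALID_PREFIX_RANGES)


def validate_routing_number(raw: str, directory=KNOWN_ROUTING_NUMBERS):
    """Normalise the input, run the cheap checks, then consult the directory.

    Returns (ok, reason) so a form can tell a typo apart from an unknown bank."""
    rn = re.sub(r"[\s-]", "", raw)  # tolerate "121-000-248" or spaced input
    if not re.fullmatch(r"\d{9}", rn):
        return False, "must be exactly nine digits"
    if not has_valid_checksum(rn):
        return False, "check digit mismatch (likely typo)"
    if not has_valid_prefix(rn):
        return False, "first two digits outside assigned ranges"
    if rn not in directory:
        return False, "not found in routing directory"
    return True, "ok"
```

The check digit only catches transcription errors; the directory lookup is still what establishes that the number belongs to a live institution.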
Verify Customer Identity
ACH rules require you to make reasonably sure a customer is who they say they are. Whether a transaction is authorized online or by phone, you must do what you can to ensure it’s coming from a valid source. You could check the person’s driver’s license number, use a third-party verification service, or deposit test amounts into a customer’s bank account. You can also authenticate users via a user ID and password, or through a known IP address. A good payment processing system will take care of customer identification for you.
Be Vigilant About Possible Fraud
You are responsible for detecting possible fraud. You have to do what’s “commercially reasonable” to make sure the ACH transactions you initiate aren’t fraudulent. Your payment processing system should have robust fraud detection capabilities, which may include flagging duplicate transactions or suspicious activity or deploying complex algorithms that can pick up on fraudulent patterns.
Outline a Clear Security Policy
You should have a clear written policy that governs how you protect sensitive data. This policy should outline how you transmit, access, store, and protect confidential data from various threats and unauthorized use. If you already accept credit card payments and are PCI Compliant, then you likely have a clear set of security policies in place, so all you need to do is expand them to include ACH transactions. Remember to add a section about how you validate a customer’s identity for telephone and web transactions. As part of your security policy, ensure that your third-party processing software is also compliant with ACH rules (PaySimple is!).
Stay Compliant with NACHA Requirements
NACHA requirements extend far beyond what we’ve outlined here, so be sure to get the latest copy of the NACHA rules publication. You should always follow the best practices and regulations for ACH transactions. For example, you should obtain proper authorization for all ACH transactions, whether they’re one-time or recurring. If you’re changing the charge amount or date that the transaction occurs, you should notify customers several days in advance. And of course, if a customer asks to cancel their ACH payments, you have to do so as soon as they request it. These ACH best practices will not only help you be compliant with NACHA Rules, but maintain great customer relationships.
We hope that this guide gave you a helpful overview of ACH rules and how to make sure you comply with NACHA requirements. Of course, this isn’t a substitute for the published rules that NACHA releases each year, so be sure you check their website for the latest information and rule updates.
Finally, if you’d like more insights on securing customer data and complying with NACHA Rules, check out our post on ACH security requirements for merchants.