Often for small to medium businesses and even some larger businesses, it is not economical to have your own merchant account and be a merchant service provider. That’s why third-party payment processors are a great solution – instead of having a merchant account, which comes with high setup costs, a business will work with a third party who has their own relationship with a merchant services provider. Third-party payment processors frequently offer their clients payment services via the Automated Clearing House (ACH) network, which is convenient, but also comes with its own set of rules and requirements to avoid fraud and other problems.
For businesses and other third-party senders who process ACH transactions, there are a number of security requirements set by NACHA (National Automated Clearing House Association). These rules apply to any business that processes ACH transactions in either direction, whether to pay employees or vendors or to accept payments. Most business owners either have an ACH merchant account to process ACH transactions or use a third-party system to process ACH transactions.
Businesses that use third-party vendors need to maintain a level of security to make sure the process goes through accurately and sensitive ACH data stays protected. The business itself is responsible for the security of the data and must put access controls, including data encryption and firewalls, in place to safeguard sensitive information. Third-party vendors process transactions on behalf of their different clients and use their deposit accounts to conduct the payment process.
From the business owner’s perspective, the ACH rules require any transmission of banking information, such as a customer’s bank account and routing number, be encrypted using “commercially reasonable” encryption technology if transmitted via an unsecured network, like the Internet. Regular email or insecure web forms are not an acceptable way to send personal and sensitive information. So if you use a third-party software solution for transmitting ACH, ensure that the company you choose has the most up-to-date encryption available.
From the bank perspective, businesses that use third-party vendors also have to comply with the security procedures outlined by NACHA. To maintain security and assure validity of the items on ACH files, these procedures should be followed:
- The business is responsible for security of sending ACH items to the bank, and the bank is responsible for the security of processing and transmitting the ACH item to the Federal Reserve.
- When the ACH files are received by the bank, they are processed exactly as they are received. Dates cannot be modified after the receipt of files.
- If a file has been processed by the bank, the bank will reverse files or entries only after receiving a Reversal Request through Business Online Banking from any two authorized users that have the authority.
- If the file has not been processed by the bank, the bank will delete the entire file after receiving a written, signed request from any two authorized signers. The bank will verify that the person signing the request is authorized to do so.
- When a business submits transactions through Business Online Banking, this will be considered a valid transaction by the bank – no additional verification will be performed. This is the main reason that only granting Business Online Banking access to necessary people is so important.
- The business is responsible for establishing the Business Online Banking access IDs and passwords. Only employees responsible for ACH transmissions should have access to this information.
- The business is responsible for ensuring that passwords are secure by changing them on a regular basis, especially in the event of an employee termination.
- The business is responsible for notifying the bank if unauthorized personnel may have gained access to the Business Online Banking platform.
- Both the business and the bank agree that all telephone conversations, emails, and data transmissions are secure and are only shared with the necessary people, but they may also be electronically recorded and retained by either party.
If your company processes ACH transactions, make sure to stay on top of all the latest rules and procedures as established by NACHA. Visit their website for the most up-to-date information.