CUNA Comment Letter
ACH Data Security Requirements
July 15, 2003
Ms. Maribel Bondoc
Network Services Assistant
13665 Dulles Technology Drive
Herndon, Virginia 20171
Dear Ms. Bondoc:
The Credit Union National Association appreciates this opportunity to comment on the request for comments regarding NACHA's proposal to enhance Internet data security requirements for all automated clearing house (ACH) transactions, not just Internet-initiated (WEB) Entries. The proposed changes would apply to any banking information (including ACH entries, ACH entry data, routing numbers, account numbers and PINs or other personal identification symbols) that is transmitted or exchanged between ACH participants via an Unsecured Electronic Network. CUNA, a national trade association, represents more than 90 percent of the nation's 10,000 state and federal credit unions. This letter reflects the views of CUNA's Payment Systems Subcommittee, whose chair is Terry West of VyStar Credit Union, Jacksonville, Florida.
CUNA strongly supports efforts to maintain the security and integrity of the ACH network. ACH data transmitted via the Internet without an appropriate level of security protection is vulnerable to unauthorized access. Unauthorized changes to ACH data jeopardize the integrity of the ACH network, which could negatively impact credit unions in terms of member relations as well as cost. A credit union member who finds incorrect ACH debit(s) and/or credit(s) posted to their account will certainly contact the credit union displeased with the electronic payment error. The credit union would then have to expend resources to investigate the claim. Moreover, if credit union members have such experience with inaccurate electronic payments, they may decide to utilize other forms of payment, such as paper checks, which are more expensive to process.
CUNA supports the proposed requirement that an originating depository financial institution (ODFI) take commercially reasonable steps to establish the identity of each Originator that uses an Unsecured Electronic Network to enter into a contractual relationship with the ODFI for the origination of ACH transactions. In addition, CUNA supports the expansion of originating depository financial institution (ODFI) and receiving depository financial institution (RDFI) audit requirements to include checks on the secure transmission of banking information between ACH participants when Unsecured Electronic Networks are used. Verifying the identity of Originators and enhancing audit requirements both contribute to enhancing the security and integrity of the ACH network.
CUNA does have two recommendations with respect to this proposal. CUNA recommends that the definition of banking information be modified to cover only ACH-related transmissions. Under the proposal, the definition of banking information would include not only transmissions regarding ACH entries and ACH entry data but also account numbers, routing numbers and PINs exchanged between ACH participants regardless of whether they are being transmitted to initiate or receive or otherwise process ACH data. There may be instances when two financial institutions that happen to be ACH participants need to exchange member/customer information, such as matters related to Regulation E (Electronic Funds Transfer), that are not related to processing items through the ACH Network. We believe the rule should not apply in such instances.
Finally, the proposed effective date of March 12, 2004 is appropriate. However, NACHA may find after surveying financial institutions that the compliance date should be extended. Financial institutions, especially smaller institutions, may require programming changes to their systems to implement encryption software equivalent to 128-bit RC4 encryption technology to comply with the rule. The proposed effective date may not provide adequate time for the institutions' data processors/vendors to complete necessary development and testing of such system changes. Therefore, CUNA suggests a later compliance date for institutions, such as 1 year, in order to provide sufficient time for all institutions to meet the new requirements.
Thank you for the opportunity to share our comments. If you have any further questions, please contact Mary Dunn (firstname.lastname@example.org) or Catherine Orr (email@example.com) at our e-mail addresses or at (202) 638-5777.
Mary Mitchell Dunn
Associate General Counsel
Senior Regulatory Counsel