CUNA Regulatory Comment Call


June 9, 2003

ACH Requirements for Internet and Social Security Number Security
(A MAJOR RULE)

EXECUTIVE SUMMARY

NACHA-The Electronic Payments Association has issued a request for comments on a proposal that would enhance the Internet data security requirements for all automated clearing house (ACH) transactions, not just Internet Initiated (WEB) Entries. In addition, NACHA has issued a Request For Information regarding how NACHA should change the NACHA Operating Rules (Rules) to comply with state laws that forbid the mailing of social security numbers. Comments on the Request For Comment and Information are due by July 15, 2003 to NACHA and June 30 to CUNA. Both Requests are summarized below.

The Request for Comment would make the following changes:

Please send your comments to CUNA by June 30, 2003. Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at mdunn@cuna.coop and Assistant General Counsel Michelle Profit at mprofit@cuna.coop; or mail them to Mary or Michelle c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, D.C. 20004.

In addition, CUNA recommends that all credit unions respond directly to NACHA because NACHA tabulates results to its surveys. If you would like to respond directly to NACHA and copy CUNA you may do so by using the NACHA survey forms here. Comments sent directly to NACHA should be sent to Maribel Bondoc, Network Services Assistant, NACHA, 13665 Dulles Technology Drive, Suite 300, Herndon, VA 20171, fax: (703) 787-0996 or email: mbondoc@nacha.org, no later than Tuesday, July 15, 2003. Please provide CUNA a copy by sending your comments to Mary Dunn at mdunn@cuna.coop and Michelle Profit at mprofit@cuna.coop.

BACKGROUND

Recently, a law was enacted in California that restricts the appearance of a social security number (SSN) on any document (such as periodic account statements) sent from financial institutions to their members or customers via the U.S. Mail. NACHA has been discussing the California law and its possible impact on the ACH Network, keeping in mind that several other jurisdictions also have pending legislation on the same issue. NACHA has identified several scenarios related to the usage of a consumer’s SSN which are detailed with the Request for Information.

The Request for Information is intended to assist NACHA in determining whether the NACHA Operating Rules should be amended to address the inclusion of a consumer’s SSN within an ACH entry. Various alternatives being considered include amending the NACHA Operating Rules to:

_____ A. Explicitly prohibit an Originator from including a consumer’s SSN within any ACH record. Such an amendment would likely include a new ODFI warranty addressing this requirement.

_____ B. Explicitly prohibit an Originator from including a consumer’s SSN within any field for which the contents of that field may be printed to the consumer’s bank account statement. Such an amendment would likely include a new ODFI warranty addressing this requirement.

_____ C. Require that an Originator populate an indicator field, with the Entry Detail Record, to indicate the presence of a consumer’s SSN within any ACH record. Such a rule would require RDFIs to make software changes that allow their processing systems to recognize this field indicator and react properly.

_____ D. Require that any SSN used within any ACH Record be truncated or masked in such a way that the data that appears in the ACH entry is unrecognizable as an SSN. Truncation of the SSN could include the letter “x” representing the initial five digits of the SSN, revealing only the last four digits (similar to debit card/ATM receipts). Masking the SSN could involve substitution of letters or other characters for certain digits of the SSN. Such a rule would require an IDFI to establish a method to ensure either truncation or random masking of the SSN within an ACH entry.

_____ E. Amend the NACHA Operating Rules to explicitly prohibit an RDFI from printing any SSN contained within an ACH entry to the consumer’s bank account statement. Such a rule would require an RDFI to establish a method to identify the account holder’s SSN within an ACH entry and exclude any such data from the bank account statement.

The information collected from the Request for Information will provide NACHA with data concerning the current use of SSNs for ACH processing and will help identify the potential impacts of any rule change limiting the use of such numbers within ACH payments. NACHA will use the information collected from this survey in its evaluation of this issue and in determining whether any changes to the Rules may be appropriate. In the event that NACHA subsequently recommends any amendments to the Rules, those proposed changes would be distributed under the NACHA Rule Making Process in the form of a Request for Comment.

QUESTIONS REGARDING THE PROPOSAL

  1. Does your credit union support the requirement that all banking information (i.e., ACH entries, entry data, routing numbers, account numbers, PINs or other identification symbols, etc.) that is transmitted or exchanged between ACH participants via an Unsecured Electronic Network either be encrypted using a commercially reasonable security technology or a secure session that is the equivalent of 128-bit RC4 encryption technology? Please explain.

  2. Does your credit union support the requirement that an ODFI take commercially reasonable steps to establish the identity of each Originator that uses an Unsecured Electronic Network to enter into a contractual relationship with the ODFI for the origination of ACH transactions? Please explain.

  3. Does your credit union support the expansion of ODFI and RDFI audit requirements to include checks on the secure transmission of banking information between ACH participants when Unsecured Electronic Networks are used? Please explain.

  4. Do you support March 12, 2004 as the effective date for these requirements? If not, what date do you support?

  5. Would this proposal result in costs or benefits to your organization? Please explain.

  6. Please place a check by any Rules change(s) that you support for complying with the California law that prohibits dissemination of social security numbers. Please explain.

    _____ A. Explicitly prohibit an Originator from including a consumer’s SSN within any ACH record. Such an amendment would likely include a new ODFI warranty addressing this requirement.

    _____ B. Explicitly prohibit an Originator from including a consumer’s SSN within any field for which the contents of that field may be printed to the consumer’s bank account statement. Such an amendment would likely include a new ODFI warranty addressing this requirement.

    _____ C. Require that an Originator populate an indicator field, with the Entry Detail Record, to indicate the presence of a consumer’s SSN within any ACH record. Such a rule would require RDFIs to make software changes that allow their processing systems to recognize this field indicator and react properly.

    _____ D. Require that any SSN used within any ACH Record be truncated or masked in such a way that the data that appears in the ACH entry is unrecognizable as an SSN. Truncation of the SSN could include the letter “x” representing the initial five digits of the SSN, revealing only the last four digits (similar to debit card/ATM receipts). Masking the SSN could involve substitution of letters or other characters for certain digits of the SSN. Such a rule would require an IDFI to establish a method to ensure either truncation or random masking of the SSN within an ACH entry.

    _____ E. Amend the NACHA Operating Rules to explicitly prohibit an RDFI from printing any SSN contained within an ACH entry to the consumer’s bank account statement. Such a rule would require an RDFI to establish a method to identify the account holder’s SSN within an ACH entry and exclude any such data from the bank account statement.

    Please submit your address and phone number.

Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com