Business Security

Guard Your Business

Businesses and business transactions may be at a bigger risk than consumer transactions due to their frequency and monetary value. Businesses may become the victims of account takeovers, unauthorized wire/ACH transfers, and business email compromise. Guidance indicates that businesses should consider enhanced controls over administrative access and business functions (including segregation of duties); understand the security features of software and websites utilized by the business; perform a risk assessment and evaluation of risk controls; and consider layered security processes such as out-of-bank verification, fraud detection/monitoring, and IP reputation-based services.

ACH Security Framework

Data security is an important topic for any business, but it is of particular importance to those businesses that utilize electronic transactions through ACH (Automated Clearing House). NACHA, the electronic payment association, has established ACH rules covering data security. Businesses originating ACH Entries are responsible for complying with the ACH Security Requirements.

Security Requirements

Each Non-Consumer Originator, Participating DFI (CharterWest Bank), Third-Party Service Provider, and Third-Party Sender must establish, implement, and update, as appropriate, policies, procedures, and systems with respect to the initiation, processing, and storage of Entries that are designed to:

  • Protect the confidentiality and integrity of Protected Information until its destruction
  • Protect against anticipated threats or hazards to the security or integrity of Protected Information until its destruction
  • Protect against unauthorized use of Protected Information that could result in substantial harm to a natural person

Such policies, procedures, and systems must include controls that comply with applicable regulatory guidelines on access to all systems used by such Non-Consumer Originator, Participating DFI, or Third-Party Service Provider to initiate, process, and store Entries.

Additionally, each Non-Consumer Originator that is not a Participating DFI, each Third-Party Service Provider, and each Third-Party Sender whose ACH Origination or Transmission volume exceeds 2 million Entries annually must protect DFI Account Numbers used in the initiation of Entries by rendering them unreadable when stored electronically.

Protected Information is defined as the non-public personal information, including financial information of a natural person used to create or contained within an Entry and any related Addenda Record.
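The following is an added example (not from CharterWest Bank or NACHA) of what "rendering unreadable when stored electronically" and "masking in communications" can look like for the DFI Account Number in an ACH Entry. It assumes a keyed HMAC token plus a last-four mask is an acceptable method for records that never need the clear number back; the field names, key and sample entry are constructed for the example.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass

# Constructed sample key for the example only; in practice the key comes from
# a key-management system, never from source code (assumption).
SAMPLE_KEY = b"example-hmac-key-rotate-me"


@dataclass(frozen=True)
class AchEntry:
    """Minimal ACH Entry fields for the example (constructed; not a full Nacha record)."""
    receiver_name: str
    dfi_account_number: str
    amount_cents: int
    addenda: str = ""  # Addenda Records can also carry Protected Information


def mask_account_number(account_number: str) -> str:
    """Mask for phone calls, e-mail or regular mail: keep only the last four digits."""
    digits = account_number.strip()
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def account_token(account_number: str, key: bytes) -> str:
    """Keyed, non-reversible token (HMAC-SHA256) usable for matching and reconciliation."""
    return hmac.new(key, account_number.encode(), hashlib.sha256).hexdigest()


def protect_for_storage(entry: AchEntry, key: bytes) -> dict:
    """Build the record to persist: the clear DFI Account Number is never included."""
    return {
        "receiver_name": entry.receiver_name,
        "account_token": account_token(entry.dfi_account_number, key),
        "account_masked": mask_account_number(entry.dfi_account_number),
        "amount_cents": entry.amount_cents,
        "addenda": entry.addenda,
    }


def contains_clear_account(record: dict, account_number: str) -> bool:
    """Guard check before writing a record or log line: does any field leak the clear number?"""
    return account_number in json.dumps(record)
```

A keyed hash only suits copies that never need to be reversed (reconciliation records, logs, support tickets); a record that must later be used to originate an Entry needs reversible protection such as encryption under a managed key instead.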

ACH Operating Rules

As an ACH Originator you agree to comply and be bound by the NACHA Operating Rules and Guidelines (the Rules). You may obtain access to the Rules by setting up an account at nachaoperatingrulesonline.org. The following is an overview of the important information you should be aware of as an ACH Originator.

  • ACH entries are categorized as “Consumer” or “Corporate”
  • ACH is a batch system (not real time)
  • Once sent to the ACH Operator, Entries are final
  • ACH is capable of crediting or debiting checking or savings accounts
  • Most banks and credit unions receive ACH Entries
  • ACH stop payments have no expiration date

Governing Rules Include

  • NACHA Operating Rules
  • Regulation E (for consumer entries)
  • UCC4A (for corporate credits)
  • CharterWest Bank Deposit Account Agreement
  • CharterWest Bank Business Online/ACH Agreement
  • Bank/Corporate Agreements
  • Customer Authorizations

Your Responsibilities Include

(in accordance with the Rules and CharterWest Bank agreements)

  • Maintain a balance of available funds in your account sufficient to cover payment obligations, including returns and adjustments.
  • Make necessary changes to Entry information when notified by CharterWest Bank, and cease subsequent Entries when appropriate.
  • You may utilize Prenotes ($0 Entries) to verify account information prior to the first live Entry; these should be submitted at least 3 business days prior to the live Entry.
  • Notify the bank if you utilize a Third-Party Service Provider to initiate the origination of ACH Entries or if you are originating ACH Entries on behalf of another business.
  • Ensure you and your devices are protected by following the security recommendations.
  • Transmit Entries in accordance with the formatting, medium, and timing requirements. See the Holiday Schedule for non-processing days.
  • Initiate reversing Entries when the bank has been notified of an error and has approved the initiation of reversals.
  • Retain data related to Entries to permit remaking of such Entries for 2 business days after the Settlement Date.
  • Obtain and retain appropriate authorizations or agreements required by the ACH Entries you are processing.
  • Protect the personal and financial information obtained and transmitted as part of the ACH Entry.

Following the security recommendations below will help to ensure your business is meeting the requirements, and protect your business from fraud or unauthorized activity.

Properly Handle, Store, and Destroy Protected Information

  • Establish an Information Security or Privacy Policy and procedure that includes ACH activities
  • Paper documents should be shredded
  • Electronic documents should be erased or wiped
  • Lock sensitive paper documents in cabinets or drawers
  • Secure all devices such as computers, laptops, mobile devices, etc. utilized for business purposes (see more information below)
  • Limit the number of locations where Protected Information is stored
  • Review and limit employee access to Protected Information, including server rooms
  • Mask Protected Information in communications, such as phone calls, e-mails and regular mail
  • Do not store Protected Information on portable/mobile devices
  • Transmit Protected Information over the internet and e-mail in a secure session
  • Establish an Acceptable Use Policy for such resources

Educate Your Staff

  • Keep Protected Information safe and secure at all times
  • Make staff aware of Acceptable Use Policy and Information Security Policy
  • Make staff aware of or provide training on security awareness of cybersecurity risks such as phishing scams, corporate account takeover, and vendor/payroll impersonation fraud.
  • Notify staff immediately of any potential security breaches
  • Establish a Clean Desk Policy

Protect Your Accounts

  • Never use default passwords – always change vendor-supplied passwords
  • Use strong passwords or a password phrase that is unique to each user
  • Do not share passwords with co-workers
  • Change passwords frequently
  • Use password-activated screen savers
  • Safeguard passwords

Protect Your Devices and Network

  • Restrict use of computers for business purposes only
  • Protect your IT system and network – encryption, anti-virus/spyware software, firewalls
  • Limit or disable unnecessary workstation ports, services, or devices
  • Utilize automatic log-outs after a certain amount of inactivity
  • Encrypt all data when moved and stored
  • Install updates/patches as soon as they are published
  • Log off computer or device when not in use

ACH Rule Updates

The links below will redirect you to the NACHA.org website for more details on each Rules update.

2026

June 19, 2026

RISK MANAGEMENT TOPICS – (Fraud Monitoring Phase 2) →

These Rule amendments related to monitoring for fraud become effective on June 19, 2026 and are part of a larger Risk Management package intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred.

Included in this portion of the Risk Management Rule amendments are the Phase Two requirements related to:

  • Fraud Monitoring by Originators, Third-Party Service Providers/Third Party Senders and ODFIs; and
  • ACH Credit Monitoring by RDFIs.

March 20, 2026

RISK MANAGEMENT TOPICS – Company Entry Descriptions →

These two Rule amendments on Company Entry Descriptions become effective on March 20, 2026 and are part of a larger Risk Management package intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred.

Standardized uses of the Company Entry Description can help parties in the ACH Network identify, monitor and count the volume of payments for specific purposes; and can help manage risk.

Included in this portion of the Risk Management Rule amendments are two new defined Company Entry Descriptions PAYROLL and PURCHASE.

RISK MANAGEMENT TOPICS – (Fraud Monitoring Phase 1) →

These Rule amendments related to monitoring for fraud become effective on March 20, 2026 and are part of a larger Risk Management package intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred.

Included in this portion of the Risk Management Rule amendments are the Phase One requirements related to:

  • Fraud Monitoring by Originators, Third-Party Service Providers/Third Party Senders and ODFIs; and
  • ACH Credit Monitoring by RDFIs.

2025

April 1, 2025

Risk Management Topics →

This portion of a recent Rule amendment becomes effective on April 1, 2025 and requires an RDFI to advise the ODFI of the status of a Request for Return within ten (10) banking days of receipt of the ODFI’s request.

2024

October 1, 2024

Risk Management Topics →

These Rule amendments are part of a larger Risk Management package intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred.

June 21, 2024

Minor Rules Topics →

These changes will amend the Rules to address a variety of minor topics. Minor changes to the Rules are expected to have little-to-no impact on ACH participants and no significant processing or financial impact.

2023

March 17, 2023

Micro-Entries (Phase 2) →

This Rule will define and standardize practice and formatting of Micro-Entries, which are used by some ACH Originators as a method of account validation. This phase of the Rule requires Originators of Micro-Entries to use commercially reasonable fraud detection, including the monitoring of Micro-Entry forward and return volumes.

2022

September 30, 2022

Third-Party Sender Roles and Responsibilities →

This Rule clarifies the roles and responsibilities of Third-Party Senders (TPS) in the ACH Network by addressing the existing practice of Nested Third-Party Sender relationships, and making explicit and clarifying the requirement that a TPS conduct a Risk Assessment.

September 16, 2022

Micro-Entries (Phase 1) →

This Rule will define and standardize practices and formatting of Micro-Entries, which are used by some ACH Originators as a method of account validation.

June 30, 2022

Supplementing Data Security Requirements →

This rule supplements previous ACH Security Framework data protection requirements by explicitly requiring large, non-FI Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically.

March 18, 2022

Increasing the Same Day ACH Dollar Limit →

This rule will continue to expand the capabilities of Same Day ACH. Increasing the Same Day ACH dollar limit to $1 million per payment is expected to improve Same Day ACH use cases and contribute to additional adoption.

2021

September 17, 2021

Meaningful Modernization →

These Rules intend to improve and simplify the ACH user experience by: facilitating the adoption of new technologies and channels for the authorization and initiation of ACH payments; reducing barriers to use of the ACH; providing clarity and increasing consistency around certain ACH authorization processes; and reducing certain administrative burdens related to ACH authorizations.

September 17, 2021

Minor Rules Topics →

These changes will amend the Nacha Operating Rules (Rules) to address a variety of minor topics related to Meaningful Modernization, an ACH Operator edit and expiration of stop payments on non-consumer accounts.

June 30, 2021

Reversals and Enforcement →

The overarching purpose of these two Rules is to deter and prevent, to the extent possible, the improper use of reversals and the harm it can cause.

The two Rules explicitly address improper uses of reversals, and improve enforcement capabilities for egregious violations of the Rules.

June 30, 2021

Limitation on Warranty Claims →

The Limitation on Warranty Claims limits the length of time in which an RDFI will be permitted to make a claim against the ODFI’s authorization warranty. The rule will become effective June 30, 2021.

June 30, 2021

Supplementing Data Security Requirements (Phase 1) →

The existing ACH Security Framework Rule – including its data protection requirements – will be supplemented to explicitly require large, non-FI Originators, Third-Party Service Providers and Third-Party Senders to protect deposit account information by rendering it unreadable when it is stored electronically.

April 1, 2021

Differentiating Unauthorized Return Reasons →

This rule better differentiates among types of unauthorized return reasons for consumer debits. This differentiation will give ODFIs and their Originators clearer and better information when a customer claims that an error occurred with an authorized payment, as opposed to when a customer claims there was no authorization for a payment. ODFIs and their Originators should be able to react differently to claims of errors, and potentially could avoid taking more significant action with respect to such claims.

March 19, 2021

Expanding Same Day ACH →

This rule expands access to Same Day ACH by allowing Same Day ACH transactions to be submitted to the ACH Network for an additional two hours every business day. The new Same Day ACH processing window became effective on March 19, 2021. Learn more about Same Day ACH at the Resource Center.
