Consumers and organizations have a variety of options for making and receiving payments. While these payment types share the ultimate goal of transferring funds from payer to payee, the path those funds travel and the approaches employed for safely and securely completing transactions vary. The Secure Payments Task Force developed the Payment Lifecycles and Security Profiles as an educational resource and to provide perspectives related to:
- The lifecycles of the most common payment types, covering enrollment, transaction flow and reconciliation
- Security methods, identity management controls and sensitive data occurring at each step in the payment lifecycles
- Relevant laws and regulations, and other references, as well as challenges and improvement opportunities related to each payment type
The profiles employ a consistent format for describing the lifecycle of each payment type. The lifecycle template is not designed to represent the nuances of specific payment transaction flows, but as a broad taxonomy that can be applied across different payment types for understanding and comparing controls and risks. The profiles are not all-encompassing in describing the layered security strategies that may be employed by specific networks, providers or businesses and shouldn’t be considered an assessment of overall security of different payment types. The improvement opportunities noted in the profiles highlight areas for further industry exploration and are not intended as guidance or specific solutions to be implemented.
These valuable resources were developed through the collaborative efforts of more than 200 task force participants with diverse payments and security expertise and perspectives. It is the hope of the task force that by helping industry stakeholders better understand these payments processes, the security and risks associated with these processes, and potential improvement opportunities, they will be well positioned to take action to strengthen their payment security practices.
Note: These materials were created by the Secure Payments Task Force and are intended to be used as educational resources. The information provided in the Payment Lifecycles and Security Profiles does not necessarily reflect the views of any particular individual or organization participating in the Secure Payments Task Force. The document is not intended to provide business or legal advice and is not regulatory guidance. Readers should consult with their own business and legal advisors.
Feedback and/or questions related to the Payment Lifecycles and Security Profiles can be submitted by using the “provide feedback” form.
This overview supports the Payment Lifecycle and Security Profile for the Automated Clearing House (ACH) Payment Type.
Automated Clearing House Definition: An ACH payment (credit or debit) may include direct deposit payroll, Social Security payments, tax refunds, person-to-person (P2P) payments and the direct payment of business-to-business and consumer bills. Within the ACH system, the originator is the entity that originates transactions, and the receiver is the entity that receives the credit or debit payment (i.e. the payment is credited to or debited from their transaction account). The transactions pass through sending and receiving financial institutions that are authorized to use the ACH system.Overview of Laws, Regulations and References on Payment Security (Including Challenges and Improvement Opportunities)
Legal and Regulatory References
Regulation E: Electronic Fund Transfer Act (EFTA) (Consumer ACH), 15 U.S. Code (U.S.C.) § 1693, et seq.; Reg E: 12 Code of Federal Regulations (CFR) § 1005.2, et seq.
Uniform Commercial Code Article 4A: Funds Transfers (as adopted by the states) (Non-Consumer ACH)
Financial Crimes Enforcement Network (FinCEN) Bank Secrecy Act, 31 U.S.C. § 5311, et seq.; 31 CFR § 1010.100, et seq. (implementing regulations); Federal Financial Institutions Examination Council (FFIEC), Bank Secrecy Act/Anti-Money Laundering Examination Manual (2014)
Customer Identification Program (CIP), 31 CFR § 1020.220, et seq.
Identity Theft Red Flags Rules, 12 CFR § 41.90 (OCC); 12 CFR § 222.90 (FRB); 12 CFR § 334.90 (FDIC); 12 CFR § 717.90 (NUCA); 16 CFR § 681.1 (FTC); 17 CFR § 162.30 (CFTC); 17 CFR § 248.201 (SEC)
Office of the Comptroller of the Currency (OCC), 2006-39 and 2008-12
OCC, Third-Party Relationships, OCC Bulletin 2013-29 (Oct. 30, 2013): Risk management guidance directed at outsourcing and third-party relationship management, a key focus of the guidance is on requirements to adopt processes to manage third-parties in manner commensurate with risks over the full lifecycle of those relationships.
OCC, Supplemental Examination Procedures for Risk Management of Third-Party Relationships, OCC Bulletin 2017-7 (Jan. 24, 2017)
Board of Governors of the Federal Reserve System, Guidance on Managing Outsourcing Risk (Dec. 5, 2013) – FRB SR 13-19: Third-party oversight guidance, set of cyber-risk oversight activities which includes reporting and expectations for Boards of Directors and Senior Management.
FFIEC IT Exam Handbooks: Some of the handbooks are more frequently a factor in exams, but they all contain provisions that impact payments compliance in the areas of confidentiality, availability, data integrity, privacy and third-party oversight.
- FFIEC, IT Examination Handbook, Information Security (Sept. 2016)
- FFIEC, IT Examination Handbook, Retail Payment Systems (Apr. 2016)
- FFIEC, IT Examination Handbook, Supervision of Technology Service Providers (Oct. 2012)
FFIEC, Authentication in an Internet Banking Environment (Oct. 12, 2005); FFIEC, Supplemental to Authentication in an Internet Banking Environment (June 28, 2011)
FFIEC, Cybersecurity Assessment Tool (CAT) (June 2015): The CAT is a support tool issued by the FFIEC to assist financial organizations with managing cyber-risk. CAT is strongly encouraged by some US states, but in general it is based on existing guidance and thus does not constitute new regulation.
Gramm-Leach-Bliley Act (1999), 15 U.S.C. § 6801, et seq.
Regulation P, Privacy of Consumer Financial Information 12 CFR 1016.1, et seq. – enacted to control how financial institutions manage the private information of individuals. In addition, the Interagency Guidelines Establishing Standards for Safeguarding Customer Information include provisions associated with the role of risk management, boards and third-party oversight.
Federal Trade Commission Act (1914), 15 U.S.C. § 45(a) (prohibiting “unfair or deceptive acts or practices in or affecting commerce”); 16 CFR § 314.3 (requiring companies to develop written information security programs to protect customer information)
Consumer Financial Protection Act of 2010, 15 U.S.C. § 5531, et seq. (prohibiting “unfair, deceptive, or abusive act[s] or practice[s]. . .” in consumer finance)
State-based cybersecurity and breach laws: A challenge due to the variation among those sets of regulation which include:
- All 50 States address unauthorized access, malware and viruses
- 20 States address spyware
- 23 States address phishing
Source: National Conference of State Legislatures
International cybersecurity regulations and related data-protection laws: Vary widely and continue to evolve, e.g. European Union General Data Protection Regulations (May 2018); Japan: The Act on the Protection of Information (May 2017).
Federal Reserve Operating Circular 4 – Automated Clearing House Items
Federal Reserve Operating Circular 5 – Electronic Access
Office of Foreign Assets Control (OFAC)/Sanction Screening
Other References
American National Standards Institute (ANSI) X9.119-2 Tokenization (NACHA Payment Alliance is analyzing tokenization for ACH payments – OF and RAFI options, complex)
ANSI X9.122 Secure Consumer Authentication for Internet Debit Transactions (draft currently out for comment):
- The internet provides a ubiquitous, but insecure, channel that is susceptible to eavesdropping, phishing, man-in-the-middle, counterfeit websites and system intrusions including malware, spyware, screen scraping, key stroke loggers, mouse monitors, and man-in-the-browser attacks. Consequently, secure authentication methods for internet payment transactions are paramount. This standard addresses common and discrete requirements for over-the-internet authentication methods which remain compatible with traditional payment authentication techniques.
International Organization for Standardization (ISO) 12812/X US version (mobile financial services)
Online initiation for generic browser-based authentication (in progress)
ACH transactions can also be initiated from a mobile phone, so standards for mobile payments may apply.
National Institute of Standards and Technology (NIST) Cybersecurity Framework
NIST Special Publication 800-53
National ACH Association (NACHA) Operating Rules/Guidelines govern ACH standards
- ODFIs and RDFIs cannot use ACH Network without being members and following rules for formats, information passed, authentication, etc. governed by NACHA. There are only two ACH Operators in the United States, the Federal Reserve and the Electronic Payments Network (EPN), through which all transactions flow.
- NACHA operating rules require users to register/authenticate by providing username, password, financial institution details (e.g. checking account number), routing transit number (RTN). Validation of financial institution RTN number is also required.
- TEL and WEB (Internet via PC or mobile device) transactions (i.e. similar to CAP): Originator must use commercially reasonable methods to verify identity of customer before processing T/C. These could include collecting/verifying driver’s license or social security number, using third-party ID services, asking customers to confirm test deposit amounts (See NACHA WEB Proof of Authorization Industry Practices). Originator must also use commercially reasonable methods to identify fraudulent transactions to prevent them from entering the ACH Network for processing.
- NACHA rules require ACH participants, including merchants, to protect financial/other sensitive ACH data.
- New rule 2017: OFIs must register/authenticate third-party originators and notify NACHA
- Section 1.2.4 (OR1) Risk Assessments
- Subsection 1.4.4 (OR3) Electronic Signatures
- Section 1.6 (OR 3) Security Requirements
- Section 1.7 (OR3) Secure Transmission of ACH Information via Unsecured Electronic Networks
- Section 2.2.1 ODFI Verification of Originator or Third-Party Sender Identity
- Section 2.2.3 ODFI Risk Management (requiring ODFI to perform due diligence sufficient to form a belief that the originator or TPS has capacity to perform its obligations under the NACHA Operating Rules; requires risk assessments; exposure limits to be set and monitored; returns to be monitored, etc.)
- Section 2.3 (OR6-OR9) Authorization and Notice of Entries
- Section 2.3.4 (OR9) Restrictions on Data Passing
- Section 2.4 General Warranties and Liabilities of ODFIs (warranties of authorization of account holder, timeliness, entry carries required information, etc.)
- Section 2.5 Provisions for Specific Types of Entries (provisions specific to each different SEC Code)
- Section 2.17.1 ODFI Reporting: Direct Access Registration
- Section 2.17.2 ODFI Reporting: ODFI Return Rate Reporting
- Section 2.17.3 ODFI Reporting: Third-Party Sender Registration (effective September 29, 2017)
- Section 4.1.4 (OR54) ACH Operator Must Conduct Risk Management OG22 – Risk Assessments
- OG22 – Electronic Signatures and Records
- OG24-26 – ACH Data Security Requirements
- OG26 – Commercially Reasonable Standard
- OG27 – ODFI ACH Data Security
- OG33 – Additional warranties for WEB
- OG35 – ODFI Data Security Requirements
- OG36 – Data Passing
- OG46 – ODFI Data Security
- OG63-64 – Originator Data Security
- OG65-69 – Authorization Requirements / Consumer Receivers
- OG72-73 – Originating WEB Entries
- OG75 – Originator ACH Data Security Requirements
- OG89 – Third-Party ACH Data Security
- OG90-91 – Third-Party Sender Risk Assessments
- OG91-92 – RDFI ACH Data Security
- OG92-93 – RDFI and Consumer Receivers
- OG120 – Operator ACH Data Security
- OG236-250 – WEB Entries – Includes Background/Overview of Initiation, Unsecured Electronic Network, Commercially Reasonable, Single-Entry v. Recurring, Obligations of Originators, Risk Management, ODFI Responsibilities, RDFI Responsibilities
- OG297-300 – Guidelines for Consumer Authentication
Challenges and Improvement Opportunities
ACH rules require transmission of customer financial institution information to be encrypted using “commercially reasonable” encryption technology if transmitting over an unsecured network.
Move to same-day settlement just beginning, with evaluation of impacts to follow (including risks).
If ACH moves to tokenization, an applicable protocol, specification or standard needs to be identified. There should be consideration given on the need to be interoperable with card-based tokens.
Is “commercially reasonable” well-defined? Is a real standard (e.g. with minimally acceptable security) needed instead?
ACH transactions can also be initiated from a mobile phone, so standards for mobile payments may apply.
Regulatory requirements and ACH compliance rules may be viewed as redundant by financial institutions.
Greater focus on development and adoption of risk-based cybersecurity rules, frameworks and open standards could enhance security.
Last Updated: 02/21/2018