If you operate as a financial institution or a third party payment processor (TPPP) and wish to send money through the U.S.’s Automated Clearing House (ACH), then you must follow the guidelines for knowing and verifying your customers. Older guidelines were centered around Customer Due Diligence (CDD), but more updated measures look to KYC, or the Know Your Customer rule.
Following KYC regulations is required to operate in the U.S., and not following them means that your institution would breach U.S. privacy and security regulations around handling sensitive banking information.
To better understand the KYC regulations in regards to ACH payment, this article will break down:
- What the KYC rule is
- Regulations on data usage and storage under KYC
- US regulations on ACH payment data
- And ways you can ensure KYC compliance for ACH payments
What is the Know Your Customer (KYC) Rule?
The Know Your Customer (KYC) 2090 rule, also referred to as the know your client guidelines, are a set of regulations used in financial services that require an effort to be made by the bank to verify the identity and associated risks with maintaining a business relationship with a customer or client.
While the regulations have changed over the years, the most recent iteration is based on the scope of a bank’s Anti-Money Laundering (AML) policy as a way of ensuring that bank customers are who they say they are and that the bank is not liable for identity theft or financial crime incurred during the process of completing a financial transaction.
KYC requirements ask that banks collect personal information about each client so that identity verification can be processed. KYC compliance is mandatory in order for the bank account to be cleared for ACH payment processing. By doing this “due diligence,” the financial institution is verifying that the bank transfer is less likely to risk the security of the financial institution and other stakeholders.
The breadth of KYC regulations focuses on customer acceptance, customer identification, risk management assessment, and the monitoring of transactions.
KYC regulations are recognized by financial institutions worldwide, but the individual governance procedures will vary based on the country where the financial institution is based. In the U.S., KYC regulations are governed by the USA Patriot Act of 2001 and it also conforms to the customer identification program (CIP), which can be individualized within reason for each bank.
Regulations on Data Usage and Storage Under KYC
Financial institutions are facing increasing pressure to focus on client due diligence as well as to protect their customer’s private data. This means that failing to maintain compliance or verify customer compliance could result in hefty fines.
Due to the sheer number of clients that each bank has, each bank is collecting and storing thousands of pieces of private financial information (also known as personally identifiable information or PII) on their clients. The bank account holder, bank account number, transit number, and routing number are all required to send or receive an ACH transaction. However, if any malicious agent gets a hold of these numbers, then that means that the bank account is compromised.
Because of this responsibility, as well as data protection laws, banks must focus heavily on IT and security. Up to 20% of operating costs might account for security, ensuring that their customer’s personal information is safe and secured.
Furthermore, data privacy regulations in the U.S. require that a high level of cybersecurity and employee monitoring is maintained. However, in the U.S., it’s also important to know exactly what regulations exist around data usage and storage under KYC.
Data usage and storage in the U.S. under KYC is governed by a number of protective regulations, including:
- Regulation E of the Electronic Funds Transfer Act
- The Office of Foreign Assets Control (OFAC) of the U.S. government
- The National Automated Clearing House Association (NACHA) Operating Rules
- CCPA and GDPR, which governs all people and transactions based out of the location of coverage
It is worth noting that customer privacy rights are pervasive. Banks in Europe and in California have established customer privacy laws (the GDPR and the CCPA) that regulate and penalize the misuse of customer data.
U.S. Regulations on ACH Payment Data
Both an ACH debit and ACH credit must move online through the ACH network. Therefore, U.S. regulations around the protection of ACH payment data requires that cybersecurity measures are followed to ensure personal data is accurately protected and that the information is properly and securely stored.
Therefore, for the security of ACH payment data and all electronic payments ledgers, U.S. financial institutions must rely on encryption, authentication, and authorization order to ensure compliance with U.S. regulations and customer privacy laws.
The KYC processes to store sensitive banking information include the following:
- Store data on Payment Card Industry Data Security Standard (PCI DSS) approved hardware and software, typically on hardware on-site first
- KYC data should be sent as an encrypted copy and securely uploaded over a cryptographic HTTPS protocol
- Sensitive data copies are stored in a secure cloud; many banks used Amazon A3 for secure storage
- Create privileged accounts with restricted access via multi factor authentication (MFA)
- If using any outside parties, only use service providers who undergo extensive testing and is marked as a PCI DSS Validated Entity
- Do not store card security number or electronic track data
- Encrypt the electronic storage of all credit card account information and cardholder data
- Encrypt phone recordings containing credit card account information
You can take the appropriate self-assessment questionnaire to see if your storage of payment data is PCI DSS compliant. To stay PCI DSS compliant, you’ll also need to complete the Attestation of Compliance (AOC) form and maintain yearly PCI compliance with the Quality Security Assessor (QSA) and Approved Scanning Vendor (ASV).
How to Ensure KYC Compliance for ACH Payments
KYC procedure requires that banks inform the customer of the regulations and the use of their personal data, seek and verify customer identification, assess the risk management of having a business relationship with that client, and continue monitoring transactions over the ACH Network, among others. It also requires that the bank follows the regulations set out by NACHA, Regulation E of the Electronic Funds Transfer Act, the Office of Foreign Assets Control (OFAC) of the US government, and the GPRA and CCPA.
Banks maintain KYC compliance typically through regular assessments (either with NACHA or OFAC) as well as through regular personal re-assessments. With regular re-assessment, the bank is decreasing its chance of financial risk and it can afford being flagged by any of the regulating bodies.
In order to process an ACH transfer, the bank must provide proof that the personal data is securely stored, that any sharing of the data online is encrypted and securely transferred, and that data processing is protected.
U.S. Know Your Customer (KYC) Regulations and ACH Payments
An ACH payment is an automated payment that moves through the ACH network to get from one bank account to another. ACH payments can be sent as an ACH debit, recurring payment, direct deposit, and much more.
Even as a TPPP or online financial institution entity, it is important to maintain KYC regulations in order to accept ACH transactions. Other forms of sending an ACH payment, such as sending virtual currency in the form of the blockchain, also require that KYC laws are followed.
Usually, if your business provides ACH processing as a valid payment method then you may be operating through a TPPP that is approved to send an ACH transaction or you have your own ACH payment API. An ACH API can accept ACH payments, set recurring payments, and receive ACH transactions and it processes the electronic payment data securely.