OSTRMTACH08

Office of the State Treasurer

ACH Security Guidelines

Introduction

This guidance is intended for all agency customers involved in processing, transmitting and/or storing Automated Clearing House transactions. Failure to adequately protect Automated Clearinghouse (ACH) detailed transaction information may unnecessarily expose the state and agency customers to loss due to financial fraud or identity theft and may result in fines and other penalties.Additionally, Treasury reserves the right to revoke the agencies authority to originate ACH transactions.

Security Frameworks

There are four security frameworks that are directly applicable to ACH transactions. The first is the National Automated Clearinghouse Association (NACHA) Operating Rules,(See Appendix A);the second is the requirements of the OST DataSecurity Policy 02.18.13;the third is the requirements of the Oregon Consumer Identity Theft Protection Act; and the fourth is the DAS Statewide Security Policies.

Roles

DAS/ESO:

Department of Administrative Services/Enterprise Security Office provides security resources for state agencies and is responsible for ensuring agencies are in compliance with state security requirements.

DCBS:

The Oregon Consumer Identity Theft Protection Act assigns responsibility for adopting rules for the purpose of carrying out the provisions of the act to the Department of Consumer and Business Services. As such the legislature has designated DCBS as the agency responsible for oversight of personally identifiable information in the State of Oregon.

OST:

As the Cash Management Officer for the state, The Office of the State Treasurer is responsible for ensuring Agencies employ the principles, standards and related financial and banking requirements as prescribed by the State Treasurer. In order to originate ACH transactions, each state agency is required to enter into an Interagency ACH Agreement with the Office of the State Treasurer. This agreement binds the agency to OST Policies and the NACHA Operating Rules.

Appendix A: Articles 1, 2 , 3 and 6 of the NACHA Operating Rules are provided here as a resource for Originators and cover ACH Origination and Returns. State Agencies are bound to all applicable NACHA Operating Rules in their interagency agreement with OST.

NACHA Operating Rules –

  • Article I – General
  • Article II – Origination of Entries
  • Article III – Obligations of Originators
  • Article VI – Return, Adjustment, Correction