2020 ACH Self Assessment

Please complete and return the ACH 2020 Company Assessment by email to businessbankers@capfed.com or by fax to 785-274-5670.

Does your company control and protect the information that enters and leaves your computers by maintaining a secure firewall and security suite, including the most current updates and patches?

Blocking intruders and hackers from entering your systems and network is the first line of defense against fraud. Continuing to update and patch the hardware and software protecting your system is critical. Don’t forget about the applications that run on the operating system. Cybercriminals look for opportunities to attack the flaws in widely installed software products like Java, Adobe PDF Reader and Flash. Patches and updates help correct those flaws as they are identified.


CAPITOL FEDERAL® BANK ACH AGREEMENT Section 5b:

The Company is strictly responsible for establishing and maintaining the security measures and for complying with the Security Procedures to safeguard against unauthorized transmissions, network infections, and breaches, as well as protect the confidentiality and integrity of Protected Information until its destruction; protect against anticipated threats or hazards to the security or integrity of Protected Information until its destruction; and protect against the unauthorized use of Protected Information that could result in substantial harm to a natural person. Protected Information means the non-public personal information, including financial information, of a natural person used to create, or contained within an Entry and any related addenda record, as defined in the Rules.

CAPITOL FEDERAL BANK ACH AGREEMENT ATTACHMENT 2: Security Measures and Recommendations
SECURITY MEASURES:

The Company, as the originator of Entries, is responsible for strictly establishing and maintaining procedures to safeguard against unauthorized transactions and to protect private information. The Company warrants that no individual will be allowed to view file information or initiate transfers in the absence of proper supervision and safeguards, and agrees to take reasonable steps to maintain the confidentiality of the security procedures and any passwords, codes, Tokens, security devices, and related instructions provided by The Bank. 

Firewalls and a security suite including anti-virus/anti-Spyware software shall be used on all customer terminals accessing Business Online Banking and the ACH service. The Company will maintain their software with the most current updates and patches available.

CASH MANAGEMENT ENROLLMENT FORM:


I understand and agree that the Business is responsible, at its sole cost and expense, for implementing and continually complying with the minimum-security measures identified below and that the Business’s failure to do so will expose the Business to increased risk of financial loss:

• Anti-virus software installed and up to date on all computers accessing Business Online Banking.
• Anti-spyware software installed and up to date on all computers accessing Business Online Banking.
• Firewall installed between business network and public internet.
• Operating system and browser up to date with all security updates and patches.

Do you enforce confidentiality and strong security procedures for employee access which includes prohibiting the sharing of logons and passwords?


There is a definite trend in common passwords used around the world. Just Google “common passwords” and see a list. Even if you are not using a common password, there are a number of techniques and products available to help crack passwords. Creating unique passwords and changing them often is now the minimum standard. Having strong passwords and a culture with a secure work space will help protect your private information if your network or a computer is ever breached. At least annually, your company should be providing cybersecurity education, as well as making efforts to promote a secure work environment for your employees.

CAPITOL FEDERAL BANK ACH AGREEMENT, ATTACHMENT 2: Security Measures and Recommendations
SECURITY MEASURES:
The Company, as the originator of Entries, is responsible for strictly establishing and maintaining procedures to safeguard against unauthorized transactions and to protect private information. The Company warrants that no individual will be allowed to view file information or initiate transfers in the absence of proper supervision and safeguards, and agrees to take reasonable steps to maintain the confidentiality of the security procedures and any passwords, codes, Tokens, security devices, and related instructions provided by The Bank. 

Company Administrator (Admin) will assign specific logons to each user, as well as their access and duties. User logons and passwords must not be shared.

Do you immediately disable access for former employees or those that have changed job duties within the company? 

It’s a best practice to remove both physical and online access to your company when an employee leaves or changes positions in the company and has different access needs.  Have you developed strong procedures to identify and track all means of access each employee has so that they can all be disabled upon notice?  Hackers look for abandoned logons that will allow them to search through your company records for private information, including banking information, for your company and all your customers.

CASH MANAGEMENT ENROLLMENT FORM:


I (Admin User) understand that I will establish online banking users for the Business. I will also establish their user rights and be responsible for the ongoing management of all users.

Are you logging into TBO Business and sending files from a secure and private internet connection and avoiding free or public Wi-Fi?

Many businesses such as coffee shops, hotels, shopping malls, and airports offer their customers free access to public Wi-Fi as a convenience. Cybercriminals have learned how to spy on these public Wi-Fi networks and will attempt to intercept data that is transferred across the link, such as banking credentials, account passwords, and other valuable information.  Never use public Wi-Fi to log on to your online banking.  Use your own VPN (virtual private network) or the network provider for your cell phone.  

CAPITOL FEDERAL BANK ACH AGREEMENT, ATTACHMENT 2: Security Measures and Recommendations
SECURITY MEASURES:
The Company must not access Business Online Banking or transmit an ACH file from a public or free Wi-Fi connection or any other unsecured electronic network.

Do you avoid using the ADMIN User ID for daily use and for the sending of ACH transactions? Note: Not all companies have an ADMIN User ID.

The Admin User ID provided to some companies is a non-unique user identification that has full access to all services and accounts that have been set up with the bank. If your system were breached and a cybercriminal took over the Admin logon, they could lock out existing users and create new users, turn off security settings, and send money out of the bank accounts using bill pay, ACH or a wire. They could also access any routing and account numbers for your vendors and customers from your templates or file history. Every online banking logon should be protected, but the Admin logon should be used rarely, in order to reduce the chances of it becoming compromised.

CAPITOL FEDERAL BANK ACH AGREEMENT, ATTACHMENT 2:  Security Measures and Recommendations
SECURITY RECOMMENDATIONS:
Additional steps should be taken by the Company to identify and protect against fraudulent or unapproved transactions. The Company understands the risks and assumes all liability if they choose not to implement the following actions.

  • Do not use the Admin logon for daily use and specifically not for approving or transmitting an ACH file or transaction. 

Does your company follow the bank’s dual authorization recommendation that requires two separate users to approve and submit an ACH file?

Requiring two online banking users to send electronic payments is an excellent internal control to monitor all outgoing payments by the company.  It can also help stop or slow down a cybercriminal who must take over two logons to successfully send a transaction.  

CAPITOL FEDERAL BANK ACH AGREEMENT, ATTACHMENT 2:  Security Measures and Recommendations
SECURITY RECOMMENDATIONS:
Additional steps should be taken by the Company to identify and protect against fraudulent or unapproved transactions. The Company understands the risks and assumes all liability if they choose not to implement the following actions.

  • Utilize at least 2 separate user logons to transmit an ACH file for all ACH origination to provide separation of duties and dual authorization at the Company level.

Will your company notify the bank immediately if your email, computer, online banking or network is ever breached or compromised?

It is important to notify the bank immediately once you become aware of a breach or compromise. Once notified, the bank can protect your online banking access and transmission of outgoing payments until you understand the full scope of the compromise. 

CAPITOL FEDERAL BANK ACH AGREEMENT, ATTACHMENT 2: Security Measures and Recommendations
SECURITY RECOMMENDATIONS:
If the Company believes or suspects that their system has been breached or information has been accessed by an unauthorized individual, the Company will verbally notify the Bank immediately at 1-888-510-7333, followed by written confirmation to the Bank within 24 hours of the initial verbal notification.

Does your company require a signed authorization form for each payment you originate and do you retain the form for 2 years after the final payment?

The NACHA Operating Rules require that all originators receive written permission to debit another party’s account.  You must make the signed authorization form available if your customer files a written statement of unauthorized debit with their bank asserting that you were not authorized to debit their account.  Without the signed written authorization, we may be forced to take the funds from your account and return the funds to the requesting bank. 

While it is not required, the bank strongly recommends that you require written permission for a credit or direct deposit as well.  There have been cases recently when an employee has asked for a direct deposit to an account that is not in their name, and then later demanded an additional payment because they were unable to access the funds.  Your defense is stronger if the employee signed an authorization form.  In most cases, it is best not to send a direct deposit to a person that is not an owner on the receiving account. 

CAPITOL FEDERAL BANK ACH AGREEMENT Section 1:
The Company agrees to comply with and be bound by the NACHA Operating Rules as they are revised from time to time (the “Rules”).

CAPITOL FEDERAL BANK ACH AGREEMENT Section 7:
The Company shall obtain all consents and authorizations required under the Rules and Applicable Law; including, but not limited to, the pre-authorizations required before originating a direct debit Entry and/or a direct credit Entry for electronic presentment, and posting to the account of any third-party consumer or non-personal entity. The Company shall retain such consents and authorizations for two (2) years after they expire. If the Bank receives a Written Statement of Unauthorized Debit for a consumer debit entry within the timeframe defined in Regulation E and it was originated by the Company, the Bank is obligated to follow internal procedures, as well as the Rules, and investigate any unauthorized or erroneous Entry. The Company will provide documentation to the Bank that consent and authorizations were obtained properly. The Bank may return the Entry to the Company and give credit to the Consumer.

Are proper SEC codes used for ACH payments? 

  • PPD = Prearranged Payments and Deposits  (Personal payment)
  • CCD = Corporate Credit or Debit  (Corporate payment)

Personal and Corporate payment types cannot be mixed in the same template or batch.

The NACHA Operating Rules require that all originators use the proper Standard Entry Class (SEC) code when sending a debit or credit payment.  These codes define the type of payment, authorization method and rule set that applies.  For example, a customer that receives a PPD debit on their account has up to 60 days to dispute the transaction as unauthorized.  A CCD payment must be disputed within 24 business hours. 

If you upload your ACH file, your accounting software will help you determine which SEC code to select.  The online banking service at CAPITOL FEDERAL BANK will help you select the code if you are building templates.  You may not mix PPD (Personal) and CCD (Corporate) payments in one template or batch.  You must create two separate templates or add additional batches to your upload.

The type of transactions your company is authorized to send is noted in your ACH Agreement.  The standard transaction types for most companies are PPD and CCD.
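As an added illustration (not code from the bank or from this assessment), the check below enforces the two rules stated above: only the SEC codes authorized in the ACH Agreement are accepted (PPD and CCD are assumed here), and a mixed upload is split into one batch per SEC code. The entries are constructed sample data.

```python
from collections import defaultdict

# Constructed sample upload, not data from the page: (SEC code, receiver, amount in cents).
SAMPLE_ENTRIES = [
    ("PPD", "Employee A payroll", 125_000),
    ("CCD", "Vendor X invoice", 40_050),
    ("PPD", "Employee B payroll", 98_700),
    ("CTX", "Vendor Y invoice", 12_000),  # assumed NOT authorized for this company
]

# Assumption: the SEC codes this company's ACH Agreement authorizes (PPD and CCD per the page).
AUTHORIZED_SEC_CODES = {"PPD", "CCD"}


def validate_batch(entries):
    """Return a list of problems for one batch: unauthorized codes or mixed PPD/CCD."""
    problems = []
    codes = {sec for sec, _, _ in entries}
    for code in sorted(codes - AUTHORIZED_SEC_CODES):
        problems.append(f"SEC code {code} is not authorized in the ACH Agreement")
    if len(codes & AUTHORIZED_SEC_CODES) > 1:
        problems.append("PPD (personal) and CCD (corporate) entries cannot share a batch")
    return problems


def split_by_sec_code(entries):
    """Split a mixed upload into one batch per SEC code, setting aside unauthorized entries.

    Returns (batches, rejected): batches maps SEC code -> list of entries, each batch
    passing validate_batch by construction; rejected holds entries to be handled manually.
    """
    batches = defaultdict(list)
    rejected = []
    for entry in entries:
        if entry[0] in AUTHORIZED_SEC_CODES:
            batches[entry[0]].append(entry)
        else:
            rejected.append(entry)
    return dict(batches), rejected


def batch_total_cents(entries):
    """Control total for one batch, useful for reconciling against the upload confirmation."""
    return sum(amount for _, _, amount in entries)
```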

CAPITOL FEDERAL BANK ACH AGREEMENT Section 1:
The Company agrees to comply with and be bound by the NACHA Operating Rules as they are revised from time to time (the “Rules”).

Is your company correcting the information provided in a “Notice of Change” (NOC) within the required six (6) banking days after receiving the email notification?

CAPITOL FEDERAL BANK has partnered with the Federal Reserve Bank to send your Returns and NOCs by email early in the morning.  For privacy reasons, they are encrypted and password protected. Your company has determined which persons should receive the notices and has provided their emails. Contact us when updates are needed. 

The NOC is provided because the transaction was sent with incorrect information.  The receiving bank accepted the transaction but needs the sender to correct the error.  They provide the incorrect and correct information in the notice.  NACHA rules require your company to investigate the incorrect data and make corrections within six (6) business days of receiving the notice and prior to sending another payment.

The Return notice is sent because the transaction was not accepted.  The funds are returned with the notice, and a reason for the return is provided. You must refrain from sending another payment until new information is provided by your employee, customer or vendor.

CAPITOL FEDERAL BANK ACH AGREEMENT Section 1:
The Company agrees to comply with and be bound by the NACHA Operating Rules as they are revised from time to time (the “Rules”).

CAPITOL FEDERAL BANK ACH AGREEMENT Section 18:
The Bank will inform the Company of a notification of change (“NOCs”) received no later than two (2) Banking Days after the receipt of the Entries. Notifications will be sent by secure email using appropriate encryption standards. The Company agrees to make the changes submitted within six (6) Banking Days of the settlement date of the original Entry or before the next “live” Entry, whichever is later.
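The deadline rule in Section 18 (six Banking Days after the settlement date of the original Entry, or the date of the next live Entry, whichever is later) worked through as an added example; this is not the bank's code. It assumes that Saturdays, Sundays and the dates in a hypothetical, user-supplied holiday set are the only non-banking days.

```python
from datetime import date, timedelta

# Assumption: populate with the Federal Reserve holidays for the year in question.
# Left empty here, so only Saturday and Sunday count as non-banking days.
BANK_HOLIDAYS = set()


def is_banking_day(d):
    return d.weekday() < 5 and d not in BANK_HOLIDAYS


def add_banking_days(start, n):
    """Return the date n banking days after start (start itself is not counted)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_banking_day(d):
            n -= 1
    return d


def noc_correction_deadline(settlement_date, next_live_entry_date=None):
    """Latest date by which the NOC data must be corrected.

    Six Banking Days after the settlement date of the original Entry, or the date
    of the next live Entry, whichever is later (Section 18 wording).
    """
    six_days = add_banking_days(settlement_date, 6)
    if next_live_entry_date is None or next_live_entry_date <= six_days:
        return six_days
    return next_live_entry_date


def is_correction_overdue(settlement_date, today, next_live_entry_date=None):
    """True once today is past the deadline and the correction is still outstanding."""
    return today > noc_correction_deadline(settlement_date, next_live_entry_date)
```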

Does your company maintain a “Security Framework Policy” regarding the collection, storage, access and destruction of the private data used to create your ACH payments?

The NACHA Operating Rules require that all originators protect the security and integrity of private information, such as banking information, throughout the lifecycle of the ACH payment.  Each company should maintain a policy or incorporate this information into their existing security policy. If your company ever experiences a breach or compromise and private data in your payment files is affected, the bank may request the policy.  Failure to provide a policy may result in fines from the NACHA network.  A self-assessment tool is available upon request. 

The policy should include:

  • Collection of Data: How do you collect the data? (Example: signed authorization form)
  • Storage of Data: Where do you store the information you collect? (Example: locked file cabinet)
  • Access Controls: Who has access to the information you collect? (Example: listing which employees handle the information)
  • Destruction of Data: How and when do you destroy the information, if you do? (Example: utilize a commercial shred)

CAPITOL FEDERAL BANK ACH AGREEMENT Section 1:
The Company agrees to comply with and be bound by the NACHA Operating Rules as they are revised from time to time (the “Rules”).