BOL Conferences
#282097 - 11/30/04 07:13 PM ACH Data Security Requirements
Anonymous
Unregistered

Could someone give me a few examples of what is not allowed under the new ACH Data Security Requirements? Would faxing a NOC to an originator be allowed?

Thanks

Audit
#282098 - 12/01/04 03:35 AM Re: ACH Data Security Requirements
Anonymous
Unregistered

Having a customer originate an ACH file across the internet or through email without encryption is a no-no because that entails sending an unsecured file through an unsecured public network. While not recommended, having a customer transmit an unencrypted file via telephone transfer (not going through a PBX) is OK according to the NACHA rules but the UCC says that you need to have a commercially reasonable security procedure to protect you from liability. Yes, faxing a NOC is OK.

#282099 - 12/07/04 07:11 PM Re: ACH Data Security Requirements
Anonymous
Unregistered

The Audit Program asks "what process is used to ensure that the session is protected or the information is encrypted?" What would be the correct answer for this?

#282100 - 12/07/04 08:16 PM Re: ACH Data Security Requirements
Anonymous
Unregistered

The key term in the audit program section you quote is "transmitted or exchanged ... via an Unsecured Electronic Network". The use of the telephone to call from the Bank to a client's telephone or fax machine is not considered going through an "Electronic Network."

(However, a telephone dial-up to an ISP for internet access is considered going through an "Unsecured Electronic Network" and is subject to encryption requirements.)

The protection of a telephone or fax session can be done in a number of commercially reasonable ways. The most frequent, short of actual encryption, is via telephone call-backs for the Bank to pick up ACH files. Most important is that the client should acknowledge the security procedure you use so that they can either "accept" the commercially reasonable procedure you're offering or go someplace else.

#282101 - 12/16/04 06:28 PM Re: ACH Data Security Requirements
Happy

Can you tell me where in the NACHA Operating Rules this verbiage is stated ("transmitted or exchanged ... via an Unsecured Electronic Network")? Thanks


Moderator:  Andy_Z