ACH has steadily grown, while check payments are declining. Seventy-eight percent of organizations use ACH for some vendor payments. And while 82 percent of organizations still make some payments by check, according to a survey by the Association for Financial Professionals (AFP), the volume of checks by businesses has been steadily declining. According to the Federal Reserve, in 2010, the commercial check volume included 7.7 billion items. The volume in 2020 was 3.7 billion items, a decrease of more than 50 percent. The long-predicted but prolonged demise of the check continues, if not apace.
Checks gradually are being replaced by electronic payments of various kinds, including ACH. And the replacement rate appears to have jumped in the pandemic. This month NACHA reported that the ACH Network experienced significant growth in 2021, including 5.3 billion B2B payments valued at $50 trillion. That B2B ACH payment figure is a 20.4 percent increase since 2020.
According to the AFP survey, more companies accept payment by check than use checks to make payments. AFP posits that this is a positive sign for electronic payments. NACHA also launched Same Day ACH five years ago, and it has grown exponentially since. ACH has become common.
What Does This Mean for Vendor Information Management?
You must have the vendor’s bank routing and account numbers to pay a vendor via ACH. That is sensitive information. Consequently, organizations are responsible for securing that (and other) data.
Furthermore, NACHA has data protection requirements. Did you know NACHA has a security rule requiring large ACH payment senders to protect electronically stored account numbers? It’s a new addition to the 2013 ACH Security Framework and became applicable in June 2021.
It applies to businesses, governments, merchants, billers and third parties that send six million or more ACH payments per year. In addition, in June 2022 the rule extends to those that send two million or more ACH payments. The NACHA rule does not prescribe a particular technology but says the measures used must be “commercially reasonable.” Examples include encryption, truncation, masking, tokenization or secure hosted storage solutions.
The Issue Is Information Security
Even if you don’t send that many ACH payments a year, security is an issue. NACHA strongly encourages voluntary adoption of the data security standards as a sound business practice for organizations below the required threshold. Companies must protect their vendors’ bank account information. Likewise, they must secure other sensitive data, such as Social Security numbers and credit or virtual card numbers.
The Federal Trade Commission provides a guide to businesses for safeguarding information. It urges organizations first to take stock: determine what sensitive data you collect, where and how you collect it, and where you store it. See Protecting Personal Information: A Guide for Business. How are you storing sensitive information? Talk to IT about this. Be sure IT understands what kind of data you have and where.
How do you gather that information? Regular readers of this newsletter will know that email is a frightfully insecure way to collect sensitive vendor information. Business email compromise (BEC) has become a big business for criminals, and they are pretty good at it. (See Criminal Email Compromise: Are You Prepared?)
So don’t ask your vendors to email their information to you, and if they are emailing it to you, tell them to stop. Instead, look for secure ways to gather that data, such as a secure vendor portal that eliminates your exposure to email risk. This includes existing vendors sending new bank information. Then be sure that information is securely stored through encryption, authorized access and other controls.
For information on how VendorInfo can help you collect vendor tax and bank information securely and provide bank account verification and automatic compliance reviews through a secure supplier portal, contact us.