When it comes to most financial transactions in the United States, the National Automated Clearing House Association, known as Nacha, makes the rules. Specifically, the association acts as the governing body for the national automated clearing house (ACH Network), developing the standards for direct payments and deposits between consumers, businesses, and federal, state, and local governments. Today, a new data security rule the association put forth went into effect, marking the first of a two-prong approach that will round out in 2022.

First introduced in April, the new rule will require more organizations to render deposit account information unreadable in electronic storage. Specifically, the rule applies to both ACH originators (the entities sending payments) and third parties that process more than six million ACH payments annually. The idea is that by making the sensitive financial information unreadable in storage, there’s less risk of data theft in the event of a breach or other exposure.

TokenEx founder and CEO Alex Pezold, who helps companies comply with such rules, told VentureBeat Nacha introduced the new requirement to “keep pace” and ward off fraud and other malicious cyber behavior amid a growth in activity on the network.

“As more transactions occur digitally, the use of the ACH Network has increased significantly — 7.1 billion ACH payments were made in the first quarter of 2021 alone,” he said. “Of course, more transactions create more opportunities for cybercriminals to acquire and profit from compromised account details.”

What it means for enterprises

In addition to companies processing more than six million ACH transactions annually, the rule also applies to third parties involved with those transactions. This includes payment processors and providers of analytics and fraud-prevention tools, among others. And while applicable across industries, Pezold said those that commonly use direct deposits, wire transfers, and echecks to send and receive electronic payments will be most affected. ACH data is commonly used in subscription services, for example.

Pezold recommends included entities work to meet compliance as soon as possible, either by re-evaluating internal practices or by procuring a third-party service. Nacha set forth some pretty serious penalties for failing to comply, including up to a $500,000 fine per occurrence and a suspension of use of the ACH Network.

And even if not currently affected, it’s a good idea for all businesses to start taking note. Phase two of the rule — set to go into effect one year later on June 30, 2022 — will reduce the threshold significantly. Specifically, it will apply to ACH originators and third parties with more than two million ACH payments annually.

Rising cybercrime hinges on data

More and more, cybercriminals are relying on data to extort payouts — the more valuable the data, the better. In fact, recent research from across the cybersecurity industry cites the rising integration of blackmail and extortion techniques into ransomware operations as the most significant threat enterprises face. Acronis, for example, declared “2021 will be the year of extortion.”

CrowdStrike also warned the approach is growing. Criminals want “to steal as much data as they can get their hands on. Then they’ll say ‘If you don’t pay us, we’re going to release all this sensitive data,’ which could have reputational or even regulatory impact,” CrowdStrike senior VP Adam Meyers told VentureBeat earlier this year when discussing the company’s 2021 Global Threat Report.

Today, many enterprises aim to protect their data with next-gen cybersecurity solutions, specifically ones that use AI and machine learning to detect never-before-seen threats. But cyber criminals aren’t ever far behind, and they’re continuously developing new tools and techniques, and even forming alliances, to bolster their attacks. Since preventing entry to systems alone hasn’t been working well for most enterprises — security breaches have increased by 67% since 2014 — obscuring the data to make it less valuable is a good step.