ACH is seeing rapid adoption for use in B2B vendor payments as companies are gradually moving away from paper checks. The ACH network saw a 15.5% increase in B2B transactions compared to last year, for a total of 1.4 billion payments, according to a report from NACHA. NACHA is the organization that oversees the ACH network.
But how safe are ACH payments? According to data from NACHA, fewer than 0.03% of ACH transactions are returned as unauthorized. That is a pretty high success rate by any standard, but while ACH payments are generally quite safe for the payer, the vendor is the one who is putting their sensitive banking data at risk. When it comes to Microsoft Dynamics 365 Business Central, there are a few considerations to ensure ACH payments are properly secured to protect vendor information.
Securing your business’s ACH payments is not only good for vendor relations, it protects you against liability for fraud.
The latest guidelines from NACHA require Encryption at Rest to make recipient bank account numbers invisible to human eyes for all ACH transfers. These guidelines are being rolled out in phases and currently affect mostly large businesses, but this is the direction the industry is going, and it is likely to be required for all businesses in the near future. Business Central does not do Encryption at Rest natively.
What is Encrypted at Rest?
“Data at Rest” is just what it sounds like: data that is not in a state of transit, i.e. data that is not being transferred over the internet. This basically refers to all the natively stored data on your server, desktop, mobile device or other hard disk. “Encrypted at Rest” simply refers to any method used to encrypt any of that at-rest data. The best way to think about Encrypted at Rest is to compare it to storing your data in a bank vault, whereas Encrypted in Transit would be more like moving data with an armored truck service.
Phase 1: This applied to ACH originators and 3rd parties making more than 6 million ACH payments annually. Phase 1 became effective on June 30, 2021.
Phase 2: This applied to ACH originators and 3rd parties making more than 2 million ACH payments annually. Phase 2 became effective on June 30, 2022.
Like we said, Business Central does not meet the Encryption at Rest requirement natively, but that doesn't mean it can't be done. Fidesic AP makes it easy to stay compliant with the latest rules and guidelines in accounts payable. If you are running payroll or you make ACH payments through any Business Central module or integration, it is a good idea to check that these are meeting the requirements as well.
ACH payments are safe for you but you can make them safer for your vendors. Here's how...
Bank account numbers and routing numbers can be used to access funds. Instead of emailing your vendors or collecting this info by phone, set up a secure portal where vendors can enter their banking information so your team never has to lay eyes on the data. This way, vendors aren't sending sensitive data over less secure platforms like email. Vendors should also be able to manage their info through this portal when (or if) they need to make updates.
To make sure your ACH payments are secure, it is best to store data on encrypted servers that comply with the highest industry standards of security (SSAE Type 16, SOC 2). Never store this data on local hard drives, and it's best if you don't store it on your local servers either. Opting for secure 3rd party storage tends to be the most secure route.
Sending ACH files via SFTP will make sure your ACH payments are secure end-to-end. Enable audit traceability for all transactions and, again, keep human eyes from ever seeing banking info to ensure the file can't be edited en route to the bank.
Fidesic AP is the go-to accounts payable automation solution for Business Central and simplifies ACH with higher levels of security. Here's why Fidesic is different: