[Federal Register Volume 84, Number 194 (Monday, October 7, 2019)]
[Proposed Rules]
[Pages 53353-53355]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-21576]
=======================================================================
-----------------------------------------------------------------------
POSTAL SERVICE
39 CFR Part 501
Authorization To Manufacture and Distribute Postage Evidencing
Systems
AGENCY: Postal Service™.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Postal Service proposes to amend its Postage Evidencing
Systems regulations. These changes would put the financial
responsibility for returned checks and returned Automatic Clearinghouse
(ACH) debit payments on the applicable resetting company (RC) and PC
Postage provider. These responsibilities would include collecting a fee
from the customer for each returned check and ACH debit payment of $30,
as may be adjusted from time to time, and remitting the amount of the
returned check or ACH debit payment, as applicable, plus the fee to the
Postal Service within 10 calendar days of the date of the invoice.
These changes would also update the SSAE 18 requirements and add the
requirement for System and Organization Control (SOC) 2 reporting.
DATES: Comments must be received on or before November 6, 2019.
ADDRESSES: Mail or deliver written comments to: Manager, Payment
Technology, 475 L'Enfant Plaza SW, Room 3500, Washington, DC 20260.
Email and faxed comments are not accepted. You may inspect and
photocopy all written comments, by appointment only, at USPS®
Headquarters Library, 475 L'Enfant Plaza SW, 11th Floor North,
Washington, DC 20260. These records are available for review on Monday
through Friday, 9 a.m.-4 p.m., by calling 202-268-2904. All submitted
comments and attachments are part of the public record and subject to
disclosure. Do not enclose any material in your comments that you
consider to be confidential or inappropriate for public disclosure.
FOR FURTHER INFORMATION CONTACT: Elizabeth M. Schafer, Treasurer,
[email protected], 202-268-6135.
SUPPLEMENTARY INFORMATION: The Postal Service proposes to amend 39 CFR
part 501 to make the Resetting Company (RC) and the PC Postage
provider, as applicable, financially responsible for returned checks
and returned ACH debit payments, to update verbiage, and to require
System and Organization Control (SOC) 2 reporting.
The amendment to Section 501.15(g) requires the Resetting Company
(RC) to
[[Page 53354]]
reimburse the Postal Service upon request for any returned checks or
ACH debits for postage payments and clarifies that the RC must, upon
first learning of a returned check or ACH debit, immediately lock a
customer's account to prevent a meter reset until the RC receives
confirmation of payment of the returned items. The requirement
encourages the RC to take adequate measures to authenticate the
identity of the customer and ensure that the account that is debited is
authorized, and clarifies that the RC must prevent customers who have
returned checks and/or returned ACH debits from continuing to charge
postage until payment is confirmed. It further requires the RC to
charge the customer a fee for each returned check and ACH debit of $30,
as may be adjusted from time to time, and remit the amount of the
returned check or ACH debit payment, as applicable, plus the fee to the
Postal Service within 10 calendar days of the invoice.
The amendment to Section 501.15(i) updates Statements on Standards
for Attestation Engagements (SSAE) from SSAE 16 to SSAE 18. Section
501.15(i) requires the RC to provide System and Organization Control
(SOC) reports that demonstrate effective internal controls. SOC2
reports are a new requirement to support data security and privacy
concerns. The American Institute of Certified Public Accountants
(AICPA) created the SOC reporting framework as part of the SSAE 18. The
SOC framework covers organizational controls over services with the
intent to: (1) Address needs and reporting requirements by service
organizations, and (2) Provide valuable information, including third
party risk assessment. Section 501.15(j) is being changed to replace
the term "provider" with "RC" in the last sentence.
The amendment to Section 501.16(d) requires the PC Postage provider
("provider") to reimburse the Postal Service upon request for any
returned check or ACH debits for postage payments and clarifies that
the provider must, upon first learning of a returned check or ACH
debit, immediately lock a customer's account to prevent a meter reset
until the provider receives confirmation of payment of the returned
items. The shift encourages the PC Postage provider to take adequate
measures to authenticate the identity of the customer and ensure that
the account that is debited is authorized, and clarifies that the
provider must prevent customers who have returned ACH debits from
continuing to charge postage until payment is confirmed. It further
requires the PC Postage Provider to charge the customer a fee of $30,
as may be adjusted from time to time, for each returned check and ACH
debit payment and remit the amount of the returned check or ACH debit
payment, as applicable, plus the fee to the Postal Service within 10
calendar days of the invoice.
The amendment to Section 501.16(i) updates Statements on Standards
for Attestation Engagements (SSAE) from SSAE 16 to SSAE 18. This
requires the provider to provide System and Organization Control (SOC)
reports that demonstrate effective internal controls. SOC2 reports are
a new requirement to support data security and privacy concerns. The
American Institute of Certified Public Accountants (AICPA) created the
SOC reporting framework as part of the SSAE 18. The SOC framework
covers organizational controls over services with the intent to: (1)
Address needs and reporting requirements by service organizations, and
(2) Provide valuable information, including third party risk
assessment.
For the reasons stated in the preamble, the Postal Service proposes
to amend 39 CFR chapter 501 as follows:
List of Subjects in 39 CFR Part 501
Administrative practice and procedure, Postal Service
PART 501--[AMENDED]
1. The authority citation for part 501 continues to read as follows:
Authority: 5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410,
2601, 2605; Inspector General Act of 1978, as amended (Pub. L. 95-452,
as amended); 5 U.S.C. App. 3.
2. Amend Sec. 501.15 by revising paragraphs (g), (i), and (j) to read
as follows:
Sec. 501.15 Computerized Meter Resetting System
* * * * *
(g) The RC is required to reimburse the Postal Service upon request
for any returned checks or ACH debits for postage payments. The RC
must, upon first becoming aware of a returned check or ACH debit,
immediately lock the customer's CMRS account to prevent a meter reset
until the RC receives confirmation of payment for the returned item.
The RC is required to charge the customer a returned item fee for
returned checks or ACH debits of $30, as may be adjusted from time to
time, and remit the fee plus the amount of the returned item to the
Postal Service within ten (10) calendar days after the receipt of the
invoice.
* * * * *
(i) Security and Revenue Protection. To receive Postal Service
approval to continue to operate systems in the postage meters
environment, the RC must submit to a periodic examination and provide a
SOC1 Type II Report of its meter system and any other applications and
technology infrastructure that may have a material impact on Postal
Service revenues, as determined by the Postal Service. Additionally, the RC
must submit to a periodic examination and provide a SOC2 Type II Report
of its meter system data security, accuracy, processing integrity and
data integrity for any applications, reports, and technology
infrastructure that may have a material impact on the RC's reports,
which the Postal Service relies upon. The examinations shall be
performed by a qualified, independent audit firm and shall be conducted
in accordance with the Statements on Standards for Attestation
Engagements (SSAEs) No. 18, Service Organizations, developed by the
American Institute of Certified Public Accountants (AICPA), as amended
or superseded. Expenses associated with such examination shall be
incurred by the RC. The examination shall include testing of the
operating effectiveness of relevant RC internal controls (SOC 1 Type II
SSAE 18 & SOC2 Type II SSAE 18 Reports). If the service organization
uses another service organization (sub-service provider), the RC should
consider the nature and materiality of the transactions and data
processed by the sub-service organization and the contribution of the
sub-service organization's processes and controls in the achievement of
the Postal Service's control objectives. Resetting companies are
expected to submit any request for changes to control objectives by
December 31 of each year, which will be taken under consideration by
the Postal Service for review and approval. The Postal Service will
provide common control objectives to be covered by the SOC 1 Type II
SSAE 18 by February 28 each year. As a result of the examination, the
service auditor shall provide the RC and the Postal Service with an
opinion on the design and operating effectiveness of the RC's internal
controls related to the meter system and any other applications and
technology infrastructure considered material to the services provided
to the Postal Service by the RC. SOC1 and SOC2 examinations are to be
conducted on no less than an annual basis, and are to be as of and for
the 12 months ended June 30 of each year (except for new contracts for
which the examination
[[Page 53355]]
period will be no less than the period from the contract date to the
following June 30, unless otherwise agreed to by the Postal Service).
The SOC1 and SOC2 examination reports are to be provided to the Postal
Service by August 15 of each year. To the extent that internal control
weaknesses are identified in a SOC report, the Postal Service requires
prompt communication and remediation of such weaknesses and shall have
the right to review working papers and engage in discussions about the
work performed with the service auditor. The Postal Service requires
that all remediation efforts (if applicable) are completed and reported
by the RC prior to the Postal Service's fiscal year end (September 30).
In addition, the RC will be responsible for performing an examination
of their internal control environment related to the meter system and
any other applications and technology infrastructure considered
material to the services provided to the Postal Service by the RC, in
particular, disclosing changes to internal controls for the period of
July 1 to September 30. This examination should be documented and
submitted to the Postal Service by October 14 of each year. The RC will
be responsible for all costs related to the examinations conducted by
the service auditor and the RC.
(j) Inspection of records and facilities. The RC must make its
facilities that handle the operation of the computerized resetting
system and all records about the operation of the system available for
inspection by representatives of the Postal Service at all reasonable
times. At its discretion, the Postal Service may continue to fund
inspections as it has in the past, provided the costs are not
associated with a particular security issue related to the RC's meter
systems and supporting infrastructure.
* * * * *
3. Amend Sec. 501.16 by revising paragraphs (d) and (f) to read as
follows:
Sec. 501.16 PC postage payment methodology
* * * * *
(d) The provider must reimburse the Postal Service upon request for
any returned checks or ACH debits for postage payments. The provider
must, upon first becoming aware of a returned check or ACH debit,
immediately lock the customer account to prevent resetting the account
until the provider receives confirmation of payment for the returned
item. The provider is required to charge the customer a returned item
fee for returned checks and ACH debits of $30, as may be adjusted from
time to time, and remit the fee plus the amount of the returned item to
the Postal Service within ten (10) calendar days after the receipt of
the invoice.
* * * * *
(f) Security and Revenue Protection. To receive Postal Service
approval to continue to operate PC Postage systems, the provider must
submit to a periodic examination and provide a SOC1 Type II Report of
its PC Postage system and any other applications and technology
infrastructure that may have a material impact on Postal Service
revenues, as determined by the Postal Service.
Additionally, the provider must submit to a periodic examination and
provide a SOC2 Type II Report of its meter system data security,
accuracy, processing integrity and data integrity for any applications,
reports, and technology infrastructure that may have a material impact
on the provider's reports, which the Postal Service relies upon. The
examination shall be performed by a qualified, independent audit firm
and shall be conducted in accordance with the Statements on Standards
for Attestation Engagements (SSAEs) No. 18, Service Organizations,
developed by the American Institute of Certified Public Accountants
(AICPA), as amended or superseded. Expenses associated with such
examination shall be incurred by the provider. The examination shall
include testing of the operating effectiveness of relevant provider
internal controls (SOC1 Type II SSAE 18 Report). If the service
organization uses another service organization (sub-service provider),
the provider should consider the nature and materiality of the
transactions processed by the sub-service organization and the
contribution of the sub-service organization's processes and controls
in the achievement of the Postal Service's control objectives. The
control objectives to be covered by the SOC 1 Type II SSAE 18 report
are subject to Postal Service review and approval, and are to be
provided to the Postal Service 30 days prior to the initiation of each
examination period. Resetting companies are expected to submit any
request for changes to control objectives by December 31 of each year,
which will be taken under consideration by the Postal Service for
review and approval. The Postal Service will provide common control
objectives to be covered by the SOC 1 Type II SSAE 18 by February 28
each year. As a result of the examination, the service auditor shall
provide the provider and the Postal Service with an opinion on the
design and operating effectiveness of the provider's internal controls
related to the meter system, and any other applications and technology
infrastructure considered material to the services provided to the
Postal Service by the RC. SOC1 and SOC2 examinations are to be
conducted on no less than an annual basis, and are to be as of and for
the 12 months ended June 30 of each year (except for new contracts for
which the examination period will be no less than the period from the
contract date to the following June 30, unless otherwise agreed to by
the Postal Service). The SOC1 and SOC2 examination reports are to be
provided to the Postal Service by August 15 of each year. To the extent
that internal control weaknesses are identified in a SOC 1 Type II SSAE
18 report, the Postal Service requires prompt communication and
remediation of such weaknesses and will review working papers and
engage in discussions about the work performed with the service
auditor. The Postal Service requires that all remediation efforts (if
applicable) are completed and reported by the provider to the Postal
Service's fiscal year end (September 30). In addition, the provider
will be responsible for performing an examination of their internal
control environment related to the meter system and any other
applications and technology infrastructure considered material to the
services provided to the Postal Service by the provider, in particular,
disclosing changes to internal controls for the period of July 1 to
September 30. This examination should be documented and submitted to
the Postal Service by October 14 each year. The provider will be
responsible for all costs related to the examinations conducted by the
service auditor and the RC.
* * * * *
Brittany M. Johnson,
Attorney, Federal Compliance.
[FR Doc. 2019-21576 Filed 10-4-19; 8:45 am]
BILLING CODE P