[Federal Register Volume 85, Number 44 (Thursday, March 5, 2020)]
[Rules and Regulations]
[Pages 12870-12874]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-03562]


=======================================================================
-----------------------------------------------------------------------

POSTAL SERVICE

39 CFR Part 501


Authorization To Manufacture and Distribute Postage Evidencing 
Systems

AGENCY: Postal Service™.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Postal Service is amending its Postage Evidencing Systems 
regulations. These changes put the financial responsibility for 
returned checks and returned Automated Clearinghouse (ACH) debit 
payments on the applicable resetting company (RC) and PC Postage 
provider. These responsibilities include providing reimbursement for 
any penalties or fines imposed on the Postal Service for returned 
checks or ACH debit payments, and remitting the amount of the returned 
check or ACH debit payment, as applicable, plus the reimbursement to 
the Postal Service within 10 federal banking days of the date the 
invoice is mailed. These changes also update the Statement on Standards 
for Attestation Engagements (SSAE) 18 requirements and add the 
requirement for System and Organization Control (SOC) 2 reporting.

DATES: Effective March 5, 2020.

FOR FURTHER INFORMATION CONTACT: Lisa H Arcari, Director, Commercial 
Payment, [email protected], 202-268-4270.

SUPPLEMENTARY INFORMATION: The Postal Service issued proposed revisions 
to 39 CFR part 501, set forth in the Federal Register on October 7, 
2019 (84 FR 53353). The proposal made several major changes: (1) 
Imposing the financial responsibility for returned checks and returned 
Automated Clearinghouse (ACH) debit payments on the resetting companies 
(Postage Meter Manufacturers) and on the PC Postage Providers, as 
applicable (collectively ``Providers''), (2) imposing a $30 return fee 
on the Providers for returned checks and ACH debits, and (3) requiring 
the Providers to submit System and Organization Control (SOC) 2, Type 
II reports to the Postal Service as a requirement for continued 
operations as a Provider.
    Five sets of comments were received in response to the Federal 
Register Notice, from FP USA (Francotyp Postalia), Pitney Bowes Inc., 
Stamps.com/Endicia (PSI Systems, Inc.), Neopost USA (soon to be 
Quadient), and PostCom. There are four common themes throughout these 
comments; as such they can be broken down as follows:

ACH Returns

Industry Comments

    The proposal to impose financial responsibility for returned checks 
and returned ACH debit payments received several comments. Some 
commenters opined that the proposed rule unfairly makes providers 
liable for ACH returns and will lead to a reduction of ACH use by 
customers at a time when the Postal Service is trying to increase its 
use. Although Providers bear this financial responsibility for credit 
cards, the credit card real-time validation process is much more 
robust, and ACH returns are not revealed until several days after the 
transaction occurs. This risk continues with each ACH debit 
transaction, unlike for credit cards. While acknowledging that 
Providers are and should be responsible for helping the Postal Service 
to try to collect ACH return funds on the Postal Service's behalf, many 
commenters believe it is unreasonable for the Providers to take on this 
financial burden.
    One commenter believes the proposed rule offered little explanation 
as to why the changes are necessary or whether there will be any 
benefits. Instead of changing its regulations, this commenter suggests 
that the Postal Service should work with the small pool of Providers to 
come up with a solution for ACH debit returns. Another commenter 
contends that shifting liability for ACH returns is a customer 
unfriendly unlawful taking, and that it violates Executive Order 13771 
relating to economically significant regulatory actions that impose 
costs on industry.
    Some commenters also argued that automatically locking customer 
accounts would cause significant service interruptions to large 
customers in connection with routine business activities, resulting in 
customers switching to a non-Postal service

[[Page 12871]]

provider or to non-ACH payment methods. If the risk of ACH returns is 
now shifted to the Providers, these commenters argue that they should 
have the discretion to decide whether or not to lock the account since 
they will be bearing the risk of non-payment. Another commenter added 
that, if the Postal Service intends to impose the risk of a failed 
payment on the Providers, then the Providers should have the discretion 
to delay refilling meters and PC Postage accounts until check payments 
clear and ACH transactions are proven effective. Along these same 
lines, another commenter requested that, since the checks and ACH debit 
transactions are made payable to the Postal Service, the Postal Service 
should assign the Providers the legal right to pursue customers for 
returned checks and ACH debits.
    With respect to the processing of ACH payments, one commenter 
suggested that the Postal Service should work with Citibank to 
implement same-day ACH as an option to allow providers the ability to 
reduce the delay in disabling customers for returned ACH debits. 
According to this commenter, the current ACH process can take up to 10 
days to receive a return transaction, and the Postal Service and 
Citibank should work on a plan to implement a `Real Time' ACH 
validation. This commenter also suggested that Providers should be 
given 45 days to collect returned postage download amounts from 
customers, noting its position that 10 days does not give the customer 
sufficient time to work with internal accounts payable departments to 
process replacement payments.
    Finally, one commenter expressed the view that the change is 
directed at PC Postage vendors, who caused this issue by not addressing 
it long ago. This commenter believes the Postal Service is placing an 
undue burden on meter manufacturers for a problem caused by PC Postage 
vendors.

USPS Response

    The Postal Service agrees with some of these comments and 
proposals, while disagreeing with others, as described below.
    As an initial matter, the Postal Service notes that the National 
Automated Clearing House Association (NACHA) manages the development, 
administration, and governance of the ACH Network. The NACHA Rules, 
which the Postal Service is obliged to follow, provide the legal and 
operational foundation of the ACH network, and are meant to safeguard 
customers' sensitive data. Imposing responsibility for returned checks 
and returned ACH debit payments on Providers encourages the Providers 
to take adequate measures to authenticate the identity of their 
customers through account validation and to ensure that each account 
that is debited is authorized. Providers have direct relationships with 
the shippers and mailers who are their customers, and they are in the 
best position to authenticate the customers and their accounts. This 
requirement also aligns with NACHA Know Your Customer guidance and best 
practices. The Provider must adhere to the ACH returns to ACH volume 
thresholds as outlined in the NACHA operating rules and guidelines. The 
Postal Service intends to work with Providers to offer its expertise 
and guidance on these rules.
    With respect to the locking of customer accounts, the Postal 
Service notes that this is not a new requirement; the wording was 
updated from the original regulation for clarity. The Providers should 
not have discretion on whether or not to lock the account, as 
continuing to allow ACH debit returns violates NACHA rules, to which 
the Postal Service is subject.
    The Postal Service agrees with the suggestion that Providers should 
have the discretion to delay refilling meters and PC Postage accounts 
until check payments clear and ACH transactions are proven effective. 
Providers currently have this discretion, and will continue to have it 
under the final rule.
    The Postal Service also agrees with the proposal that it assign 
Providers the legal right to pursue customers for returned checks and 
ACH debits. Discussions concerning the implementation of this proposal 
will occur after the rule is published.
    The Postal Service disagrees that imposing responsibility on 
Providers for ACH returns involves a taking of property under the Fifth 
Amendment or a violation of any applicable Executive order. Remitting 
payment via ACH is the customer's choice, not a regulatory requirement 
that is imposed by the Postal Service. Moreover, requiring Providers to 
cover the cost of ACH returns is consistent with industry practice, as 
explained above.
    As for the suggestion that the Postal Service work with Citibank to 
implement same-day ACH or ``Real Time'' ACH validation, based on our 
experience, ACH debit returns that take 10 days are not the norm. The 
Postal Service would need more information on returns past the two-day 
window to research. In any event, the Postal Service is in the process 
of evaluating the impacts to the Postal Service of same-day ACH and the 
effectiveness of these products to Providers. After the Postal 
Service's positive review of the feasibility of same-day ACH 
transactions in this context, meter manufacturers and PC Postage 
providers interested in any of these products should inform the Postal 
Service, and the Postal Service will review these requests on a case-
by-case basis.
    In addition, to clarify the proposed timeline in response to the 
suggestion that Providers be given 45 days to collect returned postage 
amounts from customers, the Postal Service notes that invoices will be 
generated on a monthly basis for returns incurred for the previous 
month. The 10-day period will start once the invoice for returns from 
the previous month is mailed. In other words, the 10-day window does 
not begin on the day the ACH debit return occurs, but rather on the day 
the Postal Service invoice is mailed.
    The financial responsibility for ACH debit returns will be shifted 
to the providers beginning April 1, 2020. The first invoice will be 
sent in early May 2020 for the debit returns that occurred in April.
    Finally, the Postal Service disagrees with the assessment that the 
proposed rule places an undue burden on meter manufacturers for a 
problem caused by PC Postage vendors. The Postal Service already holds 
and is continuing to hold PC Postage Providers and meter manufacturers 
to the same standards.

$30 Return Fee

Industry Comments

    Several commenters expressed concerns that the proposed $30 ACH 
return fee would have negative processing and customer service 
implications, which would discourage customers' continued use of ACH. 
They believe many customers would object to paying the fee, and may 
leave the Postal Service if the fee cannot be waived, particularly if 
service cannot be immediately restored. If the Postal Service wants to 
collect this fee, they argue, then the Postal Service should do so 
itself so that it can exercise discretion on whether the fee should be 
waived. These commenters also noted that the proposed fee would add 
cost to the Providers without providing any benefit to them. Updates to 
systems and to Postal Service reporting for these fees, including daily 
balance accounting reconciliation (DBAR) updates, would require 
definition before an estimated implementation timeline could be 
provided. In addition, because changes to these systems could affect 
the SOC reports, SOC control objectives would

[[Page 12872]]

need to be updated for this change. These commenters also suggested 
that the ACH fee should be able to be deducted from customers' prepaid 
funds (if available), and the DBAR should be updated to reflect this 
option.
    One commenter suggested that the Postal Service should provide the 
industry with updated Postal Service terms and conditions to support 
the fees for returned ACH debits and checks. Because new terms would 
apply to the fees, the commenter noted its expectation that the fee 
would only apply to new and renewal customers. The commenter suggested 
further that the Postal Service should clarify that individual 
Providers are only responsible for charging for returned checks and ACH 
credits for the Providers' active customers.

USPS Response

    Charging the customer a fee for a returned ACH transaction is a 
common practice, and the $30 amount of the fee is consistent with the 
existing charge for bounced checks. Nevertheless, upon further 
consideration and in response to the commenters' concerns, the Postal 
Service has decided to eliminate the $30 fee in the final rule. The fee 
was intended to reimburse the Postal Service for costs it may incur in 
connection with returned checks or ACH debit payments. As an 
alternative to an automatic $30 fee for every returned item, the final 
rule reserves the Postal Service's right to seek reimbursement from a 
Provider for any penalties or fines that are imposed on the Postal 
Service (for example, by a bank) occasioned by repeated returned checks 
or ACH debit payments from that Provider's customer. This would be in 
accord with current practice and would encourage the Providers to 
review and vet their customers and their behavior, to avoid being 
assessed penalties or fines. If the Postal Service does not incur any 
such penalties or fines, then the Provider will only be responsible for 
the amount of the returned check or ACH debit payment, as applicable, 
without any additional fees imposed. Under the final rule, the Provider 
may choose whether to pass any such reimbursement costs (of penalties 
or fines) on to its customer.
    The comments relating to applicability of the $30 fee to new and 
renewal customers and/or active customers are largely moot, in light of 
the Postal Service's decision to eliminate the $30 fee. However, it 
should be noted that Providers will be responsible for reimbursement of 
fines and penalties incurred by the Postal Service, regardless of 
whether the customers that caused those issues are new, renewal, 
active, or other customers of the Provider.

SOC 2, Type II Report

Industry Comments

    Several commenters addressed the proposal to require SOC 2, Type II 
reporting. For example, they stated that the scope of the SOC 2 Type II 
mandate should be relevant to the information exchanged, and should be 
narrowly drawn to those applications, reports, and technology relevant 
to the Postal Service's controls. Commenters also argued that the 
report should address privacy.
    Other commenters stated that the changes required to support a SOC 
2 Type II report will take considerable effort to scope, develop, test 
and implement, and that this is an unreasonable expense and burden on 
the industry.
    Finally, the commenters noted that the Postal Service needs to 
provide the industry with the SOC 2 Control objectives. Control 
objectives provided by February 28 of each year should be required to 
be implemented in the next audit period.

USPS Response

    The Postal Service disagrees with limiting the scope to only those 
applications mentioned by the commenters and privacy. The purpose of 
the SOC 2 reporting is to meet the needs of a broad range of users that 
need detailed information and assurance about the controls at a service 
organization relevant to security, availability, and processing 
integrity of the systems the service organization uses to process 
users' data and the confidentiality and privacy of the information 
processed by these systems. The goal is to understand the security 
posture of the entire organization.
    As for the commenters' concerns about expense and burden, SOC 2 
reporting is an industry standard, and has been for many years. There 
is an expense, but it is to the industry's benefit too. The Postal 
Service will give the industry reasonable time to adopt these changes.
    The Postal Service agrees that it should provide the industry with 
SOC 2 control objectives, and will provide these by March 18, 2020 for 
the Type I report and by January 31 of each year to be implemented in 
the appropriate audit period for Type II reports. The Postal Service 
will strive to give the industry ample time to implement any changes to 
control objectives from one year to the next.

General Comments

    Industry comment: The implementation timeframes in the proposal 
need to be clarified for both items.
    USPS response: The Postal Service will require a SOC 2 Type I 
report by July 1, 2020; the Postal Service will provide the initial 
control objectives by March 18, 2020. The first SOC 2 Type II report 
will be due August 15, 2021, and the subsequent Type II reports will be 
due on August 15 each year going forward. For future years, the Postal 
Service will provide the SOC 2 control objectives by January 31.
    Industry comment: The Postal Service teams should have raised the 
proposed rules as an issue during the Industry meetings. Discussion at 
industry meetings would have allowed the industry to educate the Postal 
Service on each provider's processes and discuss a phased plan to 
achieve the Postal Service objectives.
    USPS response: NACHA's upcoming rule changes and customer 
validation were discussed at the July 25, 2019 Industry Working 
meeting. The NACHA webinars were made available to the industry. It is 
within the Postal Service's discretion whether and how much to discuss 
a proposed rule with the industry before publishing.

List of Subjects in 39 CFR Part 501

    Administrative practice and procedure, Postal Service.

    For the reasons stated in the preamble, the Postal Service amends 
39 CFR part 501 as follows:

PART 501--[AMENDED]

1. The authority citation for part 501 continues to read as follows:

    Authority:  5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410, 
2601, 2605; Inspector General Act of 1978, as amended (Pub. L. 95-
452, as amended); 5 U.S.C. App. 3.


2. Amend Sec.  501.15 by revising paragraphs (g), (i), and (j) to read 
as follows:


Sec.  501.15   Computerized Meter Resetting System.

* * * * *
    (g) Financial responsibility for returned payments. The RC is 
required to reimburse the Postal Service upon request for any returned 
checks or ACH debits for postage payments. The RC must, upon first 
becoming aware of a returned check or ACH debit, immediately lock the 
customer's CMRS account to prevent a meter reset until the RC receives 
confirmation of payment for the returned item. If a

[[Page 12873]]

penalty or fine is assessed against the Postal Service for returned 
checks or ACH debit payments from an RC's customer, the Postal Service 
may request reimbursement for such penalty or fine from the RC. The RC 
is required to remit the amount of the returned item to the Postal 
Service plus the reimbursement request, to the extent applicable, 
within ten (10) banking days. Invoices will be created monthly for 
returns and/or applicable penalties or fines incurred for the previous 
month. The 10 banking days will start once the invoice is mailed. The 
RC has discretion to decide whether to charge its customer for any such 
reimbursement costs (of penalties or fines) the RC pays to the Postal 
Service in connection with the customer's returned check or ACH debit.
* * * * *
    (i) Security and revenue protection. To receive Postal Service 
approval to continue to operate systems in the postage meters 
environment, the RC must submit to a periodic examination and provide a 
System and Organization Control (SOC) 1 Type II Report of its meter 
system and any other applications and technology infrastructure that 
may have a material impact on Postal Service revenues, as determined by 
the Postal Service. Additionally, the RC must submit to a periodic 
examination and provide a SOC 2 Type II Report of its meter system data 
security, accuracy, processing integrity and data integrity for any 
applications, reports, and technology infrastructure that may have a 
material impact on the RC's reports, which the Postal Service relies 
upon. For the initial SOC 2 Type I report, the Postal Service will 
provide the control objectives by March 18, 2020. The due date for the 
initial SOC 2 Type I is July 1, 2020, with the SOC 2 Type II due on 
August 15, 2021. Both the SOC 1 and SOC 2 examinations shall be 
performed by a qualified, independent audit firm and shall be conducted 
in accordance with the Statements on Standards for Attestation 
Engagements (SSAEs) No. 18, Service Organizations, developed by the 
American Institute of Certified Public Accountants (AICPA), as amended 
or superseded. Expenses associated with such examination shall be 
incurred by the RC. The examination shall include testing of the 
operating effectiveness of relevant RC internal controls (SOC 1 Type II 
SSAE 18 & SOC 2 Type II SSAE 18 Reports). If the service organization 
uses another service organization (sub-service provider), the RC should 
consider the nature and materiality of the transactions and data 
processed by the sub-service organization and the contribution of the 
sub-service organization's processes and controls in the achievement of 
the Postal Service's control objectives. Resetting companies are 
expected to submit any request for changes to control objectives by 
December 31 of each year, which will be taken under consideration by 
the Postal Service for review and approval. The Postal Service will 
provide common control objectives to be covered by the SOC 1 Type II 
SSAE 18 by January 31 each year. As a result of the examination, the 
service auditor shall provide the RC and the Postal Service with an 
opinion on the design and operating effectiveness of the RC's internal 
controls related to the meter system and any other applications and 
technology infrastructure considered material to the services provided 
to the Postal Service by the RC. SOC 1 and SOC 2 examinations are to be 
conducted on no less than an annual basis, and are to be as of and for 
the 12 months ended June 30 of each year (except for new contracts for 
which the examination period will be no less than the period from the 
contract date to the following June 30, unless otherwise agreed to by 
the Postal Service). The SOC 1 and SOC 2 examination reports are to be 
provided to the Postal Service by August 15 of each year. To the extent 
that internal control weaknesses are identified in a SOC report, the 
Postal Service requires prompt communication and remediation of such 
weaknesses and shall have the right to review working papers and engage 
in discussions about the work performed with the service auditor. The 
Postal Service requires that all remediation efforts (if applicable) 
are completed and reported by the RC prior to the Postal Service's 
fiscal year end (September 30). In addition, the RC will be responsible 
for evaluating its internal control environment related to the meter 
system and any other applications and technology infrastructure 
considered material to the services provided to the Postal Service by 
the RC, in particular, disclosing changes to internal controls for the 
period of July 1 to September 30. This evaluation should be documented 
and submitted to the Postal Service by October 15 of each year. The RC 
will be responsible for all costs related to the examinations conducted 
by the service auditor and the RC.
    (j) Inspection of records and facilities. The RC must make its 
facilities that handle the operation of the computerized resetting 
system and all records about the operation of the system available for 
inspection by representatives of the Postal Service at all reasonable 
times. At its discretion, the Postal Service may continue to fund 
inspections as it has in the past, provided the costs are not 
associated with a particular security issue related to the RC's meter 
systems and supporting infrastructure.
* * * * *

3. Amend Sec.  501.16 by revising paragraphs (d) and (f) to read as 
follows:


Sec.  501.16   PC postage payment methodology.

* * * * *
    (d) Financial responsibility for returned payments. The provider 
must reimburse the Postal Service upon request for any returned checks 
or ACH debits for postage payments. The provider must, upon first 
becoming aware of a returned check or ACH debit, immediately lock the 
customer account to prevent resetting the account until the provider 
receives confirmation of payment for the returned item. If a penalty or 
fine is assessed against the Postal Service for returned checks or ACH 
debit payments from a provider's customer, the Postal Service may 
request reimbursement for such penalty or fine from the provider. The 
provider is required to remit the amount of the returned item plus the 
amount of the reimbursement request, to the extent applicable, to the 
Postal Service within ten (10) banking days. Invoices will be created 
monthly for returns and/or applicable penalties or fines incurred for 
the previous month. The 10 banking days will start once the invoice is 
mailed. The provider has discretion to decide whether to charge its 
customer for any such reimbursement costs (of penalties or fines) the 
provider pays to the Postal Service in connection with the customer's 
returned check or ACH debit.
* * * * *
    (f) Security and revenue protection. To receive Postal Service 
approval to continue to operate PC Postage systems, the provider must 
submit to a periodic examination and provide a SOC 1 Type II Report of 
its PC Postage system and any other applications and technology 
infrastructure that may have a material impact on Postal Service 
revenues, as determined by the Postal Service. Additionally, the provider 
must submit to a periodic examination and provide a SOC 2 Type II 
Report of its meter system data security, accuracy, processing 
integrity and data integrity for any applications, reports, and 
technology infrastructure that may have a material impact on the 
provider's reports, which the Postal Service relies upon. The 
examination shall be performed by a

[[Page 12874]]

qualified, independent audit firm and shall be conducted in accordance 
with the Statements on Standards for Attestation Engagements (SSAEs) 
No. 18, Service Organizations, developed by the American Institute of 
Certified Public Accountants (AICPA), as amended or superseded. 
Expenses associated with such examination shall be incurred by the 
provider. The examination shall include testing of the operating 
effectiveness of relevant provider internal controls (SOC 1 Type II 
SSAE 18 Report). If the service organization uses another service 
organization (sub-service provider), the provider should consider the 
nature and materiality of the transactions processed by the sub-service 
organization and the contribution of the sub-service organization's 
processes and controls in the achievement of the Postal Service's 
control objectives. The control objectives to be covered by the SOC 1 
Type II SSAE 18 report are subject to Postal Service review and 
approval, and are to be provided to the Postal Service 30 days prior to 
the initiation of each examination period. Resetting companies are 
expected to submit any request for changes to control objectives by 
December 31 of each year, which will be taken under consideration by 
the Postal Service for review and approval. The Postal Service will 
provide common control objectives to be covered by the SOC 1 Type II 
SSAE 18 by January 31 each year. As a result of the examination, the 
service auditor shall provide the provider and the Postal Service with 
an opinion on the design and operating effectiveness of the provider's 
internal controls related to the meter system, and any other 
applications and technology infrastructure considered material to the 
services provided to the Postal Service by the RC. SOC 1 and SOC 2 
examinations are to be conducted on no less than an annual basis, and 
are to be as of and for the 12 months ended June 30 of each year 
(except for new contracts for which the examination period will be no 
less than the period from the contract date to the following June 30, 
unless otherwise agreed to by the Postal Service). The SOC 1 and SOC 2 
examination reports are to be provided to the Postal Service by August 
15 of each year. To the extent that internal control weaknesses are 
identified in a SOC 1 Type II SSAE 18 report, the Postal Service 
requires prompt communication and remediation of such weaknesses and 
will review working papers and engage in discussions about the work 
performed with the service auditor. The Postal Service requires that 
all remediation efforts (if applicable) are completed and reported by 
the provider to the Postal Service's fiscal year end (September 30). In 
addition, the provider will be responsible for evaluating its internal 
control environment related to the meter system and any other 
applications and technology infrastructure considered material to the 
services provided to the Postal Service by the provider, in particular, 
disclosing changes to internal controls for the period of July 1 to 
September 30. This evaluation should be documented and submitted to the 
Postal Service by October 15 each year. The provider will be 
responsible for all costs related to the examinations conducted by the 
service auditor and the RC.
* * * * *

Brittany M. Johnson,
Attorney, Federal Compliance.
[FR Doc. 2020-03562 Filed 3-4-20; 8:45 am]
 BILLING CODE P