[Federal Register Volume 85, Number 44 (Thursday, March 5, 2020)]
[Rules and Regulations]
[Pages 12870-12874]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-03562]
=======================================================================
-----------------------------------------------------------------------
POSTAL SERVICE
39 CFR Part 501
Authorization To Manufacture and Distribute Postage Evidencing
Systems
AGENCY: Postal ServiceTM.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Postal Service is amending its Postage Evidencing Systems
regulations. These changes put the financial responsibility for
returned checks and returned Automated Clearinghouse (ACH) debit
payments on the applicable resetting company (RC) and PC Postage
provider. These responsibilities include providing reimbursement for
any penalties or fines imposed on the Postal Service for returned
checks or ACH debit payments, and remitting the amount of the returned
check or ACH debit payment, as applicable, plus the reimbursement to
the Postal Service within 10 federal banking days of the date the
invoice is mailed. These changes also update the Statement on Standards
for Attestation Engagements (SSAE) 18 requirements and add the
requirement for System and Organization Control (SOC) 2 reporting.
DATES: Effective March 5, 2020.
FOR FURTHER INFORMATION CONTACT: Lisa H Arcari, Director, Commercial
Payment, [email protected], 202-268-4270.
SUPPLEMENTARY INFORMATION: The Postal Service issued proposed revisions
to 39 CFR part 501, set forth in the Federal Register on October 7,
2019 (84 FR 53353). The proposal made several major changes: (1)
Imposing the financial responsibility for returned checks and returned
Automated Clearinghouse (ACH) debit payments on the resetting companies
(Postage Meter Manufacturers) and on the PC Postage Providers, as
applicable (collectively ``Providers''), (2) imposing a $30 return fee
on the Providers for returned checks and ACH debits, and (3) requiring
the Providers to submit System and Organization Control (SOC) 2, Type
II reports to the Postal Service as a requirement for continued
operations as a Provider.
Five sets of comments were received in response to the Federal
Register Notice, from FP USA (Francotyp Postalia), Pitney Bowes Inc.,
Stamps.com/Endicia (PSI Systems, Inc.), Neopost USA (soon to be
Quadient), and PostCom. There are four common themes throughout these
comments; as such they can be broken down as follows:
ACH Returns
Industry Comments
The proposal to impose financial responsibility for returned checks
and returned ACH debit payments received several comments. Some
commenters opined that the proposed rule unfairly makes providers
liable for ACH returns and will lead to a reduction of ACH use by
customers at a time when the Postal Service is trying to increase its
use. Although Providers bear this financial responsibility for credit
cards, the credit card real-time validation process is much more
robust, and ACH returns are not revealed until several days after the
transaction occurs. This risk continues with each ACH debit
transaction, unlike for credit cards. While acknowledging that
Providers are and should be responsible for helping the Postal Service
to try to collect ACH return funds on the Postal Service's behalf, many
commenters believe it is unreasonable for the Providers to take on this
financial burden.
One commenter believes the proposed rule offered little explanation
as to why the changes are necessary or whether there will be any
benefits. Instead of changing its regulations, this commenter suggests
that the Postal Service should work with the small pool of Providers to
come up with a solution for ACH debit returns. Another commenter
contends that shifting liability for ACH returns is a customer
unfriendly unlawful taking, and that it violates Executive Order 13771
relating to economically significant regulatory actions that impose
costs on industry.
Some commenters also argued that automatically locking customer
accounts would cause significant service interruptions to large
customers in connection with routine business activities, resulting in
customers switching to a non-Postal service
[[Page 12871]]
provider or to non-ACH payment methods. If the risk of ACH returns is
now shifted to the Providers, these commenters argue that they should
have the discretion to decide whether or not to lock the account since
they will be bearing the risk of non-payment. Another commenter added
that, if the Postal Service intends to impose the risk of a failed
payment on the Providers, then the Providers should have the discretion
to delay refilling meters and PC Postage accounts until check payments
clear and ACH transactions are proven effective. Along these same
lines, another commenter requested that, since the checks and ACH debit
transactions are made payable to the Postal Service, the Postal Service
should assign the Providers the legal right to pursue customers for
returned checks and ACH debits.
With respect to the processing of ACH payments, one commenter
suggested that the Postal Service should work with Citibank to
implement same-day ACH as an option to allow providers the ability to
reduce the delay in disabling customers for returned ACH debits.
According to this commenter, the current ACH process can take up to 10
days to receive a return transaction, and the Postal Service and
Citibank should work on a plan to implement a `Real Time' ACH
validation. This commenter also suggested that Providers should be
given 45 days to collect returned postage download amounts from
customers, noting its position that 10 days does not give the customer
sufficient time to work with internal accounts payable departments to
process replacement payments.
Finally, one commenter expressed the view that the change is
directed at PC Postage vendors, who caused this issue by not addressing
it long ago. This commenter believes the Postal Service is placing an
undue burden on meter manufacturers for a problem caused by PC Postage
vendors.
USPS Response
The Postal Service agrees with some of these comments and
proposals, while disagreeing with others, as described below.
As an initial matter, the Postal Service notes that the National
Automated Clearing House Association (NACHA) manages the development,
administration, and governance of the ACH Network. The NACHA Rules,
which the Postal Service is obliged to follow, provide the legal and
operational foundation of the ACH network, and are meant to safeguard
customers' sensitive data. Imposing responsibility for returned checks
and returned ACH debit payments on Providers encourages the Providers
to take adequate measures to authenticate the identity of their
customers through account validation and to ensure that each account
that is debited is authorized. Providers have direct relationships with
the shippers and mailers who are their customers, and they are in the
best position to authenticate the customers and their accounts. This
requirement also aligns with NACHA Know Your Customer guidance and best
practices. The Provider must adhere to the ACH returns to ACH volume
thresholds as outlined in the NACHA operating rules and guidelines. The
Postal Service intends to work with Providers to offer its expertise
and guidance on these rules.
With respect to the locking of customer accounts, the Postal
Service notes that this is not a new requirement; the wording was
updated from the original regulation for clarity. The Providers should
not have discretion on whether or not to lock the account, as
continuing to allow ACH debit returns violates NACHA rules, to which
the Postal Service is subject.
The Postal Service agrees with the suggestion that Providers should
have the discretion to delay refilling meters and PC Postage accounts
until check payments clear and ACH transactions are proven effective.
Providers currently have this discretion, and will continue to have it
under the final rule.
The Postal Service also agrees with the proposal that it assign
Providers the legal right to pursue customers for returned checks and
ACH debits. Discussions concerning the implementation of this proposal
will occur after the rule is published.
The Postal Service disagrees that imposing responsibility on
Providers for ACH returns involves a taking of property under the Fifth
Amendment or a violation of any applicable Executive order. Remitting
payment via ACH is the customer's choice, not a regulatory requirement
that is imposed by the Postal Service. Moreover, requiring Providers to
cover the cost of ACH returns is consistent with industry practice, as
explained above.
As for the suggestion that the Postal Service work with Citibank to
implement same-day ACH or ``Real Time'' ACH validation, based on our
experience, ACH debit returns that take 10 days are not the norm. The
Postal Service would need more information on returns past the two-day
window to research. In any event, the Postal Service is in the process
of evaluating the impacts to the Postal Service of same-day ACH and the
effectiveness of these products to Providers. After the Postal
Service's positive review of the feasibility of same-day ACH
transactions in this context, meter manufacturers and PC Postage
providers interested in any of these products should inform the Postal
Service, and the Postal Service will review these requests on a case-
by-case basis.
In addition, to clarify the proposed timeline in response to the
suggestion that Providers be given 45 days to collect returned postage
amounts from customers, the Postal Service notes that invoices will be
generated on a monthly basis for returns incurred for the previous
month. The 10-day period will start once the invoice for returns from
the previous month is mailed. In other words, the 10-day window does
not begin on the day the ACH debit return occurs, but rather on the day
the Postal Service invoice is mailed.
The financial responsibility for ACH debit returns will be shifted
to the providers beginning April 1, 2020. The first invoice will be
sent in early May 2020 for the debit returns that occurred in April.
Finally, the Postal Service disagrees with the assessment that the
proposed rule places an undue burden on meter manufacturers for a
problem caused by PC Postage vendors. The Postal Service already holds
and is continuing to hold PC Postage Providers and meter manufacturers
to the same standards.
$30 Return Fee
Industry Comments
Several commenters expressed concerns that the proposed $30 ACH
return fee would have negative processing and customer service
implications, which would discourage customers' continued use of ACH.
They believe many customers would object to paying the fee, and may
leave the Postal Service if the fee cannot be waived, particularly if
service cannot be immediately restored. If the Postal Service wants to
collect this fee, they argue, then the Postal Service should do so
itself so that it can exercise discretion on whether the fee should be
waived. These commenters also noted that the proposed fee would add
cost to the Providers without providing any benefit to them. Updates to
systems and to Postal Service reporting for these fees, including daily
balance accounting reconciliation (DBAR) updates, would require
definition before an estimated implementation timeline could be
provided. In addition, because changes to these systems could affect
the SOC reports, SOC control objectives would
[[Page 12872]]
need to be updated for this change. These commenters also suggested
that the ACH fee should be able to be deducted from customers' prepaid
funds (if available), and the DBAR should be updated to reflect this
option.
One commenter suggested that the Postal Service should provide the
industry with updated Postal Service terms and conditions to support
the fees for returned ACH debits and checks. Because new terms would
apply to the fees, the commenter noted its expectation that the fee
would only apply to new and renewal customers. The commenter suggested
further that the Postal Service should clarify that individual
Providers are only responsible for charging for returned checks and ACH
credits for the Providers' active customers.
USPS Response
Charging the customer a fee for a returned ACH transaction is a
common practice, and the $30 amount of the fee is consistent with the
existing charge for bounced checks. Nevertheless, upon further
consideration and in response to the commenters' concerns, the Postal
Service has decided to eliminate the $30 fee in the final rule. The fee
was intended to reimburse the Postal Service for costs it may incur in
connection with returned checks or ACH debit payments. As an
alternative to an automatic $30 fee for every returned item, the final
rule reserves the Postal Service's right to seek reimbursement from a
Provider for any penalties or fines that are imposed on the Postal
Service (for example, by a bank) occasioned by repeated returned checks
or ACH debit payments from that Provider's customer. This would be in
accord with current practice and would encourage the Providers to
review and vet their customers and their behavior, to avoid being
assessed penalties or fines. If the Postal Service does not incur any
such penalties or fines, then the Provider will only be responsible for
the amount of the returned check or ACH debit payment, as applicable,
without any additional fees imposed. Under the final rule, the Provider
may choose whether to pass any such reimbursement costs (of penalties
or fines) on to its customer.
The comments relating to applicability of the $30 fee to new and
renewal customers and/or active customers are largely moot, in light of
the Postal Service's decision to eliminate the $30 fee. However, it
should be noted that Providers will be responsible for reimbursement of
fines and penalties incurred by the Postal Service, regardless of
whether the customers that caused those issues are new, renewal,
active, or other customers of the Provider.
SOC 2, Type II Report
Industry Comments
Several commenters addressed the proposal to require SOC 2, Type II
reporting. For example, they stated that the scope of the SOC 2 Type II
mandate should be relevant to the information exchanged, and should be
narrowly drawn to those applications, reports, and technology relevant
to the Postal Service's controls. Commenters also argued that the
report should address privacy.
Other commenters stated that the changes required to support a SOC
2 Type II report will take considerable effort to scope, develop, test
and implement, and that this is an unreasonable expense and burden on
the industry.
Finally, the commenters noted that the Postal Service needs to
provide the industry with the SOC 2 Control objectives. Control
objectives provided by February 28 of each year should be required to
be implemented in the next audit period.
USPS Response
The Postal Service disagrees with limiting the scope to only those
applications mentioned by the commenters and privacy. The purpose of
the SOC 2 reporting is to meet the needs of a broad range of users that
need detailed information and assurance about the controls at a service
organization relevant to security, availability, and processing
integrity of the systems the service organization uses to process
users' data and the confidentiality and privacy of the information
processed by these systems. The goal is to understand the security
posture of the entire organization.
As for the commenters' concerns about expense and burden, SOC 2
reporting is an industry standard, and has been for many years. There
is an expense, but it is to the industry's benefit too. The Postal
Service will give the industry reasonable time to adopt these changes.
The Postal Service agrees that it should provide the industry with
SOC 2 control objectives, and will provide these by March 18, 2020 for
the Type I report and by January 31 of each year to be implemented in
the appropriate audit period for Type II reports. The Postal Service
will strive to give the industry ample time to implement any changes to
control objectives from one year to the next.
General Comments
Industry comment: The implementation timeframes in the proposal
need to be clarified for both items.
USPS response: The Postal Service will require a SOC 2 Type I
report by July 1, 2020, the Postal Service will provide the initial
control objectives by March 18, 2020. The first SOC 2 Type II report
will be due August 15, 2021, and the subsequent Type II reports will be
due on August 15 each year going forward. For future years, the Postal
Service will provide the SOC 2 control objectives by January 31.
Industry comment: The Postal Service teams should have raised the
proposed rules as an issue during the Industry meetings. Discussion at
industry meetings would have allowed the industry to educate the Postal
Service on each provider's processes and discuss a phased plan to
achieve the Postal Service objectives.
USPS response: NACHA's upcoming rule changes and customer
validation were discussed at the July 25, 2019 Industry Working
meeting. The NACHA webinars were made available to the industry. It is
within the Postal Service's discretion whether and how much to discuss
a proposed rule with the industry before publishing.
List of Subjects in 39 CFR Part 501
Administrative practice and procedure, Postal Service.
For the reasons stated in the preamble, the Postal Service amends
39 CFR part 501 as follows:
PART 501--[AMENDED]
0
1. The authority citation for part 501 continues to read as follows:
Authority: 5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410,
2601, 2605; Inspector General Act of 1978, as amended (Pub. L. 95-
452, as amended); 5 U.S.C. App. 3.
0
2. Amend Sec. 501.15 by revising paragraphs (g), (i), and (j) to read
as follows:
Sec. 501.15 Computerized Meter Resetting System.
* * * * *
(g) Financial responsibility for returned payments. The RC is
required to reimburse the Postal Service upon request for any returned
checks or ACH debits for postage payments. The RC must, upon first
becoming aware of a returned check or ACH debit, immediately lock the
customer's CMRS account to prevent a meter reset until the RC receives
confirmation of payment for the returned item. If a
[[Page 12873]]
penalty or fine is assessed against the Postal Service for returned
checks or ACH debit payments from an RC's customer, the Postal Service
may request reimbursement for such penalty or fine from the RC. The RC
is required to remit the amount of the returned item to the Postal
Service plus the reimbursement request, to the extent applicable,
within ten (10) banking days. Invoices will be created monthly for
returns and/or applicable penalties or fines incurred for the previous
month. The 10 banking days will start once the invoice is mailed. The
RC has discretion to decide whether to charge its customer for any such
reimbursement costs (of penalties or fines) the RC pays to the Postal
Service in connection with the customer's returned check or ACH debit.
* * * * *
(i) Security and revenue protection. To receive Postal Service
approval to continue to operate systems in the postage meters
environment, the RC must submit to a periodic examination and provide a
System and Organization Control (SOC) 1 Type II Report of its meter
system and any other applications and technology infrastructure that
may have a material impact on Postal Service revenues, as determined by
the Postal Service. Additionally, RC must submit to a periodic
examination and provide a SOC 2 Type II Report of its meter system data
security, accuracy, processing integrity and data integrity for any
applications, reports, and technology infrastructure that may have a
material impact on the RC's reports, which the Postal Service relies
upon. For the initial SOC 2 Type I report, the Postal Service will
provide the control objectives by March 18, 2020. The due date for the
initial SOC 2 Type I is July 1, 2020, with the SOC 2 Type II due on
August 15, 2021. Both the SOC 1 and SOC 2 examinations shall be
performed by a qualified, independent audit firm and shall be conducted
in accordance with the Statements on Standards for Attestation
Engagements (SSAEs) No. 18, Service Organizations, developed by the
American Institute of Certified Public Accountants (AICPA), as amended
or superseded. Expenses associated with such examination shall be
incurred by the RC. The examination shall include testing of the
operating effectiveness of relevant RC internal controls (SOC 1 Type II
SSAE 18 & SOC 2 Type II SSAE 18 Reports). If the service organization
uses another service organization (sub-service provider), the RC should
consider the nature and materiality of the transactions and data
processed by the sub-service organization and the contribution of the
sub-service organization's processes and controls in the achievement of
the Postal Service's control objectives. Resetting companies are
expected to submit any request for changes to control objectives by
December 31 of each year, which will be taken under consideration by
the Postal Service for review and approval. The Postal Service will
provide common control objectives to be covered by the SOC 1 Type II
SSAE 18 by January 31 each year. As a result of the examination, the
service auditor shall provide the RC and the Postal Service with an
opinion on the design and operating effectiveness of the RC's internal
controls related to the meter system and any other applications and
technology infrastructure considered material to the services provided
to the Postal Service by the RC. SOC 1 and SOC 2 examinations are to be
conducted on no less than an annual basis, and are to be as of and for
the 12 months ended June 30 of each year (except for new contracts for
which the examination period will be no less than the period from the
contract date to the following June 30, unless otherwise agreed to by
the Postal Service). The SOC 1 and SOC 2 examination reports are to be
provided to the Postal Service by August 15 of each year. To the extent
that internal control weaknesses are identified in a SOC report, the
Postal Service requires prompt communication and remediation of such
weaknesses and shall have the right to review working papers and engage
in discussions about the work performed with the service auditor. The
Postal Service requires that all remediation efforts (if applicable)
are completed and reported by the RC prior to the Postal Service's
fiscal year end (September 30). In addition, the RC will be responsible
for evaluating its internal control environment related to the meter
system and any other applications and technology infrastructure
considered material to the services provided to the Postal Service by
the RC, in particular, disclosing changes to internal controls for the
period of July 1 to September 30. This evaluation should be documented
and submitted to the Postal Service by October 15 of each year. The RC
will be responsible for all costs related to the examinations conducted
by the service auditor and the RC.
(j) Inspection of records and facilities. The RC must make its
facilities that handle the operation of the computerized resetting
system and all records about the operation of the system available for
inspection by representatives of the Postal Service at all reasonable
times. At its discretion, the Postal Service may continue to fund
inspections as it has in the past, provided the costs are not
associated with a particular security issue related to the RC's meter
systems and supporting infrastructure.
* * * * *
0
3. Amend Sec. 501.16 by revising paragraph (d) and (f) to read as
follows:
Sec. 501.16 PC postage payment methodology.
* * * * *
(d) Financial responsibility for returned payments. The provider
must reimburse the Postal Service upon request for any returned checks
or ACH debits for postage payments. The provider must, upon first
becoming aware of a returned check or ACH debit, immediately lock the
customer account to prevent resetting the account until the provider
receives confirmation of payment for the returned item. If a penalty or
fine is assessed against the Postal Service for returned checks or ACH
debit payments from a provider's customer, the Postal Service may
request reimbursement for such penalty or fine from the provider. The
provider is required to remit the amount of the returned item plus the
amount of the reimbursement request, to the extent applicable, to the
Postal Service within ten (10) banking days. Invoices will be created
monthly for returns and/or applicable penalties or fines incurred for
the previous month. The 10 banking days will start once the invoice is
mailed. The provider has discretion to decide whether to charge its
customer for any such reimbursement costs (of penalties or fines) the
provider pays to the Postal Service in connection with the customer's
returned check or ACH debit.
* * * * *
(f) Security and revenue protection. To receive Postal Service
approval to continue to operate PC Postage systems, the provider must
submit to a periodic examination and provide a SOC 1 Type II Report of
its PC Postage system and any other applications and technology
infrastructure that may have a material impact on Postal Service
revenues, as determined by the Postal Service. Additionally, provider
must submit to a periodic examination and provide a SOC 2 Type II
Report of its meter system data security, accuracy, processing
integrity and data integrity for any applications, reports, and
technology infrastructure that may have a material impact on the
provider's reports, which the Postal Service relies upon. The
examination shall be performed by a
[[Page 12874]]
qualified, independent audit firm and shall be conducted in accordance
with the Statements on Standards for Attestation Engagements (SSAEs)
No. 18, Service Organizations, developed by the American Institute of
Certified Public Accountants (AICPA), as amended or superseded.
Expenses associated with such examination shall be incurred by the
provider. The examination shall include testing of the operating
effectiveness of relevant provider internal controls (SOC 1 Type II
SSAE 18 Report). If the service organization uses another service
organization (sub-service provider), the provider should consider the
nature and materiality of the transactions processed by the sub-service
organization and the contribution of the sub-service organization's
processes and controls in the achievement of the Postal Service's
control objectives. The control objectives to be covered by the SOC 1
Type II SSAE 18 report are subject to Postal Service review and
approval, and are to be provided to the Postal Service 30 days prior to
the initiation of each examination period. Resetting companies are
expected to submit any request for changes to control objectives by
December 31 of each year, which will be taken under consideration by
the Postal Service for review and approval. The Postal Service will
provide common control objectives to be covered by the SOC 1 Type II
SSAE 18 by January 31 each year. As a result of the examination, the
service auditor shall provide the provider and the Postal Service with
an opinion on the design and operating effectiveness of the provider's
internal controls related to the meter system, and any other
applications and technology infrastructure considered material to the
services provided to the Postal Service by the RC. SOC 1 and SOC 2
examinations are to be conducted on no less than an annual basis, and
are to be as of and for the 12 months ended June 30 of each year
(except for new contracts for which the examination period will be no
less than the period from the contract date to the following June 30,
unless otherwise agreed to by the Postal Service). The SOC 1 and SOC 2
examination reports are to be provided to the Postal Service by August
15 of each year. To the extent that internal control weaknesses are
identified in a SOC 1 Type II SSAE 18 report, the Postal Service
requires prompt communication and remediation of such weaknesses and
will review working papers and engage in discussions about the work
performed with the service auditor. The Postal Service requires that
all remediation efforts (if applicable) are completed and reported by
the provider to the Postal Service's fiscal year end (September 30). In
addition, the provider will be responsible evaluating its internal
control environment related to the meter system and any other
applications and technology infrastructure considered material to the
services provided to the Postal Service by the provider, in particular,
disclosing changes to internal controls for the period of July 1 to
September 30. This evaluation should be documented and submitted to the
Postal Service by October 15 each year. The provider will be
responsible for all costs related to the examinations conducted by the
service auditor and the RC.
* * * * *
Brittany M. Johnson,
Attorney, Federal Compliance.
[FR Doc. 2020-03562 Filed 3-4-20; 8:45 am]
BILLING CODE P