New Banking Changes for Payroll Systems

 

Join us for an informative webinar on “New Banking Changes for Payroll Systems” featuring expert panelists Joshua Gohman, Director of Information Security, and Alyssa Oruoja, Director of Operational Compliance. In this session, we will delve into the recently implemented Nacha rule for ACH data security and its implications for payroll systems. Explore the scope and limitations of the rule and understand why these new ACH payment requirements are crucial for businesses. Our expert panelists will provide valuable insights on how your business can effectively prepare for these banking changes. Don’t miss this opportunity to stay informed and ensure compliance with the latest regulations affecting your payroll systems.

Transcript

VANNOY:

Hi everyone. Mike Vannoy, Vice President of Marketing at Asure, and today we’re gonna be talking about some new banking changes as it relates to payroll companies. The world of money movement and banking is, is really changing fast. You know, forever, a payroll company would impound funds from the employer. You set up ACH files, that stands for Automated Clearinghouse, that those ACH files then go out to the banks of your employees. And that’s how they get their direct deposits or checks get printed, and those checks get drawn off of the, the payroll company’s bank account, right? I think all of us are used to, you know, I know my daughters when they babysit, you know, they get paid in real time on Venmo in, in the, so the world of peer-to-peer payments.

You know, we’re starting to serve clients with a same day pay, get work today, get paid today kind of concepts. So this world of money movement and payroll is certainly changing. One of the areas that’s changing is, I’d say is enhancements to the as-is, meaning the, the current ACH banking system, the way money moves from bank account to bank account. There’s increased security around this. And so to help me unpack this, this topic today, I got two really, really highly qualified guests and happen to be really cool people. Josh Gohman, Alyssa Oruoja both work for Asure. Josh heads information security, Alyssa, Senior Director of Compliance, and they’re, they’re quite expert in this topic. Really look forward to diving in deeper. Thanks for joining me, Josh and Alyssa. Yeah,

GOHMAN:

Thank you. No problem.

VANNOY:

Okay, so maybe let, let’s, let’s back up just a a bit here. Maybe Josh, before you kind of jump in cuz some of this stuff is a little wonky, a little technical and involves data encryption and storage and whatnot. But just any color around the ACH system and more specifically, I think NACHA rules. What is, what is an, what is a NACHA rule? Who’s NACHA?

GOHMAN:

Yeah, absolutely. So, NACHA is the National Automated Clearinghouse Association. You talked about auto automated clearinghouse or ACH payments. They’re the kind of governing body that creates that standard that allows for interbank transfers through this ACH system. And with that, they create all kinds of standards for how payments should be formatted, how the banks will receive and transmit, and the, the timeframes for those payments. And also in this case, security standards. How are we securing payments or transaction information that is in transit? And then how are we securing payment information when it’s stored, like inside the payroll system or, or really anywhere that it’s stored electronically.

VANNOY:

Okay. And then, so start taking us through what the, the new regs, the new, the new guidance coming from NACHA are and, and who is. Right.

GOHMAN:

So I think the, you know, the, the, there’s been a, a significant proliferation in the use of ACH payments beyond direct deposit and you know, bank event or business to business transactions. You’re starting to see it on, on websites. You mentioned, you know, Venmo in the backend that’s really using ACH. And so the, the industry is seeing that account numbers or ACH account numbers are being used in fraud very similar to what we saw in the credit card industry 10, 15 years ago. And so what NACHA has done is adopted some of the data security rules from the Payment Card Industry Data Security Standard, PCI DSS. And those standards create some very specific rules how organizations have to store or have to protect the account numbers when stored electronically. And it’s, the standard’s kind of vague when you read it, it says they have to be rendered unreadable.

And there’s a couple of different options that companies have to, to render those account numbers unreadable when they’re stored electronically. Now, initially this rule only applies to large third party senders and originators. So organizations that processed 6 million transactions and then now 2 million transactions. But what does that mean for smaller businesses or smaller processors? I think that, again just like the NACHA organization pulled rules from the payment card industry, I think we can look at that as a, a format for how NACHA is going to implement this rule going forward. You know, PCI did the same thing where they started with large merchants, 6 million transactions, 2 million transactions, and then now today, anybody who stores processes or transmits credit card information has to store credit card account numbers in a way that renders them unreadable. And so I think that in the future, you’re gonna see this rule really apply to anybody that stores processes or transmits account numbers. And that could be, you know, your small business, you know, the employees you get their account information into, to, to set up direct deposit information. We have businesses that need to be able to send and debit payment information from a B2B scenario. So more than just big senders in the future, I think this is, this is something that, that really everyone needs to start thinking about.

VANNOY:

Yeah, Josh, I, I almost think, you know what, why, why did we choose this as a topic to, to bring to our audience today, which mostly consists of employers of small and mid-sized growing companies, right? One, there’s the sanity check that you just need to make sure whatever vendor you’re working with, Asure or anybody else, they’re compliant. Yeah. So that that you’re not breaking the law and you have good security. But, you know, we try to bring the best information we can in this show because we see the inevitability. And tell me if, I think I’m overstating this, I think we see the inevitability where the burden will eventually go to the employer, not not just someone who has, who processes greater than X million transactions a month, but anybody who stores bank information, just like a small employer on the sales revenue side of their business, they can’t store people’s credit card information, right? That’s right. We, we think the same thing will happen here. No matter how big or small your company is, you’re not gonna be able to store, store your employee’s banking information. Am am I overstating that?

GOHMAN:

No, I think that’s exactly where the, the industry is going. I think they’re seeing that these account numbers are just as vulnerable to fraud as, as any other payment information, and that we have a duty to protect you know, sensitive information for, you know, about the people that we, we deal with, right? So in, in the employer scenario, you’re, you’re very right. I mean, I think there’s, you know, employers store, bank account information more than many other small businesses, right? Or many other organizations. And so it’s important that they think about how they receive the information, how they store it, how they process it. You know, if they’re partnering with a third party, many, many are, you know, payroll as a payroll company you know, how they’re processing it, how they’re storing it. So

VANNOY:

You, and it’s

ORUOJA:

More than just employee.

VANNOY:

Go ahead. Go ahead.

ORUOJA:

Thanks, Mike. It’s more than just employee direct deposit. You have to think about it from a garnishment perspective because you are sending those funds on behalf of an employee. So where you put those files, whether they’re stored electronically or not, it ultimately ends up going through ACH, which means it’s ultimately subject to these rulings. So it’s really broadening what we think of when we think of money movement in general for our employees and on behalf of our businesses.

VANNOY:

And then, let’s just be really practical. So, you know, indu, industry insiders, like you guys who use the words data must be unreadable or, you know, we’ll talk about tokenization in a little bit just real life. What, what is, what does unreadable mean to, to the, to the small business owner?

GOHMAN:

Yeah, so that means you know, you have a couple of different options there. Certainly you have, you know, you could, if you’re a small business owner, you could certainly redact the information. If you are storing those files, you receive a an account direct deposit setup form, and you process it, and then upon, you know, when you wanna store it after it’s been processed, you know, redacting that information you know, like it could be as simple as, you know, drawing over it with a black marker before you scan in, scan it into the system, or or something like that. Certainly deletion is, is an option. I know that kind of sounds counterintuitive, but it actually is a method that you can use because you shouldn’t store data that you don’t need often, sometimes collect data going back 10 to 15 years stale data should be deleted so you don’t need it.

But then more technical ways of rendering data unreadable would be encryption. So encrypting the files when they’re at rest, so using a storage solution that would encrypt the files. And then also you kind of mentioned tokenization, which is a big kind of buzzword in the payments industry. And so tokenization is like a special type of encryption in that it preserves the format of the original number. So it, if you start with a 10 digit number, when you tokenize it, you get a 10 digit not a number, but you get a 10 digit value back and it can preserve the last four so that it’s still usable, right? So you think about when you, you review a report, or you’re looking at, you know, the UI in a, in an application it’s, it’s, it’s often that we just see the last four digits, whether it’s our credit cards or bank account information, that’s a common display criteria. Well, tokenization allows the application to display the token like that, and and it not be the, not actually be the account number, it’s a token. And tokenization is completely reversible so that you can basically reconstitute the account number from the token without having to store the account number. So it’s a really useful method for protecting sensitive data.

VANNOY:

So if I can kind of recap. So the, the requirement from NACHA, mm-hmm <affirmative>, and today it’s it has been the requirement for a few people who process more than 6 million transactions going to 2 million transactions. Our belief is this is going down to, to to, to the employer level that you, no matter how many transactions you have, the law is gonna require you to not store bank information in the same way. You can’t store credit card information, but I have that correct, first of all, right?

GOHMAN:

Yes, that is correct.

VANNOY:

And then what, what can employers, or what should employers do about it? I think there’s a end and a back end of this problem, the back end with their payroll processor. They must ensure they’re working with a provider. And, and, and presumably all the big ones, you know, Asure, ADP, Paychex, the big, the big folks are gonna be compliant in this area. We, we certainly will be, and we’ll talk about how, but it’s also, I think, safe to assume that some of this stuff is complex in some of the smaller people’s providers are, are going to struggle technologically keeping up in this area. So at at, at minimum, you gotta validate that your, your, your payroll provider can handle this and will be compliant. I think the, how employers should be thinking about this as on the front end you have a new hire form.

If, if you’re kind of living a little old school and it’s, you got a form, you print it and you give it to the employee and they, and they manually fill out this form, and part of that includes their bank account number and routing number that you’re gonna route their direct deposit to, you’re either gonna have to black marker it or, and ensure you can’t read through the black marker, or you’re gonna have to destroy it and probably prove that you destroyed it. That would be the low tech ways of doing it. The higher tech ways would be if it’s electronic, maybe it’s still a paper form that you scan, you could have this stored in an encrypted way that could later be retrieved or this more sophisticated, technologically elegant approach of tokenization that most of us experience. You go to a website I’m ordering, you know, I go to American Airlines to, to book a flight, and it’s ask me what credit card I want to use, and it, you know, it’s a little bunch of little stars represent the numbers, and then the last four digits of the card that I recognize the number of, right. Am I summarizing that properly? Alyssa,

ORUOJA:

You absolutely are. Although instead of going to American Airlines, I might be thinking about Amazon and my shopping habits, but those are the same type of items that you would be thinking of as it relates to tokenization. So it’s really about also making sure that you’re thinking about your internal processes leading up to that, because nobody wants to transition cold turkey. So if we start sending people to their phones to do onboarding, or if we start, you know, really changing how we collect that information, we’re less subject and have a less of a learning curve as it starts to really move down the line.

VANNOY:

Yeah, and I think maybe just how I would guide employers it seems obvious why the, the, the industry would move the, I’d say the financial industry, not the payroll industry, financial industry, would move to protecting bank account information the same way you do credit card information. But as you think about your employer brand, you know how damaging would it be to your employer brand if you were known in, in your, in your town as being the one whose employee information got hacked and their bank accounts got hacked, right? Because if, I think, you know, if you’ve been using a credit card for more than a decade or two I think we’ve all gotten those early fraud warning kind of calls, right? Where fraud attempts, somebody maybe got our credit card and you can stop it.

And usually the credit cards companies help you out, and you don’t, it doesn’t cost you anything. If somebody gets your bank account number, your checking account, your savings account your, I mean, the impact could be devastating, right? I mean, they, they could sweep your account like this. And you take an employee who might be really struggling coming out of a pandemic living paycheck to paycheck in, in, in trying to try to fill, fill the gas pump get the gas tank with today’s prices. I mean, these people under stress and I, I’d say the risk is actually, even though the legislation isn’t there yet, like it is with the credit card companies, I almost think the risk is much higher for an employer because the impact to your employee could, could really be quite devastating. Am I being overly dramatic on this, Alyssa or, or Josh?

ORUOJA:

No, I think it’s the logical progression. We’re all getting used to the clean desk rule, right? When you leave, you put things in your filing cabinet. We don’t leave things exposed. This is the logical extension of that into the electronic rule. How many times have we gotten those calls about our warranties being expired, or, you know, there’s this great new policy that I need to look at. It’s just getting further and further into our everyday lives, and we have to be in a defensive position for that, for ourselves and for our employees.

VANNOY:

Okay. So we’ll have future conversations on this topic and the trend around data privacy, data security. Today, NACHA is the governing body. It’s an association, but they do set the standards for money movement in the banking industry through the, through banks and the Fed. And so you get this clearinghouse, the ACH automated clearinghouse. So I, I think more for another day. But if we come back to just the NACHA rules, are there any other specificities around the rules of what it does cover before we kind of move to what it doesn’t cover?

GOHMAN:

Yeah, what I would say on that is that it’s everywhere. Account numbers are stored electronically. This is not a, you know, payroll database or something. It’s only there it is if you store those files on a, you know, a shared drive or in, in in the cloud in a Dropbox or SharePoint or something like that, anywhere they’re stored electronically, this rule applies to, so it’s, it’s not just like within the payroll system or within the banking system. It is anywhere you store account numbers electronically.

VANNOY:

Yeah. So NACHA, it’s it’s not P NACHA payroll, na, association of Clearinghouse Association, right? It’s anywhere. ACH is the platform for, for money movement. That’s a, it’s a really good call out. Josh, anything else I’m missing?

GOHMAN:

No, think that’s good.

VANNOY:

Okay. So I don’t know who wants to start this one. Alyssa, I know you have some insight here. What doesn’t the new NACHA rules cover?

ORUOJA:

So it doesn’t cover the transactions or the detail while it’s being used, right? So we know that we’ve gotta send files to the bank to ultimately allow them to be processed. We need the live account numbers there. So while the data is in use, it’s able to be readable, right? But at the point that it’s moving while it’s in flux, where it could essentially be captured mid-flight, it’s got to be protected and it also needs to be protected when it’s at rest or when it’s just sitting in that file folder and moving through. So it’s about the three real steps of that account number and that transaction. So when you first get it, it’s at rest. You’re moving it to the bank or the tax payment agency, or any vendor that’s your in use or in transit while it’s doing that movement. Then while they’re actually processing, that’s when you’re in use. And it’s only that in use piece where it can be readable, because I can’t necessarily deposit something into a tokenized account. Those last four digits are important, but so are the other six, Josh.

VANNOY:

So this is where, if you’re an employer and you’re just thinking about storing banking information as part of say your onboarding documents you could be as low tech as black marker throwing away those forms, right? But if you’re the payroll provider, you have to, I mean, you, you gotta pay the employees. So you have to have the information not readable while you, while you say at rest. But yet it has to be a real bank account number that can be used to create the ACH file that actually facilitates the, the, the payroll payment. Am I, am I summarizing that correctly?

ORUOJA:

Mm-Hmm. <affirmative> absolutely are,

GOHMAN:

Yeah.

VANNOY:

Okay. What, what else are there is, before we go deeper on that topic, is there anything else that the NACHA rules don’t cover?

GOHMAN:

It doesn’t cover routing numbers. It’s only the account number. So routing numbers are clear to, or fine to store in plain text electronically. So this rule really focuses on just the account number and not the routing number.

VANNOY:

And I think I know why that would be. Can you just add some color on that, Josh? Why, why, why would that be the case?

GOHMAN:

Well, I think it’s because the routing number is not sensitive. The routing number is essentially universal for that bank, right? Chase Bank of America, right? They have, they, they, they all have more than one per bank, but it’s, every account in that bank uses essentially the same routing number. So it’s, it’s not as critical if it were to be compromised. Whereas the account number is specific to you or to the business and it can’t you know, if it’s compromised, then it has to be changed. There’s no, there’s no way around that. So if someone gets a routing number, which are generally fairly easy to get, cuz you can get those on the bank’s websites and things, right? So they, we don’t have to protect those to the same level that we do account numbers.

VANNOY:

So, just to be clear, so a a lot of business owners know that I, I, I think plenty of business owners, they’re experts in their industry but not banking and may not have realized that, but quite literally a routing number is like a digital address to the bank. And so the same way you can look up a physical address, you can go to Google Maps and find out physical address of your bank. You can publicly find the routing number to that bank. Most banks will probably have a few different routing numbers that routes money to different different accounts within the bank. Mm-Hmm. <affirmative>. But it is the it is the personal or business account number that we’re really talking about here, right?

GOHMAN:

That’s right. Yeah.

VANNOY:

Yeah. Okay. Anything else that the rule doesn’t cover that you wanna unpack?

GOHMAN:

No, no. I think we, I think the, the covered, the, the big three, which is in you know, inre or, or in transit in at rest and in use. And, and this rule really covers the at rest piece.

VANNOY:

And, and to be clear, cause I I don’t want to use overly harsh scare tactics here for, with, with folks, it doesn’t cover the, the employer yet. This is today, this is people processing the, the, what, I think it’s July of 22, right? That anybody more than 6 million transactions. So almost no small mid-sized company is processing more than a couple million transactions a month. So this is really to the payroll providers for now, but clearly it’s foreshadowing of what is to come for the employer and their personal storage record. Am I saying that right?

GOHMAN:

Yes, that’s

VANNOY:

Right. I’m not, I’m not commingling. Ok. Okay. Alright, so let’s, let’s talk about you know, maybe some impact, you know, what, what are, what are I, I think there’s some unforeseen, I don’t know if that’s the right way saying it. There’s some goodness that can happen here beyond just being compliant and following a rule positive impact to a business po positive impact for employees. Can you, can you tell us what this means?

GOHMAN:

Yeah, I mean, certainly as we mentioned previously, these account numbers because they’re beginning to be able to be used in, you know, on websites to make payments. You can, you can buy things off Amazon, as Alyssa mentioned, you know, with an account number. You can pay for utility bills, you can do all these things on these websites with account numbers. Now, fraudsters are seeing that as a method that they could monetize. In the past it had to be a credit card because you couldn’t put a bank account information into a website to buy something. So now that you’re seeing that being able to be used or account numbers, ACH account numbers, being able to be used in that fashion, you’re starting to see fraudsters aggressively target account numbers so that they can, again, fraudulently buy stuff on the internet or whatever, and and use that. So this is part of this compliance is you know, some organizations have to do it, other organizations should do it because it’s a best practice and it really does protect the information that you know, their employees or, or of consumers.

ORUOJA:

Well, and Mike, you mentioned it earlier, this is really the baby step to getting into more realtime transactions. We know about the Venmos and the things like that, but ultimately this is gonna get us closer to realtime fraud detection. It will be great when we can put in an account number and ultimately know, does it belong to the person that is registering? You know, are we seeing influx of items coming from other countries to usurp funds and things of that nature? This is setting in the framework for being able to get that real time feedback as well.

VANNOY:

Yeah, I mean, just think about the acronym itself. Automated clearinghouse, it’s a clearinghouse which for decades has been about allowing this time that’s required to make sure you’ve, you’ve cleared the transaction, that the funds actually exist, that the account is real, right? Mm-Hmm. and so that, that, that takes time, which is why generally you think about ACH, it can be faster, it can be slower depending on the banks, but you think about that as kinda like a 48 hour process. But clearly the future is realtime money movement, right? It’s not gonna be through the traditional ACH process, whether that’s peer-to-peer like Venmo where you have money that is captive within that peer net peer-to-peer network system, but maybe there’s a transaction to get money in or outta that system. That kind of functionality clearly is coming very, very soon from traditional banks. It’ll be the big banks at first. But this will, this will eventually replace the ACH process.

GOHMAN:

Well, I, I think, I think also, Mike, we’re seeing that the ACH process is trying to keep up with, with that process as well. I mean, we have same day ACH already, and I think they’re, they’re trying to maintain you know, relevance. They’re trying to maintain and update their standards to work at the speed of business, you know, as, as, as everybody’s moving to real time you know, transactions the NACHA organization is trying to keep up too. And I think, again, that’s another thing that’s accelerating this need for security because the faster money moves the faster a fraudster can get away with it. Because when the money moves through the ACH system and once the transaction is complete, you cannot recall it, it doesn’t come back. It’s not like a credit card transaction where you know, they credit the money back and the money is gone. And so it’s really where it needs the security upfront

VANNOY:

That that’s, it’s really well said, Josh. Cuz I mean, we we’re not taking shots at the ACH system, right? I mean, it, it serves a very important purpose, which is security. I mean and you’re, you’re gonna see this convergence in all of our worlds. You’re gonna see it in money movement as you move more and more to real time. When the money’s gone, the money’s gone. And so you better be sure you got it right. Same thing for buying a house. You think how, I think how long it takes to buy a house and how long it takes to, to go through a title company to make sure you get clear title. Oh, there’s a, there’s a future world where all that’s gonna happen in instantaneous too, but the, you gotta make sure you’re transferring real ownership properly. There’s a lot of stuff to figure out in do, right? So probably wiser to think about the acceleration of speed of the ACH process that is gonna come closer and closer to real time rather than worrying about the technical methods behind the scenes. Is that, is that fair?

GOHMAN:

Yeah, I think so. Very fair. Yeah.

VANNOY:

Okay. Anything else guidance that you’d want to give our audience today on why you think these new ACH payment requirements are so important?

GOHMAN:

Well, I mean, I think from a, from an industry perspective, you know, having a standard set of requirements is really important. You know, as we kind of mentioned these, these requirements are coming or derived from the payment card industry. They have a very robust set of rules that the standards are well thought out, well built, well vetted. They’re, you know, been implemented in a tried and true fashion. So relying on well-defined standards like that really allows you know, organizations at all levels to, to implement these rules very quickly or, or very clearly I should say, maybe that, you know, because there are many businesses that have already implemented this for credit cards and it’s now just we, this is a different type of data we, we need to, to secure. So that kind of clear guidance that we’ve already vetted out the problems essentially, is what I’m trying to say. And so now it allows businesses and organizations to, to implement it very effectively.

VANNOY:

Yeah. Let, so let, let’s use that as a transition to, to kind of our close here. What, let’s give as much practical guidance. So some of this is a little bit of theory. The NA rules are real. They are changing the legislation that will directly impact employers and their personal storage. Maybe not quite there yet. So it’s a little more theoretical. But what really good practical advice can we give to our audience so that, that, you know, they, they can implement new businesses right away.

ORUOJA:

The first thing that I would say there is be really cognizant of the data that you’re collecting and then what you’re doing with it from the point of that collection to when you use it. So if you’re doing the old school paper forms, what do you do with those forms after you’ve moved it through your payroll system? Whether that’s something that you’re doing in house or a system that you’re using like Asure or any of the other players. But ultimately think about that progression. Also, think about how you’re dealing with the data once it’s in your systems, right? For now, you may be able to go in very quickly and confirm an employee account. In the future, you won’t be able to do that because you may only see the last four digits of those account numbers. So think about setting those best practices for yourself about answering those employee inquiries. Hey, I can’t remember what my savings account is. You guys do all that transaction. Can you give it to me real quick? Maybe not so much. Right? So it’s really about thinking about what you do with it day to day. And some of this, we’ve really gone nose blind to. It’s just there and we’ve interacted with it the same way for years, and now we need to think about it along those steps,

VANNOY:

Right?

GOHMAN:

Yeah, absolutely. And I think, you know, Alyssa, your point was very I think it was very good about thinking about all the ways that you collect that data because, you know, oftentimes it’s email, we use email all the time as a, as a source. But think about if well email is a storage system cuz those, those files reside there. If you cc you know, the employee is CCing multiple people, then you have multiple copies of that, that file. They’re all stored in that system. And so kind of getting a handle on your processes so that you can identify where those entry points are and then where the, the exit points are, like where you, you’re putting it into the payroll system and then you are storing the file somewhere or you’re deleting the file. And I think too, it’s taking a hard look at what you really need to store as far as you know, documentation outside the payroll system you know, for records, right? Is the, is the information stored in the payroll system? Do I need a second copy of it? Because any data you store is a risk not just from a compliance perspective, but just broader than that from a security breach perspective. So kind of thinking about pruning that data down, keeping it manageable and then deleting it when it’s no longer needed is very important.

ORUOJA:

And one final note on that, it’s about where it’s being stored within the organization. Mm-Hmm. <affirmative>, you don’t necessarily want the individual HR person having it on their laptop versus a centralized area where you can add higher levels of encryptions or things of that nature. So it’s really about thinking about the organization in total as opposed to an individual job function and what they’re doing with that data.

GOHMAN:

Yeah, absolutely. That’s correct. Yeah.

VANNOY:

This is great. Is there anything else? Any other practical guidance you’d give to employers?

GOHMAN:

No, I mean, other than understanding what the, your payroll provider that you’re partnering with, what their procedures are, what their how they handle your data how it’s being stored in their system, how they’re processing it and transmitting it when you send it to them, if, if you’re sending it to them to update into the payroll system. So kind of thinking of that as a partnership and understanding that, you know, they have a piece of your security, just like you have a piece of your security.

VANNOY:

Yeah. And maybe, maybe the final, and I’m not, I don’t wanna get pitchy here about Asure product, but to me, part of the solution here is, is fundamentally changing the end-to-end process instead of like you know, if you have a, have an old school paper-based system that maybe you had bank account information and name, rank, serial number, demographic information, benefits information on one piece of paper, maybe you split that into two pieces of paper and then one of the banking information you destroy after entered into the system. Mm-Hmm. <affirmative>. There’s, there’s different, different, different ways you could handle modifying the existing approach. At the end of the day, it’s your employee who’s giving you and providing you this banking information. And the simplest thing you could do would be to put it in their hands, right? The employee from their own personal device, let them enter the banking information into the payroll system through a self-service application natively.

At minimum you’re gonna eliminate the keystrokes and potential errors that exist when an employee fills out a form, whether that’s a good automated, pretty electronic process or a very paper-based process. If you have human beings copy pasting or keying information to the payroll system, it’s just kind of a silly waste of time. That’s not needed in a, in a modern era. So you can empower your employees to, to own their own data. It instantly has the value of all the encryption and all the tokenization of any good modern payroll system like ours. While at the same time saving all the time in, in kind of just completely eliminating the need for how do I redact, how do I store, how do I encrypt all this data myself as a, as a payroll HR function? Am I, am I saying that right? Is there any other guidance you’d give there?

ORUOJA:

I think you’re spot on, Mike, and I think really the bottom line there is be cognizant of what you’re doing and only save what you need. If you don’t need it past the point of initiation, don’t retain it.

VANNOY:

Right? Right. And if you’re gonna retain data, do it in a system that is automatically compliant with all of the laws natively, like Asure’s payroll HR system and, and the self-service capabilities come with it. You got enough to worry about growing your company if you’re a smaller, mid-sized business without having to worry about tokenization in, in, in encryption of data to store HR personnel files. It’s there, there, there’s a better way. So anything else that you guys would wanna offer in closing Josh and Alyssa, this, this has been great.

GOHMAN:

Just my, my my last point would just be that, you know, as custodians of personal information at every level, I think we have to look at these compliance requirements as kind of the bare minimum. You know, voluntary adoption is a best practice. You know, look to the standards, even if it doesn’t apply to you today, look to the standards to say that’s what the best practice is, or that’s the really the minimum best practice. And I should try to adhere to that so that I’m protecting you know, all the personal information or all the sensitive data that, that I’m retaining on behalf of other people.

VANNOY:

Yeah. Anything for you, Alyssa?

ORUOJA:

I think that Josh really covered it, but think about it as well, from a cyber insurance perspective. Yeah. Starting these minimum requirements and getting it there will actually reduce costs overall. So while you are protecting your brand, your employees, you’re also lowering your operating costs as well.

GOHMAN:

Yeah. Very good. Yeah. Yeah.

VANNOY:

Yeah. Very good. Okay, guys, very much enjoyed the conversation. The, I think in summary, the, the Nacha requirements directly impact us as a payroll provider. They’re gonna impact all the payroll providers. But th this is a, this is a wave that’s coming and you as an employer, you’re gonna need to think about data security very specifically treating banking account information, the same ways you legally have to treat credit card information. And if you’re, if you’re not thinking about a solution it’s already embedded into the way we do business. So if we can help with a payroll, HR, tax solution, we’d love to talk about it. If you need time and attendance systems to stay compliant with FLSA overtime calculations or you just need help with the HR department on a fractional basis, our HR services team would be happy to help. Until next week, Josh and Alyssa, thanks for joining me today. Yeah, thank you, Mike. Always good talking to you. And until next week, thanks everyone. Yes, that’s it.
