39 CFR Document 2020-03562
Authorization To Manufacture and Distribute Postage Evidencing Systems
November 6, 2020

AGENCY:

Postal Service™.

ACTION:

Final rule.

SUMMARY:

The Postal Service is amending its Postage Evidencing Systems regulations. These changes put the financial responsibility for returned checks and returned Automated Clearinghouse (ACH) debit payments on the applicable resetting company (RC) and PC Postage provider. These responsibilities include providing reimbursement for any penalties or fines imposed on the Postal Service for returned checks or ACH debit payments, and remitting the amount of the returned check or ACH debit payment, as applicable, plus the reimbursement to the Postal Service within 10 federal banking days of the date the invoice is mailed. These changes also update the Statement on Standards for Attestation Engagements (SSAE) 18 requirements and add the requirement for System and Organization Control (SOC) 2 reporting.

DATES:

Effective March 5, 2020.

FOR FURTHER INFORMATION CONTACT:

Lisa H Arcari, Director, Commercial Payment, lisa.h.arcari@usps.gov, 202-268-4270.

SUPPLEMENTARY INFORMATION:

The Postal Service issued proposed revisions to 39 CFR part 501, set forth in the Federal Register on October 7, 2019 (84 FR 53353). The proposal made several major changes: (1) Imposing the financial responsibility for returned checks and returned Automated Clearinghouse (ACH) debit payments on the resetting companies (Postage Meter Manufacturers) and on the PC Postage Providers, as applicable (collectively “Providers”), (2) imposing a $30 return fee on the Providers for returned checks and ACH debits, and (3) requiring the Providers to submit System and Organization Control (SOC) 2, Type II reports to the Postal Service as a requirement for continued operations as a Provider.

Five sets of comments were received in response to the Federal Register Notice, from FP USA (Francotyp Postalia), Pitney Bowes Inc., Stamps.com/Endicia (PSI Systems, Inc.), Neopost USA (soon to be Quadient), and PostCom. There are four common themes throughout these comments; as such they can be broken down as follows:

ACH Returns

Industry Comments

The proposal to impose financial responsibility for returned checks and returned ACH debit payments received several comments. Some commenters opined that the proposed rule unfairly makes providers liable for ACH returns and will lead to a reduction of ACH use by customers at a time when the Postal Service is trying to increase its use. Although Providers bear this financial responsibility for credit cards, the credit card real-time validation process is much more robust, and ACH returns are not revealed until several days after the transaction occurs. This risk continues with each ACH debit transaction, unlike for credit cards. While acknowledging that Providers are and should be responsible for helping the Postal Service to try to collect ACH return funds on the Postal Service's behalf, many commenters believe it is unreasonable for the Providers to take on this financial burden.

One commenter believes the proposed rule offered little explanation as to why the changes are necessary or whether there will be any benefits. Instead of changing its regulations, this commenter suggests that the Postal Service should work with the small pool of Providers to come up with a solution for ACH debit returns. Another commenter contends that shifting liability for ACH returns is a customer unfriendly unlawful taking, and that it violates Executive Order 13771 relating to economically significant regulatory actions that impose costs on industry.

Some commenters also argued that automatically locking customer accounts would cause significant service interruptions to large customers in connection with routine business activities, resulting in customers switching to a non-Postal service provider or to non-ACH payment methods. If the risk of ACH returns is now shifted to the Providers, these commenters argue that they should have the discretion to decide whether or not to lock the account since they will be bearing the risk of non-payment. Another commenter added that, if the Postal Service intends to impose the risk of a failed payment on the Providers, then the Providers should have the discretion to delay refilling meters and PC Postage accounts until check payments clear and ACH transactions are proven effective. Along these same lines, another commenter requested that, since the checks and ACH debit transactions are made payable to the Postal Service, the Postal Service should assign the Providers the legal right to pursue customers for returned checks and ACH debits.

With respect to the processing of ACH payments, one commenter suggested that the Postal Service should work with Citibank to implement same-day ACH as an option to allow providers the ability to reduce the delay in disabling customers for returned ACH debits. According to this commenter, the current ACH process can take up to 10 days to receive a return transaction, and the Postal Service and Citibank should work on a plan to implement a “Real Time” ACH validation. This commenter also suggested that Providers should be given 45 days to collect returned postage download amounts from customers, noting its position that 10 days does not give the customer sufficient time to work with internal accounts payable departments to process replacement payments.

Finally, one commenter expressed the view that the change is directed at PC Postage vendors, who caused this issue by not addressing it long ago. This commenter believes the Postal Service is placing an undue burden on meter manufacturers for a problem caused by PC Postage vendors.

USPS Response

The Postal Service agrees with some of these comments and proposals, while disagreeing with others, as described below.

As an initial matter, the Postal Service notes that the National Automated Clearing House Association (NACHA) manages the development, administration, and governance of the ACH Network. The NACHA Rules, which the Postal Service is obliged to follow, provide the legal and operational foundation of the ACH network, and are meant to safeguard customers' sensitive data. Imposing responsibility for returned checks and returned ACH debit payments on Providers encourages the Providers to take adequate measures to authenticate the identity of their customers through account validation and to ensure that each account that is debited is authorized. Providers have direct relationships with the shippers and mailers who are their customers, and they are in the best position to authenticate the customers and their accounts. This requirement also aligns with NACHA Know Your Customer guidance and best practices. The Provider must adhere to the ACH returns to ACH volume thresholds as outlined in the NACHA operating rules and guidelines. The Postal Service intends to work with Providers to offer its expertise and guidance on these rules.

With respect to the locking of customer accounts, the Postal Service notes that this is not a new requirement; the wording was updated from the original regulation for clarity. The Providers should not have discretion on whether or not to lock the account, as continuing to allow ACH debit returns violates NACHA rules, to which the Postal Service is subject.

The Postal Service agrees with the suggestion that Providers should have the discretion to delay refilling meters and PC Postage accounts until check payments clear and ACH transactions are proven effective. Providers currently have this discretion, and will continue to have it under the final rule.

The Postal Service also agrees with the proposal that it assign Providers the legal right to pursue customers for returned checks and ACH debits. Discussions concerning the implementation of this proposal will occur after the rule is published.

The Postal Service disagrees that imposing responsibility on Providers for ACH returns involves a taking of property under the Fifth Amendment or a violation of any applicable Executive order. Remitting payment via ACH is the customer's choice, not a regulatory requirement that is imposed by the Postal Service. Moreover, requiring Providers to cover the cost of ACH returns is consistent with industry practice, as explained above.

As for the suggestion that the Postal Service work with Citibank to implement same-day ACH or “Real Time” ACH validation, based on our experience, ACH debit returns that take 10 days are not the norm. The Postal Service would need more information on returns past the two-day window to research. In any event, the Postal Service is in the process of evaluating the impacts to the Postal Service of same-day ACH and the effectiveness of these products to Providers. After the Postal Service's positive review of the feasibility of same-day ACH transactions in this context, meter manufacturers and PC Postage providers interested in any of these products should inform the Postal Service, and the Postal Service will review these requests on a case-by-case basis.

In addition, to clarify the proposed timeline in response to the suggestion that Providers be given 45 days to collect returned postage amounts from customers, the Postal Service notes that invoices will be generated on a monthly basis for returns incurred for the previous month. The 10-day period will start once the invoice for returns from the previous month is mailed. In other words, the 10-day window does not begin on the day the ACH debit return occurs, but rather on the day the Postal Service invoice is mailed.

The financial responsibility for ACH debit returns will be shifted to the providers beginning April 1, 2020. The first invoice will be sent in early May 2020 for the debit returns that occurred in April.

Finally, the Postal Service disagrees with the assessment that the proposed rule places an undue burden on meter manufacturers for a problem caused by PC Postage vendors. The Postal Service already holds and is continuing to hold PC Postage Providers and meter manufacturers to the same standards.

$30 Return Fee

Industry Comments

Several commenters expressed concerns that the proposed $30 ACH return fee would have negative processing and customer service implications, which would discourage customers' continued use of ACH. They believe many customers would object to paying the fee, and may leave the Postal Service if the fee cannot be waived, particularly if service cannot be immediately restored. If the Postal Service wants to collect this fee, they argue, then the Postal Service should do so itself so that it can exercise discretion on whether the fee should be waived. These commenters also noted that the proposed fee would add cost to the Providers without providing any benefit to them. Updates to systems and to Postal Service reporting for these fees, including daily balance accounting reconciliation (DBAR) updates, would require definition before an estimated implementation timeline could be provided. In addition, because changes to these systems could affect the SOC reports, SOC control objectives would need to be updated for this change. These commenters also suggested that the ACH fee should be able to be deducted from customers' prepaid funds (if available), and the DBAR should be updated to reflect this option.

One commenter suggested that the Postal Service should provide the industry with updated Postal Service terms and conditions to support the fees for returned ACH debits and checks. Because new terms would apply to the fees, the commenter noted its expectation that the fee would only apply to new and renewal customers. The commenter suggested further that the Postal Service should clarify that individual Providers are only responsible for charging for returned checks and ACH credits for the Providers' active customers.

USPS Response

Charging the customer a fee for a returned ACH transaction is a common practice, and the $30 amount of the fee is consistent with the existing charge for bounced checks. Nevertheless, upon further consideration and in response to the commenters' concerns, the Postal Service has decided to eliminate the $30 fee in the final rule. The fee was intended to reimburse the Postal Service for costs it may incur in connection with returned checks or ACH debit payments. As an alternative to an automatic $30 fee for every returned item, the final rule reserves the Postal Service's right to seek reimbursement from a Provider for any penalties or fines that are imposed on the Postal Service (for example, by a bank) occasioned by repeated returned checks or ACH debit payments from that Provider's customer. This would be in accord with current practice and would encourage the Providers to review and vet their customers and their behavior, to avoid being assessed penalties or fines. If the Postal Service does not incur any such penalties or fines, then the Provider will only be responsible for the amount of the returned check or ACH debit payment, as applicable, without any additional fees imposed. Under the final rule, the Provider may choose whether to pass any such reimbursement costs (of penalties or fines) on to its customer.

The comments relating to applicability of the $30 fee to new and renewal customers and/or active customers are largely moot, in light of the Postal Service's decision to eliminate the $30 fee. However, it should be noted that Providers will be responsible for reimbursement of fines and penalties incurred by the Postal Service, regardless of whether the customers that caused those issues are new, renewal, active, or other customers of the Provider.

SOC 2, Type II Report

Industry Comments

Several commenters addressed the proposal to require SOC 2, Type II reporting. For example, they stated that the scope of the SOC 2 Type II mandate should be relevant to the information exchanged, and should be narrowly drawn to those applications, reports, and technology relevant to the Postal Service's controls. Commenters also argued that the report should address privacy.

Other commenters stated that the changes required to support a SOC 2 Type II report will take considerable effort to scope, develop, test and implement, and that this is an unreasonable expense and burden on the industry.

Finally, the commenters noted that the Postal Service needs to provide the industry with the SOC 2 Control objectives. Control objectives provided by February 28 of each year should be required to be implemented in the next audit period.

USPS Response

The Postal Service disagrees with limiting the scope to only those applications mentioned by the commenters and privacy. The purpose of the SOC 2 reporting is to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users' data and the confidentiality and privacy of the information processed by these systems. The goal is to understand the security posture of the entire organization.

As for the commenters' concerns about expense and burden, SOC 2 reporting is an industry standard, and has been for many years. There is an expense, but it is to the industry's benefit too. The Postal Service will give the industry reasonable time to adopt these changes.

The Postal Service agrees that it should provide the industry with SOC 2 control objectives, and will provide these by March 18, 2020 for the Type I report and by January 31 of each year to be implemented in the appropriate audit period for Type II reports. The Postal Service will strive to give the industry ample time to implement any changes to control objectives from one year to the next.

General Comments

Industry comment: The implementation timeframes in the proposal need to be clarified for both items.

USPS response: The Postal Service will require a SOC 2 Type I report by July 1, 2020; the Postal Service will provide the initial control objectives by March 18, 2020. The first SOC 2 Type II report will be due August 15, 2021, and the subsequent Type II reports will be due on August 15 each year going forward. For future years, the Postal Service will provide the SOC 2 control objectives by January 31.

Industry comment: The Postal Service teams should have raised the proposed rules as an issue during the Industry meetings. Discussion at industry meetings would have allowed the industry to educate the Postal Service on each provider's processes and discuss a phased plan to achieve the Postal Service objectives.

USPS response: NACHA's upcoming rule changes and customer validation were discussed at the July 25, 2019 Industry Working meeting. The NACHA webinars were made available to the industry. It is within the Postal Service's discretion whether and how much to discuss a proposed rule with the industry before publishing.

List of Subjects in 39 CFR Part 501

  • Administrative practice and procedure
  • Postal Service

For the reasons stated in the preamble, the Postal Service amends 39 CFR part 501 as follows:

PART 501—[AMENDED]

1. The authority citation for part 501 continues to read as follows:

Authority: 5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410, 2601, 2605; Inspector General Act of 1978, as amended (Pub. L. 95-452, as amended); 5 U.S.C. App. 3.

2. Amend § 501.15 by revising paragraphs (g), (i), and (j) to read as follows:

§ 501.15
Computerized Meter Resetting System.
* * * * *

(g) Financial responsibility for returned payments. The RC is required to reimburse the Postal Service upon request for any returned checks or ACH debits for postage payments. The RC must, upon first becoming aware of a returned check or ACH debit, immediately lock the customer's CMRS account to prevent a meter reset until the RC receives confirmation of payment for the returned item. If a penalty or fine is assessed against the Postal Service for returned checks or ACH debit payments from an RC's customer, the Postal Service may request reimbursement for such penalty or fine from the RC. The RC is required to remit the amount of the returned item to the Postal Service plus the reimbursement request, to the extent applicable, within ten (10) banking days. Invoices will be created monthly for returns and/or applicable penalties or fines incurred for the previous month. The 10 banking days will start once the invoice is mailed. The RC has discretion to decide whether to charge its customer for any such reimbursement costs (of penalties or fines) the RC pays to the Postal Service in connection with the customer's returned check or ACH debit.

* * * * *

(i) Security and revenue protection. To receive Postal Service approval to continue to operate systems in the postage meters environment, the RC must submit to a periodic examination and provide a System and Organization Control (SOC) 1 Type II Report of its meter system and any other applications and technology infrastructure that may have a material impact on Postal Service revenues, as determined by the Postal Service. Additionally, RC must submit to a periodic examination and provide a SOC 2 Type II Report of its meter system data security, accuracy, processing integrity and data integrity for any applications, reports, and technology infrastructure that may have a material impact on the RC's reports, which the Postal Service relies upon. For the initial SOC 2 Type I report, the Postal Service will provide the control objectives by March 18, 2020. The due date for the initial SOC 2 Type I is July 1, 2020, with the SOC 2 Type II due on August 15, 2021. Both the SOC 1 and SOC 2 examinations shall be performed by a qualified, independent audit firm and shall be conducted in accordance with the Statements on Standards for Attestation Engagements (SSAEs) No. 18, Service Organizations, developed by the American Institute of Certified Public Accountants (AICPA), as amended or superseded. Expenses associated with such examination shall be incurred by the RC. The examination shall include testing of the operating effectiveness of relevant RC internal controls (SOC 1 Type II SSAE 18 & SOC 2 Type II SSAE 18 Reports). If the service organization uses another service organization (sub-service provider), the RC should consider the nature and materiality of the transactions and data processed by the sub-service organization and the contribution of the sub-service organization's processes and controls in the achievement of the Postal Service's control objectives. 
Resetting companies are expected to submit any request for changes to control objectives by December 31 of each year, which will be taken under consideration by the Postal Service for review and approval. The Postal Service will provide common control objectives to be covered by the SOC 1 Type II SSAE 18 by January 31 each year. As a result of the examination, the service auditor shall provide the RC and the Postal Service with an opinion on the design and operating effectiveness of the RC's internal controls related to the meter system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the RC. SOC 1 and SOC 2 examinations are to be conducted on no less than an annual basis, and are to be as of and for the 12 months ended June 30 of each year (except for new contracts for which the examination period will be no less than the period from the contract date to the following June 30, unless otherwise agreed to by the Postal Service). The SOC 1 and SOC 2 examination reports are to be provided to the Postal Service by August 15 of each year. To the extent that internal control weaknesses are identified in a SOC report, the Postal Service requires prompt communication and remediation of such weaknesses and shall have the right to review working papers and engage in discussions about the work performed with the service auditor. The Postal Service requires that all remediation efforts (if applicable) are completed and reported by the RC prior to the Postal Service's fiscal year end (September 30). In addition, the RC will be responsible for evaluating its internal control environment related to the meter system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the RC, in particular, disclosing changes to internal controls for the period of July 1 to September 30. 
This evaluation should be documented and submitted to the Postal Service by October 15 of each year. The RC will be responsible for all costs related to the examinations conducted by the service auditor and the RC.

(j) Inspection of records and facilities. The RC must make its facilities that handle the operation of the computerized resetting system and all records about the operation of the system available for inspection by representatives of the Postal Service at all reasonable times. At its discretion, the Postal Service may continue to fund inspections as it has in the past, provided the costs are not associated with a particular security issue related to the RC's meter systems and supporting infrastructure.

* * * * *

3. Amend § 501.16 by revising paragraph (d) and (f) to read as follows:

§ 501.16
PC postage payment methodology.
* * * * *

(d) Financial responsibility for returned payments. The provider must reimburse the Postal Service upon request for any returned checks or ACH debits for postage payments. The provider must, upon first becoming aware of a returned check or ACH debit, immediately lock the customer account to prevent resetting the account until the provider receives confirmation of payment for the returned item. If a penalty or fine is assessed against the Postal Service for returned checks or ACH debit payments from a provider's customer, the Postal Service may request reimbursement for such penalty or fine from the provider. The provider is required to remit the amount of the returned item plus the amount of the reimbursement request, to the extent applicable, to the Postal Service within ten (10) banking days. Invoices will be created monthly for returns and/or applicable penalties or fines incurred for the previous month. The 10 banking days will start once the invoice is mailed. The provider has discretion to decide whether to charge its customer for any such reimbursement costs (of penalties or fines) the provider pays to the Postal Service in connection with the customer's returned check or ACH debit.

* * * * *

(f) Security and revenue protection. To receive Postal Service approval to continue to operate PC Postage systems, the provider must submit to a periodic examination and provide a SOC 1 Type II Report of its PC Postage system and any other applications and technology infrastructure that may have a material impact on Postal Service revenues, as determined by the Postal Service. Additionally, provider must submit to a periodic examination and provide a SOC 2 Type II Report of its meter system data security, accuracy, processing integrity and data integrity for any applications, reports, and technology infrastructure that may have a material impact on the provider's reports, which the Postal Service relies upon. The examination shall be performed by a qualified, independent audit firm and shall be conducted in accordance with the Statements on Standards for Attestation Engagements (SSAEs) No. 18, Service Organizations, developed by the American Institute of Certified Public Accountants (AICPA), as amended or superseded. Expenses associated with such examination shall be incurred by the provider. The examination shall include testing of the operating effectiveness of relevant provider internal controls (SOC 1 Type II SSAE 18 Report). If the service organization uses another service organization (sub-service provider), the provider should consider the nature and materiality of the transactions processed by the sub-service organization and the contribution of the sub-service organization's processes and controls in the achievement of the Postal Service's control objectives. The control objectives to be covered by the SOC 1 Type II SSAE 18 report are subject to Postal Service review and approval, and are to be provided to the Postal Service 30 days prior to the initiation of each examination period. 
Resetting companies are expected to submit any request for changes to control objectives by December 31 of each year, which will be taken under consideration by the Postal Service for review and approval. The Postal Service will provide common control objectives to be covered by the SOC 1 Type II SSAE 18 by January 31 each year. As a result of the examination, the service auditor shall provide the provider and the Postal Service with an opinion on the design and operating effectiveness of the provider's internal controls related to the meter system, and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the RC. SOC 1 and SOC 2 examinations are to be conducted on no less than an annual basis, and are to be as of and for the 12 months ended June 30 of each year (except for new contracts for which the examination period will be no less than the period from the contract date to the following June 30, unless otherwise agreed to by the Postal Service). The SOC 1 and SOC 2 examination reports are to be provided to the Postal Service by August 15 of each year. To the extent that internal control weaknesses are identified in a SOC 1 Type II SSAE 18 report, the Postal Service requires prompt communication and remediation of such weaknesses and will review working papers and engage in discussions about the work performed with the service auditor. The Postal Service requires that all remediation efforts (if applicable) are completed and reported by the provider to the Postal Service's fiscal year end (September 30). In addition, the provider will be responsible evaluating its internal control environment related to the meter system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the provider, in particular, disclosing changes to internal controls for the period of July 1 to September 30. 
This evaluation should be documented and submitted to the Postal Service by October 15 each year. The provider will be responsible for all costs related to the examinations conducted by the service auditor and the RC.

* * * * *

Brittany M. Johnson,

Attorney, Federal Compliance.

[FR Doc. 2020-03562 Filed 3-4-20; 8:45 am]

BILLING CODE P

