2019-21576. Authorization To Manufacture and Distribute Postage Evidencing Systems  

    AGENCY:

    Postal Service™.

    ACTION:

    Proposed rule.

    SUMMARY:

    The Postal Service proposes to amend its Postage Evidencing Systems regulations. These changes would put the financial responsibility for returned checks and returned Automatic Clearinghouse (ACH) debit payments on the applicable resetting company (RC) and PC Postage provider. These responsibilities would include collecting a fee from the customer for each returned check and ACH debit payment of $30, as may be adjusted from time to time, and remitting the amount of the returned check or ACH debit payment, as applicable, plus the fee to the Postal Service within 10 calendar days of the date of the invoice. These changes would also update the SSAE 18 requirements and add the requirement for System and Organization Control (SOC) 2 reporting.

    DATES:

    Comments must be received on or before November 6, 2019.

    ADDRESSES:

    Mail or deliver written comments to: Manager, Payment Technology, 475 L'Enfant Plaza SW, Room 3500, Washington, DC 20260. Email and faxed comments are not accepted. You may inspect and photocopy all written comments, by appointment only, at USPS® Headquarters Library, 475 L'Enfant Plaza SW, 11th Floor North, Washington, DC 20260. These records are available for review on Monday through Friday, 9 a.m.-4 p.m., by calling 202-268-2904. All submitted comments and attachments are part of the public record and subject to disclosure. Do not enclose any material in your comments that you consider to be confidential or inappropriate for public disclosure.

    FOR FURTHER INFORMATION CONTACT:

    Elizabeth M. Schafer, Treasurer, elizabeth.m.schafer@usps.gov, 202-268-6135.

    SUPPLEMENTARY INFORMATION:

    The Postal Service proposes to amend 39 CFR part 501 to make the Resetting Company (RC) and the PC Postage provider, as applicable, financially responsible for returned checks and returned ACH debit payments, to update verbiage, and to require System and Organization Control (SOC) 2 reporting.

    The amendment to Section 501.15(g) requires the Resetting Company (RC) to reimburse the Postal Service upon request for any returned checks or ACH debits for postage payments and clarifies that the RC must, upon first learning of a returned check or ACH debit, immediately lock a customer's account to prevent a meter reset until the RC receives confirmation of payment of the returned items. The requirement encourages the RC to take adequate measures to authenticate the identity of the customer and ensure that the account that is debited is authorized, and clarifies that the RC must prevent customers who have returned checks and/or returned ACH debits from continuing to charge postage until payment is confirmed. It further requires the RC to charge the customer a fee for each returned check and ACH debit of $30, as may be adjusted from time to time, and remit the amount of the returned check or ACH debit payment, as applicable, plus the fee to the Postal Service within 10 calendar days of the invoice.

    The amendment to Section 501.15(i) updates Statements on Standards for Attestation Engagements (SSAE) from SSAE 16 to SSAE 18. Section 501.15(i) requires the RC to provide System and Organization Control (SOC) reports that demonstrate effective internal controls. SOC2 reports are a new requirement to support data security and privacy concerns. The American Institute of Certified Public Accountants (AICPA) created the SOC reporting framework as part of the SSAE 18. The SOC framework covers organizational controls over services with the intent to: (1) Address needs and reporting requirements by service organizations, and (2) Provide valuable information, including third party risk assessment. Section 501.15(j) is being changed to replace the term “provider” with “RC” in the last sentence.

    The amendment to Section 501.16(d) requires the PC Postage provider (“provider”) to reimburse the Postal Service upon request for any returned check or ACH debits for postage payments and clarifies that the provider must, upon first learning of a returned check or ACH debit, immediately lock a customer's account to prevent a meter reset until the provider receives confirmation of payment of the returned items. The shift encourages the PC Postage provider to take adequate measures to authenticate the identity of the customer and ensure that the account that is debited is authorized, and clarifies that the provider must prevent customers who have returned ACH debits from continuing to charge postage until payment is confirmed. It further requires the PC Postage Provider to charge the customer a fee of $30, as may be adjusted from time to time, for each returned check and ACH debit payment and remit the amount of the returned check or ACH debit payment, as applicable, plus the fee to the Postal Service within 10 calendar days of the invoice.

    The amendment to Section 501.16(i) updates Statements on Standards for Attestation Engagements (SSAE) from SSAE 16 to SSAE 18. This requires the provider to provide System and Organization Control (SOC) reports that demonstrate effective internal controls. SOC2 reports are a new requirement to support data security and privacy concerns. The American Institute of Certified Public Accountants (AICPA) created the SOC reporting framework as part of the SSAE 18. The SOC framework covers organizational controls over services with the intent to: (1) Address needs and reporting requirements by service organizations, and (2) Provide valuable information, including third party risk assessment.

    For the reasons stated in the preamble, the Postal Service proposes to amend 39 CFR chapter 501 as follows:

    List of Subjects in 39 CFR Part 501

    • Administrative practice and procedure
    • Postal Service

    PART 501—[AMENDED]

    1. The authority citation for part 501 continues to read as follows:

    Authority: 5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410, 2601, 2605; Inspector General Act of 1978, as amended (Pub. L. 95-452, as amended); 5 U.S.C. App. 3.

    2. Amend § 501.15 by revising paragraphs (g), (i), and (j) to read as follows:

    Computerized Meter Resetting System
    * * * * *

    (g) The RC is required to reimburse the Postal Service upon request for any returned checks or ACH debits for postage payments. The RC must, upon first becoming aware of a returned check or ACH debit, immediately lock the customer's CMRS account to prevent a meter reset until the RC receives confirmation of payment for the returned item. The RC is required to charge the customer a returned item fee for returned checks or ACH debits of $30, as may be adjusted from time to time, and remit the fee plus the amount of the returned item to the Postal Service within ten (10) calendar days after the receipt of the invoice.

    * * * * *

    (i) Security and Revenue Protection. To receive Postal Service approval to continue to operate systems in the postage meters environment, the RC must submit to a periodic examination and provide a SOC1 Type II Report of its meter system and any other applications and technology infrastructure that may have a material impact on Postal Service revenues, as determined by the Postal Service. Additionally, RC must submit to a periodic examination and provide a SOC2 Type II Report of its meter system data security, accuracy, processing integrity and data integrity for any applications, reports, and technology infrastructure that may have a material impact on the RC's reports, which the Postal Service relies upon. The examinations shall be performed by a qualified, independent audit firm and shall be conducted in accordance with the Statements on Standards for Attestation Engagements (SSAEs) No. 18, Service Organizations, developed by the American Institute of Certified Public Accountants (AICPA), as amended or superseded. Expenses associated with such examination shall be incurred by the RC. The examination shall include testing of the operating effectiveness of relevant RC internal controls (SOC 1 Type II SSAE 18 & SOC2 Type II SSAE 18 Reports). If the service organization uses another service organization (sub-service provider), the RC should consider the nature and materiality of the transactions and data processed by the sub-service organization and the contribution of the sub-service organization's processes and controls in the achievement of the Postal Service's control objectives. Resetting companies are expected to submit any request for changes to control objectives by December 31 of each year, which will be taken under consideration by the Postal Service for review and approval. The Postal Service will provide common control objectives to be covered by the SOC 1 Type II SSAE 18 by February 28 each year. 
As a result of the examination, the service auditor shall provide the RC and the Postal Service with an opinion on the design and operating effectiveness of the RC's internal controls related to the meter system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the RC. SOC1 and SOC2 examinations are to be conducted on no less than an annual basis, and are to be as of and for the 12 months ended June 30 of each year (except for new contracts for which the examination period will be no less than the period from the contract date to the following June 30, unless otherwise agreed to by the Postal Service). The SOC1 and SOC2 examination reports are to be provided to the Postal Service by August 15 of each year. To the extent that internal control weaknesses are identified in a SOC report, the Postal Service requires prompt communication and remediation of such weaknesses and shall have the right to review working papers and engage in discussions about the work performed with the service auditor. The Postal Service requires that all remediation efforts (if applicable) are completed and reported by the RC prior to the Postal Service's fiscal year end (September 30). In addition, the RC will be responsible for performing an examination of their internal control environment related to the meter system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the RC, in particular, disclosing changes to internal controls for the period of July 1 to September 30. This examination should be documented and submitted to the Postal Service by October 14 of each year. The RC will be responsible for all costs related to the examinations conducted by the service auditor and the RC.

    (j) Inspection of records and facilities. The RC must make its facilities that handle the operation of the computerized resetting system and all records about the operation of the system available for inspection by representatives of the Postal Service at all reasonable times. At its discretion, the Postal Service may continue to fund inspections as it has in the past, provided the costs are not associated with a particular security issue related to the RC's meter systems and supporting infrastructure.

    * * * * *

    3. Amend § 501.16 by revising paragraph (d) and (f) to read as follows:

    PC postage payment methodology
    * * * * *

    (d) The provider must reimburse the Postal Service upon request for any returned checks or ACH debits for postage payments. The provider must, upon first becoming aware of a returned check or ACH debit, immediately lock the customer account to prevent resetting the account until the provider receives confirmation of payment for the returned item. The provider is required to charge the customer a returned item fee for returned checks and ACH debits of $30, as may be adjusted from time to time, and remit the fee plus the amount of the returned item to the Postal Service within ten (10) calendar days after the receipt of the invoice.

    * * * * *

    (f) Security and Revenue Protection. To receive Postal Service approval to continue to operate PC Postage systems, the provider must submit to a periodic examination and provide a SOC1 Type II Report of its PC Postage system and any other applications and technology infrastructure that may have a material impact on Postal Service revenues, as determined by the Postal Service.

    Additionally, provider must submit to a periodic examination and provide a SOC2 Type II Report of its meter system data security, accuracy, processing integrity and data integrity for any applications, reports, and technology infrastructure that may have a material impact on the provider's reports, which the Postal Service relies upon. The examination shall be performed by a qualified, independent audit firm and shall be conducted in accordance with the Statements on Standards for Attestation Engagements (SSAEs) No. 18, Service Organizations, developed by the American Institute of Certified Public Accountants (AICPA), as amended or superseded. Expenses associated with such examination shall be incurred by the provider. The examination shall include testing of the operating effectiveness of relevant provider internal controls (SOC1 Type II SSAE 18 Report). If the service organization uses another service organization (sub-service provider), the provider should consider the nature and materiality of the transactions processed by the sub-service organization and the contribution of the sub-service organization's processes and controls in the achievement of the Postal Service's control objectives. The control objectives to be covered by the SOC 1 Type II SSAE 18 report are subject to Postal Service review and approval, and are to be provided to the Postal Service 30 days prior to the initiation of each examination period. Resetting companies are expected to submit any request for changes to control objectives by December 31 of each year, which will be taken under consideration by the Postal Service for review and approval. The Postal Service will provide common control objectives to be covered by the SOC 1 Type II SSAE 18 by February 28 each year. 
As a result of the examination, the service auditor shall provide the provider and the Postal Service with an opinion on the design and operating effectiveness of the provider's internal controls related to the meter system, and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the RC. SOC1 and SOC2 examinations are to be conducted on no less than an annual basis, and are to be as of and for the 12 months ended June 30 of each year (except for new contracts for which the examination period will be no less than the period from the contract date to the following June 30, unless otherwise agreed to by the Postal Service). The SOC1 and SOC2 examination reports are to be provided to the Postal Service by August 15 of each year. To the extent that internal control weaknesses are identified in a SOC 1 Type II SSAE 18 report, the Postal Service requires prompt communication and remediation of such weaknesses and will review working papers and engage in discussions about the work performed with the service auditor. The Postal Service requires that all remediation efforts (if applicable) are completed and reported by the provider to the Postal Service's fiscal year end (September 30). In addition, the provider will be responsible for performing an examination of their internal control environment related to the meter system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the provider, in particular, disclosing changes to internal controls for the period of July 1 to September 30. This examination should be documented and submitted to the Postal Service by October 14 each year. The provider will be responsible for all costs related to the examinations conducted by the service auditor and the RC.

    * * * * *

    Brittany M. Johnson,

    Attorney, Federal Compliance.

    [FR Doc. 2019-21576 Filed 10-4-19; 8:45 am]

    BILLING CODE P

Document Information

Published: 10/07/2019
Department: Postal Service
Entry Type: Proposed Rule
Action: Proposed rule.
Document Number: 2019-21576
Dates: Comments must be received on or before November 6, 2019.
Pages: 53353-53355 (3 pages)
Topics: Administrative practice and procedure, Postal Service
PDF File: 2019-21576.pdf
CFR: (2) 39 CFR 501.15, 39 CFR 501.16