Authorization To Manufacture and Distribute Postage Evidencing Systems, 53353-53355 [2019-21576]


[Federal Register Volume 84, Number 194 (Monday, October 7, 2019)]
[Proposed Rules]
[Pages 53353-53355]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-21576]


=======================================================================
-----------------------------------------------------------------------

POSTAL SERVICE

39 CFR Part 501


Authorization To Manufacture and Distribute Postage Evidencing 
Systems

AGENCY: Postal Service™.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Postal Service proposes to amend its Postage Evidencing 
Systems regulations. These changes would put the financial 
responsibility for returned checks and returned Automatic Clearinghouse 
(ACH) debit payments on the applicable resetting company (RC) and PC 
Postage provider. These responsibilities would include collecting a fee 
from the customer for each returned check and ACH debit payment of $30, 
as may be adjusted from time to time, and remitting the amount of the 
returned check or ACH debit payment, as applicable, plus the fee to the 
Postal Service within 10 calendar days of the date of the invoice. 
These changes would also update the SSAE 18 requirements and add the 
requirement for System and Organization Control (SOC) 2 reporting.

DATES: Comments must be received on or before November 6, 2019.

ADDRESSES: Mail or deliver written comments to: Manager, Payment 
Technology, 475 L'Enfant Plaza SW, Room 3500, Washington, DC 20260. 
Email and faxed comments are not accepted. You may inspect and 
photocopy all written comments, by appointment only, at USPS® 
Headquarters Library, 475 L'Enfant Plaza SW, 11th Floor North, 
Washington, DC 20260. These records are available for review on Monday 
through Friday, 9 a.m.-4 p.m., by calling 202-268-2904. All submitted 
comments and attachments are part of the public record and subject to 
disclosure. Do not enclose any material in your comments that you 
consider to be confidential or inappropriate for public disclosure.

FOR FURTHER INFORMATION CONTACT: Elizabeth M. Schafer, Treasurer, 
elizabeth.m.schafer@usps.gov, 202-268-6135.

SUPPLEMENTARY INFORMATION: The Postal Service proposes to amend 39 CFR 
part 501 to make the Resetting Company (RC) and the PC Postage 
provider, as applicable, financially responsible for returned checks 
and returned ACH debit payments, to update verbiage, and to require 
System and Organization Control (SOC) 2 reporting.
    The amendment to Section 501.15(g) requires the Resetting Company 
(RC) to reimburse the Postal Service upon request for any returned checks or 
ACH debits for postage payments and clarifies that the RC must, upon 
first learning of a returned check or ACH debit, immediately lock a 
customer's account to prevent a meter reset until the RC receives 
confirmation of payment of the returned items. The requirement 
encourages the RC to take adequate measures to authenticate the 
identity of the customer and ensure that the account that is debited is 
authorized, and clarifies that the RC must prevent customers who have 
returned checks and/or returned ACH debits from continuing to charge 
postage until payment is confirmed. It further requires the RC to 
charge the customer a fee for each returned check and ACH debit of $30, 
as may be adjusted from time to time, and remit the amount of the 
returned check or ACH debit payment, as applicable, plus the fee to the 
Postal Service within 10 calendar days of the invoice.
    The amendment to Section 501.15(i) updates Statements on Standards 
for Attestation Engagements (SSAE) from SSAE 16 to SSAE 18. Section 
501.15(i) requires the RC to provide System and Organization Control 
(SOC) reports that demonstrate effective internal controls. SOC2 
reports are a new requirement to support data security and privacy 
concerns. The American Institute of Certified Public Accountants 
(AICPA) created the SOC reporting framework as part of the SSAE 18. The 
SOC framework covers organizational controls over services with the 
intent to: (1) Address needs and reporting requirements by service 
organizations, and (2) Provide valuable information, including third 
party risk assessment. Section 501.15(j) is being changed to replace 
the term "provider" with "RC" in the last sentence.
    The amendment to Section 501.16(d) requires the PC Postage provider 
("provider") to reimburse the Postal Service upon request for any 
returned check or ACH debits for postage payments and clarifies that 
the provider must, upon first learning of a returned check or ACH 
debit, immediately lock a customer's account to prevent a meter reset 
until the provider receives confirmation of payment of the returned 
items. The shift encourages the PC Postage provider to take adequate 
measures to authenticate the identity of the customer and ensure that 
the account that is debited is authorized, and clarifies that the 
provider must prevent customers who have returned ACH debits from 
continuing to charge postage until payment is confirmed. It further 
requires the PC Postage Provider to charge the customer a fee of $30, 
as may be adjusted from time to time, for each returned check and ACH 
debit payment and remit the amount of the returned check or ACH debit 
payment, as applicable, plus the fee to the Postal Service within 10 
calendar days of the invoice.
    The amendment to Section 501.16(i) updates Statements on Standards 
for Attestation Engagements (SSAE) from SSAE 16 to SSAE 18. This 
requires the provider to provide System and Organization Control (SOC) 
reports that demonstrate effective internal controls. SOC2 reports are 
a new requirement to support data security and privacy concerns. The 
American Institute of Certified Public Accountants (AICPA) created the 
SOC reporting framework as part of the SSAE 18. The SOC framework 
covers organizational controls over services with the intent to: (1) 
Address needs and reporting requirements by service organizations, and 
(2) Provide valuable information, including third party risk 
assessment.
    For the reasons stated in the preamble, the Postal Service proposes 
to amend 39 CFR chapter 501 as follows:

List of Subjects in 39 CFR Part 501

    Administrative practice and procedure, Postal Service

PART 501--[AMENDED]

1. The authority citation for part 501 continues to read as follows:

    Authority: 5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410, 
2601, 2605; Inspector General Act of 1978, as amended (Pub. L. 95-452, 
as amended); 5 U.S.C. App. 3.

2. Amend § 501.15 by revising paragraphs (g), (i), and (j) to read 
as follows:


§ 501.15 Computerized Meter Resetting System

* * * * *
    (g) The RC is required to reimburse the Postal Service upon request 
for any returned checks or ACH debits for postage payments. The RC 
must, upon first becoming aware of a returned check or ACH debit, 
immediately lock the customer's CMRS account to prevent a meter reset 
until the RC receives confirmation of payment for the returned item. 
The RC is required to charge the customer a returned item fee for 
returned checks or ACH debits of $30, as may be adjusted from time to 
time, and remit the fee plus the amount of the returned item to the 
Postal Service within ten (10) calendar days after the receipt of the 
invoice.
* * * * *
    (i) Security and Revenue Protection. To receive Postal Service 
approval to continue to operate systems in the postage meters 
environment, the RC must submit to a periodic examination and provide a 
SOC1 Type II Report of its meter system and any other applications and 
technology infrastructure that may have a material impact on Postal 
Service revenues, as determined by the Postal Service. Additionally, RC 
must submit to a periodic examination and provide a SOC2 Type II Report 
of its meter system data security, accuracy, processing integrity and 
data integrity for any applications, reports, and technology 
infrastructure that may have a material impact on the RC's reports, 
which the Postal Service relies upon. The examinations shall be 
performed by a qualified, independent audit firm and shall be conducted 
in accordance with the Statements on Standards for Attestation 
Engagements (SSAEs) No. 18, Service Organizations, developed by the 
American Institute of Certified Public Accountants (AICPA), as amended 
or superseded. Expenses associated with such examination shall be 
incurred by the RC. The examination shall include testing of the 
operating effectiveness of relevant RC internal controls (SOC 1 Type II 
SSAE 18 & SOC2 Type II SSAE 18 Reports). If the service organization 
uses another service organization (sub-service provider), the RC should 
consider the nature and materiality of the transactions and data 
processed by the sub-service organization and the contribution of the 
sub-service organization's processes and controls in the achievement of 
the Postal Service's control objectives. Resetting companies are 
expected to submit any request for changes to control objectives by 
December 31 of each year, which will be taken under consideration by 
the Postal Service for review and approval. The Postal Service will 
provide common control objectives to be covered by the SOC 1 Type II 
SSAE 18 by February 28 each year. As a result of the examination, the 
service auditor shall provide the RC and the Postal Service with an 
opinion on the design and operating effectiveness of the RC's internal 
controls related to the meter system and any other applications and 
technology infrastructure considered material to the services provided 
to the Postal Service by the RC. SOC1 and SOC2 examinations are to be 
conducted on no less than an annual basis, and are to be as of and for 
the 12 months ended June 30 of each year (except for new contracts for 
which the examination period will be no less than the period from the 
contract date to the 
following June 30, unless otherwise agreed to by the Postal Service). 
The SOC1 and SOC2 examination reports are to be provided to the Postal 
Service by August 15 of each year. To the extent that internal control 
weaknesses are identified in a SOC report, the Postal Service requires 
prompt communication and remediation of such weaknesses and shall have 
the right to review working papers and engage in discussions about the 
work performed with the service auditor. The Postal Service requires 
that all remediation efforts (if applicable) are completed and reported 
by the RC prior to the Postal Service's fiscal year end (September 30). 
In addition, the RC will be responsible for performing an examination 
of their internal control environment related to the meter system and 
any other applications and technology infrastructure considered 
material to the services provided to the Postal Service by the RC, in 
particular, disclosing changes to internal controls for the period of 
July 1 to September 30. This examination should be documented and 
submitted to the Postal Service by October 14 of each year. The RC will 
be responsible for all costs related to the examinations conducted by 
the service auditor and the RC.
    (j) Inspection of records and facilities. The RC must make its 
facilities that handle the operation of the computerized resetting 
system and all records about the operation of the system available for 
inspection by representatives of the Postal Service at all reasonable 
times. At its discretion, the Postal Service may continue to fund 
inspections as it has in the past, provided the costs are not 
associated with a particular security issue related to the RC's meter 
systems and supporting infrastructure.
* * * * *
3. Amend Sec.  501.16 by revising paragraphs (d) and (f) to read as
follows:


Sec.  501.16  PC postage payment methodology

* * * * *
    (d) The provider must reimburse the Postal Service upon request for 
any returned checks or ACH debits for postage payments. The provider 
must, upon first becoming aware of a returned check or ACH debit, 
immediately lock the customer account to prevent resetting the account 
until the provider receives confirmation of payment for the returned 
item. The provider is required to charge the customer a returned item 
fee for returned checks and ACH debits of $30, as may be adjusted from 
time to time, and remit the fee plus the amount of the returned item to 
the Postal Service within ten (10) calendar days after the receipt of 
the invoice.
* * * * *
    (f) Security and Revenue Protection. To receive Postal Service 
approval to continue to operate PC Postage systems, the provider must 
submit to a periodic examination and provide a SOC1 Type II Report of 
its PC Postage system and any other applications and technology 
infrastructure that may have a material impact on Postal Service 
revenues, as determined by the Postal Service.
    Additionally, the provider must submit to a periodic examination and
provide a SOC2 Type II Report of its meter system data security, 
accuracy, processing integrity and data integrity for any applications, 
reports, and technology infrastructure that may have a material impact 
on the provider's reports, which the Postal Service relies upon. The 
examination shall be performed by a qualified, independent audit firm 
and shall be conducted in accordance with the Statements on Standards 
for Attestation Engagements (SSAEs) No. 18, Service Organizations, 
developed by the American Institute of Certified Public Accountants 
(AICPA), as amended or superseded. Expenses associated with such 
examination shall be incurred by the provider. The examination shall 
include testing of the operating effectiveness of relevant provider 
internal controls (SOC1 Type II SSAE 18 Report). If the service 
organization uses another service organization (sub-service provider), 
the provider should consider the nature and materiality of the 
transactions processed by the sub-service organization and the 
contribution of the sub-service organization's processes and controls 
in the achievement of the Postal Service's control objectives. The 
control objectives to be covered by the SOC 1 Type II SSAE 18 report 
are subject to Postal Service review and approval, and are to be 
provided to the Postal Service 30 days prior to the initiation of each 
examination period. Resetting companies are expected to submit any 
request for changes to control objectives by December 31 of each year, 
which will be taken under consideration by the Postal Service for 
review and approval. The Postal Service will provide common control 
objectives to be covered by the SOC 1 Type II SSAE 18 by February 28 
each year. As a result of the examination, the service auditor shall 
provide the provider and the Postal Service with an opinion on the 
design and operating effectiveness of the provider's internal controls 
related to the meter system, and any other applications and technology 
infrastructure considered material to the services provided to the 
Postal Service by the RC. SOC1 and SOC2 examinations are to be 
conducted on no less than an annual basis, and are to be as of and for 
the 12 months ended June 30 of each year (except for new contracts for 
which the examination period will be no less than the period from the 
contract date to the following June 30, unless otherwise agreed to by 
the Postal Service). The SOC1 and SOC2 examination reports are to be 
provided to the Postal Service by August 15 of each year. To the extent 
that internal control weaknesses are identified in a SOC 1 Type II SSAE 
18 report, the Postal Service requires prompt communication and 
remediation of such weaknesses and will review working papers and 
engage in discussions about the work performed with the service 
auditor. The Postal Service requires that all remediation efforts (if 
applicable) are completed and reported by the provider to the Postal 
Service's fiscal year end (September 30). In addition, the provider 
will be responsible for performing an examination of their internal 
control environment related to the meter system and any other 
applications and technology infrastructure considered material to the 
services provided to the Postal Service by the provider, in particular, 
disclosing changes to internal controls for the period of July 1 to 
September 30. This examination should be documented and submitted to 
the Postal Service by October 14 each year. The provider will be 
responsible for all costs related to the examinations conducted by the 
service auditor and the RC.
* * * * *

Brittany M. Johnson,
Attorney, Federal Compliance.
[FR Doc. 2019-21576 Filed 10-4-19; 8:45 am]
 BILLING CODE P

