Authorization To Manufacture and Distribute Postage Evidencing Systems, 12870-12874 [2020-03562]

Download as PDF 12870 Federal Register / Vol. 85, No. 44 / Thursday, March 5, 2020 / Rules and Regulations AIRAC date State City Airport FDC date 26–Mar–20 ........ 26–Mar–20 ........ 26–Mar–20 ........ FL FL NY Titusville ............................. Titusville ............................. New York ........................... Arthur Dunn Air Park ......... Arthur Dunn Air Park ......... John F Kennedy Intl .......... 0/8867 0/8868 0/8874 2/6/20 2/6/20 2/7/20 26–Mar–20 ........ FL Bonifay ............................... Tri-County .......................... 0/8877 2/6/20 26–Mar–20 ........ TX Denton ............................... Denton Enterprise .............. 0/8892 2/6/20 26–Mar–20 ........ AZ Tucson ............................... Tucson Intl ......................... 0/8926 2/3/20 26–Mar–20 ........ AZ Tucson ............................... Tucson Intl ......................... 0/9081 2/3/20 26–Mar–20 ........ 26–Mar–20 ........ 26–Mar–20 ........ OR ND CA Grants Pass ....................... Grand Forks ....................... Sacramento ........................ Grants Pass ....................... Grand Forks Intl ................. Sacramento Mather ........... 0/9185 0/9985 9/4931 2/7/20 2/11/20 2/6/20 26–Mar–20 ........ IN Indianapolis ........................ Indianapolis Intl .................. 9/4955 1/28/20 26–Mar–20 ........ IN Indianapolis ........................ Indianapolis Intl .................. 9/4956 1/28/20 26–Mar–20 ........ IN Columbus ........................... Columbus Muni .................. 9/9469 1/21/20 [FR Doc. 2020–04175 Filed 3–4–20; 8:45 am] BILLING CODE 4910–13–P POSTAL SERVICE 39 CFR Part 501 Authorization To Manufacture and Distribute Postage Evidencing Systems Postal ServiceTM. ACTION: Final rule. AGENCY: The Postal Service is amending its Postage Evidencing Systems regulations. These changes put the financial responsibility for returned checks and returned Automated Clearinghouse (ACH) debit payments on the applicable resetting company (RC) and PC Postage provider. These responsibilities include providing reimbursement for any penalties or fines imposed on the Postal Service for returned checks or ACH debit payments, and remitting the amount of the returned check or ACH debit payment, as applicable, plus the reimbursement to the Postal Service within 10 federal banking days of the date the invoice is mailed. These changes also update the Statement on Standards for Attestation Engagements (SSAE) 18 requirements and add the requirement for System and Organization Control (SOC) 2 reporting. DATES: Effective March 5, 2020. FOR FURTHER INFORMATION CONTACT: Lisa H Arcari, Director, Commercial SUMMARY: khammond on DSKJM1Z7X2PROD with RULES FDC No. VerDate Sep<11>2014 15:45 Mar 04, 2020 Jkt 250001 Payment, lisa.h.arcari@usps.gov, 202– 268–4270. SUPPLEMENTARY INFORMATION: The Postal Service issued proposed revisions to 39 CFR part 501, set forth in the Federal Register on October 7, 2019 (84 FR 53353). The proposal made several major changes: (1) Imposing the financial responsibility for returned checks and returned Automated Clearinghouse (ACH) debit payments on the resetting companies (Postage Meter Manufacturers) and on the PC Postage Providers, as applicable (collectively ‘‘Providers’’), (2) imposing a $30 return fee on the Providers for returned checks and ACH debits, and (3) requiring the Providers to submit System and Organization Control (SOC) 2, Type II reports to the Postal Service as a requirement for continued operations as a Provider. Five sets of comments were received in response to the Federal Register Notice, from FP USA (Francotyp Postalia), Pitney Bowes Inc., Stamps.com/Endicia (PSI Systems, Inc.), Neopost USA (soon to be Quadient), and PostCom. There are four common themes throughout these comments; as such they can be broken down as follows: ACH Returns Industry Comments The proposal to impose financial responsibility for returned checks and returned ACH debit payments received several comments. Some commenters opined that the proposed rule unfairly PO 00000 Frm 00012 Fmt 4700 Sfmt 4700 Subject RNAV (GPS)-A, Orig-A. RNAV (GPS)-B, Orig-A. RNAV (RNP) Z RWY 31R, Amdt 1A. RNAV (GPS) RWY 19, Orig-B. RNAV (GPS) RWY 36, Amdt 2B. RNAV (GPS) RWY 11R, Orig-C. ILS OR LOC RWY 11L, Amdt 14B. RNAV (GPS)-A, Orig. VOR RWY 17R, Amdt 6A. ILS OR LOC RWY 22L (SA CAT I), ILS RWY 22L (SA CAT II), Amdt 7. ILS OR LOC RWY 5R, ILS RWY 5R (SA CAT I), ILS RWY 5R (CAT II), ILS RWY 5R (CAT III), Amdt 7. RNAV (RNP) Z RWY 23L, Amdt 2. ILS OR LOC RWY 23, Amdt 8. makes providers liable for ACH returns and will lead to a reduction of ACH use by customers at a time when the Postal Service is trying to increase its use. Although Providers bear this financial responsibility for credit cards, the credit card real-time validation process is much more robust, and ACH returns are not revealed until several days after the transaction occurs. This risk continues with each ACH debit transaction, unlike for credit cards. While acknowledging that Providers are and should be responsible for helping the Postal Service to try to collect ACH return funds on the Postal Service’s behalf, many commenters believe it is unreasonable for the Providers to take on this financial burden. One commenter believes the proposed rule offered little explanation as to why the changes are necessary or whether there will be any benefits. Instead of changing its regulations, this commenter suggests that the Postal Service should work with the small pool of Providers to come up with a solution for ACH debit returns. Another commenter contends that shifting liability for ACH returns is a customer unfriendly unlawful taking, and that it violates Executive Order 13771 relating to economically significant regulatory actions that impose costs on industry. Some commenters also argued that automatically locking customer accounts would cause significant service interruptions to large customers in connection with routine business activities, resulting in customers switching to a non-Postal service E:\FR\FM\05MRR1.SGM 05MRR1 Federal Register / Vol. 85, No. 44 / Thursday, March 5, 2020 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES provider or to non-ACH payment methods. If the risk of ACH returns is now shifted to the Providers, these commenters argue that they should have the discretion to decide whether or not to lock the account since they will be bearing the risk of non-payment. Another commenter added that, if the Postal Service intends to impose the risk of a failed payment on the Providers, then the Providers should have the discretion to delay refilling meters and PC Postage accounts until check payments clear and ACH transactions are proven effective. Along these same lines, another commenter requested that, since the checks and ACH debit transactions are made payable to the Postal Service, the Postal Service should assign the Providers the legal right to pursue customers for returned checks and ACH debits. With respect to the processing of ACH payments, one commenter suggested that the Postal Service should work with Citibank to implement same-day ACH as an option to allow providers the ability to reduce the delay in disabling customers for returned ACH debits. According to this commenter, the current ACH process can take up to 10 days to receive a return transaction, and the Postal Service and Citibank should work on a plan to implement a ‘Real Time’ ACH validation. This commenter also suggested that Providers should be given 45 days to collect returned postage download amounts from customers, noting its position that 10 days does not give the customer sufficient time to work with internal accounts payable departments to process replacement payments. Finally, one commenter expressed the view that the change is directed at PC Postage vendors, who caused this issue by not addressing it long ago. This commenter believes the Postal Service is placing an undue burden on meter manufacturers for a problem caused by PC Postage vendors. USPS Response The Postal Service agrees with some of these comments and proposals, while disagreeing with others, as described below. As an initial matter, the Postal Service notes that the National Automated Clearing House Association (NACHA) manages the development, administration, and governance of the ACH Network. The NACHA Rules, which the Postal Service is obliged to follow, provide the legal and operational foundation of the ACH network, and are meant to safeguard customers’ sensitive data. Imposing responsibility for returned checks and VerDate Sep<11>2014 15:45 Mar 04, 2020 Jkt 250001 returned ACH debit payments on Providers encourages the Providers to take adequate measures to authenticate the identity of their customers through account validation and to ensure that each account that is debited is authorized. Providers have direct relationships with the shippers and mailers who are their customers, and they are in the best position to authenticate the customers and their accounts. This requirement also aligns with NACHA Know Your Customer guidance and best practices. The Provider must adhere to the ACH returns to ACH volume thresholds as outlined in the NACHA operating rules and guidelines. The Postal Service intends to work with Providers to offer its expertise and guidance on these rules. With respect to the locking of customer accounts, the Postal Service notes that this is not a new requirement; the wording was updated from the original regulation for clarity. The Providers should not have discretion on whether or not to lock the account, as continuing to allow ACH debit returns violates NACHA rules, to which the Postal Service is subject. The Postal Service agrees with the suggestion that Providers should have the discretion to delay refilling meters and PC Postage accounts until check payments clear and ACH transactions are proven effective. Providers currently have this discretion, and will continue to have it under the final rule. The Postal Service also agrees with the proposal that it assign Providers the legal right to pursue customers for returned checks and ACH debits. Discussions concerning the implementation of this proposal will occur after the rule is published. The Postal Service disagrees that imposing responsibility on Providers for ACH returns involves a taking of property under the Fifth Amendment or a violation of any applicable Executive order. Remitting payment via ACH is the customer’s choice, not a regulatory requirement that is imposed by the Postal Service. Moreover, requiring Providers to cover the cost of ACH returns is consistent with industry practice, as explained above. As for the suggestion that the Postal Service work with Citibank to implement same-day ACH or ‘‘Real Time’’ ACH validation, based on our experience, ACH debit returns that take 10 days are not the norm. The Postal Service would need more information on returns past the two-day window to research. In any event, the Postal Service is in the process of evaluating the impacts to the Postal Service of PO 00000 Frm 00013 Fmt 4700 Sfmt 4700 12871 same-day ACH and the effectiveness of these products to Providers. After the Postal Service’s positive review of the feasibility of same-day ACH transactions in this context, meter manufacturers and PC Postage providers interested in any of these products should inform the Postal Service, and the Postal Service will review these requests on a case-bycase basis. In addition, to clarify the proposed timeline in response to the suggestion that Providers be given 45 days to collect returned postage amounts from customers, the Postal Service notes that invoices will be generated on a monthly basis for returns incurred for the previous month. The 10-day period will start once the invoice for returns from the previous month is mailed. In other words, the 10-day window does not begin on the day the ACH debit return occurs, but rather on the day the Postal Service invoice is mailed. The financial responsibility for ACH debit returns will be shifted to the providers beginning April 1, 2020. The first invoice will be sent in early May 2020 for the debit returns that occurred in April. Finally, the Postal Service disagrees with the assessment that the proposed rule places an undue burden on meter manufacturers for a problem caused by PC Postage vendors. The Postal Service already holds and is continuing to hold PC Postage Providers and meter manufacturers to the same standards. $30 Return Fee Industry Comments Several commenters expressed concerns that the proposed $30 ACH return fee would have negative processing and customer service implications, which would discourage customers’ continued use of ACH. They believe many customers would object to paying the fee, and may leave the Postal Service if the fee cannot be waived, particularly if service cannot be immediately restored. If the Postal Service wants to collect this fee, they argue, then the Postal Service should do so itself so that it can exercise discretion on whether the fee should be waived. These commenters also noted that the proposed fee would add cost to the Providers without providing any benefit to them. Updates to systems and to Postal Service reporting for these fees, including daily balance accounting reconciliation (DBAR) updates, would require definition before an estimated implementation timeline could be provided. In addition, because changes to these systems could affect the SOC reports, SOC control objectives would E:\FR\FM\05MRR1.SGM 05MRR1 12872 Federal Register / Vol. 85, No. 44 / Thursday, March 5, 2020 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES need to be updated for this change. These commenters also suggested that the ACH fee should be able to be deducted from customers’ prepaid funds (if available), and the DBAR should be updated to reflect this option. One commenter suggested that the Postal Service should provide the industry with updated Postal Service terms and conditions to support the fees for returned ACH debits and checks. Because new terms would apply to the fees, the commenter noted its expectation that the fee would only apply to new and renewal customers. The commenter suggested further that the Postal Service should clarify that individual Providers are only responsible for charging for returned checks and ACH credits for the Providers’ active customers. USPS Response Charging the customer a fee for a returned ACH transaction is a common practice, and the $30 amount of the fee is consistent with the existing charge for bounced checks. Nevertheless, upon further consideration and in response to the commenters’ concerns, the Postal Service has decided to eliminate the $30 fee in the final rule. The fee was intended to reimburse the Postal Service for costs it may incur in connection with returned checks or ACH debit payments. As an alternative to an automatic $30 fee for every returned item, the final rule reserves the Postal Service’s right to seek reimbursement from a Provider for any penalties or fines that are imposed on the Postal Service (for example, by a bank) occasioned by repeated returned checks or ACH debit payments from that Provider’s customer. This would be in accord with current practice and would encourage the Providers to review and vet their customers and their behavior, to avoid being assessed penalties or fines. If the Postal Service does not incur any such penalties or fines, then the Provider will only be responsible for the amount of the returned check or ACH debit payment, as applicable, without any additional fees imposed. Under the final rule, the Provider may choose whether to pass any such reimbursement costs (of penalties or fines) on to its customer. The comments relating to applicability of the $30 fee to new and renewal customers and/or active customers are largely moot, in light of the Postal Service’s decision to eliminate the $30 fee. However, it should be noted that Providers will be responsible for reimbursement of fines and penalties incurred by the Postal Service, regardless of whether the VerDate Sep<11>2014 15:45 Mar 04, 2020 Jkt 250001 customers that caused those issues are new, renewal, active, or other customers of the Provider. SOC 2, Type II Report Industry Comments Several commenters addressed the proposal to require SOC 2, Type II reporting. For example, they stated that the scope of the SOC 2 Type II mandate should be relevant to the information exchanged, and should be narrowly drawn to those applications, reports, and technology relevant to the Postal Service’s controls. Commenters also argued that the report should address privacy. Other commenters stated that the changes required to support a SOC 2 Type II report will take considerable effort to scope, develop, test and implement, and that this is an unreasonable expense and burden on the industry. Finally, the commenters noted that the Postal Service needs to provide the industry with the SOC 2 Control objectives. Control objectives provided by February 28 of each year should be required to be implemented in the next audit period. USPS Response The Postal Service disagrees with limiting the scope to only those applications mentioned by the commenters and privacy. The purpose of the SOC 2 reporting is to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. The goal is to understand the security posture of the entire organization. As for the commenters’ concerns about expense and burden, SOC 2 reporting is an industry standard, and has been for many years. There is an expense, but it is to the industry’s benefit too. The Postal Service will give the industry reasonable time to adopt these changes. The Postal Service agrees that it should provide the industry with SOC 2 control objectives, and will provide these by March 18, 2020 for the Type I report and by January 31 of each year to be implemented in the appropriate audit period for Type II reports. The Postal Service will strive to give the industry ample time to implement any changes to control objectives from one year to the next. PO 00000 Frm 00014 Fmt 4700 Sfmt 4700 General Comments Industry comment: The implementation timeframes in the proposal need to be clarified for both items. USPS response: The Postal Service will require a SOC 2 Type I report by July 1, 2020, the Postal Service will provide the initial control objectives by March 18, 2020. The first SOC 2 Type II report will be due August 15, 2021, and the subsequent Type II reports will be due on August 15 each year going forward. For future years, the Postal Service will provide the SOC 2 control objectives by January 31. Industry comment: The Postal Service teams should have raised the proposed rules as an issue during the Industry meetings. Discussion at industry meetings would have allowed the industry to educate the Postal Service on each provider’s processes and discuss a phased plan to achieve the Postal Service objectives. USPS response: NACHA’s upcoming rule changes and customer validation were discussed at the July 25, 2019 Industry Working meeting. The NACHA webinars were made available to the industry. It is within the Postal Service’s discretion whether and how much to discuss a proposed rule with the industry before publishing. List of Subjects in 39 CFR Part 501 Administrative practice and procedure, Postal Service. For the reasons stated in the preamble, the Postal Service amends 39 CFR part 501 as follows: PART 501—[AMENDED] 1. The authority citation for part 501 continues to read as follows: ■ Authority: 5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410, 2601, 2605; Inspector General Act of 1978, as amended (Pub. L. 95– 452, as amended); 5 U.S.C. App. 3. 2. Amend § 501.15 by revising paragraphs (g), (i), and (j) to read as follows: ■ § 501.15 Computerized Meter Resetting System. * * * * * (g) Financial responsibility for returned payments. The RC is required to reimburse the Postal Service upon request for any returned checks or ACH debits for postage payments. The RC must, upon first becoming aware of a returned check or ACH debit, immediately lock the customer’s CMRS account to prevent a meter reset until the RC receives confirmation of payment for the returned item. If a E:\FR\FM\05MRR1.SGM 05MRR1 khammond on DSKJM1Z7X2PROD with RULES Federal Register / Vol. 85, No. 44 / Thursday, March 5, 2020 / Rules and Regulations penalty or fine is assessed against the Postal Service for returned checks or ACH debit payments from an RC’s customer, the Postal Service may request reimbursement for such penalty or fine from the RC. The RC is required to remit the amount of the returned item to the Postal Service plus the reimbursement request, to the extent applicable, within ten (10) banking days. Invoices will be created monthly for returns and/or applicable penalties or fines incurred for the previous month. The 10 banking days will start once the invoice is mailed. The RC has discretion to decide whether to charge its customer for any such reimbursement costs (of penalties or fines) the RC pays to the Postal Service in connection with the customer’s returned check or ACH debit. * * * * * (i) Security and revenue protection. To receive Postal Service approval to continue to operate systems in the postage meters environment, the RC must submit to a periodic examination and provide a System and Organization Control (SOC) 1 Type II Report of its meter system and any other applications and technology infrastructure that may have a material impact on Postal Service revenues, as determined by the Postal Service. Additionally, RC must submit to a periodic examination and provide a SOC 2 Type II Report of its meter system data security, accuracy, processing integrity and data integrity for any applications, reports, and technology infrastructure that may have a material impact on the RC’s reports, which the Postal Service relies upon. For the initial SOC 2 Type I report, the Postal Service will provide the control objectives by March 18, 2020. The due date for the initial SOC 2 Type I is July 1, 2020, with the SOC 2 Type II due on August 15, 2021. Both the SOC 1 and SOC 2 examinations shall be performed by a qualified, independent audit firm and shall be conducted in accordance with the Statements on Standards for Attestation Engagements (SSAEs) No. 18, Service Organizations, developed by the American Institute of Certified Public Accountants (AICPA), as amended or superseded. Expenses associated with such examination shall be incurred by the RC. The examination shall include testing of the operating effectiveness of relevant RC internal controls (SOC 1 Type II SSAE 18 & SOC 2 Type II SSAE 18 Reports). If the service organization uses another service organization (sub-service provider), the RC should consider the nature and materiality of the transactions and data processed by the VerDate Sep<11>2014 15:45 Mar 04, 2020 Jkt 250001 sub-service organization and the contribution of the sub-service organization’s processes and controls in the achievement of the Postal Service’s control objectives. Resetting companies are expected to submit any request for changes to control objectives by December 31 of each year, which will be taken under consideration by the Postal Service for review and approval. The Postal Service will provide common control objectives to be covered by the SOC 1 Type II SSAE 18 by January 31 each year. As a result of the examination, the service auditor shall provide the RC and the Postal Service with an opinion on the design and operating effectiveness of the RC’s internal controls related to the meter system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the RC. SOC 1 and SOC 2 examinations are to be conducted on no less than an annual basis, and are to be as of and for the 12 months ended June 30 of each year (except for new contracts for which the examination period will be no less than the period from the contract date to the following June 30, unless otherwise agreed to by the Postal Service). The SOC 1 and SOC 2 examination reports are to be provided to the Postal Service by August 15 of each year. To the extent that internal control weaknesses are identified in a SOC report, the Postal Service requires prompt communication and remediation of such weaknesses and shall have the right to review working papers and engage in discussions about the work performed with the service auditor. The Postal Service requires that all remediation efforts (if applicable) are completed and reported by the RC prior to the Postal Service’s fiscal year end (September 30). In addition, the RC will be responsible for evaluating its internal control environment related to the meter system and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the RC, in particular, disclosing changes to internal controls for the period of July 1 to September 30. This evaluation should be documented and submitted to the Postal Service by October 15 of each year. The RC will be responsible for all costs related to the examinations conducted by the service auditor and the RC. (j) Inspection of records and facilities. The RC must make its facilities that handle the operation of the computerized resetting system and all records about the operation of the system available for inspection by representatives of the Postal Service at PO 00000 Frm 00015 Fmt 4700 Sfmt 4700 12873 all reasonable times. At its discretion, the Postal Service may continue to fund inspections as it has in the past, provided the costs are not associated with a particular security issue related to the RC’s meter systems and supporting infrastructure. * * * * * ■ 3. Amend § 501.16 by revising paragraph (d) and (f) to read as follows: § 501.16 PC postage payment methodology. * * * * * (d) Financial responsibility for returned payments. The provider must reimburse the Postal Service upon request for any returned checks or ACH debits for postage payments. The provider must, upon first becoming aware of a returned check or ACH debit, immediately lock the customer account to prevent resetting the account until the provider receives confirmation of payment for the returned item. If a penalty or fine is assessed against the Postal Service for returned checks or ACH debit payments from a provider’s customer, the Postal Service may request reimbursement for such penalty or fine from the provider. The provider is required to remit the amount of the returned item plus the amount of the reimbursement request, to the extent applicable, to the Postal Service within ten (10) banking days. Invoices will be created monthly for returns and/or applicable penalties or fines incurred for the previous month. The 10 banking days will start once the invoice is mailed. The provider has discretion to decide whether to charge its customer for any such reimbursement costs (of penalties or fines) the provider pays to the Postal Service in connection with the customer’s returned check or ACH debit. * * * * * (f) Security and revenue protection. To receive Postal Service approval to continue to operate PC Postage systems, the provider must submit to a periodic examination and provide a SOC 1 Type II Report of its PC Postage system and any other applications and technology infrastructure that may have a material impact on Postal Service revenues, as determined by the Postal Service. Additionally, provider must submit to a periodic examination and provide a SOC 2 Type II Report of its meter system data security, accuracy, processing integrity and data integrity for any applications, reports, and technology infrastructure that may have a material impact on the provider’s reports, which the Postal Service relies upon. The examination shall be performed by a E:\FR\FM\05MRR1.SGM 05MRR1 12874 Federal Register / Vol. 85, No. 44 / Thursday, March 5, 2020 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES qualified, independent audit firm and shall be conducted in accordance with the Statements on Standards for Attestation Engagements (SSAEs) No. 18, Service Organizations, developed by the American Institute of Certified Public Accountants (AICPA), as amended or superseded. Expenses associated with such examination shall be incurred by the provider. The examination shall include testing of the operating effectiveness of relevant provider internal controls (SOC 1 Type II SSAE 18 Report). If the service organization uses another service organization (sub-service provider), the provider should consider the nature and materiality of the transactions processed by the sub-service organization and the contribution of the sub-service organization’s processes and controls in the achievement of the Postal Service’s control objectives. The control objectives to be covered by the SOC 1 Type II SSAE 18 report are subject to Postal Service review and approval, and are to be provided to the Postal Service 30 days prior to the initiation of each examination period. Resetting companies are expected to submit any request for changes to control objectives by December 31 of each year, which will be taken under consideration by the Postal Service for review and approval. The Postal Service will provide common control objectives to be covered by the SOC 1 Type II SSAE 18 by January 31 each year. As a result of the examination, the service auditor VerDate Sep<11>2014 15:45 Mar 04, 2020 Jkt 250001 shall provide the provider and the Postal Service with an opinion on the design and operating effectiveness of the provider’s internal controls related to the meter system, and any other applications and technology infrastructure considered material to the services provided to the Postal Service by the RC. SOC 1 and SOC 2 examinations are to be conducted on no less than an annual basis, and are to be as of and for the 12 months ended June 30 of each year (except for new contracts for which the examination period will be no less than the period from the contract date to the following June 30, unless otherwise agreed to by the Postal Service). The SOC 1 and SOC 2 examination reports are to be provided to the Postal Service by August 15 of each year. To the extent that internal control weaknesses are identified in a SOC 1 Type II SSAE 18 report, the Postal Service requires prompt communication and remediation of such weaknesses and will review working papers and engage in discussions about the work performed with the service auditor. The Postal Service requires that all remediation efforts (if applicable) are completed and reported by the provider to the Postal Service’s fiscal year end (September 30). In addition, the provider will be responsible evaluating its internal control environment related to the meter system and any other applications and technology infrastructure considered material to the services provided to the Postal Service PO 00000 Frm 00016 Fmt 4700 Sfmt 9990 by the provider, in particular, disclosing changes to internal controls for the period of July 1 to September 30. This evaluation should be documented and submitted to the Postal Service by October 15 each year. The provider will be responsible for all costs related to the examinations conducted by the service auditor and the RC. * * * * * Brittany M. Johnson, Attorney, Federal Compliance. [FR Doc. 2020–03562 Filed 3–4–20; 8:45 am] BILLING CODE P ENVIRONMENTAL PROTECTION AGENCY 40 CFR Part 52 [EPA–R09–OAR–2019–0439; FRL–10005– 31–Region 9] Air Plan Approval; California; Mojave Desert Air Quality Management District Correction In Rule document 2020–03251, appearing on pages 11812–11814, in the issue of Thursday, February 27, 2020, make the following correction: On page 11812, in the first column, the subject-line is corrected to read as set forth above. [FR Doc. C1–2020–03251 Filed 3–4–20; 8:45 am] BILLING CODE 1301–00–D E:\FR\FM\05MRR1.SGM 05MRR1

Agencies

[Federal Register Volume 85, Number 44 (Thursday, March 5, 2020)]
[Rules and Regulations]
[Pages 12870-12874]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-03562]


=======================================================================
-----------------------------------------------------------------------

POSTAL SERVICE

39 CFR Part 501


Authorization To Manufacture and Distribute Postage Evidencing 
Systems

AGENCY: Postal ServiceTM.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Postal Service is amending its Postage Evidencing Systems 
regulations. These changes put the financial responsibility for 
returned checks and returned Automated Clearinghouse (ACH) debit 
payments on the applicable resetting company (RC) and PC Postage 
provider. These responsibilities include providing reimbursement for 
any penalties or fines imposed on the Postal Service for returned 
checks or ACH debit payments, and remitting the amount of the returned 
check or ACH debit payment, as applicable, plus the reimbursement to 
the Postal Service within 10 federal banking days of the date the 
invoice is mailed. These changes also update the Statement on Standards 
for Attestation Engagements (SSAE) 18 requirements and add the 
requirement for System and Organization Control (SOC) 2 reporting.

DATES: Effective March 5, 2020.

FOR FURTHER INFORMATION CONTACT: Lisa H Arcari, Director, Commercial 
Payment, [email protected], 202-268-4270.

SUPPLEMENTARY INFORMATION: The Postal Service issued proposed revisions 
to 39 CFR part 501, set forth in the Federal Register on October 7, 
2019 (84 FR 53353). The proposal made several major changes: (1) 
Imposing the financial responsibility for returned checks and returned 
Automated Clearinghouse (ACH) debit payments on the resetting companies 
(Postage Meter Manufacturers) and on the PC Postage Providers, as 
applicable (collectively ``Providers''), (2) imposing a $30 return fee 
on the Providers for returned checks and ACH debits, and (3) requiring 
the Providers to submit System and Organization Control (SOC) 2, Type 
II reports to the Postal Service as a requirement for continued 
operations as a Provider.
    Five sets of comments were received in response to the Federal 
Register Notice, from FP USA (Francotyp Postalia), Pitney Bowes Inc., 
Stamps.com/Endicia (PSI Systems, Inc.), Neopost USA (soon to be 
Quadient), and PostCom. There are four common themes throughout these 
comments; as such they can be broken down as follows:

ACH Returns

Industry Comments

    The proposal to impose financial responsibility for returned checks 
and returned ACH debit payments received several comments. Some 
commenters opined that the proposed rule unfairly makes providers 
liable for ACH returns and will lead to a reduction of ACH use by 
customers at a time when the Postal Service is trying to increase its 
use. Although Providers bear this financial responsibility for credit 
cards, the credit card real-time validation process is much more 
robust, and ACH returns are not revealed until several days after the 
transaction occurs. This risk continues with each ACH debit 
transaction, unlike for credit cards. While acknowledging that 
Providers are and should be responsible for helping the Postal Service 
to try to collect ACH return funds on the Postal Service's behalf, many 
commenters believe it is unreasonable for the Providers to take on this 
financial burden.
    One commenter believes the proposed rule offered little explanation 
as to why the changes are necessary or whether there will be any 
benefits. Instead of changing its regulations, this commenter suggests 
that the Postal Service should work with the small pool of Providers to 
come up with a solution for ACH debit returns. Another commenter 
contends that shifting liability for ACH returns is a customer 
unfriendly unlawful taking, and that it violates Executive Order 13771 
relating to economically significant regulatory actions that impose 
costs on industry.
    Some commenters also argued that automatically locking customer 
accounts would cause significant service interruptions to large 
customers in connection with routine business activities, resulting in 
customers switching to a non-Postal service

[[Page 12871]]

provider or to non-ACH payment methods. If the risk of ACH returns is 
now shifted to the Providers, these commenters argue that they should 
have the discretion to decide whether or not to lock the account since 
they will be bearing the risk of non-payment. Another commenter added 
that, if the Postal Service intends to impose the risk of a failed 
payment on the Providers, then the Providers should have the discretion 
to delay refilling meters and PC Postage accounts until check payments 
clear and ACH transactions are proven effective. Along these same 
lines, another commenter requested that, since the checks and ACH debit 
transactions are made payable to the Postal Service, the Postal Service 
should assign the Providers the legal right to pursue customers for 
returned checks and ACH debits.
    With respect to the processing of ACH payments, one commenter 
suggested that the Postal Service should work with Citibank to 
implement same-day ACH as an option to allow providers the ability to 
reduce the delay in disabling customers for returned ACH debits. 
According to this commenter, the current ACH process can take up to 10 
days to receive a return transaction, and the Postal Service and 
Citibank should work on a plan to implement a `Real Time' ACH 
validation. This commenter also suggested that Providers should be 
given 45 days to collect returned postage download amounts from 
customers, noting its position that 10 days does not give the customer 
sufficient time to work with internal accounts payable departments to 
process replacement payments.
    Finally, one commenter expressed the view that the change is 
directed at PC Postage vendors, who caused this issue by not addressing 
it long ago. This commenter believes the Postal Service is placing an 
undue burden on meter manufacturers for a problem caused by PC Postage 
vendors.

USPS Response

    The Postal Service agrees with some of these comments and 
proposals, while disagreeing with others, as described below.
    As an initial matter, the Postal Service notes that the National 
Automated Clearing House Association (NACHA) manages the development, 
administration, and governance of the ACH Network. The NACHA Rules, 
which the Postal Service is obliged to follow, provide the legal and 
operational foundation of the ACH network, and are meant to safeguard 
customers' sensitive data. Imposing responsibility for returned checks 
and returned ACH debit payments on Providers encourages the Providers 
to take adequate measures to authenticate the identity of their 
customers through account validation and to ensure that each account 
that is debited is authorized. Providers have direct relationships with 
the shippers and mailers who are their customers, and they are in the 
best position to authenticate the customers and their accounts. This 
requirement also aligns with NACHA Know Your Customer guidance and best 
practices. The Provider must adhere to the ACH returns to ACH volume 
thresholds as outlined in the NACHA operating rules and guidelines. The 
Postal Service intends to work with Providers to offer its expertise 
and guidance on these rules.
    With respect to the locking of customer accounts, the Postal 
Service notes that this is not a new requirement; the wording was 
updated from the original regulation for clarity. The Providers should 
not have discretion on whether or not to lock the account, as 
continuing to allow ACH debit returns violates NACHA rules, to which 
the Postal Service is subject.
    The Postal Service agrees with the suggestion that Providers should 
have the discretion to delay refilling meters and PC Postage accounts 
until check payments clear and ACH transactions are proven effective. 
Providers currently have this discretion, and will continue to have it 
under the final rule.
    The Postal Service also agrees with the proposal that it assign 
Providers the legal right to pursue customers for returned checks and 
ACH debits. Discussions concerning the implementation of this proposal 
will occur after the rule is published.
    The Postal Service disagrees that imposing responsibility on 
Providers for ACH returns involves a taking of property under the Fifth 
Amendment or a violation of any applicable Executive order. Remitting 
payment via ACH is the customer's choice, not a regulatory requirement 
that is imposed by the Postal Service. Moreover, requiring Providers to 
cover the cost of ACH returns is consistent with industry practice, as 
explained above.
    As for the suggestion that the Postal Service work with Citibank to 
implement same-day ACH or ``Real Time'' ACH validation, based on our 
experience, ACH debit returns that take 10 days are not the norm. The 
Postal Service would need more information on returns past the two-day 
window to research. In any event, the Postal Service is in the process 
of evaluating the impacts to the Postal Service of same-day ACH and the 
effectiveness of these products to Providers. After the Postal 
Service's positive review of the feasibility of same-day ACH 
transactions in this context, meter manufacturers and PC Postage 
providers interested in any of these products should inform the Postal 
Service, and the Postal Service will review these requests on a case-
by-case basis.
    In addition, to clarify the proposed timeline in response to the 
suggestion that Providers be given 45 days to collect returned postage 
amounts from customers, the Postal Service notes that invoices will be 
generated on a monthly basis for returns incurred for the previous 
month. The 10-day period will start once the invoice for returns from 
the previous month is mailed. In other words, the 10-day window does 
not begin on the day the ACH debit return occurs, but rather on the day 
the Postal Service invoice is mailed.
    The financial responsibility for ACH debit returns will be shifted 
to the providers beginning April 1, 2020. The first invoice will be 
sent in early May 2020 for the debit returns that occurred in April.
    Finally, the Postal Service disagrees with the assessment that the 
proposed rule places an undue burden on meter manufacturers for a 
problem caused by PC Postage vendors. The Postal Service already holds 
and is continuing to hold PC Postage Providers and meter manufacturers 
to the same standards.

$30 Return Fee

Industry Comments

    Several commenters expressed concerns that the proposed $30 ACH 
return fee would have negative processing and customer service 
implications, which would discourage customers' continued use of ACH. 
They believe many customers would object to paying the fee, and may 
leave the Postal Service if the fee cannot be waived, particularly if 
service cannot be immediately restored. If the Postal Service wants to 
collect this fee, they argue, then the Postal Service should do so 
itself so that it can exercise discretion on whether the fee should be 
waived. These commenters also noted that the proposed fee would add 
cost to the Providers without providing any benefit to them. Updates to 
systems and to Postal Service reporting for these fees, including daily 
balance accounting reconciliation (DBAR) updates, would require 
definition before an estimated implementation timeline could be 
provided. In addition, because changes to these systems could affect 
the SOC reports, SOC control objectives would

[[Page 12872]]

need to be updated for this change. These commenters also suggested 
that the ACH fee should be able to be deducted from customers' prepaid 
funds (if available), and the DBAR should be updated to reflect this 
option.
    One commenter suggested that the Postal Service should provide the 
industry with updated Postal Service terms and conditions to support 
the fees for returned ACH debits and checks. Because new terms would 
apply to the fees, the commenter noted its expectation that the fee 
would only apply to new and renewal customers. The commenter suggested 
further that the Postal Service should clarify that individual 
Providers are only responsible for charging for returned checks and ACH 
credits for the Providers' active customers.

USPS Response

    Charging the customer a fee for a returned ACH transaction is a 
common practice, and the $30 amount of the fee is consistent with the 
existing charge for bounced checks. Nevertheless, upon further 
consideration and in response to the commenters' concerns, the Postal 
Service has decided to eliminate the $30 fee in the final rule. The fee 
was intended to reimburse the Postal Service for costs it may incur in 
connection with returned checks or ACH debit payments. As an 
alternative to an automatic $30 fee for every returned item, the final 
rule reserves the Postal Service's right to seek reimbursement from a 
Provider for any penalties or fines that are imposed on the Postal 
Service (for example, by a bank) occasioned by repeated returned checks 
or ACH debit payments from that Provider's customer. This would be in 
accord with current practice and would encourage the Providers to 
review and vet their customers and their behavior, to avoid being 
assessed penalties or fines. If the Postal Service does not incur any 
such penalties or fines, then the Provider will only be responsible for 
the amount of the returned check or ACH debit payment, as applicable, 
without any additional fees imposed. Under the final rule, the Provider 
may choose whether to pass any such reimbursement costs (of penalties 
or fines) on to its customer.
    The comments relating to applicability of the $30 fee to new and 
renewal customers and/or active customers are largely moot, in light of 
the Postal Service's decision to eliminate the $30 fee. However, it 
should be noted that Providers will be responsible for reimbursement of 
fines and penalties incurred by the Postal Service, regardless of 
whether the customers that caused those issues are new, renewal, 
active, or other customers of the Provider.

SOC 2, Type II Report

Industry Comments

    Several commenters addressed the proposal to require SOC 2, Type II 
reporting. For example, they stated that the scope of the SOC 2 Type II 
mandate should be relevant to the information exchanged, and should be 
narrowly drawn to those applications, reports, and technology relevant 
to the Postal Service's controls. Commenters also argued that the 
report should address privacy.
    Other commenters stated that the changes required to support a SOC 
2 Type II report will take considerable effort to scope, develop, test 
and implement, and that this is an unreasonable expense and burden on 
the industry.
    Finally, the commenters noted that the Postal Service needs to 
provide the industry with the SOC 2 Control objectives. Control 
objectives provided by February 28 of each year should be required to 
be implemented in the next audit period.

USPS Response

    The Postal Service disagrees with limiting the scope to only those 
applications mentioned by the commenters and privacy. The purpose of 
the SOC 2 reporting is to meet the needs of a broad range of users that 
need detailed information and assurance about the controls at a service 
organization relevant to security, availability, and processing 
integrity of the systems the service organization uses to process 
users' data and the confidentiality and privacy of the information 
processed by these systems. The goal is to understand the security 
posture of the entire organization.
    As for the commenters' concerns about expense and burden, SOC 2 
reporting is an industry standard, and has been for many years. There 
is an expense, but it is to the industry's benefit too. The Postal 
Service will give the industry reasonable time to adopt these changes.
    The Postal Service agrees that it should provide the industry with 
SOC 2 control objectives, and will provide these by March 18, 2020 for 
the Type I report and by January 31 of each year to be implemented in 
the appropriate audit period for Type II reports. The Postal Service 
will strive to give the industry ample time to implement any changes to 
control objectives from one year to the next.

General Comments

    Industry comment: The implementation timeframes in the proposal 
need to be clarified for both items.
    USPS response: The Postal Service will require a SOC 2 Type I 
report by July 1, 2020, the Postal Service will provide the initial 
control objectives by March 18, 2020. The first SOC 2 Type II report 
will be due August 15, 2021, and the subsequent Type II reports will be 
due on August 15 each year going forward. For future years, the Postal 
Service will provide the SOC 2 control objectives by January 31.
    Industry comment: The Postal Service teams should have raised the 
proposed rules as an issue during the Industry meetings. Discussion at 
industry meetings would have allowed the industry to educate the Postal 
Service on each provider's processes and discuss a phased plan to 
achieve the Postal Service objectives.
    USPS response: NACHA's upcoming rule changes and customer 
validation were discussed at the July 25, 2019 Industry Working 
meeting. The NACHA webinars were made available to the industry. It is 
within the Postal Service's discretion whether and how much to discuss 
a proposed rule with the industry before publishing.

List of Subjects in 39 CFR Part 501

    Administrative practice and procedure, Postal Service.

    For the reasons stated in the preamble, the Postal Service amends 
39 CFR part 501 as follows:

PART 501--[AMENDED]

0
1. The authority citation for part 501 continues to read as follows:

    Authority:  5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410, 
2601, 2605; Inspector General Act of 1978, as amended (Pub. L. 95-
452, as amended); 5 U.S.C. App. 3.


0
2. Amend Sec.  501.15 by revising paragraphs (g), (i), and (j) to read 
as follows:


Sec.  501.15   Computerized Meter Resetting System.

* * * * *
    (g) Financial responsibility for returned payments. The RC is 
required to reimburse the Postal Service upon request for any returned 
checks or ACH debits for postage payments. The RC must, upon first 
becoming aware of a returned check or ACH debit, immediately lock the 
customer's CMRS account to prevent a meter reset until the RC receives 
confirmation of payment for the returned item. If a

[[Page 12873]]

penalty or fine is assessed against the Postal Service for returned 
checks or ACH debit payments from an RC's customer, the Postal Service 
may request reimbursement for such penalty or fine from the RC. The RC 
is required to remit the amount of the returned item to the Postal 
Service plus the reimbursement request, to the extent applicable, 
within ten (10) banking days. Invoices will be created monthly for 
returns and/or applicable penalties or fines incurred for the previous 
month. The 10 banking days will start once the invoice is mailed. The 
RC has discretion to decide whether to charge its customer for any such 
reimbursement costs (of penalties or fines) the RC pays to the Postal 
Service in connection with the customer's returned check or ACH debit.
* * * * *
    (i) Security and revenue protection. To receive Postal Service 
approval to continue to operate systems in the postage meters 
environment, the RC must submit to a periodic examination and provide a 
System and Organization Control (SOC) 1 Type II Report of its meter 
system and any other applications and technology infrastructure that 
may have a material impact on Postal Service revenues, as determined by 
the Postal Service. Additionally, RC must submit to a periodic 
examination and provide a SOC 2 Type II Report of its meter system data 
security, accuracy, processing integrity and data integrity for any 
applications, reports, and technology infrastructure that may have a 
material impact on the RC's reports, which the Postal Service relies 
upon. For the initial SOC 2 Type I report, the Postal Service will 
provide the control objectives by March 18, 2020. The due date for the 
initial SOC 2 Type I is July 1, 2020, with the SOC 2 Type II due on 
August 15, 2021. Both the SOC 1 and SOC 2 examinations shall be 
performed by a qualified, independent audit firm and shall be conducted 
in accordance with the Statements on Standards for Attestation 
Engagements (SSAEs) No. 18, Service Organizations, developed by the 
American Institute of Certified Public Accountants (AICPA), as amended 
or superseded. Expenses associated with such examination shall be 
incurred by the RC. The examination shall include testing of the 
operating effectiveness of relevant RC internal controls (SOC 1 Type II 
SSAE 18 & SOC 2 Type II SSAE 18 Reports). If the service organization 
uses another service organization (sub-service provider), the RC should 
consider the nature and materiality of the transactions and data 
processed by the sub-service organization and the contribution of the 
sub-service organization's processes and controls in the achievement of 
the Postal Service's control objectives. Resetting companies are 
expected to submit any request for changes to control objectives by 
December 31 of each year, which will be taken under consideration by 
the Postal Service for review and approval. The Postal Service will 
provide common control objectives to be covered by the SOC 1 Type II 
SSAE 18 by January 31 each year. As a result of the examination, the 
service auditor shall provide the RC and the Postal Service with an 
opinion on the design and operating effectiveness of the RC's internal 
controls related to the meter system and any other applications and 
technology infrastructure considered material to the services provided 
to the Postal Service by the RC. SOC 1 and SOC 2 examinations are to be 
conducted on no less than an annual basis, and are to be as of and for 
the 12 months ended June 30 of each year (except for new contracts for 
which the examination period will be no less than the period from the 
contract date to the following June 30, unless otherwise agreed to by 
the Postal Service). The SOC 1 and SOC 2 examination reports are to be 
provided to the Postal Service by August 15 of each year. To the extent 
that internal control weaknesses are identified in a SOC report, the 
Postal Service requires prompt communication and remediation of such 
weaknesses and shall have the right to review working papers and engage 
in discussions about the work performed with the service auditor. The 
Postal Service requires that all remediation efforts (if applicable) 
are completed and reported by the RC prior to the Postal Service's 
fiscal year end (September 30). In addition, the RC will be responsible 
for evaluating its internal control environment related to the meter 
system and any other applications and technology infrastructure 
considered material to the services provided to the Postal Service by 
the RC, in particular, disclosing changes to internal controls for the 
period of July 1 to September 30. This evaluation should be documented 
and submitted to the Postal Service by October 15 of each year. The RC 
will be responsible for all costs related to the examinations conducted 
by the service auditor and the RC.
    (j) Inspection of records and facilities. The RC must make its 
facilities that handle the operation of the computerized resetting 
system and all records about the operation of the system available for 
inspection by representatives of the Postal Service at all reasonable 
times. At its discretion, the Postal Service may continue to fund 
inspections as it has in the past, provided the costs are not 
associated with a particular security issue related to the RC's meter 
systems and supporting infrastructure.
* * * * *

0
3. Amend Sec.  501.16 by revising paragraph (d) and (f) to read as 
follows:


Sec.  501.16   PC postage payment methodology.

* * * * *
    (d) Financial responsibility for returned payments. The provider 
must reimburse the Postal Service upon request for any returned checks 
or ACH debits for postage payments. The provider must, upon first 
becoming aware of a returned check or ACH debit, immediately lock the 
customer account to prevent resetting the account until the provider 
receives confirmation of payment for the returned item. If a penalty or 
fine is assessed against the Postal Service for returned checks or ACH 
debit payments from a provider's customer, the Postal Service may 
request reimbursement for such penalty or fine from the provider. The 
provider is required to remit the amount of the returned item plus the 
amount of the reimbursement request, to the extent applicable, to the 
Postal Service within ten (10) banking days. Invoices will be created 
monthly for returns and/or applicable penalties or fines incurred for 
the previous month. The 10 banking days will start once the invoice is 
mailed. The provider has discretion to decide whether to charge its 
customer for any such reimbursement costs (of penalties or fines) the 
provider pays to the Postal Service in connection with the customer's 
returned check or ACH debit.
* * * * *
    (f) Security and revenue protection. To receive Postal Service 
approval to continue to operate PC Postage systems, the provider must 
submit to a periodic examination and provide a SOC 1 Type II Report of 
its PC Postage system and any other applications and technology 
infrastructure that may have a material impact on Postal Service 
revenues, as determined by the Postal Service. Additionally, provider 
must submit to a periodic examination and provide a SOC 2 Type II 
Report of its meter system data security, accuracy, processing 
integrity and data integrity for any applications, reports, and 
technology infrastructure that may have a material impact on the 
provider's reports, which the Postal Service relies upon. The 
examination shall be performed by a

[[Page 12874]]

qualified, independent audit firm and shall be conducted in accordance 
with the Statements on Standards for Attestation Engagements (SSAEs) 
No. 18, Service Organizations, developed by the American Institute of 
Certified Public Accountants (AICPA), as amended or superseded. 
Expenses associated with such examination shall be incurred by the 
provider. The examination shall include testing of the operating 
effectiveness of relevant provider internal controls (SOC 1 Type II 
SSAE 18 Report). If the service organization uses another service 
organization (sub-service provider), the provider should consider the 
nature and materiality of the transactions processed by the sub-service 
organization and the contribution of the sub-service organization's 
processes and controls in the achievement of the Postal Service's 
control objectives. The control objectives to be covered by the SOC 1 
Type II SSAE 18 report are subject to Postal Service review and 
approval, and are to be provided to the Postal Service 30 days prior to 
the initiation of each examination period. Resetting companies are 
expected to submit any request for changes to control objectives by 
December 31 of each year, which will be taken under consideration by 
the Postal Service for review and approval. The Postal Service will 
provide common control objectives to be covered by the SOC 1 Type II 
SSAE 18 by January 31 each year. As a result of the examination, the 
service auditor shall provide the provider and the Postal Service with 
an opinion on the design and operating effectiveness of the provider's 
internal controls related to the meter system, and any other 
applications and technology infrastructure considered material to the 
services provided to the Postal Service by the RC. SOC 1 and SOC 2 
examinations are to be conducted on no less than an annual basis, and 
are to be as of and for the 12 months ended June 30 of each year 
(except for new contracts for which the examination period will be no 
less than the period from the contract date to the following June 30, 
unless otherwise agreed to by the Postal Service). The SOC 1 and SOC 2 
examination reports are to be provided to the Postal Service by August 
15 of each year. To the extent that internal control weaknesses are 
identified in a SOC 1 Type II SSAE 18 report, the Postal Service 
requires prompt communication and remediation of such weaknesses and 
will review working papers and engage in discussions about the work 
performed with the service auditor. The Postal Service requires that 
all remediation efforts (if applicable) are completed and reported by 
the provider to the Postal Service's fiscal year end (September 30). In 
addition, the provider will be responsible evaluating its internal 
control environment related to the meter system and any other 
applications and technology infrastructure considered material to the 
services provided to the Postal Service by the provider, in particular, 
disclosing changes to internal controls for the period of July 1 to 
September 30. This evaluation should be documented and submitted to the 
Postal Service by October 15 each year. The provider will be 
responsible for all costs related to the examinations conducted by the 
service auditor and the RC.
* * * * *

Brittany M. Johnson,
Attorney, Federal Compliance.
[FR Doc. 2020-03562 Filed 3-4-20; 8:45 am]
 BILLING CODE P


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.