Authorization To Manufacture and Distribute Postage Evidencing Systems, 12870-12874 [2020-03562]
Download as PDF
12870
Federal Register / Vol. 85, No. 44 / Thursday, March 5, 2020 / Rules and Regulations
AIRAC date
State
City
Airport
FDC date
26–Mar–20 ........
26–Mar–20 ........
26–Mar–20 ........
FL
FL
NY
Titusville .............................
Titusville .............................
New York ...........................
Arthur Dunn Air Park .........
Arthur Dunn Air Park .........
John F Kennedy Intl ..........
0/8867
0/8868
0/8874
2/6/20
2/6/20
2/7/20
26–Mar–20 ........
FL
Bonifay ...............................
Tri-County ..........................
0/8877
2/6/20
26–Mar–20 ........
TX
Denton ...............................
Denton Enterprise ..............
0/8892
2/6/20
26–Mar–20 ........
AZ
Tucson ...............................
Tucson Intl .........................
0/8926
2/3/20
26–Mar–20 ........
AZ
Tucson ...............................
Tucson Intl .........................
0/9081
2/3/20
26–Mar–20 ........
26–Mar–20 ........
26–Mar–20 ........
OR
ND
CA
Grants Pass .......................
Grand Forks .......................
Sacramento ........................
Grants Pass .......................
Grand Forks Intl .................
Sacramento Mather ...........
0/9185
0/9985
9/4931
2/7/20
2/11/20
2/6/20
26–Mar–20 ........
IN
Indianapolis ........................
Indianapolis Intl ..................
9/4955
1/28/20
26–Mar–20 ........
IN
Indianapolis ........................
Indianapolis Intl ..................
9/4956
1/28/20
26–Mar–20 ........
IN
Columbus ...........................
Columbus Muni ..................
9/9469
1/21/20
[FR Doc. 2020–04175 Filed 3–4–20; 8:45 am]
BILLING CODE 4910–13–P
POSTAL SERVICE
39 CFR Part 501
Authorization To Manufacture and
Distribute Postage Evidencing
Systems
Postal ServiceTM.
ACTION: Final rule.
AGENCY:
The Postal Service is
amending its Postage Evidencing
Systems regulations. These changes put
the financial responsibility for returned
checks and returned Automated
Clearinghouse (ACH) debit payments on
the applicable resetting company (RC)
and PC Postage provider. These
responsibilities include providing
reimbursement for any penalties or fines
imposed on the Postal Service for
returned checks or ACH debit payments,
and remitting the amount of the
returned check or ACH debit payment,
as applicable, plus the reimbursement to
the Postal Service within 10 federal
banking days of the date the invoice is
mailed. These changes also update the
Statement on Standards for Attestation
Engagements (SSAE) 18 requirements
and add the requirement for System and
Organization Control (SOC) 2 reporting.
DATES: Effective March 5, 2020.
FOR FURTHER INFORMATION CONTACT: Lisa
H Arcari, Director, Commercial
SUMMARY:
khammond on DSKJM1Z7X2PROD with RULES
FDC No.
VerDate Sep<11>2014
15:45 Mar 04, 2020
Jkt 250001
Payment, lisa.h.arcari@usps.gov, 202–
268–4270.
SUPPLEMENTARY INFORMATION: The Postal
Service issued proposed revisions to 39
CFR part 501, set forth in the Federal
Register on October 7, 2019 (84 FR
53353). The proposal made several
major changes: (1) Imposing the
financial responsibility for returned
checks and returned Automated
Clearinghouse (ACH) debit payments on
the resetting companies (Postage Meter
Manufacturers) and on the PC Postage
Providers, as applicable (collectively
‘‘Providers’’), (2) imposing a $30 return
fee on the Providers for returned checks
and ACH debits, and (3) requiring the
Providers to submit System and
Organization Control (SOC) 2, Type II
reports to the Postal Service as a
requirement for continued operations as
a Provider.
Five sets of comments were received
in response to the Federal Register
Notice, from FP USA (Francotyp
Postalia), Pitney Bowes Inc.,
Stamps.com/Endicia (PSI Systems, Inc.),
Neopost USA (soon to be Quadient), and
PostCom. There are four common
themes throughout these comments; as
such they can be broken down as
follows:
ACH Returns
Industry Comments
The proposal to impose financial
responsibility for returned checks and
returned ACH debit payments received
several comments. Some commenters
opined that the proposed rule unfairly
PO 00000
Frm 00012
Fmt 4700
Sfmt 4700
Subject
RNAV (GPS)-A, Orig-A.
RNAV (GPS)-B, Orig-A.
RNAV (RNP) Z RWY 31R,
Amdt 1A.
RNAV (GPS) RWY 19,
Orig-B.
RNAV (GPS) RWY 36,
Amdt 2B.
RNAV (GPS) RWY 11R,
Orig-C.
ILS OR LOC RWY 11L,
Amdt 14B.
RNAV (GPS)-A, Orig.
VOR RWY 17R, Amdt 6A.
ILS OR LOC RWY 22L (SA
CAT I), ILS RWY 22L
(SA CAT II), Amdt 7.
ILS OR LOC RWY 5R, ILS
RWY 5R (SA CAT I), ILS
RWY 5R (CAT II), ILS
RWY 5R (CAT III), Amdt
7.
RNAV (RNP) Z RWY 23L,
Amdt 2.
ILS OR LOC RWY 23,
Amdt 8.
makes providers liable for ACH returns
and will lead to a reduction of ACH use
by customers at a time when the Postal
Service is trying to increase its use.
Although Providers bear this financial
responsibility for credit cards, the credit
card real-time validation process is
much more robust, and ACH returns are
not revealed until several days after the
transaction occurs. This risk continues
with each ACH debit transaction, unlike
for credit cards. While acknowledging
that Providers are and should be
responsible for helping the Postal
Service to try to collect ACH return
funds on the Postal Service’s behalf,
many commenters believe it is
unreasonable for the Providers to take
on this financial burden.
One commenter believes the proposed
rule offered little explanation as to why
the changes are necessary or whether
there will be any benefits. Instead of
changing its regulations, this commenter
suggests that the Postal Service should
work with the small pool of Providers
to come up with a solution for ACH
debit returns. Another commenter
contends that shifting liability for ACH
returns is a customer unfriendly
unlawful taking, and that it violates
Executive Order 13771 relating to
economically significant regulatory
actions that impose costs on industry.
Some commenters also argued that
automatically locking customer
accounts would cause significant
service interruptions to large customers
in connection with routine business
activities, resulting in customers
switching to a non-Postal service
E:\FR\FM\05MRR1.SGM
05MRR1
Federal Register / Vol. 85, No. 44 / Thursday, March 5, 2020 / Rules and Regulations
khammond on DSKJM1Z7X2PROD with RULES
provider or to non-ACH payment
methods. If the risk of ACH returns is
now shifted to the Providers, these
commenters argue that they should have
the discretion to decide whether or not
to lock the account since they will be
bearing the risk of non-payment.
Another commenter added that, if the
Postal Service intends to impose the risk
of a failed payment on the Providers,
then the Providers should have the
discretion to delay refilling meters and
PC Postage accounts until check
payments clear and ACH transactions
are proven effective. Along these same
lines, another commenter requested
that, since the checks and ACH debit
transactions are made payable to the
Postal Service, the Postal Service should
assign the Providers the legal right to
pursue customers for returned checks
and ACH debits.
With respect to the processing of ACH
payments, one commenter suggested
that the Postal Service should work with
Citibank to implement same-day ACH as
an option to allow providers the ability
to reduce the delay in disabling
customers for returned ACH debits.
According to this commenter, the
current ACH process can take up to 10
days to receive a return transaction, and
the Postal Service and Citibank should
work on a plan to implement a ‘Real
Time’ ACH validation. This commenter
also suggested that Providers should be
given 45 days to collect returned
postage download amounts from
customers, noting its position that 10
days does not give the customer
sufficient time to work with internal
accounts payable departments to
process replacement payments.
Finally, one commenter expressed the
view that the change is directed at PC
Postage vendors, who caused this issue
by not addressing it long ago. This
commenter believes the Postal Service is
placing an undue burden on meter
manufacturers for a problem caused by
PC Postage vendors.
USPS Response
The Postal Service agrees with some
of these comments and proposals, while
disagreeing with others, as described
below.
As an initial matter, the Postal Service
notes that the National Automated
Clearing House Association (NACHA)
manages the development,
administration, and governance of the
ACH Network. The NACHA Rules,
which the Postal Service is obliged to
follow, provide the legal and
operational foundation of the ACH
network, and are meant to safeguard
customers’ sensitive data. Imposing
responsibility for returned checks and
VerDate Sep<11>2014
15:45 Mar 04, 2020
Jkt 250001
returned ACH debit payments on
Providers encourages the Providers to
take adequate measures to authenticate
the identity of their customers through
account validation and to ensure that
each account that is debited is
authorized. Providers have direct
relationships with the shippers and
mailers who are their customers, and
they are in the best position to
authenticate the customers and their
accounts. This requirement also aligns
with NACHA Know Your Customer
guidance and best practices. The
Provider must adhere to the ACH
returns to ACH volume thresholds as
outlined in the NACHA operating rules
and guidelines. The Postal Service
intends to work with Providers to offer
its expertise and guidance on these
rules.
With respect to the locking of
customer accounts, the Postal Service
notes that this is not a new requirement;
the wording was updated from the
original regulation for clarity. The
Providers should not have discretion on
whether or not to lock the account, as
continuing to allow ACH debit returns
violates NACHA rules, to which the
Postal Service is subject.
The Postal Service agrees with the
suggestion that Providers should have
the discretion to delay refilling meters
and PC Postage accounts until check
payments clear and ACH transactions
are proven effective. Providers currently
have this discretion, and will continue
to have it under the final rule.
The Postal Service also agrees with
the proposal that it assign Providers the
legal right to pursue customers for
returned checks and ACH debits.
Discussions concerning the
implementation of this proposal will
occur after the rule is published.
The Postal Service disagrees that
imposing responsibility on Providers for
ACH returns involves a taking of
property under the Fifth Amendment or
a violation of any applicable Executive
order. Remitting payment via ACH is
the customer’s choice, not a regulatory
requirement that is imposed by the
Postal Service. Moreover, requiring
Providers to cover the cost of ACH
returns is consistent with industry
practice, as explained above.
As for the suggestion that the Postal
Service work with Citibank to
implement same-day ACH or ‘‘Real
Time’’ ACH validation, based on our
experience, ACH debit returns that take
10 days are not the norm. The Postal
Service would need more information
on returns past the two-day window to
research. In any event, the Postal
Service is in the process of evaluating
the impacts to the Postal Service of
PO 00000
Frm 00013
Fmt 4700
Sfmt 4700
12871
same-day ACH and the effectiveness of
these products to Providers. After the
Postal Service’s positive review of the
feasibility of same-day ACH transactions
in this context, meter manufacturers and
PC Postage providers interested in any
of these products should inform the
Postal Service, and the Postal Service
will review these requests on a case-bycase basis.
In addition, to clarify the proposed
timeline in response to the suggestion
that Providers be given 45 days to
collect returned postage amounts from
customers, the Postal Service notes that
invoices will be generated on a monthly
basis for returns incurred for the
previous month. The 10-day period will
start once the invoice for returns from
the previous month is mailed. In other
words, the 10-day window does not
begin on the day the ACH debit return
occurs, but rather on the day the Postal
Service invoice is mailed.
The financial responsibility for ACH
debit returns will be shifted to the
providers beginning April 1, 2020. The
first invoice will be sent in early May
2020 for the debit returns that occurred
in April.
Finally, the Postal Service disagrees
with the assessment that the proposed
rule places an undue burden on meter
manufacturers for a problem caused by
PC Postage vendors. The Postal Service
already holds and is continuing to hold
PC Postage Providers and meter
manufacturers to the same standards.
$30 Return Fee
Industry Comments
Several commenters expressed
concerns that the proposed $30 ACH
return fee would have negative
processing and customer service
implications, which would discourage
customers’ continued use of ACH. They
believe many customers would object to
paying the fee, and may leave the Postal
Service if the fee cannot be waived,
particularly if service cannot be
immediately restored. If the Postal
Service wants to collect this fee, they
argue, then the Postal Service should do
so itself so that it can exercise discretion
on whether the fee should be waived.
These commenters also noted that the
proposed fee would add cost to the
Providers without providing any benefit
to them. Updates to systems and to
Postal Service reporting for these fees,
including daily balance accounting
reconciliation (DBAR) updates, would
require definition before an estimated
implementation timeline could be
provided. In addition, because changes
to these systems could affect the SOC
reports, SOC control objectives would
E:\FR\FM\05MRR1.SGM
05MRR1
12872
Federal Register / Vol. 85, No. 44 / Thursday, March 5, 2020 / Rules and Regulations
khammond on DSKJM1Z7X2PROD with RULES
need to be updated for this change.
These commenters also suggested that
the ACH fee should be able to be
deducted from customers’ prepaid funds
(if available), and the DBAR should be
updated to reflect this option.
One commenter suggested that the
Postal Service should provide the
industry with updated Postal Service
terms and conditions to support the fees
for returned ACH debits and checks.
Because new terms would apply to the
fees, the commenter noted its
expectation that the fee would only
apply to new and renewal customers.
The commenter suggested further that
the Postal Service should clarify that
individual Providers are only
responsible for charging for returned
checks and ACH credits for the
Providers’ active customers.
USPS Response
Charging the customer a fee for a
returned ACH transaction is a common
practice, and the $30 amount of the fee
is consistent with the existing charge for
bounced checks. Nevertheless, upon
further consideration and in response to
the commenters’ concerns, the Postal
Service has decided to eliminate the $30
fee in the final rule. The fee was
intended to reimburse the Postal Service
for costs it may incur in connection
with returned checks or ACH debit
payments. As an alternative to an
automatic $30 fee for every returned
item, the final rule reserves the Postal
Service’s right to seek reimbursement
from a Provider for any penalties or
fines that are imposed on the Postal
Service (for example, by a bank)
occasioned by repeated returned checks
or ACH debit payments from that
Provider’s customer. This would be in
accord with current practice and would
encourage the Providers to review and
vet their customers and their behavior,
to avoid being assessed penalties or
fines. If the Postal Service does not
incur any such penalties or fines, then
the Provider will only be responsible for
the amount of the returned check or
ACH debit payment, as applicable,
without any additional fees imposed.
Under the final rule, the Provider may
choose whether to pass any such
reimbursement costs (of penalties or
fines) on to its customer.
The comments relating to
applicability of the $30 fee to new and
renewal customers and/or active
customers are largely moot, in light of
the Postal Service’s decision to
eliminate the $30 fee. However, it
should be noted that Providers will be
responsible for reimbursement of fines
and penalties incurred by the Postal
Service, regardless of whether the
VerDate Sep<11>2014
15:45 Mar 04, 2020
Jkt 250001
customers that caused those issues are
new, renewal, active, or other customers
of the Provider.
SOC 2, Type II Report
Industry Comments
Several commenters addressed the
proposal to require SOC 2, Type II
reporting. For example, they stated that
the scope of the SOC 2 Type II mandate
should be relevant to the information
exchanged, and should be narrowly
drawn to those applications, reports,
and technology relevant to the Postal
Service’s controls. Commenters also
argued that the report should address
privacy.
Other commenters stated that the
changes required to support a SOC 2
Type II report will take considerable
effort to scope, develop, test and
implement, and that this is an
unreasonable expense and burden on
the industry.
Finally, the commenters noted that
the Postal Service needs to provide the
industry with the SOC 2 Control
objectives. Control objectives provided
by February 28 of each year should be
required to be implemented in the next
audit period.
USPS Response
The Postal Service disagrees with
limiting the scope to only those
applications mentioned by the
commenters and privacy. The purpose
of the SOC 2 reporting is to meet the
needs of a broad range of users that need
detailed information and assurance
about the controls at a service
organization relevant to security,
availability, and processing integrity of
the systems the service organization
uses to process users’ data and the
confidentiality and privacy of the
information processed by these systems.
The goal is to understand the security
posture of the entire organization.
As for the commenters’ concerns
about expense and burden, SOC 2
reporting is an industry standard, and
has been for many years. There is an
expense, but it is to the industry’s
benefit too. The Postal Service will give
the industry reasonable time to adopt
these changes.
The Postal Service agrees that it
should provide the industry with SOC
2 control objectives, and will provide
these by March 18, 2020 for the Type I
report and by January 31 of each year to
be implemented in the appropriate audit
period for Type II reports. The Postal
Service will strive to give the industry
ample time to implement any changes to
control objectives from one year to the
next.
PO 00000
Frm 00014
Fmt 4700
Sfmt 4700
General Comments
Industry comment: The
implementation timeframes in the
proposal need to be clarified for both
items.
USPS response: The Postal Service
will require a SOC 2 Type I report by
July 1, 2020, the Postal Service will
provide the initial control objectives by
March 18, 2020. The first SOC 2 Type
II report will be due August 15, 2021,
and the subsequent Type II reports will
be due on August 15 each year going
forward. For future years, the Postal
Service will provide the SOC 2 control
objectives by January 31.
Industry comment: The Postal Service
teams should have raised the proposed
rules as an issue during the Industry
meetings. Discussion at industry
meetings would have allowed the
industry to educate the Postal Service
on each provider’s processes and
discuss a phased plan to achieve the
Postal Service objectives.
USPS response: NACHA’s upcoming
rule changes and customer validation
were discussed at the July 25, 2019
Industry Working meeting. The NACHA
webinars were made available to the
industry. It is within the Postal Service’s
discretion whether and how much to
discuss a proposed rule with the
industry before publishing.
List of Subjects in 39 CFR Part 501
Administrative practice and
procedure, Postal Service.
For the reasons stated in the
preamble, the Postal Service amends 39
CFR part 501 as follows:
PART 501—[AMENDED]
1. The authority citation for part 501
continues to read as follows:
■
Authority: 5 U.S.C. 552(a); 39 U.S.C. 101,
401, 403, 404, 410, 2601, 2605; Inspector
General Act of 1978, as amended (Pub. L. 95–
452, as amended); 5 U.S.C. App. 3.
2. Amend § 501.15 by revising
paragraphs (g), (i), and (j) to read as
follows:
■
§ 501.15 Computerized Meter Resetting
System.
*
*
*
*
*
(g) Financial responsibility for
returned payments. The RC is required
to reimburse the Postal Service upon
request for any returned checks or ACH
debits for postage payments. The RC
must, upon first becoming aware of a
returned check or ACH debit,
immediately lock the customer’s CMRS
account to prevent a meter reset until
the RC receives confirmation of
payment for the returned item. If a
E:\FR\FM\05MRR1.SGM
05MRR1
khammond on DSKJM1Z7X2PROD with RULES
Federal Register / Vol. 85, No. 44 / Thursday, March 5, 2020 / Rules and Regulations
penalty or fine is assessed against the
Postal Service for returned checks or
ACH debit payments from an RC’s
customer, the Postal Service may
request reimbursement for such penalty
or fine from the RC. The RC is required
to remit the amount of the returned item
to the Postal Service plus the
reimbursement request, to the extent
applicable, within ten (10) banking
days. Invoices will be created monthly
for returns and/or applicable penalties
or fines incurred for the previous
month. The 10 banking days will start
once the invoice is mailed. The RC has
discretion to decide whether to charge
its customer for any such
reimbursement costs (of penalties or
fines) the RC pays to the Postal Service
in connection with the customer’s
returned check or ACH debit.
*
*
*
*
*
(i) Security and revenue protection.
To receive Postal Service approval to
continue to operate systems in the
postage meters environment, the RC
must submit to a periodic examination
and provide a System and Organization
Control (SOC) 1 Type II Report of its
meter system and any other applications
and technology infrastructure that may
have a material impact on Postal Service
revenues, as determined by the Postal
Service. Additionally, RC must submit
to a periodic examination and provide
a SOC 2 Type II Report of its meter
system data security, accuracy,
processing integrity and data integrity
for any applications, reports, and
technology infrastructure that may have
a material impact on the RC’s reports,
which the Postal Service relies upon.
For the initial SOC 2 Type I report, the
Postal Service will provide the control
objectives by March 18, 2020. The due
date for the initial SOC 2 Type I is July
1, 2020, with the SOC 2 Type II due on
August 15, 2021. Both the SOC 1 and
SOC 2 examinations shall be performed
by a qualified, independent audit firm
and shall be conducted in accordance
with the Statements on Standards for
Attestation Engagements (SSAEs) No.
18, Service Organizations, developed by
the American Institute of Certified
Public Accountants (AICPA), as
amended or superseded. Expenses
associated with such examination shall
be incurred by the RC. The examination
shall include testing of the operating
effectiveness of relevant RC internal
controls (SOC 1 Type II SSAE 18 & SOC
2 Type II SSAE 18 Reports). If the
service organization uses another
service organization (sub-service
provider), the RC should consider the
nature and materiality of the
transactions and data processed by the
VerDate Sep<11>2014
15:45 Mar 04, 2020
Jkt 250001
sub-service organization and the
contribution of the sub-service
organization’s processes and controls in
the achievement of the Postal Service’s
control objectives. Resetting companies
are expected to submit any request for
changes to control objectives by
December 31 of each year, which will be
taken under consideration by the Postal
Service for review and approval. The
Postal Service will provide common
control objectives to be covered by the
SOC 1 Type II SSAE 18 by January 31
each year. As a result of the
examination, the service auditor shall
provide the RC and the Postal Service
with an opinion on the design and
operating effectiveness of the RC’s
internal controls related to the meter
system and any other applications and
technology infrastructure considered
material to the services provided to the
Postal Service by the RC. SOC 1 and
SOC 2 examinations are to be conducted
on no less than an annual basis, and are
to be as of and for the 12 months ended
June 30 of each year (except for new
contracts for which the examination
period will be no less than the period
from the contract date to the following
June 30, unless otherwise agreed to by
the Postal Service). The SOC 1 and SOC
2 examination reports are to be provided
to the Postal Service by August 15 of
each year. To the extent that internal
control weaknesses are identified in a
SOC report, the Postal Service requires
prompt communication and
remediation of such weaknesses and
shall have the right to review working
papers and engage in discussions about
the work performed with the service
auditor. The Postal Service requires that
all remediation efforts (if applicable) are
completed and reported by the RC prior
to the Postal Service’s fiscal year end
(September 30). In addition, the RC will
be responsible for evaluating its internal
control environment related to the meter
system and any other applications and
technology infrastructure considered
material to the services provided to the
Postal Service by the RC, in particular,
disclosing changes to internal controls
for the period of July 1 to September 30.
This evaluation should be documented
and submitted to the Postal Service by
October 15 of each year. The RC will be
responsible for all costs related to the
examinations conducted by the service
auditor and the RC.
(j) Inspection of records and facilities.
The RC must make its facilities that
handle the operation of the
computerized resetting system and all
records about the operation of the
system available for inspection by
representatives of the Postal Service at
PO 00000
Frm 00015
Fmt 4700
Sfmt 4700
12873
all reasonable times. At its discretion,
the Postal Service may continue to fund
inspections as it has in the past,
provided the costs are not associated
with a particular security issue related
to the RC’s meter systems and
supporting infrastructure.
*
*
*
*
*
■ 3. Amend § 501.16 by revising
paragraph (d) and (f) to read as follows:
§ 501.16 PC postage payment
methodology.
*
*
*
*
*
(d) Financial responsibility for
returned payments. The provider must
reimburse the Postal Service upon
request for any returned checks or ACH
debits for postage payments. The
provider must, upon first becoming
aware of a returned check or ACH debit,
immediately lock the customer account
to prevent resetting the account until
the provider receives confirmation of
payment for the returned item. If a
penalty or fine is assessed against the
Postal Service for returned checks or
ACH debit payments from a provider’s
customer, the Postal Service may
request reimbursement for such penalty
or fine from the provider. The provider
is required to remit the amount of the
returned item plus the amount of the
reimbursement request, to the extent
applicable, to the Postal Service within
ten (10) banking days. Invoices will be
created monthly for returns and/or
applicable penalties or fines incurred
for the previous month. The 10 banking
days will start once the invoice is
mailed. The provider has discretion to
decide whether to charge its customer
for any such reimbursement costs (of
penalties or fines) the provider pays to
the Postal Service in connection with
the customer’s returned check or ACH
debit.
*
*
*
*
*
(f) Security and revenue protection.
To receive Postal Service approval to
continue to operate PC Postage systems,
the provider must submit to a periodic
examination and provide a SOC 1 Type
II Report of its PC Postage system and
any other applications and technology
infrastructure that may have a material
impact on Postal Service revenues, as
determined by the Postal Service.
Additionally, provider must submit to a
periodic examination and provide a
SOC 2 Type II Report of its meter system
data security, accuracy, processing
integrity and data integrity for any
applications, reports, and technology
infrastructure that may have a material
impact on the provider’s reports, which
the Postal Service relies upon. The
examination shall be performed by a
E:\FR\FM\05MRR1.SGM
05MRR1
12874
Federal Register / Vol. 85, No. 44 / Thursday, March 5, 2020 / Rules and Regulations
khammond on DSKJM1Z7X2PROD with RULES
qualified, independent audit firm and
shall be conducted in accordance with
the Statements on Standards for
Attestation Engagements (SSAEs) No.
18, Service Organizations, developed by
the American Institute of Certified
Public Accountants (AICPA), as
amended or superseded. Expenses
associated with such examination shall
be incurred by the provider. The
examination shall include testing of the
operating effectiveness of relevant
provider internal controls (SOC 1 Type
II SSAE 18 Report). If the service
organization uses another service
organization (sub-service provider), the
provider should consider the nature and
materiality of the transactions processed
by the sub-service organization and the
contribution of the sub-service
organization’s processes and controls in
the achievement of the Postal Service’s
control objectives. The control
objectives to be covered by the SOC 1
Type II SSAE 18 report are subject to
Postal Service review and approval, and
are to be provided to the Postal Service
30 days prior to the initiation of each
examination period. Resetting
companies are expected to submit any
request for changes to control objectives
by December 31 of each year, which will
be taken under consideration by the
Postal Service for review and approval.
The Postal Service will provide
common control objectives to be
covered by the SOC 1 Type II SSAE 18
by January 31 each year. As a result of
the examination, the service auditor
VerDate Sep<11>2014
15:45 Mar 04, 2020
Jkt 250001
shall provide the provider and the
Postal Service with an opinion on the
design and operating effectiveness of the
provider’s internal controls related to
the meter system, and any other
applications and technology
infrastructure considered material to the
services provided to the Postal Service
by the RC. SOC 1 and SOC 2
examinations are to be conducted on no
less than an annual basis, and are to be
as of and for the 12 months ended June
30 of each year (except for new
contracts for which the examination
period will be no less than the period
from the contract date to the following
June 30, unless otherwise agreed to by
the Postal Service). The SOC 1 and SOC
2 examination reports are to be provided
to the Postal Service by August 15 of
each year. To the extent that internal
control weaknesses are identified in a
SOC 1 Type II SSAE 18 report, the
Postal Service requires prompt
communication and remediation of such
weaknesses and will review working
papers and engage in discussions about
the work performed with the service
auditor. The Postal Service requires that
all remediation efforts (if applicable) are
completed and reported by the provider
to the Postal Service’s fiscal year end
(September 30). In addition, the
provider will be responsible evaluating
its internal control environment related
to the meter system and any other
applications and technology
infrastructure considered material to the
services provided to the Postal Service
PO 00000
Frm 00016
Fmt 4700
Sfmt 9990
by the provider, in particular, disclosing
changes to internal controls for the
period of July 1 to September 30. This
evaluation should be documented and
submitted to the Postal Service by
October 15 each year. The provider will
be responsible for all costs related to the
examinations conducted by the service
auditor and the RC.
*
*
*
*
*
Brittany M. Johnson,
Attorney, Federal Compliance.
[FR Doc. 2020–03562 Filed 3–4–20; 8:45 am]
BILLING CODE P
ENVIRONMENTAL PROTECTION
AGENCY
40 CFR Part 52
[EPA–R09–OAR–2019–0439; FRL–10005–
31–Region 9]
Air Plan Approval; California; Mojave
Desert Air Quality Management District
Correction
In Rule document 2020–03251,
appearing on pages 11812–11814, in the
issue of Thursday, February 27, 2020,
make the following correction:
On page 11812, in the first column,
the subject-line is corrected to read as
set forth above.
[FR Doc. C1–2020–03251 Filed 3–4–20; 8:45 am]
BILLING CODE 1301–00–D
E:\FR\FM\05MRR1.SGM
05MRR1
Agencies
[Federal Register Volume 85, Number 44 (Thursday, March 5, 2020)]
[Rules and Regulations]
[Pages 12870-12874]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-03562]
=======================================================================
-----------------------------------------------------------------------
POSTAL SERVICE
39 CFR Part 501
Authorization To Manufacture and Distribute Postage Evidencing
Systems
AGENCY: Postal ServiceTM.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Postal Service is amending its Postage Evidencing Systems
regulations. These changes put the financial responsibility for
returned checks and returned Automated Clearinghouse (ACH) debit
payments on the applicable resetting company (RC) and PC Postage
provider. These responsibilities include providing reimbursement for
any penalties or fines imposed on the Postal Service for returned
checks or ACH debit payments, and remitting the amount of the returned
check or ACH debit payment, as applicable, plus the reimbursement to
the Postal Service within 10 federal banking days of the date the
invoice is mailed. These changes also update the Statement on Standards
for Attestation Engagements (SSAE) 18 requirements and add the
requirement for System and Organization Control (SOC) 2 reporting.
DATES: Effective March 5, 2020.
FOR FURTHER INFORMATION CONTACT: Lisa H Arcari, Director, Commercial
Payment, [email protected], 202-268-4270.
SUPPLEMENTARY INFORMATION: The Postal Service issued proposed revisions
to 39 CFR part 501, set forth in the Federal Register on October 7,
2019 (84 FR 53353). The proposal made several major changes: (1)
Imposing the financial responsibility for returned checks and returned
Automated Clearinghouse (ACH) debit payments on the resetting companies
(Postage Meter Manufacturers) and on the PC Postage Providers, as
applicable (collectively ``Providers''), (2) imposing a $30 return fee
on the Providers for returned checks and ACH debits, and (3) requiring
the Providers to submit System and Organization Control (SOC) 2, Type
II reports to the Postal Service as a requirement for continued
operations as a Provider.
Five sets of comments were received in response to the Federal
Register Notice, from FP USA (Francotyp Postalia), Pitney Bowes Inc.,
Stamps.com/Endicia (PSI Systems, Inc.), Neopost USA (soon to be
Quadient), and PostCom. There are four common themes throughout these
comments; as such they can be broken down as follows:
ACH Returns
Industry Comments
The proposal to impose financial responsibility for returned checks
and returned ACH debit payments received several comments. Some
commenters opined that the proposed rule unfairly makes providers
liable for ACH returns and will lead to a reduction of ACH use by
customers at a time when the Postal Service is trying to increase its
use. Although Providers bear this financial responsibility for credit
cards, the credit card real-time validation process is much more
robust, and ACH returns are not revealed until several days after the
transaction occurs. This risk continues with each ACH debit
transaction, unlike for credit cards. While acknowledging that
Providers are and should be responsible for helping the Postal Service
to try to collect ACH return funds on the Postal Service's behalf, many
commenters believe it is unreasonable for the Providers to take on this
financial burden.
One commenter believes the proposed rule offered little explanation
as to why the changes are necessary or whether there will be any
benefits. Instead of changing its regulations, this commenter suggests
that the Postal Service should work with the small pool of Providers to
come up with a solution for ACH debit returns. Another commenter
contends that shifting liability for ACH returns is a customer
unfriendly unlawful taking, and that it violates Executive Order 13771
relating to economically significant regulatory actions that impose
costs on industry.
Some commenters also argued that automatically locking customer
accounts would cause significant service interruptions to large
customers in connection with routine business activities, resulting in
customers switching to a non-Postal service
[[Page 12871]]
provider or to non-ACH payment methods. If the risk of ACH returns is
now shifted to the Providers, these commenters argue that they should
have the discretion to decide whether or not to lock the account since
they will be bearing the risk of non-payment. Another commenter added
that, if the Postal Service intends to impose the risk of a failed
payment on the Providers, then the Providers should have the discretion
to delay refilling meters and PC Postage accounts until check payments
clear and ACH transactions are proven effective. Along these same
lines, another commenter requested that, since the checks and ACH debit
transactions are made payable to the Postal Service, the Postal Service
should assign the Providers the legal right to pursue customers for
returned checks and ACH debits.
With respect to the processing of ACH payments, one commenter
suggested that the Postal Service should work with Citibank to
implement same-day ACH as an option to allow providers the ability to
reduce the delay in disabling customers for returned ACH debits.
According to this commenter, the current ACH process can take up to 10
days to receive a return transaction, and the Postal Service and
Citibank should work on a plan to implement a `Real Time' ACH
validation. This commenter also suggested that Providers should be
given 45 days to collect returned postage download amounts from
customers, noting its position that 10 days does not give the customer
sufficient time to work with internal accounts payable departments to
process replacement payments.
Finally, one commenter expressed the view that the change is
directed at PC Postage vendors, who caused this issue by not addressing
it long ago. This commenter believes the Postal Service is placing an
undue burden on meter manufacturers for a problem caused by PC Postage
vendors.
USPS Response
The Postal Service agrees with some of these comments and
proposals, while disagreeing with others, as described below.
As an initial matter, the Postal Service notes that the National
Automated Clearing House Association (NACHA) manages the development,
administration, and governance of the ACH Network. The NACHA Rules,
which the Postal Service is obliged to follow, provide the legal and
operational foundation of the ACH network, and are meant to safeguard
customers' sensitive data. Imposing responsibility for returned checks
and returned ACH debit payments on Providers encourages the Providers
to take adequate measures to authenticate the identity of their
customers through account validation and to ensure that each account
that is debited is authorized. Providers have direct relationships with
the shippers and mailers who are their customers, and they are in the
best position to authenticate the customers and their accounts. This
requirement also aligns with NACHA Know Your Customer guidance and best
practices. The Provider must adhere to the ACH returns to ACH volume
thresholds as outlined in the NACHA operating rules and guidelines. The
Postal Service intends to work with Providers to offer its expertise
and guidance on these rules.
With respect to the locking of customer accounts, the Postal
Service notes that this is not a new requirement; the wording was
updated from the original regulation for clarity. The Providers should
not have discretion on whether or not to lock the account, as
continuing to allow ACH debit returns violates NACHA rules, to which
the Postal Service is subject.
The Postal Service agrees with the suggestion that Providers should
have the discretion to delay refilling meters and PC Postage accounts
until check payments clear and ACH transactions are proven effective.
Providers currently have this discretion, and will continue to have it
under the final rule.
The Postal Service also agrees with the proposal that it assign
Providers the legal right to pursue customers for returned checks and
ACH debits. Discussions concerning the implementation of this proposal
will occur after the rule is published.
The Postal Service disagrees that imposing responsibility on
Providers for ACH returns involves a taking of property under the Fifth
Amendment or a violation of any applicable Executive order. Remitting
payment via ACH is the customer's choice, not a regulatory requirement
that is imposed by the Postal Service. Moreover, requiring Providers to
cover the cost of ACH returns is consistent with industry practice, as
explained above.
As for the suggestion that the Postal Service work with Citibank to
implement same-day ACH or ``Real Time'' ACH validation, based on our
experience, ACH debit returns that take 10 days are not the norm. The
Postal Service would need more information on returns past the two-day
window to research. In any event, the Postal Service is in the process
of evaluating the impacts to the Postal Service of same-day ACH and the
effectiveness of these products to Providers. After the Postal
Service's positive review of the feasibility of same-day ACH
transactions in this context, meter manufacturers and PC Postage
providers interested in any of these products should inform the Postal
Service, and the Postal Service will review these requests on a case-
by-case basis.
In addition, to clarify the proposed timeline in response to the
suggestion that Providers be given 45 days to collect returned postage
amounts from customers, the Postal Service notes that invoices will be
generated on a monthly basis for returns incurred for the previous
month. The 10-day period will start once the invoice for returns from
the previous month is mailed. In other words, the 10-day window does
not begin on the day the ACH debit return occurs, but rather on the day
the Postal Service invoice is mailed.
The financial responsibility for ACH debit returns will be shifted
to the providers beginning April 1, 2020. The first invoice will be
sent in early May 2020 for the debit returns that occurred in April.
Finally, the Postal Service disagrees with the assessment that the
proposed rule places an undue burden on meter manufacturers for a
problem caused by PC Postage vendors. The Postal Service already holds
and is continuing to hold PC Postage Providers and meter manufacturers
to the same standards.
$30 Return Fee
Industry Comments
Several commenters expressed concerns that the proposed $30 ACH
return fee would have negative processing and customer service
implications, which would discourage customers' continued use of ACH.
They believe many customers would object to paying the fee, and may
leave the Postal Service if the fee cannot be waived, particularly if
service cannot be immediately restored. If the Postal Service wants to
collect this fee, they argue, then the Postal Service should do so
itself so that it can exercise discretion on whether the fee should be
waived. These commenters also noted that the proposed fee would add
cost to the Providers without providing any benefit to them. Updates to
systems and to Postal Service reporting for these fees, including daily
balance accounting reconciliation (DBAR) updates, would require
definition before an estimated implementation timeline could be
provided. In addition, because changes to these systems could affect
the SOC reports, SOC control objectives would
[[Page 12872]]
need to be updated for this change. These commenters also suggested
that the ACH fee should be able to be deducted from customers' prepaid
funds (if available), and the DBAR should be updated to reflect this
option.
One commenter suggested that the Postal Service should provide the
industry with updated Postal Service terms and conditions to support
the fees for returned ACH debits and checks. Because new terms would
apply to the fees, the commenter noted its expectation that the fee
would only apply to new and renewal customers. The commenter suggested
further that the Postal Service should clarify that individual
Providers are only responsible for charging for returned checks and ACH
credits for the Providers' active customers.
USPS Response
Charging the customer a fee for a returned ACH transaction is a
common practice, and the $30 amount of the fee is consistent with the
existing charge for bounced checks. Nevertheless, upon further
consideration and in response to the commenters' concerns, the Postal
Service has decided to eliminate the $30 fee in the final rule. The fee
was intended to reimburse the Postal Service for costs it may incur in
connection with returned checks or ACH debit payments. As an
alternative to an automatic $30 fee for every returned item, the final
rule reserves the Postal Service's right to seek reimbursement from a
Provider for any penalties or fines that are imposed on the Postal
Service (for example, by a bank) occasioned by repeated returned checks
or ACH debit payments from that Provider's customer. This would be in
accord with current practice and would encourage the Providers to
review and vet their customers and their behavior, to avoid being
assessed penalties or fines. If the Postal Service does not incur any
such penalties or fines, then the Provider will only be responsible for
the amount of the returned check or ACH debit payment, as applicable,
without any additional fees imposed. Under the final rule, the Provider
may choose whether to pass any such reimbursement costs (of penalties
or fines) on to its customer.
The comments relating to applicability of the $30 fee to new and
renewal customers and/or active customers are largely moot, in light of
the Postal Service's decision to eliminate the $30 fee. However, it
should be noted that Providers will be responsible for reimbursement of
fines and penalties incurred by the Postal Service, regardless of
whether the customers that caused those issues are new, renewal,
active, or other customers of the Provider.
SOC 2, Type II Report
Industry Comments
Several commenters addressed the proposal to require SOC 2, Type II
reporting. For example, they stated that the scope of the SOC 2 Type II
mandate should be relevant to the information exchanged, and should be
narrowly drawn to those applications, reports, and technology relevant
to the Postal Service's controls. Commenters also argued that the
report should address privacy.
Other commenters stated that the changes required to support a SOC
2 Type II report will take considerable effort to scope, develop, test
and implement, and that this is an unreasonable expense and burden on
the industry.
Finally, the commenters noted that the Postal Service needs to
provide the industry with the SOC 2 Control objectives. Control
objectives provided by February 28 of each year should be required to
be implemented in the next audit period.
USPS Response
The Postal Service disagrees with limiting the scope to only those
applications mentioned by the commenters and privacy. The purpose of
the SOC 2 reporting is to meet the needs of a broad range of users that
need detailed information and assurance about the controls at a service
organization relevant to security, availability, and processing
integrity of the systems the service organization uses to process
users' data and the confidentiality and privacy of the information
processed by these systems. The goal is to understand the security
posture of the entire organization.
As for the commenters' concerns about expense and burden, SOC 2
reporting is an industry standard, and has been for many years. There
is an expense, but it is to the industry's benefit too. The Postal
Service will give the industry reasonable time to adopt these changes.
The Postal Service agrees that it should provide the industry with
SOC 2 control objectives, and will provide these by March 18, 2020 for
the Type I report and by January 31 of each year to be implemented in
the appropriate audit period for Type II reports. The Postal Service
will strive to give the industry ample time to implement any changes to
control objectives from one year to the next.
General Comments
Industry comment: The implementation timeframes in the proposal
need to be clarified for both items.
USPS response: The Postal Service will require a SOC 2 Type I
report by July 1, 2020, the Postal Service will provide the initial
control objectives by March 18, 2020. The first SOC 2 Type II report
will be due August 15, 2021, and the subsequent Type II reports will be
due on August 15 each year going forward. For future years, the Postal
Service will provide the SOC 2 control objectives by January 31.
Industry comment: The Postal Service teams should have raised the
proposed rules as an issue during the Industry meetings. Discussion at
industry meetings would have allowed the industry to educate the Postal
Service on each provider's processes and discuss a phased plan to
achieve the Postal Service objectives.
USPS response: NACHA's upcoming rule changes and customer
validation were discussed at the July 25, 2019 Industry Working
meeting. The NACHA webinars were made available to the industry. It is
within the Postal Service's discretion whether and how much to discuss
a proposed rule with the industry before publishing.
List of Subjects in 39 CFR Part 501
Administrative practice and procedure, Postal Service.
For the reasons stated in the preamble, the Postal Service amends
39 CFR part 501 as follows:
PART 501--[AMENDED]
0
1. The authority citation for part 501 continues to read as follows:
Authority: 5 U.S.C. 552(a); 39 U.S.C. 101, 401, 403, 404, 410,
2601, 2605; Inspector General Act of 1978, as amended (Pub. L. 95-
452, as amended); 5 U.S.C. App. 3.
0
2. Amend Sec. 501.15 by revising paragraphs (g), (i), and (j) to read
as follows:
Sec. 501.15 Computerized Meter Resetting System.
* * * * *
(g) Financial responsibility for returned payments. The RC is
required to reimburse the Postal Service upon request for any returned
checks or ACH debits for postage payments. The RC must, upon first
becoming aware of a returned check or ACH debit, immediately lock the
customer's CMRS account to prevent a meter reset until the RC receives
confirmation of payment for the returned item. If a
[[Page 12873]]
penalty or fine is assessed against the Postal Service for returned
checks or ACH debit payments from an RC's customer, the Postal Service
may request reimbursement for such penalty or fine from the RC. The RC
is required to remit the amount of the returned item to the Postal
Service plus the reimbursement request, to the extent applicable,
within ten (10) banking days. Invoices will be created monthly for
returns and/or applicable penalties or fines incurred for the previous
month. The 10 banking days will start once the invoice is mailed. The
RC has discretion to decide whether to charge its customer for any such
reimbursement costs (of penalties or fines) the RC pays to the Postal
Service in connection with the customer's returned check or ACH debit.
* * * * *
(i) Security and revenue protection. To receive Postal Service
approval to continue to operate systems in the postage meters
environment, the RC must submit to a periodic examination and provide a
System and Organization Control (SOC) 1 Type II Report of its meter
system and any other applications and technology infrastructure that
may have a material impact on Postal Service revenues, as determined by
the Postal Service. Additionally, RC must submit to a periodic
examination and provide a SOC 2 Type II Report of its meter system data
security, accuracy, processing integrity and data integrity for any
applications, reports, and technology infrastructure that may have a
material impact on the RC's reports, which the Postal Service relies
upon. For the initial SOC 2 Type I report, the Postal Service will
provide the control objectives by March 18, 2020. The due date for the
initial SOC 2 Type I is July 1, 2020, with the SOC 2 Type II due on
August 15, 2021. Both the SOC 1 and SOC 2 examinations shall be
performed by a qualified, independent audit firm and shall be conducted
in accordance with the Statements on Standards for Attestation
Engagements (SSAEs) No. 18, Service Organizations, developed by the
American Institute of Certified Public Accountants (AICPA), as amended
or superseded. Expenses associated with such examination shall be
incurred by the RC. The examination shall include testing of the
operating effectiveness of relevant RC internal controls (SOC 1 Type II
SSAE 18 & SOC 2 Type II SSAE 18 Reports). If the service organization
uses another service organization (sub-service provider), the RC should
consider the nature and materiality of the transactions and data
processed by the sub-service organization and the contribution of the
sub-service organization's processes and controls in the achievement of
the Postal Service's control objectives. Resetting companies are
expected to submit any request for changes to control objectives by
December 31 of each year, which will be taken under consideration by
the Postal Service for review and approval. The Postal Service will
provide common control objectives to be covered by the SOC 1 Type II
SSAE 18 by January 31 each year. As a result of the examination, the
service auditor shall provide the RC and the Postal Service with an
opinion on the design and operating effectiveness of the RC's internal
controls related to the meter system and any other applications and
technology infrastructure considered material to the services provided
to the Postal Service by the RC. SOC 1 and SOC 2 examinations are to be
conducted on no less than an annual basis, and are to be as of and for
the 12 months ended June 30 of each year (except for new contracts for
which the examination period will be no less than the period from the
contract date to the following June 30, unless otherwise agreed to by
the Postal Service). The SOC 1 and SOC 2 examination reports are to be
provided to the Postal Service by August 15 of each year. To the extent
that internal control weaknesses are identified in a SOC report, the
Postal Service requires prompt communication and remediation of such
weaknesses and shall have the right to review working papers and engage
in discussions about the work performed with the service auditor. The
Postal Service requires that all remediation efforts (if applicable)
are completed and reported by the RC prior to the Postal Service's
fiscal year end (September 30). In addition, the RC will be responsible
for evaluating its internal control environment related to the meter
system and any other applications and technology infrastructure
considered material to the services provided to the Postal Service by
the RC, in particular, disclosing changes to internal controls for the
period of July 1 to September 30. This evaluation should be documented
and submitted to the Postal Service by October 15 of each year. The RC
will be responsible for all costs related to the examinations conducted
by the service auditor and the RC.
(j) Inspection of records and facilities. The RC must make its
facilities that handle the operation of the computerized resetting
system and all records about the operation of the system available for
inspection by representatives of the Postal Service at all reasonable
times. At its discretion, the Postal Service may continue to fund
inspections as it has in the past, provided the costs are not
associated with a particular security issue related to the RC's meter
systems and supporting infrastructure.
* * * * *
0
3. Amend Sec. 501.16 by revising paragraph (d) and (f) to read as
follows:
Sec. 501.16 PC postage payment methodology.
* * * * *
(d) Financial responsibility for returned payments. The provider
must reimburse the Postal Service upon request for any returned checks
or ACH debits for postage payments. The provider must, upon first
becoming aware of a returned check or ACH debit, immediately lock the
customer account to prevent resetting the account until the provider
receives confirmation of payment for the returned item. If a penalty or
fine is assessed against the Postal Service for returned checks or ACH
debit payments from a provider's customer, the Postal Service may
request reimbursement for such penalty or fine from the provider. The
provider is required to remit the amount of the returned item plus the
amount of the reimbursement request, to the extent applicable, to the
Postal Service within ten (10) banking days. Invoices will be created
monthly for returns and/or applicable penalties or fines incurred for
the previous month. The 10 banking days will start once the invoice is
mailed. The provider has discretion to decide whether to charge its
customer for any such reimbursement costs (of penalties or fines) the
provider pays to the Postal Service in connection with the customer's
returned check or ACH debit.
* * * * *
(f) Security and revenue protection. To receive Postal Service
approval to continue to operate PC Postage systems, the provider must
submit to a periodic examination and provide a SOC 1 Type II Report of
its PC Postage system and any other applications and technology
infrastructure that may have a material impact on Postal Service
revenues, as determined by the Postal Service. Additionally, provider
must submit to a periodic examination and provide a SOC 2 Type II
Report of its meter system data security, accuracy, processing
integrity and data integrity for any applications, reports, and
technology infrastructure that may have a material impact on the
provider's reports, which the Postal Service relies upon. The
examination shall be performed by a
[[Page 12874]]
qualified, independent audit firm and shall be conducted in accordance
with the Statements on Standards for Attestation Engagements (SSAEs)
No. 18, Service Organizations, developed by the American Institute of
Certified Public Accountants (AICPA), as amended or superseded.
Expenses associated with such examination shall be incurred by the
provider. The examination shall include testing of the operating
effectiveness of relevant provider internal controls (SOC 1 Type II
SSAE 18 Report). If the service organization uses another service
organization (sub-service provider), the provider should consider the
nature and materiality of the transactions processed by the sub-service
organization and the contribution of the sub-service organization's
processes and controls in the achievement of the Postal Service's
control objectives. The control objectives to be covered by the SOC 1
Type II SSAE 18 report are subject to Postal Service review and
approval, and are to be provided to the Postal Service 30 days prior to
the initiation of each examination period. Resetting companies are
expected to submit any request for changes to control objectives by
December 31 of each year, which will be taken under consideration by
the Postal Service for review and approval. The Postal Service will
provide common control objectives to be covered by the SOC 1 Type II
SSAE 18 by January 31 each year. As a result of the examination, the
service auditor shall provide the provider and the Postal Service with
an opinion on the design and operating effectiveness of the provider's
internal controls related to the meter system, and any other
applications and technology infrastructure considered material to the
services provided to the Postal Service by the RC. SOC 1 and SOC 2
examinations are to be conducted on no less than an annual basis, and
are to be as of and for the 12 months ended June 30 of each year
(except for new contracts for which the examination period will be no
less than the period from the contract date to the following June 30,
unless otherwise agreed to by the Postal Service). The SOC 1 and SOC 2
examination reports are to be provided to the Postal Service by August
15 of each year. To the extent that internal control weaknesses are
identified in a SOC 1 Type II SSAE 18 report, the Postal Service
requires prompt communication and remediation of such weaknesses and
will review working papers and engage in discussions about the work
performed with the service auditor. The Postal Service requires that
all remediation efforts (if applicable) are completed and reported by
the provider to the Postal Service's fiscal year end (September 30). In
addition, the provider will be responsible evaluating its internal
control environment related to the meter system and any other
applications and technology infrastructure considered material to the
services provided to the Postal Service by the provider, in particular,
disclosing changes to internal controls for the period of July 1 to
September 30. This evaluation should be documented and submitted to the
Postal Service by October 15 each year. The provider will be
responsible for all costs related to the examinations conducted by the
service auditor and the RC.
* * * * *
Brittany M. Johnson,
Attorney, Federal Compliance.
[FR Doc. 2020-03562 Filed 3-4-20; 8:45 am]
BILLING CODE P