Title 200 | Chapter 038 | Regulation 080REG
PROPOSED
This document is not yet current.
FINANCE AND ADMINISTRATION CABINET
Office of the Controller
(New Administrative Regulation)
200 KAR 38:080. Account Validation Standards.
Section 1.
Definitions.
(1) "Account Validation Service" or "AVS" means a commercially reasonable process to verify that an account is open, active, and capable of receiving ACH debits (or credits).
(2) "Agency" is defined by KRS 11.080.
(3) "Automated Clearing House" or "ACH" means a secure, batch-oriented electronic funds transfer system that acts as a central clearinghouse for financial transactions, connecting all United States financial institutions.
(4) "Electronic Fund Transfer" or "EFT" means an electronic data processing medium that takes the place of a paper check for debiting or crediting an account and of which a permanent record is made.
(5) "Electronic Accounting and Reporting System" means the web-enabled, centralized accounting application used by the Commonwealth of Kentucky to manage state-level financial operations.
(6) "Internal Control" is defined by 200 KAR 38:070.
(7) "National Automated Clearing House Association" or "NACHA" means the nonprofit organization that governs, develops, and administers the ACH Network in the United States.
(8) "Risk-Based Monitoring" means a process whereby agencies utilize a risk assessment framework to monitor their operations.
(9) "SAS" means the Office of Statewide Accounting Services, as organized pursuant to KRS 42.0201.
(10) "Validation" means confirmation that an account number is active and capable of receiving ACH transactions.
Section 2.
Scope: The requirements of this regulation apply to all Commonwealth of Kentucky agencies, cabinets, departments, constitutional offices, and any organizational unit that:
(1) Maintains ACH/EFT banking information at the agency level;
(2) Initiates ACH/EFT payments through the Commonwealth's electronic accounting and reporting system or an interfaced system;
(3) Initiates ACH/EFT payments through third‑party system that transmits payment files to the Commonwealth; or
(4) Collects, stores, or updates vendor or payee banking details.
Section 3.
Agencies to implement NACHA-compliant AVS or equivalent validation process.
(1) Validation must be performed when:
(a) A new ACH/EFT record is created;
(b) Existing ACH/EFT data is modified;
(c) Annually, for any ACH/EFT data stored outside the Commonwealth's electronic accounting and reporting system; and
(d) Prior to transmitting any agency‑managed ACH/EFT file in the Commonwealth's electronic accounting and reporting system.
(2) The following data shall be validated:
(a) Account owner's legal name;
(b) Account number; and
(c) Routing Number.
Section 4.
Agency Responsibilities.
(1) Internal Control Requirements: Agencies shall comply with the following internal control requirements:
(a) Actively maintain internal controls;
(b) Annually file an Internal Control Plan, prepared in accordance with the requirements of 200 KAR 38:070, with the Office of the Controller;
(c) Document their ACH validation procedures; and
(d) Ensure segregation of duties and fraud prevention controls by implementing risk-based, internal controls that restrict any single employee from having full control over the ACH payment lifecycle via separation of initiation, approval, and reconciliation.
(2) Internal Procedures: Agencies shall create and maintain written internal procedures to address any instance where ACH/EFT account validation fails. At a minimum, these procedures shall include:
(a) Immediate review of a failed validation result;
(b) Suspension of ACH/EFT payment activity for the affected payee until a successful validation is completed;
(c) Verification steps to confirm whether the failure resulted from incorrect data entry, outdated records, or a mismatch identified by the validation service; and
(d) Documentation of all review and corrective actions taken in connection with the failed validation.
(3) Implementation: Agencies implement NACHA‑compliant procedures, train staff, and maintain documentation as follows:
(a) Agency created internal procedures must support standardized Company Entry Descriptions, audit trails, and NACHA‑compliant validation.
(b) Agency internal control procedures and execution of such procedures may be reviewed for compliance with the requirements of this regulation and be subject to penalties for violation.
(4) Documentation: Agencies must document each annual validation, new ACH/EFT record creation, as well as modifications of ACH/EFT data and maintain the documentation in accordance with the requirements of the Kentucky Open Records Act.
(5) Exceptions: Any exceptions to the requirements of this regulation require written approval from the Office of the Controller and be subject to requirements for compensating controls or mitigation plan as prerequisite to approval.
(6) Penalties: non-compliance with the requirements of this regulation may result in the following penalties:
(a) A written audit finding that the agency failed to comply;
(b) Suspension of ACH/EFT privileges;
(c) Issuance of a corrective action plan by the Office of the Controller; and
(d) Other corrective action, as appropriate.
HOLLY M. JOHNSON, Secretary
APPROVED BY AGENCY: March 19, 2026
FILED WITH LRC: March 20, 2026 at 8:30 a.m.
PUBLIC HEARING AND COMMENT PERIOD: A public hearing on this administrative regulation shall be held on June 24, 2026, at 10:00 a.m. at the Kentucky Finance and Administration Cabinet, 200 Mero Street, Frankfort, Kentucky 40622. Individuals interested in being heard at this hearing shall notify this agency in writing five workdays prior to the hearing, of their intent to attend. If no notification of intent to attend the hearing is received by that date, the hearing may be cancelled. This hearing is open to the public. Any person who wishes to be heard will be given an opportunity to comment on the proposed administrative regulation. A transcript of the public hearing will not be made unless a written request for a transcript is made. If you do not wish to be heard at the public hearing, you may submit written comments on the proposed administrative regulation. Written comments shall be accepted until 11:59 p.m. on June 30, 2026. Send written notification of intent to be heard at the public hearing or written comments on the proposed administrative regulation to the contact person.
CONTACT PERSON: Cary Bishop, Assistant General Counsel, Office of General Counsel, 200 Mero Street, 5th Floor, Frankfort, Kentucky 40622. Phone: (502)564-6660, Fax: (502)564-9875. Email: cary.bishop@ky.gov.
REGULATORY IMPACT ANALYSIS AND TIERING STATEMENT
Contact Person:
Cary Bishop
Subject Headings:
(1) Provide a brief summary of:
(a) What this administrative regulation does:
This administrative regulation establishes statewide governance policies and procedures for all Executive, Legislative and Judicial Branch agencies regarding compliance with the National Automated Clearing House Association (NACHA) Account Validation Rule and associated Automated Clearing House (ACH) fraud‑prevention requirements.
(b) The necessity of this administrative regulation:
This policy ensures that all ACH and EFT payment data maintained by agencies is validated, monitored, and safeguarded prior to disbursement through the Commonwealth’s financial systems, including its Electronic Accounting and Reporting System and all agency‑managed payment repositories.
(c) How this administrative regulation conforms to the content of the authorizing statutes:
42.0201(3) requires the State Controller to serve as the Commonwealth's chief accounting officer and to be responsible for all aspects of accounting policies and procedures, financial accounting systems, and internal accounting control policies and procedures. KRS 45.237 requires the Finance and Administration Cabinet to develop policies and procedures for the purpose of prevention and detection of errors or fraud and abuse prior to the issuance of a check or warrant. Compliance with NACHA requirements regarding ACH fraud prevention directly advances the goal of prevention and detection of errors or fraud and abuse prior to the issuance of a check or warrant.
(d) How this administrative regulation currently assists or will assist in the effective administration of the statutes:
This regulation provides clear and unambiguous guidance to agencies regarding mandatory fraud prevention procedures.
(2) If this is an amendment to an existing administrative regulation, provide a brief summary of:
(a) How the amendment will change this existing administrative regulation:
Not applicable as this is a new regulation.
(b) The necessity of the amendment to this administrative regulation:
Not applicable as this is a new regulation.
(c) How the amendment conforms to the content of the authorizing statutes:
Not applicable as this is a new regulation.
(d) How the amendment will assist in the effective administration of the statutes:
Not applicable as this is a new regulation.
(3) Does this administrative regulation or amendment implement legislation from the previous five years?
No.
(4) List the type and number of individuals, businesses, organizations, or state and local governments affected by this administrative regulation:
This regulation will affect all branches of state government in regards to electronic fund transactions and automatic clearing house interactions.
(5) Provide an analysis of how the entities identified in question (4) will be impacted by either the implementation of this administrative regulation, if new, or by the change, if it is an amendment, including:
(a) List the actions that each of the regulated entities identified in question (4) will have to take to comply with this administrative regulation or amendment:
The regulation will require agencies to (1) follow objective standards of practice and documentation regarding ACH/EFT transactions, (2) create and maintain processes designed to mitigate ACH/EFT fraud, and (3) train relevant staff on standards that must be maintained for ACH/EFT transactions.
(b) In complying with this administrative regulation or amendment, how much will it cost each of the entities identified in question (4):
No additional cost.
(c) As a result of compliance, what benefits will accrue to the entities identified in question (4):
Compliance with the regulation will provide additional protection to agencies against fraudulent electronic transactions.
(6) Provide an estimate of how much it will cost the administrative body to implement this administrative regulation:
(a) Initially:
No additional cost.
(b) On a continuing basis:
No additional cost.
(7) What is the source of the funding to be used for the implementation and enforcement of this administrative regulation or this amendment:
No additional funding is necessary for implementation of this regulation.
(8) Provide an assessment of whether an increase in fees or funding will be necessary to implement this administrative regulation, if new, or by the change if it is an amendment:
No additional funding is necessary for implementation of this regulation.
(9) State whether or not this administrative regulation establishes any fees or directly or indirectly increases any fees:
No fees are established or increased.
(10) TIERING: Is tiering applied?
No. The requirements of the regulation are uniform.
FISCAL IMPACT STATEMENT
(1) Identify each state statute, federal statute, or federal regulation that requires or authorizes the action taken by the administrative regulation:
No federal statute or regulation at issue. The regulation is being filed to comply with NACHA standards for ACH/EFT transactions that are applicable to both public and private entities.
(2) State whether this administrative regulation is expressly authorized by an act of the General Assembly, and if so, identify the act:
While not specifically and expressly authorized, 42.0201(3) requires the State Controller to serve as the Commonwealth's chief accounting officer and to be responsible for all aspects of accounting policies and procedures, financial accounting systems, and internal accounting control policies and procedures. KRS 45.237 requires the Finance and Administration Cabinet to develop policies and procedures for the purpose of prevention and detection of errors or fraud and abuse prior to the issuance of a check or warrant. Compliance with NACHA requirements regarding ACH fraud prevention directly advances the goal of prevention and detection of errors or fraud and abuse prior to the issuance of a check or warrant.
(3)(a) Identify the promulgating agency and any other affected state units, parts, or divisions:
This regulation is being promulgated by the Finance and Administration Cabinet Office of the Controller and the regulation will affect all branches of state government in regards to electronic fund transactions and automatic clearing house interactions.
(b) Estimate the following for each affected state unit, part, or division identified in (3)(a):
1. Expenditures:
For the first year:
$0
For subsequent years:
$0
2. Revenues:
For the first year:
$0
For subsequent years:
$0
3. Cost Savings:
For the first year:
$0
For subsequent years:
$0
(4)(a) Identify affected local entities (for example: cities, counties, fire departments, school districts):
No local entity will be affected.
(b) Estimate the following for each affected local entity identified in (4)(a):
1. Expenditures:
For the first year:
$0
For subsequent years:
$0
2. Revenues:
For the first year:
$0
For subsequent years:
$0
3. Cost Savings:
For the first year:
$0
For subsequent years:
$0
(5)(a) Identify any affected regulated entities not listed in (3)(a) or (4)(a):
None
(b) Estimate the following for each regulated entity identified in (5)(a):
1. Expenditures:
For the first year:
$0
For subsequent years:
$0
2. Revenues:
For the first year:
$0
For subsequent years:
$0
3. Cost Savings:
For the first year:
$0
For subsequent years:
$0
(6) Provide a narrative to explain the following for each entity identified in (3)(a), (4)(a), and (5)(a)
(a) Fiscal impact of this administrative regulation:
No fiscal impact is expected from this amendment.
(b) Methodology and resources used to reach this conclusion:
Review by the Office of the Controller and Office of General Counsel, within the Finance and Administration Cabinet, to confirm that anticipated changes are not expected to have a significant fiscal impact.
(7) Explain, as it relates to the entities identified in (3)(a), (4)(a), and (5)(a):
(a) Whether this administrative regulation will have a "major economic impact", as defined by KRS 13A.010(14):
No, the standards within the regulation aim to provide clarification and guidance to agencies regarding already existing ACH/EFT processes.
(b) The methodology and resources used to reach this conclusion:
Review by the Office of the Controller and Office of General Counsel, within the Finance and Administration Cabinet, to confirm that anticipated changes are not expected to have a significant fiscal impact.