Current through Register Vol. 56, No. 23, December 2, 2024
Section 5:30-9A.4 - Standard electronic funds transfer technologies; internal controls and conditions for use

(a) Local units, local authorities, boards of education, and county colleges shall only initiate and approve electronic funds in accordance with this subchapter. Standard electronic funds transfer technologies shall incorporate, at minimum, the following features and safeguards:

1. The ability to designate specific individuals able to initiate disbursements, barring those not authorized to initiate disbursements from doing so;
2. The ability to designate individuals who may authorize disbursement, and segregate initiation and authorization functions. Password or other security controls shall be in place to restrict access based on an individual's authorized role;
3. The ability to confirm receipt of payment by vendor;
4. The ability to bar automatic debits from local unit accounts;
5. The ability for appropriate officials to view transaction history, generate activity reports, and conduct supervisory reviews of all transactions;
6. The ability to backup transaction data and store such data offline;
7. Measures to mitigate risk of duplicate payment;
8. The creation and maintenance of an audit trail, such that transaction history, including demands for payment and payment initiation, authorization, and confirmation, can be independently tracked and detailed through the use of an electronic data interchange or functional equivalent;
9. The following cybersecurity best practice framework shall be followed:
   i. Any system supporting a standard electronic funds transfer technology shall:
      (1) Be hosted on dedicated servers or in a FedRAMP Moderate Impact Level Authorized Cloud. When using cloud services, the vendor shall check provider credentials and contracts;
      (2) Encrypt stored and transmitted financial information and personal identification information;
      (3) Maintain only critical personal identification information. Social Security numbers shall not be utilized as identification numbers for system purposes;
      (4) Employ a resilient password policy;
      (5) Undergo regular and stress testing;
      (6) Have regular security updates on all software and devices carried out;
      (7) Have back-up plans, information disposal, and disaster recovery procedures created and tested;
      (8) Undergo regular security risk assessments for detecting compromises, along with regular monitoring for vulnerabilities, with necessary patches and updates being implemented; and
      (9) Develop a Cybersecurity Incident Response Plan; and
   ii. The managing organization shall:
      (1) Check provider credentials and contracts when using cloud services;
      (2) Educate staff in good security measures and perform employee background checks; and
      (3) Create a computer security incident response team, generally called a CSIRT;
10. Financial institution providers of standard electronic funds transfer technologies shall provide annual evidence of satisfactory internal control to the chief financial officer;
11. ACH payments shall follow rules set forth by the National Automated Clearing House Association (NACHA) or an equivalent successor banking industry standard. In addition, the following safeguards shall be instituted:
   i. All electronic funds transfers through the ACH must utilize electronic data exchange (EDI) technology and be subject to an Electronic Funds Transfer and Indemnification Agreement;
   ii. A user that can generate an ACH file shall neither have upload rights nor access that permits editing of a vendor routing number or vendor account number;
   iii. Each edit to vendor ACH information shall be approved by a separate individual and be logged showing the user editing the data, date stamp, IP address, and the approval of the edit;
   iv. Any ACH file that is in plain text format shall not be stored on a local computer past the time transmitted to a bank; and
   v. If supported by the financial institution of a local unit, local authority, board of education, or county college, said entities shall avail themselves of the ability to recall ACH payments via NACHA file;
12. A charge account or charge card issued by a specific vendor, which can only be utilized for goods and services provided by said vendor, may be utilized by local units, local authorities, and county colleges, but must incorporate the following safeguards:
   i. Outstanding balances shall be required to be paid in full each month. No local unit shall utilize revolving charge cards;
   ii. Allows the local unit, local authority, or county college to designate specific employees authorized to utilize the charge account or card and track purchases by individual user;
   iii. Allows dollar amount limits to be placed on each single purchase; and
   iv. Provides the ability to receive itemized statements and pay by invoice; and
13. No charge account or charge card issued by a specific vendor may be utilized for travel or dining expenses.

(b) The governing body of a local unit, local authority, board of education, or county college may only utilize standard electronic funds transfer technologies upon instituting, at a minimum, the following fiscal and operational controls:

1. The appropriate administrative ordinance or resolution shall be adopted authorizing the policies and procedures governing the use of standard electronic funds transfer technologies consistent with this subchapter;
2. The CFO shall ensure that the minimum internal controls set forth in this chapter, along with those internal controls set forth in the policies and procedures of the local unit, local authority, board of education, or county college are in place and being adhered to;
3. Initiation and authorization roles shall be segregated, and password-restricted. The CFO shall be responsible for authorization of all electronic funds transfers, unless the transfer was initiated by the CFO. If the CFO initiates an electronic funds transfer, another officer designated by the governing body that is not under the supervision of the CFO shall be responsible for authorization of the transfer. A backup officer may be designated in the event the CFO or chief administrative officer are unavailable. All payment of claims ordinances or resolutions enacted pursuant to N.J.S.A. 40A:5-17.b shall, at a minimum, comply with the provisions of this section. This section shall not be interpreted to prevent a local unit, local authority, board of education, or county college from requiring more than one officer to authorize an electronic funds transfer.
   i. For counties organized pursuant to the provisions of the Optional County Charter Law, N.J.S.A. 40:41A-1 et seq., unless otherwise set forth in an ordinance adopted pursuant to N.J.S.A. 40A:5-17.b that provides a method of disbursing moneys or payment of claims, any electronic funds transfer shall be initiated by the chief executive officer.
   ii. For counties not organized pursuant to the provisions of the Optional County Charter Law, N.J.S.A. 40:41A-1 et seq., unless otherwise set forth in a resolution adopted pursuant to N.J.S.A. 40A:5-17.b that provides a method of disbursing moneys or payment of claims, any electronic funds transfer shall be initiated by the clerk of the freeholder board.
   iii. Unless otherwise set forth in an ordinance adopted pursuant to N.J.S.A. 40A:5-17.b that provides a method of disbursing moneys or payment of claims, any electronic funds transfer by a municipality shall be initiated by the mayor or other chief executive officer, and authorized by the municipal clerk in addition to the chief finance officer.
4. No local unit, including a county college, shall disburse funds unless the goods and services are certified as having been provided pursuant to N.J.S.A. 40A:5-16.b, unless otherwise permitted pursuant to N.J.S.A. 40A:5-16.c(1) and this subchapter;
5. Each bill list approved or ratified by the governing body shall indicate the type of standard electronic funds transfer technology that has been or will be utilized in paying the claim, along with a reference that permits tracking;
6. On no less than a weekly basis, activity reports on all transactions utilizing standard electronic funds transfer technologies shall be reviewed by the CFO or another individual under the supervision of the CFO, and in the case of a board of education, an individual appointed by the governing body on an annual basis that is not under the direct supervision of the CFO and is not empowered to initiate or authorize electronic funds transfers. Reconciliation shall be performed on a regular basis. Any activity reports generated by the CFO shall be monitored by another officer, designated by the governing body, who is not under the supervision of the CFO;
7. A user that uploads an ACH file shall check the amounts and recipients against a register displaying ACH payments; and
8. For a charge account or card issued by a specific vendor, a local unit, local authority, or county college shall:
   i. Issue a monthly purchase order for each individual charge account or card authorizing a maximum amount that can be expended each month;
   ii. Designate specific employees able to utilize the account or card;
   iii. Require billing by invoice;
   iv. Pay the outstanding balance in full each month; and
   v. Establish policies and procedures for use, such as are required for procurement card usage pursuant to N.J.A.C. 5:30-9A.7, except that the designation of a program manager shall not be required.

N.J. Admin. Code § 5:30-9A.4
Adopted by 50 N.J.R. 316(a), effective 1/16/2018
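The segregation-of-duties and audit-trail requirements in (a)11.ii-iii and (b)3 can be enforced in software rather than by procedure alone. The following is an added example, not part of the regulation or of any vendor's product: a minimal Python model in which a user holding ACH-generation rights cannot also hold upload or vendor-edit rights, every edit to a vendor routing or account number is held pending until a different individual approves it and is logged with editor, timestamp, IP address and approver, and a transfer's initiator can never be its authorizer. All role names, user names, vendor ids and addresses are constructed for illustration.

```python
"""Added example (not part of N.J.A.C. 5:30-9A.4): segregation of duties and an
audit trail for vendor ACH data, modelled on (a)11.ii-iii and (b)3.
Role names, users, vendor ids and IP addresses below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum, auto
from typing import Dict, List, Optional, Set


class Role(Enum):
    ACH_GENERATE = auto()    # may build an ACH file from the approved bill list
    ACH_UPLOAD = auto()      # may transmit an ACH file to the bank
    VENDOR_EDIT = auto()     # may propose a change to vendor routing/account data
    VENDOR_APPROVE = auto()  # may approve a proposed vendor change
    EFT_INITIATE = auto()    # may initiate an electronic funds transfer
    EFT_AUTHORIZE = auto()   # may authorize an electronic funds transfer


class ControlViolation(Exception):
    """Raised when an action would breach a required internal control."""


# (a)11.ii: ACH file generation is incompatible with upload rights and with
# the ability to edit vendor routing or account numbers.
INCOMPATIBLE_WITH_GENERATE = {Role.ACH_UPLOAD, Role.VENDOR_EDIT}


@dataclass
class User:
    name: str
    roles: Set[Role] = field(default_factory=set)

    def __post_init__(self) -> None:
        # Enforce the role conflict at assignment time, not at use time.
        if Role.ACH_GENERATE in self.roles and self.roles & INCOMPATIBLE_WITH_GENERATE:
            raise ControlViolation(
                f"{self.name}: ACH generation cannot be combined with upload or vendor-edit rights")


@dataclass
class AuditEntry:
    """One logged edit: who changed what, when, from where, and who approved it."""
    vendor_id: str
    field_name: str
    old_value: str
    new_value: str
    edited_by: str
    edited_at: str
    ip_address: str
    approved_by: Optional[str] = None
    approved_at: Optional[str] = None


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class VendorRegistry:
    """Vendor bank details under two-person change control with an audit log."""

    def __init__(self) -> None:
        self.vendors: Dict[str, Dict[str, str]] = {}  # vendor_id -> {"routing": .., "account": ..}
        self.pending: Dict[int, AuditEntry] = {}      # edits awaiting a second person
        self.audit_log: List[AuditEntry] = []         # committed, approved edits
        self._next_id = 1

    def propose_edit(self, user: User, vendor_id: str, field_name: str,
                     new_value: str, ip_address: str) -> int:
        if Role.VENDOR_EDIT not in user.roles:
            raise ControlViolation(f"{user.name} may not edit vendor ACH data")
        if field_name not in ("routing", "account"):
            raise ValueError("only routing and account numbers are controlled here")
        old_value = self.vendors.get(vendor_id, {}).get(field_name, "")
        # (a)11.iii: record editor, date stamp and IP address at proposal time.
        entry = AuditEntry(vendor_id, field_name, old_value, new_value,
                           user.name, _now(), ip_address)
        edit_id, self._next_id = self._next_id, self._next_id + 1
        self.pending[edit_id] = entry  # nothing changes until approved
        return edit_id

    def approve_edit(self, approver: User, edit_id: int) -> AuditEntry:
        entry = self.pending[edit_id]
        if Role.VENDOR_APPROVE not in approver.roles:
            raise ControlViolation(f"{approver.name} may not approve vendor edits")
        # (a)11.iii: the approver must be a separate individual from the editor.
        if approver.name == entry.edited_by:
            raise ControlViolation("an edit cannot be approved by the user who made it")
        entry.approved_by, entry.approved_at = approver.name, _now()
        self.vendors.setdefault(entry.vendor_id, {})[entry.field_name] = entry.new_value
        self.audit_log.append(entry)
        del self.pending[edit_id]
        return entry


def authorize_transfer(initiator: User, authorizer: User, amount: float, vendor_id: str) -> dict:
    """(b)3: initiation and authorization are separate roles held by different people."""
    if Role.EFT_INITIATE not in initiator.roles:
        raise ControlViolation(f"{initiator.name} may not initiate transfers")
    if Role.EFT_AUTHORIZE not in authorizer.roles:
        raise ControlViolation(f"{authorizer.name} may not authorize transfers")
    if initiator.name == authorizer.name:
        raise ControlViolation("the initiator of a transfer cannot also authorize it")
    return {"vendor_id": vendor_id, "amount": amount,
            "initiated_by": initiator.name, "authorized_by": authorizer.name}
```

The registry keeps the pending edit separate from the live vendor record, so a changed routing or account number never takes effect on the strength of one person's credentials, and the committed log entry carries both the editor's and the approver's identity for the weekly review required by (b)6.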