FAR 32.1104—Protection of EFT information.
Plain-English Summary
FAR 32.1104 is a short but important safeguard for contractor payment data. It addresses the Government’s duty to protect contractors’ electronic funds transfer (EFT) information from improper disclosure, which includes bank account details and other payment information used to make contract payments electronically. The section exists to reduce the risk of fraud, identity theft, unauthorized access, and payment disruption that can result if sensitive financial data is exposed. In practice, it means contracting offices, payment offices, and other Government personnel who handle contractor EFT data must treat that information as sensitive and limit access and disclosure to authorized purposes only. Although the text is brief, its effect is broad: it reinforces confidentiality expectations around payment records and supports secure administration of contractor payments under FAR Part 32.
Key Rules
Protect EFT information
The Government must protect contractor EFT information against improper disclosure. This means the information cannot be casually shared, posted, or released to people who do not have a legitimate need to know.
Limit access to authorized use
EFT data should be accessed only by personnel who need it to perform official duties related to contract administration, payment processing, or other authorized Government functions.
Prevent unauthorized disclosure
The rule requires active protection against disclosure that is not proper under law, regulation, or official need. Agencies should use secure handling practices, including controlled storage, transmission, and record access.
Apply to contractor payment data
The protection covers contractor EFT information used for payment purposes, such as bank routing and account information. Because this data is financially sensitive, it must be handled with care throughout the payment lifecycle.
Responsibilities
Government
Protect contractor EFT information from improper disclosure and ensure it is handled only by authorized personnel for official purposes.
Contracting Officer
Ensure EFT information collected or maintained in the contracting process is safeguarded and shared only as permitted for contract administration and payment processing.
Payment Office / Finance Personnel
Maintain secure controls over EFT data used to make payments, including limiting access, preventing unauthorized release, and using approved systems and procedures.
Agency
Establish and enforce internal controls, policies, and systems that protect contractor EFT information from improper disclosure.
Contractor
Provide EFT information as required for payment and monitor its own banking and payment details for accuracy, while understanding that the Government must protect the information it receives.
Practical Implications
EFT data should be treated like sensitive financial information, not routine contract paperwork. Offices should avoid unnecessary email distribution, unsecured storage, or broad file access.
A common pitfall is over-sharing bank account details with staff who do not need them. Agencies should use role-based access and secure systems to reduce exposure.
Contractors should expect their payment information to be handled confidentially, but they should still verify that the Government has the correct EFT data to avoid payment errors.
Improper disclosure can create fraud risk and payment disruption, so agencies should train personnel on secure handling and reporting of suspected breaches or unauthorized access.
Because the rule is brief, agencies must rely on broader privacy, records, and information security controls to implement it effectively in day-to-day operations.
Official Regulatory Text
The Government shall protect against improper disclosure of contractors’ EFT information.