Sometime there is confusion of where the transaction of ACH is actually taking place. The upload could be the result or request for ACH transfer not the actual transaction. It depends. HTTPS is an acceptable encryption tunnel. There is no need to encrypt the text, then encrypt the tunnel then decrypt the tunnel, then decrypt the text. Sending the request via encrypted HTTPS is acceptable. There will be other countermeasures in place to make sure the direct deposit baseline isn't breached. For instance an acount getting 100,000.00 when it's normally 1,00.00. Human error is the enemy as well.