
I have no doubt this is true of many organisations.

As the client, though - we uploaded via SFTP, the connections were IP restricted and the files were PGP encrypted.

I know that doesn't address what happens after we send the bank the file - but that's not our concern, right?



Access to the FTP servers is IP restricted and everything is encrypted in transit and at rest on the server via PGP. In my organization the transfers were via FTPS, not SFTP; big distinction, the FTPS implementations can be not as secure by default as SFTP. But yes, once it's on the ACH processor's servers it's their responsibility and not your compliance issue. They will pass an audit, but from a security point of view, they could do it better in a few areas.



