Explore

ACH Authorization Handbook

Proper authorization is the key to avoiding chargebacks

TL;DR

Obtaining the proper authorization for ACH transactions is the most important step you can take to protect against disputes, return fees, and reversed transactions.

According to

Nacha⁠

(the organization that oversees the Automated Clearing House (ACH) network) rules, there are only three reasons people can dispute ACH charges to their account:

If it was never authorized by the account holder or the authorization was revoked;

If it was processed on a date earlier than authorized; or

If it is for an amount different than authorized

That’s it. And, disputing an ACH charge requires that the account holder provide notice to the bank in writing (or the electronic equivalent) that one of those three conditions exists. (Note that this is significantly different from credit card transactions where a customer can have a charge reversed simply by claiming that the product or service received was not what they expected.)

The key word is Authorized—which according to NACHA means something very specific depending on the

SEC Codes⁠

provided when submitting the transaction via the ACHQ API

As part of the authorization process, we recommend collecting and storing digitally or in paper form for two years the following information from your customers (note this is not an exhaustive list):

Clear, legible consent

Your authorization page or consent checkbox must plainly state that you are obtaining consent to debit your customer’s bank account for a specific transaction or set of recurring transactions.

One way to achieve this is for the authorization form to have express language such as:

I authorize (your company) to electronically debit my account and, if necessary, electronically credit my account to correct erroneous debits.

Transaction specific details

Date, time of transaction, debiting account info (bank name and last 4 digits of the bank account at minimum,) item purchased, IP address (and corresponding details such as email/phone), frequency if it is a recurring payment

Client/account information

Name on account/shipping information, any other controls in place to verify the identity of the customer

Any additional or transaction info

Prior transaction history, particularly for recurring payments (e.g. IP information, other logins, other purchases)

Receipt of transaction

Prompt your customer to print the authorization and retain a hard copy or electronic copy, and send an e-mail receipt of the processed transaction to your customer.

Process for revocation

Your authorization flow must provide your customer with a method to revoke authorization by notifying you, so be sure to include a telephone number and/or e-mail address where your customer can contact you. You should display this information on the authorization page and receipt/confirmation sent to the customer after the transaction has been completed.

SEC Codes

An SEC code is a three letter word code that describes how a payment was authorized by the consumer or business receiving an ACH transaction.

SEC CODE

DIRECTION

AUTHORIZATION REQUIREMENT

Prearranged Payment & Deposit (PPD) (Corporate to Consumer)

Credits

Authorization required. Oral or non-written means (i.e., voided check) accepted.

Prearranged Payment & Deposit (PPD) (Corporate to Consumer)

Debits

Authorization required. Written, signed or Similarly Authenticated.

Corporate Credit or Debit (CCD) (Corporate to Corporate)

Debits/ Credits

Agreement required for transfers between companies; written authorization implied.

Internet-Initiated/Mobile Entry (WEB) (Corporate to Consumer)

Debits

Similarly Authenticated authorization required due to the nature of the Internet.

Internet-Initiated/Mobile Entry (WEB) (Consumer to Consumer)

Credits

No authorization required.

Point-of-Sale (POS)

Debit/ Credit

Written and signed or similarly authenticated

There are no rows in this table

⁠

This is all pretty important!

Obtaining the proper authorization for your ACH transaction is the most important step you can take to ensure compliance with the network rules and protect yourself against disputes, return fees, and reversed transactions.

If you’re like most people and just want to make sure you’re not breaking any rules, skip below for a

sample ACH agreement⁠

A Very Serious ACH Compliance Guide

Some of this stuff is pretty opaque, so don’t worry about becoming an ACH rules expert. We’re providing the gory details here just incase that’s your kind of thing.

Authorization for Debit Entries to Consumer Accounts

Content: 2022 NACHA Operating Guidelines

Section: Section II Originating Depository Financial Institutions

Subsection: Chapter 16 Relationship with Receiver and Authorization Requirements

SubSubsection: CONSUMER RECEIVERS

An Originator of a debit entry to a Receiver’s consumer account must obtain a written authorization that is signed or similarly authenticated by the Receiver, except as otherwise expressly permitted by the Rules. In addition to meeting the general requirements for all authorizations, as discussed above, the Originator must ensure that each consumer debit authorization includes the following minimum information:

Language clearly stating whether the authorization obtained from the Receiver is for a single entry, recurring entries, or one or more subsequent entries initiated under the terms of a standing authorization;

The amount of the entry or entries, or a reference to the method of determining the amount of the entry(ies);

The timing of the entries, including the start date, number of entries, and frequency of the entries;

The Receiver’s name or identity;

The account to be debited (this should include whether the account is a demand deposit account or a savings account);

The date of the Receiver’s authorization; and

Language that instructs the Receiver how to revoke the authorization directly with the Originator. This must include the time and manner in which the Receiver must communicate the revocation to the Originator. For a single entry authorized in advance, the right of the Receiver to revoke authorization must provide the Originator a reasonable opportunity to act on the revocation instruction prior to initiating the entry.

Where an authorization is a standing authorization for the initiation of subsequent entries, the Originator may meet these requirements through a combination of the standing authorization and the Receiver’s affirmative action to initiate a subsequent entry.

In any case where the Rules permit an Originator to obtain the Receiver’s authorization for a debit by notice to the Receiver, the Originator also may choose, at its discretion, to obtain the Receiver’s authorization by a signed, written authorization that meets the requirements described above.

Authentication of Authorization – With the exception of ARC, BOC, RCK, and Return Fee Entries, the authorization must be signed or similarly authenticated by the consumer.

WEB Debit Entries

Debit WEB entries are used by non-consumer Originators to debit a consumer based on an authorization that is communicated, other than by an oral communication via a telephone call, from the Receiver to the Originator via the Internet or a Wireless Network. Like most other debit entries to consumer accounts, the consumer Receiver’s authorization obtained via the Internet or a Wireless Network must be in writing, must be signed or similarly authenticated by the Receiver, and must conform to the minimum standards applicable to all consumer debit authorizations, as discussed in Chapter 16 (Relationship with Receiver and Authorization Requirements) of these Guidelines. (Note: Additional data security requirements and validation of receiver identity and account information also apply to internet-based authorizations.)

To meet the requirement that the authorization be in writing, in the context of WEB entries, the Receiver must be able to read the authorization language displayed on a computer screen or other visual display. The Originator should prompt the Receiver to print the authorization and retain a hard copy or electronic copy. The Originator must be able to provide the Receiver with a hard copy of the authorization if requested to do so. Only the Receiver may authorize the WEB transaction, and not a Third-Party Service Provider on behalf of the Receiver.

The Nacha Operating Rules allow the use of a digital signature or code to similarly authenticate a written authorization. Examples of methods used to similarly authenticate an authorization include, but are not limited to, the use of digital signatures, codes, shared secrets, PINs, biometrics, etc. To satisfy the requirements of the Nacha Operating Rules, which parallel Regulation E, the authentication method chosen must identify the Receiver and demonstrate the Receiver’s assent to the authorization.

Originators should understand the distinction between authenticating a Receiver for general use on a website (or marketing purposes, etc.) and authentication in the context of an authorization. Authentication of an authorization is strongest when the authorization and the authentication of that authorization occur simultaneously or nearly simultaneously. Although an initial website session log-in may constitute adequate authentication for a click-through authorization as part of the same session, Originators and ODFIs should consider the strength of the association of an initial log-in with a later authorization. The burden of demonstrating that the authentication process is sufficiently linked to the authorization will be on the Originator and ODFI.

Similarly Authenticated

The similarly authenticated standard permits signed, written authorizations to be provided electronically. These writing and signature requirements are satisfied by compliance with the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001 et seq.).

To satisfy the requirements of Regulation E and the Nacha Operating Rules, the authentication method chosen must evidence both the consumer’s identity and his assent to the authorization.

Examples of methods used to similarly authenticate an authorization include, but are not limited to, the use of digital signatures, codes, shared secrets, PINs, etc.

Authentication of an authorization is strongest when the authorization and the authentication of that authorization occur simultaneously or nearly simultaneously. Although an initial website session log-in may constitute adequate authentication for a click-through authorization as part of the same session, Originators and ODFIs should consider the strength of the association of an initial log-in with a later authorization. The Originator and ODFI bear the burden of demonstrating that the authentication process is sufficiently linked to the authorization.

One of the practical considerations for an Originator is how to present an authorization to a Receiver over the Internet that both meets the requirements of the Nacha Operating Rules and is easily understood. As long as the required information is included in the authorization language, Originators have the flexibility to draft the language in any way that is user-friendly for their customers.

Originators must retain records of a Receiver’s authorization in accordance with the requirements discussed in these Guidelines. In the physical world this record would be an original or copy of the signed authorization. In the electronic world where the authorization will be similarly authenticated, the Originator must keep a copy of the authorization and a record of the authentication. The Originator must also be able to provide these records to the ODFI upon its request. The ODFI may request these records either for its own use or to forward to the RDFI (the Receiver’s financial institution).

In the event that an Originator must demonstrate proof of a Receiver’s authorization for a debit WEB entry, it should provide documentation that provides transaction details including Receiver information.

Example: Originators can provide a screen shot of the authorization language and then the date/timestamp of the Receiver login and the authorization process that evidenced both the consumers’ identity and his assent to the authorization.

Copy of Authorization to Receiver

An Originator must provide the Receiver with an Electronic or hard copy of the Receiver’s authorization. The copy may be provided to the consumer via mail, internet/online network, in person or any other method allowable under applicable legal requirements. In circumstances where the consumer signs the written authorization or, alternatively, uses the telephone to similarly authenticate the written authorization by speaking or key entering a code for identification, the consumer has a paper authorization in his possession, which should be retained as the copy of the authorization. The consumer can also request an additional hard copy of the authorization from the Originator. For the Internet/on-line network alternative, the consumer reads the authorization that is displayed on the computer screen or other visual display. The consumer should print the authorization from his computer screen and retain this copy. The Originator must be able to provide the consumer with a hard copy of a debit authorization if requested to do so.

Retention of Authorization

The Originator must retain an original or copy of a written authorization, and readily and accurately reproducible records evidencing any other form of authorization. The record of authorization must be retained by the Originator for a period of two years following the termination or revocation of the authorization. The authorization may be retained as an electronic record that (1) accurately reflects the information in the record, and (2) is capable of being accurately reproduced for later reference, whether by transmission, printing, or otherwise. Standing and oral authorizations have specific retention requirements that are discussed in their respective sections below.

Standing Authorizations

The Standing Authorizations Rule (the Rule) established standards for a standing authorization as an advance authorization by a consumer of future debits at various intervals. Under a Standing Authorization, future debits are initiated by the consumer through further actions. The Rule allows for Originators to obtain Standing Authorizations in writing or orally. The Rule also defines Subsequent Entries, which are individual payments initiated based on a Standing Authorization. Subsequent Entries may be initiated in any manner identified in the Standing Authorization.

The Rule allows Originators some flexibility in the use of consumer Standard Entry Class (SEC) Codes for individual Subsequent Entries. Originators may use the WEB SEC Code for Subsequent Entries when initiated by either a telephone call or via the Internet/wireless network, respectively, regardless of how the Standing Authorization was obtained. In these cases, the Originator does not need to meet the authorization requirements of TEL or WEB, but does need to meet the risk management and security requirements associated with those SEC Codes.

Use of WEB Standard Entry Class Code for Subsequent Entries

At its discretion, an Originator may identify a Subsequent Entry as a debit WEB Entry if the Receiver’s affirmative action for the initiation of the Subsequent Entry is communicated by the Receiver to the Originator via the Internet or a Wireless Network, regardless of the manner in which the Standing Authorization was obtained.

Standing Authorization requirements

A Standing Authorization is an advance authorization obtained from a Receiver for one or more future entries (referred to as subsequent entries) that require the Receiver’s affirmative action to initiate. An Originator of a standing authorization must meet the minimum standards for a consumer debit authorization identified above, but it may do so through a combination of the standing authorization and the Receiver’s affirmative action to initiate each subsequent entry.

As part of the terms of a standing authorization, the Originator must clearly specify the action(s) that the Receiver can take to initiate a subsequent entry. These actions can include, but are not limited to, a telephone call, an internet interaction, or a text message.

Examples of standing authorizations include, among others:

Bill payment- A standing authorization could allow a consumer to initiate payments on a credit card account intermittently and via various channels (phone, online, mobile app, text, virtual assistant technology, etc.)

E-wallet /personal financial management- A consumer could provide a standing authorization for future debits related to using an e-wallet or other personal financial management service

Personal or home virtual assistants - A standing authorization could be used in conjunction with services and apps that allow future e-commerce and payments to be initiated via virtual voice assistant or similar functionality

Account transfers- A consumer could provide a standing authorization to authorize funding debits to a brokerage account based on investment activity

For a standing authorization, an Originator must retain the original or a copy of each standing authorization for two years following the termination or revocation of the authorization. The Originator must also retain proof that the Receiver affirmatively initiated each payment in accordance with the terms of the standing authorization for two years following the Settlement Date of the entry.

Receiver Account Information

In any case where the Receiver’s affirmative action to initiate a subsequent entry involves the communication or confirmation of any of the Receiver’s banking information (such as routing number, account number, PIN, or other identification symbol) via an unsecured electronic network, the Originator must comply with ACH data security requirements.

Authorization Requirements

Content: 2022 NACHA Operating Guidelines

Section: Section V Standard Entry Class Codes

Subsection: Chapter 45 Prearranged Payment and Deposit Entries (PPD)

As with any ACH transaction, the Originator must obtain the Receiver’s authorization to initiate PPD entries through the ACH Network to the Receiver’s account. For PPD debit entries, the authorization must

be in writing;

be readily identifiable as an ACH authorization;

have clear and readily understandable terms;

meet the minimum authorization requirements as discussed in Chapter 16 of these Guidelines; and

be either signed or similarly authenticated by the consumer. (Refer to the discussion below on the use of the similarly authenticated standard with PPD entries.)

The Originator must provide the Receiver a copy of the authorization for all debit entries.

For credit entries to a consumer account, the authorization may be obtained in writing, or it may be obtained orally or by other non-written means.

The Rules do not require the consumer’s authorization to initiate reversing entries to correct erroneous transactions. However, Originators should consider obtaining express authorization of credits or debits to correct errors.

An Originator must retain the original or a reproducible copy of the Receiver’s authorization for two years from the termination or revocation of the authorization and must be able to provide the ODFI with an accurate copy within the time period required by the ODFI.

To reduce the costs and time needed to resolve some exceptions in which proof of authorization is requested, Originators and their ODFIs may agree to accept the return of the debit rather than provide a copy of the authorization to the RDFI. In these cases, the ODFI must provide the RDFI with written confirmation that the ODFI has agreed to accept the return of the entry at any time within ten banking days of providing the confirmation to the RDFI. Even when the ODFI has accepted a return or has agreed to accept the return of the entry, it is still possible that the RDFI may require a copy of the Receiver’s authorization. In these situations, the RDFI will need to submit a subsequent request for evidence of the Receiver’s authorization to the ODFI, and the Originator must provide the original, copy or other accurate record of the authorization to its ODFI for provision to the RDFI within ten banking days of the RDFI’s subsequent request. Originators and ODFIs that choose to take advantage of this alternative to providing proof of authorization should consider whether any changes or modifications to their business processes may be necessary.

PPD Entries and the Similarly Authenticated Standard

As an alternative to providing a written signature to authorize a PPD debit entry, the consumer Receiver may similarly authenticate the written authorization that was previously delivered to him by the Originator. The similar authentication method must evidence both the consumer’s identity and his assent to the authorization.

For example, where there is an existing relationship, the Originator could have previously delivered the written terms of the authorization to the consumer with an explanation of a telephone payment option. The consumer Receiver could authenticate his agreement to the terms of the authorization by key-entering into a VRU or speaking into a recorded line a PIN provided with the authorization that identifies the consumer. (Either the consumer or the Originator could have initiated the telephone call in this case.)

Alternatively, an Originator having no relationship with the Receiver could deliver the terms of the authorization to the Receiver in a catalog mailed on an unsolicited basis. Either party (consumer or Originator) could initiate the telephone call, during which the consumer Receiver would authenticate his agreement to the terms of the authorization by key-entering into a VRU or speaking into a recorded line a PIN printed in the catalog.

When a consumer uses the telephone to similarly authenticate an authorization, Originators should consider the following as best practices:

The PIN code should be a minimum of four digits.

If there is not an existing relationship between the Originator and the Receiver, the code should be printed on the written authorization that is in the consumer’s possession when the telephone conversion occurs. This demonstrates the consumer’s possession of the authorization language at the time of the call.

Outbound calls by an Originator to a consumer where there is no prior relationship pose heightened risks for obtaining a properly authenticated, bona fide authorization. Originators in these circumstances should pay particular attention to compliance with the Federal Trade Commission’s (FTC’s) Telemarketing Sales Rule (16 C.F.R. Part 310) and should take steps to ensure that their authorization language is clear, conspicuous, and readily understood by the Receiver, and that their means of authentication unambiguously indicates the Receiver’s assent to the transaction.

The Originator must retain a record of any authentication code relayed by the consumer. If the consumer verbally expresses the authentication code, the Originator must make and retain an audio recording of the consumer’s statement of the code. If the consumer relays the authentication code by key-entering it into a VRU, a record of the keystrokes must be retained. As with other ACH transactions, proof of authorization is required. Originators must retain a copy of both the written authorization and the consumer’s use of the authentication code. Both must be accurately reproduced and provided to the ODFI upon request.

Originators should be aware of the distinction between PPD entries that are similarly authenticated using the telephone and Telephone-Initiated Entries, which are discussed in Chapter 47 of these Guidelines.

Notice of Change in Amount

If the amount of a debit entry to be initiated to a consumer account differs from the amount of the immediately preceding debit entry relating to the same authorization, or differs from a preauthorized amount, an Originator must send the Receiver written notification of the amount of the entry and the date on or after which the entry will be debited. The Originator must provide this notice at least ten calendar days prior to the date on which the entry is scheduled to be initiated.

No Notice Required for Change Within Agreed Range

The Originator is not required to give the notice above if (i) the Originator provides, and the Receiver chooses, the option to receive such notice only if the amount of the entry falls outside a specified range or if the entry differs from the most recent entry by more than an agreed upon amount, and (ii) the variation in the amount of the entry is within the tolerance agreed to by the Receiver.

Notice of Change in Scheduled Debiting Date

An Originator that changes the scheduled date on or after which debit entries are to be initiated to a Receiver’s account must send to the Receiver written notification of the new date on or after which entries are scheduled to be debited to the Receiver’s account. The Originator must send such notification to the Receiver at least seven calendar days before the first such entry is scheduled to be debited to the Receiver’s account. Variation in debiting dates due to Saturdays, Sundays, or holidays are not considered to be changes in the scheduled dates

Samples and templates

Authorization language

Your Authorization for ACH Debits and Credits

By agreeing to these Terms, you authorize [[Full Entity Legal Name]] (“[[Company]]”) to electronically debit and credit your designated deposit account at your designated depository financial institution (your “Bank Account”) via ACH and, if ever applicable, to correct erroneous debits and credits via ACH for [[CHOOSE AND USE ONLY ONE]]

a single (one-time) entry for [[date and amount]]

recurring entries (that recur at substantially regular intervals without my affirmative action to initiate future entries) [[interval and amount]]

subsequent entries (initiated under the terms of my standing authorization) that require my affirmative action to initiate those future entries

You also acknowledge that the amount and frequency of the foregoing debits and credits may vary and that you waive your right to receive prior notice of the amount and date of each debit and credit.

You acknowledge that the electronic authorization contained in this ACH Authorization represents your written authorization for ACH transactions as provided herein and will remain in full force and effect until you notify [[Company]] that you wish to revoke this authorization by emailing [[support email address]]. You must notify [[Company]] at least 14 Business Days before the scheduled debit date of any ACH transaction from your Bank Account in order to cancel this authorization. If we do not receive notice at least 14 Business Days before the scheduled debit date, we may attempt, in our sole discretion, to cancel the debit transaction. However, we assume no responsibility for our failure to do so.

If you withdraw your electronic authorization contained in this ACH Authorization, we will suspend or close your [[Company]] account, and you will no longer be able to use your [[Company]] account or the Services, except as otherwise expressly provided in our terms of service ([[link to terms of service]]). Please note that withdrawal of your electronic authorization contained in this ACH Authorization will not apply to transactions performed before the withdrawal of your authorization becomes effective.

In addition to any of your other representations and warranties in this ACH Authorization, you represent that: (a) your browser is equipped with at least 128-bit security encryption; (b) you are capable of printing, storing, or otherwise saving a copy of this electronic authorization for your records; and (c) the ACH transactions you hereby authorize comply with applicable law.

For purposes of these Terms, “Business Day” means Monday through Friday, excluding federal banking holidays.

Web payment forms

For custom payment forms that directly integrate with the ACHQ API, you must display the authorization terms on your payment page or have the buyer "click to consent" before confirming the Payment

Recommended authorization

We recommend that you use the following mandate text for your custom payment form or in the application/website user agreement. This text must include the customer’s name, bank account information, and the date.

By clicking [accept], you authorize Widgets Inc to debit the bank account specified above for any amount owed for charges arising from your use of Widgets Inc’ services and/or purchase of products from Widgets Inc, pursuant to Widgets Inc’ website and terms, until this authorization is revoked. You may amend or cancel this authorization at any time by providing notice to Widgets Inc with 30 (thirty) days notice.

If you plan to use the customer’s bank account for future payments also include:

If you use Widgets Inc’ services or purchase additional products periodically pursuant to Widgets Inc’ terms, you authorize Widgets Inc to debit your bank account periodically. Payments that fall outside of the regular debits authorized above will only be debited after your authorization is obtained.

Regardless of the end-user experience, your application must capture the customer consent in a reproduceable fashion. This consent will be used to protect you from customer disputes.

Sending notification emails

You can send custom email notifications to customers to satisfy Nacha requirements.

In the email, include the following information:

Authorization date

Amount

Account holder name

Financial institution

Routing number

Last four digits of the account number

The following is a sample auth confirmation email that you can send.

Agreement Date

June 16, 2023

Amount

$50.00

Account Holder Name

Bob Loblaw

Financial Institution

Chase Bank

Routing Number

021000021

Account Number

**6789

There are no rows in this table

⁠

Thank you for signing up for direct debits from Widgets Inc. You have authorized Widgets Inc to debit the bank account specified above for any amount owed for charges arising from your use of Widgets Inc’ services and/or purchase of products from Widgets Inc, pursuant to Widgets Inc’ website and terms, until this authorization is revoked. You may amend or cancel this authorization at any time by providing notice to Widgets Inc with 30 (thirty) days notice.

CCD Specific Language

As with all ACH transactions, the Originator of a CCD entry must receive the Receiver’s authorization to debit or credit the Receiver’s account. The Nacha Operating Rules do not require the CCD/CTX authorization to be in a specific form. However, the rules require the Originator and Receiver to have an agreement that binds the Receiver to the Rules. This trading partner agreement should contain the authorization requirements and procedures as determined by the parties; the companies negotiate the terms.

Nacha isn’t very helpful with specifics here due to the varied nature of B2B (CCD) transactions. Our recommendation would be to follow best practices outlined in this guide while also including specific language to the following affect:

Both parties agree to be bound by Nacha Operating Rules as they pertain to all ACH transactions initiated by [[YOUR COMPANY Full Entity Legal Name]]that credit or debit the [[YOUR CUSTOMER Full Entity Legal Name]] bank account and acknowledge that the origination of ACH transactions to the listed account must comply with provisions of U.S. law.

PDF Template

⁠

Recurring Payment Authorization template_2022.pdf

140.7 kB

⁠

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.