(the organization that oversees the Automated Clearing House (ACH) network) rules, there are only three reasons people can dispute ACH charges to their account:
If it was never authorized by the account holder or the authorization was revoked;
If it was processed on a date earlier than authorized; or
If it is for an amount different than authorized
That’s it. And, disputing an ACH charge requires that the account holder provide notice to the bank in writing (or the electronic equivalent) that one of those three conditions exists. (Note that this is significantly different from credit card transactions where a customer can have a charge reversed simply by claiming that the product or service received was not what they expected.)
The key word is Authorized—which according to NACHA means something very specific depending on the
provided when submitting the transaction via the ACHQ API
As part of the authorization process, we recommend collecting and storing digitally or in paper form for two years the following information from your customers (note this is not an exhaustive list):
Clear, legible consent
Your authorization page or consent checkbox must plainly state that you are obtaining consent to debit your customer’s bank account for a specific transaction or set of recurring transactions.
One way to achieve this is for the authorization form to have express language such as:
I authorize (your company) to electronically debit my account and, if necessary, electronically credit my account to correct erroneous debits.
Transaction specific details
Date, time of transaction, debiting account info (bank name and last 4 digits of the bank account at minimum,) item purchased, IP address (and corresponding details such as email/phone), frequency if it is a recurring payment
Name on account/shipping information, any other controls in place to verify the identity of the customer
Any additional or transaction info
Prior transaction history, particularly for recurring payments (e.g. IP information, other logins, other purchases)
Receipt of transaction
Prompt your customer to print the authorization and retain a hard copy or electronic copy, and send an e-mail receipt of the processed transaction to your customer.
Process for revocation
Your authorization flow must provide your customer with a method to revoke authorization by notifying you, so be sure to include a telephone number and/or e-mail address where your customer can contact you. You should display this information on the authorization page and receipt/confirmation sent to the customer after the transaction has been completed.
An SEC code is a three letter word code that describes how a payment was authorized by the consumer or business receiving an ACH transaction.
Prearranged Payment & Deposit (PPD) (Corporate to Consumer)
Authorization required. Oral or non-written means (i.e., voided check) accepted.
Prearranged Payment & Deposit (PPD) (Corporate to Consumer)
Authorization required. Written, signed or Similarly Authenticated.
Corporate Credit or Debit (CCD) (Corporate to Corporate)
Agreement required for transfers between companies; written authorization implied.
Internet-Initiated/Mobile Entry (WEB) (Corporate to Consumer)
Similarly Authenticated authorization required due to the nature of the Internet.
Internet-Initiated/Mobile Entry (WEB) (Consumer to Consumer)
No authorization required.
Written and signed or similarly authenticated
There are no rows in this table
This is all pretty important!
Obtaining the proper authorization for your ACH transaction is the most important step you can take to ensure compliance with the network rules and protect yourself against disputes, return fees, and reversed transactions.
If you’re like most people and just want to make sure you’re not breaking any rules, skip below for a
Some of this stuff is pretty opaque, so don’t worry about becoming an ACH rules expert. We’re providing the gory details here just incase that’s your kind of thing.
Authorization for Debit Entries to Consumer Accounts
Content: 2022 NACHA Operating Guidelines
Section: Section II Originating Depository Financial Institutions
Subsection: Chapter 16 Relationship with Receiver and Authorization Requirements
SubSubsection: CONSUMER RECEIVERS
An Originator of a debit entry to a Receiver’s consumer account must obtain a written authorization that is signed or similarly authenticated by the Receiver, except as otherwise expressly permitted by the Rules. In addition to meeting the general requirements for all authorizations, as discussed above, the Originator must ensure that each consumer debit authorization includes the following minimum information:
Language clearly stating whether the authorization obtained from the Receiver is for a single entry, recurring entries, or one or more subsequent entries initiated under the terms of a standing authorization;
The amount of the entry or entries, or a reference to the method of determining the amount of the entry(ies);
The timing of the entries, including the start date, number of entries, and frequency of the entries;
The Receiver’s name or identity;
The account to be debited (this should include whether the account is a demand deposit account or a savings account);
The date of the Receiver’s authorization; and
Language that instructs the Receiver how to revoke the authorization directly with the Originator. This must include the time and manner in which the Receiver must communicate the revocation to the Originator. For a single entry authorized in advance, the right of the Receiver to revoke authorization must provide the Originator a reasonable opportunity to act on the revocation instruction prior to initiating the entry.
Where an authorization is a standing authorization for the initiation of subsequent entries, the Originator may meet these requirements through a combination of the standing authorization and the Receiver’s affirmative action to initiate a subsequent entry.
In any case where the Rules permit an Originator to obtain the Receiver’s authorization for a debit by notice to the Receiver, the Originator also may choose, at its discretion, to obtain the Receiver’s authorization by a signed, written authorization that meets the requirements described above.
Authentication of Authorization – With the exception of ARC, BOC, RCK, and Return Fee Entries, the authorization must be signed or similarly authenticated by the consumer.
Copy of Authorization to Receiver
An Originator must provide the Receiver with an Electronic or hard copy of the Receiver’s authorization. The copy may be provided to the consumer via mail, internet/online network, in person or any other method allowable under applicable legal requirements. In circumstances where the consumer signs the written authorization or, alternatively, uses the telephone to similarly authenticate the written authorization by speaking or key entering a code for identification, the consumer has a paper authorization in his possession, which should be retained as the copy of the authorization. The consumer can also request an additional hard copy of the authorization from the Originator. For the Internet/on-line network alternative, the consumer reads the authorization that is displayed on the computer screen or other visual display. The consumer should print the authorization from his computer screen and retain this copy. The Originator must be able to provide the consumer with a hard copy of a debit authorization if requested to do so.
The similarly authenticated standard permits signed, written authorizations to be provided electronically. These writing and signature requirements are satisfied by compliance with the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001 et seq.).
To satisfy the requirements of Regulation E and the Nacha Operating Rules, the authentication method chosen must evidence both the consumer’s identity and his assent to the authorization.
Examples of methods used to similarly authenticate an authorization include, but are not limited to, the use of digital signatures, codes, shared secrets, PINs, etc. Authentication of an authorization is strongest when the authorization and the authentication of that authorization occur simultaneously or nearly simultaneously. Although an initial website session log-in may constitute adequate authentication for a click-through authorization as part of the same session, Originators and ODFIs should consider the strength of the association of an initial log-in with a later authorization. The Originator and ODFI bear the burden of demonstrating that the authentication process is sufficiently linked to the authorization.
Retention of Authorization
The Originator must retain an original or copy of a written authorization, and readily and accurately reproducible records evidencing any other form of authorization. The record of authorization must be retained by the Originator for a period of two years following the termination or revocation of the authorization. The authorization may be retained as an electronic record that (1) accurately reflects the information in the record, and (2) is capable of being accurately reproduced for later reference, whether by transmission, printing, or otherwise. Standing and oral authorizations have specific retention requirements that are discussed in their respective sections below.
A Standing Authorization is an advance authorization obtained from a Receiver for one or more future entries (referred to as subsequent entries) that require the Receiver’s affirmative action to initiate. An Originator of a standing authorization must meet the minimum standards for a consumer debit authorization identified above, but it may do so through a combination of the standing authorization and the Receiver’s affirmative action to initiate each subsequent entry.
As part of the terms of a standing authorization, the Originator must clearly specify the action(s) that the Receiver can take to initiate a subsequent entry. These actions can include, but are not limited to, a telephone call, an internet interaction, or a text message.
Examples of standing authorizations include, among others:
Bill payment- A standing authorization could allow a consumer to initiate payments on a credit card account intermittently and via various channels (phone, online, mobile app, text, virtual assistant technology, etc.)
E-wallet /personal financial management- A consumer could provide a standing authorization for future debits related to using an e-wallet or other personal financial management service
Personal or home virtual assistants - A standing authorization could be used in conjunction with services and apps that allow future e-commerce and payments to be initiated via virtual voice assistant or similar functionality
Account transfers- A consumer could provide a standing authorization to authorize funding debits to a brokerage account based on investment activity
For a standing authorization, an Originator must retain the original or a copy of each standing authorization for two years following the termination or revocation of the authorization. The Originator must also retain proof that the Receiver affirmatively initiated each payment in accordance with the terms of the standing authorization for two years following the Settlement Date of the entry.
Receiver Account Information
In any case where the Receiver’s affirmative action to initiate a subsequent entry involves the communication or confirmation of any of the Receiver’s banking information (such as routing number, account number, PIN, or other identification symbol) via an unsecured electronic network, the Originator must comply with ACH data security requirements.
Content: 2022 NACHA Operating Guidelines
Section: Section V Standard Entry Class Codes
Subsection: Chapter 45 Prearranged Payment and Deposit Entries (PPD)
As with any ACH transaction, the Originator must obtain the Receiver’s authorization to initiate PPD entries through the ACH Network to the Receiver’s account. For PPD debit entries, the authorization must
be in writing;
be readily identifiable as an ACH authorization;
have clear and readily understandable terms;
meet the minimum authorization requirements as discussed in Chapter 16 of these Guidelines; and
be either signed or similarly authenticated by the consumer. (Refer to the discussion below on the use of the similarly authenticated standard with PPD entries.)
The Originator must provide the Receiver a copy of the authorization for all debit entries.
For credit entries to a consumer account, the authorization may be obtained in writing, or it may be obtained orally or by other non-written means.
The Rules do not require the consumer’s authorization to initiate reversing entries to correct erroneous transactions. However, Originators should consider obtaining express authorization of credits or debits to correct errors.
An Originator must retain the original or a reproducible copy of the Receiver’s authorization for two years from the termination or revocation of the authorization and must be able to provide the ODFI with an accurate copy within the time period required by the ODFI.
To reduce the costs and time needed to resolve some exceptions in which proof of authorization is requested, Originators and their ODFIs may agree to accept the return of the debit rather than provide a copy of the authorization to the RDFI. In these cases, the ODFI must provide the RDFI with written confirmation that the ODFI has agreed to accept the return of the entry at any time within ten banking days of providing the confirmation to the RDFI. Even when the ODFI has accepted a return or has agreed to accept the return of the entry, it is still possible that the RDFI may require a copy of the Receiver’s authorization. In these situations, the RDFI will need to submit a subsequent request for evidence of the Receiver’s authorization to the ODFI, and the Originator must provide the original, copy or other accurate record of the authorization to its ODFI for provision to the RDFI within ten banking days of the RDFI’s subsequent request. Originators and ODFIs that choose to take advantage of this alternative to providing proof of authorization should consider whether any changes or modifications to their business processes may be necessary.
PPD Entries and the Similarly Authenticated Standard
As an alternative to providing a written signature to authorize a PPD debit entry, the consumer Receiver may similarly authenticate the written authorization that was previously delivered to him by the Originator. The similar authentication method must evidence both the consumer’s identity and his assent to the authorization.
For example, where there is an existing relationship, the Originator could have previously delivered the written terms of the authorization to the consumer with an explanation of a telephone payment option. The consumer Receiver could authenticate his agreement to the terms of the authorization by key-entering into a VRU or speaking into a recorded line a PIN provided with the authorization that identifies the consumer. (Either the consumer or the Originator could have initiated the telephone call in this case.)
Alternatively, an Originator having no relationship with the Receiver could deliver the terms of the authorization to the Receiver in a catalog mailed on an unsolicited basis. Either party (consumer or Originator) could initiate the telephone call, during which the consumer Receiver would authenticate his agreement to the terms of the authorization by key-entering into a VRU or speaking into a recorded line a PIN printed in the catalog.
When a consumer uses the telephone to similarly authenticate an authorization, Originators should consider the following as best practices:
The PIN code should be a minimum of four digits.
If there is not an existing relationship between the Originator and the Receiver, the code should be printed on the written authorization that is in the consumer’s possession when the telephone conversion occurs. This demonstrates the consumer’s possession of the authorization language at the time of the call.
Outbound calls by an Originator to a consumer where there is no prior relationship pose heightened risks for obtaining a properly authenticated, bona fide authorization. Originators in these circumstances should pay particular attention to compliance with the Federal Trade Commission’s (FTC’s) Telemarketing Sales Rule (16 C.F.R. Part 310) and should take steps to ensure that their authorization language is clear, conspicuous, and readily understood by the Receiver, and that their means of authentication unambiguously indicates the Receiver’s assent to the transaction.
The Originator must retain a record of any authentication code relayed by the consumer. If the consumer verbally expresses the authentication code, the Originator must make and retain an audio recording of the consumer’s statement of the code. If the consumer relays the authentication code by key-entering it into a VRU, a record of the keystrokes must be retained. As with other ACH transactions, proof of authorization is required. Originators must retain a copy of both the written authorization and the consumer’s use of the authentication code. Both must be accurately reproduced and provided to the ODFI upon request.
Originators should be aware of the distinction between PPD entries that are similarly authenticated using the telephone and Telephone-Initiated Entries, which are discussed in Chapter 47 of these Guidelines.
Notice of Change in Amount
If the amount of a debit entry to be initiated to a consumer account differs from the amount of the immediately preceding debit entry relating to the same authorization, or differs from a preauthorized amount, an Originator must send the Receiver written notification of the amount of the entry and the date on or after which the entry will be debited. The Originator must provide this notice at least ten calendar days prior to the date on which the entry is scheduled to be initiated.
No Notice Required for Change Within Agreed Range
The Originator is not required to give the notice above if (i) the Originator provides, and the Receiver chooses, the option to receive such notice only if the amount of the entry falls outside a specified range or if the entry differs from the most recent entry by more than an agreed upon amount, and (ii) the variation in the amount of the entry is within the tolerance agreed to by the Receiver.
Notice of Change in Scheduled Debiting Date
An Originator that changes the scheduled date on or after which debit entries are to be initiated to a Receiver’s account must send to the Receiver written notification of the new date on or after which entries are scheduled to be debited to the Receiver’s account. The Originator must send such notification to the Receiver at least seven calendar days before the first such entry is scheduled to be debited to the Receiver’s account. Variation in debiting dates due to Saturdays, Sundays, or holidays are not considered to be changes in the scheduled dates
Samples and templates
Your Authorization for ACH Debits and Credits
By agreeing to these Terms, you authorize [[Full Entity Legal Name]] (“[[Company]]”) to electronically debit and credit your designated deposit account at your designated depository financial institution (your “Bank Account”) via ACH and, if ever applicable, to correct erroneous debits and credits via ACH for [[CHOOSE AND USE ONLY ONE]]
a single (one-time) entry for [[date and amount]]
recurring entries (that recur at substantially regular intervals without my affirmative action to initiate future entries) [[interval and amount]]
subsequent entries (initiated under the terms of my standing authorization) that require my affirmative action to initiate those future entries
You also acknowledge that the amount and frequency of the foregoing debits and credits may vary and that you waive your right to receive prior notice of the amount and date of each debit and credit.
You acknowledge that the electronic authorization contained in this ACH Authorization represents your written authorization for ACH transactions as provided herein and will remain in full force and effect until you notify [[Company]] that you wish to revoke this authorization by emailing [[support email address]]. You must notify [[Company]] at least 14 Business Days before the scheduled debit date of any ACH transaction from your Bank Account in order to cancel this authorization. If we do not receive notice at least 14 Business Days before the scheduled debit date, we may attempt, in our sole discretion, to cancel the debit transaction. However, we assume no responsibility for our failure to do so.
If you withdraw your electronic authorization contained in this ACH Authorization, we will suspend or close your [[Company]] account, and you will no longer be able to use your [[Company]] account or the Services, except as otherwise expressly provided in our terms of service ([[link to terms of service]]). Please note that withdrawal of your electronic authorization contained in this ACH Authorization will not apply to transactions performed before the withdrawal of your authorization becomes effective.
In addition to any of your other representations and warranties in this ACH Authorization, you represent that: (a) your browser is equipped with at least 128-bit security encryption; (b) you are capable of printing, storing, or otherwise saving a copy of this electronic authorization for your records; and (c) the ACH transactions you hereby authorize comply with applicable law.
For purposes of these Terms, “Business Day” means Monday through Friday, excluding federal banking holidays.