-
The Automated Clearing House (ACH) Network is an electronic payments network used by individuals, businesses, financial institutions, and government organizations. The Network functions as an efficient, electronic alternative to paper checks. It allows funds to be electronically debited or credited to a checking account, savings account, financial institution general ledger account, or credited to a loan account.
The National Automated Clearing House Association (Nacha) was formed in 1974 to coordinate the ACH movement nationwide and establish uniform rules and standard formats. Through the joint efforts of Nacha and the Federal Reserve System, local ACHs were linked electronically on a nationwide basis in 1978. The main benefits associated with the use of the ACH Network are cost reduction and improved productivity over paper check transactions.
Does your business accept payments through its website? Do clients pay by check, card, or wire transfer? The ACH Network provides a secure and efficient way to accept and send payments within the United States and to other countries.
Nacha develops and administers the private sector Nacha Operating Rules for ACH payments, which define the roles and responsibilities of ACH Network participants.
This website is designed to help you and your business understand and comply with the requirements of the Nacha Operating Rules and Guidelines. We have prepared areas of this website to address specific requirements of the Rules. To help you navigate and find the answers to your questions about ACH origination, use the links below. This website should be considered a tool to be used in addition to your access to, and full understanding of, the Nacha Operating Rules and Guidelines that are published by Nacha annually. You can order a copy of the current version of the Nacha Operating Rules here.
-
Your company may have been originating ACH entries for many years or maybe you are just now considering ACH Origination. On this page, we will explain some of the basics of getting started with ACH Origination.
Relationship with an Originating Depository Financial Institution - ODFI
Not all financial institutions in the United States participate in the ACH Network. Many financial institutions participate as a Receiving Depository Financial Institution only. This means they receive both debit and credit ACH entries and post those entries to their customer/member accounts, process unpostable, unauthorized, and stop payment entries back to the ODFI, as well as initiate Notification of Change Entries to correct the banking information within the ACH entry.
The Nacha Operating Rules for ACH origination begin with a business that wants to use the ACH Network to initiate business-to-business (B2B) credit and debit entries (e.g., vendor payments, corporate cash concentration, invoice collection) and business-to-consumer (B2C) payments (e.g., payroll deposits, expense reimbursement, bill collections, tuition payments, utility payments). The business Originator must first ask its financial institution whether the institution offers ACH Origination services. If not, the business customer must search for a financial institution that operates as an ODFI and offers ACH Origination services. Each institution will have its own ACH Originator application, due diligence, and approval process. Most institutions will have a process in place to qualify business customers for ACH origination services.
Article Two of the Nacha Operating Rules requires an ODFI to perform the following before permitting a business customer to originate ACH entries:
Use a commercially reasonable method to verify the identity of the ACH Originator
Enter into an Origination Agreement with the ACH Originator that at a minimum includes the following:
The Originator must authorize the ODFI to originate entries on behalf of the Originator to Receivers’ accounts;
The Originator must agree to be bound by the Nacha Operating Rules;
The Originator must agree not to originate entries that violate the laws of the United States;
Define any restrictions on the types of entries that may be originated;
The right of the ODFI to terminate or suspend the ACH Originator Agreement for breach of the Rules in a manner that permits the ODFI to comply with the Nacha Operating Rules;
The right of the ODFI to audit the Originator’s compliance with the ACH Origination Agreement and the Nacha Operating Rules.
The ODFI must perform due diligence with respect to the ACH Originator sufficient to form a reasonable belief that the Originator has the capacity to perform its obligations in conformance with the Nacha Operating Rules. The ODFI must also:
Assess the ACH Originator’s intended ACH activity and the risk it presents;
Establish, implement, and periodically review an exposure limit (dollar amount allowed to be originated in a specific time period);
Establish and implement procedures to:
Monitor the Originator’s ACH origination and return activity over multiple settlement dates (typically 3 - 5 days for credit entries and 60 days for consumer debit entries);
Enforce the types of entries that may be originated (typically by SEC code, CCD, PPD, WEB, TEL, etc., and debit or credit or both);
Enforce the exposure limit.
In addition to the above minimum requirements, the ODFI will have additional requirements for business customers/members that apply for ACH Origination services.
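One way an origination system could enforce the entry-type restrictions and the exposure limit listed above before a file is released, as an added example (not code from Nacha or from any ODFI). The profile fields, the calendar-day window, the choice to count debits and credits together as exposure, and the sample entries are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

@dataclass(frozen=True)
class Entry:
    sec_code: str          # Standard Entry Class code, e.g. "PPD"
    is_debit: bool
    amount: Decimal
    settlement_date: date

@dataclass(frozen=True)
class OriginatorProfile:   # hypothetical settings fixed at onboarding
    allowed: frozenset     # permitted (sec_code, is_debit) pairs
    exposure_limit: Decimal
    window_days: int       # assumption: limit spans this many calendar days

def check_file(profile, history, new_entries):
    """Return violations for a submitted file; an empty list means release."""
    violations = []
    for n, e in enumerate(new_entries, 1):
        if (e.sec_code, e.is_debit) not in profile.allowed:
            kind = "debit" if e.is_debit else "credit"
            violations.append(f"entry {n}: {e.sec_code} {kind} not permitted")
    if new_entries:
        # Exposure counts prior and new entries settling inside the window
        # that ends on the latest settlement date in this file.
        end = max(e.settlement_date for e in new_entries)
        start = end - timedelta(days=profile.window_days - 1)
        exposure = sum((e.amount for e in [*history, *new_entries]
                        if start <= e.settlement_date <= end), Decimal("0"))
        if exposure > profile.exposure_limit:
            violations.append(
                f"exposure {exposure} exceeds limit {profile.exposure_limit}")
    return violations

# Constructed sample: payroll-only Originator with a $50,000 five-day limit.
PROFILE = OriginatorProfile(frozenset({("PPD", False)}), Decimal("50000"), 5)
HISTORY = [Entry("PPD", False, Decimal("30000.00"), date(2024, 3, 4))]
OK_FILE = [Entry("PPD", False, Decimal("15000.00"), date(2024, 3, 6))]
BAD_FILE = [Entry("PPD", False, Decimal("25000.00"), date(2024, 3, 6)),
            Entry("WEB", True, Decimal("100.00"), date(2024, 3, 6))]

if __name__ == "__main__":
    print(check_file(PROFILE, HISTORY, OK_FILE))
    print(check_file(PROFILE, HISTORY, BAD_FILE))
```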
-
A three-character code within an ACH Company / Batch Header Record that identifies the payment types contained within an ACH batch. Examples include PPD, CCD, CTX, TEL, WEB, RCK, ARC, and POP.
-
A non-dollar entry sent through the ACH Network by an Originator to an RDFI to verify the accuracy of the account information. Prenotifications are optional. If an Originator chooses to send a prenotification, the RDFI must verify the account information. An Originator initiating a prenotification may initiate subsequent Entries to the Receiver’s account as soon as the third banking day following the Settlement Date of the prenotification entry. Originators receiving Notifications of Change should be aware that requested changes should be made prior to the initiation of the next entry or within six banking days, whichever is later.
-
An item/entry that cannot be processed and is being returned by the RDFI to the ODFI.
-
After an item is Returned, an Entry initiated to the same Receiver's account in the same amount in payment or fulfillment of the same underlying obligation.
-
A single entry initiated by an Originator to the account of a Receiver to collect a return fee.
-
A non-monetary entry transmitted by an RDFI for the purpose of identifying incorrect information contained within an entry and providing correct data to be used in future entries. A NOC is also known by the SEC Code COR. The SEC Code COR is also used by the ODFI to create a refused Notification of Change to refuse an NOC entry containing incorrect or incomplete information.
-
An ACH entry or file sent to correct or reverse previously originated duplicate or erroneous files or entries. Reversals must be sent within five banking days of the settlement date of the original entry/file.
-
Waiting Period Following Prenotification Entries - Nacha Operating Rules Subsection 2.6.2
An Originator that has originated a prenotification entry to a Receiver’s account may initiate entries to the Receiver’s account as soon as the third banking day following the settlement date of the prenotification entry, provided the Originator has not received a return or notification of change to the prenotification entry. If a return or notification of change is received in response to a prenotification entry by the opening of business on the second banking day following the settlement date of the prenotification, the Originator must not transmit subsequent entries to the Receiver’s account until it has remedied the reason for the return entry or made the correction requested by the notification of change.
General Rules for Micro-Entries - Nacha Operating Rules Subsection 2.7.1
An Originator may originate one or more micro-entries to a Receiver’s account prior to initiating future credit or debit entries to a Receiver’s account. A credit micro-entry must be in the amount of less than $1.00. One or more debit micro-entries must not exceed, in total, the amount of the corresponding credit micro-entry.
Micro-entry formatting requirements are addressed in the Nacha Operating Rules Subsection 2.7.2; it states that micro-entries must be submitted as a separate batch of entries and contain “ACCTVERIFY” in the Company Entry Description Field of the Company Batch Header Record. The name of the Originator identified in the Company Name Field must reflect the same Originator that will be identified in future entries to the Receiver’s account. Minor variations to the Originator’s name, for accounting or tracking purposes, are acceptable as long as the name of the Originator remains readily recognizable to the Receiver.
The Nacha Operating Rules Subsections 2.7.3 and 2.7.4 address restrictions on transmission of debit micro-entries and waiting period following the origination of micro-entries.
Subsection 2.7.3 states that an Originator that transmits one or more debit micro-entries to a Receiver’s account must simultaneously transmit, for settlement at the same time, one or more credit micro-entries that, in aggregate value, are equal to or greater than the amount of the debit micro-entry(ies).
Subsection 2.7.4 states that an Originator that originated one or more micro-entries to a Receiver’s account may initiate future entries to the Receiver’s account as soon as the Originator’s process for verifying the amounts of the micro-entries has been completed.
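The micro-entry rules from Subsections 2.7.1 through 2.7.3 above, expressed as a pre-transmission check on one batch; this is an added example, not code from Nacha or from the original page. The dictionary layout, the treatment of "same time" as "same batch", and the sample data are assumptions, and the Company Name comparison is left to human review because "readily recognizable" is a judgment call.

```python
from collections import defaultdict
from decimal import Decimal

MICRO_DESCRIPTION = "ACCTVERIFY"    # required Company Entry Description
CREDIT_CEILING = Decimal("1.00")    # a credit micro-entry must be below this

def validate_micro_batch(batch):
    """Check one batch (hypothetical dict layout) against the micro-entry rules.

    Problems cite entry positions, not account numbers, so the output can be
    logged without exposing Receiver account data.
    """
    problems = []
    if batch["company_entry_description"].strip() != MICRO_DESCRIPTION:
        problems.append("Company Entry Description is not ACCTVERIFY")
    credits, debits = defaultdict(Decimal), defaultdict(Decimal)
    first_seen = {}
    for n, e in enumerate(batch["entries"], 1):
        key = (e["routing"], e["account"])
        first_seen.setdefault(key, n)
        if e["is_debit"]:
            debits[key] += e["amount"]
        else:
            credits[key] += e["amount"]
            if e["amount"] >= CREDIT_CEILING:
                problems.append(f"entry {n}: credit is not less than $1.00")
    # Debits to an account must be covered by credits sent in the same batch.
    for key, total in debits.items():
        if total > credits[key]:
            problems.append(f"receiver at entry {first_seen[key]}: "
                            f"debits {total} exceed credits {credits[key]}")
    return problems

# Constructed sample batches; routing and account numbers are placeholders.
A, B = ("000000001", "ACCT-A"), ("000000002", "ACCT-B")

def _e(rcv, is_debit, amt):
    return {"routing": rcv[0], "account": rcv[1],
            "is_debit": is_debit, "amount": Decimal(amt)}

GOOD = {"company_entry_description": "ACCTVERIFY", "entries": [
    _e(A, False, "0.12"), _e(A, False, "0.07"), _e(A, True, "0.19")]}
BAD = {"company_entry_description": "PAYROLL", "entries": [
    _e(A, False, "0.05"), _e(A, True, "0.09"), _e(B, False, "1.00")]}

if __name__ == "__main__":
    print(validate_micro_batch(GOOD))
    print(validate_micro_batch(BAD))
```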
Electronic Signatures - Nacha Operating Rules Subsection 2.3.2.3
The writing and signature requirements of WSUDs, Stop Payment forms, debit authorizations, and ODFI/Originator Agreements may be satisfied by compliance with the Electronic Signatures in Global and National Commerce Act. An electronic authorization must be visually displayed in a manner that enables the consumer to read the communication and obtained in a manner that evidences the identity of the person who signed the document.
Restrictions on Data Passing - Nacha Operating Rules Subsection 2.3.4
An Originator must not disclose and must ensure that an Originator and any Third-Party Service Provider acting on behalf of the Originator do not disclose the Receiver’s account number or routing number to any third party, directly or indirectly, in initiating a separate debit entry. The Receiver’s account and routing number information should be used only for the intended purpose as described in the debit authorization.
Security Requirements - Nacha Operating Rules Section 1.6
Each non-consumer Originator, Third-Party Service Provider, and Third-Party Sender whose ACH origination or transmission volume exceeds two million entries annually must, by June 30th of the following year, protect account numbers used in the initiation of ACH entries by rendering them unreadable when stored electronically. The rule applies only to account numbers collected for or used in ACH entries and does not apply to the storage of paper authorizations.
Notices to Variable Recurring Debit Entries to Consumer Accounts - Nacha Operating Rules Subsection 2.3.2.8
If the amount of a recurring debit entry to be initiated to a consumer account differs from the amount authorized, the Originator must send the Receiver written notification of the amount of the entry and the date on or after which the entry will be debited at least 10 calendar days prior to the date on which the entry is scheduled to be initiated.
If the date of a recurring debit entry to be initiated to a consumer account differs from the date authorized, the Originator must send the Receiver written notification of the new date on or after which the entry is scheduled to be debited at least 7 calendar days before the first such entry is scheduled to be initiated. Saturdays, Sundays, and holidays are not considered to be changes in the scheduled date.
-
In 2021, the Federal Financial Institutions Examination Council (FFIEC) issued an update to its 2005 and 2011 guidance on Internet Banking Security and Authentication and Access to Financial Institution Services and Systems. The Guidance replaces the FFIEC-issued Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011), which provided risk management practices for financial institutions offering Internet‐based products and services. This Guidance acknowledges significant risks associated with the cybersecurity threat landscape that reinforce the need for financial institutions to effectively authenticate users and customers to protect information systems, accounts, and data. The Guidance also recognizes that authentication considerations have extended beyond customers and include employees, third parties, and system-to-system communications. This Guidance highlights risk management practices that support oversight of identification, authentication, and access solutions as part of an institution’s information security program. Periodic risk assessments inform financial institution management’s decisions about authentication solutions and other controls that are deployed to mitigate identified risks. When a risk assessment indicates that single-factor authentication with layered security is inadequate, multi-factor authentication (MFA) or controls of equivalent strength, combined with other layered security controls, can more effectively mitigate risks associated with authentication.
Types of Risk:
Strategic Risk – The risk of loss to earnings and capital for improperly aligning the organization’s goals with its capabilities and management expertise.
Reputation Risk – The risk of loss to earnings and capital when the organization’s public image is negatively impacted by damaged customer relationships. This could result in loss of public confidence and trust and increase the risk for expensive lawsuits.
Fraud Risk – The risk that a payment transaction will be initiated or altered to misdirect or misappropriate funds.
Credit Risk or Exposure Risk – The risk that a party to a transaction cannot provide the necessary funds, as contracted, for settlement to take place.
Operational Risk – The risk that a transaction will be altered or delayed due to an unintentional error, either mechanical or human.
Compliance Risk – The risk of loss to earnings and capital when the organization fails to be in compliance with the ACH Rules, federal and state laws, and regulations.
Liquidity Risk – The risk of loss when one, or both, of the organizations involved in a transaction do not have sufficient liquid assets to settle funds.
Fraud Prevention Practices:
Appropriate steps should be taken within your organization to ensure that all User IDs, Passwords, Authentication Methods, and any other applicable security procedures issued to your employees are protected and kept confidential. All staff should be aware of the need for proper user security, password controls, and separation of duties.
The organization should consider having one computer in the office which is not used to browse the internet. Limiting internet access to the computer which is used to house and transmit ACH data will help avoid the accidental downloading of harmful programs or viruses that could potentially compromise the organization’s computer system.
Dual control, in which one employee generates the ACH file and the system requires a second employee to log in and approve it, is strongly encouraged to ensure adequate separation of duties and to help prevent ACH origination fraud. Organizations should utilize dual control to submit ACH files for processing.
ACH Origination systems should utilize multi-factor authentication by way of a secure User ID, Password, picture, and access token code, and by presenting the user with challenge questions when the transaction appears to be outside the normal range for the organization.
The organization should have solid policies and procedures in place to avoid becoming another fraud victim. The sooner ACH fraud can be detected, the more successful the organization will be in recovering potentially lost funds.
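The dual-control practice described above, sketched as an added example (not code from the original page or from any origination product). Binding the approval to a SHA-256 digest of the file is an assumption added here so that a file altered after creation or after approval is refused; user names are assumed to come from authenticated logins, and the sample bytes are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

class DualControlError(Exception):
    """Raised when a step would bypass separation of duties."""

@dataclass
class PendingFile:
    created_by: str
    digest: str                        # SHA-256 of the file as created
    approved_by: Optional[str] = None

def _digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def submit(user: str, content: bytes) -> PendingFile:
    """First employee generates the file; nothing is transmitted yet."""
    return PendingFile(created_by=user, digest=_digest(content))

def approve(pending: PendingFile, user: str, content: bytes) -> None:
    """Second employee approves exactly the bytes that were created."""
    if user == pending.created_by:
        raise DualControlError("creator cannot approve their own file")
    if _digest(content) != pending.digest:
        raise DualControlError("file changed after it was created")
    pending.approved_by = user

def release(pending: PendingFile, content: bytes) -> None:
    """Transmit only an approved file whose bytes still match the approval."""
    if pending.approved_by is None:
        raise DualControlError("file has not been approved")
    if _digest(content) != pending.digest:
        raise DualControlError("file changed after approval")

def outcome(step, *args) -> str:
    """Run a step and report 'ok' or the reason it was refused."""
    try:
        step(*args)
        return "ok"
    except DualControlError as err:
        return str(err)

FILE = b"constructed ACH file bytes"   # constructed sample content

if __name__ == "__main__":
    p = submit("alice", FILE)
    print(outcome(approve, p, "alice", FILE))   # refused: same person
    print(outcome(approve, p, "bob", FILE))     # ok
    print(outcome(release, p, FILE))            # ok
```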