What is NACHA? US ACH Network Rules Body Explained

NACHA, formerly the National Automated Clearing House Association, is the non-profit body that governs the ACH network in the US. It writes and enforces the NACHA Operating Rules, which set the standards every financial institution and originator must follow when sending ACH credits and debits. NACHA defines authorization requirements, return codes, settlement windows, and risk-management rules that affect billions of ACH transactions every year.

What NACHA Does

NACHA is the rule-making body for the Automated Clearing House (ACH) network, the US system that moves money between bank accounts in batch via the Federal Reserve and the Electronic Payments Network. Two operators (the Fed and EPN) actually move the files. NACHA writes the rules everyone has to follow.

The NACHA Operating Rules cover everything from how a transaction has to be authorized to how returns work, what risk thresholds originators have to maintain, and what fees apply when rules are broken. Every depository financial institution that sends or receives ACH entries agrees to be bound by the rules. Originating businesses sign up through their banks.

SEC Codes (Standard Entry Class)

Every ACH entry carries a three-letter Standard Entry Class (SEC) code that tells the receiving bank what kind of transaction it is and what authorization rules apply. The most common codes for consumer-facing payments:

  • WEB: A debit authorized via the internet or wireless network. Used for online ACH payments.
  • TEL: A debit authorized over the telephone, either voice or DTMF, where there's an existing relationship between consumer and originator (or the consumer initiates the call).
  • PPD: Prearranged Payment and Deposit. The original consumer ACH code, used for direct deposits of payroll and recurring debits authorized in writing.
  • CCD: Cash Concentration or Disbursement. Business-to-business transactions.
  • CTX: Corporate Trade Exchange. B2B with structured remittance information.
  • RCK: Re-presented Check. A bounced paper check converted to ACH for re-presentment.
  • POP: Point of Purchase. A check converted to ACH at the point of sale.
  • BOC: Back Office Conversion. A check accepted at point of sale and converted to ACH later.

Each code has its own authorization, disclosure, and notification rules. Sending a transaction with the wrong SEC code is a violation that can lead to returns, fines, and termination from the network.

WEB Debit Account Validation Rule

One of the most important recent NACHA changes took effect in March 2021: originators of WEB debit entries must use "a commercially reasonable fraudulent transaction detection system" that validates the receiver's bank account is open and able to receive the debit before initiating the first WEB debit on that account.

In practice, this means originators have to either:

  • Use an account validation service (most common: micro-deposits, bank-API account verification, or a third-party validation network)
  • Use a verified payment method (like a token from a previous successful transaction)
  • Use a real-time account validation service approved by NACHA

The rule was driven by surging unauthorized return rates on WEB debits, often from account-takeover fraud where bad actors set up debits against accounts they didn't own.

Same-Day ACH

Traditional ACH settles next-day or two days out. Same-Day ACH (SDA) launched in 2016 and has expanded several times. There are now three same-day processing windows:

  • Window 1: Files submitted by 10:30 AM ET, settle at 1:00 PM ET
  • Window 2: Files submitted by 2:45 PM ET, settle at 5:00 PM ET
  • Window 3: Files submitted by 4:45 PM ET, settle at 6:00 PM ET

The per-transaction limit for Same-Day ACH is $1 million as of 2022. Originators pay a fee per same-day entry that gets passed through to the receiving bank.

Return Codes

NACHA defines a long list of return codes (the R-codes) that receiving banks use to reject ACH entries. The ones merchants encounter most often:

  • R01: Insufficient funds
  • R02: Account closed
  • R03: No account or unable to locate account
  • R04: Invalid account number structure
  • R07: Authorization revoked by customer
  • R08: Payment stopped
  • R10: Customer advises unauthorized
  • R29: Corporate customer advises not authorized

Originators have to monitor return rates. NACHA's risk thresholds limit unauthorized returns (R05, R07, R10, R11, R29, R51) to 0.5% of total ACH debits, and overall return rate to 15%, with administrative returns (R02, R03, R04) capped separately at 3%. Exceeding thresholds triggers NACHA review and potential fines.
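The threshold monitoring described above can be sketched as follows. This is an added example, not Paytia's or NACHA's code; it assumes all three rates use total ACH debits in the reporting period as the denominator, and the `warn_ratio` early-alert margin and the sample counts are constructed for illustration.

```python
from collections import Counter

# Code groups and limits exactly as stated in the text above.
UNAUTHORIZED = {"R05", "R07", "R10", "R11", "R29", "R51"}
ADMINISTRATIVE = {"R02", "R03", "R04"}
THRESHOLDS = {"unauthorized": 0.005, "administrative": 0.03, "overall": 0.15}


def return_rates(total_debits, return_codes):
    """Rates per category as a fraction of total ACH debits (assumed denominator)."""
    if total_debits <= 0:
        raise ValueError("total_debits must be positive")
    counts = Counter()
    for code in return_codes:
        code = code.strip().upper()
        counts["overall"] += 1  # every return counts toward the overall rate
        if code in UNAUTHORIZED:
            counts["unauthorized"] += 1
        elif code in ADMINISTRATIVE:
            counts["administrative"] += 1
    return {name: counts[name] / total_debits for name in THRESHOLDS}


def breaches(rates, warn_ratio=0.8):
    """Map category -> 'breach' or 'warning'; warn_ratio is a hypothetical margin."""
    status = {}
    for name, limit in THRESHOLDS.items():
        if rates[name] > limit:
            status[name] = "breach"
        elif rates[name] >= warn_ratio * limit:
            status[name] = "warning"  # close to the limit, act before it is exceeded
    return status


# Constructed sample: returns received against 10,000 debits in one period.
SAMPLE_RETURNS = (["R01"] * 300 + ["R02"] * 150 + ["R03"] * 100
                  + ["R10"] * 40 + ["R07"] * 15 + ["R29"] * 5)

if __name__ == "__main__":
    rates = return_rates(10_000, SAMPLE_RETURNS)
    for name, rate in rates.items():
        print(f"{name:15s} {rate:.2%} (limit {THRESHOLDS[name]:.2%})")
    print(breaches(rates))
```

In the constructed sample the overall rate is comfortable, yet 60 unauthorized returns out of 10,000 debits already exceed the 0.5% limit, which is why the categories are tracked separately.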

Authorization Requirements

For consumer debits (WEB, TEL, PPD), the originator must obtain authorization that's clear and readily identifiable. WEB requires written authorization that may be electronic. TEL requires either an audio recording of the authorization or written notice sent to the consumer before the debit. PPD requires written authorization signed or similarly authenticated by the consumer.

Originators must retain the authorization for two years after termination or revocation and provide a copy to the receiving bank on request.

Fines and Enforcement

NACHA enforces the rules through a National System of Fines. Violations can carry fines from $1,000 to $500,000 per occurrence depending on severity, with rule violation classes including authorization issues, formatting errors, return rate excesses, and notification failures. Persistent violators can be suspended from originating ACH transactions.

How Paytia Uses This

NACHA's rules touch every ACH transaction Paytia processes for US clients. Our bank payments solution handles the SEC code selection (WEB or TEL depending on the channel), captures and stores the authorization required by the rule, and applies account validation for new WEB debits to comply with the 2021 rule.

For phone-based payments, the TEL authorization route works well: the customer authorizes the debit during the call, and the recording (or a written notice sent before the debit) satisfies NACHA's authorization requirement. Card data and bank account data are captured separately via DTMF, with the agent never hearing the digits.

If you're running recurring ACH debits through Paytia, the platform tracks the authorization, applies the right SEC code, and monitors return rates so you stay under NACHA's risk thresholds.

Frequently Asked Questions

Does NACHA actually move money?

No. NACHA writes the rules. The two ACH operators (the Federal Reserve and the Electronic Payments Network) handle the actual file processing and settlement. Originating banks send files, receiving banks credit or debit accounts, and NACHA's rules govern the whole flow.

What happens if I exceed NACHA's return-rate thresholds?

NACHA notifies your bank, which puts you on a remediation plan. Continued excess can lead to fines and ultimately termination from the ACH network. The unauthorized return rate threshold is 0.5%, the overall return rate is 15%, and administrative returns are capped at 3%.

Do I need to do account validation for every ACH debit?

Only for the first WEB debit against a new account. Once you've successfully debited an account, subsequent debits don't require revalidation under the rule. TEL, PPD, and other SEC codes don't require account validation under the 2021 rule.

What's the cap on Same-Day ACH?

$1 million per transaction as of 2022. Earlier limits were $25,000 then $100,000. Same-Day ACH is now used for payroll, business-to-business payments, and some consumer transfers where speed matters.
