ACH Risk: How to assess ACH payment risk and reduce returns

Learn about how combatting ACH risk can save your company money, fight fraud, and create a better customer experience.

July 27, 2023

Sarah Cantu Headshot
Sarah Cantu

Sarah is a writer and editor who creates white papers, customer stories, and educational pieces for Plaid. Her favorite thing about fintech is that it makes financial awareness more accessible.

Automated Clearing House (ACH) payments are popular because they’re low-cost and accessible. But they come with risks, especially for returns. Often the result of fraud or insufficient funds, an ACH return is a rejected or incomplete payment. At scale, returns can eat into profits, counteracting ACH’s low cost. 

In addition, companies often implement ACH holds lasting several days to prevent returns. But this approach limits a customer’s ability to get the most out of a service or move their money, hurting their ACH experience. 

With the ACH network processing 7.7 billion payments in the first quarter of 2023, preventing returns can have a major impact on businesses. Understanding and assessing ACH risk can give your business the benefits of ACH while curbing its downsides. 

Why use ACH?

ACH is a bank-linked payment method, meaning it moves money from one bank account to another. It’s run by the National Automated Clearinghouse Association (Nacha) and is often described as the digitization of checks. 

Compared to its physical predecessors, like cash and checks, ACH is convenient and remote-friendly. Plus, it’s incredibly common, with Nacha having processed 30 billion payments in 2022 totaling $72.62 trillion. It’s also very low cost, with the median falling between $0.26 and $0.50 for businesses in 2022. In some cases, fees can be set lower for high volumes, or even set to a flat rate.

ACH is ideal for recurring payments like autopay, which helps people make payments on time. Other common use cases include some peer-to-peer (P2P) payments and direct deposit. Because many people prefer ACH, offering ACH can also help businesses meet customer preferences.

ACH risks: lost funds and fraud 


The biggest issue companies have with ACH is returns. If a company has already released funds to a customer and is hit with a return, they have to eat the cost unless they’re able to collect it from the user. Returns are common with ACH because there is no real-time verification of transaction information, and typical payments take 1-3 days to process unless payers are using same-day ACH. 

This settlement window creates the possibility for people to use money from their account before the payment settles. This can increase the likelihood of an insufficient funds return (code R01), for which the merchant will incur a fee. On the consumer side, it increases the risk of over-drafting an account, too. This is one of the most common ACH return scenarios and can really hurt the customer experience. 

Returns can happen at the bank or customer level. Bank initiated-returns may be the result of things like insufficient funds, closed accounts, or invalid account numbers, and these returns are typically submitted within two business days. Some customer-initiated returns are due to the customer revoking authorization, claiming the payment was never authorized, or that it did not follow agreed-upon terms. Customers have up to 60 calendar days to inform their bank that the payment should be returned for these reasons.

Nacha maintains return rate thresholds that companies must meet. Too many returns can lead to fines or jeopardize a company’s ability to remain in the network and process ACH payments in the future. These thresholds have shifted over time, so it can also be challenging for companies to keep up with Nacha’s changing regulations. 


Another major risk for ACH is fraud, with ACH debits being the second most popular payment method targeted for fraud in 2021. In addition to non-fraud returns, the lack of real-time verification for ACH transactions also contributes to fraud challenges. 

For example, in ghost funding, fraudsters fund online accounts using ACH, knowing they do not have sufficient funds. If the product or service does not prevent the user from actioning on the funds until they settle, the fraudster can make purchases using the account’s “ghost” funds.

Fraudsters can use stolen account information to transfer money to accounts they control or pay for goods via ACH. Some examples include: 

  • Account takeover (ATO) attacks involve criminals gaining control of accounts using stolen credentials. 

  • Phishing attacks–where malicious emails or websites are designed to steal credentials–are another common cause. 

  • First-party fraud involves using your own personal information to commit fraud. With ACH, this could look like a fraudster controlling two accounts and debiting money from one account to the other using a fintech service. Then, reporting that they did not authorize the debit. If the fintech service refunds the money, the fraudster has now profited off of the transaction. 

  • Social engineering attacks can take a variety of forms, but they all involve tricking people into sharing sensitive information, like account details or login credentials. 

→ Need to reduce the risk of ACH fraud and returns? Plaid Signal provides an instant risk assessment and enables you to customize payment flows based on the likelihood of an ACH return.

Plaid's 2023 Fintech Effect Survey

Navigate the latest consumer trends, create lifetime customers, and grow your business

How to assess ACH risk and reduce returns 

There are a number of tactics companies can use to assess ACH risk and prevent returns:

Timing holds correctly 

Getting hold timing right is key to reducing returns. An ACH hold happens when a transaction is pending, but funds are not yet available to use because the transaction hasn’t been fully cleared yet. 

If a company or partner bank times holds correctly, they won’t have to pay any insufficient funds (NSF) returns out of pocket. This is because the funds stay in the company or partner bank’s control while the payment is settling and can be used to cover the return. Note that this method prevents losses but does not prevent NSF returns from happening, which means that the organization could still exceed Nacha return rate thresholds and receive fees for the returns. 

Holistic risk assessment 

ACH is just one part of the risk to your company, so working with other departments can help mitigate risk across the organization. While every payment method’s risk considerations are unique, other teams’ learnings can often be applied to ACH. 

As Shahar Ronen, anti-fraud expert and Product Manager at Plaid, explains, “ACH risk needs to be a part of your existing overall risk strategy. Enlist other teams, like onboarding or card risk, to see what patterns they’ve found. That will give you a good baseline for how users are supposed to behave and what a risky user is like to begin with.” 

Part of this is holistically understanding transaction risk, from return patterns to device signal analysis. Plaid Signal uses machine learning to assess over 1,000 unique risk factors and deliver customer-initiated and bank-initiated return risk scores. 

With this information, you can add dynamic protection measures to defend your business. For instance, you can release funds immediately for low-risk transactions, but institute identity verification or account balance checks for higher-risk ones. This way, you’re neither adding unnecessary roadblocks for safe transactions nor leaving the gate wide open for risky ones. 

Gradual rollout 

If your organization is new to ACH, consider a partial rollout instead of making it available to all customers on day one. This will help limit the amount of returns you get upfront. As Ronen puts it, “It’s not uncommon for companies to see high losses at the beginning of an ACH program while they figure things out. Having some limited data, like a gradual rollout, will help you contain these losses.”  

For example, you may consider only offering ACH payments for transactions below a certain amount. Or you may only offer it to customers who are part of a loyalty program. This way, only a small portion of your customer base has access to the payment method, and you can identify and work out issues with a smaller group, rather than risk losing more money with your entire customer base.  

Try dynamic payment rail routing

Payment rails are the infrastructure behind money movement and every payment type has its own rail with benefits and downsides. Many companies already employ a multi-rail strategy, meaning they accept payments using multiple methods, which can help satisfy customer preferences. Dynamic payment routing goes one step further by helping companies optimize the payment flow to mitigate risk, save on fees, increase completion rates, and more. 

Routing payments dynamically means using data about the transaction to determine the best payment rail. For example, if a customer does not have sufficient balance in their bank account, a card can be used as a fallback, preventing an insufficient funds return. 

That said, companies should bear in mind that the user’s overall trustworthiness, and not just their trust in a specific payment method, should be taken into account. As Ronen puts it, “You can charge a card to avoid an ACH return but get hit with a chargeback because the user is a fraudster. Make sure that if you don’t feel good about one payment source, you feel good about the other.” 

As more payment rails emerge, dynamic payment routing will likely become more commonplace.

Mitigate risk and prevent ACH returns 

ACH offers customers low fees and convenience, but fighting returns is critical to the success of an ACH program. Strategies like assessing risk holistically, using data to identify risk, and dynamic rail routing, can help mitigate ACH risk. Signal analyzes thousands of risk factors to help you avoid ACH returns. 

Learn more about how Signal can help you reap the benefits of ACH while protecting your bottom line. 

Find out how Plaid can help your business grow

By submitting this form, I confirm that I have read and understood Plaid’s Privacy Statement.

This form goes to our sales team. If you have questions about connecting your financial accounts to a Plaid-powered app, visit our consumer help center for more information.