Over $93 trillion in ACH payments passed through the Automated Clearing House (ACH) network in 2025. ACH transactions, which include direct deposits, bill payments, peer-to-peer transfers, and more, require ACH participants to comply with a detailed set of rules and standards enforced by an organization called Nacha.
This article will provide a detailed look at what Nacha is, its rules for ACH transactions, and how businesses can best comply with them.
Key Takeaways:
Nacha governs the ACH network by creating rules, enforcing compliance, and promoting secure electronic payments.
All ACH participants, including Originators, ODFIs, RDFIs, and Third-Party Senders, must follow Nacha rules and maintain proper authorization records.
ACH transactions use standardized codes (such as WEB, TEL, PPD, CCD) and require account validation to prevent fraud.
Account verification methods include microdeposits, manual checks, prenotes, database verification, and instant account verification.
Glossary
ODFI (Originating Depository Financial Institution): Bank or credit union that receives ACH payment instructions from an Originator and forwards them into the network
RDFI (Receiving Depository Financial Institution): Bank that receives ACH entries and posts them to the Receiver’s account, or returns the entries
Originator: Company (or in limited cases, an individual) that initiates an ACH debit or credit with proper authorization
Receiver: Individual or entity whose bank account is debited or credited via an authorized ACH transaction
Third-party sender: An intermediary that transmits ACH entries on behalf of Originators, not the Originator itself
WEB debit: SEC code for ACH debits authorized online or via wireless network; account validation is required on first use
TEL: SEC code for ACH debits authorized by phone; is limited to single-entry or recurring with an existing relationship.
PPD: SEC code for consumer ACH credits/debits authorized in writing, covering standard direct deposit and recurring bill pay.
CCD: SEC code for business-to-business ACH transactions, including payroll and vendor payments.
Micro-entries/Microdeposits: One or more small payments (often a credit with a code, or a credit with a balancing debit) sent to a bank account for account validation. The user confirms the code or amounts. Fraud detection and volume monitoring are required.
Account validation: Account is verified as open and belonging to the intended Receiver; is required for WEB debit entries.
What does Nacha mean?
Nacha was originally NACHA, an acronym for the National Automated Clearing House Association. Though the acronym is no longer officially used, it reflects the organization’s origins and its role in the ACH ecosystem.
An independent organization since 1985, Nacha is a nonprofit consortium responsible for:
Setting operating rules and guidance for member banks and ACH network participants
Enforcing those rules for more than 10,000 banks and participants
Driving development and adoption of the ACH system
Acting as a trade organization through education, advocacy, and industry collaboration
Beyond rulemaking and enforcement, Nacha also provides:
Compliance resources: Operating Rules and Guidelines, audit guidance, risk management materials, and rule interpretations
Educational programs: Training, webinars, conferences, and accreditation programs such as Accredited ACH Professional (AAP) and Accredited Payments Risk Professional (APRP)
Advocacy and industry development: Collaboration with regulators and policymakers, working groups, and initiatives to advance ACH security, standards, and innovation
What’s the difference between Nacha and ACH?
The ACH network is the U.S. interbank system for electronic funds transfers. It is operated by two national ACH operators:
The Clearing House (TCH), which runs the Electronic Payments Network (EPN)
FedACH, which is part of the Federal Reserve system
Nacha is the governing body that oversees the ACH network. It sets the rules, ensures compliance, and promotes education and innovation across the ecosystem.
In short:
Nacha creates and enforces the rules
The Clearing House and FedACH operate the network according to those rules
Who do Nacha rules apply to?
Nacha rules apply to every party that participates in ACH transactions, including the businesses that initiate payments, the financial institutions that process them, and any intermediaries in between.
Two examples of how businesses participate in ACH include:
1. A subscription merchant, such as a SaaS company or streaming service, uses ACH debits (typically WEB or PPD entries) to pull recurring payments directly from customer bank accounts.
Nacha requires written authorization for the payments, account validation on first use of any account number (for WEB), and advance notice to customers when variable amounts change. Return rate monitoring is important. Unauthorized return rates must stay below 0.5% of total ACH debits originated.
2. A loan servicer uses ACH debits to collect monthly payments from borrowers and may issue ACH credits to disburse loan funds or refunds. Debit entries are typically WEB (requiring account validation on first use) or TEL (requiring verification of the routing number), and they require an authorization specifying payment amounts and timing.
Loan servicers must also closely monitor return rates, as elevated rates can signal disputes or fraud and trigger scrutiny from their ODFI.
Note: These are just two examples; Nacha rules apply to a wide range of businesses participating in ACH transactions.
What parties are involved, and what are their main Nacha requirements?
Every ACH transaction passes through a chain of parties, from the business or individual initiating the payment to the financial institution receiving it. Each of these parties is subject to its own set of Nacha compliance requirements. Some of the key requirements are outlined below.
1. Originator
The Originator is the business or individual who initiates an ACH transaction after obtaining authorization from the Receiver.
Originators are required to:
Obtain written or electronic authorization from the Receiver before initiating any ACH debit
Implement account validation for WEB debits on the first use of an account number or when the account number changes, required as part of a 'commercially reasonable fraudulent transaction detection system' (WEB Account Validation, eff. March 19, 2021)
Retain authorization records for a minimum of two years after the termination or revocation of the authorization
Establish and implement risk-based processes and procedures that are reasonably intended to identify entries suspected of being unauthorized or authorized under false pretenses, per Nacha’s Fraud Monitoring Rule
Render stored deposit account information unreadable if the Originator processes 2 million or more ACH transactions annually (Data Security Rule, Phase 2, eff. June 30, 2022)
2. ODFI
The ODFI is the bank or credit union that enters into an agreement with an Originator, accepts ACH transaction instructions, and forwards entries to the ACH network.
ODFIs are required to:
Conduct due diligence on Originators and Third-Party Senders before entering into ACH origination agreements
Warrant that each ACH entry transmitted has been authorized by the Receiver in accordance with the Nacha Operating Rules
Register all Third-Party Sender customers with Nacha's Third-Party Sender Registry, including TPS name, location, routing number, and Company IDs.
Monitor Originator and TPS return rates and take corrective action when thresholds are breached
Establish and implement risk-based processes and procedures reasonably intended to identify entries suspected of being unauthorized or authorized under False Pretenses (including the option to consider fraud monitoring steps taken by other originating participants when designing the ODFI's own procedures), per Nacha's Fraud Monitoring Rule
Review these risk-based processes and procedures at least annually and make appropriate updates
Provide proof of authorization to RDFIs within 10 banking days of request, or agree to accept the return of the entry
3. RDFI
The RDFI is the financial institution that receives ACH entries from the ACH network and posts them to (or returns them from) the Receiver's account.
RDFIs are required to:
Receive and post ACH entries in accordance with Nacha rules and applicable law (including Regulation E for consumer accounts)
Return unauthorized entries using the correct return reason code within applicable return timeframes
Make funds available for ACH credits by the timeframes set out in the Nacha rules
Establish and implement risk-based processes and procedures reasonably intended to identify incoming ACH credit entries suspected of being unauthorized or authorized under False Pretenses, per Nacha's Fraud Monitoring Rule
Complete an annual ACH Rules compliance audit covering all areas of the Nacha Operating Rules applicable to the RDFI's operations
4. Third-party sender
A Third-Party Sender (TPS) is an intermediary that transmits ACH entries into the ACH network on behalf of Originators, without itself being the Originator.
Third-Party Senders are required to:
Enter into written agreements with both their ODFI and their Originator customers that address ACH compliance obligations
Conduct a formal risk assessment of ACH operations and document it
Disclose all nested TPS relationships to their ODFI (cases where the TPS is itself transmitting on behalf of another TPS)
Establish and implement risk-based processes and procedures reasonably intended to identify entries suspected of being unauthorized or authorized under False Pretenses, relevant to the TPS's role in authorization or transmission, per Nacha's Fraud Monitoring Rule
Ensure Originator customers comply with Nacha rules, and take appropriate action when non-compliance is identified
Complete an annual ACH Rules compliance audit covering all areas of the Nacha Operating Rules applicable to the TPS's operations
Five ACH account verification methods
Each of the account verification methods below has a different speed, fraud coverage profile, and friction cost, and can be used as part of your Nacha compliance program. The right choice depends on your transaction type, risk tolerance, user experience requirements, and time-to-onboard constraints.
Microdeposits
Microdeposits involve sending either a small credit with a code or one or two credits with a balancing debit to the user's bank account.
Steps: Collect account details, initiate transactions, wait for settlement, the user confirms exact amounts or the included code, then the account is validated
Time to verify: 1–3 business days
Best use cases: Lower-risk onboarding flows where the delay is acceptable, such as investment account funding
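The confirmation step above is where guessing attacks land, so the sketch below shows one way to handle it. It is an added example, not code from this article or from any vendor it names. The function names, the 1-99 cent range, the three-attempt limit and the seven-day expiry are all assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3               # assumed policy: lock after three wrong confirmations
TTL_SECONDS = 7 * 24 * 3600    # assumed policy: challenge expires after seven days


@dataclass
class Challenge:
    salt: bytes
    digest: bytes    # keyed hash of the amounts, so a database dump alone cannot be brute-forced
    created: float
    attempts: int = 0
    verified: bool = False


def _digest(key: bytes, salt: bytes, cents: tuple[int, int]) -> bytes:
    # Order-insensitive: the user may enter the two amounts in either order.
    low, high = sorted(cents)
    return hmac.new(key, salt + f"{low}:{high}".encode(), hashlib.sha256).digest()


def issue(key: bytes, now: float | None = None) -> tuple[Challenge, tuple[int, int]]:
    """Pick two random amounts in cents to send; store only the keyed hash."""
    cents = (secrets.randbelow(99) + 1, secrets.randbelow(99) + 1)
    salt = secrets.token_bytes(16)
    created = time.time() if now is None else now
    return Challenge(salt, _digest(key, salt, cents), created), cents


def confirm(key: bytes, ch: Challenge, guess: tuple[int, int], now: float | None = None) -> str:
    """Return 'verified', 'mismatch', 'locked' or 'expired'."""
    now = time.time() if now is None else now
    if ch.verified:
        return "verified"
    if now - ch.created > TTL_SECONDS:
        return "expired"
    if ch.attempts >= MAX_ATTEMPTS:
        return "locked"
    ch.attempts += 1  # count the attempt before comparing, so failures cannot be retried for free
    if hmac.compare_digest(_digest(key, ch.salt, guess), ch.digest):
        ch.verified = True
        return "verified"
    return "locked" if ch.attempts >= MAX_ATTEMPTS else "mismatch"
```

A locked or expired challenge should require a fresh set of micro-entries, and the count of issued challenges per account and per user is a natural input to the volume monitoring mentioned in the glossary.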
Manual validation
Manual validation relies on the user providing their routing and account number, sometimes supplemented by a voided check or bank statement.
Steps: Collect account/routing number, optionally request voided check, perform format validation, proceed with transaction
Time to verify: Up to several days
Best use cases: Low-volume, high-touch business-to-business payment contexts where relationships are established
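The "format validation" step can be made concrete with the routing number's check digit. This is an added example, not code from this article. The function names and the digits-only, 4-to-17 length policy for account numbers are assumptions, and the sample numbers in the comments are constructed.

```python
from __future__ import annotations

import re

WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)  # ABA routing-number check-digit weights


def routing_number_errors(raw: str) -> list[str]:
    """Return format problems; an empty list means the number is well formed."""
    rtn = re.sub(r"[\s-]", "", raw)  # tolerate spaces and dashes typed by the user
    if not re.fullmatch(r"\d{9}", rtn):
        return ["routing number must be exactly 9 digits"]
    errors = []
    prefix = int(rtn[:2])
    # Assigned first-two-digit ranges: 00-12, 21-32, 61-72 and 80.
    if not (0 <= prefix <= 12 or 21 <= prefix <= 32 or 61 <= prefix <= 72 or prefix == 80):
        errors.append("first two digits are outside the assigned ranges")
    # Weighted digit sum must be a multiple of 10; catches most single-digit typos.
    if sum(w * int(d) for w, d in zip(WEIGHTS, rtn)) % 10 != 0:
        errors.append("check digit does not match")
    return errors


def account_number_errors(raw: str) -> list[str]:
    acct = re.sub(r"[\s-]", "", raw)
    # Assumed policy: digits only, 4 to 17 long. 17 is the width of the
    # account-number field in an ACH entry record.
    if not re.fullmatch(r"\d{4,17}", acct):
        return ["account number must be 4 to 17 digits"]
    return []


def format_errors(routing: str, account: str) -> list[str]:
    """Combined check to run before any ACH entry is built.

    Constructed samples: "123456780" passes, "123456789" fails the check digit.
    """
    return routing_number_errors(routing) + account_number_errors(account)
```

A clean result only means the numbers are well formed; it does not show that the account is open or belongs to the intended Receiver, which is what account validation for WEB debits requires.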
Prenotes
A prenote is a zero-dollar test entry sent through the ACH network before the first real transaction.
Steps: Collect account details, send a zero-dollar prenote, wait for the return window; if the prenote is not returned, proceed with a live transaction
Time to verify: 3+ business days minimum
Best use cases: High-value B2B payments where a delay is operationally acceptable and the relationship is verified through other means
Database verification
Database verification checks a user's account and routing number against third-party databases of known account information, fraud signals, and financial institution data.
Steps: Collect account/routing number, query verification database in real time, receive pass/fail or risk score, proceed or flag
Time to verify: Seconds
Best use cases: High-volume consumer and business payment flows where speed matters and additional data signals are available
Instant account verification
Instant Account Verification uses open banking connectivity to allow users to authenticate directly with their bank via secure login credentials.
Steps: User selects their bank, authenticates via online banking credentials (username and password) or OAuth (an authorization protocol that grants limited access to banking information without sharing passwords), the verification provider retrieves account data, and the account is validated
Time to verify: Seconds
Best use cases: Consumer fintech, lending, payroll onboarding, marketplaces
How organizations can make Nacha compliance easier
For organizations that rely on the ACH network, streamlining Nacha compliance starts with knowing the Rules and complying with them in full. For debits, a foundation is to verify the account and routing numbers quickly and effectively and to confirm that the account is in good standing before initiating an ACH transaction. These are recommended steps for meeting Nacha’s account verification and fraud mitigation requirements, and some account verification methods make compliance easier and more pleasant for users than others.
Plaid Instant Auth enables consumers to easily and securely connect their financial accounts for ACH transactions by validating their account and routing numbers in seconds. For businesses onboarding new customers to fund accounts, transfer money, or pay bills via ACH, Instant Auth is the fastest way to do so while also mitigating risk.
