using ACH payments with NACHA Operating Rules

Understanding ACH Payments

Automated Clearing House (ACH)

Banner image for Simple and Safe Best Practices

Simple and Safe Best Practices

Do you originate ACH files as a part of your business? If so, you should be aware of the Operating Rules & Guidelines issued annually by the National Automated Clearinghouse Association (Nacha). The Nacha Operating Rules & Guidelines oversee every ACH payment and provide exact guidelines for securely storing, accessing and transmitting sensitive customer information.

You should have a basic knowledge of Nacha Operating Rules & Guidelines even if you use a third-party payment processing system to process ACH. It’s your responsibility to know the ACH Rules and make sure your business is compliant. Keep up with the Rules changes on the Nacha website.
Best Practices for ACH

Best Practices for ACH

Nacha rules require that unauthorized or improper corporate ACH debits posted to your account, be returned no later than the opening of business on the second banking day following the settlement date of the original entry (i.e., one day to return an ACH debit). If an unauthorized debit is not returned by two days after posting, it will be much more difficult to recover lost funds.

Nacha rules require ACH origination customers to change information (the information requested to be changed by the Receiving Depository Financial Institution (RDFI)) within six (6) banking days of receipt of the NOC or the next time the transaction is generated, whichever is later. Common changes include updates to transaction codes, account numbers, or routing numbers.

  • A returned ACH entry may not be reinitiated unless (1) the entry has been returned for insufficient or uncollected funds; (2) the entry has been returned for stopped payment and re-initiation has been authorized by the Account Holder, or (3) the Originating Depository Financial Instituion (SouthState Bank) has taken corrective action to remedy the reason for the return.
  • An originator may re-initiate a debit entry within 180 days up to two times. Those entries must be sent in a separate batch and contain identical content in the Company Name, Company ID, and Amount field.
  • Re-initiated entries must contain “RETRY PYMT” in the Company Entry Description Field.

Whenever possible, divide responsibilities among several employees. To prevent unauthorized ACH payments, separate out the payments process where one employee will create/upload the ACH batch and another employee is responsible for approving batches. To prevent unauthorized or inappropriate system access, separate the payments approval process where one user can add or delete users but does not have the ability to approve, delete, or edit batches.

Train employee to be alert for things that do not look right, such as the Treasury Navigator® color scheme or layout not looking the same as before, egregious misspellings on the website or email notifications, "system down" warnings, etc. Another red flag is the inability to log into Treasury Navigator®, despite multiple attempts with a known credentials. This may be an indication that the credentials have been compromised, or that the user is already logged in from another computer.

Do not allow employees to use social networking sites on the same computer systems as the business’ online banking system. Common social media attacks include likejacking, where attackers use fake “like” buttons to trick users into clicking website buttons that install malware and post updates on a user’s newsfeed to spread the attack; or, fake offerings/apps to join a fake group or subscription with incentives that are used to steal credentials or harvest other personal data.

Rules and Updates Every ACH Originator Should Know

Rules and Updates Every ACH Originator Should Know

Originator must obtain authorization for both consumer credit and debit entries and should ensure that the authorization is clear and readily understandable by the account holder/receiver.
  • The authorization should clearly state account number and routing number (i.e. a copy of the account holder’s check), and account type (demand deposit, savings).
  • The consumer must date and either sign or similarly authenticate debit authorizations.
  • A review of authorizations should be performed to make sure it meets the requirements of the NACHA Operating Rules.

Originators can expect the return of consumer entries that were not properly authorized.

  • An unauthorized debit entry is an entry in which (1) the authorization requirements have not been followed in accordance with the Nacha Operating Rules or invalid under applicable legal requirements; (2) a transaction was initiated in an amount different than that authorized by the Receiver; (3) a transaction was initiated for settlement earlier than authorized by the Receiver.

In general, consumer debit entries must be returned by the RDFI in such time and manner that the return is made available to the ODFI no later than the opening of business on the banking day following the sixtieth (60) calendar day following the settlement date of the original entry. This return deadline also applies to the return of debit entries for which the consumer Receiver had previously revoked his authorization.

As with consumer entries, the business Receiver (Company) must authorize all ACH credits and debits to its account.

  • The Receiver of CCD (Corporate Credit and Debit), CTX (Corporate Trade Exchange) entries, and IAT (International ACH Transactions to a corporate customer account) must enter into an agreement with the Originator to which the Receiver has agreed to be bound by the Nacha Operating Rules.
  • This agreement for credits and/or debits to the corporate customer account should be clear to the corporate customer as to what the credit/debit represents.

Unlike consumer entries, in general, the non-consumer receiver of a CCD, CTX or IAT entry must return entries no later than the opening of business on the second (2) banking day following the settlement date requiring prompt review of transactions to detect any unauthorized entries.

For recurring debits, when the debit amount varies, the Rules require the Originator to notify the account holder/receiver within ten (10) calendar days before the scheduled transfer date. If an Originator changes the date in which it debits the account holder/receiver, it must notify the account holder/ Receiver in writing of the new date of the entry at least seven (7) calendar days before the first entry to be affected by the change is scheduled to be debited to the Receiver’s account.

The signed or similarly authenticated authorization must be retained by the Originator for a period of two years following the termination or revocation of the authorization.

  • In the case of a paper authorization that has been signed by the consumer, the Originator must retain either the original or a copy of the signed authorization.
  • This authorization may be obtained in an electronic format that (1) accurately reflects the information in the record, and (2) is capable of being accurately reproduced for later reference.

At the request of its ODFI, Originator must provide the original, copy or other accurate Record of the Receiver’s authorization to the ODFI for its use or for the use of a RDFI requesting the information. The Originator must provide in such time and manner as to enable the ODFI to deliver the authorization to a requesting RDFI within ten (10) banking days of the RDFI’s initial request.

The Originator is required to ensure there is clear identification of the source of an ACH transaction. Specifically, the Rules require the Originator to populate the Company Name Field with the name by which it is known to and readily recognized by the Receiver of the entry. As this company name appears on the account holder’s statement, it should be easily recognized by the account holder/receiver of the debit/credit.

Origination of the IAT standard entry class code is not permitted by SouthState Bank. Certain ACH payments that were classified as domestic transactions may be classified as international payments, or IAT transactions today. The ACH transaction may be classified as an international payment (IAT transaction) if your company (1) is a subsidiary of a multi-national corporation; (2) has foreign subsidiaries; (3) buys or sells to organizations or individuals outside of the territorial jurisdiction of the United States; or (4) sends payroll, pension or benefit payments via the ACH Network to individuals that have permanent resident addresses outside the territorial jurisdiction of the United States.

Corporations are required to comply with OFAC obligations, and the penalties for ignoring those obligations can be both criminal and civil and include both jail time and fines ranging from $10,000 to $10,000,000 per occurrence. If these fines are levied against the financial institution, they may be passed back to the corporate originator depending on the specifics of the case and the details of their contract with the financial institution. The fines are levied by the U.S. government and funds collected are the property of the government, not the financial institution. Additional information on OFAC obligations and fines can be found at the following link:

Prenotifications are zero dollar entries generated to validate the account held at the RDFI. Originators may originate a prenote; however this is not required under the Rules. If the Originator initiates a prenotification, it must wait three (3) banking days prior to initiating the live dollar amount.

An Originator may reverse an erroneous or duplicate file, or an item within the file, within 5 banking days after the Settlement Date of the original file. The word "REVERSAL" must be placed in the Company Batch Header Field and if the file is reversing an erroneous file, the Originator must initiate a correcting file with the reversing file. The Originator should notify the account holder(s)/ receiver(s) of the reversing entry and reason of the reversing entry no later than the Settlement Date of the reversing entry.

SouthState Bank permits Originators to send PPD (Prearranged Payments and Deposits) for entries posting to consumer accounts and CCD (Corporate Credits and Debits), CCD+, and CTX (Corporate Trade Exchange) for entries posting to corporate accounts. Any other types of standard entry class codes require approval from SouthState Bank prior to its use.

This affects Originators as a stop payment may be placed on the RDFI’s system for all future transactions relating to the one Originator for the payment. Originators need to train internal staff to ensure they understand that there may be multiple stop payments returned. These should not be reinitiated until resolved.

A Third-Party Sender is a type of Third-Party Service Provider that acts as an intermediary between the bank and the entity’s (Third-Party Sender’s) customers. The Rules require that all Third-Party Senders conduct Rule compliance audit and risk assessment of its ACH operation and compliance with the Rules no later than December 31 of each year. Documentation supporting the completion of an audit must be (1) retained for a period of six years from the date of the audit, and (2) provided to Nacha upon request. As this is a Rule requirement, SouthState Bank requires a copy of the ACH audit and Risk Assessment each year. Approved Third-Party Senders should reference their agreement for the additional requirements. This applies only to Third-Party Senders.

The originating customer is responsible for ensuring they (along with any third party service providers acting on their behalf) implement and maintain security policies, procedures, and systems related to the initiation, processing, and storage of entries and resulting protected information.

In addition, it is the responsibility of the customer to educate staff on how to protect the business’ online banking system, take reasonable steps to maintain the confidentiality and security of the security procedures and any passwords, codes, security devices, including but not limited to security tokens and secure browser sessions.

Security policies, procedure and systems must: (1) Protect the confidentially and integrity of the protected information, (2) Protect against anticipated threats or hazards to the security or integrity of protected information until its destruction and (3) Protect against unauthorized use of protected information that could result in substantial harm to the customer.

SouthState Bank as an ODFI may establish additional risk management procedures such as requiring an audit of its Originators activity be performed, closely monitoring the return volume of its originators, and assessing the risk associated with the type of ACH activity performed by each Originator. Originators need to understand the necessity of risk management practices regarding the following (1) The performance of the due diligence with respect to Originators and Third-Party Senders; (2)The assessment of the nature of the Originator’s or Third-Party Sender’s ACH activity and the risks it presents; and, (3) the establishment of procedures to monitor an Originator’s or a Third-Party Sender’s origination and return activity, and to enforce exposure limits and restrictions on the types of ACH transactions that may be originated.

Frequently Asked Questions

Frequently Asked Questions

When an ACH return is received, your account will receive chargeback or creditback return entry and you will be notified of the return, along with information on how to view the return details.

Fees may vary, please refer to your fee schedule.

Dispute an ACH return if it was a duplicate, it was misrouted, information was inaccurate, the return didn’t occur within the expected time frames, or an unintended credit to the receiver was the result of the reversal.


A notification of change (NOC) occurs when the bank receiving the ACH entry notifies the bank sending the ACH entry that some portion of the information is incorrect. With NOCs, ACH transactions posted to the recipients account but the information within the ACH entry need to be corrected to ensure future transactions are received will be processed.

Accuracy of information when sending ACH batches or files is always important. Otherwise, there’s a risk of misdirecting ACH transaction(s) and relying on another bank to make proper corrections. These transactions are often critical to the recipient, such as a payroll deposit. In addition, Nacha rules require changes be made within (6) six banking days after receipt of a notification of change or an ACH return. If this is not complied with, penalties may be assessed against the originating bank.

Decrease the odds of an ACH Return by verifying an input was correct (including the recipient’s bank routing number). The Federal Reserve has a tool to verify the routing number is correct for ACH processing. FRFS: Search for FedACH Participant RDFIs (

Business Email Compromise (BEC)

Business Email Compromise (BEC)

Learn More

Business Email Compromise is a type of phishing scam in which fraudsters try to hack, spoof or impersonate business email addresses. They may change one letter or number in a familiar email address to make their scam appear legitimate.

Example: [email protected][email protected]

Scammers may send emails to employees in an attempt to gain credentials or convince someone to send a fraudulent wire. They may also send an email that appears to be from a known third party such as a vendor.

Scammers have also been known to send an email to customers, posing as the legitimate business, in an attempt to obtain their payment information or other sensitive information.

BEC scams are often difficult to spot, but there are a few red flags to be on the lookout for. Common signs of BEC messages include:

  • The message is brief, urgent, and presses you to bypass normal policies and procedures;
  • The request appears to from an executive, vendor or other partner that is outside of the norm;
  • A request for sensitive employee, payroll or company information;
  • Emails have misspelled words or poor grammar;
  • Unexpected attachments sent by email;
  • Emails sent after business hours or on weekends, holidays, or other nonstandard business days.

Carefully check the email address of the sender to ensure it’s legitimate. Since they can be just one character off, spoofed email addresses can be easy to miss.

As with any type of fraud, verifying information before sharing sensitive information or sending payments is a key step. Pay close attention to all emails to ensure they are from a known source.

When in doubt, do not click links within an email or open attachments.

If you receive new payment instructions from someone you submit payment to on a regular basis, confirm the new instructions with that individual or company in person or over the phone using contact information you’ve previously used.

If fraud or loss does happen as a result of responding to a BEC email with sensitive information, there are a few steps to take:

  • Report it to your organization’s IT/cybersecurity team.
  • Call us at (877) 840-8588 so that we can take the necessary precautions to secure your SouthState accounts.
  • Change passwords for email and financial accounts.
  • Review account statements for any suspicious activity.
  • Contact the police and file a report.
Get Started

Get Started

Icon for Give Us a Call

Give Us a Call

(877) 840-8588
Icon for Contact a Banker

Contact a Banker

Email Us

Secure Log In

Close login menu
Login Error

Your username is valid but has a problem. Please call customer support

Our website uses cookies to ensure your online experience is as informative and relevant as possible. Please review our Privacy Policy to learn more about the information we collect.