National Automated Clearing House Association (NACHA)

Rules Awareness Information

Each UTA Merchant Customer ("UTA Merchant") originating ACH entries through United TranzActions must comply with the NACHA Operating Rules ("Rules") as stated within the ACH agreement between United TranzActions and the UTA Merchant. The National Automated Clearing House Association (NACHA) is the rule making body governing the ACH network and therefore all participants of the ACH network must comply with these Rules. To ensure that United TranzActions communicates effectively, we have provided links below to the specific, UTA Merchant requirements as stated within the Rules.

Annually, it is recommended that you purchase a copy of the updated NACHA Operating Rules & Guidelines by visiting http://www.nacha.org. You may also obtain free limited access to the basic NACHA Operating Rules in read-only format by visiting http://www.achrulesonline.org.

As you may be aware, NACHA updates these Rules with changes, additions and deletions on an annual basis. United TranzActions will ensure that, annually, we communicate these changes to ensure that our companies are educated and can make any necessary changes to their daily process as a result of these changes.

It is important that you, as UTA Merchant utilizing the ACH network to process debit(s) and credit(s), make appropriate changes to your internal processes as necessary to accommodate any Rules changes that may be applicable to you. For a detailed and complete list of proposed rules and amendments and rule changes, visit https://www.nacha.org/rcntAmndmts. If you have any questions regarding the impact of these Rules, please do not hesitate to contact your United TranzActions' Relationship Manager.

Your Responsibilities as an Originator

  • Obtain proper authorizations, dependent upon the transaction type, and retain authorizations for two years past revocation.
  • If requested by the Bank, provide a copy of the authorization. The Bank may request to see your authorizations from time to time as part of an annual audit.
  • Send entries on the proper date.
  • Give appropriate notice to debtor if changing amount or date.
  • Cease subsequent entries when notified.
  • Make necessary changes to payee account information within three (3) banking days upon receipt of a Notice of Correction or before another entry is sent.
  • Check payees against OFAC compliance checklists.
  • Protect the banking information received to originate transactions.
  • Ensure your computer and you are protected as outlined in the Bank Cash Management Agreement.
  • Ensure the Originator is clearly identified as the source of the ACH transaction.

Consumer Debit Authorizations

  • For consumers, an authorization to debit an account must be in writing or "similarly authenticated."
  • The most common SEC code for consumer debits is PPD.

Corporate Authorizations

  • For companies, there must be a record of an agreement between the two parties.
  • The most common SEC codes for corporate transactions are CCD or CTX, depending upon addenda origination. It is used for debits and credits.

Changing Date or Amounts of Debits

  • ACH Rules require you to notify your debtors of any changes in date or amount debited under the following circumstances:
    • Seven (7) calendar days' notice for a change of date (consumer and corporate).
    • Ten (10) calendar days' notice for a change in amount (consumer only).
  • Sending the notice via U.S. Mail is acceptable.

Pre-notifications (Pre-notes)

  • Pre-notes are zero-dollar entries that precede the first live entry. The purpose of a pre note is to verify account information.
  • Pre-notes are optional for you to send. However, if sent, pre note rules must be followed and a pre-note must precede the first live entry by at least three (3) banking days.
  • The Receiving Bank is not required to validate the name of the payee on the prenote, although many do; they are only required to check the account number.

Notice of Change (NOC)

  • NOC is created by the Receiver's financial institution to notify the originator (via the Bank) that:
    • Previously valid information in an ACH entry (Direct Deposit/Direct Payment) is now outdated, and needs to be changed
    • Information in an ACH entry (Direct Deposit/Direct Payment) is erroneous, and needs to be corrected.
  • UTA will notify you of any NOCs received on your behalf.
  • ACH Rules require the originator to make changes or corrections within three (3) banking days of receiving the information from the Bank or before another entry is sent.
  • The Receiving Bank warrants that the Information they provide to you is correct.
  • The Bank may pass along any fines received based upon your non-compliance.
  • The Originator has the option of responding to NOCs for Single Entry (non-recurring) payments. This applies to the following SEC Codes only: ARC, BOC, POP, POS, RCK and XCK entries, as well as, TEL and WEB entries bearing a single entry indicator ("S" or "blank" for TEL and "S" for WEB).

Notification of Change (NOC) Codes (most common)

NOC Code Reason Description
C01 Account Number Account number is incorrect or is formatted incorrectly.
C02 Transit/Routing Number Due to a merger or consolidation, a once valid routing number must be changed.
C03 Transit/Routing Number and Account Number Due to a merger or consolidation, a once valid transit/routing number must be changed and the account number structure is no longer valid.
C04 Account Name Customer has changed name.
C05 Transaction Code Transaction code is incorrect and this is causing the ACH entry to be routed to the wrong application (demand or savings),
C06 Account Number and Transaction Code Account number is incorrect or is formatted incorrectly and the transaction code is incorrect causing the ACH entry to be routed to the wrong application (demand or savings).
C07 Transit/Routing Number, Account Number and Transaction Code Due to a merger or consolidation, a once valid transit/routing number must be changed, the account number structure is no longer valid and the transaction code is incorrect causing the ACH entry to be routed to the wrong application (demand or savings).
C09 Individual Identification Number The individual id number was incorrect.
C13 Addenda Format Information in the Entry Detail Record was correct and the entry was processed and posted by RDFI. However, information found in the addenda record was unclear or was formatted incorrectly.


  • Returns must be processed by the Receiving Bank within 24 hours of settlement. Returns that are unauthorized beyond the 24 hours are the company's liability and any disputes may have to be settled outside of the banking network. Review your account activity daily.
  • An exception to the 24-hour rule is consumer unauthorized returns, which may be returned within 60 days of posting.
  • The use of consumer (PPD) or corporate (CCD) entry codes determines the applicable ACH return rules.
  • If the Receiving Bank receives a dispute claiming a debit was unauthorized, the Receiving Bank must get a signed Written Statement of Unauthorized Debit from the account holder. You may obtain a copy of that statement by requesting a copy through the Bank.
  • You may re-initiate a debit entry up to two times if (1) the entry has been returned for insufficient or uncollected funds (Return Reason Code R01 and R09), (2) the entry has been returned for stopped payment and re-initiation has been authorized by the Account Holder, or (3) the Bank has taken corrective action to remedy the reason for the return.
  • A "Stop Payment" return may be re-initiated only if you receive approval from the payee to re-send the item.
  • It is a violation of NACHA Rules to re-initiate the debit entry if a return is received for any other reason.
  • Disagreements regarding authorization should be handled OUTSIDE of the ACH Network
  • Originators must maintain a return rate below .5% for entries returned as unauthorized.
  • Originators can have no more that 3% of your total debit entries returned due to administrative or account data errors.
  • Originators can have no more than 15% of your total debit entries returned for any return reason.

Return Entry Codes (most common)

Reason for Return Action by Originator
R01 -Insufficient Funds Originator may initiate a new ACH entry within 180 days of original Settlement date
R02 - Account Closed Originator must stop initiation of entries and obtain an authorization from the Receiver for another account.
R03 - No Account/Unable to Locate Originator must stop initiation of entries and contact the Receiver for correct account information.
R04 - Invalid Account Originator must stop initiation of entries until account number I structure is corrected.
ROS - Unauthorized Debit to Consumer Account Using Corporate SEC Code Originator must stop initiation of entries.
R06 - ODFI Request for Return Originator must accept requested return.
R07 - Authorization Revoked Originator must stop initiation of entries until new consumer authorization is obtained
R08 - Payment Stopped Originator must contact Receiver to identify the reason for the Stop Payment and obtain authorization before reinitiating the entry.
R09 - Uncollected Funds Originator may initiate a new ACH entry within 180 days of the original Settlement Date.
R10 - Customer Advises Not Authorized, Notice Not Provided, Improper Source Document, or Amount of Entry Not Accurately Obtained from Source Document Originator must stop initiation of entries.
R12 - Account Sold to Another DFI Originator must stop initiation of entries and obtain correct routing number information for initiation of subsequent entries.
R16 - Account Frozen Originator must stop initiation of entries.
R20 - Non Transaction Account Originator must stop initiation of entries.
R24 - Duplicate Entry Originator should accept the return. If the entry has already been reversed, Originator should contact the RDFI to determine a solution. An Originator may reverse an erroneous or duplicate ACH entry/file up to 5 banking days after the Settlement Date of the entry/file. OR it may request the RDFI to send a return.
R29 - Corporate Customer Advises Not Authorized Originator must stop initiation of entries until subsequent authorization has been obtained.


  • If a reversing entry must be made, please consult the ACH Manager User Guide or contact Customer Service for instructions.
  • Reversals may only be made for the following three conditions:
    • wrong dollar amount
    • wrong account number
    • duplicate transaction
  • When initiating a reversal, the reversing entry must be for the full amount, must be sent within five (5) banking days of original entry and must be sent within 24 hours of discovering the error.
  • The Receiving Bank is under no obligation to post the reversing debit if it overdraws the payee's account or if the payee's account is closed.
  • A payee must be notified if a reversing entry debits his or her account. However, a payee does not need to authorize the reversing debit.
  • The word "REVERSAL" must be placed in the Company Batch Header Field and if the file is reversing an erroneous file, then a correcting file must be initiated with the reversing file

OFAC (Office of Foreign Asset Control)

  • You are required to check payees against OFAC compliance checklists.
  • OFAC lists countries, groups and individuals with which U.S. Companies are not permitted to send or receive funds.
  • The Bank must protect itself by informing every client that it is against the law to send debit or credit entries to OFAC-blocked entities.
  • You may check the OFAC SDN list at: http://sdnsearch.ofac.treas.gov

What is an ACH Application (SEC) Code?

ACH applications are payment types used by Originators, such as your company, to identify ACH debit and/or credit entries transmitted to a corporate or consumer account at the RDFI. Each ACH application is identified and recognized by a specific Standard Entry Class (SEC) code, which appears in the ACH record format. The SEC code also identifies the specific record layout that will be used to carry the payment and payment-related information

Standard Entry Class (SEC) Codes (most common)

Standard Entry Class (Sec) Code Title Transaction Type Account Type Required Agreement Or Authorization Reference NACHA Operating Rules and Guidelines (Rules)
PPD Prearranged Payment and Deposit Credit or Debit Single or Recurring Entry Consumer In writing and signed for Debits. Orally or other written or non-written means for Credits. Section V - Chapter 45
CCD Corporate Credit or Debit Entry Credit or Debit Single Recurring Entry Non-Consumer Agreement between Originator and Receiver Section V - Chapter 39
TEL Telephone Initiated Entry Debit Single or Recurring Entry Consumer Orally authorized over telephone Sect ion V - Chapter 47
WEB Internet- Initiated/Mobile Entry Debit Single or Recurring Entry Consumer In writing and signed or similarly authenticated Section V - Chapter 48

What are the Fraud Risks for ACH?

ACH Origination fraud is a challenge for Financial Institutions and ACH Originators like your company. In one origination system hacking scheme, perpetrators hack into the originator's (your company) computer system using compromised User IDs and passwords and originate ACH credits to "mule" accounts created for the express purpose of committing fraud. Those accounts are then emptied and abandoned. The true originator's account (your account) is debited for the invalid origination file. The credits are usually irretrievable by the time the fraud is discovered. The originator's credentials may have been compromised by an insider within the organization or stolen through key loggers or Trojan Horse programs on the compromised computer.

Due to the risk of this type of fraud, it is essential that all computer equipment used by your company to operate UTA's ACH Origination program is regularly updated and patched for security vulnerabilities (including the use of and updating of firewall, virus protection, anti-malware protection, anti-spam protection.) You may also want to consider having one computer in your office which is not used to browse the internet or read e-mail to be your sole source of access to the UTA ACH Origination program. Limiting access to the computer which is used to house and transmit ACH data may help avoid the accidental downloading of harmful programs/viruses that could potentially compromise your transactions.

The appropriate steps should be taken within your company to ensure that all User ID's, Passwords, Authentication Methods and any other applicable security procedures issued to your employees are protected and kept confidential. All staff should be aware of the need for proper user security, password controls and separation of duties.

As ACH Origination is a higher risk commercial banking function, we suggest that your company perform your own internal risk assessment and controls evaluation periodically to be sure you are considering all available security options.

For additional information on protecting your business from Internet fraud, please visit the U.S. Chamber of Commerce website and view the free link to the "Internet Security Essentials for Business" handbook (https://www.uschamber.com/issue-brief/internet-security-essentials-business-20).

What happens if a Security Breach occurs?

Immediately contact the bank if you suspect an ACH data breach. As an ACH Originator, you are required to immediately report the breach to UTA who must report it to NACHA.

Why are Proof of Authorization forms so important?

When an accountholder questions the legitimacy of an ACH debit on their account, prior to their bank charging the item back to the originating party, the bank will request a Proof of Authorization Form from the ACH originator. It's during this process that the originator has a chance to win the dispute, that is, so long as they're able to produce a valid Proof of Authorization Form that complies with all applicable ACH rules and regulations.

What information do you need to include?

Proof of Authorization forms can be collected in paper or electronic form and (at minimum) should:

  • Give permission to the ACH originator to debit/credit the recipient's account.
  • Include the dollar amount (or range of amounts) to be debited (or credited). Depending on your circumstances, you may also wish to include language that permits you to correct (or reverse) any accidental over/under payments.
  • Provide a time for when the transactions should be expected. Ex. Monthly, Weekly, Per Invoice, etc.
  • State the terms for the POA to be revoked-verbally or in writing-and the timeframe needed for the originator to act on the notice of revocation.
  • Signature (or electronic signature) of the accountholder that the ACH is being sent to.

How long do you need to retain POA forms?

ACH originators should keep POA forms for two years after the date of the last transaction. It's up to the company whether they retain the form in paper or scanned/electronic format, but regardless, it's helpful to develop a retention system whereby you can easily produce all relevant supporting documentation.

"Please click here to see a sample of the ACH Authorization form."

Additional Laws, Rules, and Regulations for ACH Agreements

1) Required annual UCC4A Disclosure

Uniform Commercial Code Article 4A (UCC 4A) Uniform Commercial Code (UCC) is a series of state laws that govern commercial transactions. Article 4A of the UCC governs corporate ACH transactions that are referred to as "corporate wholesale credit entries." RDFIs may identify these transactions by Standard Entry Class Codes CCD or CTX. UCC 4A also addresses the commercially reasonable security procedures’ that must in place for ACH Origination to occur.

UCC 4A Disclosure Requirements Funds Availability The financial institution may make payment provisional on "wholesale credits" until receipt of final settlement from the Federal Reserve Bank. Wholesale credits (i.e., CCD and CTX entries) generally represent larger dollar values and increased risk. If the RDFI chooses to make payment provisional until final settlement, then notification of the provisional nature of the payment must be provided by means of a "Provisional Payment Disclosure." If the financial institution does not receive final settlement for an entry posted to the Receiver's account, then it is entitled to a refund from the Receiver.

Provisional Payment Disclosure "Credit given by [us] to [you] with respect to an Automated Clearing House credit entry is provisional until [we] receive final settlement for such entry through a Federal Reserve Bank. If [we] do not receive such final settlement, [you] are hereby notified and agree that [we] are entitled to a refund of the amount credited to [you] in connection with such entry, and party making payment to [you] via such entry (i.e., the Originator of the entry) shall not be deemed to have paid [you] the amount of such entry"

Notice Disclosure Requirement. It is the RDFI's responsibility to notify Receivers of wholesale credits before midnight of its next funds transfer business day following the Settlement Date of the entry. If the financial institution fails to give such notice, it is obligated to compensate the Receiver for any interest losses incurred as a result of the failure. RDFIs are excused from providing next day notice as long as a disclosure is provided to customers/members that notification will not be given.

Choice of Law Disclosure We may accept on your behalf payments to your account which have been transmitted through one or more Automated Clearing Houses (ACH) and which are not subject to the Electronic Fund Transfer Act and your rights and obligations with respect to such payments shall be construed in accordance with and governed by the laws of the state of Pennsylvania as provided by the operating rules of the National Automated Clearing House Association, which are applicable to ACH transactions involving your account.

2) Regulation E

For Merchant's obligations with respect to consumer alleged errors, click on below link.